PKI for the IoT

IoT security requires strong authentication.  All IoT devices, including the smallest endpoints, must support mutual authentication, ensuring all communication is between known, trusted devices and all access is authorized. 

With the number of IoT devices growing into the billions, a scalable solution for generation, distribution, and revocation of keys and certificates is required.  Icon Labs’ Floodgate CA and PKI Toolkit provides the automation and scalability required for those billions of IoT devices. 

Using Floodgate CA, enterprises and OEMs can deploy a hardened Certificate Authority server or hierarchy of servers in their own private environment.  This provides a closed PKI system without dependence upon public certificate authorities or other third-parties.  Companies have the flexibility to implement a customized CA hierarchy to meet their requirements.

Floodgate PKI Client for IoT

Icon Labs’ Floodgate PKI Client enables IoT devices to generate keys, create certificate signing requests, and retrieve signed certificates from the CA.  The Floodgate PKI Client:GraphicwithBulkCerts


· Supports SCEP, EST and OCSP protocols

· Supports RTOSes, embedded Linux, and Windows devices

· Supports resource-limited IoT devices

· Operates with Icon Labs’ CA or a public CA

Floodgate Certificate Authority

The Floodgate Certificate Authority (CA) is part of Icon Labs’ PKI solution providing complete certificate management for companies choosing to implement their own certificate-based authentication using public key infrastructure.  It provides OEMs the ability to operate as a private certificate authority, enabling secure certificate distribution and management for the millions of industrial and IoT devices currently being developed.

The certificate authority automates the server-side process of secure provisioning and enrollment. It enables certificate signing, enrollment, and revocation services. The CA provides:

· User interface for end-to-end certificate management and revocationPKI GraphicwithCerts.jpg

· Automated distribution of certificates

· Use in manufacturing/device production

· Use in operational networks to manage certificates for the lifecycle of a device

· Support for SCEP, EST and OCSP protocols

· The ability to operate as a sub-CA to a public CA or as its own root CA

IoT Device Authentication

Device authentication is a key component of security for IoT devices.  Certificate-based authentication using Public Key Infrastructure provides a proven, reliable authentication method.  The Floodgate Certificate Authority and Floodgate PKI Client enable certificate-based machine-to-machine authentication for IoT devices.  PKI-based authentication provides:

· Secure device identification using unique PKI certificates

· Mutual device authentication for security protocols such as TLS

· Strong protection against cyber attacks by optionally storing certificates and private keys in a TPM or other hardware-based secure storage

· Credentials for secure remote device management, software update, and attestation

· Easy integration and deployment of device identity

· Device certificate provisioning and maintenance

Initial Device Provisioning

Floodgate Certificate Authority functionality encompasses a wide-range of potential use cases including key management, generating Public Key Infrastructure certificates, and injecting keys and certificates during the manufacturing process.

Floodgate PKI Benefits

OEMs and their customers all benefit from a single vendor solution.  The Floodgate CA presides over all PKI-related duties in an intuitive manner, supplying users with the ability to manage certificate trees, certificate revocation lists, private keys, signing requests, and more.

The CA can be provided on a hardened server, or delivered as a software solution that customers can run on their own servers.

TPM and Secure Key Storage Integration

Icon Labs’ Floodgate PKI Client supports TPM integration or other Secure Key storage solutions.  The PKI Client utilizes the TPM to generate a private key.  The private key never leaves the TPM, protecting it from malicious attacks or accidental leakage.  The PKI client uses the public key to generate certificate signing requests sent to the CA. The CA returns the signed certificate to the device. All operations requiring the private key are performed by the TPM, ensuring the private key remains protected.