PKI for the IoT
IoT security requires strong authentication. All IoT devices, including the smallest endpoints, must support mutual authentication, ensuring all communication is between known, trusted devices and all access is authorized.
With the number of IoT devices growing into the billions, a scalable solution for generation, distribution, and revocation of keys and certificates is required. Icon Labs’ Floodgate CA and PKI Toolkit provides the automation and scalability required for the IoT.
Enterprises and OEMs can deploy a hardened Certificate Authority server or hierarchy of servers in their own private environment. This provides a closed PKI system without dependence upon public certificate authorities or other third parties. Companies have the flexibility to implement a customized CA hierarchy to meet their requirements.
Floodgate PKI Client for IoT
Icon Labs’ Floodgate PKI Client enables IoT devices to generate keys, create certificate signing requests, and retrieve signed certificates from the CA.
· Supports SCEP, EST and OCSP
· Supports RTOSes, embedded Linux and Windows devices
· Supports resource-limited IoT devices
· Operates with Icon Labs CA or a public CA
IoT Device Authentication
Device authentication is a key component of security for IoT devices. Certificate-based authentication using public key infrastructure provides a proven, reliable authentication method. The Floodgate Certificate Authority and Floodgate PKI Client enable certificate-based machine-to-machine authentication for IoT devices.
· Secure device identification using unique PKI certificates
· Mutual device authentication for security protocols such as TLS
· Strong protection against hacking by optionally storing certificates and private keys in a TPM or other hardware-based secure storage
· Credentials for secure remote device management, software update, and attestation
· Easy integration and deployment of device identity
· Device certificate provisioning and maintenance
TPM and Secure Key Storage Integration
Icon Labs Floodgate PKI Client supports TPM integration or other secure key storage solutions. The PKI Client uses the TPM to generate a private key. The private key never leaves the TPM, protecting it from malicious attacks or accidental leakage. The PKI Client builds a certificate signing request around the corresponding public key and sends it to the CA. The CA returns the signed certificate to the device. All operations requiring the private key are performed by the TPM, ensuring the private key remains protected.
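The enrolment flow described above (key generated in hardware, CSR built over the public key, CA signature check and certificate issuance, then verification against the private CA), as an added Go example that is not Icon Labs' code and calls no Floodgate API. It assumes a stand-in hwKey type in place of a real TPM driver, a self-signed private CA built inline, and a constructed device name; the CA-side CheckSignature call is the step that refuses a CSR whose signature does not match the public key it carries.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"time"
)

// hwKey is a stand-in for a TPM-resident key (assumption; no real TPM driver is called):
// callers get only Public() and Sign(), so the private scalar never leaves the struct.
type hwKey struct{ priv *ecdsa.PrivateKey }
func (k hwKey) Public() crypto.PublicKey { return &k.priv.PublicKey }
func (k hwKey) Sign(r io.Reader, d []byte, o crypto.SignerOpts) ([]byte, error) { return k.priv.Sign(r, d, o) }
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// caIssue is the CA side: CheckSignature is the proof-of-possession check; a CSR that fails it gets nothing.
func caIssue(csrDER []byte, ca *x509.Certificate, caKey crypto.Signer) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil { err = csr.CheckSignature() }
	if err != nil { return nil, err }
	t := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return x509.CreateCertificate(rand.Reader, t, ca, csr.PublicKey, caKey)
}

// enroll runs the flow end to end against a self-signed private CA and returns the issued cert's CN once it verifies.
func enroll(deviceID string) (string, error) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ct := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Private IoT CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, ct, ct, &caKey.PublicKey, caKey))))
	devKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // "generated inside the TPM"
	// Device side: the CSR carries only the public key and is signed through the hwKey interface.
	csrDER := must(x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: deviceID}}, hwKey{devKey}))
	der, err := caIssue(csrDER, ca, caKey)
	if err != nil { return "", err }
	cert := must(x509.ParseCertificate(der))
	pool := x509.NewCertPool(); pool.AddCert(ca)
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return cert.Subject.CommonName, err
}
```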