
What is strong authentication and why do devices connected to the network depend on it?


Author: Héctor Tejero, Arrow Electronics

Introduction

Authentication is essential for enterprise applications. By verifying the identity of users, devices, and system entities, applications ensure that only authorized personnel, devices, or systems have access to sensitive information and resources, reducing the potential for data breaches.

In the context of IoT, various authentication methods are worth exploring, such as certificate-based authentication and token-based authentication. The authentication material used by IoT devices is typically protected in a hardware Root of Trust (RoT) managed by a Trusted Execution Environment. A RoT is a component, or set of components, that provides a secure foundation for a system's security mechanisms; it is essential to establishing trust in a system and ensuring its secure operation.

A RoT provides the cryptographic and trust services that serve as the building blocks of a trusted device. It is essential for ensuring that unauthorized boot code or software components on a device cannot be used to authenticate to the network as a genuine device, to steal or compromise sensitive data, or to attack the network.

Certificate-based authentication

Certificate-based authentication is an authentication method that uses digital certificates to verify the identity of a user or device. A digital certificate is a digital file that contains information about the user or device and a public key that can be used for encryption and verification of digital signatures.

In certificate-based authentication, a user or device presents a digital certificate to a server to authenticate its identity. The server verifies the certificate by checking that its digital signature was produced by a trusted certification authority, the one that issued the certificate. If the certificate is valid, the server allows the user or device access. Two-way (mutual) authentication, in which the server also presents a certificate to the client, is also common.

Certificate-based authentication is considered more secure than traditional password-based authentication because it is more difficult to steal or guess a private key than a password. Furthermore, digital certificates are usually issued for a certain validity period. They can be revoked if the certificate is compromised or if the user or device is no longer authorized to access the system.

Certificate-based authentication is commonly used in secure web applications, virtual private networks, and other systems that require strong authentication. It is also widely used in IoT to secure communications between devices and the network or cloud.

To implement certificate-based authentication, a user or device must obtain a digital certificate from a trusted certification authority. The certificate is typically installed on the user's device or stored on a smart card or other secure hardware such as a hardware RoT. When the user or device connects to the server, it presents the certificate as proof of its identity. The server verifies the certificate and grants access if it is valid. Certificate-based authentication is built into many IoT protocols, including the widely used SSL/TLS protocol.
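The following Go program is an added example (not code from the article or from Arrow Electronics) that models the steps just described with the standard library only: a certification authority issues a device certificate for a limited validity period, and the server verifies the presented certificate against the trusted CA, checks the validity window and client-authentication usage, and consults a revocation list. The CA name, the device identity and the in-memory revocation list are constructed for the example; on a real device the private key would be generated and held inside its RoT.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // keeps the example short; real code would return the error
	if err != nil {
		panic(err)
	}
	return v
}

// sign has key sign tmpl and parses the result; parent == tmpl yields a self-signed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))))
}

// NewCA creates a self-signed certification authority (constructed name) valid for one year.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example IoT CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0)}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// IssueDeviceCert has the CA certify a device's public key for client authentication for ttl; the private key never leaves the device's RoT.
func IssueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, devPub *ecdsa.PublicKey, id string, ttl time.Duration) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: id}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl)}
	return sign(tmpl, ca, devPub, caKey)
}

// VerifyDevice is the server-side check: chains to the trusted CA, validity window covers now, client-auth usage allowed, serial not revoked.
func VerifyDevice(cert, trusted *x509.Certificate, revoked map[string]bool, now time.Time) error {
	if revoked[cert.SerialNumber.String()] {
		return errors.New("certificate revoked")
	}
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

Note that Go's Verify assumes server-authentication usage unless told otherwise, so a server validating device certificates must request client-authentication usage explicitly, as VerifyDevice does.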


Token-based authentication

Authentication tokens, on the other hand, are used in cloud applications to authenticate and authorize IoT devices. When a device attempts to establish a connection to a cloud service, the authentication server generates a token and returns it to the device, which then presents it to complete the connection request to the server. The token is usually a string of characters specific to the IoT device and the current session.

The device stores the token, typically in local secure storage backed by hardware isolation, and sends it to the server along with each subsequent request. The server then verifies the token to determine whether the device is authenticated and authorized to access the requested resource.

Authentication tokens can be implemented using various protocols, including OAuth 2.0 and JSON Web Tokens (JWT). The specific implementation will depend on the application requirements and system security needs.

Message Queuing Telemetry Transport (MQTT) is one of the most widespread machine-to-machine network protocols for data telemetry. MQTT has no built-in support for token-based authentication, but it does provide a mechanism for implementing custom authentication methods.

To implement token-based authentication in MQTT, a JWT is used. When the client connects to the authentication server, the server verifies the client's identity and issues it a JWT session token. The client uses this temporary JWT to connect to the MQTT broker, which checks that the JWT is valid before granting access. It is important to keep the JWT in the device's protected storage: if an attacker steals it, it can be used to gain access to the MQTT broker for as long as it remains valid.

Using authentication tokens has its advantages. A self-contained token such as a JWT is stateless: the server can verify it without keeping any session state. Tokens can also be set to expire or be revoked, which provides additional security and control over access to the application; note that revoking a token before it expires requires the server to keep a list of revoked tokens, so revocation is the one part of the scheme that does need server-side state.
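This Go program is an added example (not code from the article) that implements both sides of the MQTT flow above with the standard library: the authentication server issues an HS256 JWT naming the device, its expiry and a token ID, and the broker verifies it before granting the connection. The shared-secret HMAC algorithm, the claim set and the in-memory revocation list are assumptions made for the example; it makes concrete the difference between the two ways the text says a token can stop being valid, since expiry is enforced from the token alone while revoking a token early needs broker-side state.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

type Claims struct {
	Sub string `json:"sub"` // device identity, e.g. its MQTT client ID
	Exp int64  `json:"exp"` // expiry as Unix seconds: the token is temporary
	Jti string `json:"jti"` // unique token ID, so the broker can revoke it before it expires
}

var b64 = base64.RawURLEncoding
// The broker accepts exactly this header, which rules out alg=none and algorithm substitution.
var header = b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))

func sign(secret []byte, input string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(input))
	return b64.EncodeToString(m.Sum(nil))
}

// IssueJWT is the authentication server side: sign header.payload with the secret shared with the broker.
func IssueJWT(secret []byte, c Claims) string {
	payload, _ := json.Marshal(c) // cannot fail for this plain struct
	input := header + "." + b64.EncodeToString(payload)
	return input + "." + sign(secret, input)
}

// VerifyJWT is the broker side: check structure and signature (constant time) before trusting any claim, then expiry and revocation.
func VerifyJWT(secret []byte, token string, now time.Time, revoked map[string]bool) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] != header || !hmac.Equal([]byte(parts[2]), []byte(sign(secret, parts[0]+"."+parts[1]))) {
		return c, errors.New("malformed token or bad signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return c, errors.New("malformed claims")
	}
	if now.Unix() >= c.Exp || revoked[c.Jti] { // expiry needs no state; revocation needs the broker's list
		return c, errors.New("token expired or revoked")
	}
	return c, nil
}
```

With HS256 the broker holds the same secret as the authentication server and could mint tokens itself; an asymmetric algorithm such as ES256 lets the broker hold only a public key.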

Conclusion

Many forward-thinking organizations have been transforming toward service-based business models to be more successful in the digital economy. And it is clear that strong authentication methods and robust security will continue to play a crucial role in supporting the delivery and consumption of secure services, now and in the future.

This is the third in a series of articles from Arrow Electronics exploring the desirable characteristics of secure connected systems.