Adding Secure Element Support Using AWS IoT Greengrass Hardware Security Integration (HSI)

By Richard Elberger, Partner Solutions Architect at AWS

Internet of Things (IoT) gateways enabled with AWS IoT Greengrass connect to the AWS IoT Core service, and AWS IoT Greengrass gateways also manage the connections from the gateway downstream to edge nodes.

In embedded security, the concept of “root of trust” is crucial. Each connected system needs to have a unique, trusted, protected, and managed identity. If a private key is accessed then the attacker can impersonate the connected device or gateway.

A device identity is:

• Unique due to its private key.
• Trusted due to the public key infrastructure (PKI) associated to the private key.
• Protected with the usage of a secure element, such as the ATECC608a from Microchip.
• Managed with a combination of AWS services such as AWS IoT Core authentication and AWS IoT Greengrass service role composed by Device Certificate Management (DCM).

So, how do you integrate the security concepts above into an AWS IoT Greengrass gateway?

In this post, we’ll discuss the AWS IoT Greengrass security framework using AWS IoT Greengrass Hardware Security Integration (HSI) and how it works with secure elements. We’ll also explore coupling Just in Time Registration (JITR) or Just in Time Provisioning (JITP), and how to implement the secure element from Microchip leveraging AWS IoT Greengrass HSI.

Microchip Technology is an AWS Partner Network (APN) Advanced Technology Partner with the AWS IoT Competency. They offer microcontroller and analog semiconductors, providing low-risk product development, lower total system cost, and faster time to market.

If you want to be successful in today’s complex IT environment, and remain that way tomorrow and into the future, teaming up with an AWS Competency Partner is The Next Smart. The AWS Competency Program verifies, validates, and vets top APN Partners that have demonstrated customer success and deep specialization on AWS.

AWS IoT Greengrass Security Framework

The AWS IoT Greengrass security model is based on X509 certificates with mutual TLS authentication described in the AWS IoT Greengrass Security Developers Guide.

As shown in Figure 1, a public/private key pair and certificate are generated for the AWS IoT Greengrass device core (B). This private key will be used to authenticate the AWS IoT Greengrass core device. The signature, based on that private key, will be verified by AWS IoT Core and/or the AWS IoT Greengrass cloud service using the AWS IoT Core Root CA.

Figure 1 – AWS IoT security model roles and responsibilities.

Device certificates (C) need to be created with associated public/private key pairs along with AWS IoT policies for each device that will connect to the AWS IoT Greengrass core. The edge node device private key (C) will issue a signature that will be verified by the AWS IoT Greengrass core root CA (E).

If proper design considerations are not performed, private keys are accessible in memories of the gateway and stored in vulnerable zones that could lead to the device being compromised.

Let’s take a look at how the private keys can be protected by using a hardware secure module (HSM), commonly called secure elements, that are better suited for embedded IoT solutions.

Enabling Secure Key Storage with AWS IoT Greengrass HSI

A secure element is an agnostic companion device for any microprocessor or microcontroller. For example, Microchip provides a CryptoAuthentication device, ATECC608a, which is equipped with side attack channel protection and anti-tampering active shield along with defenses to many other attack vectors. The device has received a Joint Interpretation Library (JIL) “high” rating, making it a robust solution to store private keys.

To communicate with the secure element, a software library comes with a hardware abstraction layer (HAL). In the case of the ATECC608a, Microchip’s CryptoAuthlib is that library.

Now, how can you facilitate communication, in a scalable fashion from a code perspective, between the library and AWS IoT Greengrass running in the Linux environment?

Figure 2 – AWS IoT Greengrass HSI critical security objects.

AWS IoT Greengrass HSI is the missing link between AWS IoT Greengrass and CryptoAuthlib in the example of the ATECC608A. AWS IoT Greengrass HSI is simply an integrated PKCS#11 interface that will work within AWS IoT Greengrass. PKCS#11 is a standard programming interface that enables manipulation or creation of cryptographic assets such as certificates, keys, and other tokens.

To add the secure element interface as part of AWS IoT Greengrass, the user modifies the AWS IoT Greengrass configuration file. The config.json configuration file located at …/greengrass/config directory associated to the PKCS#11 plug-in enables AWS IoT Greengrass HSI.

Here’s an example of the config.json file:

{
    "crypto": {
        "caPath" : "file:///path-to-root-ca",
        "PKCS11" : {
            "OpenSSLEngine" : "/path-to-p11-openssl-engine",
            "P11Provider" : "/path-to-pkcs11-provider-so",
            "slotLabel" : "crypto-token-name",
            "slotUserPin" : "crypto-token-user-pin",
        },
        "principals" : {
            "IoTCertificate" : {
                "privateKeyPath" : "pkcs11:object=corekeylabel;type=private",
                "certificatePath" : "file:///path-to-core-device-certificate"
            },
            "MQTTServerCertificate" : {
                "privateKeyPath" : "pkcs11:object=serverkeylabel;type=private",
            }
        }
    },
    "coreThing" : {
        "thingArn" :
        "arn:aws:iot:aws-region:aws-account-id:thing/thing-name",
        "iotHost" : "HOST_PREFIX_HERE.iot.aws-region.amazonaws.com",
        "ggHost" : "greengrass.iot.aws-region.amazonaws.com",
        "keepAlive" : 600
    },
    "runtime" : {
        "cgroup" : {
            "useSystemd" : "yes"
        }
    },
    "managedRespawn" : false
}

Presently, AWS IoT Greengrass HSI leverages two private keys using either ECC-P256 or RSA 2048 formats for gateway to cloud authentication. ECC-P256 will be the use case covered here because it is a more efficient cryptographic curve, as it uses shorter key lengths for similar performance.

Various key combinations are possible:

• An individual private key named iotkey to authenticate the AWS IoT Greengrass device to AWS IoT Core service.
• An individual private key named MQTT key to authenticate the edge nodes connected to the AWS IoT Greengrass gateway, which can be different from the IoT private key.
• The private key can be the same to authenticate both the AWS IoT Core service and the edge node.
• The private key(s) can be stored in a secure element to improve the system security performance, or can be handled by the file system. It’s recommended to consult with an AWS IoT security expert before using the file security system.

Figure 3 – Example of config.json file.

Secure Authentication Flow with a Secure Element and AWS IoT Greengrass HSI

To take the full value of the AWS IoT Greengrass HSI feature to production, let’s look at the secure authentication flow using an ATECC608a. During manufacturing, the following occurs to eliminate risk of exposure:

• Microchip creates signer certificates and has them signed by the customer with its OEM root certificate authority.
• The signed signer certificates (also called Issuing CA’s) used in Microchip’s factories are also loaded to AWS IoT Core in the customer AWS account using the Use Your Own Certificate function.
• The AWS IoT private key is generated internally by the secure element with its associated certificate, all within Microchip’s secure factories.
• The signer private key signs the secure element IoT certificate associated with the IoT key.

All of the above is done using Microchip’ secure provisioning service during manufacturing so the customer doesn’t have to manage the process.

When the IoT gateway is deployed in the field:

• The AWS IoT Greengrass service requests a signature from the AWS IoT Greengrass core gateway equipped with an ATECC608a.
• The IoT private key stored in the secure element issues an ECDSA signature to the AWS IoT Greengrass core.
• Using p11tool, the associated IoT certificate inside the secure element is pulled from the secure element into the AWS IoT Greengrass file system (config.json file).
• Then, the AWS IoT Core service can leverage JITR to pull the IoT certificate into the customer AWS account and verify it with the signer certificate previously loaded.

Figure 4 – Provisioning workflow.

As shown in Figure 4, let’s walk through the provisioning workflow that occurs between the OEM, Microchip, and the OEM’s AWS account:

1. The OEM creates the AWS IoT account.
2. The OEM creates its Certificate Authority that has a trusted root.
3. The OEM creates certificates for the Microchip production signers. These are intermediates with the OEM certificate being its parent in the chain.
4. The OEM registers production signer certificates into AWS account.
5. Device certificates are loaded into the ATECC608A in Microchip secure factories. The private key is initialized, and the CSR is signed by the signers and loaded into the ATECC608A slot.
6. Microchip ships the initialized ATECC608A chips to the contract manufacturer (CM) making the product on behalf of the OEM.
7. The CM manufactures the product according to the design.
8. The CM ships the product to distribution centers, where the product arrives at stores (or some other end distribution point), and the customer purchases the product.
9. When the customer turns on the device and connects to AWS IoT Core for the first time, the JITR process triggers.
10. Part of the JITR process is verifying the certificate’s relationship with registered CA certificates. Although AWS Lambda plays a significant role in this process, it has been omitted to focus on the security objects.
11. When the certificate meets the OEM’s requirements (based on custom AWS Lambda logic), the certificate is marked active and the customer device can connect normally.

To take the full value of the AWS IoT Greengrass HSI feature to production, the secure authentication flow using an ATECC608a goes as follows. During manufacturing, the following occurs to eliminate risk of exposure:

• Microchip creates signer certificates and has them signed by the customer with its OEM root certificate authority.
• The signed signer certificates (also called Issuing CA’s) used in Microchip’s factories are also loaded to AWS IoT Core in the customer AWS account using the Use Your Own Certificate function.
• The AWS IoT private key is generated internally by the secure element with its associated certificate, all within Microchip’s secure factories.
• The signer private key signs the secure element IoT certificate associated with the IoT key.
• All of the above is done using Microchip’s secure provisioning service during manufacturing so the customer doesn’t have to manage the process.

When the IoT gateway is deployed in the field:

• The AWS IoT Greengrass service requests a signature from the AWS IoT Greengrass core gateway equipped with an ATECC608a.
• The IoT private key stored in the secure element issues an ECDSA signature to the AWS IoT Greengrass core.
• Using p11tool, the associated IoT certificate inside the secure element is pulled from the secure element into the AWS IoT Greengrass file system (config.json file).
• Then, the AWS IoT Core service can leverage JITR to pull the IoT certificate into the customer AWS account and verify it with the signer certificate previously loaded.

The user has now completed the implementation of a TLS mutual authentication between an AWS IoT Greengrass core and AWS IoT Core using AWS IoT Greengrass HSI and a secure element. The combined technologies are particularly well suited to take security into mass production.

Summary

In this post, we explored the importance of using AWS IoT Greengrass HSI when deploying gateways running AWS IoT Greengrass. We learned how AWS IoT Greengrass HSI enables customers to leverage the Microchip secure element to protect AWS IoT Greengrass credentials. We also looked at how customers provision the secure element for production deployments.

To dive deep on AWS IoT Greengrass HSI, see the Hardware Security page in the AWS IoT Greengrass Developer Guide.

To learn more about using AWS IoT Greengrass HSI with the Microchip ATECC608A, visit the Microchip page for AWS IoT Greengrass HSI for the ATECC608A Secure Element.

.

Microchip Technology – APN Partner Spotlight

Microchip is an AWS IoT Competency Partner. They offer microcontroller and analog semiconductors, providing low-risk product development, lower total system cost, and faster time to market for diverse customer applications.

Contact Microchip | Solution Overview

*Already worked with Microchip? Rate this Partner

*To review an APN Partner, you must be an AWS customer that has worked with them directly on a project.