To improve the accessibility of our content, please find the audio version of this blog post.
Thanks to the STSAFE-A110 secure element and ST’s Secure Factory processes, customers can now create family-wide security certificates to automate the authentication and attachment of devices to AWS and Azure clouds. And to make the feature even more accessible, we’re opening it to productions of only 5,000 units or more.
Experts know that the cloud has a bright and dark side. On the one hand, it allows engineers to share an unimaginable amount of information to connect our physical world to data. On the other hand, securing a cloud is complex, and device attachment operations are sensitive as well as laborious. Requiring device makers to log in and register each device may be tedious and costly. ST’s solution solves this by creating a system that automatically attaches a product family to a cloud account. Let us, therefore, explore this issue in more details and see what teams can do today in preparation for it.
STSAFE-A110 and the Cloud: The Need for a Secure Element and the Challenge of Per-Device Registration
Security in the Cloud and the Importance of a Secure Element
Fundamentally, a device connecting to a cloud must be authenticated by proving its identity and its entitlement to specific privileges. Such process almost always involves a challenge-response authentication protocol. In this instance, the asymmetric scheme uses a private key and a certificate containing the device ID and public key. The server first requests the certificate and verifies its validity. The same server will then challenge the sign-in process by asking for a challenge signature to confirm that the certificate came from the device. The client device answers such requests by signing a challenge with its unique and hidden private key. The STSAFE-A110 assists in the process by offering tamper-proof secure storage and an optimized asymmetric authentication scheme. The device also comes with customer-specific keys and certificates securely loaded at the ST secure factory before shipment.
Workflow for Devices Attachment and the Need for Automation
Such mechanism is efficient as it enables the attachment of each device to a cloud account by registering its certificate. However, one drawback for a family of devices is that each device must be registered one by one. As a result, the process demands complex and sensitive manufacturing operations. In turn, companies must, therefore, make specific investments since outsourcing the procedure would add significant security risks. Additionally, problems arise when teams must do this for thousands or even millions of devices. When dealing with such volumes, the costs associated with individual registrations may become prohibitive. For instance, when installing connected nodes in a smart city, a company must activate them rapidly. ST is thus offering a solution that streamlines this process.
STSAFE-A110 and the Cloud: A New Way to Automate Attachment
Self-Signed Family Certificates and the Solution to the Attachment Automation Challenge
To facilitate the secure attachment of a family of devices, ST added a new ability to personalize the STSAFE-A110. The functionality relies on an intermediate self-signed certificate assigned to a group of products and registered to a cloud account. As a result, after the single registration of this intermediate certificate on a specific cloud account, the devices automatically attach themselves to that account on their first connection. Moreover, outsourcing manufacturing becomes possible because the OEM (Original Equipment Manufacturer) controls the sole sensitive operation on their premises without needing any specific secure processes during manufacturing. There’s no need to invest in additional equipment or configure devices during assembly. To make the feature even more attractive, we also provide the self-signed family certificate free of charge for a minimum order of 5,000 units.
Development Boards and Software Packages to Jumpstart Projects
The quickest way to take advantage of this feature is to start developments on one of the ST boards that houses an STSAFE-A110 device. For instance, developers can use the B-L4S5I-IOT01A, our latest Discovery Kit IoT Node. Teams working on industrial applications can also turn to the STEVAL-STWINKT1B, which can jumpstart projects relying on condition monitoring or AI at the edge. To help engineers, ST also came up with example applications for both of these boards. For instance, FP-CLD-AWS1 will help applications connect to AWS by using traditional per-device registrations. Once designers are ready for mass production, they can contact ST to generate the self-signed family certification. The process usually takes about a month.