Protecting IoT Components & Devices with Key Injection
An IoT ecosystem has far reaching application areas - from home networks to medical and automotive industries, through to national defence. When considering these, it’s important to focus on the supply chain as a whole- various global suppliers, distributors, manufacturers and multiple technologies coupled with processes for contracting and logistics. Add this to the engineering beyond what makes the end product or device possible- an interconnected IoT ecosystem where protection of components is critical - any poorly-built component can cause a systematic failure and therefore, security is paramount.
Giving each component a unique electronic identity increases the authenticity of the device, and this is achievable by injecting a unique identity in each component- key injection. The integrity of the key injection process is of extreme importance and can be achieved by using HSMs to establish a Root of Trust for this process.
Utimaco provides industry-grade key injection solutions and a remote key loading Hardware Security Module (HSM) enabling remote key lifecycle management and tracking, including distribution control - creating, securing, and managing required keys and monitoring the full key lifecycle from creation to termination.
Business value
Root of Trust for IoT
- Ensuring that each device has a unique electronic identity that can be trusted and managed throughout the complete device life-cycle from manufacturing (key injection) through device operation (PKI) to end-of-operation (key termination).
- Secures key storage and processing inside the secure boundary of the HSM
- Provides the ability to update the System Master Key (SMK) for periodic key rotation
Remote Access
Remote Key Delivery- Supporting the remote distribution of keys to deployed (POI) terminals
Device & Data Security
- Providing each device with a trusted ‘key injected’ identity using digital certificates
- Ensuring secure communication and software updates over the lifetime of the device
- Allows users to securely store secret data such as HSM master key components, passwords, PINs, safe combinations, access codes, and derivation data.
- Secures storage of data obtained and shared by devices in a database using encryption and secure key storage in an HSM
- Device auditing & tracking
- If a device demonstrates unusual behaviour, administrators can revoke privileges or decommission the device
Scalable and flexible
- Recently introduced feature- the ARCKTM API (API for Remote Centralized Key Management) that allows for new schemas to be included for support
- The API can even be used for the purposes of issuing Cryptographic Signing Requests to third party Certificate Authorities.
- Seamless integration- supplying a key injection solution for establishing a secure, authenticated network of devices
- Provides additional terminal-specific functionality supported through the KeyBRIDGE injection dashboard for each supported device.
- Performs periodic key rotations in the instance of suspected or known key compromise by quickly and efficiently replacing terminal keys in the field
- Multiple integrations with PKI applications, database encryption
- PKI can be managed on-premise or cloud-based.
- Supports the requirements of Verifone Remote Key (VRK), allowing customers with their own Terminal Management Systems to build a remote keying facility.
Deployment options
On Premise
- Useful for centralized use cases without a requirement of scalability or remote accessibility and existing legacy infrastructure
- Defined total cost of ownership
- Complete control on hardware and software, including configuration and upgrades
- Secured uptime in areas with insatiable internet connectivity
- Preferred choice in industry-segments where regulation imposes restrictions
In the Cloud
- Strategic architectural fit & risk management for your high value assets
- Provides flexibility, scalability and availability of HSM-as-a-service
- Ideal for a multi-cloud strategy, supporting multi-cloud deployments & allows for migration flexibility
- Allows you to seamlessly work with any Cloud Service Provider
- Easy-to-use remote management and on-site key ceremony service option
- Full control over data through encryption key life-cycle and key administration
- Secured data privacy through Bring-Your-Own-Key procedures