Embedded security in IoT – reference design

Maxim Integrated has posted details of a reference design it terms DeepCover Embedded Security in IoT Authenticated Sensing and Notification: MAXREFDES143# is an Internet of Things (IoT) embedded security reference design, built to protect an industrial sensing node by means of authentication and notification to a web server.
By Graham Prophet


The design’s hardware includes a peripheral module representing a protected sensor node monitoring operating temperature and remaining life of a filter (simulated through ambient light sensing) and an mbed shield representing a controller node responsible for monitoring one or more sensor nodes. The design is hierarchical with each controller node communicating data from connected sensor nodes to a web server that maintains a centralized log and dispatches notifications as necessary.


In this IoT-embedded world, security emerges as a paramount feature to protect industrial equipment from counterfeiting while tracking product lifetime with smart notifications. The reference design demonstrates an authenticated data chain from a protected sensor node to a web server. The web server notifies the user when intervention is required, such as when it is time to change the consumable being monitored (i.e., the protected sensor node), a filter in this case, or when an unsafe consumable (i.e., a counterfeit sensor node) is installed.

The operating sequence is:

– When requested by the mbed Platform, the Sensor Node measures temperature using the DS7505 and simulated filter life using the MAX44009, which measures the light passing through the filter.

– The mbed Platform uses the DS2465 to perform an Authenticated Write to filter life stored on the Sensor Node if necessary.

– The mbed Platform requests a challenge from the Web Server to prevent replay attacks.

– The DS2465 and the mbed Platform together formulate a MAC from the following components: formatted sensor data, a Transport Secret derived from the Master Secret, and the challenge received from the Web Server.

– The mbed Platform sends sensor data and the newly formulated MAC to the Web Server using a Wi-Fi connection.

– The Web Server verifies the MAC, adds authentic sensor data to the log, and distributes alerts if necessary.
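
The challenge, MAC and verification steps above, sketched as an added example that is not Maxim's code and does not reproduce the DS2465's MAC input format. HMAC-SHA-256 stands in for the coprocessor's SHA-256 MAC, and the transport-secret derivation, node identifier, sample secret and data encoding are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample value; in the design the secrets live in secure key storage.
MASTER_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def derive_transport_secret(master: bytes, node_id: bytes) -> bytes:
    # Assumed derivation: per-node secret = HMAC-SHA-256(master, label || node_id).
    return hmac.new(master, b"transport|" + node_id, hashlib.sha256).digest()


def compute_mac(transport_secret: bytes, challenge: bytes, data: bytes) -> bytes:
    # Length-prefix the challenge so (challenge, data) cannot be re-split ambiguously.
    msg = len(challenge).to_bytes(2, "big") + challenge + data
    return hmac.new(transport_secret, msg, hashlib.sha256).digest()


class WebServer:
    def __init__(self, master: bytes):
        self._master = master
        self._pending = {}   # node_id -> outstanding challenge
        self.log = []        # authenticated sensor records only

    def issue_challenge(self, node_id: bytes) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending[node_id] = challenge
        return challenge

    def submit(self, node_id: bytes, data: bytes, mac: bytes) -> bool:
        # pop() makes each challenge single-use, so a captured post cannot be replayed.
        challenge = self._pending.pop(node_id, None)
        if challenge is None:
            return False
        secret = derive_transport_secret(self._master, node_id)
        expected = compute_mac(secret, challenge, data)
        if not hmac.compare_digest(expected, mac):   # constant-time comparison
            return False
        self.log.append((node_id, data))
        return True


def controller_post(server: WebServer, node_id: bytes, secret: bytes, data: bytes):
    # Controller side: fetch a challenge, MAC the reading, send both.
    challenge = server.issue_challenge(node_id)
    mac = compute_mac(secret, challenge, data)
    return mac, server.submit(node_id, data, mac)
```

A post is logged only when its MAC matches the outstanding challenge, so a replayed message, altered sensor data, or a node without the correct transport secret is rejected.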


The mbed shield contains a Wi-Fi module, a DS2465 coprocessor with 1-Wire master function, an LCD, LEDs, and pushbuttons. The protected sensor node contains a DS28E15 authenticator, a DS7505 temperature sensor, and a MAX44009 light sensor. The mbed shield communicates with a web server through the onboard Wi-Fi module and with the protected sensor node over I²C and 1-Wire. The MAXREFDES143# is equipped with a standard shield connector for immediate testing using an mbed board such as the MAX32600MBED#. The simplicity of this design, Maxim asserts, enables rapid integration into any star-topology IoT network requiring heightened security with the low overhead provided by the SHA-256 symmetric-key algorithm.


Features of the design include:

– SHA-256 authentication

– Unique secret for each node in the system

– DeepCover secure key storage

– 1-Wire/I²C/Wi-Fi interfaces

– Example source code

– mbed shield equivalent to Arduino form factor pinout

– Pmod-compatible protected sensor node


The design offers, Maxim concludes, crypto-strong authentication; no need for secure key storage memory on the processor; and low-overhead performance for signed data between the web server and the mbed platform. Suggested areas of application include authentication of Internet of Things (IoT) device nodes; data authentication at all levels from sensor node to web server; protection of industrial applications from counterfeiting; tracking product lifetime with smart notifications; and invalidating unsafe industrial sensor nodes.


Maxim; www.maximintegrated.com/en/design/reference-design-center/system-board/6295.html


eeNews Embedded