Icon Labs’ and Infineon’s joint solution provides automated certificate injection in the factory and enables OEMs to develop and deploy secured embedded connected devices with relative ease. (see following page, “How it works”) The partnership enables device manufacturers to manage PKI certificates using the OPTIGA TPM – including support for certificate injection during device manufacturing. Instead of having to manually install a certificate into each device, the device comes off the assembly line with a PKI certificate already installed. Infineon`s OPTIGA TPM chip complies with the internationally recognized security standards of the Trusted Computing Group (TCG).
Security is a critical requirement for the IoT, and strong device authentication, using widely adopted PKI technology, enables managed security solutions for IoT deployments. Icon Labs’ Floodgate Certificate Authority (CA) and Floodgate PKI Client allow manufacturers to incorporate certificate-based authentication using the OPTIGA TPM for secure key storage. Capabilities include certificate creation during the manufacturing process using private keys stored in the TPM, certificate creation during device provisioning, and certificate management throughout the life of the device.
Icon Labs provides both the client- and server-sides of the PKI solution required to automate secure provisioning and enrollment. The Floodgate PKI Client is compatible with public and private CAs, providing the flexibility to operate a private PKI system without dependence on a public CA or to operate within the hierarchy of a public CA. The OPTIGA TPM securely stores the keys, the Floodgate Factory CA Server creates device authentication certificates, and the Floodgate PKI Client enables a connection in the field to a CA for issuance of TLS (transport layer security) and other run-time certificates. The certificates create a Root of Trust enabling secure machine-to-machine communications, using keys secured by the OPTIGA TPM.
“Icon Labs’ solution solves two main security challenges for the IoT,” said Steve Hanna, Sr. Principal for Technical Marketing, of Infineon. “OEMs can easily create certificates for devices using the OPTIGA TPM for secured key storage, and, by automating the process, provide the scalability required as the number of IoT devices grows into the billions.”
Alan Grau, President of Icon Labs, adds, “The Floodgate PKI Client provides the device-side software to streamline TPM usage and key storage, while the Floodgate CA Server allows management of Public Key Infrastructure (PKI) certificates after the device is deployed.”
next page; how it works…
How it works
Creating a signed certificate during manufacturing requires several steps. First, the Floodgate PKI Client requests the OPTIGA TPM to generate a new public-private key pair. Using this key pair, a certificate signing request (CSR) is created, while the private key does not leave the TPM. The Floodgate PKI Client sends the CSR to the Factory CA Server, which signs the request and returns a signed certificate to the PKI Client. This certificate can then be used to authenticate the device when the device is provisioned in the field. Follow this link for more information: Automated certificate insertion for OPTIGA TPM
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.