Internet of Things (IoT) devices such as sensor nodes are often cost-sensitive and commonly utilize resource-constrained wireless microcontrollers (MCUs). These resource constraints, including limited on-chip memory and security features, may prevent the use of some security standards available in desktop or server environments. However, as they connect to the Internet and often reside in unsecured locations, IoT devices offer potential attack vectors for hackers. To provide a security standard that specifically addresses resource-constrained devices, the Trusted Computing Group, which creates open standards and specifications that enable more secure computing in devices ranging from IoT devices to cloud servers, has developed the Device Identity Composition Engine (DICE) standard. Microsoft assisted the development of the DICE standard and its Azure IoT Hub Device Provisioning Service supports DICE-enabled devices. However, since DICE-compliant devices use X.509 certificates and TLS, they can connect to any IoT service that supports them.
I’ll give you an overview of the benefits of DICE, how it works, and how to get started with DICE on the latest generation of TI’s SimpleLink Wi-Fi device family – the CC323X. I will point you to a SimpleLink Academy example that gives you a detailed step-by-step process of how to use DICE with SimpleLink W-Fi and how to then connect your device to Azure IoT.
How DICE works and its benefits
The DICE standard provides several potential security benefits, including a secure device identity, secure over-the-air (OTA) updates and remote software attestation. Remote software attestation enables a server to verify that a connecting device has indeed booted the correct image, as opposed to malware or an incorrect version. While SimpleLink Wi-Fi devices have always supported these capabilities, an established standard like DICE will simplify customer adoption of such security capabilities.
To meet the varied needs of embedded systems developers, the DICE standard comprises a set of guidelines that give both semiconductor providers and IoT device developers flexibility in implementing a DICE-compliant system. DICE employs industry-standard X.509 certificates. It defines certificate extensions to represent both the device identity and its associated firmware image. The IoT server side can use the DICE-generated certificate chain to perform standard Transport Layer Security (TLS) authentication, both to verify the device identity and to perform attestation of its firmware image. Because the certificate chain includes field values specifically tied to the IoT device’s firmware image, an OTA update requires a new certificate chain so that the IoT server can continue performing remote software attestation.
DICE and SimpleLink Wi-Fi
SimpleLink CC323X devices include the core software required to implement DICE. To prevent malware takeovers, only TI-signed software updates can modify the DICE core software. When DICE support is enabled, the DICE core software utilizes the unique key pair embedded into each SimpleLink device to generate the device identity and associated certificate chain. This operation requires the routing of a certificate signing request (CSR) to the appropriate certificate authority. The IoT device then uses this certificate chain for TLS authentication when joining the IoT network. The SimpleLink OTA operations are also DICE-enabled, automatically deleting the old certificate chain and generating a new one when the OTA operation replaces an existing IoT device firmware image with a new one.
You can learn more about DICE and SimpleLink Wi-Fi by viewing this SimpleLink Academy module that mimics the use of DICE in a production line process. This module will walk you through creating the DICE CSR, getting it signed using openSSL and securely storing the certificate in the SimpleLink secure file system. It then takes you through the steps needed to connect to Azure IoT with this certificate.
