The wolfSSL embedded SSL/TLS library supports many popular hardware secure elements from several suppliers using different technologies.
Some of these hardware elements are specifically designed to enable end-to-end security in IoT devices, by providing a hardware ‘Root of Trust’, and by providing asynchronous cryptography functionality and key vaults.
GSMA is an alliance representing mobile operators, manufacturers and companies focusing on the mobile communication industry. The alliance has published the guidelines to implement a Root-of-trust mechanism, IoT SIM Applet For Secure End-to-End Communication, also known as IoT-SAFE. This technology promotes the use of SIM cards as Root-of-Trust to secure applications and services running on embedded systems connected through the mobile network. IoT-SAFE opens new possibilities for key provisioning through a component that is, in fact, already designed to support end-to-end security within different layers of the protocol.
wolfSSL, in collaboration with partners in the mobile industry, has recently developed an IoT-SAFE module for the wolfSSL embedded TLS library.
The code is portable and it’s designed to be used on an embedded board, equipped with an LTE modem and an IoT-SAFE capable SIM card, but can be easily adapted to run on any environment that has access to a communication channel with an IoT-SAFE capable SIM card.
The module includes several features, such as the possibility to use IoT-SAFE as true random number generator, access asymmetric key operations on the SIM, as well as generate, store and retrieve keys in the secure vault. The most important feature though, is the possibility to equip wolfSSL sessions with IoT-SAFE support, so that all the operations during the TLS handshake for that session are executed through IoT-SAFE commands.
To demonstrate a full TLS endpoint using IoT-SAFE API to complete the handshake and establish a TLS session, we have prepared an example that uses a SIM card pre-provisioned with our test ECC certificate and keys. Both TLS 1.3 and 1.2 are supported.
Securing Device-to-Cloud communication with a robust end-to-end strategy is of course the main priority of this module. However, we are looking forward to seeing wolfSSL IoT-SAFE support used in different applications and use cases.
Are you planning to integrate GSMA IoT-Safe in your TLS or cryptography design? Let us know about your architecture and use cases, write us an email to firstname.lastname@example.org.