Filter results by

Integrating SAMI With ARTIK for a Secure IoT

It’s not a surprise that our introduction of the ARTIK platform at IoT World 2015 didn’t go unnoticed. The strong demand for ARTIK DevKits, currently transitioning into Beta, can easily confirm the need for basic modules implementing a common IoT device’s functionality such as CPU, memory, WiFi®, Bluetooth™, ZigBee, sensors, etc.

Having basic IoT modules that function “out of the box” will help IoT device developers to stay focused on their unique goals and avoid reinventing the wheel.

Three types of ARTIK modules (ARTIK 1, ARTIK 5 and ARTIK 10) add even more flexibility for developers, who can choose the right hardware configuration depending on their particular use case.

ARTIK was built with security in mind—all three models have a Secure Element (SE), which can be used to protect sensitive information stored on a device using traditional cryptography, and to store cryptographic materials used to encrypt user’s data. These security features are very important for the scope of the below discussion, since they’ll facilitate a secure integration of IoT devices with SAMI.

Why integrating SAMI with ARTIK is important

As we demonstrated in the previous blog, SAMI supports a secure device registration (SDR) and secure pairing of a device with a user. By implementing this approach on the ARTIK platform, we can help integrate all IoT devices built on that platform to register and to connect to SAMI in a secure manner.

There are two major cases that we can think of:

  1. Any ARTIK-based device that is directly connected to the Internet and can be treated by SAMI as a “normal” IoT device.
  2. An ARTIK-based gateway that can act and send data on behalf of legacy devices that are not directly connected to the Internet and do not use common IP-based protocols.

The first use case (a “normal” IoT device) is really simple from SAMI’s point of view, and fits well to the existing SDR flow.

The second one, which we call ARTIK Hub, is more complex. It requires that additional features be implemented on SAMI, because an ARTIK Hub device should be able to create other devices as end nodes and send data on their behalf.

We’ve created a working prototype for the “ARTIK Hub” use case and will describe it in the rest of this blog.

Using ARTIK as a hub

The below diagram shows a common usage of the ARTIK Hub:

ARTIK Hub

A user controls ARTIK Hub through a mobile application (called Controller) that can also be used to pair multiple home devices with the Hub, using the connectivity options supported by ARTIK.

From SAMI’s point of view, the Controller application running on the mobile device can be considered as a third-party app that is associated with the owner of all IoT devices connected directly to the Hub.

As a third-party SAMI app, Controller can request an application token from SAMI using the traditional OAuth flow, in which a user would grant permissions to the Controller application to write information generated by their devices to SAMI.

The user would need to sign into SAMI only one time to get a token for the third-party app. After this is done, the app can refresh the OAuth tokens using SAMI’s token-refresh mechanism.

The user experience

The following video demonstrates how SDR looks from a user’s point of view:

 

You’ll see an ARTIK Hub mobile application and a browser that both run on a BlueStacks Android emulator. At the very beginning, a user selects “Secure Registration” from the Controller menu:

ARTIK Hub menu

and then clicks the “GENERATE PIN” link:

Generate pin

This will generate a /cert/devices/registrations API call as described in the SDR API documentation.

In the response, the SDR API generates a PIN and nonce and sends these back to the ARTIK Hub app.

The generated PIN will be presented to a user as follows:

Generated pin

To complete the registration, the user would need to open a browser, sign into their SAMI account, select “The ARTIK Hub” device type and register a new ARTIK Hub device using the provided PIN.

After the registration is completed, a device connected to the ARTIK Hub can start sending data through a secure socket. For the purposes of this demo we’ve just used a “POST MESSAGE” button to send data.

The next step is to verify that data has been received through the SAMI User Portal:

Data received

The rest of the video demonstrates adding a new user to the ARTIK Hub and sending data to SAMI on behalf of this new user.

This is how data looks in the SAMI User Portal after two different users have finished sending their messages:

Data from two users

Device certificate provisioning

Since the SDR flow requires a private key and a certificate to be provisioned to an ARTIK Hub device, we came up with a flexible solution that can be used on Hubs and other ARTIK-based devices as well.

We’ve created a tool called SAMIcerts that allows creating a root certificate for each IoT vendor and generates as many device certificates as needed for each vendor.

An advantage of the SAMIcerts tool is that all certificates created this way will be automatically compliant with our security requirements.

The tool and its source are currently available by request on all major Linux platforms. SAMIcerts has been ported to the ARTIK 10 platform and used to integrate ARTIK and SAMI.

We currently add new vendors to SAMI manually. This includes verification of the vendor verification and making its root certificate trusted on our servers.

After a vendor is provisioned on SAMI, they can start using the SDR flow for all their devices.

SAMIcerts usage

SAMIcerts simplifies a process of certificate creation and makes the generated certificates automatically compliant with our security requirements.

To generate a new root certificate authority, a vendor can run a simple command like below:

cr_root.sh /C=US/ST=California/O=MyOrg/OU=MyDep/CN=MyDevAuthority

The above command will generate a root certificate and a private key. The latter will be used for signing all client certificates for the devices belonging to this vendor.

To generate a client certificate signed by the generated root key, a vendor would need to run the following command:

cr_cert.sh xxxxxxxxx MyAwesomeDevice

where xxxxxxxxx is a certificate serial number and MyAwesomeDevice is a device name.

After certificates are generated and provisioned to a device, the latter can start using SAMI’s SDR flow.

Storing secrets and the next steps

In this proof of concept, the certificates and private keys have been stored on ARTIK’s file system, which is of course not the safest solution. We do plan storing a private key on a device’s SE in the future, as well as provide libraries and code samples that would demonstrate secure key storage.

Conclusion

The sky’s the limit on what kind of IoT devices will be built on top of the ARTIK platform. It’s easy however to imagine that in many applications, these devices will be processing sensitive data—in which case secure device registration available “out of the box” can be invaluable in freeing developers to solve new problems.

To learn more about ARTIK, visit the website.

Get the ARTIK Newsletter

You like your news fresh! Sign up now and you will be the first to know about our latest software releases, coding tips, upcoming events, blog posts, datasheet updates, and more.

By providing your contact information, you agree to our Privacy Policy and Terms of Use, confirm you are an adult 18 years or older, and authorize Samsung™ ARTIK to contact you by email with information about Samsung™ ARTIK products, events, and updates for Samsung IoT Solutions. You may unsubscribe at any time by clicking the link provided in our communications.