
Secure Storage

It’s not enough that IoT device makers have to protect confidentiality and integrity of data on their devices as a matter of doing business—they may also be required to comply with more specific (and stricter) regulations and guidelines such as HIPAA (Health Insurance Portability and Accountability Act) in the U.S. and GDPR (General Data Protection Regulation) in the EU. Poorly designed systems that result in data loss can also adversely impact end users and expose device manufacturers to significant brand damage. Tougher regulations also mean IoT companies and their employees can face crippling fines. To address these concerns, Samsung built the ARTIK IoT platform from the ground up with data security in mind.

The Samsung ARTIK security architecture protects data at rest, data in use, and data in motion

The high security standards of the ARTIK IoT platform require each device to meet two storage requirements—it must provide secure storage to guarantee confidentiality and data integrity, and all storage security must be hardware-backed. Devices that do not meet these requirements cannot connect with the Samsung SmartThings cloud.

ARM TrustZone

The Samsung trusted execution environment (TEE) implementation takes advantage of the ARM® TrustZone® hardware architecture. TrustZone allows for the complete separation of the trusted execution thread from the device’s regular execution environment. Using a well-proven and widely deployed architecture implemented in hardware provides for improved security assurance.

Developers have two options when it comes to utilization of a TEE—they can use a Samsung-developed hardened trusted execution environment or a pre-integrated TEE from Trustonic.

Samsung secure execution environment (SEE)

By providing a hardened TEE, the Samsung SEE reduces the attack surface and uses FIPS 140-2 certified cryptography. The SEE environment supports both the implementation of core encryption functions and provisioning of additional credentials.

The SEE environment includes all the key and cryptography services required to protect your data.

  • Key Manager: Provides APIs to generate, set up, and remove keys
  • Certificate Manager: Provides APIs to request, manage, and verify certificates and signatures
  • Crypto Manager: Provides APIs for Advanced Encryption Standard (AES) and RSA encryption and decryption
  • Secure Storage Manager: Provides APIs for initializing and managing the secure storage
  • Post Provision: Provides APIs for injecting and provisioning a certificate and key into Secure Element

The ARTIK TEE is also available pre-integrated with Trustonic to run entire applications in a completely isolated secure environment. The Trustonic TEE is a hardware-based execution protection mechanism, requiring no additional hardware to be installed on the device. This integration makes Samsung ARTIK devices ideal for trusted applications that require a secure and isolated execution environment with strong authentication and identity verification as well as controlled access to resources.

Secure storage implementation

Secure storage can be implemented using a Secure Element, TrustZone-based TEE software, a physical unclonable function (PUF), and other methods. In any case, each device should have a unique key for encrypting data in secure storage. Samsung ARTIK devices store data using the eMMC file system (flash-based) and a Secure Element.

Secure file system

The Samsung eMMC secure file system uses the same storage as the host operating system. However, a specific partition is managed by the TrustZone-based Samsung Secure OS. This approach encrypts all data in this partition using a unique key that is generated at runtime and stored as a file unit.

Hardware Secure Element

The Samsung Secure Element is an isolated storage device that supports the storage of digital certificates, up to 16 AES 128-bit keys, and a number of public/private key pairs. It provides high levels of security (Common Criteria EAL5 Augmented) in hardware with anti-tamper measures. Additionally, its secured software environment delivers the highest level of security available on consumer devices.

Developers can access and use the secure storage via the APIs provided by the ARTIK security library and select the storage type by using an API argument.

The Secure Element protects credentials and keys using the following key technologies:

  • Custom random layout, including memory encryption
  • Digital fault detection, including protection against fault-injection attacks
  • High-speed secure cryptography engines with a secure low power CPU

Physically Unclonable Function

ARTIK 053 modules also provide provisioning of X.509 certificates and corresponding keys and identities inside the secure storage implemented using a PUF. The PUF is ideally suited to smaller IoT devices because it provides many attributes of the secure element—such as protection of unique keys and digital certificates—with reduced overhead.

Edge-to-cloud protection

The ARTIK platform protects data from edge to cloud. It provides an easy and secure connection with the cloud by employing a shared root of trust, which enables all IoT system components to quickly establish a secure channel of communication. At the core of this approach, ARTIK SOMs are pre-provisioned with certificates and keys that chain to a common root Certificate Authority (CA). This ensures that data on devices and the cloud servers to which they connect is always secure.
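
The check that a shared root of trust relies on can be reproduced with the `openssl` command line. The script below is an added example, not Samsung's code or the ARTIK security API: it builds two constructed root CAs, issues one device certificate from each, and shows that a verifier pinned to the common root accepts only the device provisioned under it. All names, subjects and paths are made up for the demo.

```shell
# Constructed demo of a shared root of trust; every name here is made up.
set -eu

# make_root DIR CN: create a self-signed EC P-256 root CA in DIR.
make_root() {
    mkdir -p "$1"
    cat > "$1/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/root.key"
    openssl req -x509 -new -config "$1/ca.cnf" -key "$1/root.key" \
        -sha256 -days 30 -out "$1/root.crt"
}

# issue_device DIR CN: create a device key and a certificate signed by DIR's root.
issue_device() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key"
    openssl req -new -config "$1/ca.cnf" -key "$1/$2.key" -subj "/CN=$2" \
        -out "$1/$2.csr"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -set_serial 1 -sha256 -days 30 -out "$1/$2.crt" 2>/dev/null
}

# chains_to_root ROOT_CRT CERT: succeed only if CERT verifies against ROOT_CRT.
chains_to_root() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: report how a verifier pinned to the common root treats two devices.
demo() {
    d=$(mktemp -d); out=""
    make_root "$d/common" "Constructed Common Root"
    make_root "$d/other" "Constructed Other Root"
    issue_device "$d/common" device-a
    issue_device "$d/other" device-b
    for dev in common/device-a other/device-b; do
        if chains_to_root "$d/common/root.crt" "$d/$dev.crt"
        then out="$out ${dev#*/}=accept"; else out="$out ${dev#*/}=reject"; fi
    done
    rm -rf "$d"; echo "${out# }"
}
demo
```

The device private keys never leave the directory that stands in for each device; on real hardware they would sit in the secure storage described above rather than in files.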

Security built into the platform eases IoT development

All of these storage protection features combine to provide additional levels of device and data protection as well as the highest levels of security across the ARTIK IoT platform—from edge devices to the cloud.

ARTIK SOMs with secure storage and a shared root of trust provide additional device-level data protection. They enable companies to benefit from safe data exchange and interoperability, while also providing secure access to cloud-based ARTIK IoT services that enhance customers’ experiences throughout the product lifecycle. These include device onboarding, orchestration, management, and over-the-air updates.

By building security into these devices and across the entire platform, ARTIK makes it fast and easy for manufacturers to create IoT systems with security based on best practices. This end-to-end security eliminates many of the risks of end user disruptions and non-compliance with regulations.
