posted: February 16, 2021  updated: February 16, 2021

EST over CoAP Explained

Device authentication is the critical security requirement for the Internet of Things (IoT). Unlike the classic web, where authentication of users is usually not needed, IoT devices are attached to physical equipment whose operation may change as the result of communication. This poses a great risk to the actual security of the equipment and consequently to the human environment as well. For example, if a fire detector is maliciously switched off, a hypothetical fire won't be discovered as quickly as it should be and will be more difficult to combat. This calls for mutual authentication of the device and the server. Essentially, there are two ways of providing mutual authentication: pre-shared keys (PSK) or certificates. In this blog post, we focus on enrollment over secure transport (EST), a robust and scalable mechanism for device certificate management.

What is EST?

EST is a certificate management protocol that enables clients to retrieve Certificate Authority (CA) certificates, enroll a client certificate and renew it when needed. In a public key infrastructure, the EST server can be considered a Registration Authority (RA): it receives certificate signing requests (CSRs) and forwards them to a CA, which is either embedded inside the EST server or an external service.

Apart from these three basic functions, the EST server may optionally implement full Certificate Management over CMS (CMC) enrollment, server-side key generation and listing of CSR attributes. Originally, the enrollment over secure transport protocol was designed for clients using HTTP over TLS (HTTPS), but it can also be implemented with CoAP to provide the same functions to resource-constrained devices.

Enrollment over secure transport with HTTPS

The EST server exposes its functions as HTTP endpoints under the /.well-known/est URI prefix. The client and server communicate over a secure channel, i.e. one that is mutually authenticated and encrypted.

CA certificates are obtained with a GET request on /cacerts. The client uses the CA certificates it receives to verify the signatures of objects returned by the CA.

From the client's perspective, the most important function provided by the EST server is client enrollment. By performing a POST on the /simpleenroll endpoint, the client requests a certificate, providing a certificate signing request (CSR). The certificate can later be renewed or rekeyed by sending a similar POST request to the /simplereenroll endpoint.

Depending on the CA policy, a CSR provided by the client may be required to contain specific attributes. Therefore, some EST servers implement the /csrattrs endpoint, which returns the attributes required by the CA.

The EST server may also provide a server-side key generation function: the client requests a private key and certificate pair from the server with a POST on the /serverkeygen endpoint. This is useful when the client lacks the resources for key pair generation. However, it is not the ideal method from the device security perspective, as the private key can be leaked if the EST server is compromised.

Enrollment over secure transport with CoAP

As many low-resource IoT devices use CoAP instead of HTTP, a need arose to implement enrollment over secure transport for this kind of communication. This variant mainly focuses on reducing the amount of data transferred, which saves energy because the radio is enabled for a shorter period of time. These are the main differences of EST over CoAP:

  • DTLS is used instead of TLS,
  • response content is in a binary format,
  • URIs are shortened, e.g. /cacerts --> /crts,
  • the resource-consuming full CMC request is not supported over CoAP, as the client-side computations would be too heavy and the transferred data may be too large,
  • each function requires the client to be authenticated via a certificate,
  • the server may respond with a delayed response, sending the empty ACK code 0.00 before sending the certificate to the client.

The Coiote IoT Device Management (DM) platform is an HTTPS-CoAPS Registrar rather than a pure CoAP EST server. The Registrar is an agent between the CoAP client and the actual HTTP EST server: it handles incoming CoAP requests, translates them into HTTP and handles communication with the external EST HTTP server.
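The mapping such a Registrar performs, between the HTTPS endpoints of the previous section and the shortened CoAP resources listed above, is shown in this added Python sketch; it is example code, not Coiote's implementation. It assumes the short names /att and /skg for /csrattrs and /serverkeygen, the media types are assumed for illustration, and the CSR bytes are a constructed placeholder rather than a real PKCS#10 object.

```python
import base64
from typing import Optional

# Added example (not AVSystem/Coiote code): minimal request mapping of an
# HTTPS-CoAPS EST Registrar. Short CoAP names /crts, /sen, /sren come from
# the post; /att and /skg are assumed short forms of /csrattrs and /serverkeygen.
EST_PREFIX = "/.well-known/est"
COAP_TO_HTTP = {
    "/crts": ("GET", "/cacerts"),
    "/att": ("GET", "/csrattrs"),
    "/sen": ("POST", "/simpleenroll"),
    "/sren": ("POST", "/simplereenroll"),
    "/skg": ("POST", "/serverkeygen"),
}
# /fullcmc deliberately has no CoAP counterpart: full CMC is not supported
# over CoAP, so the Registrar refuses it instead of forwarding it.

# Constructed placeholder: a valid DER SEQUENCE(INTEGER 0), not a real CSR.
CONSTRUCTED_CSR = b"\x30\x03\x02\x01\x00"


def coap_to_http(coap_path: str, client_cert_der: Optional[bytes],
                 der_body: bytes = b"") -> dict:
    """Translate one CoAP EST request into the HTTP request forwarded to the
    external EST server. CoAP carries raw DER; HTTP carries base64 text."""
    if client_cert_der is None:
        # Every EST-coaps function requires a certificate-authenticated client.
        raise PermissionError("DTLS client certificate required")
    if coap_path not in COAP_TO_HTTP:
        raise ValueError(f"unsupported EST-coaps resource: {coap_path}")
    method, suffix = COAP_TO_HTTP[coap_path]
    req = {"method": method, "path": EST_PREFIX + suffix, "headers": {}, "body": b""}
    if method == "POST":
        if not der_body:
            raise ValueError("enrollment requires a PKCS#10 CSR body")
        req["headers"]["Content-Type"] = "application/pkcs10"  # assumed media type
        req["headers"]["Content-Transfer-Encoding"] = "base64"
        req["body"] = base64.b64encode(der_body)
    return req


def http_to_coap_body(http_body: bytes) -> bytes:
    """Decode the base64 object returned by the HTTP EST server back into the
    binary form sent to the CoAP client (fewer bytes over the radio)."""
    der = base64.b64decode(b"".join(http_body.split()), validate=True)
    if not der.startswith(b"\x30"):
        # DER-encoded PKCS#7 and PKCS#10 objects start with a SEQUENCE tag.
        raise ValueError("response is not a DER SEQUENCE")
    return der
```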

EST in Lightweight M2M – Coiote IoT Device Management case

The main use of the enrollment over secure transport protocol in LwM2M is a security mode called Certificate mode with EST. It is configured on IoT devices during the bootstrap phase. When using EST, the private key is generated on the device, so it never leaves it, and in addition the certificate can be refreshed by the IoT device periodically; both features increase security. In a typical scenario, the device sends an LwM2M Bootstrap Request to the bootstrap server. If the EST certificate mode is enabled during bootstrap, the device then sends a CoAP request to the /sen (simple enroll) endpoint to obtain a certificate, which it uses to connect to the Management server in Certificate mode. If the certificate is about to expire, the device can use the /sren (simple reenroll) endpoint to renew it. The diagram below shows an example scenario in which the device sends a Bootstrap Request to Coiote IoT Device Management and, after bootstrap, uses the EST endpoint to retrieve the certificate, which is then used to register on the Management server.

Summary

As the number of IoT devices grows, so does the importance of device security and device authentication. The more devices there are, the more difficult it is to keep them secure. Enrollment over secure transport is a great mechanism that simplifies the handling of device certificates in large-scale deployments for everyday users. By providing full support for EST, the Coiote IoT DM platform makes it more secure as well as faster and easier for ops teams to manage certificates on devices. Watch our webinar on security to learn more about EST.

Łukasz Kowalski
Software Engineer
