Solving IoT security with IoT SAFE

Anatomy of a smart card

Smart cards have become ubiquitous in our modern world. We use them as credit cards, public transport tickets, hotel room keys, and even in personal ID cards in some countries. While the form factor is different, very similar technology is also used in modern passports and RFID tags used to track inventory in stores, among other use cases. And most importantly for this article, the SIM cards that bind mobile phones and IoT devices to cellular service subscriptions are a type of smart card.

However, many people don’t realize that most such smart cards are, in fact, fully functional computers – while very limited in processing power, the tiny chips contained in smart cards integrate a CPU, up to a couple of hundred kilobytes of flash memory, up to few kilobytes of RAM, and some input-output circuitry to exchange data with the outside world through a distinctive set of gold contacts, a near-field contactless interface, or both. Smart cards can run applications, often written in a special subset of Java called Java Card, and the protocols for communicating with those applications are standardized in the ISO/IEC 7816 documents.

Smart card applications can perform a variety of tasks – SIM cards, for example, contain storage space for the phone book and text messages (even though modern smartphones largely ignore that and store these in the phone’s internal storage). However, the most important function of a smart card is usually the ability to cryptographically authenticate itself so that a bank can verify the account to which a credit card is linked, a cellular carrier can securely link a phone with a specific SIM card to a subscriber, and their phone number or a personal ID can be verified as genuine. This is why many smart cards include a specialized cryptoprocessor that accelerates cryptographic operations and securely stores cryptographic keys – much like Secure Elements used in computer hardware, which we discussed on the HSM blog back in March.

Enter IoT SAFE

Since a SIM card already needs to perform tasks typical of a secure element, very little is in the way of actually using it as a secure element within a larger device. There just needs to be a dedicated application present in the SIM card’s software that exposes such functionality in a more generic way compared to only the operations that are needed to attach to a cellular network.

IoT SAFE (IoT SIM Applet For secure End-2-end communication), a technical standard developed by the GSM Association and the Trusted Connectivity Alliance, has been developed around exactly that thought – it defines an application running on a smart card that performs tasks typical of a secure element, and a set of ISO/IEC 7816-compliant commands to interact with it. It is designed specifically for IoT devices and machine-to-machine applications.

Among the features supported by IoT SAFE, there are:

• Secure storage of symmetric encryption keys and asymmetric key pairs
• General-purpose file storage that can be used for storing certificates or initial bootstrap configuration
• On-card generation of random numbers and asymmetric key pairs
• Typical cryptographic operations used in the TLS protocol: signature calculation and verification, Diffie-Hellman key agreement, HMAC-based key derivation

The operations available through IoT SAFE are closely aligned with the requirements of the TLS 1.2 and 1.3 protocols, so an IoT SAFE-enabled SIM card can be easily used as a root of trust for application layer security based on TLS or DTLS.

This application-layer security is provided on top of any existing link-layer security provided by the cellular network itself. While the root of trust is on the SIM card, it does not necessarily mean that cellular communication needs to be used. A more sophisticated device can use e.g., WiFi for connectivity when possible but still communicate with the SIM card to perform security operations.

The keys and other security information can be either generated by the application using a relevant IoT SAFE operation – which is useful for certificate management protocols such as EST – or can be provisioned by the card operator – either at the factory or later remotely over the air.

Since the root of trust is on the SIM card, it is portable across devices in a similar manner to how you can use your phone number in a different handset by swapping the SIM cards – the secure identity is generally not linked to the physical device, but to the SIM card, which can, in theory, be swapped between devices.

IoT SAFE in practice

A couple of open source projects that wrap IoT SAFE SIM card interface in a higher-level C or C++ API have already shown up, including the IoT Safe Middleware Library from Thales Group, and IoT SAFE APDU library by Orange S.A.

Here at AVSystem, we were able to integrate IoT SAFE with our example client applications for Mbed OS and for FreeRTOS and STM32Cube, using Mbed TLS, the aforementioned middleware from Thales and Anjay’s hardware security module support subsystem. The glue code is a couple of hundred lines long and can be easily adapted to any platform where a C++ compiler is available and AT commands can be sent to the cellular modem. We will be happy to share this code with any customers of the commercial version of Anjay.

To sum everything up, if you are able to cooperate with the cellular service provider on provisioning the security material, IoT SAFE is a solution for IoT end-to-end security that is robust – as it is based on a proper hardware-based root of trust, flexible – as it facilitates out-of-band remote certificate management, big-scale device provisioning, and is also cost-effective – as you don’t need a separate hardware secure element but can reuse the SIM card that is likely to be required in modern IoT devices anyway.