Secure IoT Registry

CIRA recently joined L-SPARK Global’s Secure IoT Accelerator program to help solve a massive, industry-wide problem: securing internet of things (IoT) devices.

Over the coming year, CIRA Labs will be working with a cross-disciplinary team of experts, technologists and advisors to develop a cutting edge Secure IoT Registry – an innovative framework to securely provision IoT devices.

So what’s the pitch?

Take an IoT device such as a generic smart city parking meter. The internet-connected smart meter is similar to a domain name in several respects:

• Both have owners and delegations.
• Each can be transferred to a different owner.
• Their delegation can change (e.g., pointing to a different cloud service provider is similar to pointing to a different IP address).

As a domain registry, CIRA creates a public DNS zone file for .CA and we publish WHOIS information about each domain. As an IoT registry, we would track a given IoT device’s eSIMID, public keys, cloud service provider, and mobile network operator (and their status), and then create a public DNS record of certificate fingerprints that can be used to authenticate individual IoT devices and their cloud service provider credentials based on the unique IoT device eSIMID — all while leveraging the internet based root of trust embedded in the DNS and DNSSEC.

As a result, the CIRA IoT Registry allows the world’s generic IoT devices to seamlessly and securely work between any manufacturer, owner, service provider and network operator.

What’s the problem?

With the widespread deployment of 5G networks on the horizon, there will soon be an explosion of internet-connected devices in households and businesses around the world. Everything from doorbells to fridges to thermostats will ship with a SIM card and a high-quality internet connection. As more and more devices become internet-connected, the cybersecurity risks around them will grow. With this in mind, CIRA is working on an innovative framework to mitigate the risks these devices pose to users as well as the public internet.

How does the Secure IoT Registry work?

CIRA Lab’s IoT Registry will establish trust between the mobile network operators , cloud service providers, IoT device manufacturers, and end-users. The IoT Registry’s core function is to enable any IoT device to connect to any cloud service providers. In short, the IoT registry lets you connect anything to everything securely.

The IoT Registry is similar to a domain registry. In the same way that a domain name’s (www.cira.ca) ownership can be transferred, an IoT device ownership can be transferred, from user A to user B. Similarly, in the same way the domain delegation can be changed, pointing to from user A’s website to user B’s website, an IoT device can connect from one cloud service provider to another. To facilitate these changes, CIRA has developed a solution to deliver IoT credentials directly on the eSIM card securely. We are leveraging the public DNS and it’s DNSSEC based cryptographically enabled chain of trust feature as a new root of trust simplifying the verification of certificates.

You can check out our full demo here.

What are the benefits of an IoT Registry?

• Interoperability. Enabling generic IoT Devices to connect to generic Cloud Services using standard APIs.  With an IoT Registry, any IoT device can be switched to any cloud provider easily and securely.
• Streamlined operations. The Registry keeps track of cloud provider certificates and individual IoT device keys so that cloud providers and device manufacturers don’t have to.
• Proven security. Certificates are managed using cryptographically-enabled, road-worn DNSSEC enabled DNS infrastructure.
• No “man in the middle” attacks. Our IoT Registry makes it impossible for attackers to create fake credentials. The credentials (public key pair) are created in a Hardware Security Module (HSM) and encrypted with the public key of the IoT device, keys are then destroyed, and the fingerprint of the IoT device keys can be validated in the public DNS using DNSSEC CERT records.  The keys and configuration information are sent to the mobile network operator which, in turn, writes the IoT profile onto the eSIM IoT Security Applet, at which point the IoT device can decrypt the IoT profile.  This ensures secure and trusted communication between the IoT registry and the device.

Why is CIRA working on this?

 

“The incoming tsunami of IoT devices will fundamentally change the way we need to approach cybersecurity. Innovative technologies will require innovation in security, especially when so many IoT devices lack adequate security themselves. CIRA’s Secure IoT Registry demonstrates how a national registry can be used to establish trust and configure IoT devices of all types.”

-Brian O’Higgins, Security Expert

“The CIRA IoT Registry allows the world’s generic IoT devices to seamlessly and securely work between any manufacturer, owner, service provider and network operator.”

-Don Slaunwhite, CIRA IoT Registry Product Manager

CIRA is a purpose-driven not-for-profit working hard to make the internet safe, stable and secure through our DNS infrastructure and cybersecurity products. As we look ahead to the next evolution of the internet – an internet where cloud computing, big data, and IoT devices are ubiquitous – we see a huge opportunity to leverage our 20 years of world-class registry operations and help solve the problem of securely provisioning IoT devices. Once it’s up and running, we are confident that our Secure IoT Registry will help make the global internet more secure.

Learn more:

• CIRA:  IoT Registry DEMO.
• CIRA: We just joined a brand new IoT accelerator to help solve a massive, industry-wide security problem.
• Ottawa Business Journal: Ottawa-based CIRA lands spot in first cohort of L-Spark’s new secure IoT accelerator.
• CIRA: An update from CIRA on IoT security
• ISOC: DNSSEC Primer
• Crypto4A: Canadian based Certificate Authority Appliance