Provision your IoT Edge device using a TPM

IoT devices need a secure connection; the reason is obvious. It all starts with a secure connection between a device in the field and the cloud platform.

Microsoft provides a secure connection for devices to the IoT Hub in three ways:

  • Symmetric keys
  • Certificates
  • Support for a Trusted Platform Module (TPM)

We are interested in how to get our connection secured using the TPM.

A TPM is “an international standard for a secure cryptoprocessor”. It can generate private keys and expose the public keys related to them. So it somewhat behaves like a set of certificates, but now as a physical device.

If somebody tries to physically compromise the chip to retrieve a private key, it should break, destroying the chip and its content. You can buy TPM chips (e.g. for a Raspberry Pi), but it’s better to have one already attached to your PC’s motherboard. The chip acts as an identity and you do not want to see it being unplugged.

My Advantech UNO 2372G has a TPM 2.0 chip already built in. The same goes for a few laptops I have. Keep in mind that older versions of this security chip (like the TPM 1.2) are not supported by Microsoft.

Symmetric keys and certificates are supported by the Azure IoT Hub directly. We need another service, the Azure Device Provisioning Service (DPS), to provision a device using the TPM and get access to an IoT Hub of your choice.

How does it work?

The Device Provisioning Service acts as a broker between provisioned devices and one or more IoT Hubs.

The following steps show the ‘dance’ a registered device has to perform if it wants to contact an IoT Hub (example taken from the documentation):

  1. Device manufacturer adds the device registration information to the enrollment list in the Azure portal.
  2. Device contacts the provisioning service endpoint set at the factory. The device passes the identifying information to the provisioning service to prove its identity.
  3. The provisioning service validates the identity of the device by validating the registration ID and key against the enrollment list entry using either a nonce challenge (Trusted Platform Module) or standard X.509 verification (X.509).
  4. The provisioning service registers the device with an IoT hub and populates the device’s desired twin state.
  5. The IoT hub returns device ID information to the provisioning service.
  6. The provisioning service returns the IoT hub connection information to the device. The device can now start sending data directly to the IoT hub.
  7. The device connects to IoT hub.
  8. The device gets the desired state from its device twin in IoT hub.

Note: keep in mind that this dance can only start after a device is registered at the DPS. There must be a trust relationship between the device (with a TPM) and the Device Provisioning Service first.
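To make the eight steps above concrete, here is a small simulation of the dance in Python. This is an added example written for this page, not Azure SDK code and not code from the original post: the enrollment list, the DPS, the IoT Hub and the TPM are all constructed stand-ins. The nonce challenge of step 3 is modelled as an HMAC over the nonce with a secret that is held inside a mock TPM object and never handed to the caller; a real TPM uses its endorsement key for this, and the routing rule in `route()` (hub chosen by a region label the device sends) is an assumption standing in for the allocation rules you would configure in DPS.

```python
"""Constructed model of TPM-based provisioning through DPS (steps 1-8 of the dance)."""
import hashlib
import hmac
import secrets


class MockTpm:
    """Stand-in for the TPM: the secret is held here and is never returned to the caller."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def sign(self, data: bytes) -> bytes:
        # Proof of possession: only a holder of the secret can produce this value.
        return hmac.new(self._secret, data, hashlib.sha256).digest()


class MockIoTHub:
    """Stand-in for one IoT Hub: a device registry plus a desired twin per device."""

    def __init__(self, name: str):
        self.name = name
        self.devices = {}

    def register_device(self, registration_id: str, desired_twin: dict) -> str:
        device_id = f"{registration_id}@{self.name}"
        self.devices[device_id] = {"desired": dict(desired_twin)}
        return device_id  # step 5: the hub returns the device ID to DPS

    def get_desired_twin(self, device_id: str) -> dict:
        return self.devices[device_id]["desired"]  # step 8


class MockDps:
    """Stand-in for the Device Provisioning Service: enrollment list, nonce challenge, routing."""

    def __init__(self, hubs):
        self.hubs = {h.name: h for h in hubs}
        self.enrollments = {}  # registration_id -> key as entered by the manufacturer
        self.pending = {}      # registration_id -> outstanding nonce

    def enroll(self, registration_id: str, key: bytes) -> None:
        self.enrollments[registration_id] = key  # step 1: manufacturer adds the enrollment

    def challenge(self, registration_id: str) -> bytes:
        if registration_id not in self.enrollments:
            raise LookupError("device is not in the enrollment list")
        nonce = secrets.token_bytes(16)  # fresh per attempt, so a captured proof cannot be replayed
        self.pending[registration_id] = nonce
        return nonce

    def register(self, registration_id: str, proof: bytes, region: str) -> dict:
        nonce = self.pending.pop(registration_id, None)
        if nonce is None:
            raise LookupError("no outstanding challenge for this registration ID")
        expected = hmac.new(self.enrollments[registration_id], nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            raise PermissionError("nonce challenge failed")  # step 3 rejects the device
        hub = self.route(region)  # allocation rule (assumption, see lead-in)
        device_id = hub.register_device(registration_id, {"telemetryInterval": 60})  # step 4
        return {"hub": hub.name, "device_id": device_id}  # step 6: connection information

    def route(self, region: str) -> MockIoTHub:
        # Constructed rule: the hub named after the region, else the first hub known to DPS.
        return self.hubs.get(f"hub-{region}", next(iter(self.hubs.values())))


def provision(dps: MockDps, tpm: MockTpm, registration_id: str, region: str) -> dict:
    """Device side of the dance: steps 2, 3 (the answer), 6, 7 and 8."""
    nonce = dps.challenge(registration_id)  # step 2: contact the DPS endpoint, identify itself
    proof = tpm.sign(nonce)                 # the key itself never leaves the TPM
    info = dps.register(registration_id, proof, region)
    hub = dps.hubs[info["hub"]]             # step 7: connect to the assigned hub
    info["desired"] = hub.get_desired_twin(info["device_id"])  # step 8: read the desired twin
    return info


if __name__ == "__main__":
    dps = MockDps([MockIoTHub("hub-eu"), MockIoTHub("hub-us")])
    key = secrets.token_bytes(32)  # constructed enrollment key
    dps.enroll("device-0001", key)
    print(provision(dps, MockTpm(key), "device-0001", "eu"))
```

Two properties of the model carry over to the real service: a device that is not on the enrollment list never gets past step 2, and a device holding the wrong key fails the challenge in step 3 without DPS ever learning the device's secret, because only the answer to a fresh nonce travels over the wire.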

Why should we use a TPM?

Every example starts with symmetric keys. Are symmetric keys not enough?

All three available ways to secure a device are great, but only certificates and a TPM are recommended for use in production. The problem with symmetric keys is that replacing them is hard: you need to change the key on the device itself, and you need to transport the new key to the device (on a USB stick?), so you are a bit vulnerable then.

Using a TPM (and a DPS) helps in two ways:

  1. When the security token behind the secure connection with an IoT Hub expires, the device itself simply asks for a new token by connecting to the DPS. No extra work is needed.
  2. The DPS has knowledge about one or more IoT Hubs. So depending on rules you have set, the DPS routes the device to the right IoT Hub. Imagine a device on a ship going around the world that always connects to the nearest IoT Hub for the best connection (lowest lag). You can also program rules yourself using Azure Functions.

Note: If you want to make use of a DPS with Azure IoT Edge, only a TPM is supported at this moment (2018Q4).

How to register your IoT Edge device

So we need an IoT Edge device like a Raspberry Pi with a TPM on top of it or an industrial PC like the Advantech Uno 2372G with a TPM built in.

At this point, the IoT Edge documentation gets a bit fuzzy. All examples I have found so far refer to the use of a TPM emulator, not an actual TPM.

In this blog, I will show you how you can register using a DPS.


Distributing IoTHub credentials using TPM

I bet that in most of the Azure IoT demos you have seen, or in most of the IoT UWP apps you have programmed yourself, the device credentials for the IoT Hub were hard-coded. Yes, I’m guilty too 🙂

And this is, of course, a bad practice.

Not only is there a risk that these credentials are shared by checking them into your version control system (like a public Git repository), it is also inconvenient because, for each device running that production code, you have to alter the credentials in the code and deploy again.

We could use configuration files, but that is still worthless from a distribution perspective.

We would like to pass the credentials to known devices separately, apart from the application. We want to use a second channel, and this is possible with the current Windows IoT Core infrastructure.

All we need is a TPM. This is a Trusted Platform Module:

Trusted Platform Module (TPM) is an international standard for a secure cryptoprocessor, which is a dedicated microcontroller designed to secure hardware by integrating cryptographic keys into devices. TPM’s technical specification was written by a computer industry consortium called Trusted Computing Group (TCG). International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standardized the specification as ISO/IEC 11889 in 2009.[1]

Why do we need it? Microsoft provides a separate mechanism to write credentials into the module, which acts like a vault.

In this example, we will look at Windows 10 IoT Core running on a Raspberry Pi, and we will use IoT Hub device credentials stored in a TPM.