The Internet of Things has been used many times to describe almost anything that is connected to the Internet – but what does this actually mean? Physical devices connected to the Internet include CCTV, Vehicles, Baby Monitors, Toys….the range is vast. Recent hacks on the Internet have shown that attackers can take control of IoT devices and use these as “robots” to do their bidding – so called “botnet” attacks.
M2M Telecom in association with Blueskytec has developed a range of Cyber security products aimed at high value IoT systems – like the ECU of a vehicle (the brain of the car), or the controller of a solar energy system. The product – called Geepy- allows these high value embedded systems to safely connect to the Internet. They are designed to be either standalone or integrated into existing equipment. The products are designed to be immune from bot net attacks, and allow embedded IoT systems to be safely connected to the Internet.
M2M Telecom in association with Blueskytec has developed a range of Cyber security products aimed at high value IoT systems – like the ECU of a vehicle (the brain of the car), or the controller of a solar energy system. The product – called Geepy- allows these high value embedded systems to safely connect to the Internet. They are designed to be either standalone or integrated into existing equipment. The products are designed to be immune from bot net attacks, and allow embedded IoT systems to be safely connected to the Internet.
SECURE BOOT PROCESS (BSTBoot)
This is a hardware boot process that locks the module with a unique key. If a tamper is detected on the circuit board then the key is void and the hardware will not start. If the module is physically tampered with, all keys are erased and the unit must be programmed with the unique key. Additionally, if the unit is probed then the system can be erased to a non-operative state that cannot be recovered. The key will stay on the module for up to 6 months without power.
The electronic key can be supplied with the board to allow the distributer to re-key the device for their user. A standard RS232 interface is used and the electronic key is supplied in a standard document file, ready for transmission to the module. The key generation software can be supplied upon request.
For developers using the module, a development board can be supplied with the JTAG cable and a unique key to unlock the JTAG chain, to allow programming of the Cortex M3. If the development team requires programming of the FPGA Tiles a different unique key can be obtained to allow this access.
The electronic key can be supplied with the board to allow the distributer to re-key the device for their user. A standard RS232 interface is used and the electronic key is supplied in a standard document file, ready for transmission to the module. The key generation software can be supplied upon request.
For developers using the module, a development board can be supplied with the JTAG cable and a unique key to unlock the JTAG chain, to allow programming of the Cortex M3. If the development team requires programming of the FPGA Tiles a different unique key can be obtained to allow this access.
SECURE AUTHENTICATION
The in-built Microsemi AES 128/256 engine can be used to generate one-time authentication codes. These codes can be stored in the on-board 512MBit flash as a One-Time-Pad, or the codes can be generated on-the-fly. The in-built Microsemi True Random Number Generator can be used to generate one time keys for the process if required. Example code or full application can be supplied for both types of system. For non-standard authentication BSTCrypt64/128/256 can be used instead of AES128/256. The Microsemi M2S processor contains a real-time-clock that can be used in the authentication process, or the time can be obtained from the GSM/GPS time signal.
ENCRYPTION
The in-built Microsemi AES128/256 can be used for encryption of user data. The keys for the encryption process can be generated form the True Random Number Generator, or stored locally in the on-board 512MBit flash.
Roadmap
The roadmap for the GEEPY range is detailed in Figure 3. This shows 4 products: Geepy Nano, Geepy Bike, Geepy SAT and Geepy CAM. These have various levels of functionality, size and cost. They all contain a core functionality of security provided by the Blueskytec IP on the Microsemi SmartFusion2 (SF2) processor.
This IP has been designed and developed by Blueskytec to perform 2 functions:- tamper resistant security and encryption/decryption. The tamper resistant hardware and IP, operates by having a unique key per board installed, that will erase upon tamper. This renders the unit un-operable until the key is re-installed. The benefits of a unique key per board are that there is no single Pre-placed key to compromise security. If the key is compromised then only that board is compromised.
The encryption/decryption installed on the SF2 is NIST certified AES128/256. This gives the user confidence in a world-wide encryption standard that has been accredited by the US government. Additionally BST has developed its own 64/128/256 bit encryption technology that can be used to provide a non-standard communication channel. The advantages of this are that the algorithm is secure within the tamper protected boundary of the module and allows the use of a short message length (8 bytes) for transmission of messages that require security. The disadvantages are that it is not compatible with AES, it has not been accredited and at the short key lengths the strength of the encryption relies in the security of the algorithm.
The encryption/decryption installed on the SF2 is NIST certified AES128/256. This gives the user confidence in a world-wide encryption standard that has been accredited by the US government. Additionally BST has developed its own 64/128/256 bit encryption technology that can be used to provide a non-standard communication channel. The advantages of this are that the algorithm is secure within the tamper protected boundary of the module and allows the use of a short message length (8 bytes) for transmission of messages that require security. The disadvantages are that it is not compatible with AES, it has not been accredited and at the short key lengths the strength of the encryption relies in the security of the algorithm.
Copyright © 2020 - Geepy Mobile - All rights reserved
