IoT-SAFE, IoT SIM Applet For Secure End-to-End Communication, is a standard mechanism, based on the use of SIM cards (both physical SIM and ESIM) as Root-of-Trust to secure applications and services running on embedded systems connected through the mobile network. IoT-SAFE is standardized and promoted by GSMA, and is currently being implemented in the mobile market worldwide. GSMA, the alliance representing mobile operators, manufacturers and companies focusing on the mobile communication industry, has published the guidelines to implement IoT-SAFE. IoT-SAFE opens the road to key provisioning through a component that is, in fact, already designed to support end-to-end security within different layers of the protocol.
Over one year ago, wolfSSL introduced integrated, built-in support for IoT-SAFE. The support allows to transfer the cryptography required by TLS connections to the engine running on the secure element in the SIM, which uses the provisioned keys and certificates. This way, private and secret keys are never accessed by the software in the device, increasing the security by minimizing the attack surface. Since then, the code has been maintained, improved and tested on different platforms, also thanks to the contributions from our partners within the mobile industry.
The code for the wolfSSL port of IoT-SAFE is portable and it’s designed to be used on an embedded board, equipped with an LTE modem and an IoT-SAFE capable SIM/eSIM card, or any environment that has access to a communication channel with an IoT-SAFE capable SIM/eSIM card. Examples are available in the wolfSSL repository for both microcontroller-based and CPU-based targets.
The module includes several features, such as the possibility to use IoT-SAFE as true random number generator, access asymmetric key operations on the SIM, as well as generate, store and retrieve keys in the secure vault. The most important feature though, is the possibility to equip wolfSSL sessions with IoT-SAFE support, so that all the operations during the TLS handshake for that session are executed through IoT-SAFE commands.
Depending on the hardware platform, some of the cryptographic operations may be quicker if performed in software, rather than offloading to the secure element. By default, wolfSSL offloads to the secure element all the operations implemented, when the session enables IoT-SAFE support at runtime. However, by associating the callbacks manually at runtime, it is possible to compare the performance between the software vs. the hardware-assisted cryptography. wolfSSL is the only TLS implementation so far that supports TLS 1.3 specific IoT-SAFE key derivation functionality (HKDF), integrating it in the TLS 1.3 handshake.
Securing Device-to-Cloud communication with a robust end-to-end strategy is of course the main use case of this module. However, we are looking forward to seeing wolfSSL IoT-SAFE support used in different applications, provisioning and device integration scenarios.
Are you planning to integrate IoT-Safe for TLS in your device, software or mobile infrastructure? Let us know about your architecture and use cases, contact us at facts@wolfSSL.com or +1 425 245 8247.
Need more? Subscribe to our YouTube channel for access to wolfSSL webinars!
Love it? Star us on GitHub!