Collaborating with Industry to Create Secure IoT Solutions

Recently I had the opportunity to work on a Secure Internet of Things (IoT) demo with two collaborating companies: GlobalSign, a WebTrust-certified certificate authority, and Infineon, a semiconductor manufacturer. The demo consisted of a Raspberry Pi single-board computer, an Infineon Iridium TPM Board, and an LED light strip which was controlled through a secure website with certificates and provisioning through GlobalSign. Specifically, I was tasked with upgrading the demo to current hardware and technologies.

According to the Trusted Computing Group (TCG), a “TPM (Trusted Platform Module) is a computer chip (microcontroller) that can securely store artifacts used to authenticate the platform (your PC or laptop).”  The artifacts can be passwords, certificates, or encryption keys.  Basically, a TPM is a dedicated storage platform that stores your sensitive data in a more secure location than the hard drive of the computer or laptop.  For the previous version of this demo, the Infineon TPM was connected to a Raspberry Pi Model B running an outdated version of Raspbian.  My job was to take that same TPM and move it to a Raspberry Pi 3 Model B running the latest version of Raspbian.

Before I could begin the upgrade, I first needed to assemble and understand the current demo. Zachary Short, Principal Software Engineer/Architect at GlobalSign, visited the IOL to assist with building the first version of the demo.  This meeting was very helpful to me because it gave me a chance to ask questions and see exactly how the demo was supposed to function.

The demo utilizes the TPM to protect the private key material used by a custom web application for secure communication (HTTPS). For the TPM to operate, it must first be provisioned through GlobalSign’s High Volume certificate issuance platform. The provisioning process is fairly simple, thanks to code written by Mr. Short at GlobalSign. During the provisioning process, the code accesses the TPM on the Raspberry Pi and communicates with the GlobalSign provisioning system to populate the device with a device identity certificate that the Pi will use as an authentication credential. It is during this process that the TPM is joined to the Raspberry Pi, which prevents the keying material from being migrated or stolen from the device.

Launching the IoT server application is the last step in the setup process.  This program allows the user to access a web interface from a networked computer, which then allows for control of a 32 LED Digital LED Strip that is connected to the Raspberry Pi.  All of the communication happens over an HTTPS (Secure HTTP) connection, using the certificates and keying material protected by the TPM.

To modernize the demo, I first needed to install the newest version of the Raspbian operating system onto a new Raspberry Pi 3 Model B. In order for the Pi to load the TPM driver automatically on startup, I needed to patch and recompile the Raspberry Pi kernel. After having difficulty completing this step with the new hardware, I was able to find a workaround by adding the driver initialization command at the end of a startup script. With the TPM driver automatically loading on startup, it was now time to lock and take ownership of the TPM. When the TPM is connected to the Raspberry Pi for the very first time, it must be locked and the user must take ownership of the TPM; this process involves a number of steps laid out by Infineon, which include the user creating a number of different passwords to access the TPM. Once ownership is confirmed, the server application should work. Unfortunately, at this point, it did not.

When the user attempted to run the server program from the Pi, the program would return numerous error codes, which may have occurred because the server program was written to run on the old Raspberry Pi hardware. To fix these errors, the server code needed to be altered and recompiled. The server code also ran into issues with the SSL encryption keys used to create a secure connection between the Pi’s server and the internet browser. After a little research on the subject, I found the error lay within the OpenSSL configuration file, pertaining to the Pi’s cryptography library, which needed to be modified on the new Raspberry Pi. It was at this point that the server launched successfully.

The demo is up and running at the IOL in Durham, NH, as part of our larger IoT initiative. I would like to thank Tim Carlin, IOL Senior Manager, for all of his help with this project; without him I would still be digging through code to this very day. I would like to especially thank Zachary Short and Lancen LaChance of GlobalSign and Steve Hanna of Infineon, without whose support this project would not have been possible.