Why use certificates for Internet of Things authentication (DTLS)

Originally published at: Why use certificates for Internet of Things authentication (DTLS) - Golioth

How can security improve when manufacturing large volumes of devices? That’s the question I ended on in my last article about Golioth Pre-Shared Keys (PSK). Securing a large population of devices (10k or more) in a way that’s scalable and meets your project’s budget is not trivial, but it is solvable. It takes a combination of modern technologies and some not-so-modern ones.

Certificates have been around for decades. Today the most recognizable is SSL, which started all the way back in the mid-90s. But certificates haven’t found their way to all IoT applications because of their complexity and infrastructure requirements. Many connected devices work around the complexity by eschewing good security practices:

- Completely ignoring security (authentication or encryption)
- Relying on “security by obscurity” (proprietary solutions that are not secure, but would need to be intentionally exploited by an attacker)
- Using product-wide passwords
- Being produced in small enough quantities to not feel the pain (and cost) of handling per-device keys

None of these are ideal at scale.

The Limits of Pre-Shared Key (PSK) Scaling

When using PSK, your device and your cloud need to pre-share a secret. That means you need to store and distribute a sensitive per-device key for every device (or a system to derive the key). For prototyping, this involves copying and pasting a key from the Cloud to your Device over serial or similar. There are challenges getting those keys to your devices on the production line, but the ultimate risk to your deployments is when those devices are out in the field.

PSK symmetry

From a security perspective, the limitation of PSK is that it uses symmetric encryption. Both sides of the communication use…
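The "system to derive the key" option mentioned under The Limits of Pre-Shared Key (PSK) Scaling, sketched as an added example (not code from the original article or from Golioth): per-device PSKs derived from one master secret with HKDF (RFC 5869). The salt label, device IDs, master value and the HMAC challenge that stands in for the DTLS-PSK handshake are all assumptions made for illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt or b"\x00" * HASH().digest_size, ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def device_psk(master: bytes, device_id: str) -> bytes:
    """Derive one device's PSK; the device ID is the only per-device input."""
    return hkdf(master, salt=b"psk-fleet-v1", info=device_id.encode())


def device_tag(psk: bytes, challenge: bytes) -> bytes:
    """What a device computes to prove it holds the PSK (handshake stand-in)."""
    return hmac.new(psk, challenge, HASH).digest()


def cloud_verify(master: bytes, device_id: str, challenge: bytes, tag: bytes) -> bool:
    """The cloud re-derives the same PSK and recomputes the very same tag."""
    expected = device_tag(device_psk(master, device_id), challenge)
    return hmac.compare_digest(expected, tag)


# Constructed sample values, not real credentials.
MASTER = bytes.fromhex("00" * 31 + "01")
FLEET = ["dev-0001", "dev-0002", "dev-0003"]

if __name__ == "__main__":
    challenge = b"challenge-123"
    for dev in FLEET:
        tag = device_tag(device_psk(MASTER, dev), challenge)
        # A tag only verifies for the device ID it was derived for.
        print(dev, cloud_verify(MASTER, dev, challenge, tag),
              cloud_verify(MASTER, FLEET[0], challenge, tag))
```

Because the cloud side can recompute every device's tag, the master secret (or a stored PSK table) is as sensitive as all the device keys combined.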