Security tends to lag behind technology adoption, and few technologies have seen growth as massive as the Internet of Things (IoT). Despite the rapid growth of the market for connected devices, security has all too often been an afterthought, creating an unprecedented opportunity for hackers.
Device authentication is a key aspect of IoT security, and getting it wrong can lead directly to a breach. If your web backend can be convinced that an attacker is a valid device, that attacker can do anything the device has permission to do. That could mean access to private data like security camera footage, or it could mean taking down your entire web infrastructure from a single device.
By using device authentication, you can ensure that only a trusted set of devices is used in your IoT solution and that those devices can in turn trust the application that sends them control commands. Various security mechanisms can be used to establish that trust, but when security is paramount, we recommend client-side SSL.
Server-Side vs Client-Side SSL
Before we dive into the benefits of client-side SSL, it’s important to have a basic understanding of what SSL stands for and the technology behind it. SSL (Secure Sockets Layer) is an industry-standard security protocol for establishing an encrypted connection between two machines or devices operating over the internet or an internal network. This kind of connection guarantees that all data passed between the two machines or devices stays private and secure.
Millions of websites protect their customers’ private information by using SSL to secure communication between a web browser and a web server. This turns a website's address from HTTP to HTTPS, with the ‘S’ standing for ‘secure.’ This is an example of server-side SSL, where the goal is to verify the identity of the web server before connecting to it.
Unlike server-side SSL, the certificates used in client-side SSL are meant to validate the identity of a client. In the case of IoT development, the client is often an individual device. Instead of the device needing to verify the identity of the server, the server needs to verify the identity of the device.
Server-side and client-side SSL both use public key infrastructure (PKI) for authentication. However, there is one significant difference between the two. Unlike server certificates, client certificates don’t encrypt any data — they’re installed for validation purposes only.
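To make the mechanism concrete, here is a small added example written for this article in Go using only the standard library; it is not code from the original post or from NervesHub. It builds a device CA, a server certificate and a device certificate entirely in memory (the CA name "Example Device CA", the device name "device-0001" and the loopback address are constructed for the demo), then starts a TLS server that requires every client to present a certificate issued by that CA. A legitimate device is greeted by the name in its certificate, while a self-signed impostor that claims the same name is refused during the handshake. This is also the point made later in the article: the device's private key is generated once and never leaves the device, so impersonation requires extracting that key rather than guessing a shared secret.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on setup errors that a demo cannot sensibly recover from.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert mints an in-memory certificate for cn, signed by parent, or self-signed when
// parent is nil. The private key is generated here and never exported (demo assumption).
func newCert(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // lets the server cert pass the hostname check
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed: the template signs itself
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// startServer listens on loopback, refuses any client without a certificate issued by ca,
// and greets each authenticated device by the name in its certificate. Returns the address.
func startServer(serverCert, ca tls.Certificate) string {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the client-side SSL check
		ClientCAs:    pool,                           // trust only devices our CA issued
		MinVersion:   tls.VersionTLS12,
	}))
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			if tc := c.(*tls.Conn); tc.Handshake() == nil { // fails for a missing or foreign cert
				// Identity comes from the verified certificate, never from the payload.
				fmt.Fprintf(tc, "hello %s", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
			c.Close()
		}
	}()
	return ln.Addr().String()
}

// deviceConnect dials as a device presenting clientCert, verifies the server against ca,
// and returns the server's greeting.
func deviceConnect(addr string, clientCert, ca tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		Certificates: []tls.Certificate{clientCert}, // the device proves who it is
		RootCAs:      pool,                          // and checks the server's identity too
	})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	// Under TLS 1.3 the client's handshake completes before the server has checked its
	// certificate, so the verdict (greeting or alert) arrives with the first read.
	buf := make([]byte, 64)
	n, err := conn.Read(buf)
	return string(buf[:n]), err
}

// Demo builds a device CA, a server certificate, a legitimate device certificate and a
// self-signed impostor with the same name; it returns the legitimate device's greeting
// (and error, if any) and the error the impostor receives.
func Demo() (greeting string, legitErr, impostorErr error) {
	ca := newCert("Example Device CA", true, nil)
	srv := newCert("127.0.0.1", false, &ca)
	dev := newCert("device-0001", false, &ca)
	rogue := newCert("device-0001", true, nil) // right name, but not issued by our CA
	addr := startServer(srv, ca)
	greeting, legitErr = deviceConnect(addr, dev, ca)
	_, impostorErr = deviceConnect(addr, rogue, ca)
	return greeting, legitErr, impostorErr
}

func main() { fmt.Println(Demo()) }
```

Running `go run` on this prints `hello device-0001 <nil>` for the legitimate device and a TLS alert such as `remote error: tls: bad certificate` for the impostor. Two design points matter for real deployments: the server takes the device's identity from the verified certificate rather than from anything in the request body, and the client also sets `RootCAs`, so authentication is mutual rather than one-sided. In production the CA key would live in an HSM or offline signing service and the device key would be generated on the device itself, never copied off it.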
Benefits of Client-Side SSL for IoT Device Authentication
The use of client-side certificates isn’t new, but it isn’t exactly widespread either, especially in comparison to the server-side certificates used for websites. However, it’s quickly emerging as the key identity and authentication mechanism for IoT scenarios and machine-to-machine (M2M) communications. Client certificates are more secure than the other available authentication mechanisms because they rely on public/private key pairs in which the private key is never shared.
Client-side certificates are superior to the other methods because the device, not the server, owns the secret. That means the only way to impersonate a device is to have the physical device in hand and be able to extract the private key from it, which is incredibly difficult to do. If you’re not using client-side SSL, it is also much harder to shut down a breach if one happens.
Client-side SSL is the standard. In fact, it’s the preferred way to authenticate with AWS IoT, Azure and Google Cloud. It’s also the only way to authenticate with NervesHub.
If client-side SSL is so great, why don’t all IoT projects use it for device authentication? The answer is pretty simple — it’s difficult to do and it can be expensive.
Let Your Use Case Be Your Guide
It’s important to consider the implications of a breach and let that guide the amount of time and money you invest in authenticating your Internet-connected devices. If you are using sensors to do inventory tracking, the consequences of a hack are relatively small. In situations like this, we recommend using another type of device authentication like token-based authentication.
However, some connected devices carry risk that could endanger lives or jeopardize the well-being of your company. In these cases, IoT device authentication is of the utmost importance and client-side SSL should be used.