Benefits of Client-Side SSL for IoT Device Authentication
The use of client-side certificates isn’t new, but it isn’t exactly widespread, especially in comparison to the server-side certificates used for websites. However, it’s quickly emerging as the key identity and authentication mechanism for IoT scenarios and machine-to-machine (M2M) communications. Client certificates are more secure than other available authentication mechanisms because they’re based on public and private key pairs in which the private key is never shared.
Client-side certificates are superior to the other methods because the device owns the secret instead of the server. That means the only way a person could impersonate the device is to have the physical device and be able to get the private key data off it, which is incredibly difficult to do. If you’re not using client-side SSL, it is also much harder to shut down a breach if it happens.
Client-side SSL is the standard. In fact, it’s the preferred way to authenticate with AWS IoT, Azure and Google Cloud. It’s also the only way to authenticate with NervesHub.
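What requiring a client certificate looks like on the server side, as an added example that is not from the original article. It uses Python's standard ssl module; the function names, file parameters and sample certificate subject are assumptions made for illustration.

```python
import ssl

def device_server_context(device_ca_file=None, server_cert=None, server_key=None):
    """TLS server context that rejects devices lacking a valid client certificate.

    The file arguments are hypothetical paths supplied by the caller.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # The handshake fails unless the device presents a certificate and proves
    # possession of the matching private key, which never leaves the device.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if device_ca_file:
        # Trust only the CA that issued the device certificates.
        ctx.load_verify_locations(cafile=device_ca_file)
    if server_cert:
        ctx.load_cert_chain(server_cert, server_key)
    return ctx

def audit_client_auth(ctx):
    """Return findings that would let an unauthenticated device connect."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("client certificate is never requested")
    elif ctx.verify_mode == ssl.CERT_OPTIONAL:
        findings.append("client certificate is optional")
    if ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append("no device CA loaded")
    return findings

def device_id(peer_cert):
    """Common name from the dict returned by SSLSocket.getpeercert()."""
    for rdn in (peer_cert or {}).get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

if __name__ == "__main__":
    # Python's stock server context does not ask the client for a certificate.
    stock = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    print("stock server context:", audit_client_auth(stock))
    print("hardened, CA not yet loaded:", audit_client_auth(device_server_context()))
    # Constructed sample in the shape getpeercert() returns after a handshake.
    sample = {"subject": ((("organizationName", "Example Co"),),
                          (("commonName", "device-0001"),))}
    print("authenticated device:", device_id(sample))
```

The server side holds only the CA certificate and its own key pair, so nothing stored there lets someone impersonate a device.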
If client-side SSL is so great, why don’t all IoT projects use it for device authentication? The answer is pretty simple — it’s difficult to do and it can be expensive.
Let Your Use Case Be Your Guide
It’s important to consider the implications of a breach and let that guide the amount of time and money you invest in authenticating your Internet-connected devices. If you are using sensors to do inventory tracking, the consequences of a hack are relatively small. In situations like this, we recommend using another type of device authentication like token-based authentication.
However, some connected devices carry risks that could endanger lives or jeopardize the well-being of your company. In these cases, IoT device authentication is of the utmost importance and client-side SSL should be used.