To create a successful Internet of Things, connected devices and applications must be able to easily, securely and intelligently interact across silos. The cloud platform supporting interoperability among different vendors creates an ecosystem. Multiple players each focus on their core strength (devices, applications, analytics, etc.) and build an end-to-end IoT solution collectively on the ecosystem, without integration pain. We will go over the methodology that ARTIK Cloud uses to support interoperability. In addition, we will discuss the security, specifically secure device registration.
#IoTDevCon
@artikcloud
What we use to solve it:
• A private key and a certificate signed by a trusted CA
• Certificate associated with the private key guarantees device authenticity
• TLS with mutual authentication prevents spoofing and provides reliable device authentication
• Each device should have a unique certificate within a given vendor to achieve our goal
• CA certificate should be trusted in Artik Cloud
Greet and introduce speakers
Good morning everyone. Thank you for being here. The session is about … My name is Yujing Wu and I am a developer evangelist at Samsung Strategy & Innovation Center. Joining me here is my colleague Oleg Gryb. He is a senior manager working in the security domain. In the later part of this talk, you will hear from him.
At the end of this talk, you will have a basic understanding of our point of view on interoperability, our methodology to address it and the security aspects of the cloud platform. We will take questions at the end if time permits.
You are a developer. You have created an innovative thing (for example a touch-free bio sensor, coffee machine, smart switches). You want to connect this thing to the Internet and be able to control it or visualize its data. You have a couple of options here. You can create your own apps and your own cloud. Even better, you bring your device data to one of a few available IoT cloud platforms, which will collect, transport, store and analyze the data and provide a way for your app to control your devices.
Easiest option,
Connect everything for IoT… connect cars, traffic…,
However, to make your device even more useful, you want your devices to interact with other types of devices and other apps which are not created by you. For example, the coffee machine can control the amount of caffeine based on the energy level measured by a wearable device. Talk to smart cook…. Now, this becomes more difficult to achieve compared to the earlier scenario. You really need to platform…..
You may end up doing integration with different types of devices/clouds. Such integration is not scalable and not future-proof.
It should be easy to connect every type of thing, including ones that have not yet been invented
An app developer can easily build apps that use device types not from his organization
In addition, we believe that rich insight about users can only come from diverse data. There should be an easy way for analytics applications to get diverse data.
Live in siloed world. limit data analysis to siloed data, This cannot generate rich insight about users. Rich insight about users does not come from
Rich data analysis about users can
It should be easy to do rich data analysis from diverse type of data instead of siloed data
ARTIK Cloud is introduced to realize the vision – to make connections among different types of things easily instead of creating another silo
ARTIK Cloud is a data exchange platform. It allows devices, apps and services to easily work together across vendors and vertical markets.
To achieve this level of interoperability, the right place for us to do it is in the cloud, not locally (at gateway or device level)
ARTIK Cloud is completely open.
It can work with Samsung and non-Samsung devices.
It can work with 3rd party clouds.
We have supported devices from 30 brands.
ARTIK Cloud provides open and rich APIs, powerful development tools and rich SDK, we also build sophisticated security and permission management in the cloud.
Agnostic to underlying wireless protocols
Two options to cloud:
If you have created a new type of device, it is very easy for you to bring your devices into ARTIK Cloud.
Developers use the Device Manifest to describe the attributes and capabilities of their device types (what actions are possible for that type of device).
Once you define the Device Manifest, it is easy to send data from your devices or send commands to them. In terms of communication protocols, we support HTTP for REST API calls, WebSockets, MQTT and CoAP.
=================
We provide a way for developers to describe the attributes and capabilities of their device types (what actions are possible for that type of device).
We call it the Device Manifest. Every device type has a Manifest.
We provide two ways for you to create a Device Manifest: the UI, and Groovy code for an Advanced Manifest
This is key component of ARTIK Cloud solution.
Devices: Multiple protocols
HTTP
WebSockets
MQTT
CoAP
You do not need to build the customized solution to get data from different cloud services. Do customized integration
Simply use our Cloud Connector framework
Devices never worked together before
Data store
No need to build data access API
There are many capabilities of ARTIK Cloud I do not have time to go over. Talk to us after the session.
Make it extremely …..
Diversity: MQTT and web
Beyond data exchange capability, ARTIK Cloud has many other capabilities like sophisticated permission management and powerful development tools, which I do not have time to address.
However, I want to emphasize that security is a very important part of our cloud offering. Let me hand over the talk to my colleague, security expert Oleg, to talk about security.
AC Security team handles all aspects of security in our org. We’re trying to be just as agile as our DevOps team is. Our approach to achieving this is described in detail in this video. Since I don’t have much time, I’ll focus on one thing – building security architecture for Artik Cloud. More specifically, I’m going to talk about Secure Device Registration or SDR as we call it.
What is SDR and what kind of problems are we trying to solve? If you deal with sensitive information such as medical data or personally identifiable data, it’s important to meet certain criteria.
To solve the described problem we use PKI based mutual server/client authentication, which relies on certificates and private keys stored on both client (device) and a server.
Each device vendor should be associated with a CA in our approach.
The vendor is responsible for creating the CA, client certificates and keys and storing them securely in his infrastructure.
AC should make a vendor’s CA trusted before vendor’s clients can securely connect to AC.
Since each certificate is unique, there is no way to spoof a device after it has been registered.
Another security feature is secure pairing of a device to its owner, which doesn’t allow the same device to be registered to a different user or the API to be used to spoof device traffic.
Registration starts on a device when a user hits the “register” button
2-way SSL will be used to start a conversation between a device and AC
Client’s certificate will be verified to make sure that it’s signed by a trusted CA
AC will generate a long nonce and a relatively short PIN. The latter will be displayed on a device.
The owner of the device will take that PIN and complete the registration on AC’s user portal by entering the device type, device name and PIN.
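The registration steps above, modelled in Python as cloud-side state. This is an added example, not ARTIK Cloud's code: `Registrar`, its method names, the 8-digit PIN, the 5-minute lifetime and the retry limit are assumptions, and the already-verified client certificate is represented only by its issuer and vendor device ID.

```python
import hmac
import secrets
import time

TRUSTED_VENDOR_CAS = {"vendor-a-ca"}  # constructed: CAs the cloud has been told to trust
PIN_TTL = 300    # assumption: seconds a PIN stays valid
MAX_TRIES = 5    # assumption: wrong PINs allowed per portal account

class Registrar:
    """Hypothetical cloud-side state for the registration steps above."""

    def __init__(self):
        self.pending = {}   # nonce -> pending registration
        self.owners = {}    # (issuer CA, vendor device ID) -> owner
        self.failures = {}  # owner -> wrong-PIN count

    def start(self, issuer_ca, vdid, dtid, now=None):
        # issuer_ca and vdid stand in for fields of the client certificate
        # that the mutual-TLS handshake has already verified.
        device = (issuer_ca, vdid)
        if issuer_ca not in TRUSTED_VENDOR_CAS:
            raise PermissionError("certificate not signed by a trusted CA")
        if device in self.owners:
            raise PermissionError("device is already paired with an owner")
        now = time.time() if now is None else now
        # A new attempt invalidates any PIN issued earlier for the same device.
        self.pending = {n: r for n, r in self.pending.items() if r["device"] != device}
        nonce = secrets.token_urlsafe(32)        # long; returned to the device only
        pin = f"{secrets.randbelow(10**8):08d}"  # short; shown on the device
        self.pending[nonce] = {"device": device, "dtid": dtid,
                               "pin": pin, "expires": now + PIN_TTL}
        return nonce, pin

    def claim(self, owner, dtid, pin, now=None):
        # Portal step: the signed-in owner types the device type and the PIN.
        now = time.time() if now is None else now
        if self.failures.get(owner, 0) >= MAX_TRIES:
            raise PermissionError("too many wrong PINs")
        for nonce, rec in list(self.pending.items()):
            if rec["expires"] < now:
                del self.pending[nonce]          # expired PINs cannot be claimed
            elif rec["dtid"] == dtid and hmac.compare_digest(rec["pin"].encode(), pin.encode()):
                del self.pending[nonce]          # a PIN is single use
                self.owners[rec["device"]] = owner
                return rec["device"]
        self.failures[owner] = self.failures.get(owner, 0) + 1
        raise PermissionError("unknown or expired PIN")
```
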
In the demo, I will simulate a real device with an SDR client that has access to a device key and certificate. This is what my command line will look like:
-cert and -key are used to specify the device’s certificate and key
-dtid is an internal device type ID available at AC’s dev portal
-vdid is a unique (within a vendor) device ID
s-api.artik.cloud is an ARTIK Cloud endpoint