Securely Connect, Manage & Update Your IoT Devices
A device-to-cloud solution for securing all the key assets of your IoT ecosystem, end to end and during its entire lifecycle.
Your long-term success depends on your ability to build on trusted foundations (your data, your devices, your connectivity), along with your ability to efficiently manage, scale and update your IoT ecosystem.
Give every IoT device a unique identity that is immutable, unclonable and forms the foundation for any IoT security function.
Protect data at rest and in motion, ensuring it is authentic, comes from a verified source and hasn’t been tampered with.
Prevent unauthorized commands or software from being executed on a device, and control access to data using fine-grained policies.
Respond to evolving threats and new security requirements by actively managing the product from launch through end of life, using advanced security technology and services.
Kudelski IoT keySTREAM provides trust, integrity and control for any IoT application or use case you wish to secure, ensuring protection of data, safety and revenue throughout its entire product lifecycle.
Whatever your IoT business objectives, our core security enablement technologies and services easily integrate across your ecosystem to help you achieve IoT success.
Integrate the keySTREAM security form factor that is best for your device, use cases and identified threats.
Your devices are effortlessly recognized and available as soon as they connect to the network.
Once they are part of your IoT ecosystem, you can manage devices and data throughout their entire lifecycle.
Actively monitor and update your ecosystem to ensure it continues to deliver the business value you expect.
keySTREAM consists of two main elements - a Security Client and a Security Server - that easily integrate with your devices, backend platforms and applications using simple APIs.
One of the biggest challenges in IoT security is establishing an immutable identity (root of trust) in hardware (or software) that forms the basis for all other security use cases.
The Root of Trust (RoT) is integrated in software or embedded as hardware into the device and is the foundation for all security use cases. This root of trust is personalized when the component hosting the security is manufactured. Today we offer different security clients that bring increasing levels of robustness to the solution, including Secure Elements, eSIMs, integrated IP blocks and software-hardened solutions.
The Secure Client Library (SCL) integrates with the device firmware and applications and acts as a driver to provide APIs to all security functions of the Root of Trust and of the Kudelski IoT Security Platform.
The Secure Client Library (SCL) is delivered as an SDK including test suites and documentation to test the SCL and SAL API integration.
Achieving your IoT business objectives depends on your ability to process and act on data. We create trust between all physical, digital and human assets in your IoT ecosystem and fully attest to data origin and integrity.
The Security Server connects to your back-end platform to enable secure features for any authorized application. The server provides trusted data to the customer’s backend. The data sent between the device and the cloud is identified, authenticated and traceable.
Device and Server APIs enable encryption and authentication and manage all IoT business logic. All Server functions are provided through REST APIs.
An online documentation kit is available to support the end-to-end integration of the Server and Client APIs including reference code for all functionalities of the platform.
Every device profile is different in terms of power consumption and computing power. Kudelski IoT therefore offers a wide variety of different client options in order to ensure the easiest possible integration with your device.
Trusted Execution Environment
Telco-Specific SIM (eUICC) - M2M & Consumer
Kudelski Pico SE - 800
iSE (Kudelski IP in 3rd party SoCs)
Kudelski IoT keySTREAM provides you with functions to identify, secure, manage and authorize your IoT devices, protect your data, control access and actively secure and update them over time.
Device and Identity features enable robust authentication and identification of the device, establishing trust in the authenticity of the origin of data.
Device Identity Provisioning is the process by which trusted device identities are written into the Root of Trust. These identities enable remote management by the device owner of a device or group of devices. Device Identity provisioning is performed either at boot of the device or after production through ingestion of production logs into the system.
Multiple identities can be tiered to the main RoT identity allowing identification at different stages of the device product process. For example, a Wi-Fi module serial number is sealed into the RoT at boot of the module. At a later stage the Wi-Fi module is integrated into a connected coffee machine. The coffee machine serial number can now be sealed into the RoT and can be used as a primary identifier.
Device Registration is the process by which a Device registers with the IoT Platform with its Device Identity and is then enrolled in the customer’s Device Manager based on pre-defined rules. The platform has been developed with real-world operational scenarios in mind: field returns, debugging and refurbishing scenarios are all supported.
The Platform provides APIs to address operations based on groups of trusted identities sharing particular attributes, ensuring maximum efficiency in addressing and managing large numbers of devices.
Authenticated and trusted devices do not need to be provisioned with 3rd-party IoT cloud providers’ PKI-based device certificates in order to connect to 3rd-party clouds. This remote provisioning greatly simplifies the personalization processes and reduces the overall device bill of materials.
Device run-time code can be attested to be authentic. Externally taken measurements, such as run-time code Platform Configuration Register (PCR) values, are reported to the Server for analysis and corrective actions in case of discrepancies.
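The attestation flow described above, as an added illustration that is not keySTREAM code and does not use its real API: the device authenticates its measurement report with a key held in its Root of Trust, and the server checks authenticity and freshness before comparing each PCR against the golden values it stores for that firmware version. The device identifier, key, firmware version and measurements are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed placeholder: per-device shared secret that, in the design described on the
# page, would live in the device's Root of Trust and be known to the Security Server.
DEVICE_KEYS = {
    "coffee-machine-0001": bytes.fromhex("00" * 16),  # not a real key
}

# Golden (expected) measurements per firmware version, as the server would store them.
GOLDEN_PCRS = {
    "fw-1.4.2": {
        "PCR0": hashlib.sha256(b"bootloader-1.4.2").hexdigest(),
        "PCR1": hashlib.sha256(b"kernel-1.4.2").hexdigest(),
        "PCR2": hashlib.sha256(b"app-1.4.2").hexdigest(),
    }
}


def canonical(report: dict) -> bytes:
    """Deterministic encoding so device and server MAC exactly the same bytes."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def device_build_report(device_id, fw_version, pcrs, nonce):
    """Device side: package the measurements and authenticate them with the RoT-held key."""
    body = {"device_id": device_id, "fw": fw_version, "nonce": nonce, "pcrs": pcrs}
    tag = hmac.new(DEVICE_KEYS[device_id], canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def server_verify_report(report, expected_nonce):
    """Server side: verify authenticity, then freshness, then every PCR against golden values.

    Returns a verdict dict; `mismatches` lists the registers that differ so corrective
    action (quarantine, forced update, alert) can be targeted.
    """
    body = report["body"]
    key = DEVICE_KEYS.get(body.get("device_id"))
    if key is None:
        return {"ok": False, "reason": "unknown device", "mismatches": []}
    expected_tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, report["tag"]):
        return {"ok": False, "reason": "bad MAC", "mismatches": []}
    if body["nonce"] != expected_nonce:  # a replayed report carries an old challenge
        return {"ok": False, "reason": "stale or replayed report", "mismatches": []}
    golden = GOLDEN_PCRS.get(body["fw"])
    if golden is None:
        return {"ok": False, "reason": "unknown firmware version", "mismatches": []}
    mismatches = sorted(
        name for name in golden
        if not hmac.compare_digest(golden[name], body["pcrs"].get(name, ""))
    )
    if mismatches:
        return {"ok": False, "reason": "measurement mismatch", "mismatches": mismatches}
    return {"ok": True, "reason": "attested", "mismatches": []}


def demo():
    """Run one healthy report and one with a modified application image through the check."""
    nonce = "n-42"  # server-issued challenge, constructed
    healthy = device_build_report(
        "coffee-machine-0001", "fw-1.4.2", dict(GOLDEN_PCRS["fw-1.4.2"]), nonce)
    tampered = dict(GOLDEN_PCRS["fw-1.4.2"])
    tampered["PCR2"] = hashlib.sha256(b"app-modified").hexdigest()
    modified = device_build_report("coffee-machine-0001", "fw-1.4.2", tampered, nonce)
    replayed = server_verify_report(healthy, "n-41")
    return server_verify_report(healthy, nonce), server_verify_report(modified, nonce), replayed


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The nonce check matters as much as the MAC: without a server-chosen challenge, a device whose application image has been altered could simply resend a report captured while it was still healthy.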
The Security Client is designed to support interactions with the device to enable efficient usage of battery resources. For example, the state of security operations/functions can be saved before entering Deep Sleep to enable fast and network- and power-efficient resumption.
Data Security functions provide simple means to securely manage application data locally, in transit to cloud and in the cloud. Data authenticity, integrity and confidentiality are ensured. Additionally, data stored locally in the devices is secured and can be erased if required. This provides a single data encryption scheme across device, network and cloud.
Kudelski’s IoT Security Client provides functions to encrypt data using ephemeral keys generated by the root of trust on the device or the server. Data can be decrypted by the server or client application by requesting the key for decryption. Where confidentiality is not required, data can be authenticated only, enabling intermediate processing.
Data can be encrypted and decrypted locally on the device by leveraging the IoT Security Client and the RoT. This data remains confidential within the device.
Both the Security Client and the Server provide a DTLS stack that is optimized for LPWA use cases. It leverages the Platform’s pre-shared key scheme to enable a simple opening of a secured tunnel between a Device and an Application endpoint. The DTLS Server is provided as an independently deployable container for instantiating into your cloud.
Generic APIs are provided for managing keys. These APIs can be used to implement your own encryption schemes, in particular those used for securing IP connections. The same shared keys can be requested either from the Kudelski IoT Security Client or from the Kudelski IoT Security Server. This has proven very efficient in constrained networks where data transfer is expensive. The key management API can be used to provision shared keys to standard secure communication stacks (openSSL, mbedTLS, tinyDTLS).
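The property the two paragraphs above rely on, that client and server can each obtain the same shared key without sending it over the constrained link, is illustrated below with an added example. It is not keySTREAM code and the derivation scheme is a generic one (RFC 5869 HKDF over a per-device root key); the root key, device identifier and server nonce are constructed placeholders. The `(identity, key)` pair it produces is the shape a PSK cipher suite in mbedTLS, tinyDTLS or OpenSSL expects to be configured with.

```python
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (Extract then Expand) with SHA-256, standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_self_test() -> bool:
    """Check the helper against RFC 5869 test case 1 before trusting it."""
    okm = hkdf_sha256(b"\x0b" * 22, bytes(range(13)), bytes(range(0xF0, 0xFA)), 42)
    return okm.hex() == ("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56"
                         "ecc4c5bf34007208d5b887185865")


# Constructed placeholder: the per-device root key that, in the design described on the
# page, sits in the device RoT and is known to the Security Server. Not a real key.
ROOT_KEYS = {"sensor-7f3a": bytes(range(32))}


def derive_psk(device_id: str, server_nonce: bytes, epoch: int):
    """Deterministic derivation both sides can run.

    Only the short nonce and the epoch counter ever cross the network; bumping the
    epoch is how a key renewal is expressed without transferring key material.
    """
    root = ROOT_KEYS[device_id]
    info = b"demo-dtls-psk|" + device_id.encode() + b"|" + epoch.to_bytes(4, "big")
    psk = hkdf_sha256(root, server_nonce, info, 32)
    identity = f"{device_id}/{epoch}"  # PSK identity hint sent in the DTLS handshake
    return identity, psk


def client_side(device_id: str, server_nonce: bytes, epoch: int):
    """Device: derive the PSK in the RoT and hand (identity, key) to the DTLS stack."""
    return derive_psk(device_id, server_nonce, epoch)


def server_side(identity: str, server_nonce: bytes) -> bytes:
    """Server: recover device and epoch from the identity hint, re-derive the same key."""
    device_id, epoch_text = identity.rsplit("/", 1)
    return derive_psk(device_id, server_nonce, int(epoch_text))[1]


def demo():
    """Show that both ends agree, and that a new epoch yields an unrelated key."""
    nonce = bytes.fromhex("a1b2c3d4e5f60718")  # constructed server nonce
    identity, client_psk = client_side("sensor-7f3a", nonce, epoch=3)
    server_psk = server_side(identity, nonce)
    renewed_psk = server_side("sensor-7f3a/4", nonce)
    return identity, client_psk == server_psk, client_psk != renewed_psk


if __name__ == "__main__":
    print("hkdf ok:", hkdf_self_test())
    print(demo())
```

The `info` string binds the derived key to the device identifier and epoch, so a key derived for one device or one renewal period cannot be confused with another; the server nonce keeps a device from unilaterally choosing which key is in use.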
The Kudelski IoT Security Client provides mechanisms to cryptographically link the different components of a device or subsystem together where authentication and confidentiality of communication between the different components is required.
Access Management functions allow fine-grained authorization of features on the Kudelski IoT Security Platform or IoT Application.
RBAC is enforced to segregate application vs management API access. Identities can be delegated to external identity providers through standard interfaces. Access to device resources can be segregated by device or by device type.
Application features can be enabled on devices using tokens generated by the IoT Security Platform. Tokens can be used to give authorizations for time-bounded periods.
Security features, such as Local Data Encryption, can be authorized through the Platform to enable, for example, subscription-based monetization schemes.
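How a time-bounded feature token of the kind described in the two paragraphs above can be issued and checked, as an added example that is not keySTREAM code and does not reflect its token format: the Platform signs a payload binding one device, one feature and a validity window with a key it shares with that device, and the device enables the feature only while a token that verifies under that key is inside its window. The device key, identifiers, feature name and timestamps are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder: the per-device key that, in the design described on the page,
# the Platform and the device's Root of Trust share. Not a real key.
DEVICE_KEY = b"\x11" * 32


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, device_id: str, feature: str, not_before: int, expires: int) -> str:
    """Platform side: bind an authorization to one device, one feature and a time window."""
    payload = {"sub": device_id, "feat": feature, "nbf": not_before, "exp": expires}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def feature_enabled(key: bytes, token: str, device_id: str, feature: str, now: int) -> bool:
    """Device side: True only if the token is authentic, is for this device and feature,
    and `now` (seconds since epoch, injected so the check is testable) is inside the window."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return False  # signature checked before anything in the body is trusted
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return False
    return (payload.get("sub") == device_id
            and payload.get("feat") == feature
            and payload.get("nbf", 0) <= now < payload.get("exp", 0))


def demo() -> dict:
    """Exercise the window, the device binding and a forged token."""
    start = 1_700_000_000
    month = 30 * 24 * 3600
    token = issue_token(DEVICE_KEY, "coffee-machine-0001", "local_data_encryption",
                        start, start + month)
    forged = issue_token(b"\x22" * 32, "coffee-machine-0001", "local_data_encryption",
                         start, start + 10 * month)  # signed without the real key
    return {
        "inside_window": feature_enabled(DEVICE_KEY, token, "coffee-machine-0001",
                                         "local_data_encryption", start + 3600),
        "before_start": feature_enabled(DEVICE_KEY, token, "coffee-machine-0001",
                                        "local_data_encryption", start - 1),
        "expired": feature_enabled(DEVICE_KEY, token, "coffee-machine-0001",
                                   "local_data_encryption", start + month),
        "other_device": feature_enabled(DEVICE_KEY, token, "coffee-machine-0002",
                                        "local_data_encryption", start + 3600),
        "other_feature": feature_enabled(DEVICE_KEY, token, "coffee-machine-0001",
                                         "remote_diagnostics", start + 3600),
        "forged": feature_enabled(DEVICE_KEY, forged, "coffee-machine-0001",
                                  "local_data_encryption", start + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

Because the window lives inside the signed payload, extending a subscription means issuing a fresh token rather than touching anything on the device, and the device needs no network round-trip to decide whether a feature is currently authorized.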
The Kudelski IoT Security Platform integrates dynamic security functions from day one that enable security renewability.
Kudelski RoTs are designed from the outset to be updated, with patching mechanisms that limit bandwidth use on constrained networks. The Platform provides APIs to schedule, test and track update campaigns.
Key management functions enable the generation of shared keys between the RoT and the Server. Renewal of keys, for example to enforce or revoke certain functions on the devices, can be managed through simple Platform APIs.
The Platform’s key management and DTLS stacks enable secure deployment and updates of device firmware.