Kudelski IoT keySTREAM

Securely Connect, Manage & Update Your IoT Devices

A device-to-cloud solution for securing all the key assets of your IoT ecosystem, end to end and during its entire lifecycle.

keystream header illustration


We enable trust, integrity and control throughout the entire IoT product lifecycle

Your long-term success depends on your ability to build on trusted foundations (your data, your devices, your connectivity), along with your ability to efficiently manage, scale and update your IoT ecosystem.

trust icon

Establish Trust

Give every IoT device a unique identity that is immutable, unclonable and forms the foundation for any IoT security function.

integrity icon

Ensure Integrity

Protect data at rest and in motion, ensuring it is authentic, comes from a verified source and hasn’t been tampered with.

control icon

Enforce Control

Prevent unauthorized commands or software from being executed on a device, and control access to data using fine-grained policies.

lifecycle icon

Full product lifecycle

Respond to evolving threats and new security requirements by actively managing the product from launch through end of life, using advanced security technology and services.


How you can use keySTREAM to secure and enable your use-cases

Kudelski IoT keySTREAM provides trust, integrity and control for any IoT application or use case you wish to secure, ensuring protection of data, safety and revenue throughout its entire product lifecycle.


LoRaWAN Security Management

LoRaWAN Security Management

Manage LoRa-enabled devices with a Join Server that provides application keys on demand.

Learn more
Just-in-Time Device Security Provisioning

Just-in-Time Device Security Provisioning

Manage IoT security provisioning in a complex supply chain environment with multiple involved parties.

Learn more
Secure energy metering

Secure energy metering

Enable accurate billing of residential and commercial energy usage, preventing fraud and enabling smarter energy management.

Learn more
Protecting Worker Safety

Protecting Worker Safety

Establish trust in the data received by connected vests in dangerous work environments and provide alerts to workers to ensure their safety.

Learn more
Dealer Lot Management

Asset Tracking

Dealer Lot Management

Enable dealerships to locate and manage their entire inventory across lots and locations, granting access only to authorized parties..

Learn more
Vehicle Theft Recovery

Asset Tracking

Vehicle Theft Recovery

Empower car owners to locate their vehicle at any time and share information with police, all while providing strong privacy protections.

Learn more
Guaranteeing Delivery Supply Chain Quality

Guaranteeing Delivery Supply Chain Quality

Give retailers a tamper-proof monitoring solution with miniaturized sensor tags that protects their goods and their data.

Learn more
Passive Keyless Access for Shared Vehicles

Passive Keyless Access

Passive Keyless Access for Shared Vehicles

Enable secure shared vehicle access using "phone as key" at scale.

Learn more
Secure Camera Surveillance

Secure Camera Surveillance

Ensure strong cybersecurity and access protections, so cameras always work & access to video is controlled.

Learn more
Secure Printing

Passive Keyless Access

Secure Printing

Encrypt individual print jobs are encrypted and can only be accede by authorized users.

Learn more
Predictive Maintenance Secure Access

Predictive Maintenance Secure Access

Transform mobile phones and tablets into secure access “keys” for access by specific personnel to specific devices at specific times.

Learn more
Passive Keyless Building Access

Passive Keyless Access

Passive Keyless Building Access

Enabling people to use mobile phones as secure access passes to buildings, garages, events and other venues.

Learn more
Passive Payments

Passive Payments

Enable secure passive payments using mobile phones as a personal payment wallet for pre-authorized devices and venues.

Learn more
Agricultural Data Security

Agricultural Data Security

Encrypt all data traffic from remote sensors end-to-end in order to ensure data confidentiality, integrity and authenticity.

Learn more


keySTREAM is your end-to-end security backbone

Whatever your IoT business objectives,  our core security enablement technologies and services easily integrate across your ecosystem to help you achieve IoT success.

integration icon
Step 1


Integrate the keySTREAM security form factor that is best for your device, use cases and identified threats.

  • Hardware-independent, pre-integrated options
  • Unique ID, provisioned at manufacture
  • Simple device & cloud APIs
connectivity icon
Step 2


Your devices are effortlessly recognized and available as soon as they connect to the network.

  • Zero-touch provisioning
  • Authenticated to your cloud of choice
  • Group-based device management
manage iot security icon
Step 3


Now a part of your IoT ecosystem, you can manage devices and data throughout their entire lifecycle.

  • Validate device integrity
  • Protect data end-to-end
  • Control access to data/device
  • Authorize device features
An icon for secure iot update
Step 4


Actively monitor and update your ecosystem to ensure it continues to deliver the business value you expect.

  • Device security telemetry
  • Remote attestation
  • Secure FOTA updates
  • Device refurbishment and revocation


Contact us to learn more

For more information about how we can help your product ideas a reality, contact us….

How it WOrks

keySTREAM secures your business end to end

keySTREAM consists of two main elements - a Security Client and Security Server - that easily integrate with your devices and backend platforms and applications using simple APIs.

keystream overview diagram


Robust device identity

One of the biggest challenges in IoT security is establishing an immutable identity (root of trust) in hardware (or software) that forms the basis for all other security use cases.

Root of Trust

The Root of Trust (RoT) is integrated in software or embedded as hardware into the device and is the foundation for all security use cases. This root of trust is personalized when the component hosting the security is manufactured. Today we offer different security clients that bring increasing levels of robustness to the solution including Secure Elements, eSIMs, integrated IP blocks and software-hardened solutions.

Secure Client Library

The Secure Client Library (SCL) integrates with the device firmware and applications and acts as a driver to provide APIs to all security functions of the Root of Trust and of the Kudelski IoT Security Platform.

The Secure Client Library (SCL) is delivered as an SDK including test suites and documentation to test the SCL and SAL API integration.


Secure Data, Decisions, Commands and Actions

Achieving your IoT business objectives depends on your ability to process and act on data. We create trust between all physical, digital and human assets in your IoT ecosystem and fully attest to data origin and integrity.

Security Server

The Security Server connects to your back-end platform to enable secure features by any authorized application. The server provides trusted data to the customer’s backend. The data sent between the device and the cloud is identified, authenticated and traceable.


Device and Server APIs enable encryption, authentication and manage all IoT business logic. All Server functions are provided through REST APIs.

An online documentation kit is available to support the end-to-end integration of the Server and Client APIs including reference code for all functionalities of the platform.

Integration options

Embedding trust and creating device reach

Every device profile is different in terms of power consumption and computing power. Kudelski IoT therefore offers a wide variety of different client options in order to ensure the easiest possible integration with your device.

root of trust icon

Software Root of Trust

Kudelski-Hardened Software
Trusted Execution Environment

security icon discrete secure element

Discrete Secure Elements

Telco-Specific SIM (eUICC)
- M2M & Consumer
Kudelski Pico SE - 800

security icon integrated secure element

Integrated Secure Elements

iSE (Kudelski IP in 3rd party SoCs)


Easily secure and manage your IoT ecosystem with trusted functions

Kudelski IoT keySTREAM provides you with functions to identify, secure, manage and authorize your IoT devices, protect your data, control access and actively secure and update them over time.

Device identity and security

Device and Identity features enable a robust authentication and identification of the device enabling trust in the authenticity of the origin of data.

Device Identity Provisioning

Device Identity Provisioning is the process by which trusted device identities are is written into the Root of Trust. These identities enable remote management by the device owner of a device or group of devices. Device Identity provisioning is performed either at the boot of the device or after production through ingestion of production logs into the system.

Tiered Identity

Multiple identities can be tiered to the main RoT identity allowing identification at different stages of the device product process. For example, a Wi-Fi module serial number is sealed into the RoT at boot of the module. At a later stage the Wi-Fi module is integrated into a connected coffee machine. The coffee machine serial number can now be sealed into the RoT and can be used as a primary identifier.

Device Authentication & Registration

Device Registration is the process by which a Device registers with the IoT Platform with its Device Identity and is then enrolled in the customer’s Device Manager based on pre-defined rules. The platform has been developed with real-world operational scenarios in mind: field returns, debugging and refurbishing scenarios are all supported.

Group-Based Device Management

The Platform provides APIs to address operations based on groups of trusted identities of particular attributes ensuring maximum efficiency in addressing and managing large numbers of devices.

Zero-Touch Provisioning / Cloud Onboarding

Authenticated and trusted devices do not need to provision their devices with 3rd-party IoT cloud providers’ PKI based device certificates in order to connect to 3rd-party clouds. This remote provisioning greatly simplifies the personalization processes as well as reducing the overall device bill of materials.

Remote Attestation / Device State Change Tracking

Device run time code can be attested to be authentic. Any external measurements such as runtime code Platform Configuration Registers (PCR) values are reported to the Server for analysis and corrective actions in case of discrepancies.

Device Sleep Management

The Security Client is designed to support interactions with the device to enable efficient usage of battery resources. For example, the state of security operations/functions can be saved before entering Deep Sleep to enable fast and network- and power-efficient resumption.

Data security

Data Security functions provide simple means to securely manage application data locally, in transit to cloud and in the cloud. Data authenticity, integrity and confidentiality are ensured. Additionally, data stored locally in the devices is secured and can be erased if required. This provides a single data encryption scheme across device, network and cloud.

End-to-End Data Encryption

Kudelski’s IoT Security Client provides functions to encrypt data using ephemeral keys generated by the root of trust on the device or the server. Data can be decrypted by the server or client application by requesting the key for decryption. Where confidentiality is not required, data can be authenticated only enabling inteermediate processing.

Secure Data Storage / Local Data Encryption

Data can be encrypted and decrypted locally on the device by leveraging the IoT Security Client and the RoT. This data remains confidential within the device.

DTLS Client and Independent Endpoint

Both the Security Client and the Server provide a DTLS stack that is optimized for LPWA use cases. It leverages the Platforms’ pre-shared key scheme to enable a simple opening of a secured tunnel between a Device and an Application endpoint. The DTLS Server is provided as an independently deployable container for instantiating into the your cloud.

Key Management for DTLS

Generic APIs are provided for managing keys. These APIs can be used to implement your own encryption schemes, in particular those used for securing IP connections. The same shared keys can be requested either from the Kudelski IoT Security Client or the Kudelski IoT Security Server. This is proven very efficient in constrained networks where data transfer is expensive. The key management API can be used to provision shared keys to a standard secure communication stacks (openSSL, mbedTLS, tinyDTLS).

Chip-to-Chip Security

The Kudelski IoT Security Client provides mechanisms to cryptographically link the different components of a device or subsystem together where authentication and confidentiality of communication between the different components is required.

Access Management

Access Management functions allow fine-grained authorization of features on the Kudelski IoT Security Platform or IoT Application.

Role-Based Access Control

RBAC is enforced to segregate application vs management API access. Identities can be delegated to external identity providers through standard interfaces. Access to device resources can be segregated by device or by device type.

Application Feature Authorization

Application features can be enabled on devices using tokens generated by the IoT Security Platform. Tokens can be used to give authorizations for time-bounded periods.

Security Feature Authorization

Security features, such as the Local Data Encryption can be authorized through the Platform to enable for example subscription-based monetization schemes.

Active Security

The Kudelski IoT Security Platform integrates dynamic security functions from day one that enable security renewability.

Root of Trust Firmware Update

Kudelski RoTs are designed to be updated from the outset with patching mechanisms supported to limit bandwidth on constrained networks. The Platform provides APIs to schedule, test and track update campaigns.

Key management and key renewability

Key management functions enable the generation of shared keys between the RoT and the Server. Renewal of keys, for example to enforce or revoke certain functions on the devices, can be managed through simple Platform APIs.

Secure FOTA

The Platform’s key management and DTLS stacks enable secure deployment and updates of device firmware.

The digital trust label

Awarded with the
Digital Trust Label

keySTREAM has successfully passed the audit for the Digital Trust Label. The label stands for the trustworthiness of the digital service according to the checked criteria. The Digital Trust Label developed in Switzerland, is the first of its kind in the world and is managed by the Swiss Digital Initiative (SDI), an independent non-profit Foundation based in Geneva.


Articles related to keySTREAM

Read more Insights