Zerynth offers the highest level of security features for IoT devices by designing the entire system around them. All Zerynth hardware is built around a secure element that provides the following functionality:
- Stores an ECC secp256r1 private key. The private key is inserted into the secure element by the manufacturer (Microchip) using its expensive, FIPS-certified infrastructure. As a result, no one in the world can know the secret key stored in a piece of Zerynth hardware.
- Stores a set of device certificates. These certificates are generated by the manufacturer and signed by its root certificate. Anyone in the world can verify the authenticity of a piece of Zerynth hardware, because it is guaranteed by Microchip itself.
- Signs, verifies and exchanges secret keys to accelerate cryptographic operations. In particular, Zerynth provides a hardened TLS stack that uses the secure element as the source for certificates and secrets.
- Generates cryptographically secure random numbers, so that fresh secret keys are always available for connections.
On the cloud side, the zDeviceManager has a copy of every certificate stored in every produced Zerynth hardware and accepts a connection only if it comes from a device owning a known certificate.
A delicate step in IoT is device provisioning, namely the addition of information that is not known during the manufacturing phase. For example, once a piece of Zerynth hardware is bought, it still can't connect to the zDeviceManager because it is not yet associated with the user's account. This step is critical, and it must be possible to prove that a physical device belongs to someone.
The secure element helps here because it can sign a message with its private key, and the zDeviceManager can verify that the signature is valid. This step is quite complex, but thanks to the Zerynth SDK it can be automated with just a click from the VSCode extension.
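The sign-and-verify step described above can be sketched as a challenge-response exchange. This is an added example, not Zerynth's actual provisioning protocol or SDK code: the `Cloud` type, the `Demo` function, the device IDs and the account names are hypothetical, a software P-256 key stands in for the secure element, and a map of public keys stands in for the stored device certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Cloud is a hypothetical registry; known public keys stand in for the stored device certificates.
type Cloud struct {
	known   map[string]*ecdsa.PublicKey
	pending map[string][]byte // one outstanding nonce per device ID
}

func digest(nonce []byte, account string) []byte { // binds the 32-byte nonce to the claiming account
	d := sha256.Sum256(append(append([]byte{}, nonce...), account...))
	return d[:]
}

// Challenge returns a fresh 32-byte nonce, or nil for a device the cloud does not know.
func (c *Cloud) Challenge(id string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil || c.known[id] == nil {
		return nil
	}
	c.pending[id] = nonce
	return nonce
}

// Claim verifies the signature; the nonce is consumed on every attempt, so replays fail.
func (c *Cloud) Claim(id, account string, sig []byte) bool {
	nonce, ok := c.pending[id]
	delete(c.pending, id)
	return ok && ecdsa.VerifyASN1(c.known[id], digest(nonce, account), sig)
}

// Demo runs one valid claim, a replay, a claim for another account and an unknown device.
func Demo() (valid, replayed, wrongAccount, unknownServed bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed key; a real one never leaves the chip
	c := &Cloud{map[string]*ecdsa.PublicKey{"dev-1": &priv.PublicKey}, map[string][]byte{}}
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest(c.Challenge("dev-1"), "alice")) // device side
	valid = c.Claim("dev-1", "alice", sig)
	replayed = c.Claim("dev-1", "alice", sig)
	sig, _ = ecdsa.SignASN1(rand.Reader, priv, digest(c.Challenge("dev-1"), "alice"))
	return valid, replayed, c.Claim("dev-1", "mallory", sig), c.Challenge("dev-2") != nil
}
func main() { fmt.Println(Demo()) }
```

Because the signed digest covers both the one-time nonce and the account name, a captured signature cannot be replayed later or reused to bind the device to a different account.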
There may be additional information that is not known during the manufacturing phase and that must be added to the device. For example, Wi-Fi passwords should never be stored as a readable file in the internal filesystem or, worse, written directly into the firmware. Anyone with physical access to the device can attach a JTAG probe or a development machine with the Zerynth toolchain and extract precious information from the internal filesystem.
Fortunately, the secure element offers a small internal storage area designed just for this task. Wi-Fi passwords and other information can be stored securely in the secure element directly with the Zerynth toolchain.
IoT devices are often left alone in the field, where hackers can access them more easily. What happens if someone steals a piece of Zerynth hardware and removes the secure element? Can it be soldered into another device to impersonate the original Zerynth hardware?
The secure element offers protection from this scenario too. The first time a piece of Zerynth hardware is powered on, the secure element is automatically configured so that any interaction (e.g. signing, verifying, etc.) can be done only with that particular Zerynth hardware and no one else.