Trusted Device Identification, Device On-Boarding and Service Provisioning
Pelion Device Management enables device manufacturers to configure millions of devices with unique cryptographic identities and connection parameters before they leave the factory. Private keys, certificates, server URL, connection parameters and firmware update keys necessary to connect to Pelion Device Management are created, injected and securely stored for easy device assignment, onboarding and service activation.
To connect to Pelion Device Management, each IoT device must have a unique cryptographic credential. This unique credential is used to authenticate devices, generate session encryption keys and authorize device access to various system services. The device cryptographic credential is stored securely to protect data that moves between the device and the server, and to protect the device management service itself from unauthorized access.
The device private keys, certificates and firmware validation keys are securely stored in protected storage implemented by Pelion Device Management Client. The protected storage can secure the data in external and internal non-volatile memory, serving as a protected root-of-trust in the device. For increased security, the root-of-trust can utilize the TrustZone capabilities supported by Arm processors.
Each IoT device must be configured with the correct server and connection parameters to identify, connect to and authenticate the Pelion Device Management server. Support for industry-standard X.509 certificates facilitates mutual authentication and establishment of encrypted DTLS or TLS sessions between devices and the device management server.
Device management capabilities are delivered as a flexible and extensible SDK supporting multiple factory floor configurations and trust levels.