Identities in Devices – What and Why?

ControlThings offers software for making mutual TLS authentication easy for solution providers, and for recording Verifiable Audit Trails using certified identities in devices and user interfaces. Device private keys can be copy-protected using hardware enforced security. We provide software libraries for apps and devices, and we offer a hosted Cert Manager service. Your users can authenticate using their own corporate account for obtaining personal cert. The device identities remains invisible, while a middleware we provide produces a cryptographically verifiable chain (audit trail), a tamper protected event log.

Certificate Management Made Easy

Certificate management is know to be cumbersome. We are striving to make it as easy as alternatives, but you will get the superior features that certificates enable, such as clone-protection and spoof-protection.

Verifiable Audit Trails - Cover Your Back with Recorded Evidences

When you need to confirm that insurance conditions or warranty conditions have been met, you appreciate the verifiable event logs with tampering detection. A customer may deny that he used a service specified on the invoice. Can you be confident that logged records are authentic, or could the file potentially have been manipulated? With digitally signed log records, chained cryptographically together, you can verify who triggered what, in which order and that no event has been erased or modified. It provides immutability and non-repudiation. Like in police registers, medical records and fintech databases users are required to digitally sign commands for accessing or storing data, or for triggering sensitive actions. This has previously been achieved using smart cards containing a crypto identity. With our mobile app framework, you can avoid the pain and costs of smart cards and card readers. This middleware produces indisputable log files, every party can be held liable for their own acts.

A Verifiable Immutable Chain of Events

An Audit Trail enables impartial verification of the essential events:

  • Verifiable trust anchoring
    • app anchoring to an organisational user account
    • the trust provisioning on the target device
  • Verifiable event producer
  • Verifiable command triggered by event producer
  • Verifiable target system who executed and recorded event
  • Verifiable order of events
  • Verifiable chain coherence, completeness and immutability
  • Verifiable common understanding of time, between producer and event recorder

Manufacturer-Private Ecosystem + Device Customer Ecosystem

We make it easy for you (as a manufacturer) to authenticate your devices remotely, using unique device certificates. At the same time, your devices are able to authenticate your service technicians and your remote support. There are no shared secrets that would risk the security of your entire device fleet - those kind of solutions are common, and are often resulting in compromised security.

We also make it easy for you (as the device customer) to deploy the device into your own private environment, such as your mill environment, hospital, or other corporate network. An integration with your OAuth enables your corporate users to interact with the deployed devices, which can record verifiable traces upon interaction.

The Cert Manager tool / Certificate Authority

Try our Cert Manager CA tool with a few clicks. You can set up and evaluate an own CA instance.

The certification is fully automated, the Cert Manager provides an overview of which devices and users have been certified. The tool allows you to revoke certificates, and suspend user accounts preventing them from obtaining new certificates.

The software libraries we offer for devices and mobile apps are co-operating with this CA, for automatically rotating certificates. All these components are X.509 standards compliant.

Hardware Enforced Security

Certificate holders can benefit of hardware enforced security. We encourage you to use Secure Elements and Hardware Security Modules (HSM) where applicable. They provide copy-protection for the private keys, and thereby mitigate the risk of unwanted clone-copies of devices. This is possible since certificate authentication involves proof of private key possession (using digital signature), and the HSM cannot provide same benefits for alternative authentication methods such as tokens where the secrets are transported.

Today HSM hardware solutions can be found even on low-budget microcontrollers for IoT applications. We provide you with consultancy and the required integration development for your platform.


Accurate Register of Activated Devices

The device certification has separate phases for bootstrap certs installed at factory and for device activation where a cert is issued when the device comes online for the very first time.

You get accurate knowledge over which devices have been activated, and when. This enables more flexibility in your business models and provides you with accurate warranty tracking. This activation evidence can on-site be verified by your service technician tools.

We can achieve this even with Bluetooth devices, by using device registration through a mobile app with Internet access.


Mutual Authentication for IoT and On-Prem systems

We are making it easy for you to achieve mutually authenticated TLS, using certificates you are in full control over. We are supplying you with the software you need for your IoT-projects and mobile app development.
You are in our target group if you plan to use peer-to-peer connections, where you need to authenticate both communicating parties. Who need to do that? Machine-to-Machine communication is very common. Device manufacturer cloud-connections are often forbidden in critical systems environments like mills, power plants and hospitals. Peer-to-peer connections are for example used for on-site service tasks, sometimes even over Bluetooth (where we also can provide help). Direct communication is also used when robustness, latency or throughput are relevant.
 

What does it take to try it out?

Almost nothing, it is actually fast and easy! A few clicks, and you have registered an own Certificate Authority on https://certmanager.controlthings.fi. Another few clicks, and you have installed our mobile app demo. Login with your Google account and you are up and running. In your app, that authentication would be replaced with your the one you are using for your environment. You can play around with the device certificates, app certificates, cert revocation, cert rotation and mutually authenticated TLS connections. You'll get a clear understanding of the device certification process, device registration process, and how Verifiable Audit Trails could be recorded by your devices.

Agile Cert Management

The automated certification is quick and easy. Start recording Audit Trails on your edge system using events triggered by iOS and Android apps, or other edge devices.

Recorded Evidences

Cryptographically verifiable log files leave no room for arguing.

Manufacturer-friendly signing process

The two-phase device certification allow you to outsource the device manufacturing, and bootstrap certification of your devices. The device registration on first-use provides you with full control over which set of devices that are enabled on the market.

Contact us

Drop us a line or give us a ring. We love to hear from you and are happy to answer any questions.

OUR OFFICE

Mestarintie 14, 06150 Porvoo
FINLAND

OUR MAIL

info@controlthings.fi

OUR PHONE

+358 405 166116