
Page 1: IoT Data Protection E4 - Teserakt · IoT security · 2020-04-01 · The IoT data protection problem IoT data transits over many systems such as cloud providers, message brokers, or

IoT Data Protection · E4

Internet of Things (IoT)?

Connected systems are a growth and innovation factor across diverse industries

They enable “smart systems”, thanks to their connectivity and data-based behavior

But this also creates risk and challenges

Example sectors: automotive, smart cities, healthcare, transportation, energy smart grid, supply chain, access control, oil and gas

The IoT data protection problem

IoT data transits over many systems such as cloud providers, message brokers, or network proxies

Data is thus exposed to cloud services, foreign entities, criminals, and other third parties

Risks from loss of data control
• Industrial sabotage and fraud
• Data resale to third parties
• Covert collection for BI purposes
• Covert data scanning and analytics
• Business interruption and ransomware
• Non-compliance with privacy regulations

Challenges of IoT data protection
• Web technology (TLS, PKI) is insufficient:
  • Not end-to-end: TLS only protects each client–server hop, so brokers and cloud services still see the data in clear
  • Complex to manage
  • Failure-prone
• Diversity of devices and platforms
• Large number of devices and messages

Teserakt’s solution: E4

Designed to address IoT needs, by renowned experts in security and scalable systems

Full end-to-end data protection
• Highest cryptographic security
• Negligible performance and bandwidth impact (24 bytes of overhead per message)
• Dynamic key server to manage devices
• Simple integration:
  • Lightweight client library
  • Virtualized server (containers, VMs)

Core innovations

• Minimal energy consumption and bandwidth usage, thanks to a protocol designed to minimize costs
• Automation of security policies, scaling to arbitrarily many devices/messages; no change needed to the servers, compatible with AWS/Azure/GCP/IBM
• Web UI for simple operation and network monitoring; APIs and command-line interfaces for admin and scripting

E4’s two components

Client library

• Available in C, Go, Java, Python, Rust

• Works on ARM, AVR, MIPS, x86 platforms

• Minimal code and RAM footprint

• Can leverage platforms’ hardware security features/accelerators (TrustZone, AES engine, etc.)

Open-source on our GitHub (APLv2)

(Diagram: device software stack with layers labelled Business logic, Teserakt security, Transport layer)

Dynamic key server

• Manage devices and message topics

• Automate security policies at scale

• Web and command-line interfaces

• HTTP and gRPC APIs

• Observability, monitoring, analytics

Modern cryptography and security

The right cryptography

• Confidentiality, integrity, authenticity

• Forward/backward secrecy, replay protection

• AES-SIV, Argon2, Curve25519, Ed25519, SHA-3

• FIPS 140-2 mode (AES-GCM, P-256, ECDSA, PBKDF2)

• Minimal overhead (only 24 bytes per message)

Solid security engineering

• Encrypted database records

• TLS links between all internal services

• Support for KMS, software vaults, HSMs, etc.

• Secure-by-default behavior and configuration

• Devices keep receiving messages even if the key server is down or under attack: the server manages keys and rights out of band and is not on the data path

Server: easy integration & operation

State-of-the-art scalable design

• Written in Go, following modern design principles

• SQL database (PostgreSQL, MySQL, MariaDB, etc.)

• Observability with OpenCensus (metrics, tracing)

• High-availability architecture with DB replication

Simple deployment and integration

• Automated via Ansible scripts (a few minutes)

• HTTP/JSON and gRPC/protobuf APIs

• Structured logs suitable for local SIEMs

• On-premise or managed version

Typical deployment over MQTT

(Diagram: devices publish and subscribe over MQTT through the broker; the key server also attaches to the broker as an MQTT client; the monitoring workstation, automation service and operator workstation reach the key server over HTTP and gRPC/TLS)

Teserakt’s client library resides on your devices and protects data sent to the broker

Teserakt’s key server connects to the network as a client to manage devices’ rights

Monitoring workstation
• Web UI for desktop or mobile platforms
• Dashboard with live data and analytics
• Full key management functionalities

Automation service
• Deploys key rotation policies
• Using shell scripts or our SDK

Operator workstation
• Command-line utility + interactive shell
• Remotely manage keys and permissions
• Support for batch commands and scripts

Technical data sheet

Client platform requirements
• Symmetric key mode: at least AVR ATmega328
• Public key mode: at least ARM Cortex-M0
• At least 128 bytes of read/write local storage

Server components requirements
• 2 GB RAM for core services
• ELK analytics: depends on configuration
• DB: SQL (PostgreSQL, MariaDB, CockroachDB, etc.)
• OpenCensus metrics and tracing: variable

Server protocols support
• Off-the-shelf: MQTT 3.1.1 and 5.0
• Compatible: AMQP, 0MQ, RabbitMQ, Kafka
• Other protocols on demand

Cryptography algorithms
• AES-SIV 256 authenticated encryption (RFC 5297)
• SHA3-256 hashing (NIST FIPS 202)
• Argon2i password hashing
• Ed25519 signatures (RFC 8032)
• X25519 key agreement (RFC 7748)

Client enhanced security support
• Crypto hardware engines
• PKCS#11/SCP11-compatible secure elements
• Execution as a TrustZone enclave

Server enhanced security support
• AWS KMS (with CloudHSM)
• Local HSM (such as Gemalto SafeNet)
• HashiCorp Vault


IoT Data Protection · E4

For more information or demo request: [email protected]