IoT SAFE (PoC) [English]
What is IoT SAFE?
IoT SAFE (IoT SIM Applet For Secure End-2-End Communication) is a standard defined by the GSMA to use SIM cards as the Root of Trust for secure communication between IoT devices and the cloud.
By incorporating a SIM applet with authentication and encryption functions, it provides secure device authentication and end-to-end data encryption, and it is considered a key technology for ensuring device security in IoT devices using cellular networks.
This applet has been developed in compliance with IoT SAFE standard specifications.
Overview of IoT SAFE
IoT SAFE operates in the following sequence:
- Register either "SIM-specific identification information" or an "identification template" through the dedicated IoT SAFE OpenAPI.
- When the IoT SAFE applet is launched, it automatically generates a key pair and retrieves the identification information.
- The IoT SAFE applet then generates a CSR using the retrieved identification information and submits it to the Applet Console.
- The CA issues a client certificate based on the CSR submitted to the Applet Console.
- The client certificate is then deployed to the IoT device.
- mTLS communication is established.
Verification of IoT SAFE
This section demonstrates how to verify the mTLS communication between the IoT SAFE applet and Applet Console using OpenSSL.
Verification Environment
This verification requires the following software and hardware:
IoT Device
- Raspberry Pi
- Debian GNU/Linux 12 (bookworm)
- OpenSSL 3.0.11
- device
- For supported models, please refer to here.
IoT Server
- Any web server, etc.
- Must be configured to require client certificate verification.
Applet Console
- Used for applet installation and verification of public keys and CSR.
Prerequisites
- Install the packages (libifd-atcmd and pkcs11-iotsafe) necessary to run IoT SAFE on Linux. The directory is handed to the _apt user so that apt can read the local .deb files:
sudo mkdir /opt/iotsafe && sudo chown _apt /opt/iotsafe
sudo cp ~/*.deb /opt/iotsafe/
sudo apt install /opt/iotsafe/*.deb
Installation of IoT SAFE Applet
- Install the IoT SAFE applet on the SIM card.
- Please refer to "How to Use the Applet Console".
- Confirm that the IoT SAFE applet has been successfully installed on the SIM card.
- From the SIM menu of the Applet Console, open the SIM detail screen of the corresponding SIM card.
- Confirm that the OTA status is "Install:Succeeded".
Obtaining CSR and Client Certificate through Identification Information Registration in Applet Console
Note
In the following API commands, replace {env_name}, {iccid}, {api_id}, and {api_secret} with the values for your environment.
- Register either "SIM-specific identification information" or an "identification template".
In this example, we will demonstrate how to register the "SIM-specific identification information".
Request
curl -X 'POST' \
  'https://iot-safe.api.{env_name}.sim-applet.com/v1/identity/sim/{iccid}' \
  -H 'accept: application/json' \
  -H 'api_id: {api_id}' \
  -H 'api_secret: {api_secret}' \
  -H 'Content-Type: application/json' \
  -d '{
    "label": "string",
    "subject": {
      "commonName": "example.com",
      "country": "JP",
      "organizationName": "Example Co.,Ltd.",
      "organizationalUnitName": "Example Group",
      "stateOrProvinceName": "Tokyo",
      "localityName": "Example City",
      "email": "hoge@example.com"
    }
  }'
Response
{
  "id": 1,
  "label": "string",
  "content": "3079310d300b06035504030c0474657374310b300906035504060c024a50310d300b06035504070c0474657374310d300b06035504080c0474657374310d300b060355040a0c0474657374310d300b060355040b0c0474657374311f301d06092a864886f70d0109010c1074657374406578616d706c652e636f6d",
  "createdAt": "2024-01-01T00:00:00Z",
  "iccid": "{iccid}"
}
- Check the OTA tasks to verify that the GenerateCSR task has the status "Succeeded".
Request
curl -X 'GET' \
  'https://iot-safe.api.{env_name}.sim-applet.com/v1/ota-tasks?iccid={iccid}' \
  -H 'accept: application/json' \
  -H 'api_id: {api_id}' \
  -H 'api_secret: {api_secret}'
Response
{
  "id": 1,
  "totalItems": 1,
  "totalPages": 1,
  "data": [
    {
      "id": 1,
      "iccid": "{iccid}",
      "identityTemplate": {
        "id": 1,
        "label": "string",
        "content": "3079310d300b06035504030c0474657374310b300906035504060c024a50310d300b06035504070c0474657374310d300b06035504080c0474657374310d300b060355040a0c0474657374310d300b060355040b0c0474657374311f301d06092a864886f70d0109010c1074657374406578616d706c652e636f6d",
        "createdAt": "2024-01-01T00:00:00Z"
      },
      "simIdentity": null,
      "file": null,
      "externalCaConfig": null,
      "taskType": { "name": "GenerateCSR" },
      "status": { "name": "Succeeded" },
      "retryCount": 0,
      "createdAt": "2024-01-01T00:00:00Z",
      "updatedAt": "2024-01-01T00:00:00Z"
    }
  ]
}
- It may take 5 minutes or more for the IoT SAFE applet to connect.
- Verify that the CSR has been generated.
Request
curl -X 'GET' \
  'https://iot-safe.api.{env_name}.sim-applet.com/v1/csr/{iccid}' \
  -H 'accept: application/json' \
  -H 'api_id: {api_id}' \
  -H 'api_secret: {api_secret}'
Response
{
  "csr": "-----BEGIN CERTIFICATE REQUEST-----\n ... \n-----END CERTIFICATE REQUEST-----"
}
- It may take 5 minutes or more for the IoT SAFE applet to generate and send the CSR.
- Verify that the client certificate has been issued.
Request
curl -X 'GET' \
  'https://iot-safe.api.{env_name}.sim-applet.com/v1/certificate/{iccid}' \
  -H 'accept: application/json' \
  -H 'api_id: {api_id}' \
  -H 'api_secret: {api_secret}'
Response
{
  "certificate": "-----BEGIN CERTIFICATE-----\n ... \n-----END CERTIFICATE-----"
}
- The CSR and client certificate verified through the API can also be viewed from the SIM details screen.
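The "content" value in the registration and OTA task responses above is the DER-encoded X.501 Name (the certificate subject) that the applet places in its CSR, so it can be decoded to confirm which identity was actually stored before the CSR is issued. The following is an added example, not code from this page or from the Applet Console API; it uses the Python standard library only and embeds the sample "content" from the response above (whose fields decode to "test" values rather than the values in the sample request).

```python
# X.520 attribute OIDs used in the identity subject (CN, C, L, ST, O, OU, emailAddress).
OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "emailAddress",
}

# "content" hex copied from the registration response above (DER-encoded X.501 Name).
SAMPLE_CONTENT = (
    "3079310d300b06035504030c0474657374310b300906035504060c024a50"
    "310d300b06035504070c0474657374310d300b06035504080c0474657374"
    "310d300b060355040a0c0474657374310d300b060355040b0c0474657374"
    "311f301d06092a864886f70d0109010c1074657374406578616d706c652e636f6d"
)


def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (legal, unused by the sample)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _oid(raw):
    """Decode a DER OBJECT IDENTIFIER value into dotted notation."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_subject(content_hex):
    """Decode the hex 'content' (DER X.501 Name) into {attribute: value}."""
    tag, name, _ = _tlv(bytes.fromhex(content_hex), 0)
    if tag != 0x30:
        raise ValueError("content is not a DER SEQUENCE (X.501 Name)")
    subject, pos = {}, 0
    while pos < len(name):
        _, rdn, pos = _tlv(name, pos)      # SET: RelativeDistinguishedName
        _, atv, _ = _tlv(rdn, 0)           # SEQUENCE: AttributeTypeAndValue
        _, oid, nxt = _tlv(atv, 0)         # OBJECT IDENTIFIER: attribute type
        _, val, _ = _tlv(atv, nxt)         # UTF8String/PrintableString: value
        subject[OID_NAMES.get(_oid(oid), _oid(oid))] = val.decode("utf-8")
    return subject


if __name__ == "__main__":
    print(decode_subject(SAMPLE_CONTENT))
```

Compare the decoded fields with the subject you sent in the registration request; a mismatch means the wrong identity would end up in the CSR and the client certificate.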
Establishing mTLS Communication
Save the client certificate retrieved through the API or the Applet Console as a file, and deploy it to the IoT device.
- Connect to the IoT server using mTLS communication.
- If you named the client certificate "iotsafe.client.cert", you can verify the connection using the following command (replace {iot_server_ip} and {iot_server_port} with the address and port of your IoT server):
openssl s_client \
  -connect {iot_server_ip}:{iot_server_port} \
  -cert "./iotsafe.client.cert" \
  -key "pkcs11:token=IoTSAFE;type=private;id=%01"
- The private key is referenced by a PKCS#11 URI rather than a file, so it never leaves the SIM; OpenSSL must be able to load the IoT SAFE PKCS#11 module installed under Prerequisites for the URI to resolve.