IoT SAFE (PoC)


What is IoT SAFE?

IoT SAFE (IoT SIM Applet For Secure End-2-End Communication) is a standard defined by the GSMA to use SIM cards as the Root of Trust for secure communication between IoT devices and the cloud.

By incorporating a SIM applet with authentication and encryption functions, it provides secure device authentication and end-to-end data encryption, and it is considered a key technology for ensuring device security in IoT devices using cellular networks.

This applet has been developed in compliance with IoT SAFE standard specifications.


Overview of IoT SAFE

IoT SAFE operates in the following sequence:


Preliminary Tasks

  1. Install the IoT SAFE applet on the SIM card.

  2. From either the “IoT SAFE” menu or the OpenAPI, register either the “SIM-specific identification information” or the “identification template.”


Certificate Generation Process

  1. When launched, the IoT SAFE applet generates a key pair and then contacts the Applet Console to check for commands.

  2. The Applet Console issues the ReadPublicKey command, instructing the applet to read out the public key.

  3. The IoT SAFE applet sends the public key of the generated key pair to the Applet Console.

  4. The Applet Console issues the GenerateCSR command, instructing the applet to generate and submit a CSR.

  5. The IoT SAFE applet generates the CSR and sends it to the Applet Console.

  6. The Applet Console signs a client certificate based on the submitted CSR.

  7. The Applet Console distributes the client certificate using the DeliveryClientCert command.


Usage of the Client Certificate

  1. Establish mTLS and VPN communications.

As a result of these operations, the IoT SAFE applet stores the key pair (private and public keys), CSR, and client certificate, enabling secure communications.


Verification of IoT SAFE

This section demonstrates how to verify the mTLS communication between the IoT SAFE applet and Applet Console using OpenSSL.


Verification Environment

This verification requires the following software and hardware:


IoT Device

  • Raspberry Pi
    • Debian GNU/Linux 12 (bookworm)

    • OpenSSL 3.0.11

  • device
    • For supported models, please refer to here.


IoT Server

  • Any web server, etc.
    • Must be configured to require client certificate verification.


Applet Console

  • Used for applet installation and verification of public keys and CSR.


Prerequisites

  1. Install the packages (libifd-atcmd and pkcs11-iotsafe) necessary to run IoT SAFE on Linux:
    sudo mkdir /opt/iotsafe && sudo chown _apt /opt/iotsafe
    sudo cp ~/*.deb /opt/iotsafe/
    
    sudo apt install /opt/iotsafe/*.deb
    

Installation of IoT SAFE Applet

  1. Install the IoT SAFE applet on the SIM card.
  2. Confirm that the IoT SAFE applet has been successfully installed on the SIM card.
    1. From the SIM menu of the Applet Console, open the SIM detail screen of the corresponding SIM card.

    2. Confirm that the OTA status is "Install:Succeeded".


Identification Information Registration in Applet Console

  1. Register either "SIM-specific identification information" or an "identification template".

    In this example, we will demonstrate how to register the "identification template".

Note

If the identification template has already been registered, this step is not necessary. Please proceed to "CSR Generation and Client Certificate Signing".

  1. In the Client Certificate tab, click on "Identification Template".
  2. Click the "Edit" button to modify the identification template.
  3. Enter the required information and click the "Save" button.
  4. Confirm that the identification template has been registered.


CSR Generation and Client Certificate Signing

  1. Power on the IoT device and launch the IoT SAFE applet.

  2. Click on the "ID" displayed in the Client Certificate list to view the details of the client certificate.
  3. Confirm that the results of the ReadPublicKey command, ReadCSR command, and DeliveryClientCert command have all succeeded.
  4. You can verify the public key, CSR, and client certificate from the "SIM Details" under the "SIM" menu.

Establishing mTLS Communication

  1. Save the client certificate retrieved from the API or GUI as a file, and deploy it to the IoT device.

  2. Connect to the IoT server using mTLS communication.
    • If you named the client certificate "iotsafe.client.cert", you can verify the connection using the following command:

    openssl s_client \
    -connect <IoT server IP address>:<IoT server port> \
    -cert "./iotsafe.client.cert" -key "pkcs11:token=IoTSAFE;type=private;id=%01"
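
Before deploying the certificate and running the s_client command above, it helps to confirm that the public key, CSR and client certificate shown under "SIM Details" all carry the same key, and that the certificate was issued by the expected CA. The script below is an added example, not part of the original page or the vendor's tooling; it assumes the three artifacts are saved as PEM files, all file names other than iotsafe.client.cert are hypothetical, and the sample data uses software-generated P-256 keys as stand-ins for the SIM key pair and the signing CA.

```shell
#!/bin/sh
# Added example: file names are hypothetical; sample keys are software stand-ins.

# Emit the public key carried by a PEM file. $1 = pubkey|csr|cert, $2 = path
spki_pem() {
    case "$1" in
        pubkey) openssl pkey -pubin -in "$2" ;;
        csr)    openssl req  -in "$2" -noout -pubkey ;;
        cert)   openssl x509 -in "$2" -noout -pubkey ;;
        *)      return 2 ;;
    esac 2>/dev/null
}

# SHA-256 of the DER SubjectPublicKeyInfo; fails on unreadable or empty input.
spki_sha256() {
    pem=$(spki_pem "$1" "$2") && [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# $1=public key  $2=CSR  $3=client certificate  $4=issuing CA certificate
check_iotsafe_artifacts() {
    k=$(spki_sha256 pubkey "$1") || { echo "cannot read public key" >&2; return 1; }
    [ "$k" = "$(spki_sha256 csr "$2")" ]  || { echo "CSR key mismatch" >&2; return 1; }
    [ "$k" = "$(spki_sha256 cert "$3")" ] || { echo "certificate key mismatch" >&2; return 1; }
    openssl req -in "$2" -noout -verify 2>&1 | grep -q "verify OK" ||
        { echo "CSR self-signature invalid" >&2; return 1; }
    openssl verify -CAfile "$4" "$3" >/dev/null 2>&1 ||
        { echo "certificate not issued by expected CA" >&2; return 1; }
}

# Constructed sample data written to directory $1 (no SIM or console involved).
make_sample() {
    for n in ca sim other; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$1/$n.key" || return 1
        openssl pkey -in "$1/$n.key" -pubout -out "$1/$n.pub" || return 1
    done
    openssl req -x509 -new -key "$1/ca.key" -subj "/CN=Sample CA" -days 1 -out "$1/ca.cert" &&
    openssl req -new -key "$1/sim.key" -subj "/CN=sample-device" -out "$1/sim.csr" &&
    openssl x509 -req -in "$1/sim.csr" -CA "$1/ca.cert" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/iotsafe.client.cert" 2>/dev/null
}

d=$(mktemp -d) && make_sample "$d" || exit 1
check_iotsafe_artifacts "$d/sim.pub" "$d/sim.csr" "$d/iotsafe.client.cert" "$d/ca.cert" &&
    echo "consistent, key fingerprint $(spki_sha256 cert "$d/iotsafe.client.cert")"
check_iotsafe_artifacts "$d/other.pub" "$d/sim.csr" "$d/iotsafe.client.cert" "$d/ca.cert" ||
    echo "mismatched public key rejected"
rm -rf "$d"
```

With real artifacts, call check_iotsafe_artifacts on the files saved from the Applet Console instead of the generated samples; a mismatch means the certificate does not belong to the key held on the SIM and the mTLS handshake would fail.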