Universelle Referenzarchitektur für eine sichere cloudbasierte Automation

Kenntnisfreie Erstanmeldung von ressourcenbeschränkten IoT-Geräten mit symbiotischer Sicherheit

  • Witali Bartsch
  • Michael Hübner Brandenburgische Technische Universität


In the first of a series of articles, we introduce the term “Symbiotic Security” to denote an ideal architecture where all essential components (e.g. hardware, software or networks) contribute to raising the architectural security bar. The growing importance of cloud computing for secure and resilient automation and its intended independence from hardware to accommodate all platforms have led us to observe a disconnect between well-known cloud service providers and manufacturers of embedded devices or IoT: the unsolved problem of initial enrolment. After elaborating on the root cause of this gulf we present a non-invasive
extension and implementation of a cloud IoT reference architecture for an automated, mutually  authenticated and encrypted roll-out of IoT nodes. To also enable automated key management without human intervention, the system refrains from using any static secrets usually employed by the hardware vendors – a longstanding point of criticism. Despite our practical choice of a target platform, the idea itself is uniform across such environments given their inherent similarities.


  1. [1]  Yang, X. (2017). LoRaWan: Vulnerability analysis and practical exploitation. Delft University of Technology.
  2. PointBlank Security by Steen Harbach AG. (2018). Security for Internet-enabled Products “Made in Germany”. Abgerufen von: https://www.pointblank.de/de/?file=files/assets/downloads/PointBlank-Security_pbTLS_sS2E-Module_Leaflet.pdf
  3. PointBlank Security by Steen Harbach AG. (2018). sS2E Module Manual. Abgerufen von: https://www.pointblank.de/de/?file=files/assets/downloads/MS500_SS2E_MODULE_User_Manual_V1.0.pdf
  4. Gartner Inc. (2013). Magic Quadrant for Cloud Infrastructure as a Service. Abgerufen von: https://web.archive.org/web/20130825054202/http://www.gartner.com/technology/reprints.do?id=1-1IMDMZ5&ct=130819&st=sb
  5. Amazon Web Services. (2018). Getting Started with Amazon FreeRTOS. Abgerufen von: https://aws.amazon.com/freertos/getting-started/
  6. Amazon Web Services. (2018). Amazon FreeRTOS Qualification Program Developer Guide. Abgerufen von: https://d1.awsstatic.com/product-marketing/iot/Amazon-FreeRTOS-Qualification-Program-Developer-Guide-V1.0.0.pdf
  7. Skorobogatov, S. P. (2000). Copy Protection in Modern Microcontrollers. Abgerufen von: https://web.archive.org/web/20190228185532/https://www.cl.cam.ac.uk/~sps32/mcu_lock.html
  8. Fielding, R. T. (2000). Architectural Styles and the Design of Network-based Software Architectures. Abgerufen von: https://web.archive.org/web/20190314180316/https://www.ics.uci.edu/~fielding/pubs/dissertation/top.htm
  9. Skyhigh Networks, Coles, C. (2019). Cloud Market in 2018 and Predictions for 2021. Abgerufen von: https://web.archive.org/web/20190121190318/https://www.skyhighnetworks.com/cloud-security-blog/microsoft-azure-closes-iaas-adoption-gap-with-amazon-aws/
  10. Microsoft Azure, Berdy, N. (2017). Device provisioning: Identity attestation with TPM. Abgerufen von: https://web.archive.org/web/20190316221710/https://azure.microsoft.com/de-de/blog/device-provisioning-identity-attestation-with-tpm/
  11. Bundesamt für Sicherheit in der Infromationstechnik. (2013). Report on Microsoft Windows 8 and TPM. Abgerufen von: https://web.archive.org/web/20160304004000/https:
  12. //www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2013/Windows_TPM_Pl_21082013.html
  13. Nemec, M., Sys, M., Svenda, P., Klinec, D., Matyas, V. (2017). The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli. In ACM Conference on Computer and Communications Security (CCS) 2017. Abgerufen von: https://web.archive.org/web/20171102170138/https://acmccs.github.io/papers/p1631-nemecA.pdf
  14. Microsoft Corporation. (2018). Control access to IoT Hub. Abgerufen von: https://web.archive.org/web/20180921103416/https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-devguide-security
  15. Microsoft Corporation. (2017). Support additional protocols for IoT Hub. Abgerufen von: https://web.archive.org/web/20181208124323/https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-protocol-gateway
  16. Microsoft Corporation. (2017). Provisioning devices with Azure IoT Hub Device Provisioning Server. Abgerufen von: https://web.archive.org/web/20190108164849/https://docs.microsoft.com/en-us/azure/iot-dps/about-iot-dps
  17. Microsoft Corporation. (2017). Conceptual understanding of X.509 CA certificates in the IoT industry. Abgerufen von: https://web.archive.org/web/20190316220629/https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-x509ca-concept
  18. Microsoft Corporation. (2018). Get started with Key Vault certificates. Abgerufen von: https://web.archive.org/web/20190108051426/https://docs.microsoft.com/en-us/azure/sql-database/transparent-data-encryption-byok-azure-sql
  19. Wu, T. (1998). SRP Protocol Design. Abgerufen von: https://web.archive.org/web/20190201161506/http://srp.stanford.edu/design.html
  20. Misra, S., Goswami, S., Taneja, C., Mukherjee, A., Obaidat, M. S. (2015). A PKI adapted model for secure information dissemination in industrial control and automation 6LoWPANs. IEEE Access, 3, 875-889.
  21. Chen, L., Li, J. (2010). A note on the Chen–Morrissey–Smart DAA scheme. Information Processing Letters, 110(12-13), (pp. 485-488).
BARTSCH, Witali; HÜBNER, Michael. Universelle Referenzarchitektur für eine sichere cloudbasierte Automation. atp magazin, [S.l.], v. 61, n. 9, p. 72-82, sep. 2019. ISSN 2364-3137. Verfügbar unter: <http://ojs.di-verlag.de/index.php/atp_edition/article/view/2428>. Date accessed: 16 juli 2020.
Hauptbeitrag / Peer-Review