Universelle Referenzarchitektur für eine sichere cloudbasierte Automation

Kenntnisfreie Erstanmeldung von ressourcenbeschränkten IoT-Geräten mit symbiotischer Sicherheit


  • Witali Bartsch
  • Michael Hübner Brandenburgische Technische Universität




sichere Architektur für eingebettete Systeme, sichere kryptografische Schlüsselverwaltung, sichere Fernautomatisierung, symbiotische Sicherheit, sichere Erstanmeldung


In the first of a series of articles, we introduce the term “Symbiotic Security” to denote an ideal architecture where all essential components (e.g. hardware, software or networks) contribute to raising the architectural security bar. The growing importance of cloud computing for secure and resilient automation and its intended independence from hardware to accommodate all platforms have led us to observe a disconnect between well-known cloud service providers and manufacturers of embedded devices or IoT: the unsolved problem of initial enrolment. After elaborating on the root cause of this gulf we present a non-invasive
extension and implementation of a cloud IoT reference architecture for an automated, mutually  authenticated and encrypted roll-out of IoT nodes. To also enable automated key management without human intervention, the system refrains from using any static secrets usually employed by the hardware vendors – a longstanding point of criticism. Despite our practical choice of a target platform, the idea itself is uniform across such environments given their inherent similarities.


Yang, X. (2017). LoRaWan: Vulnerability analysis and practical exploitation. Delft University of Technology.

PointBlank Security by Steen Harbach AG. (2018). Security for Internet-enabled Products “Made in Germany”. Abgerufen von: https://www.pointblank.de/de/?file=files/assets/downloads/PointBlank-Security_pbTLS_sS2E-Module_Leaflet.pdf

PointBlank Security by Steen Harbach AG. (2018). sS2E Module Manual. Abgerufen von: https://www.pointblank.de/de/?file=files/assets/downloads/MS500_SS2E_MODULE_User_Manual_V1.0.pdf

Gartner Inc. (2013). Magic Quadrant for Cloud Infrastructure as a Service. Abgerufen von: https://web.archive.org/web/20130825054202/http://www.gartner.com/technology/reprints.do?id=1-1IMDMZ5&ct=130819&st=sb

Amazon Web Services. (2018). Getting Started with Amazon FreeRTOS. Abgerufen von: https://aws.amazon.com/freertos/getting-started/

Amazon Web Services. (2018). Amazon FreeRTOS Qualification Program Developer Guide. Abgerufen von: https://d1.awsstatic.com/product-marketing/iot/Amazon-FreeRTOS-Qualification-Program-Developer-Guide-V1.0.0.pdf

Skorobogatov, S. P. (2000). Copy Protection in Modern Microcontrollers. Abgerufen von: https://web.archive.org/web/20190228185532/https://www.cl.cam.ac.uk/~sps32/mcu_lock.html

Fielding, R. T. (2000). Architectural Styles and the Design of Network-based Software Architectures. Abgerufen von: https://web.archive.org/web/20190314180316/https://www.ics.uci.edu/~fielding/pubs/dissertation/top.htm

Skyhigh Networks, Coles, C. (2019). Cloud Market in 2018 and Predictions for 2021. Abgerufen von: https://web.archive.org/web/20190121190318/https://www.skyhighnetworks.com/cloud-security-blog/microsoft-azure-closes-iaas-adoption-gap-with-amazon-aws/

Microsoft Azure, Berdy, N. (2017). Device provisioning: Identity attestation with TPM. Abgerufen von: https://web.archive.org/web/20190316221710/https://azure.microsoft.com/de-de/blog/device-provisioning-identity-attestation-with-tpm/

Bundesamt für Sicherheit in der Infromationstechnik. (2013). Report on Microsoft Windows 8 and TPM. Abgerufen von: https://web.archive.org/web/20160304004000/https:


Nemec, M., Sys, M., Svenda, P., Klinec, D., Matyas, V. (2017). The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli. In ACM Conference on Computer and Communications Security (CCS) 2017. Abgerufen von: https://web.archive.org/web/20171102170138/https://acmccs.github.io/papers/p1631-nemecA.pdf

Microsoft Corporation. (2018). Control access to IoT Hub. Abgerufen von: https://web.archive.org/web/20180921103416/https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-devguide-security

Microsoft Corporation. (2017). Support additional protocols for IoT Hub. Abgerufen von: https://web.archive.org/web/20181208124323/https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-protocol-gateway

Microsoft Corporation. (2017). Provisioning devices with Azure IoT Hub Device Provisioning Server. Abgerufen von: https://web.archive.org/web/20190108164849/https://docs.microsoft.com/en-us/azure/iot-dps/about-iot-dps

Microsoft Corporation. (2017). Conceptual understanding of X.509 CA certificates in the IoT industry. Abgerufen von: https://web.archive.org/web/20190316220629/https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-x509ca-concept

Microsoft Corporation. (2018). Get started with Key Vault certificates. Abgerufen von: https://web.archive.org/web/20190108051426/https://docs.microsoft.com/en-us/azure/sql-database/transparent-data-encryption-byok-azure-sql

Wu, T. (1998). SRP Protocol Design. Abgerufen von: https://web.archive.org/web/20190201161506/http://srp.stanford.edu/design.html

Misra, S., Goswami, S., Taneja, C., Mukherjee, A., Obaidat, M. S. (2015). A PKI adapted model for secure information dissemination in industrial control and automation 6LoWPANs. IEEE Access, 3, 875-889.

Chen, L., Li, J. (2010). A note on the Chen–Morrissey–Smart DAA scheme. Information Processing Letters, 110(12-13), (pp. 485-488).






Hauptbeitrag / Peer-Review

Am häufigsten gelesenen Artikel dieser/dieses Autor/in