The project is intended to demonstrate the Pod IoT security solution, the SAFE2 applet, with the simplest IoT module: the Arduino Nano.
The SAFE2 applet is based on the expansion of the GSMA IoT SAFE idea. The applet is intended for extremely low cost and constrained IoT devices to provide secure delivery of telemetry data to the data server.
IoT SAFE
The IoT SAFE applet was introduced by the GSMA on December 3, 2019. It is intended to simplify IoT solutions and to provide secure storage for cryptographic keys and a secure environment in which to execute cryptographic functions for the TLS protocol.
IoT SAFE is a kind of security library which runs in a protected environment. Such a model implies a complex architecture for the IoT Application, which may include a TLS layer, middleware and the Security Element (SIM) with the IoT SAFE applet.
The TLS Layer is responsible for the TLS handshake and protocol handling. The IoT SAFE Middleware is responsible for transferring commands from the TLS Layer to the IoT SAFE applet. The IoT SAFE applet is responsible for executing the cryptographic operations.
SAFE2
The Pod SAFE2 solution was developed to simplify data delivery from the SIM to a server. It includes not only the cryptography library but also a TLS 1.3 protocol implementation based on the SIM Toolkit functionality.
It significantly simplifies the interface between a data gathering application (for example IoT telemetry) and the SAFE2 applet.
An external application needs only to pass the data which shall be sent to the server.
The TLS Layer in the IoT Application is not required anymore as it is already implemented by the Pod SAFE2 applet.
The SIM is responsible for all the protocol steps, including domain name resolution and repeating attempts until the message is delivered to the server.
To send data via the SAFE2 applet, the Device Application shall send specific commands to the SIM through the Modem Middleware, using the AT command for full SIM access, namely “AT+CSIM”.
First, a supplementary logical channel must be opened (so as not to interfere with the GSM session between the modem and the SIM in the base channel). Then the applet must be selected in the new channel, and the data shall be sent to the applet in the same channel. Finally, the channel shall be closed so that it can be reused.
The AT+CSIM commands must encode the following APDU commands to the SIM according to ISO/IEC 7816-4:
- MANAGE CHANNEL (Open);
- SELECT (by name);
- PUT DATA with proprietary tag ‘c1’;
- MANAGE CHANNEL (Close).
On receiving the PUT DATA command with application data, the SAFE2 applet creates a sending job. The job contains address info and application data. The applet retries the job until it succeeds. Currently, for each job the server name is resolved if necessary and a TLS 1.3 session is established with the Pre-Shared Key stored in the SIM.
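The command sequence above can be built and checked as follows. This is an added example, not code from the project's sketch: the function names are hypothetical, the AID bytes and the P1/P2 values are copied from the execution log on this page, and limiting CLA to channels 0..3 is an assumption of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Applet AID as it appears in the SELECT command of the page's execution log. */
static const uint8_t SAFE2_AID[12] = {0xF0,0x70,0x6F,0x64,0x67,0x73,0x61,0x66,0x65,0x32,0x01,0x01};
enum { INS_MANAGE_CHANNEL = 0x70, INS_SELECT = 0xA4, INS_PUT_DATA = 0xDA };

/* Build an AT+CSIM line for header CLA INS P1 P2 P3 plus optional data.
 * cla carries the logical channel (0 = base, 1..3 = supplementary); with
 * data == NULL, p3 is sent as the bare fifth byte. Returns 0 on success. */
int build_csim(char *out, size_t cap, uint8_t cla, uint8_t ins, uint8_t p1,
               uint8_t p2, const uint8_t *data, uint8_t p3)
{
    size_t nbytes = 5 + (data ? p3 : 0);
    if (cla > 3 || cap < 16 + 2 * nbytes) return -1;   /* assumed channel limit */
    int n = snprintf(out, cap, "at+csim=%u,\"%02X%02X%02X%02X%02X",
                     (unsigned)(2 * nbytes), cla, ins, p1, p2, p3);
    for (size_t i = 0; data && i < p3; i++)
        n += snprintf(out + n, cap - (size_t)n, "%02X", data[i]);
    snprintf(out + n, cap - (size_t)n, "\"");
    return 0;
}

static int nib(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                          /* fold to lower case */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Parse '+CSIM: <len>,"<hex>"'. Copies the bytes before the status word
 * into data[] and returns SW1SW2 (0x9000 = success), or 0 if malformed. */
unsigned parse_csim(const char *line, uint8_t *data, size_t cap, size_t *dlen)
{
    unsigned len = 0, sw = 0;
    int off = 0;
    if (sscanf(line, "+CSIM: %u,\"%n", &len, &off) != 1 || off == 0) return 0;
    const char *hex = line + off;
    if (len < 4 || len % 2 || strlen(hex) < (size_t)len + 1 || hex[len] != '"') return 0;
    size_t n = len / 2 - 2;
    if (n > cap) return 0;
    for (size_t i = 0; i < len / 2; i++) {
        int hi = nib(hex[2 * i]), lo = nib(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return 0;
        if (i < n) data[i] = (uint8_t)(hi << 4 | lo);
        else sw = sw << 8 | (unsigned)(hi << 4 | lo);
    }
    *dlen = n;
    return sw;
}
```

A caller should take the channel number from the MANAGE CHANNEL response rather than hard-coding it, treat any status word other than 0x9000 as a failure, and still send MANAGE CHANNEL (Close) so the channel is released.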
Execution Log
Below is a typical execution log of the Demo Sketch. The first part is the modem setup: waiting for network registration and for the GSM-related processes in the modem to finish. The next part, Device ID registration, completes the setup. The last part provides data to the applet.
15:35:05.588 -> nano started!
15:35:06.589 -> put 'at'
15:35:06.988 -> put 'at'
15:35:07.389 -> put 'at'
15:35:07.789 -> put 'at'
15:35:08.189 -> put 'at'
15:35:08.589 -> put 'at'
15:35:08.988 -> put 'at'
15:35:09.387 -> put 'at'
15:35:09.787 -> put 'at'
15:35:10.186 -> put 'at'
15:35:10.286 -> at
15:35:10.319 -> OK
15:35:10.386 ->
15:35:10.386 -> +CFUN: 1
15:35:10.485 ->
15:35:10.519 -> +CPIN: READY
15:35:10.651 ->
15:35:10.685 -> SMS Ready
15:35:11.581 -> put 'at+creg?'
15:35:11.581 -> 0:2
15:35:11.581 -> cntr: 0
15:35:13.074 -> put 'at+creg?'
15:35:13.074 -> 0:2
15:35:13.074 -> cntr: 0
15:35:14.600 -> put 'at+creg?'
15:35:14.600 -> 0:5
15:35:14.600 -> cntr: 1
15:35:16.093 -> put 'at+creg?'
15:35:16.093 -> 0:5
15:35:16.093 -> cntr: 2
15:35:17.587 -> put 'at+creg?'
15:35:17.587 -> 0:5
15:35:17.587 -> cntr: 3
15:35:19.080 -> put 'at+creg?'
15:35:19.113 -> 0:5
15:35:19.113 -> cntr: 4
15:35:20.606 -> put 'at+creg?'
15:35:20.606 -> 0:5
15:35:20.606 -> cntr: 5
15:35:22.099 -> put 'at+creg?'
15:35:22.099 -> 0:5
15:35:22.099 -> cntr: 6
15:35:23.592 -> put 'at+creg?'
15:35:23.625 -> 0:5
15:35:23.625 -> cntr: 7
15:35:24.621 -> setup finished
15:35:24.621 -> at+csim=10,"0070000001"
15:35:24.621 -> +CSIM: 6,"019000"
15:35:24.621 ->
15:35:24.621 -> OK
15:35:24.654 -> at+csim=34,"01A404000CF0706F646773616665320101"
15:35:24.654 -> +CSIM: 4,"9000"
15:35:24.654 ->
15:35:24.654 -> OK
15:35:24.787 -> at+csim=30,"01DA02C00A51523143572089723526"
15:35:24.787 -> +CSIM: 4,"9000"
15:35:24.787 ->
15:35:24.787 -> OK
15:35:24.820 -> at+csim=10,"0070800100"
15:35:24.820 -> +CSIM: 4,"9000"
15:35:24.820 ->
15:35:24.820 -> OK
15:35:24.820 -> Set DeviceID: OK
15:35:24.821 -> Humidity: 40
15:35:24.821 -> Temperature: 25
15:35:24.821 ->
15:35:24.821 -> HT data:00280019
15:35:24.821 -> at+csim=10,"0070000001"
15:35:24.821 -> +CSIM: 6,"019000"
15:35:24.821 ->
15:35:24.821 -> OK
15:35:24.854 -> at+csim=34,"01A404000CF0706F646773616665320101"
15:35:24.854 -> +CSIM: 4,"9000"
15:35:24.854 ->
15:35:24.854 -> OK
15:35:25.650 -> at+csim=18,"01DA02C10400280019"
15:35:25.650 -> +CSIM: 4,"9000"
15:35:25.650 ->
15:35:25.650 -> OK
15:35:25.650 -> at+csim=10,"0070800100"
15:35:25.650 -> +CSIM: 4,"9000"
15:35:25.650 ->
15:35:25.650 -> OK
Data Stored
Now we can check the stored data by sending an HTTPS query to the server. The server responded with the data below.
[
  {
    "sim_attribute_update_id": 11,
    "iccid": "894450250918638963",
    "deviceid": "51523143572089723526",
    "createdAt": "2020-10-01",
    "updatedAt": "2020-10-01",
    "sim_attributes": [
      {
        "id": 5,
        "sim_attribute_update_id": 11,
        "key": "data",
        "value": "00280019",
        "createdAt": "2020-10-01",
        "updatedAt": "2020-10-01"
      }
    ]
  }
]