TLS client with default certificate

TLS stands for Transport Layer Security. This is a protocol that extends TCP to secure the communication over an untrusted network. Private key 0D in the ECC Secure Element and SpringCard-supplied certificate 0D are intented to authentify the device against a TLS server.

The typicall use case is using the device as an MQTT client, connecting to a MQTT server.

Basically, the MQTT server may authentify the device given only a login/password pair, but this is not the best approach for at least three reasons:

  • The login and password are stored in the device’s NVM (registers MQTT Login and MQTT Password), and anyone with a access to the device is likely to retrieve these values (and possibly forge a ‘clone’ of the device),
  • The login and password shall be declared on the MQTT server for every device, and configured individually into all of them, which becomes a complex commissioning process when a large number of devices are to be deployed,
  • Most cloud services that offer MQTT servers don’t use login/password pair but unforce the use of a private key for client authentication.

The state of the art is to use PKI to authenticate the client against the server. Since the private key is protected within the Secure Element, cloning it to another device is impossible. More than that, the server could easily be configured to accept automatically new clients -provided that they come with a trusted certificate- hence removing most of the complexity of the commissioning process.