The default solution seems to use an ATECC508A or similar as secure storage for encryption keys. One of the issues I see with this is that the availability of these chips is not that great, so I would guess there are other models that are used for professional use-cases?
While I was thinking about this, I remembered that smartcards are mainly used to do the exact same thing, not to mention that most of the devices deployed in the field already have a SIM used for internet. Theoretically we should be able to use at the very least the key that the SIM uses to authenticate with the cellular tower; an even better thing would be to be able to deploy your custom key, but I guess this highly depends on the model of SIM your operator uses.
The great thing about such a solution is that it's extremely easy to implement, both from a development standpoint (as all SIMs should follow the same AT command standard) and in terms of hardware.
Maybe someone has already tried to do this with Nerves? It would be really interesting to hear more about this.
I think this is an interesting idea. I looked into doing something like this during the supply chain shortages 4-5 years ago. I must have missed the AT commands or you have a different modem that has better commands. We were able to acquire ATECC parts, so we abandoned the investigation. If you have a PoC of doing this, I’d be super curious to see how you did it. I don’t think the Nerves part of this will be an issue.
I have worked with other kinds of smartcards before, the ones used by truck drivers in Europe, so I am not entirely sure about the capabilities of current SIMs. Those cards follow the ISO standard for data signature and challenges, and I'm more than positive that this is a convention widely used by all other vendors too.
I have never used a modem for this before (I am actually thinking now about buying a few models to play around with them), but as long as your modem supports the APDU protocol used for issuing commands to a smartcard, you are good to go. At work, we were using USB smartcard readers; those are extremely easy to work with from your computer.
Once I get the hardware, I will definitely give it a try, as I plan on deploying a few RPi Zero 2 W boards, and while I don't care about encrypting the firmware, I don't want anybody acquiring the keys used for authentication for firmware download from NervesHub. I will definitely share my findings!
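Two posts in this thread touch on the same mechanism: the first says every SIM should answer to the same AT commands, and the later one says the modem only needs to pass APDUs through to the card. The glue between those two statements is the AT+CSIM command from 3GPP TS 27.007, which carries a hex-encoded ISO 7816-4 APDU to the card and returns the card's response (data plus the two status-word bytes) as a hex string. The following is an added example, not code from any post in this thread or from Nerves; it frames an APDU into an AT+CSIM line, parses a constructed +CSIM reply, classifies the status words a practitioner will actually meet, and shows the GET RESPONSE follow-up needed when the card signals 0x61xx. No serial port is opened; the modem replies below are constructed strings, and the helper names are this example's own.

```python
"""Framing ISO 7816-4 APDUs inside AT+CSIM (3GPP TS 27.007) and checking the reply.

Added illustration for the thread above; no real modem is driven here. The
+CSIM lines fed to parse_csim_response() are constructed sample responses.
"""
from dataclasses import dataclass
from typing import Optional


def build_apdu(cla: int, ins: int, p1: int, p2: int,
               data: bytes = b"", le: Optional[int] = None) -> bytes:
    """Short-form case 1-4 APDU: CLA INS P1 P2 [Lc data] [Le]."""
    if len(data) > 255:
        raise ValueError("short APDU carries at most 255 data bytes")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data        # Lc followed by the data field
    if le is not None:
        apdu += bytes([le & 0xFF])               # Le; 0x00 means "up to 256"
    return apdu


def csim_command(apdu: bytes) -> str:
    """AT+CSIM=<length>,"<hex>": <length> counts hex characters, not bytes."""
    hexstr = apdu.hex().upper()
    return f'AT+CSIM={len(hexstr)},"{hexstr}"'


@dataclass
class CsimResponse:
    data: bytes   # response data field, may be empty
    sw1: int      # status word byte 1
    sw2: int      # status word byte 2

    @property
    def sw(self) -> int:
        return (self.sw1 << 8) | self.sw2

    @property
    def ok(self) -> bool:
        return self.sw == 0x9000

    @property
    def more_data(self) -> Optional[int]:
        """0x61xx: the card still holds xx bytes, fetch them with GET RESPONSE."""
        return self.sw2 if self.sw1 == 0x61 else None


def parse_csim_response(line: str) -> CsimResponse:
    """Parse one '+CSIM: <length>,"<hex>"' line and split off SW1 SW2."""
    line = line.strip()
    prefix = "+CSIM:"
    if not line.startswith(prefix):
        raise ValueError(f"not a +CSIM response: {line!r}")
    length_str, hexpart = line[len(prefix):].split(",", 1)
    hexstr = hexpart.strip().strip('"')
    if int(length_str) != len(hexstr):
        raise ValueError("declared length does not match payload length")
    raw = bytes.fromhex(hexstr)
    if len(raw) < 2:
        raise ValueError("response shorter than the two status-word bytes")
    return CsimResponse(data=raw[:-2], sw1=raw[-2], sw2=raw[-1])


# Status words from ISO 7816-4 that come up most when talking to a UICC.
STATUS_WORDS = {
    0x9000: "success",
    0x6982: "security status not satisfied (PIN/authentication needed)",
    0x6A82: "file or application not found",
    0x6A86: "incorrect P1/P2",
    0x6D00: "instruction not supported",
    0x6E00: "class not supported",
}


def describe_status(sw: int) -> str:
    if sw >> 8 == 0x61:
        return f"success, {sw & 0xFF} more bytes available via GET RESPONSE"
    if sw >> 8 == 0x6C:
        return f"wrong Le, card expects Le={sw & 0xFF}"
    return STATUS_WORDS.get(sw, f"unknown status 0x{sw:04X}")


def next_command(resp: CsimResponse) -> Optional[str]:
    """If the card reported 0x61xx, return the GET RESPONSE (INS 0xC0) to send."""
    if resp.more_data is None:
        return None
    return csim_command(build_apdu(0x00, 0xC0, 0x00, 0x00, le=resp.more_data))


if __name__ == "__main__":
    # SELECT the master file (3F00) by file identifier, CLA 0x00, INS 0xA4.
    select_mf = build_apdu(0x00, 0xA4, 0x00, 0x00, bytes.fromhex("3F00"))
    print(csim_command(select_mf))                    # AT+CSIM=14,"00A40000023F00"
    for sample in ('+CSIM: 4,"9000"', '+CSIM: 4,"6119"', '+CSIM: 4,"6A82"'):
        r = parse_csim_response(sample)               # constructed modem replies
        print(sample, "->", describe_status(r.sw), "| follow-up:", next_command(r))
```

The length field is the one detail that trips people up: TS 27.007 defines it as the number of characters in the hex string, so a 7-byte APDU is sent as `AT+CSIM=14,...`, and the parser above rejects a reply whose declared length disagrees with its payload rather than silently trusting either value. A 0x61xx status is not an error; it is the T=0 convention for "I have data for you", and the GET RESPONSE round-trip in `next_command` is what a driver has to perform before it can look at the file or challenge result it asked for.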