To connect to Mbed Cloud, each IoT device must have a unique cryptographic credential. Mbed Cloud uses this credential to authenticate the device, to derive session encryption keys and to authorize the device's access to the various system services. The credential must be stored securely: it protects the data that moves between the device and the server, and it protects the Mbed Cloud device management service itself from unauthorized access.
The device's private keys, certificates and firmware validation keys are kept in protected storage implemented by Mbed Cloud Client. Protected storage can secure this data in internal or external non-volatile memory, anchored to a root of trust in the device. For increased security, the root of trust can use the TrustZone capabilities of Arm processors.
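As an added illustration of what protected storage provides (example code written for this page, not Mbed Cloud Client's storage implementation or on-flash format), the Go program below wraps a credential for placement in untrusted non-volatile memory. It assumes a device-unique root-of-trust secret, `rotSecret`, which is a constructed value here; on a real device it would stay inside the secure element or on the TrustZone side. A separate storage key is derived from it with HMAC-SHA-256 and the credential is sealed with AES-GCM, with the item name bound as associated data. The names `storageKey`, `Seal` and `Open` are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// rotSecret stands in for a device-unique root-of-trust secret. It is a constructed
// value for this example; on a real device it would stay inside the secure element or
// the TrustZone side and never be written to ordinary non-volatile memory.
var rotSecret = []byte("example-root-of-trust-secret-32b")

// storageKey derives a purpose-specific key from the root of trust with HMAC-SHA-256,
// so the root-of-trust secret itself is never used as a cipher key or stored anywhere.
func storageKey(rot []byte, purpose string) []byte {
	m := hmac.New(sha256.New, rot)
	m.Write([]byte(purpose))
	return m.Sum(nil) // 32 bytes, used as an AES-256 key
}

func gcm(rot []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(storageKey(rot, "credential-storage-v1"))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal wraps a credential for placement in untrusted NVM as nonce || AES-GCM ciphertext.
// The item name is bound as associated data so a blob cannot be moved to another slot.
func Seal(rot []byte, name string, plaintext []byte) ([]byte, error) {
	g, err := gcm(rot)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open unwraps a blob produced by Seal. Any change to the blob, the item name or the
// root of trust makes the GCM tag check fail, so tampering is detected rather than
// yielding garbage key material.
func Open(rot []byte, name string, blob []byte) ([]byte, error) {
	g, err := gcm(rot)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize()+g.Overhead() {
		return nil, errors.New("protected storage: blob too short")
	}
	ns := g.NonceSize()
	return g.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

func main() {
	// A constructed stand-in for a DER-encoded device private key.
	key := []byte("constructed-device-private-key-bytes")
	blob, err := Seal(rotSecret, "device-private-key", key)
	if err != nil {
		panic(err)
	}
	got, err := Open(rotSecret, "device-private-key", blob)
	fmt.Printf("round trip ok: %v\n", err == nil && string(got) == string(key))
	blob[len(blob)-1] ^= 0x01 // flip one ciphertext bit: NVM corruption or tampering
	_, err = Open(rotSecret, "device-private-key", blob)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)
}
```

The point of the example is the boundary it draws: the bytes that land in flash are useless without the root-of-trust secret, and a blob that has been modified, moved to a different slot or copied to another device fails authentication instead of decrypting to something plausible. Whatever memory holds the blob, the stored credentials are only as well protected as the root of trust that guards `rotSecret`.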
Each IoT device must be configured with the correct server and connection parameters so that it can identify, connect to and authenticate the Mbed Cloud server. Mbed Cloud Provision supports industry-standard X.509 certificates. The certificates are used for mutual authentication and to establish encrypted DTLS or TLS sessions between devices and the Mbed Cloud server.
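The mutual authentication described above, as an added example (example code written for this page, not Mbed Cloud Client or Mbed Cloud server code): a loopback TLS server standing in for the Mbed Cloud server requires and verifies a client certificate that chains to the provisioning CA, and the device pins that same CA for verifying the server. All certificates, names (`example-cloud-ca`, `cloud.example`, `device-0001`, `rogue-ca`) and the functions `newCert`, `handshake` and `Scenario` are constructed for the example, and Go's crypto/tls stands in for mbed TLS and DTLS so that the exchange runs stand-alone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type pki struct { // one generated key pair plus its certificate, built in memory for this example
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	cred tls.Certificate // the same key and certificate in the form crypto/tls expects
}

func check(err error) { // setup failures (broken RNG, bad template) are fatal here
	if err != nil {
		panic(err)
	}
}

// newCert makes a P-256 key pair and a certificate: a self-signed CA if parent is nil, else a leaf signed by parent (device, or server if set).
func newCert(cn string, serial int64, parent *pki, server bool) *pki {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), // must be unique per certificate under one issuer
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // CA: signs itself
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent = &pki{cert: tmpl, key: key}
	} else if server {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &pki{cert, key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}}
}

// handshake runs one TLS connection over loopback; it returns the device CN the server accepted, or the refusing side's error.
func handshake(serverCfg, clientCfg *tls.Config) (cn string, err error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	check(err)
	defer ln.Close()
	serverErr := make(chan error, 1)
	go func() { // server side: accept one connection and authenticate the device
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			if err = conn.(*tls.Conn).Handshake(); err == nil {
				cn = conn.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName
			}
		}
		serverErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg) // device side
	if err == nil {
		conn.Read(make([]byte, 1)) // TLS 1.3: the client is done before the server has checked its cert, so wait for the verdict
		conn.Close()
	}
	if serr := <-serverErr; err == nil {
		err = serr
	}
	return cn, err
}

// Scenario connects a properly issued device, then a device presenting the same name on a certificate from an unrelated CA.
func Scenario() (acceptedCN string, rogueErr error) {
	cloudCA := newCert("example-cloud-ca", 1, nil, false)
	trusted := x509.NewCertPool() // the only issuer either side will accept
	trusted.AddCert(cloudCA.cert)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{newCert("cloud.example", 2, cloudCA, true).cred},
		ClientAuth:   tls.RequireAndVerifyClientCert, // mutual authentication: no valid device cert, no session
		ClientCAs:    trusted,
	}
	deviceCfg := func(dev *pki) *tls.Config { // pin the cloud CA instead of trusting the system store
		return &tls.Config{Certificates: []tls.Certificate{dev.cred}, RootCAs: trusted, ServerName: "cloud.example"}
	}
	acceptedCN, err := handshake(serverCfg, deviceCfg(newCert("device-0001", 3, cloudCA, false)))
	check(err)
	_, rogueErr = handshake(serverCfg, deviceCfg(newCert("device-0001", 3, newCert("rogue-ca", 1, nil, false), false)))
	return acceptedCN, rogueErr
}

func main() {
	cn, rogueErr := Scenario()
	fmt.Printf("accepted device %q; rogue device rejected: %v\n", cn, rogueErr)
}
```

The second handshake in `Scenario` is the failure mode worth checking on a real deployment: the rogue device presents the same name, but its certificate was not issued by the trusted CA, so the server refuses the session before any application data flows. The device side matters just as much: `RootCAs` is pinned to the provisioning CA because a device that trusts the public system roots instead would accept any publicly trusted certificate as its server.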