Security platform

Secure Facility

Cryptera’s services for secure provisioning of IoT devices make use of our own Visa approved secure facility for device provisioning and key loading. The secure facility is located on-site at Cryptera in Denmark and is continuously audited to ensure a payment industry level of security. It is equipped with Hardware Security Modules (HSMs) and powered by the Cryptera Secure Provisioning System (SPS).

Provisioning Service

Cryptera offers provisioning services which loads firmware and establishes “root-of-trust” in every device. It then adds cryptographic keys and certificates, which can later be used to secure device identification, communication and device updates.

Remote clients can be linked to the Cryptera SPS. The SPS clients will establish a secure link between the HSM at Cryptera and the device being provisioned. This means that you can directly integrate provisioning of your IoT devices at your production site of choice, without compromising security.

Boot Loaders

Cryptera offers boot loader components to establish “root-of-trust”. The boot loader is securely loaded on the chip and will verify the integrity and origin of firmware applications started on the device. Applications will only execute if the signature is correct.

IP & Firmware protection

To protect your intellectual property against theft and reverse-engineering of your firmware, we also encrypt your firmware application and transfer it securely to the device. The Cryptera boot loader is then able to verify and decrypt the firmware.

Additionally, we can make use of chip specific security measures to enhance the protection of the running firmware and applications on your IoT device. Furthermore, during production, we protect against overproduction of your devices.

CA Services

Cryptera offers a CA service, which can handle issuing and loading of digital certificates (x.509) on every device. This provides your devices with the ability to communicate securely and enables your backend services, e.g. cloud services, to verify the identity of the devices you have deployed before trusting them. We offer to load both certificates issued by public CAs, where the root certificate is available in common trust stores, but we can also issue certificates under a private PKI, with a Cryptera trust anchor. This is backed by HSMs located in our secure facility. Both options come with their own advantages enabling us to tailor the solution to your needs.

Key Management Services

Cryptera can securely handle keys in our secure facility according to the customer’s needs. The keys are imported using split knowledge/dual control principles or encrypted depending on the setup agreed.

Key values can be loaded directly into devices during provisioning or exported as encrypted key blocks for loading later, when the device is operational in the field.

HSM services & HW solutions

Customer keys imported by Cryptera are stored in HSMs in our secure facility. We operate several types of HSMs, among these, HSM that we ourselves produce as an OEM.

The Cryptera SPS consists of a secure backend and physical provisioning clients, which are installed in the customer premises. The remote setup consist of a small PC running the provisioning application, a fingerprint reader, USB hub and Security Tokens used for verification of the operators.

With years of experience in producing secure devices protected against physical attackers, we know the challenges of producing secure devices.

Compliance and certification

Our Secure Provisioning System (SPS) is used to load keys in our own secure devices used in the payment industry, and is therefore approved by Visa. We continuously ensure that the facility is compliant with PCI (Payment Card Industry) regulations and this means that our IoT offering is able to benefit from the same level of security.

Several security standards within the IoT space are currently emerging and some slowly converging. We follow this development closely, and find that our PCI level security is a great foundation in this case.