Asymmetric Attestation Protocol for Constrained IoT Devices

Master Thesis (2025)
Author(s)

N. SKARTSILAS (TU Delft - Electrical Engineering, Mathematics and Computer Science)

Contributor(s)

M. Taouil – Mentor (TU Delft - Computer Engineering)

K.G. Langendoen – Graduation committee member (TU Delft - Embedded Systems)

Faculty
Electrical Engineering, Mathematics and Computer Science
Publication Year
2025
Language
English
Graduation Date
17-12-2025
Awarding Institution
Delft University of Technology
Programme
Electrical Engineering | Embedded Systems
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

The evolution of computing systems, particularly in the Internet of Things (IoT), has emphasized openness to support innovation, but this same openness introduces critical security challenges. Modern cyber-attacks are increasingly sophisticated and persistent, exposing the limitations of traditional software-only defenses. IoT devices, often deployed in hostile environments and subject to stringent constraints in power, memory, and cost, lack the robust security mechanisms required for trust and resilience, especially as the demand for remote software updates grows.

To address these challenges, this thesis proposes a scalable and cost-effective security architecture that supports hardware-rooted identity, remote attestation, and secure device updates for resource-constrained embedded devices. The design is grounded in modest hardware assumptions compatible with commercial IoT platforms. A statistically unique, device-specific secret anchors the root of trust, enabling verifiable software identity throughout the device lifecycle. Building on the Device Identifier Composition Engine (DICE) standard, an asymmetric attestation protocol is developed specifically for constrained environments.

The architecture is validated through a prototype implementation on an STM32 microcontroller, demonstrating secure remote attestation via server communication. Performance measurements, including clock cycles and memory utilization, alongside a structured security analysis offer insight into the feasibility and resilience of the proposed solution. This work contributes to the advancement of DICE-based architectures by providing a practical and secure framework for verifying software execution in trusted IoT devices.
