External entropy supply for IoT devices employing a RISC-V Trusted Execution Environment
Arttu Paju, Juha Nurmi, Alejandro Cabrera Aldaya, Nicola Tuveri, Juha Savimäki, Marko Kivikangas, and Brian McGillion

TL;DR
This paper presents a trusted external entropy provisioning system for IoT devices using RISC-V TEEs, enabling secure cryptographic key generation despite limited local entropy sources.
Contribution
It introduces a novel RISC-V based external entropy service for IoT devices, enhancing security by providing cryptographically strong entropy from a trusted source.
Findings
Feasible and effective entropy provisioning on open RISC-V platforms.
Secure communication established with minimal initial entropy.
Expandable system with sensor-based entropy sources.
Abstract
Entropy--a measure of randomness--is compulsory for the generation of secure cryptographic keys; however, Internet of Things (IoT) devices that are small or constrained often struggle to collect sufficient entropy. In this article, we solve the entropy provisioning problem for a fleet of IoT devices that can generate a limited amount of entropy. We employ a Trusted Execution Environment (TEE) based on RISC-V to create an external entropy service for a fleet of IoT devices. A small measure of true entropy or pre-installed keys can establish initial secure communication. Once connected, devices can request cryptographically strong entropy from a TEE-backed server. RISC-V offers True Random Number Generators (TRNGs) and a TEE for devices to attest that they are receiving reliable entropy. In addition, this solution can be expanded by adding IoT devices with sensors that produce…
Taxonomy
Topics: Security and Verification in Computing · Chaos-based Image/Signal Encryption · Cryptographic Implementations and Security
