Features & Limitations

A look into what the 1NCE SIM-as-an-Identity Service can and cannot do.

Features

The SIM-as-an-Identity Solution is part of the 1NCE IoT Connectivity Suite and gives customers seamless, fully automated device onboarding for AWS IoT Core (other platforms will follow).

Customers who want to use this solution need an active AWS Account connection in the 1NCE Customer portal. Detailed steps for setting up and connecting an AWS Account can be found in the 1NCE Rules Engine section.

The Service creates and configures each Device in AWS IoT Core, using the 1NCE ICCID as the ThingName in AWS and a default Policy that allows devices to connect only to a device-specific topic. A full example of the Policy used can be found below in the References. All Things are onboarded using the AWS Root CA.
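To show what confining a device to its own ThingName means in practice, the following added example (not the 1NCE default Policy and not 1NCE code) evaluates a constructed AWS IoT policy that uses the `${iot:Connection.Thing.ThingName}` policy variable. The topic layout `<ThingName>/*`, the region, the account ID and the ICCIDs are assumptions, and the evaluator is a simplified model of policy matching, not the AWS implementation.

```python
import re

# Constructed policy for illustration; NOT the 1NCE default policy. The topic
# layout (<ThingName>/*), region and account id are assumptions.
ARN = "arn:aws:iot:eu-central-1:123456789012"
THING = "${iot:Connection.Thing.ThingName}"  # AWS IoT thing policy variable
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Connect"],
         "Resource": [f"{ARN}:client/{THING}"]},
        {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
         "Resource": [f"{ARN}:topic/{THING}/*"]},
        {"Effect": "Allow", "Action": ["iot:Subscribe"],
         "Resource": [f"{ARN}:topicfilter/{THING}/*"]},
    ],
}


def _matches(pattern: str, value: str) -> bool:
    """Match a pattern in which '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_allowed(policy: dict, thing_name: str, action: str, resource: str) -> bool:
    """Simplified evaluation: default deny, an explicit Deny overrides Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        resources = [r.replace(THING, thing_name) for r in stmt["Resource"]]
        if (any(_matches(a, action) for a in stmt["Action"])
                and any(_matches(r, resource) for r in resources)):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def audit(policy: dict, own: str, other: str) -> dict:
    """Requests made by device `own`; only the first two should be allowed."""
    ask = lambda action, res: is_allowed(policy, own, action, f"{ARN}:{res}")
    return {
        "connect_as_self": ask("iot:Connect", f"client/{own}"),
        "publish_own_topic": ask("iot:Publish", f"topic/{own}/telemetry"),
        "connect_as_other": ask("iot:Connect", f"client/{other}"),
        "publish_other_topic": ask("iot:Publish", f"topic/{other}/telemetry"),
        "subscribe_all": ask("iot:Subscribe", "topicfilter/#"),
    }
```

Running `audit` against a policy you have customised is a quick way to confirm that a widened `Resource` has not let one device reach another device's topics.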

The following picture shows a high-level flow of the Onboarding Flow:

Security

Security is the highest focus for our Onboarding Service. Therefore, we paired the regular AWS IoT Core authentication using an X.509 certificate with our 1NCE SIM Card.

X.509 certificates provide AWS IoT with the ability to authenticate client and device connections. Client certificates must be registered with AWS IoT before a client can communicate with AWS IoT. A client certificate can be registered in multiple AWS accounts in the same AWS Region to facilitate moving devices between your AWS accounts in the same region. More details are available at https://docs.aws.amazon.com/iot/latest/developerguide/x509-client-certs.html

The 1NCE Onboarding Service takes care of this certificate generation and integration on AWS IoT. The X.509 certificate generated by AWS IoT is transmitted to the device during the onboarding. 1NCE ensures that each X.509 certificate can only be used in combination with a specific IoT Device by leveraging the 1NCE SIM as a secure element and using the 1NCE Core Network identity.

Each SIM Card is authenticated by our Core Network using unique identifiers like IMSI, MSISDN and IMEI (if the IMEI Lock is activated by the customer). Additionally, we use the static private IP addresses assigned in our Core Network to identify and check each data packet processed by the 1NCE IoT Connectivity Suite to validate the authentication of the device.

Limits

Server Authentication

During the onboarding process, the required certificates are exchanged between the IoT device and the AWS IoT Core. As this takes place through a secured connection, the IoT client with the 1NCE SIM must trust the Connectivity Suite Server CA. The CA is issued by AWS, so the IoT device needs to trust the AWS Root CA(s). Some devices might struggle to validate the CA, returning a connection refused error and failing to connect to the 1NCE Onboarding/AWS IoT service. Additional setup steps might be needed for an IoT device to validate the AWS CA successfully. Please refer to AWS Server Authentication CA for more information.

