Factory Provisioning of Device Identities & Credentials
We can help you securely install identities & other security-critical data onto your devices in a manufacturing setting. Sensitive data is protected all the way to the target device, from the point of generation/ingest through intermediate networks and system elements.
- Comprehensive protection and management of secure device data
- Direct import of device identity data from third-party licensing authorities
- Secure networks, infrastructure, and customer support
- Software SDKs & integration support
- System deployment to factories, service/repair facilities, and distribution centers
At its core, our device identity provisioning solution is a system for securing delivering individualized identity data and credentials to devices being manufactured in a factory. What sets it apart from competing overrings is the value-added advantages it offers:
- comprehensive protection and management of secure device data
- extensive deployment support
- vast expertise in protecting and managing a security-critical infrastructure
We take care of the complementary logistics so you don’t have to.
Comprehensive Protection and Management of Secure Device Data
Many electronics products, such as mobile devices, cable modems, set-top boxes, require pre-installed individualized device identity data and digital certificates to enable security functions. If the secret data that gives devices their unique identities is leaked, rogue devices can be created to impersonate genuine, compliant devices. Data entrusted to such rogue devices, such as commercial entertainment content, can be stolen. To learn more about the importance of digital supply chain security, see our blog post on the subject.
We provide comprehensive and fully managed supply-chain device identity provisioning services with multiple layers of encryption and integrity checks, so that even if any specific network node or encryption layer is compromised, the overall supply-chain security is still intact. All the hardware and software elements of our identity provisioning system are provided by and fully managed by CommScope, whose PKI Center team of experts have experience spanning three decades in end-to-end cryptographic identity provisioning.
Unauthorized duplication (cloning) of device-unique credentials can undermine the effectiveness of device authentication and subscriber authentication. To combat this threat, anti-cloning measures are deployed at every step of the provisioning process, from the time device-unique credentials are generated or acquired all the way through their installation into the target devices. Our system ensures that each set of device credentials is provisioned into a single target device.
Our system has been engineered to provide very high provisioning capacity. Currently it interfaces with hundreds of secure factory servers deployed at 30+ sites across over a dozen countries, with enough capacity to provision 300+ billion sets of device data annually. Capacity can be scaled to support even higher volumes if needed.
- plus others
Storage and processing elements of our credentials generation and import system are housed in a state-of-the-art secure facility protected by multiple layers of physical security controls. Housed inside this facility is a PKI infrastructure, including certificate authorities that undergo annual audits for compliance with WebTrust security requirements. This infrastructure
- generates X.509 certificates used for SSL/TLS, IPsec, DOCSIS cable modems, MediaKind set-top boxes and many more secure interfaces;
- generates proprietary conditional access credentials and unique symmetric keys installed into secure chips; and
- imports credentials from third-party licensing authorities, including DTCP, HDCP, Netflix, Widevine, Marlin and many more.
This provisioning system provides real-time inventory monitoring of identity data sets that are consumed as devices are made. And it can generate standard and customized reports. Our experience has shown that customized reports can be invaluable in troubleshooting manufacturing problems.
Interface to Third-Party Licensing Authorities
Cable modems, as well as electronic devices used for consuming digital entertainment content, often require individualized credentials issued by third-party authorities. Netflix, Widevine, and PlayReady credentials are commonly used to secure video streaming services, such as Netflix, Amazon, Hulu, Disney+, and the like. Cable modems include X.509 certificates under a CableLabs root of trust.
In these cases, CommScope is authorized to either issue security credentials directly under license, or request and import credentials from the licensor on your behalf. Our provisioning system protects third-party-sourced credentials from the time of acquisition all the way through the installation onto your products.
Secure Networks, Infrastructure, and Customer Support
Our device credentials provisioning system is protected by standard network security technologies. This includes multiple layers of security as part of a defense-in-depth strategy, ensuring that the supply-chain process will remain secure if one of the layers should fail.
To protect against unauthorized factory sites, we provide our own managed hardware and software components to harden manufacturing stations in factories. Our system maintains full traceability of provisioning activities to each online and factory server, manufacturing station and target device.
All these security infrastructure and networks are managed by a highly-skilled team of experienced IT security professionals. And we provide 24x7x365 customer support for systems and networks with extensive monitoring capabilities.
Software SDKs & Integration Support
To serve the varied requirements of many device types and security data specifications, our system has been designed to be flexible and extensible. The built-in flexibility and existing integrations can be leveraged to accommodate the requirements of new products – quickly and at low start-up cost.
We provide a software development kit (SDK) to our customers’ supply chain engineering teams, along with USB crypto tokens that secure test stations in factories. In some environments this SDK and token may be susceptible to misuse to install digital credentials into unauthorized products. This is of particular concern with repair facilities operated by third parties rather than the device manufacturer. To defend against these threats, we are introducing fingerprinting of the test stations and the associated management infrastructure. This fingerprinting ensures that the SDK and the crypto token are only usable with the approved test stations.
A second SDK is available for inclusion with your device’s manufacturing test code. This SDK includes support for securely handling, validating, and processing of device keys delivered through the provisioning system. Versions of these two SDKs are available for popular operating systems and programming languages.
System Deployment to Factories, Service/Repair Facilities, and Distribution Centers
A range of deployment options are available to suit your production volume and priorities. For lower production volumes, a fully hosted solution with shared key servers optimizes start-up costs. For high production volumes, a configuration with managed on-site equipment offers high capacity and enhanced resilience against equipment and network malfunctions.
Experience with International Deployment Logistics
We are also experienced in the logistics of international deployments, including the import/export of equipment. Many countries, such as the USA, China, and Mexico, have very specific and stringent regulations on the import/export of hardware and software. Our experience in this area helps avoid customs issues and other surprises.
Visit our blog on end-to-end supply chain security.
To learn more about our secure device identity provisioning solutions, please see our whitepaper.