After the acquisition of an environment monitoring infrastructure from a local operator, you need to integrate hundreds of their field devices into your company's IoT infrastructure.
Most of the devices use X.509 authentication but there are some device types that are secured with TPM modules.
After all the devices have been transferred to your ownership, you need to ensure that the previous owner won't have any access to the devices.
You decide to re-generate the storage root keys of the devices.
Is that the action you should take?
Click on the arrows to vote for the correct answer
A. B.Correct Answer: A.
Option A is CORRECT because it is the storage root key (SRK) that is used to identify the owner of the device.
It works like a password that can be (and should be) changed when a TPM device is transferred to a new owner.
The new owner can take ownership of the TPM by generating a new SRK, thus ensuring that the previous owner can't use the TPM.
Option B is incorrect because changing (re-generating) the device's SRK is the recommended way of preventing the previous owner from accessing the device any longer.
Reference:
The action of re-generating the storage root keys of the devices is a good security practice to ensure that the previous owner of the devices cannot access them after they have been transferred to your ownership. Therefore, the answer is A. Yes, this is the action you should take.
When a device is manufactured, it is assigned a unique identity that is used to authenticate and authorize access to the device. This identity is stored in a hardware-based security module, such as a Trusted Platform Module (TPM), or in software-based storage, such as an X.509 certificate. The identity is protected by a storage root key, which is used to sign and encrypt the device identity and other security-related data.
Regenerating the storage root keys of the devices will invalidate the previous owner's access to the devices, as they will no longer have the correct keys to authenticate and access the devices. This will also prevent any unauthorized access to the devices, as only the new owner will have the new storage root keys.
It is important to note that regenerating the storage root keys will require re-provisioning of the devices, which may require significant effort and time. Additionally, if the devices are using X.509 authentication, the new root certificate will need to be distributed to all devices, which can be a complex process in large-scale IoT deployments.
In summary, re-generating the storage root keys of the devices is a good security practice to ensure that the previous owner cannot access the devices after they have been transferred to your ownership. However, it should be considered as a complex and time-consuming process that requires proper planning and execution.