Francesco Virga
IoT devices identification and implicit attestation.
Supervisors: Diana Gratiela Berbecaru, Silvia Sisinni. Politecnico di Torino, Master's degree programme in Ingegneria Informatica (Computer Engineering), 2025
PDF (Tesi_di_laurea) - Thesis (1MB)
Access restricted to: staff users only until 12 December 2028 (embargo date). License: Creative Commons Attribution Non-commercial No Derivatives.
Abstract:

The increasing adoption of Internet of Things (IoT) devices has raised serious concerns about their security, particularly given the limited hardware resources available on many of these devices. Hardware-based Roots of Trust (RoT) like TPM 2.0 offer strong security guarantees but are often unsuitable for small IoT devices due to space, cost, and computational constraints. This thesis explores the use of MARS (Modular Architecture for Root of Trust Security), a lightweight, flexible RoT designed to operate without requiring a discrete chip or specialized processor modes. MARS can be implemented in various ways, including as a hardware state machine within a microcontroller, as silicon IP, via FPGA, or as software running on trusted adjunct processors or in protected execution environments. In this work, a practical use case was developed in which a sensor communicates with a message broker using the MQTT protocol over a TLS-PSK secured channel. The use of pre-shared keys, derived from a MARS attestation key representing the device's cryptographic identity, allows the system to avoid asymmetric cryptography, which is often too computationally expensive for the targeted hardware. The result is a static attestation of the sensor's initial mutable code, effectively establishing the beginning of a trust chain for the device. This approach demonstrates that a small IoT device can achieve meaningful security guarantees using only symmetric cryptography, although it introduces a trade-off in that the broker must manage all pre-shared keys, creating a single point of failure. Overall, the thesis shows that MARS enables scalable, hardware-rooted authentication and attestation for constrained IoT environments without the need for traditional TPM hardware.

| | |
|---|---|
| Supervisors: | Diana Gratiela Berbecaru, Silvia Sisinni |
| Academic year: | 2025/26 |
| Publication type: | Electronic |
| Number of pages: | 65 |
| Subjects: | |
| Degree programme: | Master's degree programme in Ingegneria Informatica (Computer Engineering) |
| Degree class: | New system > Master's degree > LM-32 - INGEGNERIA INFORMATICA |
| Collaborating companies: | NOT SPECIFIED |
| URI: | http://webthesis.biblio.polito.it/id/eprint/38656 |



Creative Commons License - Attribution 3.0 Italy