Trust Onboard provisions Twilio Programmable Wireless SIM cards with two X.509 client-side certificates. These certificates can be used to authenticate devices when they are making HTTPS connections. You can also authenticate with cloud providers such as Microsoft Azure, or with your own systems, using TLS.
No additional pre-shared keys (API tokens, passwords, request signing) are needed — only a Twilio SIM card with Trust Onboard. The SIM cards are manufactured with two unique certificates and key pairs. These certificates and keys have different capabilities which are described below.
Check out the guide Working with Trust Onboard to learn how to implement Trust Onboard in your IoT product.
If you received a Twilio Broadband IoT Developer Kit, please check out this tutorial to learn how to set it up and build your first IoT application.
| Area | Capability |
|---|---|
| Device identity | Device identity differentiation at the point of manufacture, so that the device manufacturer does not need to install custom software or hardware |
| Device protection | Software integrity |
| Secure communication | API authentication and authorization |
- Twilio generates two sets of public and private keys, and two certificates per SIM card. The certificates and their associated keys are called Available and Signing.
- The certificates are loaded onto the SIM card during SIM manufacture.
- Twilio provides you with an ICCID-to-certificate mapping and the ability to sync certificates to your backend. The ICCID is the SIM card’s 19-digit identification number.
- Using the Twilio Breakout SDK for Trust Onboard, you can use the certificates and keys on the SIM card to authenticate your device to your backend service and set up TLS connections.
- The Available certificate is stored on the SIM card, but its full text can be read by the host device. Your code also has access to the full text of the Available public and private keys. The Available entities are intended for hardware that requires you to hand over this material for HTTPS communication. They are contained in a simple GlobalPlatform applet that holds files with read-only permissions.
- The Signing certificate and its associated keys are also stored inside the SIM card but cannot be read directly. You must use TLS libraries such as Mbed TLS or OpenSSL that can ask the SIM card to sign requests and to perform request encryption; the SIM does so using the Signing entities, and the private key never leaves the SIM. The Signing entities are intended for use cases where your hardware allows you to offload TLS operations to the SIM card. They are contained in a GlobalPlatform applet called mIAS that implements a full security suite similar to OpenSSL.
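The ICCID-to-certificate mapping described above is what lets your backend tie a TLS client certificate back to a specific SIM. The following is an added example (not Twilio's or the Breakout SDK's code) of that backend-side check: it assumes the mapping has been exported as CSV rows of `iccid,sha256_fingerprint` (an assumed format), that the server obtains the device's Available certificate in DER form from the TLS handshake (for example via `ssl.SSLSocket.getpeercert(binary_form=True)`), and that ICCIDs carry an ITU-T E.118 Luhn check digit. The sample certificate bytes and ICCIDs are constructed placeholders.

```python
import csv
import hashlib
import io


def luhn_ok(digits: str) -> bool:
    """Verify the Luhn check digit that E.118 ICCIDs carry."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def valid_iccid(iccid: str) -> bool:
    """The page states ICCIDs are 19 digits; also enforce the check digit."""
    return len(iccid) == 19 and iccid.isdigit() and luhn_ok(iccid)


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as synced from Twilio (assumed)."""
    return hashlib.sha256(cert_der).hexdigest()


def load_mapping(csv_text: str) -> dict:
    """Build fingerprint -> ICCID, rejecting malformed ICCIDs and conflicting rows."""
    mapping = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        iccid = row["iccid"].strip()
        fp = row["sha256_fingerprint"].strip().lower()
        if not valid_iccid(iccid):
            raise ValueError(f"malformed ICCID in mapping: {iccid}")
        if fp in mapping and mapping[fp] != iccid:
            raise ValueError(f"fingerprint {fp} bound to two ICCIDs")
        mapping[fp] = iccid
    return mapping


def identify_device(mapping: dict, peer_cert_der: bytes):
    """Return the ICCID bound to the presented certificate, or None if unknown."""
    return mapping.get(fingerprint(peer_cert_der))


# Constructed sample data: stand-in DER bytes and a made-up (Luhn-valid) ICCID.
DEVICE_A_DER = b"constructed-der-for-device-A"
DEVICE_A_ICCID = "8988300000000000013"
SAMPLE_CSV = "iccid,sha256_fingerprint\n" + f"{DEVICE_A_ICCID},{fingerprint(DEVICE_A_DER)}\n"
```

A certificate that is not in the synced mapping yields `None`, so the server can close the connection even though the chain itself may have validated.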
Each SIM certificate has an expiration period of 30 years.
- Available certificates, which can be extracted from the SIM into device memory, can never be replaced. The Available keys and certificate are stored in a read-only location on the SIM card. For this reason, they are effectively permanent, and the certificate should outlive the physical device.
- Signing certificates have the same 30-year expiration period as Available.
The Twilio IoT Breakout SDK for Trust Onboard provides example code that demonstrates how to use the Available and Signing certificates on Trust Onboard-enabled SIM cards. The SDK can be built as a static or dynamic library and linked to your executable.
The guide Working with Trust Onboard shows you how to apply the Breakout SDK to use Trust Onboard.
The SDK is available on GitHub.