This document describes the NEOS-IoTSP, an IoT security platform based on the NEOS RTOS. It includes secure RTOS software, an integrated development environment, a system-on-module reference hardware, and a development kit. The platform features secure boot, firmware updates, cryptographic functions, device management integration, and key management integration. It is designed for applications requiring security such as public safety, military, healthcare and manufacturing.

1. NEOS-IoTSP
IoT Security Platform based on NEOS RTOS ™
supporting WiFi and TPM (Trusted Platform Module)
2016.12
http://www.neosrtos.com/neosp1
email: daeyeoun@mdstec.com
© 2016 MDS Technology Co., Ltd..

2. Features of NEOS IoT Security Platform
● Full Featured Solution Package : Secure RTOS Software, Integrated
Development Environment Software, System-on-module, and
Development Kit
● Crypto Library
● Secure Boot
● Secure Firmware Update
● TPM Support
● Device Management Solution, Integrated
● Key Management System for IoT, Integrated

3. Configuration of NEOS IoT Security Platform
Secure RTOS SW
Secure Boot
Secure Firmware
Update
Crypto API
NEOS™ RTOS
Key
Manager
IoT Agent
Crypto-
library
Neo-SP1
(System-On-
Module)
Cortex-M4 MCU
WiFi
Device
Manager
TPM
DVMS
(Development Kit + Sensors)
Serial to USB
(monitor)
SWD
(debug)
Accelerometer
Magnetic Field
NEOSPACE™
IDE
USB
(Serial, SWD)
Internet /
Intranet
Temperature
& Humidity
Light & UV
Host Computer
■ Softwares : Secure RTOS Software, IDE (Integrated Development Environment)
■ Reference Hardwares : System-on-module, and DevKit
3
<NEOS-IoTSP> http://www.neosrtos.com/neosp1

4. 4
A. Secure RTOS SW Platform
■ Secure Boot
■ Secure Firmware Update
■ Standard Cryptographic Library for end-to-end Security
■ Secure Key Management on TPM (Trusted Platform Module)
■ Standard based Device Management Solution (NEO-IDM™) Integrated
■ Standard based Key Management Solution (iKMS) Integrated
Secure RTOS SW
Secure Boot
Secure Firmware
Update
Crypto API
NEOS™ RTOS
Key
Manager
IoT Agent
Crypto-
library
Device
Manager

5. 5
B. IDE (NEOSPACE)
■ Complete Integrated Development Environment based on eclipse development platform
■ Project Management
■ Building target software : compiler, linker
■ Debugging and Flash Programming through Serial Wire Debug (SWD)
USB
(Serial, SWD)

6. • Neo-SP1 Module
– Hardware Root of Trust by TPM (Trusted Platform Module)
– User can program IoT application on the module
• DVMS : Full Featured Development Kit
– Neo-SP1 Mounted
– SWD ST Link-v2 Debug Interface ready for Debugging and Flash Programming
– Sensors : Accelerometer/Magnetometer, Temperature/Humidity, Light/UV
– Configurable External Ports with I2C, ADC, UART interfaces
6
C. Reference Hardware
JTAG
Trace32
SWD - USB
Serial - USB
Temp./
Humidity
Accel. /
mageto.
Neo-SP1
Light/UV
External
Ports
DVMS (DevKit)
Function Specification
MCU STM32F415
TPM Infineon SLB9670VQ1.2
Connectivity WiFi 802.11b/g/n : ESP8266
Dimension 25mm x 35mm
● Neo-SP1

7. Applications
● Edge Device, Connectivity Module, or Secure Media Converter
● Ready for various wireless connection

8. ■ Boot only OEM provided software only
■ Download firmware from Update Server and verify the Signature
8
Secure Boot, Secure Firmware Update
Device Power On
Firmware boot loader
Boot Manager
verifies Signature
Boot to
Main OS
Boot to
Update
boot
configuration
database
Internet /
Intranet
Update Server Signing
( OS and
Hash )
Public key of
update Server
Download from
update server

9. Neo-IDM Service UI
• Standard IoT Device Management Platform based on LwM2M protocol
• Two Operation Models : IoT Edge Device and Connectivity Module
9
Integration with Neo-IDM
NEOS IoT SP
Edge Device
Neo-IDM CoAP Server
IoT Gateway
Neo-IDM LwM2M
Client
CoAP
Interworking Proxy
LwM2M
IoT Server
Azure, ThingWorx, ...
HTTP/MQTT
LwM2M Server
NEOS IoT SP
Connectivity Module
Neo-IDM LwM2M
Client & CoAP Server
LwM2M
LwM2M Server
Secure RTOS SW
Secure Boot Secure Firmware Update Crypto API
NEOS™ RTOS
Key Manager
IoT Agent
Crypto-
library
Device
Manager

10. • Key distribution function and management scheme
• Key Injection for IoT Device
• Thus providing End-to-End Security
10
Integration with iKMS (Key Management System)
NEOS IoT SP
iKMS Agent
Secure Key
Distribution
iKMS Server
(Hancom Secure Co.)
Secure RTOS SW
Secure Boot Secure Firmware Update Crypto API
NEOS™ RTOS
Key
Manager
IoT Agent
Crypto-
library
Device Manager
IoT Server
LwM2M, Azure, ...
Secure Key
Distribution

11. Cryptographic Library
11
Function Algorithm Description
Block Cipher
ARIA 128, 192, 256 bits
SEED 128, 256 bits
LEA 128, 192, 256 bits
HIGHT 64 bits
Block Cipher
Operating Mode
Confidentiality ECB, CBC, CFB, OFB, CTR Block Cipher : ARIA, SEED, LEA, HIGHT
Confidentiality/Authentication CCM, GCM Block Cipher : ARIA, SEED, LEA, HIGHT
Random Number Generator
HASH_DRBG Hash : SHA-224/256/384/512
CTR_DRBG Block Cipher : ARIA, SEED, LEA, HIGHT
HMAC_DRBG Hash : SHA-224/256/384/512
Public Key Cryptography RSAES Public Key : 2048, 3072 bits
Key Management
DH Public / Private Key : (2048, 256)
ECDH
B-233, K-233, P-224
B-283, K-283, P-256
Hash Function SHA-2 Output Length : 224, 256, 384, 512 bits
Message Authentication
Code
Hash Based HMAC Key Length : 128, 256 bits
Block
CMAC Block Cipher : ARIA, SEED, LEA, HIGHT
GMAC Block Cipher : ARIA, SEED, LEA, HIGHT
Digital Signature
RSA-PSS Public Key : 2048, 3072 bits
KCDSA Public Key : 1024, 2048, 3072 bits
ECDSA
B-233, K-233, P-224
B-283, K-283, P-256
ECKCDSA
B-233, K-233, P-224
B-283, K-283, P-256
■ cryptographic algorithms
■ light-weighted, and optimized for embedded system

12. 12
Connection Types
Neo-SP1
IoT GateWay
IoT Server
As a Connectivity Module
Connect to Server without IoT Gateway
Neo-SP1
Wireless
Access Point
As an Edge Device
Connect to Server through IoT Gateway
Internet /
Intranet
Internet /
Intranet
IoT Server
Neo-SP1
Device-to-device Security
Connect to other devices
Internet /
Intranet

13. ■ To provide Secure Channel for systems with Legacy Devices
■ Minimal or no modification to Legacy System for easy deployment
13
Secure Media Converter
Legacy Devices Legacy Devices
Trans-
ceiver
Trans-
ceiver
Unsecure
Media :
ethernet,
RS485, RS422,
...
Secure Channels
Wired or Wireless
Unsecure
Media :
ethernet,
RS485, RS422,
...

14. ■ Ready for Connectivity Modules : Bluetooth, Zigbee, LoRa, WISUN, LTE, etc
14
Ready for Various Wireless Connections Extension
RF
Module
Zigbee
Bluetooth
WISUN
LoRa
Sensors
Internet /
Intranet

15. 15
Applicable
■ To protect public safety data, environment data, smart grid data, etc, where Security is
mandatory by law
■ To protect data for Military IoT
■ To protect Private Sensitive data, such as Wellness information or Medical (Health) data
■ To protect Device Configuration Data, Manufacturing Technology

16. About NEOS RTOS
16
■ NEOS™ RTOS is a real-time operating system for embedded system developed by MDS
Technology
■ DO-178B Level A Certifiable Kernel
■ Multi-thread Kernel with fast and deterministic performance
■ Preemptive realtime scheduling
■ POSIX standard API add-on (POSIX 1003.13 PSE52)
■ Field proven in aerospace and military for safety critical and mission critical system
■ http://www.neosrtos.com