The new Matter protocol, which lets smart home devices from different manufacturers communicate with each other, is an important
step forward in the industry because it combines interoperability with reliability and security.
Matter uses the Internet Protocol (IP) as its basis, which makes it possible for smart home devices to work together, right out
of the box. That means less frustration and a better experience when setting up the initial network or adding devices down the
road.
At the same time, Matter uses strong, thoroughly tested security mechanisms to keep information private, prevent unauthorized
access and help to ensure that every communication is protected. For example, Matter devices have unique identities, go through
a screening process before joining a network and encrypt data to protect confidentiality and privacy. Device operation is also
restricted by detailed access-control policies, so devices only do what they’re supposed to do.
Device Attestation
A fundamental part of Matter security is the use of device attestation, a process for screening devices prior to letting them
share information. Before a Matter device can share information with the network or another device, it must first use device
attestation to confirm its authenticity, demonstrate its trustworthiness and establish a validated, authenticated connection.
Device attestation is a little bit like using a passport. To receive a passport, we must apply to a government agency, which is
a trusted organization. This organization, having confirmed our identity, then issues an official document that serves as proof
of identity. The passport tells anyone who asks (a border agent, a bank clerk, a lawyer) that we are who we say we are. It
confirms that we’re trustworthy and provides the basis for granting access to what we want.
In similar fashion, device attestation involves using an official certificate, issued by a trusted organization, to confirm
device identity and then grant access.
In the case of Matter, device attestation is based on public key infrastructure (PKI) and uses X.509 certificates to
authenticate Matter products and device vendors. PKI and X.509 certificates have been used to manage identity and security
across the internet for decades. These certificates are also part of several offline applications, including the electronic signatures used
to authenticate legal and financial transactions.
Matter uses X.509 certificate-based device attestation to ensure only compliant products from legitimate device vendors can join
the Matter home network.
The seamless and interoperable smart home is powered by Matter.
What Matter Requires
All Matter devices are required to use an attestation keypair and an X.509 certificate signed by a Trusted Certificate Authority (CA) or a Product Attestation Authority (PAA), to use the language of the Connectivity Standards Alliance (CSA)—the organization that defines the Matter specification and certifies Matter devices.
Proper use of device attestation is a central part of Matter compliance. For developers, that means the first step in obtaining
Matter compliance—and shipping Matter-certified devices—is to obtain a Matter-trusted device attestation certificate for each
device.
Obtaining Matter-Trusted Certificates
There are two ways to get Matter device attestation certificates for your devices. You can apply to become a trusted PAA and
issue your own certificates, or you can partner with someone who can issue the certificates for your products.
Becoming a trusted PAA is no small task. Before being authorized to issue device-unique attestation certificates, an
organization must first meet specific CSA requirements, and then apply and maintain a strict
security process during device manufacture. Creating and managing the necessary in-house processes to meet these requirements
for security and confidentiality is a major undertaking that not every organization can afford to pursue. In addition to the
technical security requirements that need to be met, there are also operational controls, facility and physical controls and
auditing requirements that need to be established, tracked and maintained. In many cases, partnering with an established
manufacturer—with a certified-secure process for certificate issuance—is the better way to go.
NXP Is a PAA
NXP is one of a few semiconductor companies that helped define the Matter specification, and is one of the first to offer
Matter-certified and compliant development platforms and products. We are also one of the first semiconductor manufacturers to
have been granted trusted PAA status by the CSA, so we’re able to issue Matter device attestation
certificates for our customers' products.
What makes us special, as a PAA, is that we can inject credentials into silicon. As one of the leading suppliers to the Internet
of Things (IoT), we have been issuing and maintaining device credentials for quite a while and have strong expertise in trust
provisioning. Our EdgeLock 2GO service is a flexible, fully turnkey platform for securely provisioning IoT devices. Through the
EdgeLock 2GO service, we can inject credentials directly into silicon (with pre-injection on embedded Secure Elements and
authenticators) or deliver the credentials securely over-the-air (OTA).
Using our in-depth knowledge, as a contributor to the Matter specification, we’ve updated our EdgeLock 2GO service to meet the
Matter requirements and can now offer this service to our customers to help them more effectively and efficiently design and
deploy their Matter devices.
EdgeLock 2GO for Matter
The EdgeLock 2GO service is a flexible, cost-effective security platform that leverages our well-established security
infrastructure and our extensive capabilities in hardware security.
NXP Security Expertise
EdgeLock 2GO leverages the NXP security infrastructure and know-how to offer a Matter-compliant PKI service to NXP customers.
We develop our security products by following strict security processes and have had a long-time presence in various areas
such as identity, banking and payment. We have extended this expertise into the IoT and smart home segments.
Silicon-Based Security
The EdgeLock 2GO service for Matter is designed to leverage the security capabilities of various NXP products to offer an
optimal level of trust. Examples of such products are the EdgeLock SE05x Secure Element, the EdgeLock A5000 secure
authenticator, the i.MX 8M Mini and i.MX RT1060 processors—as well as the K32W0 and MW320—and the recently announced
K32W148, RW610 and RW612 wireless MCUs.
Designed for Flexibility
As a complement to our hardware security offerings, the EdgeLock 2GO service for Matter is a fully turnkey offering that
includes everything from credential generation and device attestation certificate issuance to secure key injection. EdgeLock
2GO operates a Product Attestation Authority (PAA) and can create a Product Attestation Intermediate (PAI) certificate for
each OEM project. That PAI certificate is then used to issue the Device Attestation Certificates (DACs) for the OEM's individual
devices. In addition, EdgeLock 2GO supports many other use cases for credential management, such as secure cloud connectivity,
over-the-air (OTA) firmware updates and more.
The CSA has approved NXP as a Product Attestation Authority (PAA) using EdgeLock 2GO for Matter.
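The three-tier chain just described (PAA root, PAI per OEM project, DAC per device) and the attestation check from the Device Attestation section above can be exercised end to end with the following added example. It is illustration code written for this article, not NXP, CSA or EdgeLock 2GO code: it mints a constructed PAA, PAI and DAC with Go's standard x509 package, then performs the two checks a commissioner makes before admitting a device: the DAC must chain through its PAI to a PAA in the trust store, and the device must prove it holds the attestation private key by signing a fresh nonce. The certificate names, serial numbers and nonce are constructed; real Matter DACs carry further constraints (vendor and product identifiers in the subject, for instance) that this example leaves out, and the rogue chain only shows that an unknown PAA is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is one constructed PAA -> PAI -> DAC chain plus the device's private
// attestation key (on a real device that key sits in a secure element and never leaves it).
type Chain struct {
	PAA, PAI, DAC *x509.Certificate
	DACKey        *ecdsa.PrivateKey
}

// newKey generates an ECDSA P-256 key, the curve Matter attestation keys use.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a certificate template; isCA selects CA constraints (PAA, PAI) or leaf constraints (DAC).
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial), // constructed serial
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue signs tmpl (carrying pub) with parentKey under parent; a nil parent means self-signed.
func issue(tmpl *x509.Certificate, pub *ecdsa.PublicKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildChain acts as the PAA: self-signs the root, issues a PAI for one OEM project
// under it, and issues a DAC for one device under that PAI.
func BuildChain(paaCN, paiCN, dacCN string) Chain {
	paaKey, paiKey, dacKey := newKey(), newKey(), newKey()
	paa := issue(template(paaCN, 1, true), &paaKey.PublicKey, nil, paaKey)
	pai := issue(template(paiCN, 2, true), &paiKey.PublicKey, paa, paaKey)
	dac := issue(template(dacCN, 3, false), &dacKey.PublicKey, pai, paiKey)
	return Chain{PAA: paa, PAI: pai, DAC: dac, DACKey: dacKey}
}

// VerifyDAC is the commissioner-side chain check: the presented DAC must be a leaf
// and must chain via the presented PAI to one of the trusted PAAs. nil means accepted.
func VerifyDAC(dac, pai *x509.Certificate, trustedPAAs []*x509.Certificate) error {
	if dac.IsCA {
		return errors.New("DAC must not be a CA certificate")
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, paa := range trustedPAAs {
		roots.AddCert(paa)
	}
	inters.AddCert(pai)
	_, err := dac.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // DACs carry no TLS-style EKU
	})
	return err
}

// SignChallenge is the device side: sign the commissioner's nonce with the attestation key.
func SignChallenge(key *ecdsa.PrivateKey, nonce []byte) []byte {
	digest := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// CheckChallenge is the commissioner side: the signature must verify under the DAC's public key,
// which proves the device holds the key the certificate vouches for.
func CheckChallenge(dac *x509.Certificate, nonce, sig []byte) bool {
	pub, ok := dac.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	good := BuildChain("Constructed PAA", "Constructed PAI", "Constructed DAC")
	rogue := BuildChain("Rogue PAA", "Rogue PAI", "Rogue DAC") // not in the trust store
	store := []*x509.Certificate{good.PAA}
	fmt.Println("trusted DAC accepted:", VerifyDAC(good.DAC, good.PAI, store) == nil)
	fmt.Println("rogue DAC accepted:  ", VerifyDAC(rogue.DAC, rogue.PAI, store) == nil)
	nonce := []byte("constructed commissioner nonce")
	fmt.Println("proof of possession: ", CheckChallenge(good.DAC, nonce, SignChallenge(good.DACKey, nonce)))
}
```

The trust store is the only thing that distinguishes the two chains: both are internally consistent, so the rejection of the rogue DAC comes purely from its PAA not being one the commissioner trusts, which is the property the article attributes to CSA-approved PAAs.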
With EdgeLock 2GO for Matter, there’s no need to establish an in-house process for issuing and managing PKI certificates, and
the development process gains the flexibility of being able to customize configurations, manage OTA updates, and scale to
accommodate changes in demand.
Take the Next Step with EdgeLock 2GO for Matter
We’re strong supporters of Matter because we believe consumers want a better way to create smart homes. And, by the same token,
we want to give developers a better way to deliver Matter devices. That’s why we’ve moved quickly to achieve CSA trusted PAA
status and have expanded our industry-proven EdgeLock 2GO service to include Matter-trusted certificates.
Explore the capabilities of EdgeLock 2GO for Matter further by inquiring through our dedicated EdgeLock 2GO form.