Rolling DICE: Lightweight Remote Attestation for COTS IoT Hardware

The Device Identity Composition Engine (DICE) specification provides a novel basis for remote attestation that is particularly suitable for the IoT context. Its purpose is to provide a means of remote attestation for devices that are too size-, cost-, energy- or otherwise constrained to have a Trusted Platform Module attached. This paper gives a short explanation of DICE and compares different approaches for building a remote attestation protocol on top of it, using symmetric and asymmetric cryptography. Based on this comparison, a symmetric attestation protocol is proposed for most resource-constrained devices, and its implications for attestation servers are discussed. Furthermore, a feasibility study is conducted that maps DICE and the proposed DICE-based attestation approach to commercial off-the-shelf (COTS) hardware, namely the Arduino Uno in this case, and measurements of the code size, binary size and added computational requirements are provided. The security of the mapping approach is evaluated, and its advantages and pitfalls are demonstrated. The goal is to show how DICE-based approaches can be mapped to existing hardware and how a more secure IoT environment can be established on already deployed devices without changes to the hardware.
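To make the symmetric approach concrete, the following added example (not code from the paper, and not the protocol it proposes) sketches a generic DICE-style derivation of a Compound Device Identifier (CDI) from a Unique Device Secret (UDS) and a firmware measurement, followed by a nonce-based HMAC challenge-response. The choice of HMAC-SHA256, the message layout, the `Verifier` class and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def derive_cdi(uds: bytes, firmware: bytes) -> bytes:
    # DICE: the CDI binds the device secret to a measurement of the
    # first mutable code, so modified firmware yields a different CDI.
    measurement = hashlib.sha256(firmware).digest()
    return hmac.new(uds, measurement, hashlib.sha256).digest()


def device_respond(uds: bytes, running_firmware: bytes, nonce: bytes) -> bytes:
    # Device side. On real hardware the UDS is read once at boot and then
    # locked; only the CDI is available to the firmware that answers.
    cdi = derive_cdi(uds, running_firmware)
    return hmac.new(cdi, nonce, hashlib.sha256).digest()


class Verifier:
    # Attestation server (hypothetical). With symmetric keys it must hold
    # each device's UDS and a reference image to recompute the expected CDI.
    def __init__(self, uds_by_device: dict, reference_firmware: bytes):
        self.uds_by_device = uds_by_device
        self.reference_firmware = reference_firmware
        self.pending = {}

    def challenge(self, device_id: str) -> bytes:
        nonce = os.urandom(16)
        self.pending[device_id] = nonce
        return nonce

    def verify(self, device_id: str, response: bytes) -> bool:
        nonce = self.pending.pop(device_id, None)  # single use: blocks replay
        uds = self.uds_by_device.get(device_id)
        if nonce is None or uds is None:
            return False
        cdi = derive_cdi(uds, self.reference_firmware)
        expected = hmac.new(cdi, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


# Constructed sample values, not taken from the paper.
UDS = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
GOOD_FW = b"constructed firmware image v1"
TAMPERED_FW = b"constructed firmware image v1 + implant"
```

The sketch also shows the server-side cost of the symmetric variant: the verifier's database of UDS values is itself a high-value secret, since anyone holding a device's UDS can compute valid responses for it.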