
Aticara IoT gateway system

Aticara IoT gateway system:

The Aticara IoT gateway system has an "Extended Service Gateway (eSG)" integrated with a "Virtual Service Gateway (vSG)" and IoT Gateways.

IoT Gateways:
IoT gateways are connected to the vSG. The IoT agent, which resides in the IoT gateway, is responsible for the MQTT interface with the CPI. The MQTT messages from the IoT gateway are published by the IoT agent to the CPI via the eSG and the vSG. The MQTT messages from the CPI are published to the IoT gateway via the vSG and the eSG. The vSG acts as a router for the MQTT messages between the CPI and the IoT gateways. The eSG is responsible for secure connectivity between the IoT gateway and the vSG.

The IoT gateway terminates the communication protocols of the devices, such as Zigbee, Z-Wave, WMBus, etc. All the application-level messages and sensor traffic from the devices are forwarded by the IoT gateway to the vSG (via the eSG). The vSG in turn forwards the application-level messages and sensor traffic to the CPI. The application-level messages are terminated at the CPI. The commands for individual devices (which in turn are application-level messages) are sent by the CPI to the IoT gateway through the vSG over a “gateway specific” MQTT topic. The IoT gateway in turn sends the command to the device through the appropriate protocol. If there is a response associated with the command, it is sent back to the CPI from the device via the IoT gateway and the vSG.

The number of IoT gateways deployed in customer premises depends on coverage and capacity. Where access points to WAN connectivity are limited, the IoT gateways are connected in a mesh topology over Wi-Fi. One of the IoT gateways is elected as a coordinator through an election process, and all the traffic from the different IoT gateways is routed through the coordinator IoT gateway to the vSG via the WAN access point. If the coordinator IoT gateway goes down, a re-election process is triggered and another IoT gateway takes up the role of coordinator.

The trust centre is responsible for key generation for the Zigbee protocol:

Link key – Key used to encrypt messages at the link layer of the Zigbee protocol between the IoT device and the IoT gateway
Network key – Key used to encrypt messages at the network layer of the Zigbee protocol between nodes


The trust centre uses the device’s MAC address (extended unique address) and the install code to generate the link key. The install code is typically provided along with the device by the vendor.

The trust centre will be part of the Coordinator IoT gateway.

The devices are connected to any of the IoT gateways through one of the protocols Zigbee, Z-Wave, WMBus, BLE or Wi-Fi, or as IP-based devices.

Virtual Service Gateway (vSG):


The Virtual Service Gateway (vSG) is responsible for authenticating the IoT gateways against their registered Gateway ID. On successful gateway registration and authentication, each gateway device is issued a unique AES 256-bit key.

The issued AES 256-bit key is used at the IoT Gateway to encrypt or decrypt MQTT messages when the IoT Agent publishes or subscribes.

The vSG gets its TLS certificate at the time of associating with the CPI; the certificate provides a secure communication channel between the vSG and the CPI. At its core, TLS is a cryptographic protocol that uses a handshake mechanism to negotiate various parameters to create a secure connection between the vSG and the CPI. After the handshake is complete, encrypted communication between the vSG and the CPI is established and no attacker can eavesdrop on any part of the communication. CPIs provide an X.509 certificate, typically issued by a trusted authority, that the vSG uses to verify the identity of the CPI.

MQTT relies on the TCP transport protocol. TCP connections do not use encrypted communication. To encrypt the whole MQTT communication, MQTT brokers allow the use of TLS instead of plain TCP. The username and password fields of the MQTT CONNECT packet need to be used for the authentication and authorization mechanisms. Port 8883 is used for a secured MQTT connection.
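An added example (not Aticara's code) of the point above: it builds the MQTT 3.1.1 CONNECT packet carrying the username and password fields and prepares a certificate-verifying TLS context for port 8883. The client ID, credentials and function names are constructed for illustration; MQTT itself does not encrypt the CONNECT fields, which is why the packet is sent only inside the TLS session.

```python
# Added example: MQTT 3.1.1 CONNECT with credentials, sent only over verified TLS.
import socket
import ssl
import struct

def mqtt_field(data: bytes) -> bytes:
    """MQTT string/binary field: 2-byte big-endian length followed by the bytes."""
    return struct.pack("!H", len(data)) + data

def remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 bits per byte, top bit means 'more follows'."""
    out = bytearray()
    while True:
        n, digit = divmod(n, 128)
        out.append(digit | (0x80 if n else 0))
        if not n:
            return bytes(out)

def build_connect(client_id: str, username: str, password: str, keepalive: int = 60) -> bytes:
    """CONNECT with the user name (0x80), password (0x40) and clean session (0x02) flags."""
    body = mqtt_field(b"MQTT") + bytes([0x04, 0x80 | 0x40 | 0x02]) + struct.pack("!H", keepalive)
    body += mqtt_field(client_id.encode()) + mqtt_field(username.encode()) + mqtt_field(password.encode())
    return b"\x10" + remaining_length(len(body)) + body

def tls_context(ca_file=None) -> ssl.SSLContext:
    """Client context that verifies the broker's X.509 chain and host name."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED and check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def send_connect(host: str, packet: bytes, ca_file=None, port: int = 8883) -> bytes:
    """Open TLS to the broker, send CONNECT, and return the 4-byte CONNACK."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with tls_context(ca_file).wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(packet)
            return tls.recv(4)
```

The password bytes appear verbatim at the end of the packet, so a handshake failure in `send_connect` should abort the connection rather than fall back to plain TCP.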

The vSG can use a count-up mechanism to track the number of connections established from the IoT Gateways, and it manages load balancing of connections with the CPI. Once the maximum number of connections per CPI is reached, it triggers a new instance of the CPI.

The vSG maintains packet label switching to route the connections when multiple CPIs are associated with the vSG. Packet label switching is a protocol-agnostic routing technique designed to speed up and shape traffic flows across multiple CPIs. Packet labels consist of two parts: a label value of 20 bits and a time to live of 8 bits. Each packet gets labeled on entry into the CPI identifier it router that decides the LSP the packet will take until it reaches its destination address.

Encrypted Service Gateway (eSG):


The Encrypted Service Gateway (eSG) is integrated with the vSG. The eSG is responsible for AES 256 decryption or encryption of the MQTT messages that are received from or sent to the IoT Gateway. The eSG gets the AES 256-bit secure key from the vSG based on the Gateway ID that is registered at the time of association with the vSG.


The eSG has block cipher functionality with a block length of 256 bits for handling encryption or decryption of the MQTT packets.

Encryption consists of 14 rounds of processing for 256-bit keys. Except for the last round, all rounds are identical. Each round of processing includes one single-byte based substitution step, a row-wise permutation step, a column-wise mixing step, and the addition of the round key. The order in which these four steps are executed is different for encryption and decryption.

For encryption, each round consists of the following four steps: 1) Substitute bytes, 2) Shift rows, 3) Mix
columns, and 4) Add round key. The last step consists of XORing the output of the previous three steps
with four words from the key schedule.

For decryption, each round consists of the following four steps: 1) Inverse shift rows, 2) Inverse
substitute bytes, 3) Add round key, and 4) Inverse mix columns. The third step consists of XORing the
output of the previous two steps with four words from the key schedule. Note the differences between
the order in which substitution and shifting operations are carried out in a decryption round vis-a-vis the
order in which similar operations are carried out in an encryption round.
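The encryption rounds described above, as an added Python example that is not part of the original document or Aticara's implementation: one block encrypted with a 256-bit key through 14 rounds, checked against the FIPS 197 Appendix C.3 test vector. Function names are illustrative, and the state is the 16-byte block that FIPS 197 defines for every AES key size.

```python
# Added example (not vendor code): AES-256 block encryption, educational and not constant-time.

def xtime(a):
    """Multiply by x in GF(2^8), reducing by x^8 + x^4 + x^3 + x + 1."""
    return ((a << 1) ^ 0x11B) & 0xFF if a & 0x80 else a << 1

def build_sbox():
    """S-box: multiplicative inverse in GF(2^8), then the affine map."""
    pw = [1]
    for _ in range(254):
        pw.append(pw[-1] ^ xtime(pw[-1]))       # successive powers of the generator 3
    inv = [0] * 256
    for i, v in enumerate(pw):
        inv[v] = pw[(255 - i) % 255]            # 3^i * 3^(255-i) = 1
    rot = lambda b, n: ((b << n) | (b >> (8 - n))) & 0xFF
    return [b ^ rot(b, 1) ^ rot(b, 2) ^ rot(b, 3) ^ rot(b, 4) ^ 0x63 for b in inv]

SBOX = build_sbox()

def expand_key(key):
    """32-byte key -> 60 four-byte words, i.e. 15 round keys for 14 rounds."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(8)]
    for i in range(8, 60):
        t = w[i - 1]
        if i % 8 == 0:      # RotWord, SubWord, then XOR the round constant
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= 1 << (i // 8 - 1)
        elif i % 8 == 4:    # extra SubWord step that only 256-bit keys have
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - 8], t)])
    return w

def mix_column(a):
    """b_r = 2*a_r ^ 3*a_(r+1) ^ a_(r+2) ^ a_(r+3); negative indices wrap around."""
    return [xtime(a[r]) ^ xtime(a[r - 3]) ^ a[r - 3] ^ a[r - 2] ^ a[r - 1] for r in range(4)]

def encrypt_block(key, block):
    """Encrypt one 16-byte block with a 32-byte key (state held column-major)."""
    if len(key) != 32 or len(block) != 16:
        raise ValueError("AES-256 needs a 32-byte key and a 16-byte block")
    w = expand_key(key)
    rk = lambda n: [b for word in w[4 * n:4 * n + 4] for b in word]
    s = [a ^ b for a, b in zip(block, rk(0))]       # initial add round key
    for rnd in range(1, 15):
        s = [SBOX[b] for b in s]                    # 1) substitute bytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # 2) shift rows
        if rnd < 14:                                # 3) mix columns, skipped in round 14
            s = [b for c in range(4) for b in mix_column(s[4 * c:4 * c + 4])]
        s = [a ^ b for a, b in zip(s, rk(rnd))]     # 4) add round key
    return bytes(s)
```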

Technical Specification:

Broadcom BCM2837 64bit ARMv7 Quad Core Processor powered Single Board Computer running at 1.2GHz
1GB RAM
BCM43143 WiFi
Bluetooth Low Energy (BLE)
Zigbee
Wireless M-Bus
Z-Wave
4 x USB 2 ports
4 pole Stereo output and Composite video port
Full size HDMI
Upgraded switched Micro USB power source supports up to 2.4 Amps


About Aticara IoT Gateway:


Complete IoT ecosystem for smart automation applications.
The gateway is flexible for connecting all devices in a building management system, smart home and smart energy.
It is highly secure, providing a secure channel with TLS and packet-level encryption using AES256.
Supports a wide range of communication protocols including Zigbee, Z-Wave, LoRa, WLAN, Wireless M-Bus and Bluetooth Low Energy.
It hosts a programmable Linux platform and can be integrated with any cloud solution (e.g. Aticara Cloud, AWS, Bluemix, etc.).
The gateway has machine learning and AI.
It supports the Wi-Fi mesh topology between the gateways.

Aticara's IoT Cloud:


Aticara's IoT Cloud is designed to store and process Internet of Things (IoT) data. It has a massively scalable real-time event processing engine. It is built to take in the massive volumes of data generated by devices, sensors, websites and applications and to initiate actions for real-time responses.
IoT Cloud is part of Aticara's IoT ecosystem and will enable users to manage Smart IoT devices from an orchestration platform via REST APIs.
On the north-bound side, Aticara's IoT Cloud will provide a series of REST APIs to an external entity for User and Device management.
Aticara's IoT Cloud as a system will hold the business logic and the data needed to accomplish the User and Device management. On the south-bound side, it will talk to the IoT Gateway through a secured IPv4 connection.

CONTACT US:

demo@aticara.com

sales@aticara.com

www.aticara.com
©2019 Aticara Technologies & systems Pvt Ltd. All rights reserved. Aticara reserves the right to make design changes without notice. As we are always seeking to improve our products, the information in this document gives only a general indication of the product capacity, performance and suitability, none of which shall form part of any contract. All trademarks are acknowledged.
