Storage of Per-Device Keys in Database?

Question

In the context of many devices being secured with their own symmetric key (think: thousands of IoT devices), is it reasonable to hold these secret keys in a MySQL database?

The goal is to verify the authenticity of devices; I'd like to hear from people with experience in security what their thoughts are.

Answer 1

Using symmetric keys for authentication sounds unusual, they are commonly used to secure a connection after the identity of communication partners has been established using public key cryptography. In addition, symmetric keys are normally ephemeral, you create them using a secure key exchange mechanism and discard them after use.

In the following I'm assuming the IoT devices are clients and initiate connections to a server.

Depending on the CPU power of your devices, using standard TLS with client certificates for authentication might be a better option.

With client certificates, the server only needs to have the public key of the CA that issues these certs, no need to store individual public or private keys on the server side. The clients store their private key and the signed certificate, that's all they need to authenticate themselves to the server.

Update to address the comments:

If you need to roll your own scheme due to hardware restrictions, you will need to analyze the security and attack scenarios - I'm not enough of an expert to even guess where there might be loopholes in the scheme. Devising and correctly implementing cryptography is hard, I would avoid it unless the secrets to be guarded aren't really valuable. For IoT devices, the stakes might be surprisingly high, for example when breaking into their communication enables an attacker to break into a house, to cause damage to expensive gear, or to sabotage a factory.