6

Looking to add a cryptochip (Atmel ATECC608A) to a product that will be used to communicate with a company server.

We want to make sure that only our devices are communicating to our server (authentication).

From what I can tell, my company will have its own key pair which we will use to sign an intermediate key pair which in turn will be used to sign all the device key pairs.

My question is - how does the server "know" that the end devices are legit?

Bence Kaulics
efox29

2 Answers

3

The canonical cryptographic answer would be client certificates or secrets of some sort on each device. Consider this example where Microchip details how to authenticate the ATECC608A versus the Google IoT Cloud. The details are given here. You'll need a secret private key and a secure algorithm.

Of course, that means that you'll have to securely deploy those secrets in mass production on your chips.

Helmar
1

In general terms, this is called mutual authentication, most often by using TLS and client certificates, although other schemes are possible. Individual device certificates are signed by the manufacturer using an issuer private key, and that signature is verified during the communication handshake when presented by the client. This is how the server "knows" the device is legit.

Effectively, the issuer/manufacturer needs to act as a Certificate Authority or CA, or intermediate CA when issuing individual device certs, and also maintain a revocation database for individual compromised devices. I.e. pretty much everything else that setting up a CA involves.

kert