How to Connect Downstream Device to Azure IoT Central using x509 Certificates? - azure-iot-central

I am having trouble figuring out how to connect a downstream device to my IoT Central application. There is sample code showing how to do it using symmetric keys, but I am interested in using x509 certificate (https://learn.microsoft.com/en-us/azure/iot-central/core/how-to-connect-iot-edge-transparent-gateway#provision-a-downstream-device). I've tried using the code in the EdgeX509AuthDownstreamDevice sample, but I am not sure what to put for the IOTHUB_HOSTNAME environment variable since IoT Central doesn't expose the IoT Hub. Has anyone gotten this to work?

The variables used are misleading. You don't see the IoTHUB connection string. Below, just replace the device shared key and it should work:
export IOTHUB_DEVICE_CONNECTION_STRING="HostName=edgegateway;DeviceId=thermostat1;SharedAccessKey={your device shared key}"

Related

How to authenticate a device (R-Pi say to be connected to Azure IoT Hub) using X.509 certificate

So, in the first place I have connected a DHT11 (temperature sensor) to my RPi (Raspberry Pi) then, in my azure portal I have created an IOT Hub and registered a Virtual device identity in the hub, while creating this (for the first time) I have selected the symmetric keys option as mentioned in the Azure IoT Hub tutorial documentation and then i have written a python script to be executed on my RPI which captures the temp reading and sends it to my iot hub.
Now to understand the security aspects of iot hub, i am trying to exactly replicate the above functionality (sending temp reading to iot hub) but this time using X.509 authentication method.
as of now i have followed this link and generated a certificate and uploaded it to the azure iot hub and verified it as well
OPENSSL - How to generate a proof of possesion for a X509 certificate?
now when i am trying to send the sensor data (DHT11) to the iot device registered in my iot hub it shows device not authorized
i don't understand how to authorize/authenticate a device with the certificate.
i feel i should copy over the certificate onto my raspberry pi and somehow make changes in the code that i am using to send temp data to the iot hub to intimate the iot hub that this device has already got a certificate (valid one)
i don't know how to do this...can somebody please help me out....i want to do this using python
There is a Python X.509 authentication sample here https://github.com/Azure/azure-iot-sdk-python-preview/blob/master/azure-iot-device/samples/advanced-hub-scenarios/send_message_x509.py
This is using the replacement Python SDK which is still in preview but it should still work.
You will need to create a certificate and private key and sign it with the certificate that you have verified on your IoT hub. This process is explained here: https://github.com/Azure/azure-iot-sdk-c/blob/master/tools/CACertificates/CACertificateOverview.md.

How to send events to a device in Azure IoT Hub using shared key for authentication

Is there a way to send data to a device in Azure IoT Hub using a shared key without first generating a SAS token? The reason I am trying to do this is because I want to send events via a web hook without writing code for it. The device is connected to our system and we're trying to use our web hooks functionality which can relay an event to a HTTP endpoint with preconfigured headers and format but it can't execute the code to get a temporary SAS token.
Alternatively can I make a SAS token that never expires?
Ended up using Azure IoT Central + the Azure IoT Central Bridge. The IoT Bridge is an Azure function where you put some JS code to convert your message to a format that IoT Central understands and then it deals with the tokens and eventual device registration. This is not an exact answer to the question since IoT Central is not exactly IoT Hub (it is a portal over it) but it turns out it works well enough for our case. Also I think the codebase of the IoT Bridge can be used with the IoT Hub if one wants to dig enough through it. Maybe this solution can serve someone else.

Idiomatic way to encrypt data from an Azure IoT Edge Module?

I have a pair of IoT Edge modules, one which saves data and one which uploads data. I would like to encrypt the data while it is at rest on the device.
There are many ways I could go about encrypting this data, but I would like to know what the most idiomatic way to do this within an Azure IoT Edge module is.
I know that the secure daemon uses the TPM for a few things, and all of our devices have TPM 2.0 chips, we're using the TPM endorsement keys with the DPS.
I'm wondering if there's a way for the secure daemon to encrypt generic blobs of data for us using the TPM, or if we are expected to try to communicate with the TPM from inside the container somehow to do this?
More Info:
This is the secure daemon: https://github.com/Azure/iotedge/tree/master/edgelet it is an iot edge specific component which acts as a bootstrapper to fire up the iot edge agent module which then fires up the other modules. the daemon runs under systemd and all other modules are docker containers as described here https://learn.microsoft.com/en-us/azure/iot-edge/about-iot-edge
The runtime is described as "Maintains Azure IoT Edge security standards on the device." so I was wondering if there was some kind of easy way to just give it some data to encrypt, and have that encrypted.
Since the secure daemon is already interfacing with the TPM for device registration etc. I was wondering if there was some way to ask the secure daemon to encrypt data, or if there was some other idiomatic solution specific to the iot edge runtime.
My Question has been answered here https://github.com/Azure/iotedge/issues/60
The idiomatic way to encrypt/decrypt data in an iot edge module at the moment seems to be to communicate with the daemon via a unix socket (see env var IOTEDGE_WORKLOADURI)

Azure IoT Hub : X509 certificate location

I am doing a hands on IoT Hub, so everything is only my local desktop. In production, I was curious to know where each of the certificates would be placed i.e on Device or IoT Hub or somewhere else :
Root Certificate - Uploaded on Azure Portal
Verified Certificate - Uploaded on Azure Portal
PFX File - On Device
Intermediate Certificates (Chain of Trust) - ???
Root Certificate PEM File - ???
Sorry for this insane question. But I want to know the same. Thanks in advance.
On the device the certificate can be anywhere that makes sense, but the certificate store is probably the best option. You don't need to store the root certificate anywhere though. The IoT Hub service only checks that the thumbprint is valid, but doesn't do any chain validation. The place to do that is in whatever process you're using to register the devices.
That's all different if you're using IoT Hub Provisioning Service though, as that will do chain validation, and the device cert must reside on a TPM.

Azure IoT Hub with x509 certificate and TPM

Following situation:
our gateways have a TPM and we are going to provision it with per device certificates (issued by our PKI). How could the IoT Hub authentication work?
As far as I know one needs to register the thumbprints of the primary and secondary certificates with the IoT Hub, which is ok.
Later on we would like to use the primary certificate to authenticate a device with the IoT Hub. According to the source code of this project one is supposed to provide certificate's private key
var authWithPrimaryPfx = new DeviceAuthenticationWithX509Certificate(device.Id, primaryCertSecret);
This is something I would like to avoid. I do not want the private key to be in memory (RAM). Is it possible to hash/encrypt and use the result for authentication? How would it work?
We are going to use Windows 10 IoT Enterprise or Linux (NOT Windows 10 IoT Core)
EDIT: Here https://github.com/ms-iot/security/blob/master/Limpet/Limpet.NET/Limpet.cs is the method (SignHmac) used to create a signature for a SAS Token based on the device's primary key directly in the TPM (2.0). I need something similar with a certificate.
#Helikaon,
You can use the new Azure IoT Hub Device Provisioning Service which is now in public preview to register devices using TPM with IoT Hub. You can find more info here:
https://learn.microsoft.com/en-us/azure/iot-dps/about-iot-dps
Rajeev

Resources