So, in the first place I have connected a DHT11 (temperature sensor) to my RPi (Raspberry Pi) then, in my azure portal I have created an IOT Hub and registered a Virtual device identity in the hub, while creating this (for the first time) I have selected the symmetric keys option as mentioned in the Azure IoT Hub tutorial documentation and then i have written a python script to be executed on my RPI which captures the temp reading and sends it to my iot hub.
Now to understand the security aspects of iot hub, i am trying to exactly replicate the above functionality (sending temp reading to iot hub) but this time using X.509 authentication method.
as of now i have followed this link and generated a certificate and uploaded it to the azure iot hub and verified it as well
OPENSSL - How to generate a proof of possesion for a X509 certificate?
now when i am trying to send the sensor data (DHT11) to the iot device registered in my iot hub it shows device not authorized
i don't understand how to authorize/authenticate a device with the certificate.
i feel i should copy over the certificate onto my raspberry pi and somehow make changes in the code that i am using to send temp data to the iot hub to intimate the iot hub that this device has already got a certificate (valid one)
i don't know how to do this...can somebody please help me out....i want to do this using python
There is a Python X.509 authentication sample here https://github.com/Azure/azure-iot-sdk-python-preview/blob/master/azure-iot-device/samples/advanced-hub-scenarios/send_message_x509.py
This is using the replacement Python SDK which is still in preview but it should still work.
You will need to create a certificate and private key and sign it with the certificate that you have verified on your IoT hub. This process is explained here: https://github.com/Azure/azure-iot-sdk-c/blob/master/tools/CACertificates/CACertificateOverview.md.
Related
I am trying to figure out how to use DPS to pass down to a device which edge device to connect to. Is this an option to do with DPS or do we have do to this manually?
The DPS is a helper service for IoT hub that will provide the right IoT hub without requiring human intervention
The IoT Hub Device Provisioning Service (DPS) is a helper service for IoT Hub that enables zero-touch, just-in-time provisioning to the right IoT hub without requiring human intervention.
Below are the scenarios in which DPS is an excellent choice for getting devices connected and configured to IoT Hub.
Zero-touch provisioning to a single IoT solution without hardcoding IoT Hub connection information at the factory (initial setup)
Load-balancing devices across multiple hubs
Connecting devices to their owner's IoT solution based on sales transaction data (multitenancy)
Connecting devices to a particular IoT solution depending on use-case (solution isolation)
Connecting a device to the IoT hub with the lowest latency (geo-sharding)
Reprovisioning based on a change in the device
Rolling the keys used by the device to connect to IoT Hub (when not using X.509 certificates to connect)
Here are a few references which have the complete information on DPS.
https://learn.microsoft.com/en-us/azure/iot-dps/about-iot-dps
https://learn.microsoft.com/en-us/azure/iot-dps/
I am having trouble figuring out how to connect a downstream device to my IoT Central application. There is sample code showing how to do it using symmetric keys, but I am interested in using x509 certificate (https://learn.microsoft.com/en-us/azure/iot-central/core/how-to-connect-iot-edge-transparent-gateway#provision-a-downstream-device). I've tried using the code in the EdgeX509AuthDownstreamDevice sample, but I am not sure what to put for the IOTHUB_HOSTNAME environment variable since IoT Central doesn't expose the IoT Hub. Has anyone gotten this to work?
The variables used are misleading. You don't see the IoTHUB connection string. Below, just replace the device shared key and it should work:
export IOTHUB_DEVICE_CONNECTION_STRING="HostName=edgegateway;DeviceId=thermostat1;SharedAccessKey={your device shared key}"
Is there a way to send data to a device in Azure IoT Hub using a shared key without first generating a SAS token? The reason I am trying to do this is because I want to send events via a web hook without writing code for it. The device is connected to our system and we're trying to use our web hooks functionality which can relay an event to a HTTP endpoint with preconfigured headers and format but it can't execute the code to get a temporary SAS token.
Alternatively can I make a SAS token that never expires?
Ended up using Azure IoT Central + the Azure IoT Central Bridge. The IoT Bridge is an Azure function where you put some JS code to convert your message to a format that IoT Central understands and then it deals with the tokens and eventual device registration. This is not an exact answer to the question since IoT Central is not exactly IoT Hub (it is a portal over it) but it turns out it works well enough for our case. Also I think the codebase of the IoT Bridge can be used with the IoT Hub if one wants to dig enough through it. Maybe this solution can serve someone else.
Following situation:
our gateways have a TPM and we are going to provision it with per device certificates (issued by our PKI). How could the IoT Hub authentication work?
As far as I know one needs to register the thumbprints of the primary and secondary certificates with the IoT Hub, which is ok.
Later on we would like to use the primary certificate to authenticate a device with the IoT Hub. According to the source code of this project one is supposed to provide certificate's private key
var authWithPrimaryPfx = new DeviceAuthenticationWithX509Certificate(device.Id, primaryCertSecret);
This is something I would like to avoid. I do not want the private key to be in memory (RAM). Is it possible to hash/encrypt and use the result for authentication? How would it work?
We are going to use Windows 10 IoT Enterprise or Linux (NOT Windows 10 IoT Core)
EDIT: Here https://github.com/ms-iot/security/blob/master/Limpet/Limpet.NET/Limpet.cs is the method (SignHmac) used to create a signature for a SAS Token based on the device's primary key directly in the TPM (2.0). I need something similar with a certificate.
#Helikaon,
You can use the new Azure IoT Hub Device Provisioning Service which is now in public preview to register devices using TPM with IoT Hub. You can find more info here:
https://learn.microsoft.com/en-us/azure/iot-dps/about-iot-dps
Rajeev
Can the Azure IoT hub identify the spoofing of identity during the registration process
Assume a new IoT device is joining the IoT hub which is showing the spoofed MAC id to the IoT hub.
Will the Azure IoT hub detect that the device uses spoofed identity.
The Azure IoT Hub Identity Registry is what manages devices identities. You can read some literature about it here.
When it comes to authenticating devices, IoT Hub offers several options that are detailed here.
In a nutshell you have 3 ways to provision a device with unique identity and credentials: using a connection string with a unique ID and Key (which allows to compute a SAS Token on the device), using a SAS Token (which you would have to create offline), or using an X-509 certificate.
The only way a device could try and spoof an identity would be if someone was able to retrieve these unique id and credentials from a legit device or some other source, reason why we strongly recommend leveraging secure storage solutions on the device to not allow for the device credentials to be stolen and reused.
If a device tries to connect using valid credentials already used by another device, then the first device will be disconnected, but beyond this, you can (and it is recommended) to implement some security strategy such as rolling secure keys regularly. These strategies depend on your scenario, device type, the way you plan to provision the devices... IoT Hub gives you the tools to implement what fits your needs.