While using Azure IoT Edge as a transparent gateway, can downstream devices authenticate using SAS tokens signed with the Shared Access Policy keys (device, iothubowner, etc.)? We have been able to successfully connect using SAS tokens signed by the device primary keys, but trying to do so with Shared Access Policy keys doesn't seem to work.
Note: The devices are using MQTT
I don't think that script (which is an Event Hub script) creates the right SAS tokens for IoT Hub. The easiest way is to do it from the Azure Cloud CLI (in the Azure portal, click on the ">_" button up in the top nav bar), then you can run this command:
az iot hub generate-sas-token -n [your iothub name] --policy device --key-type primary --duration [duration in seconds you want the token to be valid]
Try using that SAS token. I tested this tonight with the Python paho.mqtt client and it worked fine. It connected to IoT Edge and successfully sent messages to both a module and IoT Hub.
Yes, this should work if the device is not a child device of the Edge Device in IoTHub. Look at these links to find out more about how to add devices as a child device of an Edge Device https://aka.ms/exofdocs and https://aka.ms/iot-edge-offline.
This is because, if the leaf device is a child device, EdgeHub will try to authenticate it locally, and for that it only uses the device’s key.
If the leaf device is not a child device of the Edge Device, then you should be able to connect to the EdgeHub using the device/iothub scoped key, since then the EdgeHub will authenticate the device with IoTHub. Note that the connection string should be of the format:
HostName=[iothub-name].azure-devices.net;DeviceId=[device-id];SharedAccessKeyName=[policy-name];SharedAccessKey=[key];GatewayHostName=[edge-gateway-hostname]
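The two answers above describe the pieces separately: a SAS token is signed either with the device key (no skn) or with a shared access policy key (skn=policy-name), and in the gateway connection string the token is scoped to HostName while the socket goes to GatewayHostName. The following Python is an added example, not code from either answer or from the Azure SDKs. It assumes the documented IoT Hub SAS layout (sr, sig, se, optional skn; HMAC-SHA256 over the URL-encoded resource URI, a newline and the expiry, keyed with the base64-decoded key) and the MQTT username form {hub}/{deviceId}/?api-version=... from the IoT Hub MQTT docs; the hub name, device ID, key and gateway host are constructed placeholders.

```python
"""Azure IoT Hub SAS tokens for a leaf device behind an IoT Edge transparent gateway.
Added example, not code from the answers or the Azure SDKs."""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote_plus, urlencode

# Constructed sample in the connection-string format given in the answer above.
# Hub name, device ID, key and gateway host are placeholders, not real values.
SAMPLE_KEY_B64 = base64.b64encode(b"0" * 32).decode()
OTHER_KEY_B64 = base64.b64encode(b"1" * 32).decode()
SAMPLE_CONN_STR = (
    "HostName=contoso-hub.azure-devices.net;DeviceId=leaf-01;"
    "SharedAccessKeyName=device;SharedAccessKey=" + SAMPLE_KEY_B64 +
    ";GatewayHostName=edge-gw.contoso.local"
)
# api-version for the MQTT username as in the IoT Hub MQTT docs (assumed; check current docs).
MQTT_API_VERSION = "2021-04-12"


def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value'. The base64 key may contain '=', so split each field once."""
    fields = {}
    for part in cs.split(";"):
        if part:
            k, _, v = part.partition("=")
            fields[k] = v
    return fields


def _signature(resource_uri, expiry, key_b64):
    # IoT Hub signs the URL-encoded resource URI and the expiry, joined by a newline.
    to_sign = f"{quote_plus(resource_uri)}\n{expiry}".encode("utf-8")
    digest = hmac.new(base64.b64decode(key_b64), to_sign, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def generate_sas_token(resource_uri, key_b64, policy_name=None, expiry=None, ttl=3600):
    """Device key: omit policy_name. Shared access policy key: pass its name, which adds skn=..."""
    if expiry is None:
        expiry = int(time.time()) + ttl
    fields = {"sr": resource_uri, "sig": _signature(resource_uri, expiry, key_b64), "se": str(expiry)}
    if policy_name:
        fields["skn"] = policy_name
    return "SharedAccessSignature " + urlencode(fields)


def verify_sas_token(token, key_b64, now=None):
    """What a verifier (hub or EdgeHub) does: check expiry, recompute sig in constant time.
    Returns (ok, detail): detail is the skn on success, the reason on failure."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False, "bad prefix"
    fields = {k: v[0] for k, v in parse_qs(token[len(prefix):]).items()}
    if "sr" not in fields or "sig" not in fields:
        return False, "missing fields"
    try:
        expiry = int(fields["se"])
    except (KeyError, ValueError):
        return False, "bad se"
    if expiry <= (int(time.time()) if now is None else now):
        return False, "expired"
    if not hmac.compare_digest(_signature(fields["sr"], expiry, key_b64), fields["sig"]):
        return False, "signature mismatch"
    return True, fields.get("skn", "")


def mqtt_credentials(conn_str, expiry=None):
    """(host, username, password) for paho-mqtt. The token is always scoped to the hub
    resource (HostName/devices/DeviceId); the TCP connection goes to GatewayHostName if set."""
    cs = parse_connection_string(conn_str)
    hub, device_id = cs["HostName"], cs["DeviceId"]
    token = generate_sas_token(f"{hub}/devices/{device_id}", cs["SharedAccessKey"],
                               cs.get("SharedAccessKeyName"), expiry)
    return cs.get("GatewayHostName", hub), f"{hub}/{device_id}/?api-version={MQTT_API_VERSION}", token
```

With paho-mqtt, connect to the returned host on 8883 over TLS with the gateway's CA in the trust store, use the device ID as client ID and pass the username and token to username_pw_set. If the leaf device is registered as a child of the Edge device, EdgeHub validates the token locally with the device key, as the answer above says, so a token carrying skn for a policy key will be rejected there; the policy-key form only works when EdgeHub forwards authentication to the hub.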
So, in the first place I have connected a DHT11 (temperature sensor) to my RPi (Raspberry Pi). Then, in my Azure portal, I have created an IoT Hub and registered a virtual device identity in the hub; while creating this (for the first time) I have selected the symmetric keys option as mentioned in the Azure IoT Hub tutorial documentation, and then I have written a Python script to be executed on my RPi which captures the temp reading and sends it to my IoT Hub.
Now, to understand the security aspects of IoT Hub, I am trying to exactly replicate the above functionality (sending the temp reading to IoT Hub) but this time using the X.509 authentication method.
As of now I have followed this link and generated a certificate, uploaded it to the Azure IoT Hub and verified it as well:
OPENSSL - How to generate a proof of possession for a X509 certificate?
Now when I am trying to send the sensor data (DHT11) to the IoT device registered in my IoT Hub it shows "device not authorized".
I don't understand how to authorize/authenticate a device with the certificate.
I feel I should copy over the certificate onto my Raspberry Pi and somehow make changes in the code that I am using to send temp data to the IoT Hub, to intimate the IoT Hub that this device has already got a (valid) certificate.
I don't know how to do this... can somebody please help me out? I want to do this using Python.
There is a Python X.509 authentication sample here https://github.com/Azure/azure-iot-sdk-python-preview/blob/master/azure-iot-device/samples/advanced-hub-scenarios/send_message_x509.py
This is using the replacement Python SDK which is still in preview but it should still work.
You will need to create a certificate and private key and sign it with the certificate that you have verified on your IoT hub. This process is explained here: https://github.com/Azure/azure-iot-sdk-c/blob/master/tools/CACertificates/CACertificateOverview.md.
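The answer's last step, creating a device key and certificate signed by the CA you verified on the hub, as an added example in Python (not code from the answer or from the Azure SDKs; it uses the cryptography package). It builds a throwaway CA in memory to stand in for your verified CA, issues a leaf certificate whose CN is the IoT Hub device ID, checks the chain and CN the way you would before trying the hub, and produces the PEM files the Pi needs. The device ID, CA name and validity periods are constructed assumptions.

```python
"""Issue a CA-signed X.509 client certificate for one IoT Hub device and check it.
Added example, not code from the answer or the Azure SDKs; needs the `cryptography` package."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _validity(days):
    now = datetime.datetime.now(datetime.timezone.utc)
    return now - datetime.timedelta(minutes=5), now + datetime.timedelta(days=days)


def make_ca(common_name="Constructed Test Root CA"):
    """Throwaway self-signed CA standing in for the CA you uploaded and verified on the hub.
    In a real deployment its private key stays off the device (offline or in an HSM)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    not_before, not_after = _validity(3650)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_device_cert(ca_key, ca_cert, device_id, days=365):
    """Leaf cert for one device. IoT Hub matches the subject CN against the device ID in the
    identity registry, so CN must be exactly device_id. In practice generate the key on the Pi
    and send only a CSR to the CA; here both sides run in one process for the example."""
    key = ec.generate_private_key(ec.SECP256R1())
    not_before, not_after = _validity(days)
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, device_id)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def check_device_cert(device_cert, ca_cert, device_id):
    """Pre-flight check before touching the hub: issuer and signature chain to the CA,
    and the CN is exactly the device ID."""
    if device_cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(
            device_cert.signature,
            device_cert.tbs_certificate_bytes,
            ec.ECDSA(device_cert.signature_hash_algorithm),
        )
    except InvalidSignature:
        return False
    cn = device_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    return len(cn) == 1 and cn[0].value == device_id


def thumbprint(cert):
    """SHA-1 thumbprint as the identity registry takes it for thumbprint authentication
    (only needed if you register the leaf cert itself instead of trusting the CA)."""
    return cert.fingerprint(hashes.SHA1()).hex().upper()


def to_pem(key, cert):
    """PEM bytes to write as the device key and certificate files on the Raspberry Pi."""
    key_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    return key_pem, cert.public_bytes(serialization.Encoding.PEM)
```

On the Pi, the azure-iot-device package's X509(cert_file, key_file) object is passed to IoTHubDeviceClient.create_from_x509_certificate(x509=..., hostname=..., device_id=...), where hostname is the hub's and device_id must equal the CN. If you sign device certificates with an intermediate rather than the verified root, the certificate file presented by the device has to include the intermediate certificates so the hub can build the chain to the CA it trusts.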
Is there a way to send data to a device in Azure IoT Hub using a shared key without first generating a SAS token? The reason I am trying to do this is because I want to send events via a web hook without writing code for it. The device is connected to our system and we're trying to use our web hooks functionality which can relay an event to a HTTP endpoint with preconfigured headers and format but it can't execute the code to get a temporary SAS token.
Alternatively can I make a SAS token that never expires?
Ended up using Azure IoT Central + the Azure IoT Central Bridge. The IoT Bridge is an Azure function where you put some JS code to convert your message to a format that IoT Central understands and then it deals with the tokens and eventual device registration. This is not an exact answer to the question since IoT Central is not exactly IoT Hub (it is a portal over it) but it turns out it works well enough for our case. Also I think the codebase of the IoT Bridge can be used with the IoT Hub if one wants to dig enough through it. Maybe this solution can serve someone else.
I am currently looking for a way to revoke the device session of a device that is connected to the Azure IoT Hub.
For example, when a device connects using a certificate and the certificate expires, the device can still send and receive data while it has a valid token.
Our case is if a device overloads our IoT Hub for whatever reason, we would like to be able to revoke the connection immediately.
We want to be able to revoke such token in order to immediately disconnect a certain device.
Is it even possible to do so? If not, are there workarounds for that?
You can disable a device to connect to the IoT Hub. I just tried this with a simulated device (using the .NET SDK) that was actively sending data. After I turned the switch to Disabled, the connection broke off after a few seconds. This was using the device key, not certificates but I would assume this might work as well.
There is no such REST API in the Azure IoT Hub to disconnect a connected device. However, the following workarounds can help:
Based on the MQTT device protocol, only one device with the same ID can be connected to the Azure IoT Hub, so connecting the same device (simulating the same ID) will automatically disconnect the connected one. This workaround doesn't require any change in the device code. You can test it using tools such as MQTTBox, MQTT.fx, etc.
This workaround is based on invoking a device method to close the connection from the device side. You can create a job for the Azure IoT Hub background process to "invoke device method". Note that this workaround requires building this feature into the device code.
Also, a notification of a twin desired property change received on the device side can be used for your workaround to close or re-establish the connection with the Azure IoT Hub.
Edit:
As #silent answered, when changing the state from Enabled to Disabled, the device is automatically disconnected from the Azure IoT Hub. You can use a REST API to change this status.
I do recommend building a retry policy into the device for reconnecting to the Azure IoT Hub based on the disconnect reason, such as connection lost, user disconnected, etc.
Following situation:
Our gateways have a TPM and we are going to provision them with per-device certificates (issued by our PKI). How could the IoT Hub authentication work?
As far as I know one needs to register the thumbprints of the primary and secondary certificates with the IoT Hub, which is ok.
Later on we would like to use the primary certificate to authenticate a device with the IoT Hub. According to the source code of this project, one is supposed to provide the certificate's private key:
var authWithPrimaryPfx = new DeviceAuthenticationWithX509Certificate(device.Id, primaryCertSecret);
This is something I would like to avoid. I do not want the private key to be in memory (RAM). Is it possible to hash/encrypt and use the result for authentication? How would it work?
We are going to use Windows 10 IoT Enterprise or Linux (NOT Windows 10 IoT Core)
EDIT: Here https://github.com/ms-iot/security/blob/master/Limpet/Limpet.NET/Limpet.cs is the method (SignHmac) used to create a signature for a SAS Token based on the device's primary key directly in the TPM (2.0). I need something similar with a certificate.
#Helikaon,
You can use the new Azure IoT Hub Device Provisioning Service which is now in public preview to register devices using TPM with IoT Hub. You can find more info here:
https://learn.microsoft.com/en-us/azure/iot-dps/about-iot-dps
Rajeev
Can the Azure IoT Hub identify the spoofing of identity during the registration process?
Assume a new IoT device is joining the IoT Hub which is showing a spoofed MAC ID to the IoT Hub.
Will the Azure IoT Hub detect that the device uses a spoofed identity?
The Azure IoT Hub Identity Registry is what manages device identities. You can read some literature about it here.
When it comes to authenticating devices, IoT Hub offers several options that are detailed here.
In a nutshell, you have 3 ways to provision a device with a unique identity and credentials: using a connection string with a unique ID and key (which allows computing a SAS token on the device), using a SAS token (which you would have to create offline), or using an X.509 certificate.
The only way a device could try and spoof an identity would be if someone was able to retrieve this unique ID and credentials from a legit device or some other source, which is why we strongly recommend leveraging secure storage solutions on the device so that the device credentials cannot be stolen and reused.
If a device tries to connect using valid credentials already used by another device, then the first device will be disconnected, but beyond this, you can (and it is recommended to) implement some security strategy such as rolling secure keys regularly. These strategies depend on your scenario, device type, the way you plan to provision the devices... IoT Hub gives you the tools to implement what fits your needs.