Following situation:
our gateways have a TPM and we are going to provision it with per device certificates (issued by our PKI). How could the IoT Hub authentication work?
As far as I know one needs to register the thumbprints of the primary and secondary certificates with the IoT Hub, which is ok.
Later on we would like to use the primary certificate to authenticate a device with the IoT Hub. According to the source code of this project one is supposed to provide certificate's private key
var authWithPrimaryPfx = new DeviceAuthenticationWithX509Certificate(device.Id, primaryCertSecret);
This is something I would like to avoid. I do not want the private key to be in memory (RAM). Is it possible to hash/encrypt and use the result for authentication? How would it work?
We are going to use Windows 10 IoT Enterprise or Linux (NOT Windows 10 IoT Core)
EDIT: Here https://github.com/ms-iot/security/blob/master/Limpet/Limpet.NET/Limpet.cs is the method (SignHmac) used to create a signature for a SAS Token based on the device's primary key directly in the TPM (2.0). I need something similar with a certificate.
#Helikaon,
You can use the new Azure IoT Hub Device Provisioning Service which is now in public preview to register devices using TPM with IoT Hub. You can find more info here:
https://learn.microsoft.com/en-us/azure/iot-dps/about-iot-dps
Rajeev
Related
I am having trouble figuring out how to connect a downstream device to my IoT Central application. There is sample code showing how to do it using symmetric keys, but I am interested in using x509 certificate (https://learn.microsoft.com/en-us/azure/iot-central/core/how-to-connect-iot-edge-transparent-gateway#provision-a-downstream-device). I've tried using the code in the EdgeX509AuthDownstreamDevice sample, but I am not sure what to put for the IOTHUB_HOSTNAME environment variable since IoT Central doesn't expose the IoT Hub. Has anyone gotten this to work?
The variables used are misleading. You don't see the IoTHUB connection string. Below, just replace the device shared key and it should work:
export IOTHUB_DEVICE_CONNECTION_STRING="HostName=edgegateway;DeviceId=thermostat1;SharedAccessKey={your device shared key}"
So, in the first place I have connected a DHT11 (temperature sensor) to my RPi (Raspberry Pi) then, in my azure portal I have created an IOT Hub and registered a Virtual device identity in the hub, while creating this (for the first time) I have selected the symmetric keys option as mentioned in the Azure IoT Hub tutorial documentation and then i have written a python script to be executed on my RPI which captures the temp reading and sends it to my iot hub.
Now to understand the security aspects of iot hub, i am trying to exactly replicate the above functionality (sending temp reading to iot hub) but this time using X.509 authentication method.
as of now i have followed this link and generated a certificate and uploaded it to the azure iot hub and verified it as well
OPENSSL - How to generate a proof of possesion for a X509 certificate?
now when i am trying to send the sensor data (DHT11) to the iot device registered in my iot hub it shows device not authorized
i don't understand how to authorize/authenticate a device with the certificate.
i feel i should copy over the certificate onto my raspberry pi and somehow make changes in the code that i am using to send temp data to the iot hub to intimate the iot hub that this device has already got a certificate (valid one)
i don't know how to do this...can somebody please help me out....i want to do this using python
There is a Python X.509 authentication sample here https://github.com/Azure/azure-iot-sdk-python-preview/blob/master/azure-iot-device/samples/advanced-hub-scenarios/send_message_x509.py
This is using the replacement Python SDK which is still in preview but it should still work.
You will need to create a certificate and private key and sign it with the certificate that you have verified on your IoT hub. This process is explained here: https://github.com/Azure/azure-iot-sdk-c/blob/master/tools/CACertificates/CACertificateOverview.md.
Is there a way to send data to a device in Azure IoT Hub using a shared key without first generating a SAS token? The reason I am trying to do this is because I want to send events via a web hook without writing code for it. The device is connected to our system and we're trying to use our web hooks functionality which can relay an event to a HTTP endpoint with preconfigured headers and format but it can't execute the code to get a temporary SAS token.
Alternatively can I make a SAS token that never expires?
Ended up using Azure IoT Central + the Azure IoT Central Bridge. The IoT Bridge is an Azure function where you put some JS code to convert your message to a format that IoT Central understands and then it deals with the tokens and eventual device registration. This is not an exact answer to the question since IoT Central is not exactly IoT Hub (it is a portal over it) but it turns out it works well enough for our case. Also I think the codebase of the IoT Bridge can be used with the IoT Hub if one wants to dig enough through it. Maybe this solution can serve someone else.
While using Azure IoT Edge as a transparent gateway, can downstream devices authenticate using SAS tokens using the Shared Access Policy keys? (device, iothubowner etc?). We have being able to successfully connect using SAS tokens signed by the device primary keys, but trying to do so with Shared Access Policy keys doesn't seem to work.
Note: The devices are using MQTT
I don't think that script (which is an eventhub script) creates the right SAS tokens for IoT Hub. The easiest way to do it is to do it from the Azure Cloud CLI (in the azure portal, click on the ">_" button up in the top nav bar.. then you can run this command:
az iot hub generate-sas-token -n [your iothub name] --policy device --key-type primary --duration [duration in seconds you want the token to be valid]
Try using that SAS token. I tested this tonight with the python paho.mqtt client and it worked fine. It connected to IoT Edge and successfully sent messages to both a module and IoT Hub.
Yes, this should work if the device is not a child device of the Edge Device in IoTHub. Look at these links to find out more about how to add devices as a child device of an Edge Device https://aka.ms/exofdocs and https://aka.ms/iot-edge-offline.
This is because, if the leaf device is a child device, EdgeHub will try to authenticate it locally, and for that it only uses the device’s key.
If the leaf device is not a child device of the Edge Device, then you should be able to connect to the EdgeHub using the device/iothub scoped key, since then the EdgeHub will authenticate the device with IoTHub. Note that the connection string should be of the format –
HostName=.azure-devices.net;DeviceId=;SharedAccessKeyName=;SharedAccessKey=;GatewayHostName=
Can the Azure IoT hub identify the spoofing of identity during the registration process
Assume a new IoT device is joining the IoT hub which is showing the spoofed MAC id to the IoT hub.
Will the Azure IoT hub detect that the device uses spoofed identity.
The Azure IoT Hub Identity Registry is what manages devices identities. You can read some literature about it here.
When it comes to authenticating devices, IoT Hub offers several options that are detailed here.
In a nutshell you have 3 ways to provision a device with unique identity and credentials: using a connection string with a unique ID and Key (which allows to compute a SAS Token on the device), using a SAS Token (which you would have to create offline), or using an X-509 certificate.
The only way a device could try and spoof an identity would be if someone was able to retrieve these unique id and credentials from a legit device or some other source, reason why we strongly recommend leveraging secure storage solutions on the device to not allow for the device credentials to be stolen and reused.
If a device tries to connect using valid credentials already used by another device, then the first device will be disconnected, but beyond this, you can (and it is recommended) to implement some security strategy such as rolling secure keys regularly. These strategies depend on your scenario, device type, the way you plan to provision the devices... IoT Hub gives you the tools to implement what fits your needs.