Reputation: 3471
I'm investigating using Azure IoT hub for communication between software clients and a backend. The software clients should act as devices in IoT hub parlance.
Is it possible to provision the software clients as devices with IoT Hub device provisioning service without each client having been given a unique identifier in a TPM module or a unique X.509 certificate?
I don't have a need for authenticating the clients before provisioning, I just want each client to be able to communicate securely with the IoT hub. After provisioning, the client must be uniquely identifiable. At that time, other clients should not be able to impersonate it.
At the moment, I believe that the client software needs to have an intermediate certificate embedded, which it can use to sign a certificate that it creates when it attempts to provision itself.
Are there other ways to let an IoT hub client-device provision itself without having been preprogrammed with a SAS, token, or other unique identifier?
Upvotes: 0
Views: 986
Reputation: 96
Use of an HSM is not required to use the Device Provisioning Service (source: I'm the PM for the service). If your clients already all have an intermediate certificate they can use to generate a leaf cert, and if all the intermediate certs for all your devices have a common signer, then you can create an enrollment group in the provisioning service using that common signing cert and allow all your devices to provision via that enrollment group.
The provisioning service doesn't care which entity is the ultimate root of trust for the certificates your device clients present, but you will have to go through a proof of possession step to show you have access to the private portion of the signing cert when using an enrollment group. By proving ownership of a signing cert in the chain (doesn't have to be the root, just one of the intermediates), you're proving that you have permission to generate leaf certificates for the devices that will be registering as a part of that enrollment group.
Upvotes: 2
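The enrollment-group arrangement described in the answer above, as an added worked example that is not part of the original question or answers: a root signs an intermediate (the signer that would be embedded in every client and uploaded to the group), each client mints its own leaf whose CN is its registration ID, and a separate leaf whose CN is the verification code serves as the proof-of-possession certificate. All names, file paths and the verification code are constructed for the demo; only OpenSSL is required.

```shell
#!/bin/sh
# Added example, not code from the original post or from Microsoft.
# Builds acme-root -> acme-intermediate -> per-client leaf, then checks:
#   * a leaf chains to the group's signing cert even though that signer is
#     an intermediate rather than the root (openssl verify -partial_chain);
#   * a leaf issued by an unrelated CA does not chain to it.
# Also mints the proof-of-possession cert (CN = verification code).
# All names and the verification code below are constructed assumptions.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Extension profiles written to files so the script stays POSIX sh.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > leaf.ext

# issue_cert NAME SUBJECT_CN SIGNER EXTFILE: fresh key + CSR, signed by SIGNER's key.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -days 30 -extfile "$4" -out "$1.pem" 2>/dev/null
}

# Self-signed root: the "ultimate root of trust" the service does not care about.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=acme-root" \
  -addext "basicConstraints=critical,CA:TRUE" \
  -addext "keyUsage=critical,keyCertSign,cRLSign" \
  -keyout root.key -out root.pem 2>/dev/null

# Intermediate embedded in the client software and uploaded to the enrollment
# group; the client uses its private key to sign the leaf it creates for itself.
issue_cert intermediate acme-intermediate root ca.ext

# Leaf for one client. The CN must equal the DPS registration ID (assumed name).
issue_cert device-001 device-001 intermediate leaf.ext

# Proof of possession: DPS displays a verification code; the owner signs a cert
# with that code as CN using the intermediate's key and uploads it.
VERIFICATION_CODE="0000VERIFICATIONCODEPLACEHOLDER"   # constructed placeholder
issue_cert pop "$VERIFICATION_CODE" intermediate leaf.ext

# An unrelated CA and a leaf from it, reusing the same registration ID, to show
# that a matching CN alone is not enough: the chain has to reach the signer.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=other-root" \
  -addext "basicConstraints=critical,CA:TRUE" \
  -keyout other.key -out other.pem 2>/dev/null
issue_cert rogue device-001 other leaf.ext

# chains_to_signer LEAF SIGNER: succeeds iff LEAF chains to SIGNER, treating
# SIGNER as the trust anchor even when it is not self-signed.
chains_to_signer() {
  openssl verify -partial_chain -trusted "$2.pem" "$1.pem" >/dev/null 2>&1
}

# leaf_cn NAME: print the subject CN of NAME.pem.
leaf_cn() {
  openssl x509 -in "$1.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=CN=//'
}

chains_to_signer device-001 intermediate && echo "device-001 chains to acme-intermediate"
chains_to_signer rogue intermediate || echo "rogue leaf (other signer) rejected, as expected"
echo "proof-of-possession CN: $(leaf_cn pop)"
```

The `-partial_chain` verification mirrors what the enrollment group does with the uploaded signer: the root never needs to be shared with the service, and a client that presents a leaf with the right registration ID but the wrong issuer is turned away. Keep the intermediate's private key out of anything an attacker could extract, since whoever holds it can mint a leaf for any registration ID in the group.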
Reputation: 9710
I am afraid the answer is NO.
To connect to Azure IoT Hub, the device (software client) needs to select either security keys (related to tokens) or X.509 (certificate) as the authentication method.
As for the Device Provisioning Service, you need to select X.509 or a TPM-based identity to provision the device.
Device Provisioning Service is a helper service for IoT Hub that enables zero-touch, just-in-time provisioning to the right IoT hub without requiring human intervention, allowing customers to provision millions of devices in a secure and scalable manner.
Both X.509 certificates and SAS tokens can be stored in a hardware security module, so you don't have to be preprogrammed with a SAS token or other unique identifier in your device client.
For a software client, maybe you can use a software-based TPM. But I am not sure whether your platform supports a software-based TPM. There is a software TPM supported on Windows 10 IoT Core.
Upvotes: 0