Authentication of Edge-Device in AWS IoT

Security is the major concern for any IoT system, even one that carries only inconsequential data: the same kind of platform that controls something as insignificant as a thermostat can be built to control something as significant as an autopiloting car. AWS did not treat IoT security as an afterthought but designed the AWS IoT platform security-first. AWS IoT uses MQTT to receive messages from edge devices. Since MQTT itself offers only minimal, password-based security, AWS IoT uses mutual-authentication TLS: the device authenticates the AWS IoT server, and the AWS IoT server authenticates the device.

[Figure: authentication of edge device in AWS IoT]

Certificates used for mutual authentication:

  1. Server Certificate (AWS IoT server)
  2. Device Certificate (IoT device)
  3. Root CA Certificate (VeriSign)

Keys used with mutual authentication:

  1. Public Key (AWS IoT server)
  2. Private Key (AWS IoT server)
  3. Public Key (IoT Device)
  4. Private Key (IoT Device)

Server Certificate: A digital certificate issued to AWS IoT by the VeriSign CA, used to authenticate the AWS IoT server.

Device Certificate: Can be either generated by AWS IoT or signed by a trusted CA. This certificate is copied onto the IoT device and used for device authentication.

Root CA Certificate: A root certificate is a self-signed certificate created by the certification authority. All certificates below the root certificate inherit its trustworthiness. In mutual-authentication TLS, both the device and the AWS IoT server possess an X.509 certificate and a private key.

Working of Mutual TLS:

  1.  The edge device sends a ClientHello message to the AWS IoT server.
  2.  The server responds with a ServerHello message to the edge device.
  3.  The AWS IoT server sends a Certificate message containing the server's certificate.
  4.  The server requests the client's certificate in a CertificateRequest message so that the connection can be mutually authenticated.
  5.  The server concludes its part of the negotiation with a ServerHelloDone message.
  6.  The edge device verifies that the server certificate is signed by a trusted certification authority. The edge device holds a list of root certificates of trusted certification authorities; in our case, the VeriSign root certificate.
  7.  After verifying the server certificate, the edge device responds with a Certificate message containing the edge device's certificate.
  8.  The edge device sends session key information (encrypted with the AWS IoT server's public key) in a ClientKeyExchange message.
  9.  The edge device sends a CertificateVerify message to prove to the AWS IoT server that it owns the certificate it sent.
  10.  The edge device sends a ChangeCipherSpec message to activate the negotiated options for all future messages it sends.
  11.  The edge device sends a Finished message so the server can check the newly activated options.
  12.  The server sends a ChangeCipherSpec message to activate the negotiated options for all future messages it sends.
  13.  The server sends a Finished message so the edge device can check the newly activated options.

The procedure for authentication of an edge device by AWS IoT:

The edge device certificate and its public and private keys are generated when a 'Thing' is created in AWS IoT. The device certificate and both keys are copied into the device memory along with the VeriSign root certificate.

When the device wants to connect and send a message to AWS IoT, it follows the mutual TLS process above to authenticate both the edge device and the AWS IoT server.

Once mutual TLS authentication is done, the data points exchanged between the edge device and the AWS IoT server (the status of a device, the temperature of a room) are encrypted using the session key created by the edge device during the mutual TLS process, thereby securing all communications between the edge device and the AWS IoT server.
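The handshake steps and the Thing-provisioning procedure above, reduced to a runnable loopback demonstration in Go. This is an added example, not AWS's or the post's own code: a self-signed root stands in for the VeriSign root CA and issues one certificate for the server (standing in for AWS IoT) and one for the device, the server requires and verifies the device certificate, and the device verifies the server against the same root. The names demo-root-ca, thing-0001 and localhost, the one-hour lifetimes and the loopback port are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue returns a certificate for cn signed by parent/pkey; a nil parent yields a self-signed root (demo values throughout).
func issue(cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { parent, pkey = tmpl, key } // the root signs itself, exactly as a root CA certificate does
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// MutualHandshake runs one TLS 1.2 handshake over loopback: the server demands a device certificate chained to the
// root and the device verifies the server's chain against that same root. With presentDeviceCert false the device
// answers the CertificateRequest with an empty Certificate message, which the server must refuse.
func MutualHandshake(presentDeviceCert bool) error {
	root, rootKey := issue("demo-root-ca", nil, nil)
	srvCert, srvKey := issue("localhost", root, rootKey)
	devCert, devKey := issue("thing-0001", root, rootKey)
	pool := x509.NewCertPool() // the single trusted root, installed on both sides
	pool.AddCert(root)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool} // send CertificateRequest, verify the reply
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil { return err }
	defer ln.Close()
	go func() { // server side: accept one connection and drive the handshake to acceptance or rejection
		if c, err := ln.Accept(); err == nil { c.(*tls.Conn).Handshake(); c.Close() }
	}()
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "localhost", MaxVersion: tls.VersionTLS12}
	if presentDeviceCert { // the device certificate and private key copied onto the Thing
		cliCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{devCert.Raw}, PrivateKey: devKey}}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg) // returns only once the handshake has completed
	if err != nil { return err }
	return conn.Close()
}
```

In TLS 1.2 the server checks the device certificate before sending its own Finished, so a successful Dial means the device was accepted, and a device that omits its certificate sees the server's alert as a handshake error.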

Reference: https://aws.amazon.com/iot/how-it-works/

About Mehter Muzzamil

Mehter Muzzamil is a software developer at Vmoksha Technologies who is having knowledge in the android domain and Internet of Things. He is passionate about exploring emerging technologies like Internet of Things and loves the varieties of challenges that these technologies bring. Apart from this, he likes to spend his time in reading books, watching movies, and playing games.
