In the wonderful world of IoT devices, embedding security at manufacturing time is always a good idea. Typically it can be performed using a "Secure Element" (SE) chip which contains per-device credentials and mechanisms to secure them. Those secure elements are programmed directly at the chip vendor’s factory, using a state-of-the-art security process.
If you wish to learn more about securing device communications, you can read our previous blog post on how to ensure device security. You may also want to go a bit further and read more about what certificates are and how they are used here.
Here is what your typical supply chain looks like:
Even though the supply chain above seems perfect, the device identification is delegated to a third party, with no relation to Scaleway. Therefore, you will not be able to add those devices to your IoT Hub.
How do we link each physical device to an IoT Hub Device? Well, this is called device provisioning and Scaleway offers two options for that: Auto Provisioning and Batch Provisioning.
With auto-provisioning, we take advantage of the certificate signing mechanism. Each certificate contains a cryptographic signature which guarantees that this certificate has been "approved" by a certificate authority. If you trust the certificate authority, you can therefore trust all certificates signed by this certificate authority.
Here is how you can do it with your secure elements’ manufacturer:
- You generate a “root” certificate authority.
- Your manufacturer generates an “intermediate” certificate authority, and you sign it with your “root” certificate authority.
- The manufacturer uses this “intermediate” certificate authority to sign the certificate it generates for each secure device.
Once this is set up, each device will have a certificate trusted by your certificate authority (via the intermediate certificate authority).
Finally, you provide the public part of the “root” certificate authority to your IoT Hub and the Hub will automagically trust your devices and add them to its device list at the first connection. You're all set!
Now you may also want to delegate the “root” certificate authority to a third party, typically the secure elements' manufacturer: a root certificate authority is not simple to operate and to keep secure.
When providing the “root” certificate authority to your IoT Hub, your cloud provider will require you to prove that you own the secret key associated with it, so that no customer can impersonate another. In order to do so, your cloud provider will ask you to issue and sign a “verification” certificate containing specific information it will provide.
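The auto-provisioning chain described above (your root, the manufacturer's intermediate, one certificate per device) together with the two Hub-side checks, as an added Go example that is not part of the original post and not Scaleway's code. It uses only the standard library; the certificate names, the challenge value, and the assumption that the “verification” certificate carries the Hub-provided information in its Common Name are ours, since the post does not specify that format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert: fresh Ed25519 key plus a certificate for it signed by parentKey (nil parent = self-signed root).
func newCert(cn string, usage x509.KeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // random serial, as a real CA would use
	tmpl := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: usage,
		IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true} // CertSign usage marks a CA
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err) // e.g. asked a non-CA to sign; fatal in this demo
	}
	cert, _ := x509.ParseCertificate(der) // DER was just produced by Go, so it parses
	return cert, key
}

// VerifyDevice is the Hub-side check at first connection: device -> manufacturer intermediate -> your root.
func VerifyDevice(dev, inter, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := dev.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

// Demo plays every party: you sign the manufacturer's intermediate, it signs a device, you sign the Hub's verification certificate, and another customer tries the same challenge.
func Demo(challenge string) (deviceTrusted, ownershipProven, rogueRejected bool) {
	root, rootKey := newCert("Customer Root CA", x509.KeyUsageCertSign, nil, nil)
	inter, interKey := newCert("Manufacturer Intermediate CA", x509.KeyUsageCertSign, root, rootKey)
	dev, _ := newCert("secure-element-0001", x509.KeyUsageDigitalSignature, inter, interKey)
	vc, _ := newCert(challenge, x509.KeyUsageDigitalSignature, root, rootKey) // proof of possession of the root key
	rogue, rogueKey := newCert("Other Customer CA", x509.KeyUsageCertSign, nil, nil)
	fake, _ := newCert(challenge, x509.KeyUsageDigitalSignature, rogue, rogueKey) // same challenge, wrong key
	ownershipProven = vc.Subject.CommonName == challenge && vc.CheckSignatureFrom(root) == nil
	rogueRejected = fake.CheckSignatureFrom(root) != nil
	return VerifyDevice(dev, inter, root) == nil, ownershipProven, rogueRejected
}
```

Only the root's public certificate ever leaves your side; the device certificate is accepted purely because its chain ends at that root, and the verification certificate passes only when signed with the matching private key.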
Some secure element manufacturers do not have a process to issue this “verification” certificate for you. In this case you cannot use auto-provisioning.
The good news is that your manufacturer will provide you with a list of the devices it produced for you and, for each device, the public part of its certificate. You can then add the devices to your IoT Hub, supplying each one's certificate from the list, so the IoT Hub can authenticate them.
Whether you own the “root” certificate authority or not, Scaleway has a solution to provision your devices on IoT Hub.
Please refer to the IoT Hub documentation to learn how to set this up on your Hub.
As always, happy scaling with us!