Using emqx cloud to realize one machine one secret verification of IOT devices

Data security is the top priority of Internet of things applications . Manufacturers often use symmetric encryption 、 Asymmetric encryption 、 digital signature 、 Digital certificate and other methods to authenticate the equipment , To prevent the access of illegal devices . In the use of certificates , One type and one density 、 Different schemes such as one machine and one secret , One machine one secret scheme sets a unique device certificate for each device end in advance , Two way verification can be carried out when the device communicates with the server , After the verification is passed , Only when the device end and the server end are in normal data transmission . Compared with other schemes , One machine and one secret can achieve independent verification and authorization for each device , With higher security .

As a safe and reliable full custody MQTT Message cloud service , EMQX Cloud Support multiple authentication methods , Including basic certification （ user name / password , client ID/ password ） And JWT、PSK and X.509 Certification , At the same time, the external database can be configured as the data source to verify the authentication information .

This article will use Redis Store the database as the authentication data source , Explain how to pass the Common Name To verify information , Connect to EMQX Cloud, Realize client-side one machine one secret authentication . If the client certificate does not contain the specified unique Common Name, You cannot pass the certification .

Through this paper , Readers can realize one machine and one secret for their IOT devices 、 The ability of bidirectional identity authentication between the device and the server and establishing a secure channel , Effectively prevent forged device attacks 、 The device key is cracked 、 Forge server instructions 、 Monitor or tamper with key information 、 Attack means such as stealing keys through security vulnerabilities in the equipment production line .

Operation process

One 、 To configure TLS/SSL Two-way authentication

1、 preparation

1. Purchase server certificate , And resolve its domain name to the deployment connection address .

   

2. Generate client root ca Self signed certificate , Use self signed root ca The certificate issuing client certificate needs to ensure Common Name only .

   # CA  Certificate generation  client-ca.crt,subj  Adjust according to actual use .
   openssl req \
       -new \
       -newkey rsa:2048 \
       -days 365 \
       -nodes \
       -x509 \
       -subj "/C=Common Name/O=EMQ Technologies Co., Ltd/Common Name=EMQ CA" \
       -keyout client-ca.key \
       -out client-ca.crt
   
   #  Client secret key generation  client.key
   openssl genrsa -out client.key 2048
   
   #  Generate client certificate request file  client.csr,Common Name  Carry authentication information for the client 
   openssl req -new -key client.key -out client.csr -subj "/Common Name=346a004d-1dab-4016-bb38-03cca7094415"
   
   #  use  CA  The certificate signs the client certificate , Generate  client.crt
   openssl x509 -req -days 365 -sha256 -in client.csr -CA client-ca.crt -CAkey client-ca.key -CAcreateserial -out client.crt
   
   #  View the client certificate information 
   openssl x509 -noout -text -in client.crt
   
   #  Certificate of verification 
   openssl verify -CAfile client-ca.crt client.crt
   

2、 The configuration process

Sign in EMQX Cloud Console . Enter deployment details , Click on +TLS/SSL configure button , Configure certificate content , You can upload files or fill in the certificate directly TLS/SSL Authentication type ：

① One way Authentication ： Only the client verifies the server certificate .

② Two-way authentication ： Client and server mutually verify certificates .

In this sample document, we use Two-way authentication For example , Fill in the following in the deployment console ：

① Public key certificate ： Server certificate

② Certificate chain ： Certificate chain , Usually, when the third-party organization issues the certificate, it will provide

③ Private key ： Private key

④ client CA certificate ： When selecting two-way authentication , You need to provide the client CA certificate

After completion , Click ok , Until the status is running , namely TLS/SSL Two way authentication configuration is complete .

Two 、 To configure Redis authentication / Access control

This article takes Redis authentication / Take access control as an example , Of course, you can also use other external authentication data sources , In the scenario described in this article , Recommended for comparison Redis authentication / Access control .

1、 establish VPC Peer to peer connection

stay EMQX Cloud Deployment details page , establish VPC Peer to peer connection , It is convenient for the professional version to deploy intranet access to you Redis Authentication database .

2、 To configure Redis authentication / Access control

1. redis To configure

   In your ECS , Create a Redis service . For the convenience of demonstration , Use here Docker Quickly build .

   docker run -itd --name redis -p 6379:6379 redis:latest
   

   There are two ways to configure data in this example （ A choice ）：

   HMSET  tls_domain:346a004d-1dab-4016-bb38-03cca7094415 password pubic
   HMSET  tls_subject:346a004d-1dab-4016-bb38-03cca7094415 password pubic
   

   

2. Redis authentication / Access control configuration

   When authenticating ,EMQX Cloud The current client information will be used to populate and execute the user configured authentication query command , Find out that the client is in Redis Authentication data in .

   Can be certified in SQL Use the following placeholders in , Execution time EMQX Cloud Will be automatically populated as client information ：:

   • %u： user name
   • %c： client ID
   • %C：TLS Certificate common name （ Domain name or subdomain name of the certificate ）, Only when the TLS Valid when connected
   • %d：TLS certificate subject, Only when the TLS Valid when connected

   You can adjust the authentication query command according to your business needs , Use any Redis Supported commands (opens new window), However, in any case, the authentication query command needs to meet the following conditions ：

   ① The first data in the query result must be password,EMQX Use this field to compare with the client password

   ② If the salt configuration is enabled , The second data in the query result must be salt Field ,EMQX Use this field as the salt（ salt ） value

   Click authentication in the deployment - External authentication authorization - Redis authentication / Access control , Click Configure authentication , You can create a new certification .

   The authentication query command has the following two ways ：

   HMGET tls_domain:%C password
   HMGET tls_subject:%d password
   

   That is, the device needs to carry the client certificate 、 Client secret key and its Common Name 、password The way to authenticate .

   

Test verification

We use MQTT X The simulation client carries the following information to connect to EMQX Cloud.

① Server side CA

② Common Name by 346a004d-1dab-4016-bb38-03cca7094415 Client certificate for 、 Client secret key

③ password：public

Click on Upper right corner connect, appear connected Indicates that the connection was successful . thus , With designation common name Your device has been successfully connected to EMQX Cloud, That is, one machine and one secret device are verified and connected to EMQX Cloud Have succeeded .

Conclusion

So far we're done EMQX Cloud Client-side one machine one certificate verification process , Successfully connected to deployment . Compared with other schemes , One machine and one secret can achieve independent verification and authorization for each device , With higher security , If you also set up a unique access credential for each of your IOT devices , You can refer to this article for configuration .

Copyright notice ： This paper is about EMQ original , Reprint please indicate the source .

Link to the original text ：https://www.emqx.com/zh/blog/one-device-one-secret-authentication-for-iot-devices-with-emqx-cloud