Using EMQX Cloud to implement one-machine-one-secret verification of IoT devices
2022-07-02 21:55:00 【51CTO】
Data security is a top priority for Internet of Things applications. Manufacturers commonly authenticate devices with symmetric encryption, asymmetric encryption, digital signatures, digital certificates and similar methods to keep illegitimate devices off the platform. Certificate-based schemes come in variants such as one-type-one-secret (one credential shared by a product type) and one-machine-one-secret (one credential per device). In a one-machine-one-secret scheme, each device is provisioned in advance with its own unique device certificate; when the device communicates with the server, the two sides verify each other, and normal data transfer between device and server begins only after verification succeeds. Compared with other schemes, one-machine-one-secret lets each device be verified and authorized independently, which gives higher security.
As a secure, reliable, fully managed MQTT messaging cloud service, EMQX Cloud supports multiple authentication methods, including basic authentication (username/password, client ID/password), JWT, PSK and X.509 certificates, and an external database can be configured as the data source against which authentication information is verified.
This article uses a Redis database as the authentication data source and explains how to verify a client's identity by the Common Name in its certificate when it connects to EMQX Cloud, implementing client-side one-machine-one-secret authentication. A client whose certificate does not carry the specified, unique Common Name cannot pass authentication.
With this approach, readers can give their IoT devices one-machine-one-secret credentials, authenticate device and server to each other, and establish a secure channel, effectively preventing counterfeit devices, leaked device keys, forged server instructions, eavesdropping on or tampering with key information, and theft of keys through vulnerabilities in the device production line.
Operation process
I. Configure TLS/SSL two-way authentication
1. Preparation
Purchase a server certificate and resolve its domain name to the deployment's connection address.
(Figure: purchasing a server certificate)
Generate a self-signed client root CA certificate and use it to issue client certificates; each client certificate issued this way must have a unique Common Name.
# Generate the CA certificate client-ca.crt; adjust -subj to your own values.
openssl req \
-new \
-newkey rsa:2048 \
-days 365 \
-nodes \
-x509 \
-subj "/C=CN/O=EMQ Technologies Co., Ltd/CN=EMQ CA" \
-keyout client-ca.key \
-out client-ca.crt
# Generate the client private key client.key
openssl genrsa -out client.key 2048
# Generate the client certificate signing request client.csr; the CN carries the client's authentication identity
openssl req -new -key client.key -out client.csr -subj "/CN=346a004d-1dab-4016-bb38-03cca7094415"
# Sign the client certificate with the CA certificate, producing client.crt
openssl x509 -req -days 365 -sha256 -in client.csr -CA client-ca.crt -CAkey client-ca.key -CAcreateserial -out client.crt
# Inspect the client certificate
openssl x509 -noout -text -in client.crt
# Verify the client certificate against the CA
openssl verify -CAfile client-ca.crt client.crt
2. Configuration process
Log in to the EMQX Cloud console, open the deployment details page and click the +TLS/SSL configure button. Fill in the certificate contents either by uploading files or by pasting them directly, and choose the TLS/SSL authentication type:
① One-way authentication: only the client verifies the server certificate.
② Two-way authentication: client and server verify each other's certificates.
This article uses two-way authentication as its example; fill in the following in the deployment console:
① Public key certificate: the server certificate
② Certificate chain: the certificate chain, usually provided by the third-party CA when it issues the certificate
③ Private key: the private key of the server certificate
④ Client CA certificate: required when two-way authentication is selected
(Figure: MQTT Cloud TLS/SSL two-way authentication)
After completing the form, click OK and wait until the status shows running; TLS/SSL two-way authentication is then configured.
II. Configure Redis authentication / access control
This article uses Redis authentication / access control as its example. Other external authentication data sources can be used as well, but for the scenario described here Redis authentication / access control is the recommended choice.
1. Create a VPC peering connection
On the EMQX Cloud deployment details page, create a VPC peering connection so that the Professional-edition deployment can reach your Redis authentication database over the intranet.
(Figure: creating a VPC peering connection in EMQX Cloud)
2. Configure Redis authentication / access control
Redis configuration
Create a Redis service on your ECS instance. For convenience, Docker is used here to spin one up quickly.
docker run -itd --name redis -p 6379:6379 redis:latest
The authentication data can be stored in either of two ways in this example (choose one):
HMSET tls_domain:346a004d-1dab-4016-bb38-03cca7094415 password public
HMSET tls_subject:346a004d-1dab-4016-bb38-03cca7094415 password public
(Figure: Redis authentication / access control configuration)
During authentication, EMQX Cloud fills the user-configured authentication query command with the current client's information, executes it, and looks up the client's authentication data in Redis.
The following placeholders can be used in the authentication query command; EMQX Cloud replaces them with the client's information at execution time:
%u: username
%c: client ID
%C: TLS certificate Common Name (the domain name or subdomain name of the certificate); only valid for TLS connections
%d: TLS certificate subject; only valid for TLS connections
You can adapt the authentication query command to your business needs and use any command Redis supports, but in every case the query must satisfy the following conditions:
① The first value in the query result must be the password; EMQX compares this field with the client's password.
② If salting is enabled, the second value in the query result must be the salt field; EMQX uses it as the salt value.
In the deployment, go to Authentication - External authentication & authorization - Redis authentication / access control, then click Configure authentication to create a new authentication.
The authentication query command can be written in either of two ways:
HMGET tls_domain:%C password
HMGET tls_subject:%d password
That is, the device authenticates by presenting its client certificate and client private key, with the certificate's Common Name and the password as its credentials.
(Figure: Redis authentication)
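As an added example (not code from the article or from EMQX), the following Python models how the configured query is rendered and checked: the %C placeholder is filled from the client certificate's Common Name, the first field of the HMGET result is treated as the password, and a client without a matching hash (an unknown Common Name, or a plain TCP connection with no certificate) is rejected even if it presents the right password. The Redis hash is a constructed in-memory stand-in, and the client field names clientid, tls_cn and tls_subject are assumptions of the example.

```python
import shlex
from typing import Optional

# Constructed in-memory stand-in for the Redis hash the article creates with
# HMSET tls_domain:<Common Name> password public (constructed data, not a live Redis).
REDIS_STORE = {
    "tls_domain:346a004d-1dab-4016-bb38-03cca7094415": {"password": "public"},
}

# Placeholders EMQX Cloud substitutes into the authentication query command.
# The client field names (clientid, tls_cn, tls_subject) are assumptions of this example.
PLACEHOLDERS = {
    "%u": "username",
    "%c": "clientid",
    "%C": "tls_cn",       # certificate Common Name; only present on TLS connections
    "%d": "tls_subject",  # certificate subject; only present on TLS connections
}

def render_query(template: str, client: dict) -> str:
    """Fill every placeholder with the connecting client's data (empty if unset)."""
    query = template
    for placeholder, field in PLACEHOLDERS.items():
        query = query.replace(placeholder, client.get(field) or "")
    return query

def hmget(store: dict, key: str, *fields: str) -> list:
    """Minimal HMGET: one value (or None) per requested field, in order."""
    return [store.get(key, {}).get(field) for field in fields]

def authenticate(template: str, client: dict, store: dict = REDIS_STORE) -> bool:
    """Execute the rendered query; the first returned field must be the password."""
    cmd, key, *fields = shlex.split(render_query(template, client))
    if cmd.upper() != "HMGET" or not fields:
        raise ValueError("this example only executes HMGET <key> <field...>")
    stored_password: Optional[str] = hmget(store, key, *fields)[0]
    # An unknown or missing Common Name yields no hash, so the device is rejected
    # even when it presents the correct password.
    return stored_password is not None and stored_password == client.get("password")

if __name__ == "__main__":
    device = {"clientid": "device-1", "username": "device-1", "password": "public",
              "tls_cn": "346a004d-1dab-4016-bb38-03cca7094415"}
    print(authenticate("HMGET tls_domain:%C password", device))                            # True
    print(authenticate("HMGET tls_domain:%C password", {**device, "tls_cn": "unknown"}))  # False
```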
Test and verification
We use MQTT X to simulate a client that connects to EMQX Cloud with the following information:
① the server-side CA
② the client certificate whose Common Name is 346a004d-1dab-4016-bb38-03cca7094415, together with its client private key
③ password: public
(Figure: MQTT X connection settings)
Click Connect in the upper-right corner; when Connected appears, the connection succeeded. The device with the specified Common Name has thus connected to EMQX Cloud, which means the one-machine-one-secret device was verified and connected to EMQX Cloud successfully.
(Figure: MQTT X connected)
Conclusion
We have now completed the EMQX Cloud client-side one-machine-one-certificate verification process and connected successfully to the deployment. Compared with other schemes, one-machine-one-secret lets each device be verified and authorized independently and offers higher security. If you also want to set up a unique access credential for each of your IoT devices, you can follow the configuration in this article.