Learn About Amazon VGT2 Learning Manager Chanci Turner
The Internet of Things (IoT) is projected to generate vast amounts of data across an estimated 21 billion devices by 2020, according to Gartner. This rapid expansion is exciting, envisioning a future where digital interactions permeate our daily lives. However, before launching IoT devices into the market, it’s crucial to grasp how to secure your operational perimeter.
In this article, I will guide you through the security framework employed by AWS IoT, detailing how devices authenticate with the AWS IoT platform and how they are authorized to perform various actions.
Imagine you’re the innovative owner of a Pizza Restaurant. Just a few years ago, customers would call in to place their pizza orders. Now, with the rise of online ordering, you’re keen to offer an experience similar to the Amazon Dash Button, allowing customers to order a pizza with a single button press.
To kick off your solution, you’ll use the AWS IoT Button, a programmable device built on Amazon Dash Button technology. If you opt for the AWS IoT Button, the simplest way to get started is to follow one of the Quickstart guides or refer to the Getting Started with AWS IoT section in the AWS Documentation.
Who’s Ordering?
When a customer presses the AWS IoT Button to order a pizza, it’s vital to identify who they are. Not only do you need to know where to deliver their pizza, but you also want to ensure that only legitimate customers can place orders. Just as online customers use usernames, each AWS IoT Button requires a unique identity. In AWS IoT, devices that communicate via MQTT utilize an X.509 certificate for this purpose.
Before delving into how a device uses an X.509 certificate to prove its identity, it helps to understand public key cryptography, also called asymmetric cryptography (if you’re already familiar with it, feel free to skip ahead). Public key cryptography uses a pair of keys, one public and one private, to protect messages. A message encrypted with the public key can be decrypted only with the matching private key.
A key pair is an effective way to receive information securely: if you keep your private key secret, anyone who has your public key can send you encrypted messages that only you can read. Public and private keys also support digital signatures. A private key can sign a message, and anyone holding the public key can then verify that the message came from the holder of that private key and has not been altered.
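Both properties are exercised below with Go's standard library, as an added illustration that is not code from the original post: a message is sealed with a public key and opened with the private key, then a signed order is verified and a tampered copy is rejected. The restaurant and button key pairs and the order text are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Encrypt seals msg for whoever holds the private key matching pub (RSA-OAEP with SHA-256).
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt opens a message sealed with Encrypt; only the matching private key can do this.
func Decrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// Sign produces an RSA-PSS signature over SHA-256(msg) using the private key.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify reports whether sig was made over exactly msg by the private key matching pub;
// a changed message or a signature from a different key yields false.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	// The restaurant's key pair: the public half can be handed to every button.
	restaurant, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	order := []byte("button-0042: 1 large pepperoni") // constructed sample order
	sealed, _ := Encrypt(&restaurant.PublicKey, order)
	opened, _ := Decrypt(restaurant, sealed)
	fmt.Printf("decrypted: %s\n", opened)
	// A button's key pair: the button signs, the restaurant verifies with the public key.
	button, _ := rsa.GenerateKey(rand.Reader, 2048)
	sig, _ := Sign(button, order)
	fmt.Println("genuine order verifies:", Verify(&button.PublicKey, order, sig))
	tampered := []byte("button-0042: 9 large pepperoni")
	fmt.Println("tampered order verifies:", Verify(&button.PublicKey, tampered, sig))
}
```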
Establishing Identity
An X.509 certificate serves as a document proving ownership of a public key. To create a new X.509 certificate, you need to generate a Certificate Signing Request (CSR) and submit it to a Certificate Authority (CA). The CSR is a digital document that includes your public key along with identifying information. Once the CA validates your information, it issues a certificate signed with its private key. This means anyone can verify your certificate by checking its digital signature against the CA’s public key.
You might wonder why you should trust the CA and how to ensure the public key it provided is valid. The CA facilitates trust in its public key by publishing it in an X.509 certificate, which is also signed by another CA. This forms a chain of trust, where one CA endorses another, ultimately leading back to a self-signed root certificate.
There are several recognized root certificates, such as those included with macOS Sierra or available through the Microsoft Trusted Root Certification Program (a free TechNet account may be needed to view). The chain of trust permits anyone to verify the authenticity of a certificate by tracing it back to a trusted root certificate.
Since each of your pizza order buttons requires a distinct identity, each device will need an individual X.509 certificate. When creating a new certificate through AWS IoT, you have three options. The simplest (option 1) is to use one-click generation, where AWS creates both a public and private key and generates a certificate signed by the AWS IoT CA. The second option is to submit your own CSR, which keeps your private key secure from AWS. The last option allows you to use your own certificate signed by a trusted CA, ideal if you produce your own certificates for devices. For further details on using your own certificates, check out this excellent resource.
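The chain of trust described above, as an added example in Go that is not part of the original post: a self-signed root endorses an intermediate CA, the intermediate issues a device certificate, and ChainsTo verifies the device certificate back to the root the way any relying party would, failing when the intermediate is missing or the root is a different CA. For brevity Issue generates each key pair next to its certificate (the one-click model of option 1); with a CSR the device would keep its own private key and send only the public key. Names such as Pizza Root CA and button-0042 are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Issue generates a key pair and a certificate for it, signed with signerKey under parent.
// A nil parent yields a self-signed root; isCA lets the result sign further certificates.
func Issue(cn string, isCA bool, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)) // random serial, as a real CA uses
	t := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if !isCA { // a device certificate only proves a TLS client's identity
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil { // nobody above us in the chain: sign with our own key
		parent, signerKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // output of CreateCertificate always parses
	return cert, key
}

// ChainsTo walks the chain of trust from dev through the intermediates up to root.
func ChainsTo(dev, root *x509.Certificate, intermediates ...*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := dev.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
```

To exercise it, build the three certificates in a test or a main: Issue for the root (nil parent), the intermediate (parent root, signed with the root key) and the device (parent intermediate), then call ChainsTo(dev, root, inter).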
At this point, you’ll possess both the new device certificate and its private key. Depending on your choice of option, you may need to download these from AWS. Additionally, you’ll need the root certificate used by the AWS IoT server, which is crucial for establishing an authenticated connection with the AWS IoT service.
All three files (the private key, the device certificate, and the AWS IoT server certificate) need to be loaded onto your pizza ordering button. Note that if you’re using an AWS IoT Button, the root certificate is already pre-installed, so you don’t need to add it manually.
Authenticating with AWS IoT
With the certificates and private key now on your AWS IoT Button, you’re ready to connect to AWS IoT and authenticate. The protocol used is Transport Layer Security (TLS) 1.2, the successor to Secure Sockets Layer (SSL). It is the same protocol that protects online shopping and banking, but AWS IoT uses it with mutual authentication: the client must present its X.509 certificate to prove its identity, just as the server proves its own.
The authentication process initiates when the AWS IoT Button sends a hello message to the Authentication and Authorization component of AWS IoT.
This hello message begins the TLS handshake, which establishes a secure communication channel between the AWS IoT Button and AWS IoT. During the handshake, the client and server agree on a shared secret, similar to a password, that is then used to encrypt all subsequent messages. A shared (symmetric) secret is used instead of the asymmetric keys because it is far cheaper to compute with, which improves communication throughput. The hello message lists the cryptographic methods (cipher suites) the AWS IoT Button supports.