Microsoft Azure IoT Hub grants permissions using shared access policies. These policies can grant any combination of permissions that are defined using the Azure portal or using REST API’s. The per-device security policies are based on device credentials that are verified through authentication. Azure’s device identity registry maintains these credentials. Each device also maintains its own credentials and uses them to gain read, write and connection permissions. The secrets maintained by the device endpoints should be protected from any kind of system compromise. The only way to do this is to use a hardware device fit for this purpose like the SPYRUS Rosetta family of HSM’s.
Azure IoT Hub supports both Shared Access Signatures (SAS) tokens as well as X.509 certificates. The SAS token permits authentication while avoiding sending keys or secrets over the wire/air. These tokens are also limited in time validity and scope. This is accomplished through the use of a secure keyed-hash message authentication. The secret key used for the HMAC algorithm can be maintained within the Rosetta® HSM module. The HMAC operation used to generate the SAS token can be computed within the HSM for a higher level of assurance.
X.509 certificates can also be used to authenticate a device to Azure IoT Hub. The private keys can be generated and stored within the Rosetta HSM. The Rosetta HSM can generate and verify digital signatures within a secure and trusted hardware platform. This is the only way to guarantee proof of possession of the private key associated with the digital certificate.
Rosetta HSM modules and Microsoft Azure IoT Hubs add security capabilities to IoT customers, making it possible to create custom device authentication token services and extend the authentication capabilities used by your Azure IoT service. Other possibilities with Rosetta HSMs include Elliptic Curve certificates, split key algorithms, AES challenge response, and more.
Finally, Azure IoT supports and recommends use of SSL/TLS for securing communications. The credentials used for this encrypted communications may be maintained within the Rosetta module and signatures and key management can be offloaded to a security device designed and certified for this very purpose. In summary:
Device Security – use of a hardened HSM for:
- Device Identity
- Symmetric / Secret Keys
- 509 Certificates / Private Keys
- New security algorithms
- TLS (RSA and ECC)
Looking beyond Azure IoT authentication:
The Rosetta microSDHC™ is a special member of the Rosetta HSM family with TrustedFlash®. Not only can a Rosetta microSDHC provide ultimate device security by protecting shared secrets and x.509 certificates / private keys, it can provide encrypted storage for ultimate data at rest protection. When locked the flash drive contained within Rosetta microSD is hardware encrypted with an AES-256 bit key. A device could boot from it or use it for secure storage.