Azure IoT Hub - Generating the SAS Token connection string

IoT devices identify themselves by presenting credentials when they connect to an IoT hub.  Unique credentials are burned into each IoT device.

The simplest way to prototype IoT Hub connected devices is to use Shared Access Signature Tokens.  SAS Tokens are created by signing configuration information with the device's symmetric key that was generated when the device was provisioned in the IoT hub. There are several different ways to manage device credentials on the device itself.

  1. Embed the Symmetric key in the device and have the device generate the token. This has the advantage of letting the device refresh its tokens. It has the disadvantage that the symmetric key has been installed on a device that you can lose control of.
  2. Embed the SAS Token directly in your device if the device does not have a library to generate them. This has the advantage of not needing the signing library. It has the disadvantage that you have hard-coded a future death date into the device with a fixed expiration date.
  3. Embed credentials to some other service that generates SAS tokens.  The IoT device requests new tokens as they expire.  This has the disadvantage that you must have a second set of credentials and credentials service.  It has the advantage that IoT Hub secrets are not permanently installed in the device.
Embedding a long-lived token may be the simplest way to prototype on some devices.

Portal Workflow for prototyping.

The Azure Portal GUI does not provide a UI for IoT device SAS Token generation. The Azure IoT Explorer (pre-release) app does provide a UI to generate SAS tokens.

The UI workflow for creating IoTHub devices and their associated SAS tokens are as follows:

  1. Create an IoT Hub in the Azure Portal
  2. Create a Device in the IoT Hub in the Azure Portal
  3. Find the IoT Hub admin connection string and credentials in Azure Portal
  4. Generate IoT SAS token using Azure IoT Explorer specifying the expiry time in the number of minutes since the epoch.
  5. Embed that SAS token in your IoT device - not shown above.
Azure CLI tools and Azure SDKs can also generate SAS Tokens. They may be better suited when provisioning multiple devices.

Video

Open IoT Hub in the Azure Portal

The next couple sections walk you through that workflow.

Start the Create IoT Hub wizard



Create an IoT Hub in the Azure Portal

Enter a hub name and resource group


Make sure the device can reach the IoT Hub

Pick the Tier 


Shared Access Policy + RBAC


Make it so!



Open the IoT Hub in the Azure Portal


Create a Device in the IoT Hub




Symmetric Keys are the simplest


Examine the newly created Device

Credentials and keys


Find the Hub's credentials for CLI or Explorer

Shared Access Policies


Credential string for this role for this hub


Expose connection string used to manipulate the hub



Generate SAS Token using AWS IOT Explorer

Connect to the IoT Hub using the connection String

Navigate to the Device

Select the Device

Generate the Connection string with embedded SAS Token


SAS - From the Docs

Microsoft describes symmetric key attestation as having the following form:

SharedAccessSignature sig={signature}&se={expiry}&skn={policyName}&sr={URL-encoded-resourceURI}

Here are the components of each token:
  • {signature}
    An HMAC-SHA256 signature string. For individual enrollments, this signature is produced by using the symmetric key (primary or secondary) to perform the hash. For enrollment groups, a key derived from the enrollment group key is used to perform the hash. The hash is performed on a message of the form: URL-encoded-resourceURI + "\n" + expiry. Important: The key must be decoded from base64 before being used to perform the HMAC-SHA256 computation. Also, the signature result must be URL-encoded.
  • {resourceURI}
    URI of the registration endpoint that can be accessed with this token, starting with scope ID for the Device Provisioning Service instance. For example, {Scope ID}/registrations/{Registration ID}
  • {expiry}
    UTF8 strings for number of seconds since the epoch 00:00:00 UTC on 1 January 1970.
  • {URL-encoded-resourceURI}
    Lower case URL-encoding of the lower case resource URI
  • {policyName}
    The name of the shared access policy to which this token refers. The policy name used when provisioning with symmetric key attestation is registration.

Other Methods

Certificates and trust enclaves provide can be used where a higher level of security is required. Unique certificates are burned into each device.  Those certificates are registered/paired with device definitions. Secure enclaves make it harder to change the identity of the device.

References


Created 11/2021






























Comments

Post a Comment

Popular posts from this blog

Understanding your WSL2 RAM and swap - Changing the default 50%-25%

Image
The Windows Subsystem for Linux operates as a virtual machine that can dynamically grow the amount of RAM to a maximum set at startup time.  Microsoft sets a default maximum RAM available to 50% of the physical memory and a swap-space that is 1/4 of the maximum WSL RAM.  You can scale those numbers up or down to allocate more or less RAM to the Linux instance. The first drawing shows the default WSL memory and swap space sizing. The images below show a developer machine that is running a dev environment in WSL2 and Docker Desktop.  Docker Desktop has two of its own WSL modules that need to be accounted for.  You can see that the memory would actually be oversubscribed, 3 x 50% if every VM used its maximum memory.  The actual amount of memory used is significantly smaller allowing every piece to fit. Click to Enlarge The second drawing shows the memory allocation on my 64GB laptop. WSL Linux defaults to a maximum RAM size of 5
Read more

Installing the RNDIS driver on Windows 11 to use USB Raspberry Pi as network attached

Image
I do a lot of my development and configuration via ssh into my Raspberry Pi Zero over the RNDIS connection. Some models of the Raspberry PIs can be configured with  gadget drivers  that let the Raspberry pi emulate different devices when plugged into computers via USB. My favorite gadget  is the network profile that makes a Raspberry Pi look like an RNDIS-attached network device.  All types of network services travel over an RNDIS device without knowing it is a USB hardware connection. A Raspberry Pi shows up as a Remote NDIS (RNDIS) device when you plug the Pi into a PC or Mac via a USB cable. The gadget  in the Windows Device Manager picture shows this RNDIS Gadget connectivity between a Windows machine and a Raspberry Pi. The Problem Windows 11 and Windows 10 no longer auto-installs the RNDIS driver that makes magic happen. Windows recognizes that the Raspberry Pi is some type of generic USB COM device. Manually running W indows Update  or  Update Driver  does  not  install the RNDI
Read more

DNS for Azure Point to Site (P2S) VPN - getting the internal IPs

Image
I wanted to access all my Azure resources without making any of them visible to the Internet.   The easiest give my local machine access to everything on my Azure Virtual Network (VNET) was to connect to it over VPN. It turns out creating Azure VPN gateways and connecting to Azure VPN endpoints is easy.  There are some subtleties in getting DNS name resolution to work that can confuse when first starting out. Setting the Stage There are a few ways to get to Azure endpoints and resources that are blocked from the internet.  We can  Create a Point-to-Site connection from our local machines to Azure Network Gateways Create a Site-to-Site network connection from our local networks to Azure Network Gateways. Use Bastion Hosts Use Cloud Shell Leave everything open to the internet. I chose a Point-to-Site (P2S) VPN connection that connects from my laptop to a VNet Gateway.  That joins my laptop
Read more