Best Practice for Securing Communications between Edge Gateways and EnOS with X.509 Certificates¶
Security is critical in an IoT system. EnOS enforces the following security schemes for securing the connection between the edge gateway and EnOS:
- The communications between the edge gateway and EnOS are enforced to use certificate-based bi-directional authentication.
- Support for RSA algorithm to verify signature, with enforcement for 2048 bits.
- The resource on EnOS is segregated and the API access permissions are controlled by IAM. For more information, see IAM overview.
Setup Phase¶
The following diagram illustrates the process of secure communication between the edge and EnOS based on X.509 certificates:
1. EnOS Acquires X.509 Certificate¶
1a. EnOS creates key pairs and CSR locally, and acquires the X.509 certificate with the CSR by using the X.509 Certificate Service API.
1b. EnOS CA issues the X.509 certificate and sends the certificate to EnOS.
1c. EnOS receives and stores the X.509 certificate.
2. Edge Acquires X.509 Certificate¶
2a. The device provisioner provisions the edge with the necessary information such as the product key, product secret, serial number, and license. The provisioner uses these parameters to create the device in EnOS.
2b. EnOS verifies the identity of the edge and creates the device instance in the Hub, and responds to the edge with the Globally Unique Identifier (GUID) of the device and the device secret.
2c. The edge receives the responses from EnOS, creates key pairs and CSR, calls the API to activate the device, and gets its X.509 certificate.
2d. EnOS receives the request from the edge and after verifying its identity, activates the device and forwards the CSR to EnOS CA.
2e. EnOS CA receives the CSR, issues the certificate and sends it back to EnOS.
2f. EnOS receives the issued X.509 certificate, binds it with the device id, and then sends the certificate to the edge.
2g.The edge receives the issued X.509 certificate and saves it securely in the local repository.
Communication Phase¶
The diagram below illustrates the certificate-based authentication process and the revocation process:
3. Edge Communicates with EnOS Using the Certificate-based Bi-directional Authentication¶
3a. The edge validates the certificate of EnOS.
3b. EnOS validates the certificate of the edge.
When the TLS handshake in steps 3a and 3b succeeds, the TLS connection will be established between the edge and EnOS.
3c. The edge transmits device telemetry through MQTT over the TLS connection.
3d. EnOS transmits configurations and control signals through MQTT over the TLS connection.
Revocation Phase¶
Under some circumstances, the device provisioner needs to revoke the X.509 certificate of the edge.
4. EnOS Revokes the X.509 Certificate of the Edge¶
4a. EnOS calls the revocation API to revoke the X.509 certificate with the serial number of the certificate.
4b. EnOS CA receives the request from EnOS, verifies the identity, revokes the certificate, and update the CRL.
Edge Security Best Practices¶
In the certificate-based security connection, consider the following best practices to secure the edge:
- Create the private key for the edge and keep it secret in a storage such as TPM.
- Use TLS 1.2 when communicating with EnOS and verify that the server certificate is valid.
- Each edge must have a unique public/private key pair.
- The key pair used for authentication by EnOS should not be used for other purposes or communications through other protocols.
- The key must be revoked when the edge is reset.
- When your edge runs on an operating system, make sure your operating system is secured through certain mechanisms, for example, a firewall.
- Ensure that you have a way to update the root CA certificates and CRL.
- Ensure that the clock on the edge is not tampered with.