Tags: azure, android-studio, azure-iot-hub, azure-iot-sdk, azure-iot-central

How to securely auto connect multiple devices to IoT Central?


I am trying to securely connect multiple devices (200+) to Microsoft Azure IoT Central. I have an Android app running API 19 that connects a single device via HTTPS to IoT Central.

I am following the tutorial for SAS group enrollment.

I understand that I need a connection string to connect to IoT Central which is composed of the underlying IoT Hub name, device primary key and device ID (which can be the device IMEI or something similar so that it can be auto-generated).

However inserting the primary key for each device would require modifying the app for 200+ devices.

In order to auto-generate the device primary key it can be derived from the SAS-IoT-Devices group master key by running: az iot central device compute-device-key --primary-key <enrollment group primary key> --device-id <device ID> or in my case using Android Studio with the code:

import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

private static final String HMAC_SHA256 = "HmacSHA256";

// Device key = base64(HMAC-SHA256(base64decode(masterKey), registrationId)), the same derivation as the az CLI command
public static byte[] ComputeDerivedSymmetricKey(String masterKey, String registrationId) throws InvalidKeyException, NoSuchAlgorithmException
{
    byte[] masterKeyBytes = com.microsoft.azure.sdk.iot.deps.util.Base64.decodeBase64Local(masterKey.getBytes(StandardCharsets.UTF_8));
    SecretKeySpec secretKey = new SecretKeySpec(masterKeyBytes, HMAC_SHA256);
    Mac hMacSha256 = Mac.getInstance(HMAC_SHA256);
    hMacSha256.init(secretKey);
    return com.microsoft.azure.sdk.iot.deps.util.Base64.encodeBase64Local(hMacSha256.doFinal(registrationId.getBytes(StandardCharsets.UTF_8)));
}

But this would expose the master key to all devices which could lead to a serious data breach.

I am wondering how I can securely generate the connection string without modifying the app 200+ times? (Storing the master key in a hardware security module is not really an option here.)

Thanks so much!


Solution

  • In the absence of a unique hardware root of trust, your security posture will always be relatively weak.

    One option is to generate the device-specific key in an Azure service, e.g. an Azure Function which can use the master key stored in Azure Key Vault. The Android app will still need to attest its unique identity with the function and request device-specific identities. This will avoid having a common master key in the app.

    If you have the option to take advantage of a unique ID on Android, e.g. FID (https://developer.android.com/training/articles/user-data-ids), it can be used to attest the app identity with the function.

    Another option is to generate a key pair per device and use that to create a CSR and get a device-specific X.509 certificate. It will add more complexity and still needs a bootstrap attestation mechanism.
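A sketch of the server-side arrangement the answer describes, written as an added Python example that is not part of the question or answer: the group master key stays with the service (read from an environment setting, where an Azure Function would use a Key Vault reference), each device only ever receives its own derived key, and the allow-list check stands in for the per-device attestation the answer calls for. The master key, the registration IDs and the hub hostname are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample master key; in the function app this would come from a
# Key Vault reference in the app settings, never from the device app.
MASTER_KEY_B64 = os.environ.get(
    "GROUP_MASTER_KEY",
    base64.b64encode(b"constructed-group-master-key-not-real").decode("ascii"),
)
# Constructed allow-list of registration IDs (IMEI-based) the service will issue
# keys for; stands in for a real attestation check such as a Firebase installation ID.
KNOWN_DEVICES = {"imei-356938035643809", "imei-490154203237518"}


def derive_device_key(master_key_b64: str, registration_id: str) -> str:
    """Same derivation as `az iot central device compute-device-key`:
    base64(HMAC-SHA256(base64decode(master_key), registration_id))."""
    master = base64.b64decode(master_key_b64)
    digest = hmac.new(master, registration_id.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def issue_device_key(registration_id: str, master_key_b64: str = MASTER_KEY_B64) -> Optional[str]:
    """What the Azure Function would do per request: refuse unknown identities and
    otherwise return only that device's derived key. The master key never leaves here,
    and one device's key cannot be used to recover the master key or another device's key."""
    if registration_id not in KNOWN_DEVICES:
        return None
    return derive_device_key(master_key_b64, registration_id)


def build_connection_string(hub_hostname: str, device_id: str, device_key_b64: str) -> str:
    """Per-device IoT Hub connection string the app assembles from the key it was issued."""
    return f"HostName={hub_hostname};DeviceId={device_id};SharedAccessKey={device_key_b64}"
```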