Azure IoT Developer: Device Attestation Methods for Legacy and Smart Devices

Question

Your company operates a traffic monitoring system based on thousands of different sensors, most of them older legacy devices and the rest state-of-the-art smart devices.

As part of a transitioning project, you need to upgrade the solution by migrating it to Azure's IoT platform.

You want to make use of the no-touch device provisioning capabilities of DPS and you are planning the device registration process.

Which attestation methods are applicable for the legacy and the new devices, respectively?

Answers

Explanations

Correct Answer: B.

Option A is incorrect because the HSM (Hardware Security Module) is not an attestation method - it is a hardware-based solution for storing secrets on devices.

Option B is CORRECT because in most cases, symmetric key attestation is the only viable solution for low-resource legacy devices.

More sophisticated smart devices, however, should use more secure ways of attestation, like X.509 certificates or Trusted Platform Modules.

Option C is incorrect because legacy devices are typically not able to accommodate and use certificates.

In addition, for the smart devices having the capability to use more secure attestation mechanisms, using the simple symmetric key method is not recommended.

Option D is incorrect because, due to lack of resources or older technology, legacy devices are typically not able to accommodate and use certificates, hence X.509 attestation is not the right choice.

For smart devices, TPM can be a viable option.

References:

In order to migrate the traffic monitoring system to the Azure IoT platform, you need to provision the devices in Azure IoT Hub. The no-touch device provisioning capabilities of the Azure Device Provisioning Service (DPS) can be used for this purpose. DPS provides various attestation methods that can be used to register and authenticate devices with the IoT hub.

For the legacy devices, the applicable attestation method is Symmetric key. Symmetric key attestation involves the use of a shared secret key that is pre-provisioned on the device and on the DPS. During the device registration process, the device sends its unique identifier and the shared key to DPS. DPS then verifies the key and provisions the device with the necessary connection details for connecting to the IoT hub. Since legacy devices may not have the necessary hardware for secure storage of keys, symmetric key attestation is often used for such devices.

For the new smart devices, the applicable attestation method is X.509. X.509 attestation involves the use of digital certificates that are issued to devices by a trusted certificate authority (CA). During the device registration process, the device presents its digital certificate to DPS for verification. DPS then verifies the certificate and provisions the device with the necessary connection details for connecting to the IoT hub. Since new smart devices typically have hardware security modules (HSMs) for secure storage of keys and certificates, X.509 attestation is often used for such devices.

Therefore, the answer to the question is C. X.509; Symmetric key, where X.509 attestation is applicable for the new smart devices and Symmetric key attestation is applicable for the legacy devices.