X.509 Certificate Authentication for IoT Devices

Common Misconceptions and False Statements

Question

You are building an IoT solution consisting of smart end-devices.

After the successful pilot period, you want to extend the number of devices to 100 and put them into production.

For maximum security, your devices authenticate using X.509 certificates.

When using X.509 certificates, which two of the following statements are false?

Answers

A. End devices must possess the chain of certificates and their unique device certificate.
B. The public key of the device certificates should be kept in an HSM.
C. The X.509 CA certificate must be uploaded to the IoT Hub.
D. You should purchase trusted X.509 certificates for your scenario.
E. Unique device certificates must be uploaded to the IoT Hub.

Explanations

Correct Answer: B and E.

Option A is incorrect (that is, the statement is true) because the devices must in fact hold the chain of certificates as well as their own unique device (leaf) certificate.

They prove possession of the certificate by means of their secret private key.

Option B is CORRECT (the statement is false) because the Hardware Security Module (HSM) in a device is intended to generate the device's private key and to keep it secret.

The public key is visible to the outside world.

Option C is incorrect (the statement is true) because the trusted (purchased) X.509 CA certificate must be uploaded to and registered on the IoT Hub so that it can be used to verify the devices when they connect.

Option D is incorrect (the statement is true) because, for maximum security in production environments, users should purchase trusted CA certificates from a root CA.

For experimentation, self-signed certificates can also be suitable.

Option E is CORRECT (the statement is false) because one of the advantages of X.509 certificate-based authentication is its one-to-many hierarchy.

In this case, it means that only the top-level (CA) certificate must be present on the IoT Hub, while any number of end devices can authenticate through the trusted chain of certificates.

Diagram (certificate chain, top to bottom):

X.509 CA "Company-X" -> Intermediate X.509 CA "Factory-Y" -> Intermediate X.509 CA "Technician-Z" -> Device certificate "Smart-X-Widget"

References:

X.509 certificates are a standard for digital certificates that are used for authentication and encryption in various scenarios, including IoT. When X.509 certificates are used for device authentication, each of the five statements can be assessed as follows:

A. End devices must possess the chain of certificates and their unique device certificate. This statement is true. Each end device should have a unique X.509 certificate that identifies it and proves its authenticity. In addition, the device should also hold the chain of certificates that leads up to the trusted root certificate under which the device certificate was issued. This chain is used to validate the authenticity of the device certificate.

B. The public key of the device certificates should be kept in an HSM. This statement is false. While it is good security practice to store private keys in a Hardware Security Module (HSM), there is no requirement to store the public key of a device certificate in an HSM. The public key is not secret; it can be stored on the device itself or on a separate system.

C. The X.509 CA certificate must be uploaded to the IoT Hub. This statement is true. The IoT Hub needs to know the trusted root certificate under which the device certificates were issued in order to validate them. Therefore, the X.509 CA certificate that corresponds to the trusted root certificate must be uploaded to the IoT Hub.

D. You should purchase trusted X.509 certificates for your scenario. This statement is true. To ensure maximum security, it is recommended to use X.509 certificates issued by a trusted certificate authority (CA). These certificates are signed by the CA and are therefore trusted by other parties. In contrast, self-signed certificates are not trusted by default and require additional configuration.

E. Unique device certificates must be uploaded to the IoT Hub. This statement is false. While the IoT Hub needs to know the trusted root certificate under which the device certificates were issued, it does not need to know the unique device certificates themselves. The device certificates are used for authentication between the device and the IoT Hub, and the IoT Hub does not have to store them in advance. Instead, the device presents its certificate (together with the chain) during the authentication process, and the IoT Hub verifies it using the trusted root certificate.
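The hierarchy described under option E and in the diagram, as an added worked example in Go using only the standard library (written for this page; it is not code from the original or from any IoT platform): one root CA, which is the only certificate the hub holds, one intermediate CA, and leaf certificates for the devices, with hubVerify standing in for the hub's chain check and provePossession for the private-key proof mentioned under option A. The CA names follow the diagram; the function names, the one-intermediate chain depth and the use of P-256 keys are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a P-256 key pair and a certificate for cn; parent == nil gives a self-signed root, otherwise signKey (the parent's key) signs it. Example code, not from the page.
func issue(cn string, ku x509.KeyUsage, serial int64, parent *x509.Certificate, signKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // on a real device this step happens inside the HSM
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0, KeyUsage: ku, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // root CA: self-signed with its own key
		parent, signKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	cert, err := x509.ParseCertificate(der) // also fails if issuance above failed (der == nil)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// hubVerify stands in for the IoT Hub: it trusts only the registered CA certificate and requires the intermediates the device presents to link its leaf back to that CA.
func hubVerify(trustedCA, device *x509.Certificate, presented []*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedCA)
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := device.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// provePossession: the hub sends a nonce, the device signs it with its private key, and the hub checks the signature with the public key taken from the already verified leaf cert.
func provePossession(device *x509.Certificate, devKey *ecdsa.PrivateKey, nonce []byte) bool {
	digest := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, devKey, digest[:])
	pub, ok := device.PublicKey.(*ecdsa.PublicKey)
	return err == nil && ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

Any leaf issued under the registered CA verifies with only the root on the hub; a leaf presented without its intermediate, or issued under a CA the hub never registered, does not.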