Migrating to Azure's IoT Platform: Device Attestation Methods for Legacy and New Devices


Question

Your company operates a traffic monitoring system based on thousands of different sensors, most of them older, legacy devices and the rest state-of-the-art smart devices.

As part of a transitioning project, you need to upgrade the solution by migrating it to Azure's IoT platform.

You want to make use of the no-touch device provisioning capabilities of DPS and you are planning the device registration process.

Which attestation methods are applicable for the legacy and the new devices, respectively?

Answers

Explanations



Correct Answer: B.

Option A is incorrect because an HSM (Hardware Security Module) is not an attestation method; it is a hardware-based solution for storing secrets on devices.

Option B is CORRECT because, in most cases, symmetric key attestation is the only viable option for low-resource legacy devices.

More sophisticated smart devices, however, should use more secure ways of attestation, like X.509 certificates or Trusted Platform Modules.

Option C is incorrect because legacy devices are typically not able to accommodate and use certificates.

In addition, for the smart devices having the capability to use more secure attestation mechanisms, using the simple symmetric key method is not recommended.

Option D is incorrect because, due to a lack of resources or older technology, legacy devices are typically not able to accommodate and use certificates, so X.509 attestation is not the right choice for them.

For smart devices, TPM can be a viable option.


In this scenario, the company is operating a traffic monitoring system based on thousands of different sensors, including older legacy devices and state-of-the-art smart devices. The task is to upgrade the solution by migrating it to Azure's IoT platform using the no-touch device provisioning capabilities of DPS. The question is which attestation methods are applicable for the legacy and the new devices, respectively.

Device Provisioning Service (DPS) is an Azure cloud service that enables secure, automated device provisioning, registration, and configuration management. DPS offers several attestation methods for device registration: symmetric key, X.509 certificate, and Trusted Platform Module (TPM).

Symmetric key attestation is a process of using a shared secret key between the device and the cloud to establish mutual trust. During device registration, the device sends a request to the DPS with its ID and the symmetric key. The DPS verifies the key and registers the device. This method is suitable for legacy devices that may not support X.509 or TPM.
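The following Python example is added here to illustrate the symmetric key flow described above; it is not code from the original page or from Azure's SDKs. It shows how the shared key is actually used in an enrollment group: each device holds a per-device key derived from the group key, and proves possession of it by signing a SAS token, so the signature rather than the key itself is what travels to the service. A simplified service-side check recomputes the signature and rejects expired or mismatched tokens. The ID scope, enrollment-group key and registration IDs are constructed sample values, not real credentials.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote, unquote

# Constructed sample values (hypothetical, not real Azure credentials).
ID_SCOPE = "0ne00000000"
GROUP_KEY_B64 = base64.b64encode(b"constructed-enrollment-group-key-32B").decode()


def derive_device_key(group_key_b64: str, registration_id: str) -> str:
    """Per-device key for a DPS enrollment group.

    The group primary key never leaves the back office; each device is given
    HMAC-SHA256(group_key, registration_id), base64-encoded, so a compromised
    device cannot impersonate its siblings.
    """
    group_key = base64.b64decode(group_key_b64)
    mac = hmac.new(group_key, registration_id.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def _string_to_sign(resource: str, expiry: int) -> bytes:
    # DPS signs the URL-encoded resource URI joined to the expiry with a newline.
    return f"{quote(resource, safe='')}\n{expiry}".encode("utf-8")


def build_sas_token(id_scope: str, registration_id: str, device_key_b64: str, expiry: int) -> str:
    """Device side: sign the registration resource with the device key.

    Only the HMAC signature is sent; the symmetric key stays on the device.
    """
    resource = f"{id_scope}/registrations/{registration_id}"
    sig = hmac.new(base64.b64decode(device_key_b64), _string_to_sign(resource, expiry),
                   hashlib.sha256).digest()
    return (
        f"SharedAccessSignature sr={quote(resource, safe='')}"
        f"&sig={quote(base64.b64encode(sig).decode(), safe='')}"
        f"&se={expiry}&skn=registration"
    )


def verify_sas_token(token: str, id_scope: str, group_key_b64: str, now: int) -> bool:
    """Simplified service-side check: re-derive the device key from the group
    key, recompute the signature, and compare in constant time."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    try:
        params = dict(p.split("=", 1) for p in token[len(prefix):].split("&"))
        resource = unquote(params["sr"])
        expiry = int(params["se"])
        presented = base64.b64decode(unquote(params["sig"]))
    except (KeyError, ValueError):  # malformed token, including bad base64
        return False
    if params.get("skn") != "registration" or expiry <= now:
        return False
    scope_prefix = f"{id_scope}/registrations/"
    if not resource.startswith(scope_prefix):
        return False
    registration_id = resource[len(scope_prefix):]
    device_key = base64.b64decode(derive_device_key(group_key_b64, registration_id))
    expected = hmac.new(device_key, _string_to_sign(resource, expiry), hashlib.sha256).digest()
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    reg_id = "sensor-001"
    key = derive_device_key(GROUP_KEY_B64, reg_id)
    token = build_sas_token(ID_SCOPE, reg_id, key, int(time.time()) + 3600)
    print(token)
    print("accepted:", verify_sas_token(token, ID_SCOPE, GROUP_KEY_B64, int(time.time())))
```

The check that matters for a legacy fleet is the last one: a token signed with another device's derived key fails verification, so leaking one sensor's key does not expose the enrollment group, and a token past its `se` value is refused even though its signature is valid.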

X.509 certificate attestation is a process of using digital certificates to establish mutual trust between the device and the cloud. During device registration, the device sends its X.509 certificate to the DPS, which verifies the certificate and registers the device. This method is suitable for newer devices that support X.509 certificates.

TPM attestation is a process of using a hardware-based security module to store and manage keys and certificates. During device registration, the device sends its TPM identity to the DPS, which verifies the identity and registers the device. This method is suitable for devices that have TPM hardware support.

Based on the above explanations, the attestation methods applicable for the legacy and the new devices, respectively, are:

  • Legacy devices: Symmetric key attestation (option A or B)
  • New devices: X.509 certificate attestation or TPM attestation (option C or D)

Therefore, option C (X.509; Symmetric key) is the correct answer as it provides X.509 certificate attestation for the new devices and symmetric key attestation for legacy devices.