Authentication Methods
Choosing the right authentication method depends on security requirements and device capabilities. The ratings below are relative: in practice any method is only as strong as the storage of its secret, so a certificate whose private key is a string literal in flash is no stronger than a PSK held in a secure element.
| Method | Security | Complexity | Best For |
|---|---|---|---|
| Username/Password | ⭐⭐ | Low | Prototyping |
| Pre-Shared Key | ⭐⭐⭐ | Low | Small deployments |
| X.509 Certificates | ⭐⭐⭐⭐⭐ | Medium | Production |
| JWT Tokens | ⭐⭐⭐⭐ | Medium | Cloud services |
| Hardware Secure Element | ⭐⭐⭐⭐⭐ | High | High security |
X.509 Certificates
Industry standard for IoT device authentication: each device holds its own private key and a CA-issued certificate, and proves possession of the key during the TLS handshake (mutual TLS). The broker trusts the issuing CA rather than a per-device secret, so onboarding a device means issuing a certificate, not distributing a shared key.
Certificate Structure
Certificate:
Version: 3
Serial Number: 0x1234567890
Signature Algorithm: SHA256withRSA
Issuer: CN=MyCA
Validity:
Not Before: Jan 1 2025
Not After: Dec 31 2025
Subject: CN=device-001
Public Key: RSA 2048 bit
Extensions:
Key Usage: Digital Signature
Extended Key Usage: Client Auth
Generate Device Certificate
# Generate device private key (RSA 2048 as in the structure above; EC P-256 is lighter on constrained devices)
openssl genrsa -out device-001.key 2048
# Create CSR; the CN is the device identity the broker will authorize
openssl req -new -key device-001.key -out device-001.csr \
  -subj "/CN=device-001/O=MyOrg"
# Extensions: `openssl x509 -req` does not copy extensions from the CSR, so pass them explicitly
# (without this the certificate lacks the Key Usage / Client Auth shown above)
printf 'keyUsage = critical, digitalSignature\nextendedKeyUsage = clientAuth\n' > device.ext
# Sign with CA
openssl x509 -req -days 365 -sha256 \
  -in device-001.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile device.ext \
  -out device-001.crt
# Check the chain and inspect the result before shipping it to the device
openssl verify -CAfile ca.crt device-001.crt
openssl x509 -in device-001.crt -noout -text
Pre-Shared Keys (PSK)
Simpler alternative for resource-constrained devices: both sides hold the same secret and TLS-PSK cipher suites authenticate with it, so the device needs no certificate parsing or public-key operations. The broker must support TLS-PSK (Mosquitto does, via its psk_file option) and must be able to look up the key from the identity hint the device sends.
// ESP32 TLS-PSK session to an MQTT broker (WiFiClientSecure from the ESP32 Arduino core)
#include <WiFi.h>
#include <WiFiClientSecure.h>
const char* pskIdentity = "device-001";                  // identity hint the broker uses to look up this device's key
const char* pskKey = "0123456789ABCDEF0123456789ABCDEF"; // hex-encoded key bytes; 32 hex chars is only 128 bits, use 64 (256-bit) and a unique random value per device
WiFiClientSecure client;
void setup() {
  Serial.begin(115200);
  WiFi.begin("your-ssid", "your-wifi-password");
  while (WiFi.status() != WL_CONNECTED) delay(500);
  client.setPreSharedKey(pskIdentity, pskKey);            // selects PSK cipher suites; no certificates involved
  // Open the TLS session on the MQTT-over-TLS port; an MQTT client such as PubSubClient then runs on top of `client`
  if (client.connect("mqtt.example.com", 8883)) {
    Serial.println("Connected with PSK!");
  }
}
void loop() {}
PSK Security Tips:
- Use keys from a CSPRNG, 128 bits minimum and preferably 256 bits (64 hex characters for setPreSharedKey()); a human-chosen passphrase is not a PSK
- Unique PSK per device, so one extracted key compromises one device and that device can be revoked on its own
- Store in secure storage (encrypted NVS or a secure element), never as a plaintext string in flash or in source control
- Implement key rotation: the broker has to accept both the old and the new key during the rollover window, so version the key (for example in the identity hint) rather than swapping it in place
- Never transmit the PSK over the network, not even inside the TLS session it protects; provision it out-of-band at manufacture
- Prefer (EC)DHE-PSK cipher suites: plain PSK suites have no forward secrecy, so a leaked key decrypts every recorded session
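The broker-side half of those tips, as an added example that is not code from the page: a registry that issues a unique CSPRNG key per device, rotates keys without downtime by versioning the PSK identity hint (device-001/2), and answers the lookup a TLS-PSK callback would make. The class and method names (PskRegistry, provision, rotate, lookup, confirm, revoke) and the identity-hint format are this example's own conventions, not a broker API; the device ids are constructed.

```python
"""Server-side PSK registry: per-device keys, versioned rotation, broker lookup."""
import secrets
from typing import Dict, Optional, Tuple

PSK_BYTES = 32  # 256-bit keys; setPreSharedKey() on the ESP32 takes this as 64 hex chars


class PskRegistry:
    def __init__(self) -> None:
        # device_id -> {kid: key}; every key listed here is currently accepted
        self._keys: Dict[str, Dict[int, bytes]] = {}

    @staticmethod
    def identity(device_id: str, kid: int) -> str:
        # Example convention: the key id rides in the PSK identity hint sent by the device
        return f"{device_id}/{kid}"

    def provision(self, device_id: str) -> Tuple[str, str]:
        """First key for a new device: CSPRNG, unique per device.

        Returns (identity_hint, hex_key). The hex goes into the device's secure storage
        out of band at manufacture; it is never sent over the network.
        """
        if device_id in self._keys:
            raise ValueError(f"{device_id} already provisioned; use rotate()")
        key = secrets.token_bytes(PSK_BYTES)
        self._keys[device_id] = {1: key}
        return self.identity(device_id, 1), key.hex()

    def rotate(self, device_id: str) -> Tuple[str, str]:
        """Issue kid+1; the old key stays accepted until confirm() sees the new one in use."""
        keys = self._keys[device_id]
        kid = max(keys) + 1
        keys[kid] = secrets.token_bytes(PSK_BYTES)
        return self.identity(device_id, kid), keys[kid].hex()

    def lookup(self, identity_hint: str) -> Optional[bytes]:
        """Broker PSK callback: identity hint -> key bytes, or None to reject the handshake."""
        device_id, sep, kid = identity_hint.rpartition("/")
        if not sep or not kid.isdigit():
            return None
        return self._keys.get(device_id, {}).get(int(kid))

    def confirm(self, identity_hint: str) -> None:
        """After a successful handshake with kid N, drop every older key for that device."""
        device_id, _, kid = identity_hint.rpartition("/")
        keys = self._keys[device_id]
        for old in [k for k in keys if k < int(kid)]:
            del keys[old]

    def revoke(self, device_id: str) -> None:
        """Per-device keys mean one compromised device is cut off without touching the fleet."""
        self._keys.pop(device_id, None)


if __name__ == "__main__":
    reg = PskRegistry()
    ident, hexkey = reg.provision("device-001")   # constructed device id
    print(ident, hexkey)                          # values for the firmware's pskIdentity / pskKey
    new_ident, _ = reg.rotate("device-001")
    print(reg.lookup(ident) is not None, reg.lookup(new_ident) is not None)  # both accepted during rollover
    reg.confirm(new_ident)
    print(reg.lookup(ident))                      # None: old key retired
```

The firmware side only changes the two strings it already has (pskIdentity and pskKey), which is what makes the rollover safe: a device that missed the update keeps connecting with its old hint until you decide to retire it.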
JWT Tokens
Token-based authentication for cloud IoT platforms: the device mints a short-lived token signed with its own key and presents it as the MQTT password, so the long-term secret itself never crosses the network. Google Cloud IoT Core used JWTs (RS256/ES256 signed with the device's private key); Azure IoT Hub uses the same flow but with a SAS token, an HMAC-SHA256 over the URL-encoded resource URI and expiry keyed by the device's symmetric key, not a JWT. Either way the device needs correct wall-clock time to fill in the expiry, and must re-mint the token before it expires.
// Device-signed token presented as the MQTT password (hypothetical `JWT` helper class, shown for structure only;
// Azure IoT Hub expects a SAS token rather than a JWT, see above)
#include <time.h>
const char* deviceId = "device-001";
const char* sharedKey = "your-device-key";     // per-device secret, never shared across the fleet
const char* audience = "mqtt.example.com";     // the service that will accept the token
// Create JWT. `exp` must be epoch time: sync NTP first with configTime(); millis() is uptime, not wall-clock time
JWT jwt;
jwt.setPayload("aud", audience);
jwt.setPayload("exp", (long)time(nullptr) + 3600); // short-lived: 1 hour
String token = jwt.sign(sharedKey);
// The username format is platform-specific; the token goes in the password field and is re-minted before it expires
client.connect(deviceId, "username-per-platform", token.c_str());
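Both token formats worked through on the desktop side, as an added example rather than code from the page or from any cloud SDK: an HS256 JWT minted the way the sketch above outlines plus the broker-side verification it implies (algorithm pinned, constant-time MAC comparison, audience and expiry checked), and an Azure IoT Hub SAS token built per Microsoft's documented format (HMAC-SHA256 over the URL-encoded resource URI and expiry, keyed with the base64-decoded device key). Function names, the demo keys and the hub/device names are this example's own, constructed for illustration.

```python
"""Device tokens used as the MQTT password: HS256 JWT (mint + verify) and an Azure IoT Hub SAS token."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import quote

DEMO_KEY = b"constructed-demo-key-not-for-production"  # constructed symmetric device key
DEMO_AZURE_KEY_B64 = "A" * 43 + "="                     # constructed: base64 of 32 zero bytes


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(key: bytes, aud: str, sub: str, ttl: int, now: Optional[int] = None) -> str:
    """HS256 JWT. exp is wall-clock epoch time, so the device must have NTP before minting."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"aud": aud, "sub": sub, "iat": now, "exp": now + ttl}
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, aud: str, now: Optional[int] = None) -> Optional[dict]:
    """Broker-side check: pin alg to HS256 (rejects alg=none), constant-time MAC compare, then aud and exp."""
    now = int(time.time()) if now is None else now
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("aud") != aud or int(claims.get("exp", 0)) <= now:
        return None
    return claims


def azure_sas_token(hub_host: str, device_id: str, device_key_b64: str, ttl: int, now: Optional[int] = None) -> str:
    """Azure IoT Hub device SAS token: HMAC-SHA256 over '<url-encoded resource>\\n<expiry>' keyed with the
    base64-decoded device key; the signature is base64 then URL-encoded into the token."""
    now = int(time.time()) if now is None else now
    expiry = now + ttl
    resource = quote(f"{hub_host}/devices/{device_id}", safe="")
    mac = hmac.new(base64.b64decode(device_key_b64), f"{resource}\n{expiry}".encode(), hashlib.sha256).digest()
    signature = quote(base64.b64encode(mac).decode(), safe="")
    return f"SharedAccessSignature sr={resource}&sig={signature}&se={expiry}"


def azure_mqtt_username(hub_host: str, device_id: str) -> str:
    """The SAS token is the MQTT password; the username is fixed by the platform."""
    return f"{hub_host}/{device_id}/?api-version=2021-04-12"


if __name__ == "__main__":
    token = mint_jwt(DEMO_KEY, "mqtt.example.com", "device-001", 3600)
    print(token)
    print(verify_jwt(token, DEMO_KEY, "mqtt.example.com"))
    print(verify_jwt(token + "x", DEMO_KEY, "mqtt.example.com"))  # tampered signature -> None
    print(azure_mqtt_username("myhub.azure-devices.net", "device-001"))
    print(azure_sas_token("myhub.azure-devices.net", "device-001", DEMO_AZURE_KEY_B64, 3600))
```

Two details matter for security here: the verifier reads the algorithm from the header only to reject anything but the one it expects (never to choose the verification routine), and expiry is compared against the server's clock, so a device with a drifting or unset clock fails closed rather than minting tokens that live forever.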
Secure Elements
Hardware security for key storage: the private key is generated inside the chip and only the public key and signatures ever come out, so dumping the firmware or compromising the MCU does not let an attacker clone the device identity.
ATECC608A Integration
// ATECC608A over I2C using the ArduinoECCX08 library (supports ATECC508A/608A)
#include <Wire.h>
#include <ArduinoECCX08.h>
const int KEY_SLOT = 0;      // slot configured as a non-exportable P-256 private key
byte publicKey[64];          // X||Y returned at provisioning; this is what goes into the device CSR
byte digest[32];             // the chip signs a 32-byte SHA-256 digest computed on the host, not the raw data
byte signature[64];          // raw ECDSA r||s
void setup() {
  Serial.begin(115200);
  if (!ECCX08.begin()) { Serial.println("ECCX08 not found"); while (1); }
  // Config/data zones must be written and locked once at provisioning; an unlocked chip is not a trust anchor
  if (!ECCX08.locked()) { Serial.println("Chip not locked, provision first"); while (1); }
#ifdef PROVISIONING
  // Run once in the factory: generates the key pair inside the slot and exports only the public half
  ECCX08.generatePrivateKey(KEY_SLOT, publicKey);
#endif
  // Sign data: the host hands over the digest and receives the signature
  ECCX08.ecSign(KEY_SLOT, digest, signature);
  // Private key NEVER leaves the chip!
}
void loop() {}
| Secure Element | Interface | Features |
|---|---|---|
| ATECC608A | I2C | ECDSA/ECDH P-256, SHA-256, AES-128, key slots for TLS client auth |
| OPTIGA Trust X | I2C | ECDSA/ECDH P-256, X.509 certificate slots, TLS/DTLS support |
| SE050 | I2C | ECC and RSA, AES, X.509 storage, TLS credential protection |
| TPM 2.0 | SPI/I2C/LPC | Full TPM: key hierarchies, sealing, attestation |
AWS IoT Example
// AWS IoT with X.509 device certificate (ESP32 WiFiClientSecure + PubSubClient)
#include <WiFi.h>
#include <WiFiClientSecure.h>
#include <PubSubClient.h>
const char* ssid = "your-ssid";
const char* password = "your-wifi-password";
const char* AWS_IOT_ENDPOINT = "xxxxxxxxx.iot.us-east-1.amazonaws.com";  // account-specific endpoint
// PEM strings. A private key baked into firmware can be read by anyone with flash access and used to clone
// the device; in production keep it in encrypted NVS or a secure element
const char* CERTIFICATE = "-----BEGIN CERTIFICATE-----...";
const char* PRIVATE_KEY = "-----BEGIN RSA PRIVATE KEY-----...";
const char* ROOT_CA = "-----BEGIN CERTIFICATE-----...";   // Amazon Root CA, used to authenticate the endpoint
WiFiClientSecure net;
PubSubClient mqtt(net);
void setup() {
  Serial.begin(115200);
  WiFi.begin(ssid, password);
  while (WiFi.status() != WL_CONNECTED) {
    delay(500);
  }
  // Mutual TLS: the root CA authenticates AWS, the device certificate and key authenticate this device
  net.setCACert(ROOT_CA);
  net.setCertificate(CERTIFICATE);
  net.setPrivateKey(PRIVATE_KEY);
  mqtt.setServer(AWS_IOT_ENDPOINT, 8883);
  // The client ID must be permitted by the IoT policy attached to this certificate
  if (mqtt.connect("device-001")) {
    Serial.println("Connected to AWS IoT!");
  } else {
    Serial.printf("MQTT connect failed, state %d\n", mqtt.state());
  }
}
void loop() { mqtt.loop(); }
Certificate Management:
- Use unique certs per device, so a single leaked key can be revoked without touching the rest of the fleet
- Set appropriate expiry (6-12 months); shorter lifetimes bound the damage from an undetected key compromise
- Implement automated renewal well before expiry, preferably with a fresh key pair and a new CSR from the device
- Have a revocation process: deactivate the certificate in the cloud registry, or publish a CRL your broker checks if you run your own CA
- Monitor for expiring certs and alert early; an expired device certificate is a fleet outage, not just a security event
Next Steps
- Implement certificate rotation
- Add secure element for key storage
- Set up certificate monitoring
- Create device provisioning workflow