IoT 中心设备预配服务设备概念IoT Hub Device Provisioning Service device concepts

IoT 中心设备预配服务是一项 IoT 中心帮助程序服务,该服务用于将零接触设备预配到指定 IoT 中心。IoT Hub Device Provisioning Service is a helper service for IoT Hub that you use to configure zero-touch device provisioning to a specified IoT hub. 使用设备预配服务,可以通过安全且可缩放的方式预配数百万台设备。With the Device Provisioning Service, you can provision millions of devices in a secure and scalable manner.

本文概述了设备预配中涉及的设备概念 。This article gives an overview of the device concepts involved in device provisioning. 本文与设备部署准备工作的制造步骤中提及的角色最为相关。This article is most relevant to personas involved in the manufacturing step of getting a device ready for deployment.

证明机制Attestation mechanism

证明机制是用于确认设备标识的方法。The attestation mechanism is the method used for confirming a device's identity. 证明机制也与注册列表相关,注册列表告知预配服务对给定设备使用哪种认证方法。The attestation mechanism is also relevant to the enrollment list, which tells the provisioning service which method of attestation to use with a given device.

备注

IoT 中心将该服务中类似的概念称为“身份验证方案”。IoT Hub uses "authentication scheme" for a similar concept in that service.

设备预配服务支持以下证明形式:The Device Provisioning Service supports the following forms of attestation:

  • 基于标准 X.509 证书身份验证流的 X.509 证书 。X.509 certificates based on the standard X.509 certificate authentication flow.
  • 基于 nonce 质询的受信任平台模块 (TPM),使用密钥的 TPM 标准显示已签名的共享访问签名 (SAS) 令牌 。Trusted Platform Module (TPM) based on a nonce challenge, using the TPM standard for keys to present a signed Shared Access Signature (SAS) token. 这不需要设备上的物理 TPM,但是服务要求按照 TPM 规范使用认可密钥来证明。This does not require a physical TPM on the device, but the service expects to attest using the endorsement key per the TPM spec.
  • 基于共享访问签名 (SAS) 安全令牌的“对称密钥”,包括哈希签名和嵌入的到期期限。Symmetric Key based on shared access signature (SAS) Security tokens, which include a hashed signature and an embedded expiration. 有关详细信息,请参阅对称密钥证明For more information, see Symmetric key attestation.

硬件安全模块Hardware security module

硬件安全模块(或称 HSM)用于安全的、基于硬件的设备机密存储,是最安全的机密存储形式。The hardware security module, or HSM, is used for secure, hardware-based storage of device secrets, and is the most secure form of secret storage. X.509 证书和 SAS 令牌都可以存储在 HSM 中。Both X.509 certificates and SAS tokens can be stored in the HSM. HSM 可以与预配服务支持的证明机制一起使用。HSMs can be used with both attestation mechanisms the provisioning service supports.

提示

我们强烈建议将 HSM 用于设备,以便安全地存储设备上的机密。We strongly recommend using an HSM with devices to securely store secrets on your devices.

设备机密也可以存储在软件(内存)中,但它是比 HSM 更不安全的存储形式。Device secrets may also be stored in software (memory), but it is a less secure form of storage than an HSM.

注册 IDRegistration ID

注册 ID 用于唯一标识设备预配服务中的设备。The registration ID is used to uniquely identify a device in the Device Provisioning Service. 设备 ID 在预配服务 ID范围中必须是唯一的。The device ID must be unique in the provisioning service ID scope. 每个设备必须具有注册 ID。Each device must have a registration ID. 注册 ID 是字母数字、不区分大小写,并可以包含特殊字符(包括冒号、句点、下划线和连字符)。The registration ID is alphanumeric, case insensitive, and may contain special characters including colon, period, underscore and hyphen.

  • 对于使用 TPM 的情况,注册 ID 由 TPM 本身提供。In the case of TPM, the registration ID is provided by the TPM itself.
  • 对于使用基于 X.509 证明的情况,提供注册 ID 作为证书的使用者名称。In the case of X.509-based attestation, the registration ID is provided as the subject name of the certificate.

设备 IDDevice ID

设备 ID 是设备在 IoT 中心中显示的 ID。The device ID is the ID as it appears in IoT Hub. 可以在注册项目中设置所需的设备 ID,但不需要进行设置。The desired device ID may be set in the enrollment entry, but it is not required to be set. 设置所需设备 ID 仅在单独注册中受支持。Setting the desired device ID is only supported in individual enrollments. 如果注册列表中未指定所需设备 ID,注册设备时将使用注册 ID 作为设备 ID。If no desired device ID is specified in the enrollment list, the registration ID is used as the device ID when registering the device. 详细了解 IoT 中心中的设备 IDLearn more about device IDs in IoT Hub.

ID 范围ID scope

ID 范围在由用户创建时分配给设备预配服务,用于唯一标识设备将通过其注册的特定预配服务。The ID scope is assigned to a Device Provisioning Service when it is created by the user and is used to uniquely identify the specific provisioning service the device will register through. ID 范围由服务生成且不可变,这保证了唯一性。The ID scope is generated by the service and is immutable, which guarantees uniqueness.

备注

唯一性对于长期运行的部署操作以及合并和收购方案而言非常重要。Uniqueness is important for long-running deployment operations and merger and acquisition scenarios.