Secure your Internet of Things (IoT) deployment

This article provides the next level of detail for securing the Azure IoT-based Internet of Things (IoT) infrastructure. It links to implementation-level details for configuring and deploying each component. It also provides comparisons and choices between various competing methods.

Securing the Azure IoT deployment can be divided into the following three security areas:

  • Device Security: Securing the IoT device while it is deployed in the wild.

  • Connection Security: Ensuring all data transmitted between the IoT device and IoT Hub is confidential and tamper-proof.

  • Cloud Security: Providing a means to secure data while it moves through, and is stored in, the cloud.

Figure: the three security areas

Secure device provisioning and authentication

The IoT solution accelerators secure IoT devices using the following two methods:

  • By providing a unique identity key (security tokens) for each device, which the device uses to communicate with IoT Hub.

  • By using an on-device X.509 certificate and private key as a means to authenticate the device to IoT Hub. This authentication method ensures that the private key on the device is never known outside the device, providing a higher level of security.

The security token method provides authentication for each call made by the device to IoT Hub by associating the symmetric key with each call. X.509-based authentication allows authentication of an IoT device at the physical layer as part of the TLS connection establishment. The security-token-based method can be used without X.509 authentication, which is a less secure pattern. The choice between the two methods is primarily dictated by how secure the device authentication needs to be, and by the availability of secure storage on the device (to store the private key securely).

IoT Hub security tokens

IoT Hub uses security tokens to authenticate devices and services, so that keys are never sent on the network. Additionally, security tokens are limited in time validity and scope. The Azure IoT SDKs automatically generate tokens without requiring any special configuration. Some scenarios, however, require the user to generate and use security tokens directly. These scenarios include the direct use of the MQTT, AMQP, or HTTP surfaces, or the implementation of the token service pattern.

More details on the structure of the security token and its usage can be found in the following articles:

Each IoT Hub has an identity registry that can be used to create per-device resources in the service, such as a queue that contains in-flight cloud-to-device messages, and to allow access to the device-facing endpoints. The IoT Hub identity registry provides secure storage of device identities and security keys for a solution. Individual or groups of device identities can be added to an allow list or a block list, enabling complete control over device access. The following articles provide more details on the structure of the identity registry and supported operations.

IoT Hub supports protocols such as MQTT, AMQP, and HTTP. Each of these protocols carries the security token from the IoT device to IoT Hub differently:

  • AMQP: SASL PLAIN and AMQP Claims-based security ({policyName}@sas.root.{iothubName} with IoT hub-level tokens; {deviceId} with device-scoped tokens).

  • MQTT: The CONNECT packet uses {deviceId} as the {ClientId}, {IoThubhostname}/{deviceId} in the Username field, and a SAS token in the Password field.

  • HTTP: A valid token is sent in the Authorization request header.

The IoT Hub identity registry can be used to configure per-device security credentials and access control. However, if an IoT solution already has a significant investment in a custom device identity registry and/or authentication scheme, it can be integrated with IoT Hub on top of that existing infrastructure by creating a token service.
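As an added example (not code from the original article or from the Azure IoT SDKs), the following Python builds and verifies IoT Hub shared access signature tokens in their documented format (the URL-encoded resource URI and expiry, signed with HMAC-SHA256 under the base64-decoded key), distinguishes device-scoped tokens from hub-level policy tokens, and assembles the MQTT CONNECT fields described above; the verifier models the check a token service would perform. The hub name, device id and keys are constructed sample values.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote

# Constructed sample values: not a real hub, device, or credential.
HUB_HOST = "example-hub.azure-devices.net"
DEVICE_KEY = base64.b64encode(b"constructed-device-key-32-bytes!").decode()
POLICY_KEY = base64.b64encode(b"constructed-service-policy-key!!").decode()


def generate_sas_token(resource_uri, key_b64, expiry, policy_name=None):
    """Sign '<url-encoded resource URI>' + newline + '<expiry>' with HMAC-SHA256
    under the base64-decoded key. Device-scoped tokens omit skn; hub-level
    tokens name the shared access policy in skn."""
    encoded_uri = quote(resource_uri, safe="")
    to_sign = f"{encoded_uri}\n{expiry}".encode()
    digest = hmac.new(base64.b64decode(key_b64), to_sign, hashlib.sha256).digest()
    sig = quote(base64.b64encode(digest).decode(), safe="")
    token = f"SharedAccessSignature sr={encoded_uri}&sig={sig}&se={expiry}"
    return token + (f"&skn={policy_name}" if policy_name else "")


def device_token(device_id, key_b64, ttl_seconds=3600, now=None):
    """Device-scoped token: the resource is the device's own /devices/{deviceId} path."""
    now = int(time.time()) if now is None else now
    return generate_sas_token(f"{HUB_HOST}/devices/{device_id}", key_b64, now + ttl_seconds)


def mqtt_connect_fields(device_id, key_b64, now=None):
    """ClientId, Username and Password as the MQTT CONNECT packet carries them."""
    return {"client_id": device_id,
            "username": f"{HUB_HOST}/{device_id}",
            "password": device_token(device_id, key_b64, now=now)}


def verify_sas_token(token, key_b64, now):
    """Token-service side: recompute the signature, compare in constant time, reject expired."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    fields = parse_qs(token[len(prefix):])
    try:
        resource_uri, expiry = fields["sr"][0], int(fields["se"][0])
    except (KeyError, ValueError):
        return False
    if now >= expiry:
        return False
    policy_name = fields.get("skn", [None])[0]
    expected = generate_sas_token(resource_uri, key_b64, expiry, policy_name)
    return hmac.compare_digest(expected, token)
```

Keep device token lifetimes short: a device-scoped token is bound to one /devices/{deviceId} resource, so a leaked token is limited in both scope and time.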

X.509 certificate-based device authentication

The use of a device-based X.509 certificate and its associated private and public key pair allows additional authentication at the physical layer. The private key is stored securely in the device and is not discoverable outside the device. The X.509 certificate contains information about the device, such as the device ID, and other organizational details. The certificate's signature is generated by using the private key.

High-level device provisioning flow:

  • Associate an identifier with a physical device: a device identity and/or X.509 certificate is associated with the device during device manufacturing or commissioning.
  • Create a corresponding identity entry in IoT Hub: the device identity and associated device information are recorded in the IoT Hub identity registry.
  • Securely store the X.509 certificate thumbprint in the IoT Hub identity registry.

Root certificate on device

While establishing a secure TLS connection with IoT Hub, the IoT device authenticates IoT Hub using a root certificate that is part of the device SDK. For the C client SDK, the certificate is located under the folder "\c\certs" under the root of the repo. Though these root certificates are long-lived, they may still expire or be revoked. If there is no way of updating the certificate on the device, the device may subsequently be unable to connect to IoT Hub (or any other cloud service). Having a means to update the root certificate once the IoT device is deployed effectively mitigates this risk.

Securing the connection

The Internet connection between the IoT device and IoT Hub is secured using the Transport Layer Security (TLS) standard. Azure IoT supports TLS 1.2, TLS 1.1, and TLS 1.0, in that order of preference. Support for TLS 1.0 is provided for backward compatibility only. If possible, use TLS 1.2, as it provides the most security.
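As an added example (not code from the original article or from the Azure IoT SDKs), this Python builds the client-side TLS context a device would use to connect to IoT Hub: it refuses TLS 1.0 and 1.1, requires hub certificate verification against a trusted root bundle (the counterpart of the root certificate shipped in the SDK's certs folder), and optionally loads the device's X.509 certificate and private key for certificate-based authentication. The file paths are placeholders supplied by the caller.

```python
import ssl


def iot_hub_client_context(root_ca_path=None, device_cert_path=None, device_key_path=None):
    """TLS context for a device connecting to IoT Hub.

    root_ca_path: PEM bundle the device trusts to authenticate the hub; None
        falls back to the OS trust store. A missing file raises (OSError)
        rather than silently weakening verification, which is the failure
        mode to watch for when root certificates are rotated in the field.
    device_cert_path / device_key_path: optional X.509 device certificate and
        private key (hypothetical paths) for certificate-based device auth.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=root_ca_path)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.0 and 1.1 are never offered
    ctx.check_hostname = True                     # hub name must match its certificate
    ctx.verify_mode = ssl.CERT_REQUIRED           # an unauthenticated hub is rejected
    if device_cert_path:
        ctx.load_cert_chain(device_cert_path, device_key_path)
    return ctx


def rejects_legacy_tls(ctx):
    """True when the context cannot negotiate TLS 1.0 or 1.1."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def minimum_tls_version_name(ctx):
    """Name of the lowest protocol version the context will accept."""
    return ctx.minimum_version.name
```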

Securing the cloud

Azure IoT Hub allows access control policies to be defined for each security key. It uses the following set of permissions to grant access to each of IoT Hub's endpoints. Permissions limit access to an IoT Hub based on functionality.

  • RegistryRead. Grants read access to the identity registry. For more information, see identity registry.

  • RegistryReadWrite. Grants read and write access to the identity registry. For more information, see identity registry.

  • ServiceConnect. Grants access to cloud service-facing communication and monitoring endpoints. For example, it grants permission to back-end cloud services to receive device-to-cloud messages, send cloud-to-device messages, and retrieve the corresponding delivery acknowledgments.

  • DeviceConnect. Grants access to device-facing endpoints. For example, it grants permission to send device-to-cloud messages and receive cloud-to-device messages. This permission is used by devices.

There are two ways to obtain DeviceConnect permissions with IoT Hub using security tokens: with a device identity key, or with a shared access key. Moreover, it is important to note that all functionality accessible from devices is, by design, exposed only on endpoints with the prefix /devices/{deviceId}.

Service components can only generate security tokens using shared access policies that grant the appropriate permissions.

Azure IoT Hub and other services that may be part of the solution allow management of users through Azure Active Directory.

Data ingested by Azure IoT Hub can be consumed by a variety of services, such as Azure Stream Analytics and Azure blob storage. These services allow access to be managed. Read more about these services and the available options:

  • Azure Cosmos DB: A scalable, fully indexed database service for semi-structured data that manages metadata for the devices you provision, such as attributes, configuration, and security properties. Azure Cosmos DB offers high-performance and high-throughput processing, schema-agnostic indexing of data, and a rich SQL query interface.
  • Azure Stream Analytics: Real-time stream processing in the cloud that enables you to rapidly develop and deploy a low-cost analytics solution to uncover real-time insights from devices, sensors, infrastructure, and applications. The data from this fully managed service can scale to any volume while still achieving high throughput, low latency, and resiliency.
  • Azure App Services: A cloud platform to build powerful web and mobile apps that connect to data anywhere, in the cloud or on-premises. Build engaging mobile apps for iOS, Android, and Windows. Integrate with your Software as a Service (SaaS) and enterprise applications with out-of-the-box connectivity to dozens of cloud-based services and enterprise applications. Code in your favorite language and IDE (.NET, Node.js, PHP, Python, or Java) to build web apps and APIs faster than ever.
  • [Logic Apps][lnk-logicapps]: The Logic Apps feature of Azure App Service helps integrate your IoT solution with your existing line-of-business systems and automate workflow processes. Logic Apps enables developers to design workflows that start from a trigger and then execute a series of steps: rules and actions that use powerful connectors to integrate with your business processes. Logic Apps offers out-of-the-box connectivity to a vast ecosystem of SaaS, cloud-based, and on-premises applications.
  • Azure blob storage: Reliable, economical cloud storage for the data that your devices send to the cloud.

Conclusion

This article provides an overview of implementation-level details for designing and deploying an IoT infrastructure using Azure IoT. Configuring each component to be secure is key to securing the overall IoT infrastructure. The design choices available in Azure IoT provide some level of flexibility and choice; however, each choice may have security implications. It is recommended that each of these choices be evaluated through a risk/cost assessment.

See also

To further explore the capabilities of IoT Hub, see: