Before a device can be connected to IoT Platform, the device must pass identity verification. IoT Platform supports device verification by using a DeviceSecret, an IoT Device ID, or an X.509 certificate.
Use DeviceSecrets to verify devices
When you create a product, set the Authentication Mode parameter to Device Secret. When you add a device to the product, IoT Platform issues a ProductSecret and a DeviceSecret to the device. When you connect the device to IoT Platform, IoT Platform verifies the device by using the ProductKey and DeviceSecret of the device.
IoT Platform supports various verification methods to meet the requirements of different environments.
Unique-certificate-per-device verification: A device certificate is burned to each device. The device certificate includes a ProductKey, a DeviceName, and a DeviceSecret. For more information, see Unique-certificate-per-device verification.
Pre-registration unique-certificate-per-product verification: A product certificate is burned to all devices of a product. The product certificate includes a ProductKey and a ProductSecret. Enable the dynamic registration feature for the product, and then use the feature to obtain a DeviceSecret for a device whose DeviceName has already been created in IoT Platform. For more information, see Unique-certificate-per-product verification.
Preregistration-free unique-certificate-per-product verification: A product certificate is burned to all devices of a product. The product certificate includes a ProductKey and a ProductSecret. Enable the dynamic registration feature for the product, and then use the feature to obtain a combination of the ClientID and DeviceToken; no DeviceName needs to be created in IoT Platform beforehand. For more information, see Unique-certificate-per-product verification.
Dynamic registration for sub-devices: After a sub-device connects to IoT Platform by using a gateway, you can use the dynamic registration feature to obtain a DeviceSecret for the sub-device. For more information, see MQTT-based dynamic registration for sub-devices.
Each of the preceding verification methods trades off ease of deployment against security in its own way. Select a method based on the security requirements of the device and the conditions of your production line. The following table describes the differences among the methods.
Item | Unique-certificate-per-device verification | Pre-registration unique-certificate-per-product verification | Preregistration-free unique-certificate-per-product verification | Dynamic registration for sub-devices |
Information burned to the device | ProductKey, DeviceName, and DeviceSecret | ProductKey and ProductSecret | ProductKey and ProductSecret | ProductKey |
Enable dynamic registration in IoT Platform | Not required. By default, the dynamic registration feature is enabled. | Required | Required | Required |
Create a device in IoT Platform and register the DeviceName | Required. Make sure that the DeviceName is unique in a product. | Required. Make sure that the DeviceName is unique in a product. | Not required. | Required. Make sure that the DeviceName is unique in a product. |
Certificate burning requirement | Burn a unique device certificate to each device. Ensure the security of each device certificate. | Burn the same product certificate to all devices of a product. Make sure that the product certificate is securely stored. | Burn the same product certificate to all devices of a product. Make sure that the product certificate is securely stored. | |
Security | High | Moderate | Moderate | Moderate |
Upper limit for registrations | The limit varies based on the product, instance, or Alibaba Cloud account that you use to connect a device to IoT Platform. For more information, see Limits. | The limit varies based on the product, instance, or Alibaba Cloud account that you use to connect a device to IoT Platform. For more information, see Limits. | The limit varies based on the product, instance, or Alibaba Cloud account that you use to connect a device to IoT Platform. For more information, see Limits. | Up to 1,500 sub-devices can be registered in a gateway. |
Other external dependencies | Not supported | Not supported | Not supported | Gateway security. |
Use X.509 certificates for verification
X.509 is a digital certificate standard formulated by the International Telecommunication Union-Telecommunication Standardization Sector (ITU-T) that provides a mechanism for verifying the identity of communicating entities. Only devices that are connected to an IoT Platform Exclusive Enterprise Edition instance by using a gateway can be verified by using X.509 certificates.
For more information, see Use X.509 certificates to verify devices.
Use MQTT parameters for device verification
If you use a self-developed Message Queuing Telemetry Transport (MQTT) client to connect a device to IoT Platform, you must supply three MQTT parameters for verification: username, passwd, and mqttClientId. These parameters are derived from the device's DeviceSecret, which is used to compute the signature that IoT Platform checks. For more information, see How do I obtain MQTT parameters for verification?
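As an added example (not the page's or the platform's own code), the following shows how a device derives the three MQTT parameters from its DeviceSecret and how the server side recomputes and checks that signature, so that the DeviceSecret itself is never sent over the connection. The exact signed-field order, the `securemode=2` meaning and the `signmethod`/`timestamp` suffix on the client ID are assumptions to check against the linked FAQ; `lookup_secret` stands in for the platform's device registry and every sample value is constructed.

```python
import hashlib
import hmac
import time

# Assumed signing scheme (verify against the platform FAQ the page links): the signed content
# is the clientId, deviceName, productKey and timestamp fields sorted by name and joined as
# name+value; the HMAC key is the DeviceSecret, which itself never travels over the wire.
SIGN_METHODS = {"hmacsha1": hashlib.sha1, "hmacsha256": hashlib.sha256}

def build_mqtt_credentials(product_key, device_name, device_secret, client_id,
                           timestamp=None, sign_method="hmacsha256"):
    """Device side: derive username, passwd and mqttClientId from the device triple."""
    if timestamp is None:
        timestamp = str(int(time.time() * 1000))  # milliseconds as a decimal string
    params = {"clientId": client_id, "deviceName": device_name,
              "productKey": product_key, "timestamp": timestamp}
    content = "".join(name + params[name] for name in sorted(params))
    passwd = hmac.new(device_secret.encode(), content.encode(),
                      SIGN_METHODS[sign_method]).hexdigest()
    # securemode=2 is assumed here to denote a TLS connection
    mqtt_client_id = f"{client_id}|securemode=2,signmethod={sign_method},timestamp={timestamp}|"
    return {"username": f"{device_name}&{product_key}",
            "passwd": passwd, "mqttClientId": mqtt_client_id}

def verify_mqtt_credentials(username, passwd, mqtt_client_id, lookup_secret,
                            now_ms=None, max_skew_ms=5 * 60 * 1000):
    """Server side: recompute the signature with the stored DeviceSecret and compare it in
    constant time. Malformed, stale, unknown-device or mismatching credentials all fail."""
    device_name, sep, product_key = username.partition("&")
    parts = mqtt_client_id.split("|")
    if not sep or len(parts) != 3 or parts[2] != "":
        return False
    client_id, opts = parts[0], parts[1]
    try:
        fields = dict(item.split("=", 1) for item in opts.split(","))
    except ValueError:
        return False  # an option without "=" means a malformed client ID
    sign_method = fields.get("signmethod", "hmacsha1")
    timestamp = fields.get("timestamp", "")
    if sign_method not in SIGN_METHODS or not timestamp.isdigit():
        return False
    if now_ms is not None and abs(now_ms - int(timestamp)) > max_skew_ms:
        return False  # outside the freshness window: treat as replayed or badly skewed
    secret = lookup_secret(product_key, device_name)
    if secret is None:
        return False  # DeviceName not registered under this ProductKey
    expected = build_mqtt_credentials(product_key, device_name, secret, client_id,
                                      timestamp, sign_method)["passwd"]
    return hmac.compare_digest(expected, passwd.lower())
```

Because only the HMAC output is transmitted, an eavesdropper on a non-TLS link learns a per-connection signature but not the DeviceSecret, and the freshness check limits how long a captured signature remains usable.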