IoT Platform: Overview

Last Updated: Sep 07, 2023

Before a device can be connected to IoT Platform, the device must pass identity verification. IoT Platform supports device verification by using a DeviceSecret, an IoT Device ID, or an X.509 certificate.

Use DeviceSecrets to verify devices

When you create a product, set the Authentication Mode parameter to Device Secret. When you add a device to the product, IoT Platform issues a ProductSecret and a DeviceSecret to the device. When you connect the device to IoT Platform, IoT Platform verifies the device by using the ProductKey and DeviceSecret of the device.

IoT Platform supports various verification methods to meet the requirements of different environments.

  • Unique-certificate-per-device verification: A device certificate is burned to each device. The device certificate includes a ProductKey, a DeviceName, and a DeviceSecret. For more information, see Unique-certificate-per-device verification.

  • Pre-registration unique-certificate-per-product verification: A product certificate is burned to all devices of a product. The product certificate includes a ProductKey and a ProductSecret. For more information, see Unique-certificate-per-product verification. Enable the dynamic registration feature for the product, and then use the feature to obtain a DeviceSecret for a device.

  • Preregistration-free unique-certificate-per-product verification: A product certificate is burned to all devices of a product. The product certificate includes a ProductKey and a ProductSecret. For more information, see Unique-certificate-per-product verification. Enable the dynamic registration feature for the product, and then use the feature to obtain a combination of the ClientID and DeviceToken.

  • Dynamic registration for sub-devices: After a sub-device connects to IoT Platform by using a gateway, you can use the dynamic registration feature to obtain a DeviceSecret for the sub-device. For more information, see MQTT-based dynamic registration for sub-devices.

Each of the preceding verification methods has its own advantages in terms of accessibility and security. You can select a verification method based on the security requirements of the device and the actual production conditions. The following table describes the differences among the preceding methods.

Table 1. Differences among the verification methods

| Item | Unique-certificate-per-device verification | Pre-registration unique-certificate-per-product verification | Preregistration-free unique-certificate-per-product verification | Dynamic registration for sub-devices |
|---|---|---|---|---|
| Information burned to the device | ProductKey, DeviceName, and DeviceSecret | ProductKey and ProductSecret | ProductKey and ProductSecret | ProductKey |
| Enable dynamic registration in IoT Platform | Not required. By default, the dynamic registration feature is enabled. | Required | Required | Required |
| Create a device in IoT Platform and register the DeviceName | Required. Make sure that the DeviceName is unique in a product. | Required. Make sure that the DeviceName is unique in a product. | Not required. | Required. Make sure that the DeviceName is unique in a product. |
| Certificate burning requirement | Burn a unique device certificate to each device. Ensure the security of each device certificate. | Burn the same product certificate to all devices of a product. Make sure that the product certificate is securely stored. | Burn the same product certificate to all devices of a product. Make sure that the product certificate is securely stored. | • A gateway can obtain the ProductKeys of all sub-devices over an on-premises network. • Burn the ProductKey of each sub-device on the gateway. |
| Security | High | Moderate | Moderate | Moderate |
| Upper limit for registrations | The limit varies based on the product, instance, or Alibaba Cloud account that you use to connect a device to IoT Platform. For more information, see Limits. | The limit varies based on the product, instance, or Alibaba Cloud account that you use to connect a device to IoT Platform. For more information, see Limits. | The limit varies based on the product, instance, or Alibaba Cloud account that you use to connect a device to IoT Platform. For more information, see Limits. | Up to 1,500 sub-devices can be registered in a gateway. |
| Other external dependencies | Not supported | Not supported | Not supported | Gateway security. |

Use X.509 certificates for verification

X.509 is a digital certificate standard that is formulated by the International Telecommunication Union-Telecommunication Standardization Sector (ITU-T) and has a verification mechanism for communication entities. Only devices that are connected to an IoT Platform Exclusive Enterprise Edition instance by using a gateway can be verified by using X.509 certificates.

For more information, see Use X.509 certificates to verify devices.

Use MQTT parameters for device verification

If you use a self-developed Message Queuing Telemetry Transport (MQTT) tool to connect a device to IoT Platform, specify the following MQTT parameters for verification: username, passwd, and mqttClientId. You can use the value of the deviceSecret parameter to obtain MQTT parameters for signature verification. For more information, see How do I obtain MQTT parameters for verification?
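
The following added example (not code from this page or from Alibaba Cloud) shows how the three MQTT parameters can be derived from a DeviceSecret, and how a verifier can check them without the secret ever crossing the network. The signed-field layout, the `securemode` and `signmethod` values, and all credentials are assumptions modelled on the MQTT connection format described in the linked article; confirm them there before use.

```python
import hashlib
import hmac

# Constructed sample credentials (placeholders, not real device values).
PRODUCT_KEY = "a1ExamplePK"
DEVICE_NAME = "sensor-001"
DEVICE_SECRET = "constructed-device-secret"


def sign_content(client_id, device_name, product_key, timestamp=None):
    """Concatenate the signed fields as key+value pairs, sorted by key name."""
    fields = {"clientId": client_id, "deviceName": device_name,
              "productKey": product_key}
    if timestamp is not None:
        fields["timestamp"] = str(timestamp)
    return "".join(k + fields[k] for k in sorted(fields))


def mqtt_params(product_key, device_name, device_secret, client_id,
                timestamp, secure_mode=2):
    """Derive the MQTT CONNECT fields; the secret is only used as the HMAC key.

    secure_mode=2 is assumed to mean a TLS connection.
    """
    content = sign_content(client_id, device_name, product_key, timestamp)
    passwd = hmac.new(device_secret.encode(), content.encode(),
                      hashlib.sha256).hexdigest()
    return {
        "mqttClientId": f"{client_id}|securemode={secure_mode},"
                        f"signmethod=hmacsha256,timestamp={timestamp}|",
        "username": f"{device_name}&{product_key}",
        "passwd": passwd,
    }


def verify(params, lookup_secret):
    """Verifier side: recompute the HMAC and compare in constant time."""
    client_id, _, raw = params["mqttClientId"].partition("|")
    opts = dict(kv.split("=", 1) for kv in raw.strip("|").split(",") if "=" in kv)
    device_name, _, product_key = params["username"].partition("&")
    secret = lookup_secret(product_key, device_name)
    if secret is None or opts.get("signmethod") != "hmacsha256":
        return False  # unknown device, or a signing method we do not accept
    content = sign_content(client_id, device_name, product_key,
                           opts.get("timestamp"))
    expected = hmac.new(secret.encode(), content.encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, params["passwd"].lower())
```

Because the signature is keyed with a per-device secret, a leaked DeviceSecret lets someone impersonate only that one device, which is why the table rates unique-certificate-per-device verification higher than the shared product certificate methods.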