Azure IoT Hub anti-spoofing


Question

Just read this thread

What I am still asking myself though is whether the IoT Hub does detect that there are multiple active connections that use the same deviceid and credentials? This could be the case if an attacker would steal the device auth key or the SAS token.

The anti-spoofing property ConnectionDeviceGenerationId does not seem to be used for this since:

generationId - An IoT hub-generated, case-sensitive string up to 128 characters long. This value is used to distinguish devices with the same deviceId, when they have been deleted and re-created.

Recommended answer

What I am still asking myself though is whether the IoT Hub does detect that there are multiple active connections that use the same deviceid and credentials?

For AMQP and HTTP, when sending Device-To-Cloud messages, multiple active connections using the same device id are able to work properly. But when receiving Cloud-To-Device messages it doesn't work.

But for MQTT, IoT Hub only supports one active MQTT connection per device. Any new MQTT connection on behalf of the same device ID causes IoT Hub to drop the existing connection.

Update:

IoT Hub allows devices to use the MQTT, MQTT over WebSocket, AMQP, AMQP over WebSocket, and HTTP protocols for device-side communications. The following table provides high-level recommendations for your choice of protocol:

| Protocol | When to use |
| --- | --- |
| MQTT (MQTT over WebSocket) | Use on all devices that do not require to connect multiple devices (each with its own per-device credentials) over the same TLS connection. |
| AMQP (AMQP over WebSocket) | Use on field and cloud gateways to take advantage of connection multiplexing across devices. |
| HTTP | Use for devices that cannot support other protocols. |
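One way to look for a shared device identity from the hub side, given the per-protocol behaviour described in the answer above. This is an added example, not code from the thread or from any Azure SDK: the event tuples are constructed, their layout is only loosely modelled on IoT Hub connection logs, and the reason labels, time window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, simplified from IoT Hub "Connections" log entries.
# Field names and the flattened layout are assumptions of this example.
EVENTS = [
    ("2024-05-01T10:00:00", "deviceConnect",    "pump-01",  "Mqtt", "203.0.113.XXX"),
    ("2024-05-01T10:00:40", "deviceConnect",    "pump-01",  "Mqtt", "198.51.100.XXX"),
    ("2024-05-01T10:00:41", "deviceDisconnect", "pump-01",  "Mqtt", "203.0.113.XXX"),
    ("2024-05-01T10:01:10", "deviceConnect",    "pump-01",  "Mqtt", "203.0.113.XXX"),
    ("2024-05-01T10:01:11", "deviceDisconnect", "pump-01",  "Mqtt", "198.51.100.XXX"),
    ("2024-05-01T10:02:00", "deviceConnect",    "gw-07",    "Amqp", "203.0.113.XXX"),
    ("2024-05-01T10:03:00", "deviceConnect",    "gw-07",    "Amqp", "192.0.2.XXX"),
    ("2024-05-01T10:04:00", "deviceConnect",    "valve-02", "Mqtt", "203.0.113.XXX"),
    ("2024-05-01T11:30:00", "deviceDisconnect", "valve-02", "Mqtt", "203.0.113.XXX"),
    ("2024-05-01T11:30:30", "deviceConnect",    "valve-02", "Mqtt", "203.0.113.XXX"),
]

def find_shared_identities(events, window=timedelta(minutes=5), min_connects=3):
    """Return {deviceId: set of reasons} for identities that look shared."""
    findings = defaultdict(set)
    connects = defaultdict(list)   # deviceId -> [(time, ip)] of recent MQTT connects
    open_ips = defaultdict(set)    # deviceId -> source IPs with an open session
    for ts, op, dev, proto, ip in sorted(events):
        t = datetime.fromisoformat(ts)
        if op == "deviceDisconnect":
            open_ips[dev].discard(ip)
            continue
        if proto.lower().startswith("mqtt"):
            # MQTT: each new connection evicts the old one, so two holders of
            # the same credentials show up as connect churn across sources.
            recent = [(u, i) for u, i in connects[dev] if t - u <= window] + [(t, ip)]
            connects[dev] = recent
            if len(recent) >= min_connects and len({i for _, i in recent}) > 1:
                findings[dev].add("mqtt-takeover-churn")
        elif open_ips[dev] - {ip}:
            # AMQP: per the answer, parallel connections keep working,
            # so an overlap of open sessions from different sources is the signal.
            findings[dev].add("concurrent-sessions")
        open_ips[dev].add(ip)
    return dict(findings)

if __name__ == "__main__":
    for device, reasons in find_shared_identities(EVENTS).items():
        print(device, sorted(reasons))
```

The sample addresses are written with the last octet masked, so two clients in the same /24 are indistinguishable to this check; a legitimately roaming device can also trip the MQTT rule and needs triage rather than automatic blocking.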
