AWS IoT Core credential provider requires private key to be sent

0

I was reading through these docs and noticed that the steps to request a security token require the client to send its private key to the credential provider service.

curl --cert <your certificate> --key <your device certificate key pair> -H "x-amzn-iot-thingname: <your thing name>" --cacert AmazonRootCA1.pem https://<your endpoint>/role-aliases/<your role alias>/credentials

This is mentioned in these docs:
https://docs.aws.amazon.com/iot/latest/developerguide/authorizing-direct-aws.html
https://aws.amazon.com/blogs/security/how-to-eliminate-the-need-for-hardcoded-aws-credentials-in-devices-by-using-the-aws-iot-credentials-provider/

Looking at it superficially, I would think this is a security flaw and would defeat the purpose of using asymmetric keys in the first place.

Any help to help me understand what is going on is greatly appreciated.

1 Answer
0
Accepted Answer

Hi,

The private key is never sent to the Credential Provider. It is used to establish a mutual (mTLS) connection with the endpoint. That gives Credential Provider the ability to verify the presented X.509 certificates.

AWS
Gavin_A
answered a year ago
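The answer's point can be checked in code. The following Go program is an added example written for this page (not AWS code and not from the linked docs): a stand-in for the credentials-provider endpoint listens on loopback, refuses any connection that does not present a client certificate it trusts, and reports the device certificate's subject once the handshake completes. All names and certificates are constructed in memory; the device private key is only handed to the TLS stack, which uses it locally to sign the handshake's CertificateVerify message, so no part of it is ever written to the connection.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)
func check(err error) { if err != nil { panic(err) } } // demo-only error handling
// selfSigned builds a throwaway self-signed certificate and key in memory (constructed test material, not an AWS-issued device certificate).
func selfSigned(cn string) tls.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	check(err)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}
// MTLSRoundTrip plays the credentials-provider request over loopback: the server demands a
// client certificate, verifies it against its trust pool, and reports the thing name it saw.
func MTLSRoundTrip(thingName string) string {
	server, device := selfSigned("credentials-provider"), selfSigned(thingName)
	trustDevice, trustServer := x509.NewCertPool(), x509.NewCertPool()
	trustDevice.AddCert(device.Leaf)
	trustServer.AddCert(server.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trustDevice, SessionTicketsDisabled: true}) // mTLS: a verified client cert is mandatory; no post-handshake data
	check(err)
	defer ln.Close()
	go func() { // device side: its key only signs the handshake's CertificateVerify; it is never transmitted
		c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: []tls.Certificate{device}, RootCAs: trustServer})
		check(err)
		c.Close()
	}()
	c, err := ln.Accept()
	check(err)
	defer c.Close()
	check(c.(*tls.Conn).Handshake()) // fails here if the device presents no certificate or an untrusted one
	return c.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName
}
```

Swapping the device certificate for one the server pool does not contain makes the server-side Handshake fail, which is the RequireAndVerifyClientCert check doing the same job the credentials provider does with the registered device certificate.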
