
From the Azure development guide https://azure.microsoft.com/en-us/documentation/articles/iot-hub-devguide, there is a small section (shown below) talking about device anti-spoofing. It is not clear to me: it says IoT Hub stamps every message with properties, but to me device anti-spoofing means that IoT Hub stops receiving messages sent from any spoofed device. Please help explain how this works.

Anti-spoofing properties

To avoid device spoofing in device-to-cloud messages, IoT Hub stamps all messages with the following properties:

  • ConnectionDeviceId
  • ConnectionDeviceGenerationId
  • ConnectionAuthMethod
Shuping

1 Answer


In IoT Hub there is a device registry that is used to authorize devices to the gateway. After authentication, the device is checked against the registry.

When a device is registered with IoT Hub, the device's identity and key are saved in the device registry. This identity and key are what the device uses to authenticate to the service.

The generation ID is a key part of this too. When the device is first registered with IoT Hub, a generation ID is assigned to the device. The purpose of this is to distinguish between identity registrations of the same device ID (added, removed, and then later added).

If you're interested in a deeper dive into the IoT Hub architecture, see Clemens' 2015 Build talk here.

Rick Rainey
  • Hi @Rick, the link you provided is very helpful! I am still not very clear: by my understanding, anti-spoofing is something that verifies the originator of the message is not faked. In the IoT Hub case, if an attacker sends a message that mimics some other device, such as by using that device's ID, then anti-spoofing means that IoT Hub can identify that this message is not actually from the tagged device (by ID) but is spoofed. – Shuping Jan 19 '16 at 05:15
  • You could do that with Event Hubs (AFAIK). However, IoT Hub won't allow you to specify the device ID. Instead, it is stamped on the IoT Hub side based on the data from the authentication object associated with that session. – Rick Rainey Jan 19 '16 at 16:42
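As an added example (not from the question, the answer, or Microsoft's own SDK), here is how a back-end consumer can act on the stamped properties the answer and comments describe: it attributes each message only to the hub-stamped device ID, rejects bodies that claim a different ID, and ignores messages stamped with a generation ID from a previous registration of the same device ID. The message shape, the system-property key names and the registry values are assumed and constructed for this example.

```python
import json

# Constructed registry view kept by the back end: device ID -> generation ID of
# the identity currently registered in IoT Hub (values are made up here).
REGISTRY = {"thermostat-01": "636000000000000001", "pump-07": "636000000000000009"}

def evaluate(msg, registry=REGISTRY):
    """Trust only the hub-stamped properties; treat the body's deviceId as a claim.
    Returns (accepted, reason, device_id_to_attribute)."""
    props = msg["system_properties"]
    stamped_id = props.get("iothub-connection-device-id")
    stamped_gen = props.get("iothub-connection-auth-generation-id")
    auth = json.loads(props.get("iothub-connection-auth-method", "{}"))
    if not stamped_id or not stamped_gen:
        return False, "missing hub-stamped identity properties", None
    if auth.get("scope") != "device":
        return False, "connection was not authenticated as a device", None
    if registry.get(stamped_id) != stamped_gen:
        return False, "generation id belongs to a previous registration", None
    claimed = json.loads(msg["body"]).get("deviceId")
    if claimed is not None and claimed != stamped_id:
        return False, "body claims %s but hub stamped %s" % (claimed, stamped_id), None
    return True, "ok", stamped_id

def make_msg(device_id, gen, body, scope="device"):
    # Constructed message in the shape a consumer sees: hub-stamped system
    # properties (key names assumed) next to the raw body the device wrote.
    auth = json.dumps({"scope": scope, "type": "sas", "issuer": "iothub"})
    return {"system_properties": {"iothub-connection-device-id": device_id,
                                  "iothub-connection-auth-generation-id": gen,
                                  "iothub-connection-auth-method": auth},
            "body": json.dumps(body)}

SAMPLES = [
    # Honest device: stamped and claimed IDs agree, generation is current.
    make_msg("thermostat-01", "636000000000000001", {"deviceId": "thermostat-01", "temp": 21.5}),
    # pump-07 authenticated, but its body claims to be thermostat-01.
    make_msg("pump-07", "636000000000000009", {"deviceId": "thermostat-01", "temp": 99.0}),
    # Stamped with a generation ID from before the identity was deleted and re-added.
    make_msg("thermostat-01", "636000000000000000", {"temp": 20.0}),
    # Body carries no ID at all; attribution comes purely from the stamp.
    make_msg("pump-07", "636000000000000009", {"flow": 3.2}),
]

def run_samples():
    return [evaluate(m) for m in SAMPLES]

for accepted, reason, dev in run_samples():
    print("ACCEPT" if accepted else "REJECT", dev, reason)
```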