I am trying to securely connect multiple devices (200+) to Microsoft Azure IoT Central. I have an Android app running API 19 that connects a single device via HTTPS to IoT Central.
I am following the tutorial for SAS group enrollment.
I understand that I need a connection string to connect to IoT Central which is composed of the underlying IoT Hub name, device primary key and device ID (which can be the device IMEI or something so that it can be auto generated).
However inserting the primary key for each device would require modifying the app for 200+ devices.
In order to auto generate the device primary key it can be derived from the SAS-IoT-Devices group master key by running: az iot central device compute-device-key --primary-key <enrollment group primary key> --device-id <device ID>
or in my case using Android Studio with the code:
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
private static final String HMAC_SHA256 = "HmacSHA256";
public static byte[] ComputeDerivedSymmetricKey(String masterKey, String registrationId) throws InvalidKeyException, NoSuchAlgorithmException
{
    // The enrollment group master key is Base64; decode it to the raw HMAC key bytes
    byte[] masterKeyBytes = com.microsoft.azure.sdk.iot.deps.util.Base64.decodeBase64Local(masterKey.getBytes(StandardCharsets.UTF_8));
    SecretKeySpec secretKey = new SecretKeySpec(masterKeyBytes, HMAC_SHA256);
    Mac hMacSha256 = Mac.getInstance(HMAC_SHA256);
    hMacSha256.init(secretKey);
    // Device key = Base64(HMAC-SHA256(masterKey, registrationId)); encode the ID as UTF-8 explicitly
    return com.microsoft.azure.sdk.iot.deps.util.Base64.encodeBase64Local(hMacSha256.doFinal(registrationId.getBytes(StandardCharsets.UTF_8)));
}
But this would expose the master key to all devices which could lead to a serious data breach.
I am wondering how I can securely generate the connection string without modifying the app 200+ times? (Storing the master key in a hardware security module is not really an option here)
Thanks so much!
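The derivation the question describes (Base64 of HMAC-SHA256 over the device ID, keyed with the Base64-decoded group master key, the same computation as az iot central device compute-device-key), run off-device as a provisioning step so that each device only ever receives its own derived key and connection string. This is an added example, not code from the question or from the Azure SDK; the hub hostname, the group key bytes and the device IDs below are constructed placeholders.

```python
import base64
import hashlib
import hmac


def derive_device_key(group_key_b64: str, device_id: str) -> str:
    """Return the per-device SAS key: Base64(HMAC-SHA256(group_key, device_id)).

    Mirrors the Java ComputeDerivedSymmetricKey above and the
    compute-device-key CLI command; the device ID (registration ID) is
    encoded as UTF-8 before hashing.
    """
    group_key = base64.b64decode(group_key_b64)
    digest = hmac.new(group_key, device_id.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def build_connection_string(hub_host: str, device_id: str, device_key: str) -> str:
    """Assemble the IoT Hub device connection string from its three parts."""
    return f"HostName={hub_host};DeviceId={device_id};SharedAccessKey={device_key}"


def provision(group_key_b64: str, hub_host: str, device_ids):
    """Compute one connection string per device on the provisioning side.

    Only the returned per-device strings are handed to the devices; the
    group master key never leaves this function's caller.
    """
    return {
        device_id: build_connection_string(
            hub_host, device_id, derive_device_key(group_key_b64, device_id)
        )
        for device_id in device_ids
    }


# Constructed sample input (not real credentials): a 32-byte group key,
# a placeholder hub hostname and a few IMEI-style device IDs.
SAMPLE_GROUP_KEY = base64.b64encode(bytes(range(32))).decode("ascii")
SAMPLE_HUB_HOST = "example-hub.azure-devices.net"  # assumed hostname
SAMPLE_DEVICE_IDS = ["490154203237518", "490154203237519", "490154203237520"]


if __name__ == "__main__":
    for device_id, conn in provision(SAMPLE_GROUP_KEY, SAMPLE_HUB_HOST, SAMPLE_DEVICE_IDS).items():
        print(device_id, conn)
```

Because HMAC is one-way, a device that holds only its derived key cannot recover the group master key or compute keys for other device IDs, which is the property the question is after; the derivation therefore belongs on the provisioning side, not in the app.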