All Products
Document Center

Device Authentication

Last Updated: May 13, 2020

There are two ways of device authentication:

  • Unique-certificate-per-device:
    Burning a unique certificate (ProductKey, DeviceName and DeviceSecret) into each device.

  • Unique-certificate-per-product:
    Burning a same certificate (ProductKey, Product Secret) into all of the devices of a product, this method requires less mocifications to production line. Each device needs to have its own unique identifier and pre-upload it to the Alibaba Cloud IoT Platform, the platform will decide if it can accept a connection from a device based on its identifier.

Invoking IOT_Ioctl() to configure the authentication method:

  1. /* Choose Login Method */
  2. int dynamic_register = 1; /* 0: Do not use unique-certificate-per-product, 1: use unique-certificate-per-product */
  3. IOT_Ioctl(IOTX_IOCTL_SET_DYNAMIC_REGISTER, (void *)&dynamic_register);

Implement unique-certificate-per-device authentication

You need to invoke IOT_Ioctl to set the authentication mode:

  1. // for demo only
  2. /* Set the authentication mode */
  3. int dynamic_register = 0;
  4. IOT_Ioctl(IOTX_IOCTL_SET_DYNAMIC_REGISTER, (void *)&dynamic_register);

Implement unique-certificate-per-product authentication

unique-certificate-per-product just means the content (ProductKey, ProductSecret) burned into the devices of a product are same, it will use a process called dynamic-registration to obtain the DeviceSecret from IoT platform by using the unique identifier of a device, the unique identifier of the device can be its SN, MAC address, and this unique identifier will be treated as DeviceName.

After SDK obtains a device’s DeviceSecret from IoT platform, it will invoke HAL_SetDeviceSecret() to save the DeviceSecret, the device must keep this value in the Flash. DeviceSecret can’t be erased after a device got it through the dynamic-registation process, because the IoT platform will refuse to provide the DeviceSeret if the device has got its DeviceSecret.

If you want to use unique-certificate-per-product, simply call the following interfaces to enable the dynamic registration function.

  1. /* Turn on the dynamic registration function */
  2. int dynamic_register = 1; /* 1: Use unique-certificate-per-product */
  3. IOT_Ioctl(IOTX_IOCTL_SET_DYNAMIC_REGISTER, (void *)&dynamic_register);

Example of basic unique-certificate-per-product authentication

Visit the IoT Suite console, select the product to enable the unique-certificate-per-product function, and enter the Product Details as shown in the figure below:


As shown in the figure above, you can turn the Dynamic Registration switch to enable the unique-certificate-per-product function.

Now create a new device Example_dyn1 under this product:


Open the Link Kit SDK, replace the quadruple in the sample code (examples/mqtt/mqtt-example.c) with the quadruple of the device Example_dyn1, and use IOT_Ioctl to choose the unique-certificate-per-product:

  1. #if defined(SUPPORT_ITLS)
  2. ...
  3. ...
  4. #else
  5. #define PRODUCT_KEY "a1ExpAkj9Hi"
  6. #define PRODUCT_SECRET "ffFnFlKQW3HYjjPR"
  7. #define DEVICE_NAME "Example_dyn1"
  8. /* #define DEVICE_SECRET "ik0qF60vcdvStygvKOTs3xEUbVj6BbSR" */
  9. #endif
  10. #endif
  11. ...
  12. ...
  13. int main(int argc, char **argv)
  14. {
  15. IOT_OpenLog("mqtt");
  16. IOT_SetLogLevel(IOT_LOG_DEBUG);
  17. user_argc = argc;
  18. user_argv = argv;
  19. HAL_SetProductKey(PRODUCT_KEY);
  20. HAL_SetProductSecret(PRODUCT_SECRET);
  21. HAL_SetDeviceName(DEVICE_NAME);
  22. /* HAL_SetDeviceSecret(DEVICE_SECRET); */
  23. /* Choose Login Server */
  24. int domain_type = IOTX_CLOUD_DOMAIN_SH;
  25. IOT_Ioctl(IOTX_IOCTL_SET_DOMAIN, (void *)&domain_type);
  26. /* Choose Login Method */
  27. int dynamic_register = 1;
  28. IOT_Ioctl(IOTX_IOCTL_SET_DYNAMIC_REGISTER, (void *)&dynamic_register);
  29. mqtt_client();
  30. IOT_DumpMemoryStats(IOT_LOG_DEBUG);
  31. IOT_CloseLog();
  32. EXAMPLE_TRACE("out of sample!") ;
  33. return 0;
  34. }

After you compile the code, execute the sample program:

  1. $./output/release/bin/mqtt-example
  2. [inf] IOT_SetupConnInfo(114): DeviceSecret KV does not exist, Now We Need Dynamic Register...
  3. [inf] _calc_dynreg_sign(61): Random Key: 7y4Jg5xdKCy9W2i
  4. [inf] _calc_dynreg_sign(75): Sign: d3b560d5be0c9c19749470e85d912b65685fa4b20edcbd179ccfe98fcca23d5e
  5. [inf] httpclient_common(794): host: '', port: 443
  6. ...
  7. ...
  8. [dbg] httpclient_send_header(326): REQUEST (Length: 211 Bytes)
  9. > POST /auth/register/device HTTP/1.1
  10. > Host:
  11. > Accept: text/xml,text/javascript,text/html,application/json
  12. > Content-Length: 161
  13. > Content-Type: application/x-www-form-urlencoded
  14. >
  15. [dbg] httpclient_send_header(331): Written 211 bytes
  16. [dbg] httpclient_send_userdata(348): client_data->post_buf: productKey=a1ExpAkj9Hi&deviceName=Example_dyn1&random=7y4Jg5xdKCy9W2i&sign=d3b560d5be0c9c19749470e85d912b65685fa4b20edcbd179ccfe98fcca23d5e&signMethod=hmacsha256
  17. [dbg] httpclient_send_userdata(353): Written 161 bytes
  18. [dbg] httpclient_recv(393): 32 bytes have been read
  19. [dbg] httpclient_recv_response(769): RESPONSE (Length: 32 Bytes)
  20. < HTTP/1.1 200 OK
  21. < Server: Tengine
  22. ...
  23. ...
  24. [inf] _fetch_dynreg_http_resp(110): Http Response Payload: {"code":200,"data":{"deviceName":"Example_dyn1","deviceSecret":"KGQQFFlGinIipW9Xn7xQ5U6d6MokPZD4","productKey":"a1ExpAkj9Hi"},"message":"success"}
  25. [inf] _fetch_dynreg_http_resp(127): Dynamic Register Code: 200
  26. [inf] _fetch_dynreg_http_resp(148): Dynamic Register Device Secret: KGQQFFlGinIipW9Xn7xQ5U6d6MokPZD4
  27. [inf] iotx_device_info_init(39): device_info created successfully!
  28. [dbg] iotx_device_info_set(49): start to set device info!
  29. [dbg] iotx_device_info_set(63): device_info set successfully!
  30. [inf] guider_print_dev_guider_info(279): ....................................................
  31. [inf] guider_print_dev_guider_info(280): ProductKey : a1ExpAkj9Hi
  32. [inf] guider_print_dev_guider_info(281): DeviceName : Example_dyn1
  33. [inf] guider_print_dev_guider_info(282): DeviceID : a1ExpAkj9Hi.Example_dyn1
  34. [inf] guider_print_dev_guider_info(284): ....................................................
  35. [inf] guider_print_dev_guider_info(285): PartnerID Buf : ,partner_id=example.demo.partner-id
  36. [inf] guider_print_dev_guider_info(286): ModuleID Buf : ,module_id=example.demo.module-id
  37. [inf] guider_print_dev_guider_info(287): Guider URL :
  38. [inf] guider_print_dev_guider_info(289): Guider SecMode : 2 (TLS + Direct)
  39. [inf] guider_print_dev_guider_info(291): Guider Timestamp : 2524608000000
  40. [inf] guider_print_dev_guider_info(292): ....................................................
  41. [inf] guider_print_dev_guider_info(298): ....................................................
  42. [inf] guider_print_conn_info(256): -----------------------------------------
  43. ...
  44. ...
  45. [inf] iotx_mc_connect(2502): mqtt connect success!

The preceding execution output indicates that the device has acquired the DeviceSecret using unique-certificate-per-product authentication.

  1. (Device Secret): "KGQQFFlGinIipW9Xn7xQ5U6d6MokPZD4"

The SDK automatically calls HAL_Kv_Set to make it persistent. If the user attempts to use the unique-certificate-per-product function on the same device for a second time, the cloud will return the following error:

  1. [inf] _fetch_dynreg_http_resp(110): Http Response Payload: {"code":6289,"message":"device is already active"}

Support the Alibaba Cloud Link Platform for Smart Living

When networking is activated for overseas devices on the Alibaba Cloud Link Platform for Smart Living, they will be uniformly connected to the activation center in Singapore. The platform will automatically assign the devices to the nearest data nodes. For example, devices activated in the United States will automatically connect to the servers in the United States.

The SDK can support the Alibaba Cloud Link Platform for Smart Living mode by performing the following two configurations:

  1. Change the FEATURE_MQTT_DIRECT of make.setting to n, which enables the https authentication mode
  2. Configure the Singapore site as the connection site:
  1. /* Choose Login Server */
  2. int domain_type = IOTX_CLOUD_REGION_SINGAPORE;
  3. IOT_Ioctl(IOTX_IOCTL_SET_REGION, (void *)&domain_type);