Device Authentication - IoT Platform - Alibaba Cloud Documentation Center

There are two ways of device authentication:

Unique-certificate-per-device: Burning a unique certificate (ProductKey, DeviceName and DeviceSecret) into each device.
Unique-certificate-per-product: Burning a same certificate (ProductKey, Product Secret) into all of the devices of a product, this method requires less mocifications to production line. Each device needs to have its own unique identifier and pre-upload it to the Alibaba Cloud IoT Platform, the platform will decide if it can accept a connection from a device based on its identifier.

Invoking IOT_Ioctl() to configure the authentication method:

/* Choose Login Method */
int dynamic_register = 1; /* 0: Do not use unique-certificate-per-product, 1: use unique-certificate-per-product */
IOT_Ioctl(IOTX_IOCTL_SET_DYNAMIC_REGISTER, (void *)&dynamic_register);

Implement unique-certificate-per-device authentication

You need to invoke IOT_Ioctl to set the authentication mode:

// for demo only
    /* Set the authentication mode */

    int dynamic_register = 0;
    IOT_Ioctl(IOTX_IOCTL_SET_DYNAMIC_REGISTER, (void *)&dynamic_register);

Implement unique-certificate-per-product authentication

unique-certificate-per-product just means the content (ProductKey, ProductSecret) burned into the devices of a product are same, it will use a process called dynamic-registration to obtain the DeviceSecret from IoT platform by using the unique identifier of a device, the unique identifier of the device can be its SN, MAC address, and this unique identifier will be treated as DeviceName.

After SDK obtains a device’s DeviceSecret from IoT platform, it will invoke HAL_SetDeviceSecret() to save the DeviceSecret, the device must keep this value in the Flash. DeviceSecret can’t be erased after a device got it through the dynamic-registation process, because the IoT platform will refuse to provide the DeviceSeret if the device has got its DeviceSecret.

If you want to use unique-certificate-per-product, simply call the following interfaces to enable the dynamic registration function.

/* Turn on the dynamic registration function */
int dynamic_register = 1; /* 1: Use unique-certificate-per-product */
IOT_Ioctl(IOTX_IOCTL_SET_DYNAMIC_REGISTER, (void *)&dynamic_register);

Example of unique-certificate-per-product authentication for Basic-Edition products

Visit Alibaba Clout IoT Platform, select the product and enable “Dynamic-Registration”:

Now create a new device under this product:

Open the Link Kit SDK, replace code like this:

#include "iot_import.h"
#include "iot_export.h"
#include "app_entry.h"

// To replace the values of PRODUCT_KEY, PRODUCT_SECRET, DEVICE_NAME
#define PRODUCT_KEY             "a1MZxOdcBnO"
#define PRODUCT_SECRET          "h4I4dneEFp7EImTv"
#define DEVICE_NAME             "Example_dyn1"

//And comment the DEVICE_SECRET
//#define DEVICE_SECRET           "t9GmMf2jb3LgWfXBaZD2r3aJrfVWBv56"

...
...
int main(int argc, char **argv)
{
    IOT_OpenLog("mqtt");
    IOT_SetLogLevel(IOT_LOG_DEBUG);

    user_argc = argc;
    user_argv = argv;
    HAL_SetProductKey(PRODUCT_KEY);
    HAL_SetProductSecret(PRODUCT_SECRET);
    HAL_SetDeviceName(DEVICE_NAME);
// Comment the setting to DeviceSecret, because we will get it from the IoT platform dynamically
    /* HAL_SetDeviceSecret(DEVICE_SECRET); */

    /* Choose Login Server */
    int domain_type = IOTX_CLOUD_DOMAIN_SH;
    IOT_Ioctl(IOTX_IOCTL_SET_DOMAIN, (void *)&domain_type);

    /* Enable Dynamic registration */
    int dynamic_register = 1;
    IOT_Ioctl(IOTX_IOCTL_SET_DYNAMIC_REGISTER, (void *)&dynamic_register);

    mqtt_client();
    IOT_DumpMemoryStats(IOT_LOG_DEBUG);
    IOT_CloseLog();

    EXAMPLE_TRACE("out of sample!") ;

    return 0;
}

After you compile the code, execute the sample program, the output will be like:

$./output/release/bin/mqtt-example
[inf] IOT_SetupConnInfo(114): DeviceSecret KV does not exist, Now We Need Dynamic Register...
[inf] _calc_dynreg_sign(61): Random Key: 7y4Jg5xdKCy9W2i
[inf] _calc_dynreg_sign(75): Sign: d3b560d5be0c9c19749470e85d912b65685fa4b20edcbd179ccfe98fcca23d5e
[inf] httpclient_common(794): host: 'iot-auth.cn-shanghai.aliyuncs.com', port: 443
...
...
...
[inf] _fetch_dynreg_http_resp(110): Http Response Payload: {"code":200,"data":{"deviceName":"Example_dyn1","deviceSecret":"KGQQFFlGinIipW9Xn7xQ5U6d6MokPZD4","productKey":"a1ExpAkj9Hi"},"message":"success"}
[inf] _fetch_dynreg_http_resp(127): Dynamic Register Code: 200
[inf] _fetch_dynreg_http_resp(148): Dynamic Register Device Secret: KGQQFFlGinIipW9Xn7xQ5U6d6MokPZD4
[inf] iotx_device_info_init(39): device_info created successfully!

...

[dbg] iotx_device_info_set(49): start to set device info!
[dbg] iotx_device_info_set(63): device_info set successfully!
[inf] guider_print_dev_guider_info(279): ....................................................
[inf] guider_print_dev_guider_info(280):           ProductKey : a1ExpAkj9Hi
[inf] guider_print_dev_guider_info(281):           DeviceName : Example_dyn1
[inf] guider_print_dev_guider_info(282):             DeviceID : a1ExpAkj9Hi.Example_dyn1
[inf] guider_print_dev_guider_info(284): ....................................................
[inf] guider_print_dev_guider_info(285):        PartnerID Buf : ,partner_id=example.demo.partner-id
[inf] guider_print_dev_guider_info(286):         ModuleID Buf : ,module_id=example.demo.module-id
[inf] guider_print_dev_guider_info(287):           Guider URL :
[inf] guider_print_dev_guider_info(289):       Guider SecMode : 2 (TLS + Direct)
[inf] guider_print_dev_guider_info(291):     Guider Timestamp : 2524608000000
[inf] guider_print_dev_guider_info(292): ....................................................
[inf] guider_print_dev_guider_info(298): ....................................................
[inf] guider_print_conn_info(256): -----------------------------------------
...
...
[inf] iotx_mc_connect(2502): mqtt connect success!

The preceding execution output indicates that the device has acquired the DeviceSecret using dynamic-registration.

(Device Secret): "KGQQFFlGinIipW9Xn7xQ5U6d6MokPZD4"

The SDK automatically calls HAL_Kv_Set to make it persistent, and SDK will get it from the Flash for the next time when the device connectes to the IoT Platform. If the user attempts to use the unique-certificate-per-product function on the same device for a second time, the cloud will return the following error:

[inf] _fetch_dynreg_http_resp(110): Http Response Payload: {"code":6289,"message":"device is already active"}

Support the Alibaba Cloud Link Platform for Smart Living

When networking is activated for overseas devices on the Alibaba Cloud Link Platform for Smart Living, they will be uniformly connected to the activation center in Singapore. The platform will automatically assign the devices to the nearest data nodes. For example, devices activated in the United States will automatically connect to the servers in the United States.

The SDK can support the Alibaba Cloud Link Platform for Smart Living mode by performing the following two configurations:

Change the FEATURE_MQTT_DIRECT of make.setting to n, which enables the https authentication mode
Configure the Singapore site as the connection site:

/* Choose Login Server */
    int domain_type = IOTX_CLOUD_REGION_SINGAPORE;
    IOT_Ioctl(IOTX_IOCTL_SET_REGION, (void *)&domain_type);