
04. Tencent cloud IOT device side learning - network connection and device authentication

2022-06-24 16:55:00 fancyxu

This series records my learning notes on the Tencent Cloud IoT device side and supplements the documentation of the device-side SDK.

Network connections

MQTT runs over a reliable transport, usually plain TCP or TCP+TLS. For TLS, two authentication modes are available: PSK-based authentication and certificate-based authentication.

The Tencent Cloud IoT C SDK adapts to the different underlying transports through its network layer, in three main categories:

  • TLS: the SDK is mainly adapted to the mbedtls interfaces; to use TLS access, port mbedtls to the device.
  • TCP socket: plain-TCP access mostly goes through a socket interface; TCP access is implemented by adapting the HAL layer's socket interface.
  • AT: for devices driven by AT commands (a serial-attached cellular or Wi-Fi module, for example), the SDK also provides a generic AT framework; access is implemented by adapting the underlying AT command set.

Because security is involved, most deployments use the mbedtls (TLS) access mode, which requires a mbedtls port on the device. Fortunately the mbedtls port is mature and not complicated.

Figure: C SDK network design

Device access authentication

By device type, there are two categories:

  • PSK devices:
    • TCP: for plain TCP connections, key authentication is used: the device PSK is used to derive the MQTT username and password that authenticate the device at CONNECT time. See the key-authentication device access guide. Note that without TLS the MQTT traffic after CONNECT is neither encrypted nor integrity-protected, so this mode only authenticates the connection, it does not protect the data.
    • TCP+TLS+PSK: the TLS handshake authenticates the device and derives the session keys from the PSK using the TLS_PSK_WITH_AES_128_CBC_SHA or TLS_PSK_WITH_AES_256_CBC_SHA cipher suite; the offered suites can be seen by capturing the Client Hello.
Figure: TLS+PSK
  • Certificate devices: authenticate with a TLS client certificate; the certificate exchange can be seen in the TLS handshake in a packet capture.

Figure: TLS+CERT

Other authentication

Besides device access authentication, Tencent Cloud IoT uses several other authentication flows. They are only summarized here; a general understanding is enough. The main ones are:

  • Device log upload authentication: the device PSK or certificate key pair is used to sign the timestamp and the log content with hmac_sha1.
  • Dynamic registration authentication: the product key (note: the product PSK, not the device PSK) is used to compute hmac_sha1 over the device information, a random number and the timestamp.
  • Dynamic binding authentication of sub-devices: the sub-device PSK or certificate key pair is used to compute hmac_sha1 over the device information, a random number and the timestamp.

For ease of device implementation and code reuse, most of these authentication schemes look alike: the key is used to compute an HMAC over the device information, random number, timestamp and any other fields, producing a message authentication code; the server recomputes the MAC with the same key and thereby confirms that the message came from the device. The random number and timestamp are what let the server reject replayed messages, so the server must check both (a freshness window on the timestamp and uniqueness of the random number) rather than the MAC alone.
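The following is an added example, not code from the original post or from the Tencent Cloud SDK, showing the shared pattern above end to end: the device signs its identity, a nonce and a timestamp with its PSK, and the server recomputes the MAC, compares it in constant time and rejects stale or replayed requests. It also includes the PSK-derived MQTT password used for plain-TCP key authentication. The field order, separators and the `;hmacsha256` tag are illustrative assumptions, not the platform's exact wire format; the product ID, device name and PSK are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed sample identity and key (not a real device). The platform
# issues the PSK base64-encoded, so it is stored that way here too.
PRODUCT_ID = "ABCDEFGHIJ"
DEVICE_NAME = "dev001"
DEVICE_PSK_B64 = base64.b64encode(bytes(range(16))).decode()


def psk_bytes(psk_b64):
    """Decode the base64 PSK into the raw key bytes used for HMAC."""
    return base64.b64decode(psk_b64)


def mqtt_password(username, psk_b64):
    """MQTT CONNECT password for plain-TCP key authentication: HMAC-SHA256
    over the username, keyed with the raw PSK, plus an algorithm tag.
    Assumed layout for illustration. Only the MAC is sent; the PSK stays
    on the device."""
    mac = hmac.new(psk_bytes(psk_b64), username.encode(), hashlib.sha256).hexdigest()
    return f"{mac};hmacsha256"


def sign_request(psk_b64, product_id, device_name, nonce, timestamp):
    """HMAC-SHA1 over device identity, nonce and timestamp: the pattern the
    log-upload, dynamic-registration and sub-device-binding flows share.
    Field order and separator are assumptions, not the platform's format."""
    msg = f"{product_id}{device_name};{nonce};{timestamp}".encode()
    return hmac.new(psk_bytes(psk_b64), msg, hashlib.sha1).hexdigest()


def device_request(psk_b64, product_id, device_name, now=None):
    """What the device sends: identity, a fresh random nonce, the current
    time and the MAC over all of them."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)
    return {
        "productId": product_id,
        "deviceName": device_name,
        "nonce": nonce,
        "timestamp": now,
        "signature": sign_request(psk_b64, product_id, device_name, nonce, now),
    }


class Verifier:
    """Server side: look up the registered PSK, recompute the MAC, compare
    in constant time, and reject stale timestamps and replayed nonces."""

    def __init__(self, registry, max_skew=300):
        self.registry = registry      # (productId, deviceName) -> psk_b64
        self.max_skew = max_skew      # accepted clock skew in seconds
        # Accepted nonces. A real server would expire entries older than
        # max_skew instead of keeping the set forever.
        self.seen_nonces = set()

    def verify(self, req, now=None):
        now = int(time.time()) if now is None else now
        psk_b64 = self.registry.get((req["productId"], req["deviceName"]))
        if psk_b64 is None:
            return False              # unknown device
        if abs(now - req["timestamp"]) > self.max_skew:
            return False              # stale or future-dated request
        if req["nonce"] in self.seen_nonces:
            return False              # replay of an already accepted request
        expected = sign_request(psk_b64, req["productId"], req["deviceName"],
                                req["nonce"], req["timestamp"])
        if not hmac.compare_digest(expected, req["signature"]):
            return False              # wrong key or tampered fields
        self.seen_nonces.add(req["nonce"])   # record only after success
        return True


if __name__ == "__main__":
    server = Verifier({(PRODUCT_ID, DEVICE_NAME): DEVICE_PSK_B64})
    req = device_request(DEVICE_PSK_B64, PRODUCT_ID, DEVICE_NAME)
    print("first request accepted:", server.verify(req))
    print("replayed request accepted:", server.verify(req))
    print("MQTT password:", mqtt_password(f"{PRODUCT_ID}{DEVICE_NAME}", DEVICE_PSK_B64))
```

The order of checks matters: the registry lookup and freshness window are cheap and run first, the nonce is only recorded after the MAC verifies so that an attacker cannot burn nonces with forged requests, and `hmac.compare_digest` avoids leaking the expected MAC through timing differences.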

Original article: https://yzsam.com/2021/04/20210404235444163Z.html

Copyright notice: this article was written by fancyxu; please include a link to the original when reposting. Thank you.