
Device Identity and Network Security

Introduction to device identity


Last updated 1 month ago

Blecon Devices internally generate a globally unique Device ID and security material on their first boot. For production devices, this simplifies the manufacturing process and avoids the risks introduced by handling or injecting secrets.

As the Device ID is unique, it provides an easy way to identify a device and index into your own databases.

Blecon device identity consists of a Version 4 UUID, for example:

2c62f204-b192-4c7c-a83c-b0ee9a0de391

It's important to note that the Device ID is not sensitive information. Devices broadcast it, and it can be freely used wherever it is required.

Self-Provisioning

On the first power-up, a modem will generate its identity and credentials (public/private key pair) and register itself in-band with the Blecon infrastructure, ensuring security throughout its lifecycle without a complex provisioning process. The Blecon cloud's public key is part of the firmware image stored on the device.

Security

Upon connection between a Blecon Device and the Blecon Cloud, mutual authentication takes place during a handshake. As part of this procedure, ephemeral secrets are negotiated in order to encrypt and authenticate all data exchanges.

Blecon transparently manages the security of device connections for you, in order to ensure device-to-cloud data confidentiality, integrity and authenticity. This means devices can't be spoofed and gateways need not be trusted. Every device has its own unique credentials.

Credentials

Every Blecon device and the Blecon cloud each possess a Curve25519 private/public key pair. One of the Blecon cloud’s public keys is known to the Blecon device from manufacturing time, and the device’s public key is shared with the Blecon cloud during the device connection process.

Key exchange

Periodically, a device and the cloud agree on a shared key using X25519, based on both parties’ key pairs. The shared key, together with salt material and random material contributed by both parties, is fed through HKDF to produce a session secret.

Data exchange

The session secret is split into two keys, one for each direction of data flow. The ChaCha20-Poly1305 AEAD algorithm is used with incremental nonces to encrypt and authenticate data under the relevant key. Each recipient authenticates and decrypts incoming data in turn, and rejects any message that fails authentication.

Primitives

Secure, device-optimised cryptographic primitives are used as per the table below.

| Function       | Primitive         |
|----------------|-------------------|
| Key Exchange   | X25519            |
| Key derivation | HKDF-SHA256       |
| AEAD Cipher    | ChaCha20-Poly1305 |
| Hash           | SHA256            |

Where Device Identity is used

All events relating to a Blecon Device are tagged with its identity, which is referred to as the Device ID.

When registering a device with a Blecon network, you only need the Device ID.

When a Blecon device reports its identity, it does so in the form of a Device URL. This looks like the following:

https://blecon.dev/2c62f204-b192-4c7c-a83c-b0ee9a0de391

A Device URL is functional: it can be configured to redirect to a specific URL as part of your virtual network.

Using Device IDs in your products and services

The Device ID is designed so that you can store it and use it within your own product or service. You can associate customers with a Device ID, associate additional metadata with a Device ID and use the Device ID as a reliably unique and durable reference to a specific physical device.

Obtaining the Device ID

Obtaining the Device ID is an essential first step to registering a device.

You can use the Blecon CLI to obtain the Device ID during device development.

For a real-world product, a good option is to use the Blecon Scanner. You may also build bespoke mechanisms to obtain the Device ID as required. See the Retrieve a device's identity page for more details.