Device Identity and Network Security

Introduction to device identity

Blecon Devices internally generate a globally unique Device ID and security material on their first boot. For production devices, this simplifies the manufacturing process and avoids the risks introduced by handling or injecting secrets.

As the Device ID is unique, it provides an easy way to identify a device and index into your own databases.

Blecon device identity consists of a Version 4 UUID, for example:

2c62f204-b192-4c7c-a83c-b0ee9a0de391

It's important to note that the Device ID is not sensitive information. Devices broadcast it, and it can be freely used wherever it is required; the device's secret key material, generated alongside it, never leaves the device.

Self-Provisioning

On the first power-up, a modem will generate its identity and credentials (public/private key pair) and register itself in-band with the Blecon infrastructure, ensuring security throughout its lifecycle without a complex provisioning process. The Blecon cloud's public key is part of the firmware image stored on the device.

Provisioning Procedure

Security

Upon connection between a Blecon Device and the Blecon Cloud, mutual authentication takes place during a handshake. As part of this procedure, ephemeral secrets are negotiated in order to encrypt and authenticate all data exchanges.

Blecon transparently manages the security of device connections for you, in order to ensure device-to-cloud data confidentiality, integrity and authenticity. This means devices can't be spoofed and gateways need not be trusted. Every device has its own unique credentials.

Credentials

Every Blecon device, and the Blecon cloud, possesses a Curve25519 private/public key pair. One of the Blecon cloud's public keys is known to the Blecon device from manufacturing time (it ships in the firmware image), and the device's public key is shared with the Blecon cloud during the device connection process.

Key exchange

Periodically, the device and the cloud agree on a shared key using X25519 over both parties' key pairs. That shared key, together with salt material and random material contributed by both parties, is fed to HKDF to produce a session secret. Because each side contributes fresh random material every time, a new session secret results even though the long-term key pairs stay the same.

Data exchange

The session secret is split into two keys, one for each direction of traffic. Data is encrypted and authenticated with the ChaCha20-Poly1305 AEAD under the key for its direction, using an incrementing nonce so that no nonce is ever reused under the same key; the periodic re-keying described above also bounds how far a counter can run. Each recipient authenticates and decrypts incoming data and rejects any message that fails authentication, whether it was tampered with, replayed or sent under the wrong key.
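The following is an added example, not Blecon's own code or wire protocol: it assembles the credentials, key exchange and data exchange described above from the primitives this page lists (X25519, HKDF-SHA256, ChaCha20-Poly1305), so a practitioner can see why a relaying gateway cannot read, alter or replay traffic. The salt, the HKDF info layout, the 64-byte session secret and the little-endian counter nonce are assumptions chosen for illustration; the `cryptography` package is assumed to be installed.

```python
"""Added example: a device<->cloud session built from the primitives listed on
this page (X25519, HKDF-SHA256, ChaCha20-Poly1305). It models the description
above, not Blecon's actual wire protocol: the salt, the HKDF info layout, the
64-byte session secret and the little-endian counter nonce are assumptions
chosen for illustration. Requires the `cryptography` package."""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

SALT = b"example-session-salt"  # assumed constant; the real salt is not documented


def derive_session_keys(my_priv, peer_pub, dev_rand, cloud_rand):
    """X25519 over both parties' key pairs, then HKDF-SHA256 over the shared
    secret plus both sides' random contributions. Returns the two direction
    keys (device->cloud, cloud->device) that the session secret is split into."""
    shared = my_priv.exchange(peer_pub)
    secret = HKDF(algorithm=hashes.SHA256(), length=64, salt=SALT,
                  info=b"example-session" + dev_rand + cloud_rand).derive(shared)
    return secret[:32], secret[32:]


class Endpoint:
    """One side of the session: an AEAD for each direction and a counter per
    direction. The counter becomes the 96-bit nonce, so a nonce is never reused
    under the same key, and a replayed or dropped record fails authentication
    because the receiver's counter no longer matches the sender's."""

    def __init__(self, send_key, recv_key):
        self.tx, self.tx_ctr = ChaCha20Poly1305(send_key), 0
        self.rx, self.rx_ctr = ChaCha20Poly1305(recv_key), 0

    def seal(self, plaintext, aad=b""):
        nonce = self.tx_ctr.to_bytes(12, "little")
        self.tx_ctr += 1
        return self.tx.encrypt(nonce, plaintext, aad)

    def open(self, ciphertext, aad=b""):
        nonce = self.rx_ctr.to_bytes(12, "little")
        plaintext = self.rx.decrypt(nonce, ciphertext, aad)  # InvalidTag if tampered
        self.rx_ctr += 1  # advance only after the record authenticated
        return plaintext


def run_session():
    """Handshake plus a few records; returns the checks a practitioner would make."""
    # Long-term Curve25519 key pairs. The cloud's public key ships in firmware;
    # the device's public key is sent in-band when it connects.
    cloud_priv, device_priv = X25519PrivateKey.generate(), X25519PrivateKey.generate()
    cloud_pub_in_firmware = cloud_priv.public_key()
    device_pub_sent_in_band = device_priv.public_key()

    # Fresh random material from each side (assumed 32 bytes each), exchanged
    # in the clear during the handshake.
    dev_rand, cloud_rand = os.urandom(32), os.urandom(32)

    # Each side derives the same pair of direction keys from its own private
    # key and the peer's public key.
    d2c_dev, c2d_dev = derive_session_keys(device_priv, cloud_pub_in_firmware, dev_rand, cloud_rand)
    d2c_cloud, c2d_cloud = derive_session_keys(cloud_priv, device_pub_sent_in_band, dev_rand, cloud_rand)
    keys_match = (d2c_dev, c2d_dev) == (d2c_cloud, c2d_cloud)

    device = Endpoint(send_key=d2c_dev, recv_key=c2d_dev)
    cloud = Endpoint(send_key=c2d_cloud, recv_key=d2c_cloud)

    # Constructed sample traffic: a report from the device, an ack from the cloud.
    report = device.seal(b'{"temp_c": 21.5}', aad=b"report")
    roundtrip = cloud.open(report, aad=b"report") == b'{"temp_c": 21.5}'
    ack = cloud.seal(b"ack", aad=b"ack")
    roundtrip = roundtrip and device.open(ack, aad=b"ack") == b"ack"

    # A gateway (or attacker) flipping one ciphertext bit is rejected...
    tampered = bytes([report[0] ^ 0x01]) + report[1:]
    try:
        cloud.open(tampered, aad=b"report")
        tamper_rejected = False
    except InvalidTag:
        tamper_rejected = True

    # ...and so is a replay of the original record: the cloud's receive
    # counter has moved on, so the nonce no longer matches.
    try:
        cloud.open(report, aad=b"report")
        replay_rejected = False
    except InvalidTag:
        replay_rejected = True

    return {"keys_match": keys_match, "roundtrip": roundtrip,
            "tamper_rejected": tamper_rejected, "replay_rejected": replay_rejected}


if __name__ == "__main__":
    print(run_session())
```

The receive counter is advanced only after a record authenticates, so a single tampered record does not desynchronise the channel; how a real protocol handles lost records (windowing, explicit sequence numbers) is not described on this page and is left out here.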

Primitives

Secure, device-optimised cryptographic primitives are used as per the table below.

Function          Primitive
Key Exchange      X25519
Key derivation    HKDF-SHA256
AEAD Cipher       ChaCha20-Poly1305
Hash              SHA256

Where Device Identity is used

All events relating to a Blecon Device are tagged with its identity, which is referred to as the Device ID.

When registering a device with a Blecon network, you only need the Device ID.

When a Blecon device reports its identity, it does so in the form of a Device URL. This looks like the following:

https://blecon.dev/2c62f204-b192-4c7c-a83c-b0ee9a0de391

A Device URL is a working link rather than a bare identifier, and it can be configured to redirect to a specific URL of your choosing as part of your virtual network.

Using Device IDs in your products and services

The Device ID is designed so that you can store it and use it within your own product or service. You can associate customers with a Device ID, associate additional metadata with a Device ID and use the Device ID as a reliably unique and durable reference to a specific physical device.
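An added example (not Blecon's own code) showing how a product might take a Device ID from a scanned Device URL, such as the one shown above, and validate it before using it as a database key. The host name is taken from the Device URL format on this page; the strictness rules (canonical hyphenated form, version 4, RFC 4122 variant) are the checks implied by the page's description of the ID, and are assumptions in the sense that Blecon does not document them as an API.

```python
"""Added example: validating a Device ID scanned from a device or taken from a
Device URL before storing it as a database key. Example code, not Blecon's
own. The host name comes from the Device URL shown on this page; the
strictness rules are the checks the page's description of the ID implies."""
import uuid
from urllib.parse import urlparse

DEVICE_URL_HOST = "blecon.dev"


def normalise_device_id(text):
    """Return the Device ID in canonical lowercase form, or raise ValueError.
    Only the 36-character hyphenated form is accepted (no braces, urn: prefix
    or bare hex), so one physical device can never end up under two
    differently spelled keys in your database."""
    candidate = text.strip()
    try:
        parsed = uuid.UUID(candidate)
    except ValueError:
        raise ValueError(f"not a UUID: {text!r}") from None
    canonical = str(parsed)
    if candidate.lower() != canonical:
        raise ValueError(f"Device ID must be in hyphenated form: {text!r}")
    # The page states Device IDs are version 4 UUIDs; anything else is not one.
    if parsed.version != 4 or parsed.variant != uuid.RFC_4122:
        raise ValueError(f"not a version 4 UUID: {text!r}")
    return canonical


def device_id_from_url(url):
    """Extract the Device ID from a Device URL of the form
    https://blecon.dev/<device id>. Anything else is rejected, so a scanned
    QR code pointing somewhere else cannot be registered as a device."""
    parts = urlparse(url)
    if parts.scheme != "https" or parts.netloc != DEVICE_URL_HOST:
        raise ValueError(f"not a Device URL: {url!r}")
    path = parts.path.strip("/")
    if not path or "/" in path:
        raise ValueError(f"unexpected path in Device URL: {url!r}")
    return normalise_device_id(path)


def is_valid_device_id(text):
    """Boolean form of normalise_device_id for use in input filters."""
    try:
        normalise_device_id(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the example Device URL from this page, an uppercase
    # variant a scanner might produce, and a few things that must be rejected.
    print(device_id_from_url("https://blecon.dev/2c62f204-b192-4c7c-a83c-b0ee9a0de391"))
    print(normalise_device_id("2C62F204-B192-4C7C-A83C-B0EE9A0DE391"))
    for bad in ("2c62f204b1924c7ca83cb0ee9a0de391", "not-a-uuid"):
        print(bad, "->", is_valid_device_id(bad))
```

Store the value returned by `normalise_device_id`, never the raw scanned string, so lookups and uniqueness constraints behave the same regardless of how the ID was captured.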

Obtaining the Device ID

Obtaining the Device ID is an essential first step to registering a device.

You can use the Blecon CLI to obtain the Device ID during device development.

For a real-world product, a good option is to use the Blecon Scanner. You may also build bespoke mechanisms to obtain the Device ID as required. See the Retrieve a device's identity page for more details.
