Info about authorization and authentication in IoT devices


Roger Casaponsa

Sep 19, 2022, 9:52:16 PM
to nat...@googlegroups.com
Hi,

We are developing an app that uses NATS for communication between some kind of IoT device and the cloud.

Each of these IoT devices has a leaf node NATS instance running on it and a NATS client that interacts with this NATS instance to send and receive messages from/to the cloud (via mirror and aggregate streams and request/reply).

Now we are starting to think about authorization and authentication, and I have some doubts about which is the best way to implement them.

In this implementation we have two different connections to be authorized/authenticated:
- the client into the leaf node
- the leaf node with the cloud


Authentication:

Because these IoT devices are computers where some users can log in and do some work, we prefer not to store this information in any file on the hard disk.

Another important thing is that we have the capacity to encrypt our binaries. This means that if we do not need any config file (we can pass all the options via parameters), we can be sure that nobody will read them.

To make the client we use the Python library nats.py. In this library the only documented way to use nkeys is to pass a file with the keys in the connect method:
await nats.connect("tls://connect.ngs.global:4222", user_credentials="/path/to/secret.creds")

Is there any parameter to set the nkey directly and avoid using this file?

For the connection from the leaf node to the cloud, we have the same problem. We would like to use parameters to set all the authentication and not store it in a file. Is there any way to achieve that?

Or maybe our approach is not the correct one?


Authorization:

In the cloud, we use Kubernetes to run the nats server.

Is there an implementation of nsc ready to run in Kubernetes, with persistent storage to keep all the JWT files? I understand that this is all we need to be able to create and push all the JWT files that the cloud NATS instances will use.

In the leaf nodes, I'm not sure if we need authorization for the client, because the control over what the leaf node can send and receive to/from the cloud will be done in the user that the leaf node uses to connect to the cloud.


Thanks for all the help, and if something is not clearly explained please just ask.

.- Roger

derek

Sep 22, 2022, 7:25:57 PM
to nats
Roger, great questions, and we are seeing quite a bit of these patterns with users and customers.

Credential files are a pair of public claims (JWT) and a signing key. For convenience, most clients allow a simple file to be used. However, most clients also allow both of these to be delivered via callback, where the application is in control. You can imagine even using compatible HSMs to sign the server challenge nonces, such that applications or leafnode servers never have access to the signing key.

wally at nats dot io will have the most up to date information on the Python client. I recommend reaching out to him via email or our slack channel.

Again, the JWTs should be considered public and tamper proof; the only thing you may want to protect is the signing key and the process of signing the challenge nonce, which is how a NATS system validates that you are the owner of the signing key associated with the public key in the user JWT.

Hope that helps.
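An added example, not from the thread and not nats.py project code, of the callback route described in the reply above and asked about in the first post: the JWT and the NKey seed are held in memory and handed to nats.py through its user_jwt_cb and signature_cb options instead of a .creds path. The delivery channel here is a hypothetical NATS_CREDS environment variable that an encrypted launcher would export (any in-process source works the same way). The sample credential text is constructed with a placeholder JWT and a placeholder seed, so the parsing and callback helpers run as written, but an actual connection needs a real user credential plus the nats-py and nkeys packages.

```python
import base64
import os
import re
from typing import Callable, Tuple

# Same layout nsc writes to a .creds file: two PEM-style blocks. Dash counts differ
# between the BEGIN and END markers, hence the "-+" patterns.
_JWT_RE = re.compile(r"-+BEGIN NATS USER JWT-+\s*(\S+)\s*-+END NATS USER JWT-+")
_SEED_RE = re.compile(r"-+BEGIN USER NKEY SEED-+\s*(\S+)\s*-+END USER NKEY SEED-+")

# Constructed sample: the JWT header is real ({"typ":"JWT","alg":"ed25519-nkey"}),
# the payload and signature are placeholders, and the seed is NOT a valid NKey.
SAMPLE_JWT = "eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.eyJzdWIiOiJVRVhBTVBMRSJ9.UExBQ0VIT0xERVI"
SAMPLE_SEED = "SUAPLACEHOLDERSEEDNOTAREALUSERKEY"
SAMPLE_CREDS = f"""-----BEGIN NATS USER JWT-----
{SAMPLE_JWT}
------END NATS USER JWT------

************************* IMPORTANT *************************
NKEY Seed printed below can be used to sign and prove identity.
NKEYs are sensitive and should be treated as secrets.

-----BEGIN USER NKEY SEED-----
{SAMPLE_SEED}
------END USER NKEY SEED------

*************************************************************
"""


def parse_creds(text: str) -> Tuple[str, str]:
    """Split creds-format text into (jwt, seed) without touching the filesystem."""
    jwt_m = _JWT_RE.search(text)
    seed_m = _SEED_RE.search(text)
    if jwt_m is None or seed_m is None:
        raise ValueError("credential text lacks a NATS USER JWT or USER NKEY SEED block")
    jwt, seed = jwt_m.group(1), seed_m.group(1)
    if not seed.startswith("SU"):
        # NKey seeds are base32 strings; user seeds start with "SU". Anything else
        # (e.g. an account seed, "SA...") is the wrong key kind for a client.
        raise ValueError("seed is not a user (SU...) seed")
    return jwt, seed


def make_auth_callbacks(jwt: str, seed: str) -> Tuple[Callable[[], bytes], Callable[[bytes], bytes]]:
    """Return (user_jwt_cb, signature_cb) in the shape nats.py expects.

    nats.py calls user_jwt_cb() for the public JWT and signature_cb(nonce) with the
    server's challenge nonce; the callback must return the base64-encoded ed25519
    signature, which is what nats.py's own file-based loader produces internally.
    """
    seed_buf = bytearray(seed, "ascii")

    def user_jwt_cb() -> bytes:
        return jwt.encode("ascii")

    def signature_cb(nonce: bytes) -> bytes:
        import nkeys  # imported here so the key pair object exists only while signing

        kp = nkeys.from_seed(seed_buf)
        try:
            return base64.b64encode(kp.sign(nonce))
        finally:
            kp.wipe()

    return user_jwt_cb, signature_cb


def load_creds_from_env(var: str = "NATS_CREDS") -> Tuple[str, str]:
    """Hypothetical delivery channel: the launcher decrypts the creds and exports them."""
    text = os.environ.get(var)
    if not text:
        raise RuntimeError(f"{var} is not set; nothing to authenticate with")
    return parse_creds(text)


async def connect_with_in_memory_creds(servers, creds_text: str):
    """Connect to NATS using callbacks instead of user_credentials=<path>."""
    import nats  # nats-py; imported here so the helpers above work without it

    jwt, seed = parse_creds(creds_text)
    user_jwt_cb, signature_cb = make_auth_callbacks(jwt, seed)
    return await nats.connect(servers, user_jwt_cb=user_jwt_cb, signature_cb=signature_cb)
```

Whether the seed comes from an environment variable, the Windows registry or the decrypted binary itself, the property that matters is the one the reply names: only the seed must stay secret, and it is only needed during the signing step, while the JWT can sit on disk unprotected. An environment variable still reaches anyone who can inspect the process (on Linux, /proc/<pid>/environ, or a debugger), so it moves the secret rather than removing the need to restrict which OS users can reach the process.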

Roger Casaponsa

Sep 27, 2022, 7:26:25 AM
to nat...@googlegroups.com
Hi,

thanks for the answer.

But I don't know how I can protect the private key (seed) of the user in the leafnode configuration. The only option I see (https://docs.nats.io/running-a-nats-service/configuration/leafnodes/leafnode_conf#leafnode-remotes-entry-block) to set the credentials is in a file, and the user can get access to it.

Is there any other parameter to set the seed and avoid creating a file? Maybe as an environment variable...

Regards


derek

Sep 27, 2022, 9:31:40 PM
to nats
The latest version of the NATS server can allow the leafnode to be configured such that a callback function is invoked.

You would have to embed the server inside your own application, which might be what you need.

Roger Casaponsa

Oct 4, 2022, 9:29:02 AM
to nat...@googlegroups.com
Hi Derek,

thanks for this, but unfortunately it is not useful in our case.

The leafnode server is running not embedded, and this call is only usable with NATS embedded in a Go program.

I think we do not have any other option than to create the credentials file in the storage of the IoT devices. We will try to protect it with file permissions. If you have any other idea how we could do that, just let me know.

Thanks for all the help!

Derek Collison

Oct 4, 2022, 11:41:07 AM
to nat...@googlegroups.com
I was suggesting you wrap the server in a simple Go program that you and the team there maintain to reach your goals.

How do you run clients on the edge device?

Roger Casaponsa

Oct 4, 2022, 12:32:35 PM
to nat...@googlegroups.com
Hi,

sorry, I didn't get that point.

We have various Python processes running on the device. We use the leafnode NATS server to:
- let some of these processes interact with each other on the IoT device
- let the whole device interact with the infrastructure we have in the cloud (where we have a NATS cluster). All this is in Python too.

Our software uses the Python library https://github.com/nats-io/nats.py to interact with NATS.

Regards,


Derek Collison

Oct 4, 2022, 12:45:02 PM
to nat...@googlegroups.com
So do you want to secure the signing key for the apps or the leafnode connection or both?

Are you concerned about apps having access to the leafnode server or what is allowed to move between the leafnode server and the cloud?

Roger Casaponsa

Oct 4, 2022, 1:14:38 PM
to nat...@googlegroups.com
Hi,

We are designing all that but the idea is:

Apps - leafnode auth:
We distribute our Python code as an exe. We also encrypt it to be sure that the user has a license to run it. Because our software is encrypted we can put a passphrase in it. We can encrypt the nkey that the user will use to connect to the leaf node and store it on the hard drive (a file, or the Windows registry). When our code needs to connect to the NATS leafnode it just has to read the encrypted nkey, decrypt it and connect (I hope the Python library can use an argument to set the nkey and not rely on files for that), and the JWT signed with the account can be stored on the hard drive.
We do not need to set any permissions for this user because what it can receive and send to the cloud will be limited by the permissions of the user that the leafnode uses to connect to the cloud.

Leafnode - cloud auth:
We do not know how to make it secure. The only option we have now is to create a credentials file. But anyone with physical access to the system will be able to read it.


The administration of the users and permissions will be done by our software:
- create nkeys
- create JWTs to sign the nkeys with the account seed
- create JWTs for permissions
- push all the info into the nats server
The leafnodes will synchronize with the servers to get all the information.

If you see anything that is not possible or there is a better way to implement it, we will be glad to know; as I say, we are just designing it and we do not know if there is a better approach.

Thanks!

Derek Collison

Oct 4, 2022, 1:47:33 PM
to nat...@googlegroups.com
The leafnode credentials are signed by the account owner in the cloud and are tamper proof, meaning they can't tamper with or change them.

You might be concerned that the credentials could be used on a different device, and that is a legit concern. You could pin the credentials to a CIDR block or an individual IP if the IP of the device is known and static.
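An added example, not from the thread, of the two points made in the replies above: a user JWT is public and readable by anyone who holds it (only the seed is secret), and a credential can be pinned to a source network through the user claim's src list (set, for instance, with nsc's --source-network option). The token below is constructed with placeholder keys and a placeholder signature; the field layout (nats.pub.allow, nats.sub.allow, nats.src) follows the v2 NATS user claim, and the signature is deliberately not verified here, since that needs the issuing account's public key and is the server's job. The source check at the end mirrors what the server does at connect time so an operator can see what a credential allows before shipping it to a device.

```python
import base64
import ipaddress
import json
from typing import Dict, List


def _b64url_decode(part: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# Constructed sample of a v2 NATS user claim. Key strings are placeholders in the
# shape nsc uses (account public keys start with "A", user keys with "U"); the
# signature segment is a placeholder too, so a server would reject this token.
SAMPLE_CLAIMS = {
    "jti": "EXAMPLEJTI",
    "iat": 1664000000,
    "iss": "AAEXAMPLEACCOUNTPUBLICKEY",
    "name": "device-0001",
    "sub": "UAEXAMPLEUSERPUBLICKEY",
    "nats": {
        "pub": {"allow": ["device.0001.>"]},
        "sub": {"allow": ["device.0001.>", "_INBOX.>"]},
        "src": ["203.0.113.0/24"],
        "type": "user",
        "version": 2,
    },
}
_HEADER = {"typ": "JWT", "alg": "ed25519-nkey"}
SAMPLE_JWT = ".".join([
    _b64url_encode(json.dumps(_HEADER, separators=(",", ":")).encode()),
    _b64url_encode(json.dumps(SAMPLE_CLAIMS, separators=(",", ":")).encode()),
    _b64url_encode(b"placeholder-signature"),
])


def decode_user_jwt(token: str) -> Dict:
    """Return the claims of a NATS user JWT WITHOUT verifying the signature.

    This shows what anyone holding the token can read. Integrity comes from the
    ed25519 signature over header.payload, which the server checks against the
    issuing account's public key; nothing here proves the token is genuine.
    """
    try:
        header_b64, payload_b64, _sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("token is not three dot-separated segments") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "ed25519-nkey":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    return json.loads(_b64url_decode(payload_b64))


def summarize(claims: Dict) -> Dict:
    """Pull out the fields an operator checks before shipping a credential."""
    nats = claims.get("nats", {})
    return {
        "user_public_key": claims.get("sub"),
        "issuer": claims.get("iss"),
        "pub_allow": nats.get("pub", {}).get("allow", []),
        "sub_allow": nats.get("sub", {}).get("allow", []),
        "src": nats.get("src", []),
    }


def source_allowed(src: List[str], client_ip: str) -> bool:
    """Mirror of the src check the server applies at connect time.

    An empty list means any source; otherwise the client address must fall in
    one of the listed networks. Entries are CIDR notation (a single host as /32).
    """
    if not src:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in src)


if __name__ == "__main__":
    summary = summarize(decode_user_jwt(SAMPLE_JWT))
    print(json.dumps(summary, indent=2))
    for ip in ("203.0.113.7", "198.51.100.7"):
        print(ip, "allowed" if source_allowed(summary["src"], ip) else "rejected")
```

Because the claims are plain base64url JSON, copying a credential to another device reveals nothing the JWT did not already make public; what the copy gains is the seed, and src pinning is one of the few controls that bites after a seed has leaked, provided the device addresses are actually static.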
