Certificates & Authentication
Why certificates and not a User/Password Authentication?
Certificates are easier to manage for end-to-end security, and, unlike a password, they are not human-readable.
Certificate installation can be done on a secure element at the hardware level, whereas a username and password are often stored in code.
OTA updates to application partitions cannot overwrite installed certificates.
What are X.509 certificates and how do they work?
We learnt this from Let’s Encrypt’s excellent documentation, and it is still best learnt from them!
Let’s Encrypt: https://letsencrypt.org/how-it-works/
An excellent diagram that breaks down the conversation between a client and the server: https://imgur.com/gallery/5T2fJsG/
Managed Authentication
Here, Golain will provide you with certificates to install onto your device during the device creation step.
There will also be a bulk device creation API, as well as a CLI tool and SDK for use on a manufacturing floor, to make certificate installation as hassle-free and secure as possible.
Self Authentication
The client can create their own Certificate Authority and, from it, their own chain of trust. A guide for this will be available soon.
This removes the dependency on Golain Authenticated certificates and will be just as secure.
What kind of Security is involved?
The Golain platform enforces mTLS on MQTT connections: the client MUST verify the identity of the server, and likewise the server MUST verify the certificate and identity that the client presents to it.
This rules out a machine-in-the-middle attack and prevents a data sniffer from decrypting data that moves from device to platform or the other way around.
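As an added example (not Golain's code), the Go program below builds a constructed root CA, a broker certificate and a device certificate in memory, then runs one TLS handshake over an in-memory pipe with both checks the text requires: the device verifies the broker against the CA, and the broker rejects any device that does not present a certificate chaining to that CA. The CA name, broker hostname and device name are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue returns a cert for cn signed by parent (nil parent = self-signed root CA), its parsed form and its key; all names are constructed for this example, none is Golain's.
func issue(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, DNSNames: []string{cn},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { parent, pkey = tmpl, key } // root CA signs itself
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

// Handshake runs one mTLS handshake over an in-memory pipe; it returns nil only when the device
// has verified the broker's certificate AND the broker has verified the device's certificate.
func Handshake(withDeviceCert bool) error {
	_, ca, caKey := issue("example-root-ca", true, nil, nil)
	brokerCert, _, _ := issue("mqtt.example.invalid", false, ca, caKey)
	deviceCert, _, _ := issue("device-0001", false, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	brokerCfg := &tls.Config{Certificates: []tls.Certificate{brokerCert}, ClientCAs: pool, // broker MUST verify the device
		ClientAuth: tls.RequireAndVerifyClientCert, SessionTicketsDisabled: true} // no post-handshake ticket write on the pipe
	deviceCfg := &tls.Config{RootCAs: pool, ServerName: "mqtt.example.invalid"} // device MUST verify the broker; never InsecureSkipVerify
	if withDeviceCert { deviceCfg.Certificates = []tls.Certificate{deviceCert} }
	deviceConn, brokerConn := net.Pipe()
	brokerErr := make(chan error, 1)
	go func() { brokerErr <- tls.Server(brokerConn, brokerCfg).Handshake(); brokerConn.Close() }()
	deviceErr := tls.Client(deviceConn, deviceCfg).Handshake()
	deviceConn.Close() // closing the raw pipe also unblocks a broker that is mid-write (e.g. sending an alert)
	if err := <-brokerErr; err != nil { return err }
	return deviceErr
}
```

Handshake(true) succeeds, while Handshake(false) returns the broker's error because the device sent no certificate; a device whose certificate was signed by a different CA fails the same way.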