How does the AWS IoT security system use keyPath, certPath and caPath to establish a secure connection?

To send telemetry from a thing (say, Sensor1) to the AWS IoT Core endpoint, we need:

  1. The AWS IoT certificate authority public certificate
  2. A certificate with an appropriate policy, attached to Sensor1
  3. The private key belonging to the certificate in point 2

```javascript
const awsIoT = require('aws-iot-device-sdk');
// Assumed here: endpoint.json holds { "endpointAddress": "<your account's IoT endpoint>" }
const endpointFile = require('./endpoint.json');

const deviceName = 'Sensor1';

// Create the device object: the device's own certificate and private key,
// plus the CA certificate used to verify the AWS IoT Core endpoint
const device = awsIoT.device({
   keyPath: 'private.pem.key',
   certPath: 'certificate.pem.crt',
   caPath: '/home/ec2-user/environment/root-CA.crt',
   clientId: deviceName,
   host: endpointFile.endpointAddress
});
```

I would like a general understanding of how the security system uses keyPath, certPath and caPath to establish a secure connection.

The certificates and the private key are there to solve three problems:

  1. As the client, am I talking to the genuine AWS IoT server rather than an impostor?
  2. As the AWS IoT server, am I talking to a registered client rather than an impostor?
  3. Can the client and the server communicate securely without anyone listening in?

The certificates and the private key are used to implement mutual TLS, which solves these problems. It lets the client authenticate the AWS IoT server (problem 1) and the server authenticate the client (problem 2). The certificates also enable a secure TLS channel between client and server (problem 3).

For the client authenticating the AWS IoT server (from https://docs.aws.amazon.com/iot/latest/developerguide/server-authentication.html):

When your device or other client attempts to connect to AWS IoT Core, the AWS IoT Core server will send an X.509 certificate that your device uses to authenticate the server. Authentication takes place at the TLS layer through validation of the X.509 certificate chain. This is the same method used by your browser when you visit an HTTPS URL.

The client uses the certificate referenced by caPath to validate the certificate it receives from the server it is connecting to.

For the AWS IoT server authenticating the client (from https://docs.aws.amazon.com/iot/latest/developerguide/x509-client-certs.html#x509-client-cert-basics):

AWS IoT authenticates client certificates using the TLS protocol's client authentication mode.

In TLS client authentication, AWS IoT requests an X.509 client certificate and validates the certificate's status and AWS account against a registry of certificates. It then challenges the client for proof of ownership of the private key that corresponds to the public key contained in the certificate.

The server authenticates the client by receiving the registered certificate referenced by certPath, and the client proves that it holds the private key by signing a message with the key referenced by keyPath.
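As an added illustration (not part of the question, the answer or the AWS SDK), the Go program below reproduces the mutual-TLS mechanics the answer describes using only the standard library and certificates it constructs itself. A made-up root CA named "Demo IoT Root CA" stands in for the AWS IoT root CA, so RootCAs on the client plays the caPath role; Certificates on the client carries what certPath and keyPath hold; and ClientCAs with RequireAndVerifyClientCert on the server stands in for AWS IoT's certificate registry plus its proof-of-key-possession challenge. The endpoint is a loopback TCP listener, not an AWS IoT Core host, and the names "iot-endpoint", "Sensor1" and "Rogue CA" are assumptions for the demo. It runs four handshakes: the genuine case, an impostor endpoint (question 1), a device certificate from an issuer the server does not know, and a registered certificate presented without its private key (both question 2).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue returns a certificate for cn plus a fresh P-256 key. With parent == nil the
// certificate is self-signed (a root CA); otherwise it is signed by parentKey.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // CertSign only matters for the CA
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, // the demo endpoint lives on loopback
	}
	issuer, issuerKey := tmpl, key // self-signed unless a parent was given
	if parent != nil {
		issuer, issuerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	must(err)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

type Verdict struct{ ClientErr, ServerErr error } // nil means that side accepted its peer

// handshake runs one TLS handshake over a loopback TCP connection.
func handshake(serverCfg, clientCfg *tls.Config) Verdict {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		must(err)
		s := tls.Server(raw, serverCfg)
		done <- s.Handshake()
		s.Close()
	}()
	c, clientErr := tls.Dial("tcp", ln.Addr().String(), clientCfg) // Dial runs the handshake
	if clientErr == nil {
		c.Close()
	}
	return Verdict{ClientErr: clientErr, ServerErr: <-done}
}

// Scenarios builds a demo CA, endpoint and device certificates, then runs four handshakes.
func Scenarios() map[string]Verdict {
	ca, caKey := issue("Demo IoT Root CA", true, nil, nil)   // the caPath trust anchor
	epCert, epKey := issue("iot-endpoint", false, ca, caKey) // the genuine endpoint
	devCert, devKey := issue("Sensor1", false, ca, caKey)    // certPath and keyPath
	rogueCA, rogueKey := issue("Rogue CA", true, nil, nil)   // an issuer nobody trusts
	fakeCert, fakeKey := issue("iot-endpoint", false, rogueCA, rogueKey)
	otherCert, otherKey := issue("Sensor1", false, rogueCA, rogueKey)
	trust := x509.NewCertPool()
	trust.AddCert(ca)
	server := func(cert *x509.Certificate, key *ecdsa.PrivateKey) *tls.Config {
		// ClientCAs plays the part of the AWS IoT certificate registry; requiring and verifying
		// the client certificate also makes TLS check that the client holds its private key.
		return &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
			ClientCAs: trust, ClientAuth: tls.RequireAndVerifyClientCert, SessionTicketsDisabled: true}
	}
	client := func(cert *x509.Certificate, key *ecdsa.PrivateKey) *tls.Config { // caPath; certPath + keyPath
		return &tls.Config{RootCAs: trust, Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}}
	}
	return map[string]Verdict{
		"genuine endpoint, registered device":     handshake(server(epCert, epKey), client(devCert, devKey)),
		"impostor endpoint (question 1)":          handshake(server(fakeCert, fakeKey), client(devCert, devKey)),
		"unregistered device cert (question 2)":   handshake(server(epCert, epKey), client(otherCert, otherKey)),
		"registered cert, wrong key (question 2)": handshake(server(epCert, epKey), client(devCert, otherKey)),
	}
}

func main() {
	for name, v := range Scenarios() {
		fmt.Printf("%-40s client: %v | server: %v\n", name, v.ClientErr, v.ServerErr)
	}
}
```

Two details worth knowing when reading the output. Go's client only offers a certificate whose issuer the server lists as acceptable, so in the unknown-issuer case the device ends up presenting no certificate at all and the server refuses the handshake for that reason; in the wrong-key case the certificate itself is accepted but the CertificateVerify signature does not match its public key, which is precisely the step that makes keyPath matter. With TLS 1.3 the client's side of the handshake completes before the server has examined the client certificate, so in the question-2 cases the server's verdict is the one to look at.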