
Reduce Required Root Certificate List For Constrained Devices

I'm developing a memory constrained IoT device and would like to connect it to Google IoT Core via MQTT. The list of required root certificates that must be trusted to allow for server TLS certificate validation is very long. I am seeking a smaller list that is appropriate for limited-resource IoT devices but won't suddenly stop working. Is there a way to safely reduce this list of required certificates?

From the online documentation ( https://cloud.google.com/iot/docs/concepts/device-security ) under the Device Security Recommendations section it states:

'Use TLS 1.2 when communicating with mqtt.googleapis.com:8883 (or :443), and verify that the server certificate is valid using root certificate authorities. Read this security note for detailed TLS requirements and future compatibility.'

From the security note ( https://security.googleblog.com/2015/09/disabling-sslv3-and-rc4.html ) it states:

'At least the certificates in https://pki.google.com/roots.pem must be trusted.'

I can clearly see that the documentation states the full list is required, but this doesn't seem acceptable for memory constrained IoT devices. As an example, AWS requires only a single certificate, depending on the TLS cipher selected. See the AWS documentation under Server Authentication ( https://docs.aws.amazon.com/iot/latest/developerguide/managing-device-certs.html ).

Any help on understanding ways that the list of root certificates can be reduced, such as elimination based on ECC-based validation vs RSA-based validation, would be helpful.

Thanks to a helpful Google engineer on Github who answered the issue "Clarify how trusted_RootCA_certs were chosen" in the Google-provided iot-device-sdk-embedded-c project, the solution is to use a long-term support (LTS) domain.

From the documentation, the special domain "mqtt.2030.ltsapis.goog" can be used instead of "mqtt.googleapis.com", so that only two root CA certs with small ECC 256 public keys are needed instead of the entire roots.pem package (128KB).

These root CA certs are fixed through year 2030.

The required root CAs are:

Note the other requirements and features for embedded devices in the long-term support (LTS) domain documentation.
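The reduced-trust-store approach described in this answer, as an added Go example that is not part of the original post or of Google's SDK: it audits a PEM bundle to show what each root costs a device (key type and DER size), and builds a client TLS config that trusts only those roots, verifies the hostname and uses TLS 1.2 as the floor. The self-signed P-256 certificate it generates is a constructed stand-in for the real LTS roots (it is not a Google certificate); the hostname mqtt.2030.ltsapis.goog is the one named above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

type RootInfo struct { // what one trusted root costs a constrained device
	Subject, KeyAlgo string // KeyAlgo e.g. "ECDSA P-256" or "RSA"
	DERSize          int    // bytes of DER the device has to store
}

// AuditBundle walks a PEM trust bundle (e.g. roots.pem) and reports every root in it.
func AuditBundle(bundle []byte) ([]RootInfo, error) {
	var out []RootInfo
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return nil, err
		}
		algo := cert.PublicKeyAlgorithm.String()
		if k, ok := cert.PublicKey.(*ecdsa.PublicKey); ok {
			algo += " " + k.Curve.Params().Name // the LTS roots are P-256: small to store and verify
		}
		out = append(out, RootInfo{cert.Subject.CommonName, algo, len(b.Bytes)})
	}
	return out, nil
}

// LTSClientConfig trusts only the supplied roots, verifies the hostname and floors TLS at 1.2;
// a false second result means no usable root was loaded and the device must not connect.
func LTSClientConfig(bundle []byte, host string) (*tls.Config, bool) {
	pool := x509.NewCertPool()
	return &tls.Config{RootCAs: pool, ServerName: host, MinVersion: tls.VersionTLS12}, pool.AppendCertsFromPEM(bundle)
}

// SampleECRootPEM is a constructed self-signed P-256 CA standing in for an LTS root (not Google's).
func SampleECRootPEM(cn string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed data: errors ignored on purpose
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Run AuditBundle over the full roots.pem and over the two LTS roots to see the difference in stored bytes and key types before committing flash to either.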
