Questions tagged with Device Security


We have several environments in IoT Core; for the sake of this question let's call them dev and staging. The dev environment has the aaaaaaaa-ats.iot.eu-west-1.amazonaws.com endpoint and staging has the bbbbbbbbb-ats.iot.eu-west-1.amazonaws.com endpoint. We have a device provisioned with JITP in the dev environment which connects without any issue to the dev environment, as expected. Now, if we change the device endpoint to "bbbbbbb...." while keeping the dev certificates and try to publish a message, the device connects to the dev environment and we get the message in the dev environment. Is this expected behaviour?

2 answers, 0 votes, 27 views, asked a month ago
Hi, I want to create an EC2 instance with NitroTPM 2.0 enabled. I followed the instructions from this site: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-nitrotpm-support-on-ami.html

```json
{
    "Images": [
        {
            "Architecture": "x86_64",
            "CreationDate": "2022-11-21T20:07:43.000Z",
            "ImageId": "ami-05683f60db56ff1b5",
            "ImageLocation": "293786889684/DebianImage",
            "ImageType": "machine",
            "Public": false,
            "OwnerId": "293786889684",
            "PlatformDetails": "Linux/UNIX",
            "UsageOperation": "RunInstances",
            "State": "available",
            "BlockDeviceMappings": [
                {
                    "DeviceName": "/dev/xvda",
                    "Ebs": {
                        "DeleteOnTermination": true,
                        "SnapshotId": "snap-0c493ccaccd018881",
                        "VolumeSize": 8,
                        "VolumeType": "gp2",
                        "Encrypted": false
                    }
                },
                {
                    "DeviceName": "/dev/xvdf",
                    "Ebs": {
                        "DeleteOnTermination": true,
                        "VolumeSize": 10,
                        "VolumeType": "gp2",
                        "Encrypted": false
                    }
                }
            ],
            "EnaSupport": true,
            "Hypervisor": "xen",
            "Name": "DebianImage",
            "RootDeviceName": "/dev/xvda",
            "RootDeviceType": "ebs",
            "SriovNetSupport": "simple",
            "VirtualizationType": "hvm",
            "BootMode": "uefi",
            "TpmSupport": "v2.0"
        }
    ]
}
```

So far it looks good, but if I try to launch an instance of this AMI, I cannot connect to the machine. If I create an instance from the management console without NitroTPM support, I can connect to the machine via my key. Also, I would like to get some measurements from the TPM, but I don't see any of the hashes in the response. I appreciate any help you can offer.

Here's my EC2 description:

```json
{
    "Reservations": [
        {
            "Groups": [],
            "Instances": [
                {
                    "AmiLaunchIndex": 0,
                    "ImageId": "ami-05683f60db56ff1b5",
                    "InstanceId": "i-03435c99e5a3a83b5",
                    "InstanceType": "m6a.xlarge",
                    "KeyName": "OPTI_PLEX_KEY_PAIR",
                    "LaunchTime": "2022-11-21T20:53:29.000Z",
                    "Monitoring": {
                        "State": "disabled"
                    },
                    "Placement": {
                        "AvailabilityZone": "eu-central-1a",
                        "GroupName": "",
                        "Tenancy": "default"
                    },
                    "PrivateDnsName": "ip-172-31-16-168.eu-central-1.compute.internal",
                    "PrivateIpAddress": "172.31.16.168",
                    "ProductCodes": [],
                    "PublicDnsName": "ec2-18-159-62-7.eu-central-1.compute.amazonaws.com",
                    "PublicIpAddress": "18.159.62.7",
                    "State": {
                        "Code": 16,
                        "Name": "running"
                    },
                    "StateTransitionReason": "",
                    "SubnetId": "subnet-12bdf778",
                    "VpcId": "vpc-d90e6cb3",
                    "Architecture": "x86_64",
                    "BlockDeviceMappings": [
                        {
                            "DeviceName": "/dev/xvda",
                            "Ebs": {
                                "AttachTime": "2022-11-21T20:53:30.000Z",
                                "DeleteOnTermination": true,
                                "Status": "attached",
                                "VolumeId": "vol-05814aff540510c1f"
                            }
                        },
                        {
                            "DeviceName": "/dev/xvdf",
                            "Ebs": {
                                "AttachTime": "2022-11-21T20:53:30.000Z",
                                "DeleteOnTermination": true,
                                "Status": "attached",
                                "VolumeId": "vol-03027ae670649544f"
                            }
                        }
                    ],
                    "ClientToken": "45856522-8833-4e31-985f-f5209b014fa1",
                    "EbsOptimized": true,
                    "EnaSupport": true,
                    "Hypervisor": "xen",
                    "ElasticGpuAssociations": [],
                    "ElasticInferenceAcceleratorAssociations": [],
                    "NetworkInterfaces": [
                        {
                            "Association": {
                                "IpOwnerId": "amazon",
                                "PublicDnsName": "ec2-18-159-62-7.eu-central-1.compute.amazonaws.com",
                                "PublicIp": "18.159.62.7"
                            },
                            "Attachment": {
                                "AttachTime": "2022-11-21T20:53:29.000Z",
                                "AttachmentId": "eni-attach-01e82b7e623e8e9da",
                                "DeleteOnTermination": true,
                                "DeviceIndex": 0,
                                "Status": "attached",
                                "NetworkCardIndex": 0
                            },
                            "Description": "",
                            "Groups": [
                                {
                                    "GroupName": "launch-wizard-10",
                                    "GroupId": "sg-05676ad26b7f6ed13"
                                }
                            ],
                            "Ipv6Addresses": [],
                            "MacAddress": "02:b8:28:63:4f:fc",
                            "NetworkInterfaceId": "eni-095492d80db0313b8",
                            "OwnerId": "293786889684",
                            "PrivateDnsName": "ip-172-31-16-168.eu-central-1.compute.internal",
                            "PrivateIpAddress": "172.31.16.168",
                            "PrivateIpAddresses": [
                                {
                                    "Association": {
                                        "IpOwnerId": "amazon",
                                        "PublicDnsName": "ec2-18-159-62-7.eu-central-1.compute.amazonaws.com",
                                        "PublicIp": "18.159.62.7"
                                    },
                                    "Primary": true,
                                    "PrivateDnsName": "ip-172-31-16-168.eu-central-1.compute.internal",
                                    "PrivateIpAddress": "172.31.16.168"
                                }
                            ],
                            "SourceDestCheck": true,
                            "Status": "in-use",
                            "SubnetId": "subnet-12bdf778",
                            "VpcId": "vpc-d90e6cb3",
                            "InterfaceType": "interface",
                            "Ipv4Prefixes": [],
                            "Ipv6Prefixes": []
                        }
                    ],
                    "RootDeviceName": "/dev/xvda",
                    "RootDeviceType": "ebs",
                    "SecurityGroups": [
                        {
                            "GroupName": "launch-wizard-10",
                            "GroupId": "sg-05676ad26b7f6ed13"
                        }
                    ],
                    "SourceDestCheck": true,
                    "Tags": [
                        {
                            "Key": "Name",
                            "Value": "Ubuntu bla"
                        }
                    ],
                    "VirtualizationType": "hvm",
                    "CpuOptions": {
                        "CoreCount": 2,
                        "ThreadsPerCore": 2
                    },
                    "CapacityReservationSpecification": {
                        "CapacityReservationPreference": "open"
                    },
                    "HibernationOptions": {
                        "Configured": false
                    },
                    "Licenses": [],
                    "MetadataOptions": {
                        "State": "applied",
                        "HttpTokens": "optional",
                        "HttpPutResponseHopLimit": 1,
                        "HttpEndpoint": "enabled",
                        "HttpProtocolIpv6": "disabled",
                        "InstanceMetadataTags": "enabled"
                    },
                    "EnclaveOptions": {
                        "Enabled": true
                    },
                    "BootMode": "uefi",
                    "PlatformDetails": "Linux/UNIX",
                    "UsageOperation": "RunInstances",
                    "UsageOperationUpdateTime": "2022-11-21T20:53:29.000Z",
                    "PrivateDnsNameOptions": {
                        "HostnameType": "ip-name",
                        "EnableResourceNameDnsARecord": true,
                        "EnableResourceNameDnsAAAARecord": false
                    },
                    "TpmSupport": "v2.0",
                    "MaintenanceOptions": {
                        "AutoRecovery": "default"
                    }
                }
            ],
            "OwnerId": "293786889684",
            "ReservationId": "r-0089af1cf650fc657"
        }
    ]
}
```

1 answer, 0 votes, 43 views, asked 2 months ago
I failed to run the sample code for [basic_connect](https://github.com/aws/aws-iot-device-sdk-cpp-v2/tree/main/samples/mqtt/basic_connect). While running it with the following arguments: `basic_connect.exe --client_id "ME" --endpoint "*-ats.iot.eu-west-1.amazonaws.com" --cert "<>/MyCertificate.crt" --key "<>/MyPrivate.key" --verbosity "Debug"` I receive the following output:

```
[DEBUG] [2022-09-29T13:02:54Z] [00001648] [mqtt-client] - client=*: Initalizing MQTT client
[DEBUG] [2022-09-29T13:02:56Z] [00001648] [tls-handler] - static: This library was built with Windows 8.1 or later, probing OS to see what we're actually running on.
[DEBUG] [2022-09-29T13:02:56Z] [00001648] [tls-handler] - static: We're running on Windows 8.1 or later. ALPN is available.
[DEBUG] [2022-09-29T13:02:56Z] [00001648] [tls-handler] - static: This library was built with Windows 8.1 or later, probing OS to see what we're actually running on.
[DEBUG] [2022-09-29T13:02:56Z] [00001648] [tls-handler] - static: We're running on Windows 8.1 or later. ALPN is available.
[DEBUG] [2022-09-29T13:02:56Z] [00001648] [tls-handler] - static: certificate and key have been set, setting them up now.
[INFO] [2022-09-29T13:02:56Z] [00001648] [pki-utils] - static: loading certificate chain with 1 certificates.
[ERROR] [2022-09-29T13:03:04Z] [00001648] [pki-utils] - static: no acceptable private key found, error AWS_IO_FILE_VALIDATION_FAILURE
[ERROR] [2022-09-29T13:03:04Z] [00001648] [tls-handler] - static: failed to import certificate and private key with error 1038.
Client Configuration initialization failed with error aws-c-io: AWS_IO_FILE_VALIDATION_FAILURE, A file was read and the input did not match the expected value
```

I have been trying to follow this AWS_IO_FILE_VALIDATION_FAILURE, and I end up with the following call stack:

```
basic-connect.exe!aws_import_key_pair_to_cert_context(aws_allocator * alloc, const aws_byte_cursor * public_cert_chain, const aws_byte_cursor * private_key, bool is_client_mode, void * * store, const _CERT_CONTEXT * * certs, unsigned __int64 * crypto_provider, unsigned __int64 * private_key_handle) Line 691 C
basic-connect.exe!s_ctx_new(aws_allocator * alloc, const aws_tls_ctx_options * options, bool is_client_mode) Line 2010 C
basic-connect.exe!aws_tls_client_ctx_new(aws_allocator * alloc, const aws_tls_ctx_options * options) Line 2044 C
basic-connect.exe!Aws::Crt::Io::TlsContext::TlsContext(Aws::Crt::Io::TlsContextOptions & options, Aws::Crt::Io::TlsMode mode, aws_allocator * allocator) Line 423 C++
basic-connect.exe!Aws::Iot::MqttClientConnectionConfigBuilder::Build() Line 493 C++
basic-connect.exe!Utils::CommandLineUtils::GetClientConnectionForMQTTConnection(Aws::Iot::MqttClient * client, Aws::Iot::MqttClientConnectionConfigBuilder * clientConfigBuilder) Line 542 C++
basic-connect.exe!Utils::CommandLineUtils::BuildDirectMQTTConnection(Aws::Iot::MqttClient * client) Line 459 C++
basic-connect.exe!main(int argc, char * * argv) Line 41 C++
[External Code]
```

None of the calls to `CryptDecodeObjectEx` in the function `aws_import_key_pair_to_cert_context` succeed. It sounds like there is a problem with my private key, which I generated as follows: `openssl req -newkey rsa:4096 -sha256 -nodes -keyout MyPrivate.key -out MyRequest.csr -config MyConfig.cnf` I am not sure I understand what this function is meant to do and what is wrong with my key. I am using Windows 10 with msbuild (tried in Python as well).

2 answers, 0 votes, 109 views, asked 4 months ago
I am trying to connect to my server using MobaXterm and it keeps saying the server refused my key. It then asks for a password, and each time I type my password it says access denied. Please can you help with this? Thanks

2 answers, 0 votes, 164 views, asked 10 months ago
Hello Sir, for a few days I have not been able to SSH with MobaXterm to a Jenkins server I created on my EC2. I have the same problem when I attempt to SSH with Git as well. The message I get is shown below. Even after I restart the session I get the same problem. Please could you verify whether my AWS account has issues. I changed my computer as well but have the same problem. I disabled the firewall, cleared the cache and a few other things, yet no solution.

```
Network error: Connection timed out
────────────────────────────────────────────────────────────────────────────────
Session stopped
    - Press <return> to exit tab
    - Press R to restart session
    - Press S to save terminal output to file
```

I have searched online for resources and have done everything possible but I cannot move forward. I disabled my firewall, cleared my cache, and a lot more, but I still cannot connect through SSH. I bought a new computer thinking it would be different, but same problem. When I log in through Chrome using the public IP and port 8080, all I get is "website not reachable" or "Connection timed out". Please revert with a response as soon as you have time. Thanks

2 answers, 1 vote, 366 views, asked a year ago
Can my customer create a private group that is only viewable by their own employees?
1 answer, 0 votes, 32 views, AWS, asked a year ago
Hello, I have a problem during the provisioning of the IoT thing using claim certificates. We are using the fleet provisioning by claim mechanism. We are following the steps described in this PDF: https://d1.awsstatic.com/whitepapers/device-manufacturing-provisioning.pdf When we start the provisioning process, we are providing the `AwsIotMqttConnectionBuilder` with the claim certificate and claim private key (which are generated in the previous step). The problem comes when we are building the `MqttClientConnection` with which to make the request to AWS IoT Core for the provisioning. Here is the detailed exception:

```
Exception occurred during fleet provisioning by claim
	at com.iav.de.ota.provisioning.flow.FleetProvisioningByClaimFlowExecutor.execute(FleetProvisioningByClaimFlowExecutor.java:50)
	at com.iav.de.ota.provisioning.ProvisioningFacade.provision(ProvisioningFacade.java:60)
	at com.iav.de.ota.provisioning.ProvisioningFacade.provisionToDeviceManagementCloud(ProvisioningFacade.java:54)
	at com.iav.de.ota.provisioning.ProvisioningFacade.provision(ProvisioningFacade.java:39)
	at com.iav.de.ota.Main.main(Main.java:42)
Caused by: software.amazon.awssdk.crt.CrtRuntimeException: TlsContext.tls_ctx_new: Failed to create new aws_tls_ctx (aws_last_error: AWS_IO_FILE_VALIDATION_FAILURE(1038), A file was read and the input did not match the expected value) AWS_IO_FILE_VALIDATION_FAILURE(1038)
	at software.amazon.awssdk.crt.io.TlsContext.tlsContextNew(Native Method)
	at software.amazon.awssdk.crt.io.TlsContext.<init>(TlsContext.java:24)
	at software.amazon.awssdk.crt.io.ClientTlsContext.<init>(ClientTlsContext.java:26)
	at software.amazon.awssdk.iot.AwsIotMqttConnectionBuilder.build(AwsIotMqttConnectionBuilder.java:502)
	at com.iav.de.ota.mqtt.MqttConnectionFactory.create(MqttConnectionFactory.java:44)
	at com.iav.de.ota.provisioning.flow.FleetProvisioningByClaimFlowExecutor.execute(FleetProvisioningByClaimFlowExecutor.java:42)
```

Going through the error, I have found that this error `AWS_IO_FILE_VALIDATION_FAILURE(1038)` indicates that the expected claim private key/certificate does not match the ones which we are giving to it. So, I started going further into the issue and found that the library which we are using for reading the private key (Bouncy Castle) is reading a key which is different from the input one. In other words, when I inspect the claim private key with Notepad and compare it with the one which Bouncy Castle has read, they are different. The problem is more interesting because this does not happen on Linux machines, only on Windows machines. I have even tried to read the claim private key as a plain string from the file and pass it to the MqttConnection, and this works. Unfortunately, this is not a solution because later on (after the provisioning) we are storing the real certificate and private key, for later communication with AWS IoT Core, in a KeyStore which we are reading with Bouncy Castle again. So, we need the library (Bouncy Castle or another) in order to read the private key/certificate at any moment of the execution of the program (either during the provisioning or later on during the other AWS IoT Core calls with the real certificates). Forgot to mention, the claim private key and claim certificate are stored in PEM format. Could you tell me what can be done here? Is there any AWS-supported library for reading the claim private key/certificate without using Bouncy Castle? Any suggestions here are welcome because we are stuck, and the requirement is that each AWS IoT Thing will be running on Windows OS. Thanks a lot, Encho

1 answer, 0 votes, 154 views, asked a year ago