Scaleway Elements IoT Station Security

Overview

To secure communication between a Hub and a Device, the MQTT connection may be protected by TLS.

Any Device can use TLS to connect, and TLS can also be enforced for a Device: this is the Allow/Deny Insecure toggle.

Modes of connection

Mutual-authentication TLS

This is the strongest security for a Device. The connection is encrypted with TLS, and during the handshake the Hub verifies the identity of the Device and the Device verifies the identity of the Hub.

For that two-way verification to occur, the client must possess the Device’s certificate and private key, which are displayed only once, when the Device is created (Scaleway does not store them). It must also possess the certificate authority of the Hub, which can be downloaded from the Hub overview.

If the Device is configured as “Deny Insecure connection”, it must connect in this mode. If the Device is configured as “Allow Insecure connection”, it may connect in this mode.

Server-authentication TLS

This mode offers an intermediate level of security. The connection is still encrypted, but only the Device verifies the identity of the Hub, not the other way around.

For that one-way verification to occur, the physical device needs to possess only the certificate authority of the Hub.

If the Device is configured as “Deny Insecure connection”, it cannot connect in this mode. If the Device is configured as “Allow Insecure connection”, it may connect in this mode.

Plain

This mode offers no security. The connection is neither encrypted nor authenticated, and is therefore vulnerable to attacks.

If the Device is configured as “Deny Insecure connection”, it cannot connect in this mode. If the Device is configured as “Allow Insecure connection”, it may connect in this mode.
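The three modes above map onto client-side TLS configuration as follows. This is an added example, not Scaleway code: the names Mode, hub_accepts and tls_context and the file names in the comments are hypothetical, and hostname verification of the Hub certificate is assumed to succeed.

```python
import ssl
from enum import Enum


class Mode(Enum):
    MUTUAL_TLS = "mutual-authentication TLS"
    SERVER_TLS = "server-authentication TLS"
    PLAIN = "plain"


def hub_accepts(mode, deny_insecure):
    """Apply the Allow/Deny Insecure toggle: Deny admits mutual TLS only."""
    return mode is Mode.MUTUAL_TLS or not deny_insecure


def tls_context(mode, ca_file=None, cert_file=None, key_file=None):
    """Return the ssl.SSLContext for a mode, or None for a plain connection.

    Inputs are validated before any file is read, so a Device that lacks
    its key material fails here instead of silently downgrading.
    """
    if mode is Mode.PLAIN:
        return None  # no encryption, no authentication
    if ca_file is None:
        raise ValueError("TLS modes need the Hub's certificate authority")
    if mode is Mode.MUTUAL_TLS and (cert_file is None or key_file is None):
        raise ValueError("mutual TLS needs the Device certificate and key")

    # PROTOCOL_TLS_CLIENT enables certificate and hostname verification by
    # default; the system trust store is NOT loaded, so only the Hub's
    # certificate authority is trusted.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=ca_file)  # e.g. "hub-ca.pem" (hypothetical)
    if mode is Mode.MUTUAL_TLS:
        # e.g. "device-cert.pem" / "device-key.pem" (hypothetical file names)
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def usable_modes(deny_insecure, have_ca, have_device_keypair):
    """List the modes a Device can actually use, strongest first."""
    have = {Mode.MUTUAL_TLS: have_ca and have_device_keypair,
            Mode.SERVER_TLS: have_ca, Mode.PLAIN: True}
    return [m for m in Mode if have[m] and hub_accepts(m, deny_insecure)]
```

The returned context can be passed to an MQTT client library that accepts an ssl.SSLContext, for example paho-mqtt's tls_set_context().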
