This document discusses device authentication in industrial IoT environments. It begins with an overview of asymmetric cryptography and public key infrastructure (PKI), which are important foundations for device identity. It then describes GE's Predix Machine and EdgeManager platform for enrolling and authenticating devices via certificate-based methods. This allows devices to programmatically obtain signed certificates during enrollment and authenticate to Predix Cloud without manual entry of credentials. The document outlines the enrollment process and how devices can then use the signed certificates to obtain access tokens for authentication.
PREDIX TRANSFORM
5. Authentication – credential extraction
• Devices aren’t people
• “data recovery”
• Make it hard to guess
• Make it hard to recover
20. Predix Machine - Certificate Based Enrollment
• Devices programmatically enroll to Edge Manager
• Obtain signed certificate from GE root authority
• Eliminate technician entering logon & security info by hand
• Devices are able to start up and authenticate to Predix Cloud
26. How to use Certificate: JWT Bearer Tokens
Header
{
  "alg": "RS256"
}
Payload
{
  "iss": <clientID>,
  "sub": <device ID>,
  "aud": <uaa>,
  "exp": <expiration time of this token>,
  "tenant_id": <tenant_id>
}
Signature
SHA256withRSA(<base64(Header)>.<base64(Payload)>, <private key>)
27. How to use Certificate: JWT Bearer Tokens
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6MTIzMTIzfQ.cUyTEK1BKsOU5stpPiM5-PGT4nUrKwAHajhmb9Ojim7NbEwgsDAju9vlukBYJOSCFyXbG_N0zlQrO8n7yJ9G2OIOerQNqMTNWcqwtcFha1TJyhv4tb40bLONfcrMIAO1L-oF9f27xwJQODJz4SmyU1nSI1dKeqN5KmyHVUqOLAI
28. Step 3: Obtaining Access Token from UAA
Authenticate with UAA
1. Device generates JWT Bearer Token
2. Send to UAA through 2-way TLS
3. UAA verifies
4. UAA returns access token
GE Digital