This document discusses device authentication in industrial IoT environments. It begins with an overview of asymmetric cryptography and public key infrastructure (PKI), which are important foundations for device identity. It then describes GE's Predix Machine and EdgeManager platform for enrolling and authenticating devices via certificate-based methods. This allows devices to programmatically obtain signed certificates during enrollment and authenticate to Predix Cloud without manual entry of credentials. The document outlines the enrollment process and how devices can then use the signed certificates to obtain access tokens for authentication.

1. PEM1: Device Authentication in
Industrial IoT
Jiaqi Wu

2. 2PREDIX TRANSFORM
Authentication
Human Authentication
Username: bob
Password: Gutsy97rush

3. 3PREDIX TRANSFORM
Authentication – credential extraction
It’s harder to get credentials from people

4. 4PREDIX TRANSFORM
Authentication – credential extraction
Human credentials are easy to guess

5. 5PREDIX TRANSFORM
Authentication – credential extraction
• Devices aren’t people
• “data recovery”
• Make it hard to guess
• Make it hard to
recover

6. 6PREDIX TRANSFORM
Authentication - certificates
Device Authentication

7. 7PREDIX TRANSFORM
Agenda
Cryptography Basics1
PKI Basics
Device Enrollment process
Q&A
2
3
4

8. 8PREDIX TRANSFORM
Asymmetric Cryptography 101

9. 9PREDIX TRANSFORM
Asymmetric Cryptography 101
• Private keys – you keep it secret
• Public keys – give to everybody

10. 10PREDIX TRANSFORM
Asymmetric Cryptography 101
“Will you go out with me”
YES NO
Robby
Teacher sees:

11. 11PREDIX TRANSFORM
Asymmetric Cryptography 101
G*^&!G(@H)(@*J$G)(
*&#H)(*WH(*#FA@
Teacher sees:

12. 12PREDIX TRANSFORM
PKI 101
Private key Public key

13. 13PREDIX TRANSFORM
Certificate Signing
Request (CSR)
CN=<identifier>
Public key
PKI 101
Private key
Certificate Authority

14. 14PREDIX TRANSFORM
Certificate
CN=<identifier>
Public key
PKI 101
Private key
Certificate Authority
signature

15. 15PREDIX TRANSFORM
PKI 101

16. 16PREDIX TRANSFORM
PKI 101

17. 17PREDIX TRANSFORM
Identity Challenges in Industrial IoT
• Devices are headless
• Exposed, accessible
• Control sensitive data and hardware

18. 18PREDIX TRANSFORM
Predix Machine and EdgeManager
Predix
Machine
Predix
Machine
Predix
Machine
Predix Cloud
EdgeManager

19. 19PREDIX TRANSFORM
Predix Machine and Edge Manager

20. 20PREDIX TRANSFORM
Predix Machine - Certificate Based
Enrollment
• Devices programmatically enrolls
to Edge Manager
• Obtain Signed Certificate from
GE root Authority
• Eliminate technician entering
logon & security info by hand
• Devices are able to start up and
authenticate to Predix Cloud

21. 21PREDIX TRANSFORM
Certificate Based Enrollment Overview

22. 22PREDIX TRANSFORM
GE Digital
Step 1
Add a Device
Call /addDevice API,
pass:
1. Serial No
2. Name
3. Shared Secret

23. 23PREDIX TRANSFORM
GE Digital
Step 2
Enroll Device
1. Generate key pair on device
2. Enroll request, pass shared secret

24. 24PREDIX TRANSFORM
GE Digital
Step 2
Enroll Device
3. Create UAA client for
device
4. Pass CSR to Certificate
Service

25. 25PREDIX TRANSFORM
GE Digital
Step 2
Enroll Device
5. Sign CSR using Symantec
6. Return signed certificate
back to device

26. 26PREDIX TRANSFORM
How to use Certificate
JWT Bearer Tokens
Header
{
"alg":"RS256"
}
Payload
{
"iss":
<clientID>
"sub":
<device
ID>
"aud":
<uaa>
"exp":
<expiration
time
of
this
token>
"tenant_id":
<tenant_id>
}
Signature
SHA256withRSA(
<base64(Header)>.<base64(Payload)>,
<private
key>
)

27. 27PREDIX TRANSFORM
How to use Certificate
JWT Bearer Tokens
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iO
nRydWUsImV4cCI6MTIzMTIzfQ.cUyTEK1BKsOU5stpPiM5-­‐
PGT4nUrKwAHajhmb9Ojim7NbEwgsDAju9vlukBYJOSCFyXbG_N0zlQrO8n7yJ9G2OIOerQNqMTNWcqwtcFha1TJyhv4tb40bLO
NfcrMIAO1L-­‐oF9f27xwJQODJz4SmyU1nSI1dKeqN5KmyHVUqOLAI

28. 28PREDIX TRANSFORM
Step 3
Obtaining Access Token from UAA
Authenticate with UAA
1. Device generates JWT
Bearer Token
2. Send to UAA through 2
way TLS
3. UAA verifies
4. UAA returns access token
GE Digital

29. 29PREDIX TRANSFORM
Step 4
Device makes request to application
1. Device attaches access
token to HTTPS/WSS
requests
GE Digital

30. 30PREDIX TRANSFORM
Conclusion
Simple enrollment. From technician perspective:
1. Start device
2. Device automatically enrolls

31. 31PREDIX TRANSFORM
Conclusion
Check out Predix edge software and services
https://www.predix.io/catalog/services
• Predix Machine 16.2
• Predix EdgeManager

32. General Electric reserves the right to make changes in specifications and features, or discontinue the product or service described at any time, without notice or obligation. These materials do
not constitute a representation, warranty or documentation regarding the product or service featured. Illustrations are provided for informational purposes, and your configuration may differ. This
information does not constitute legal, financial, coding, or regulatory advice in connection with your use of the product or service. Please consult your professional advisors for any such advice.
GE, Predix and the GE Monogram are trademarks of General Electric Company. ©2016 General Electric Company – All rights reserved.