Wi-Fi Provisionee Manufacturing
This guide describes the provisioning of Device Hardware Authentication (DHA) material during the manufacturing of Wi-Fi provisionees. You must use DHA for Frustration-Free Setup (FFS) to create secure communications between these devices and the Amazon Frustration-Free Setup cloud services. Amazon Frustration-Free Setup cloud services securely associate devices to owners, enable broader Alexa services, and enable Alexa skills developed by non-Amazon developers. FFS uses DHA material to authenticate with the Amazon cloud and services. Amazon requires that you use DHA for all products that incorporate FFS.
- Overview and Definitions
- Requesting a DAK from Amazon
- DHA authentication process
- Manufacturing Line DHA Process
Overview and Definitions
This document uses the following terms to describe DHA security architecture.
Device Type ID and Advertised Product ID
Device Type ID and Advertised Product ID combine to identify a product line uniquely. Amazon issues a unique Device Type ID / Advertised Product ID pair for each product you onboard with Frustration-Free Setup. You must use each Device Type ID / Advertised Product ID pair with only a single product. When you onboard a new product with Amazon Frustration-Free Setup, Amazon issues a new Device Type ID / Advertised Product ID pair.
Device Attestation Key (DAK)
A Device Attestation Key acts as a certificate authority for a device type. A DAK consists of:
- An X.509-based DAK certificate with a public key and additional metadata such as the Device Type ID, signed by Amazon using a certificate authority (CA) specific to your device type.
- The private key that corresponds to the public key in the DAK certificate. This key pair is generated together.
There are two DAK types:
- Development DAK. This DAK type is used for initial device development and testing. Test devices need to be registered via the developer console for internal testing.
- Production DAK. This DAK type is used for device certification and production after the device is certified.
Device Hardware Authentication (DHA) material
Each specific device stores DHA material with the following parts:
- An X.509-based DHA certificate with a public key that identifies this device and additional metadata such as the Device Type ID. This certificate has to be signed by the Device Attestation Key described above. Your device should store the DHA certificate in non-volatile storage.
- The private key that corresponds to the public key in the DHA certificate. This key pair is generated together. Your device should store the private key securely. Protected storage is preferable if it is available.
Your device should persist both the DHA certificate and the private key across reboots, factory resets, and firmware updates.
Requesting a DAK from Amazon
To request a new DAK, follow the steps below:
- Follow the device type onboarding steps listed on the Amazon Frustration-Free Setup Developer Console to request device type identifiers.
- When your Device Type ID and Advertised Product ID (APID) are available, proceed to the Manage Keys page and follow the steps to generate a DAK key pair and sign a DAK certificate.
DHA authentication process
A device is authenticated when:
- It can verify that its DHA certificate is signed by a trusted DAK.
- The DHA device type matches the DAK device type.
A device is authorised to perform automated simple setup when:
- Its DHA material was registered using the control log upload process described below.
- A device is pre-registered to a customer who is setting up the device.
Manufacturing Line DHA Process
The following describes the DHA manufacturing flow:
- Follow the steps on the Manage Keys page to generate DHA material for each individual device.
- Your manufacturing line station signs the private key using the DAK you downloaded from the Amazon Frustration-Free Setup Developer Console and generates the DHA certificate chain file.
- Your manufacturing line station stores the full DHA certificate chain file on your device, preferably in secure persistent storage.
- Your manufacturing process extracts the DHA public key from the DHA certificate as authentication material and generates a device identification value for the 1D barcode on the device packaging, which enables the Amazon fulfillment center to pre-register your device with the customer's account.
- Your manufacturing process generates device control logs, which contain the device DHA public key and device identification value, and uploads them to Amazon. Refer to the Device Control Log Specification for more information about device control log usage, format, content and upload process, and to the 1D barcode specification for 1D barcode requirements.
The DHA software on the device is part of the Amazon Frustration-Free Setup SDK.
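The manufacturing flow and the two authentication checks above, walked through with openssl as an added example; this is not Amazon's tooling or code from the FFS SDK. It assumes EC P-256 keys, a locally generated stand-in DAK, a station that certifies the device public key through a CSR, and the Device Type ID carried in the subject OU field; all IDs and file names are constructed, and the real certificate profile is whatever the Manage Keys page and SDK define.

```shell
#!/usr/bin/env bash
# Added example. ASSUMPTIONS (not from the FFS specification): EC P-256 keys,
# Device Type ID carried in the subject OU, constructed IDs and file names.
set -eu
WORK=$(mktemp -d)
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# Stand-in for the DAK issued through the developer console.
make_dak() {  # $1 = device type ID
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/dak.key"
  openssl req -x509 -new -config "$WORK/req.cnf" -key "$WORK/dak.key" -sha256 \
    -days 30 -subj "/OU=$1/CN=Stand-in DAK" -out "$WORK/dak.crt"
}

# Per-device DHA material: key pair, CSR, DAK-signed certificate, chain file.
make_dha() {  # $1 = device name, $2 = device type ID
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/$1.key" \
    -subj "/OU=$2/CN=$1" -out "$WORK/$1.csr"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/dak.crt" \
    -CAkey "$WORK/dak.key" -CAcreateserial -days 30 -sha256 -out "$WORK/$1.crt"
  cat "$WORK/$1.crt" "$WORK/dak.crt" > "$WORK/$1.chain.pem"
}

device_type() {  # print the OU of the first certificate in a PEM file
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    awk -F' = ' '/organizationalUnitName/ {print $2}'
}

# The two authentication checks: signature chains to the DAK, types match.
authenticate() {  # $1 = device name
  openssl verify -CAfile "$WORK/dak.crt" "$WORK/$1.chain.pem" >/dev/null 2>&1 &&
    [ "$(device_type "$WORK/$1.chain.pem")" = "$(device_type "$WORK/dak.crt")" ]
}

# Public key destined for the control log; must match the key on the device.
dha_pubkey() { openssl x509 -in "$WORK/$1.crt" -noout -pubkey; }

make_dak "A1EXAMPLETYPE"
make_dha "unit-0001" "A1EXAMPLETYPE"
authenticate "unit-0001" && echo "unit-0001 authenticated"
```

A certificate whose device type differs from the DAK's, or one that no longer chains to the trusted DAK, makes `authenticate` return non-zero.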
| 1 | Sept 25, 2019 | Amazon | General Availability. |
| 1.1 | Apr 20, 2020 | Amazon | Guidance around YubiKey usage and instructions on CSR Signer app. |
| 1.2 | Sept 23, 2020 | Amazon | Information about Downloadable DAKs and Control Logs. |
| 1.3 | Nov 04, 2020 | Amazon | Additional Soft DAKs and Control Logs updates. |
| 1.4 | Dec 05, 2020 | Amazon | Soft DAKs and Control Logs General Availability. |