Real time secure messaging service for internet of things applications using MQTT

MQTT-PRESENT: Approach to secure internet of things applications using MQTT protocol

International Journal of Electrical and Computer Engineering (IJECE), 2021

The big challenge to address in deploying the application domains of the Internet of Things is security. As one of the popular messaging protocols in the IoT world, the message queue telemetry transport (MQTT) is designed for constrained devices and machine-to-machine communications. Based on the publish-subscribe model, it offers basic authentication using a username and password. However, this authentication method might have problems in terms of security and scalability. In this paper, we provide an analysis of the current research in the literature related to the security of the MQTT protocol, then give a brief description of each algorithm used in our approach, and finally propose a new approach to secure this protocol based on the AugPAKE algorithm and PRESENT encryption. This solution provides mutual authentication between the broker and its clients (publishers and subscribers), the confidentiality of the published message is protected twice, and the integrity and non-repudiation of MQTT messages are protected during the process of transmission.

Attack Scenarios and Security Analysis of MQTT Communication Protocol in IoT System

Proceeding of the Electrical Engineering Computer Science and Informatics

Various communication protocols are currently used in Internet of Things (IoT) devices. One of the protocols already standardized by ISO is the MQTT protocol (ISO/IEC 20922:2016). Many IoT developers use this protocol because of its minimal bandwidth requirement and low memory consumption. Sometimes, an IoT device sends confidential data that should only be accessed by authorized people or devices. Unfortunately, the MQTT protocol only provides authentication as its security mechanism and, by default, does not encrypt the data in transit; thus data privacy, authentication, and data integrity become problems in MQTT implementations. This paper discusses several reasons why many IoT systems do not implement adequate security mechanisms. Next, it demonstrates and analyzes how this protocol can be attacked easily using several attack scenarios. Finally, after the vulnerabilities of this protocol have been examined, we can improve our security awareness, especially of the MQTT protocol, and then implement security mechanisms in our MQTT system to prevent such attacks.

Keywords: attack; MQTT; protocol; scenario

I. INTRODUCTION

Internet of Things (IoT) or inter-machine communication (M2M) over the internet is a concept that allows communication between devices over the Internet. The number of IoT devices is growing rapidly: Cisco IBSG predicts the number of IoT devices will reach 50 billion by 2020 [1]. Moreover, Gartner predicts that, by 2020, the internet of things will be made up of 20.4 billion units [2]. IoT plays a major role in smart city implementations such as smart home, smart transportation, and smart parking. Nowadays, many protocols are used as communication protocols in IoT devices. Five of the most prominent protocols used for IoT are Hypertext Transfer Protocol (HTTP), Constrained Application Protocol (CoAP), Extensible Messaging and Presence Protocol (XMPP), Advanced Message Queuing Protocol (AMQP), and MQ Telemetry Protocol (MQTT) [3]. Some considerations that must be taken into account when choosing the protocol are energy efficiency (total consumed energy for the given execution time), performance (total transmission time it takes to send messages and receive their acknowledgments), resource usage (CPU, RAM, and ROM usage), and reliability (ability to avoid packet loss, i.e. QoS) [4]. Moreover, when advanced functionalities (e.g. message persistence, wills, and exactly-once delivery), reliability, and the ability to secure multicast messages are highly considered, the MQTT protocol is one of the best options [5].

Lightweight Security Mechanism over MQTT Protocol for IoT Devices

International Journal of Advanced Computer Science and Applications, 2020

Security is one of the main concerns with regard to the Internet of Things (IoT) networks. Since most IoT devices are restricted in resource and power consumption, it is not easy to implement robust security mechanisms. There are different methods to secure network communications; however, they are not applicable to IoT devices. In addition, most authentication methods use certificates in which signing and verifying certificates need more computation and power. The main objective of this paper is to propose a lightweight authentication and encryption mechanism for IoT constrained devices. This mechanism uses ECDHE-PSK which is the Transport Layer Security (TLS) authentication algorithm over Message Queuing Telemetry Transport (MQTT) Protocol. This authentication algorithm provides a Perfect Forward Secrecy (PFS) feature that makes an improvement in security. It is the first time that this TLS authentication algorithm is implemented and evaluated over the MQTT protocol for IoT devices. To evaluate resource consumption of the proposed security mechanism, it was compared with the default security mechanism of the MQTT protocol and the ECDHE-ECDSA that is a certificate-based authentication algorithm. They were evaluated in terms of CPU utilization, execution time, bandwidth, and power consumption. The results show that the proposed security mechanism outperforms the ECDHE-ECDSA in all tests.

Security exploration of MQTT protocol in Internet of Things

International Journal of Advanced Trends in Computer Science and Engineering, 2020

Internet of Things (IoT) connects sensing devices and physical objects/things to the internet for the purpose of exchanging information. Things have become smarter than they were before. IoT enables users to communicate with and control smart objects to rescue information that is essential. Massive quantities of data will be generated and exchanged, which in turn helps in making decisions. However, security and privacy are important while exchanging data from anywhere and at any time. IoT application protocols based on middleware play a key role in facilitating two-way communication and remote control of IoT devices. Message Queuing Telemetry Transport Protocol (MQTT) is a widely used lightweight messaging protocol in IoT. This paper describes security analysis and issues in the MQTT protocol by considering different attacking scenarios.

Securing Communication in MQTT enabled Internet of Things with Lightweight security protocol

EAI Endorsed Transactions on Internet of Things

This paper proposes a security algorithm for the Internet of Things (IoT) using simple lightweight cryptographic operations. The main advantage of the proposed algorithm is its simplicity, energy efficiency and speed, such that it can be computed quickly using a low-power microcontroller. The encryption of the sensed data is performed using simple operations so as to consume a smaller amount of node energy. To test the effectiveness of the proposed algorithm, an experimental rig is set up to implement it. The analysis confirms that the proposed algorithm provides end-to-end encryption, imparts security against likely attacks such as brute force and spoofing attacks, and has a small code footprint. It is envisaged that the algorithm can be very useful in securing message transmissions in the Internet of Things.

A study of secure communication scheme in MQTT: TLS vs AES cryptography

Jurnal Infotel, 2022

The Internet of Things (IoT) technology helps devices to send commands and requests, exchange messages, and also communicate with an entire level of devices and infrastructures. Several IoT-based systems may communicate at a certain level of latency depending on the urgency and purpose of the communications. Therefore, several protocols with respect to their speed and reliability levels can be chosen for achieving the desired quality of services. As for lightweight and fast communication speed for IoT devices, the MQTT protocol is the most commonly known and recommended in the system. However, the MQTT protocol is not equipped with the appropriate security mechanism. As a consequence, the MQTT messages are easily eavesdropped on and modified by attackers during communication sessions among devices through several levels of network domains including local, internet, and internal cloud-based networks. Considering the well-established security approach and commonly strong cipher system, this research studies the use of the AES cryptography-based communication scheme against the TLS-based communication scheme, which can be used to create end-to-end secure communication channels from the MQTT publishers to the MQTT subscribers. Experimental results show that the TLS-based communication scheme possesses the highest cost in terms of communication delay and network cost among all schemes in the experiment. Eventually, the AES-based MQTT communication scheme is more appropriate for IoT environments because of its communication delay and network cost, which are considered equal to the plaintext-based MQTT communications.

A MQTT-API-compatible IoT security-enhanced platform

International Journal of Sensor Networks

Owing to its lightweight nature and ease of use, the message queue telemetry transport (MQTT) has become one of the most popular communication protocols in the internet-of-things (IoT). However, the security support in MQTT is very weak. In this paper, we systematically examine the security requirements of an MQTT-based IoT system, identify the gap between the requirements and the supported functions, and design a security-enhanced MQTT framework. The framework facilitates device authentication, key agreement, and policy authorisation. Additionally, it is desirable that any MQTT-security enhancements should be compatible with existing MQTT Application Programming Interfaces (API). We propose a two-phase authentication approach that can smoothly integrate secure key agreement schemes with the current MQTT-API. To evaluate its effectiveness and efficiency, we implement a prototype. Compared to its counterparts, the results show the merits of improved communication performance, MQTT-API compliance, and security robustness.

An Experimental Evaluation of MQTT Authentication and Authorization in IoT

Proceedings of the 15th ACM Workshop on Wireless Network Testbeds, Experimental evaluation & CHaracterization, 2021

Security vulnerabilities make the Internet of Things (IoT) systems open to online attacks that threaten both their operation and user privacy. Among the many protocols governing IoT operation, MQTT has seen wide adoption, but comes with rudimentary security support. Specifically, while the MQTT standard strongly recommends that servers (brokers) offer Transport Layer Security (TLS), it is mainly concerned with the message transmission protocol, leaving to implementers the responsibility for providing appropriate security features. However, well-known solutions for Web Security (OAuth2) exist, which may benefit MQTT. This paper presents systematic implementation efforts and practical experimentation to evaluate the feasibility of one such approach, namely the MQTT-TLS profile for the Authentication and Authorization in Constrained Environments (ACE), recently specified by the IETF. Our implementation includes the functionality for (1) the Authorization Server (AS), to handle client registration, authorization policies, and Access Tokens; (2) the MQTT broker, to enforce authentication in both MQTT versions 3.1.1 and 5. Together, these enable ACE-MQTT clients to use (3) OAuth2-based authentication and authorization via Proof of Possession tokens. We make the source-code of our ACE-MQTT implementation publicly available, and evaluate it against plain MQTT systems in realistic settings with different computation constraints. To assess the cost of security, we measure the CPU, memory, network usage, and energy consumption. The results obtained confirm that the ACE requirements match the capabilities of moderately constrained devices, hence providing an affordable mechanism to secure MQTT systems.

CCS CONCEPTS: Networks → Network experimentation; Cyber-physical networks; Security and privacy → Security protocols.

AES and MQTT based security system in the internet of things

Journal of Discrete Mathematical Sciences and Cryptography, 2019

The Internet of Things grew rapidly over the last few years, but the focus on security has not kept up. In today's world, the smart city has developed as a contemporary paradigm to dynamically optimize the resources in cities and serve better facilities and excellence of life for the citizens. In this paper, a model is proposed using Advanced Encryption Standard-256 and Secure Hashing Algorithm-256 to attain security in the IoT system. The data collected from devices is first encrypted using AES-256 with a symmetric key that has been created by using SHA-256, and finally the ciphertext is created. Now, this ciphertext is added to a new layer of security called Message Queuing Telemetry Transport protocol, which is an ISO standard (ISO/IEC PRF 20922) publish-subscribe based model used for the secure transmission of data. On the receiver side, the original data is extracted. In this way, three-layer security has been added to data collected by smart objects before transmission.

A Study on MQTT Protocol and its Cyber Attacks

IARJSET, 2022

The Internet of Things (IoT) is a model of interconnected objects, devices, systems, and other items which are embedded with communication hardware, software, processors and network connectivity, which enables these objects to congregate and swap information. Fast revolution in the field of information communication, technologies, and digital things is compelling quick information of IoT over the world. In IoT, device-to-device communication is considered through either a pushing or a pulling protocol. A push protocol is more suitable for IoT devices because of its lightweight and high productivity. There are many push protocols available for IoT, where a user does not look for any kind of information, of which MQTT is widely utilized because of its frivolous and bandwidth efficiency. Security is one of the main cares with regard to IoT networks, since it is not easy to implement a robust security mechanism in most IoT devices because of their restrictions in resources and power consumption. The MQTT protocol has been implemented because of its little cost and easy software platform, which is appropriate for IoT applications. This paper gives an idea about various attacking scenarios in the MQTT protocol and its introduction.