MQTT-Auth: a Token-based Solution to Endow MQTT with Authentication and Authorization Capabilities

Security in the Internet of Things is a current hot topic that spans several aspects, such as the confidentiality and integrity of personal data and the authentication and authorization required to access the smart objects that are increasingly present in our everyday lives. In this work we focus on MQTT (Message Queue Telemetry Transport), a message-based communication protocol explicitly designed for low-power machine-to-machine communications and based on the publish-subscribe paradigm. First, we provide an accurate analysis of some of the most recent security solutions and improvements of MQTT found in the literature. Second, we describe in detail a novel secure solution, called MQTT-Auth, to protect specific topics in MQTT. This solution is based on the AugPAKE security algorithm for guaranteeing confidentiality, and on two tokens, which respectively authenticate the usage of a topic and guarantee authorization in accessing a topic. MQTT-Auth can also be easily extended to a hierarchical structure of topics and entities. Finally, we compare MQTT-Auth with some solutions for securing MQTT present in the relevant literature, and we provide some details on how MQTT-Auth has been implemented and successfully tested.
