Framework for MQTT Client Identification & Authentication Using Blockchain

The Message Queuing Telemetry Transport (MQTT) protocol is widely used for IoT devices. MQTT is built around a message broker, with clients that subscribe and publish to topics. Clients never communicate directly with each other.
MQTT is a very lightweight protocol, which is desirable for low-resource microcontrollers. Because of the protocol's simplicity, securing the connection is not handled by the protocol itself. There are many security features that an administrator can implement; however, these have a bearing on the CPU, power, and bandwidth capabilities of the client. In many cases the client is a battery-powered, low-cost microcontroller with limited processing power and memory.

In this article we describe a lightweight authentication method using the Solar blockchain or other ARK Core-based blockchains.

Common Authentication Methods

  1. In the most basic setup, anonymous clients are free to connect without any authentication. Authorization and read/write permissions on specific topics are set by the administrator of the broker.
  2. The broker can also be set up to authenticate a client using a username, a password and optionally a clientID. This information is sent in plain text. The broker validates these credentials against information stored locally in a database.
  3. TLS/SSL can be enabled so that the client and broker can authenticate each other, initially over an anonymous connection, and then proceed with username/password authentication over the encrypted connection. Unfortunately it is not possible to implement this in all IoT scenarios.
For a more detailed review of MQTT security issues, please see the following references:

Proposed Blockchain Framework

The following outlines a basic framework for using a blockchain as a lightweight client authentication method for the MQTT broker.

Variations:

1. Time Stamped Signed Authentication
  • Username: Public Key
  • ClientID: Message = (Timestamp | UID)
  • Password: Signature
2. Signed Authentication
  • Username: Public Key
  • ClientID: Message = UID
  • Password: Signature
3. Signed Authentication
  • Username: Public Key
  • ClientID: undefined; it could be the UID but is not used for authentication
  • Password: Message = UID | Signature

MQTT Broker Integration of Proposed Authentication Method

The standard authentication method for most MQTT brokers is a local file containing usernames and hashed passwords, along with an additional file holding access control permissions. Two popular open source brokers are Mosquitto and RabbitMQ.
Both of these brokers support additional authentication plugins. A custom plugin could be developed; however, our implementation uses existing plugins that authenticate against an external HTTP server. This HTTP server could retrieve account data from a database, but the proposed method instead queries the Solar blockchain for access control.
Our implementation uses RabbitMQ and its HTTP auth plugin; Mosquitto also has an auth plugin with similar functionality.
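As an added illustration (not code from this article, RabbitMQ or Mosquitto), here is the credential layout of variation 1 and the checks an HTTP auth backend would make on it, in Go. It assumes P-256 ECDSA from Go's standard library in place of the chain's own signature scheme, and an in-memory set of authorized public keys in place of the Solar blockchain query.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strconv"
	"strings"
	"time"
)
// Creds are the MQTT CONNECT fields as the HTTP auth backend sees them (variation 1): Username = hex public key, ClientID = "<unix timestamp>|<UID>", Password = hex signature over the ClientID bytes.
type Creds struct{ Username, ClientID, Password string }
const maxSkew = 60 * time.Second // a signed ClientID older than this is treated as a replay
// MakeCreds is the client side: sign "<timestamp>|<uid>" with the device's private key.
func MakeCreds(priv *ecdsa.PrivateKey, uid string, now time.Time) (Creds, error) {
	clientID := strconv.FormatInt(now.Unix(), 10) + "|" + uid
	digest := sha256.Sum256([]byte(clientID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return Creds{}, err
	}
	pub := elliptic.Marshal(elliptic.P256(), priv.PublicKey.X, priv.PublicKey.Y)
	return Creds{hex.EncodeToString(pub), clientID, hex.EncodeToString(sig)}, nil
}
// Authenticate is the broker side; allowed is a constructed in-memory stand-in for the on-chain lookup (assumption). Returns the UID on success.
func Authenticate(c Creds, allowed map[string]bool, now time.Time) (string, error) {
	if !allowed[c.Username] {
		return "", errors.New("public key not authorized")
	}
	ts, uid, ok := strings.Cut(c.ClientID, "|")
	secs, err := strconv.ParseInt(ts, 10, 64)
	if !ok || uid == "" || err != nil {
		return "", errors.New("malformed clientID")
	}
	if d := now.Sub(time.Unix(secs, 0)); d > maxSkew || d < -maxSkew {
		return "", errors.New("timestamp outside replay window")
	}
	pubBytes, errK := hex.DecodeString(c.Username)
	sig, errS := hex.DecodeString(c.Password)
	x, y := elliptic.Unmarshal(elliptic.P256(), pubBytes)
	if errK != nil || errS != nil || x == nil {
		return "", errors.New("undecodable key or signature")
	}
	// The signature must cover exactly the ClientID that was presented, timestamp included.
	if digest := sha256.Sum256([]byte(c.ClientID)); !ecdsa.VerifyASN1(&ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, digest[:], sig) {
		return "", errors.New("bad signature")
	}
	return uid, nil
}
```

The same handler shape serves variations 2 and 3; only the message the signature covers changes, and without the timestamp the replay window check no longer applies.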

We have launched a free public MQTT broker that implements the proposed framework.