MQTT Security Notes

Maybe the naive and easy way to implement the this security layer could be pre-generate user + pass on the device inside a secure layer of SSL using Certs or Pre-shared-key. Also, the client device must be encrypted.

Reading

• Paper about IoT protocols
• They consider MQTT as the better (mature) choice
• MQTT and security (DEFCon presentation)
• Securing the connection:
• User + Pass
• Use encryption
• Segmentation and Trust (by IP)
• IoT gateway to encrypt the data (if possible, may defeat the purpose)
• Securing EDGE nodes (whitepaper)

Authentication in Mosquitto

1. No authentication
2. User + Pass

• Be sure to add network encryption

1. Encryption with certificates

• require_certificate FALSE: if false, the SSL/TLS component of the client will verify the server but there is no requirement for the client to provide anything for the server: authentication is limited to the MQTT built in username/password.
• require_certificate TRUE: he client must provide a valid certificate in order to connect successfully. In this case:
• use_identity_as_username FALSE: causes the Common Name (CN) from the client certificate to be used instead of the MQTT username for access control purposes. The password is not used because it is assumed that only authenticated clients have valid certificates. This means that any CA certificates you include in cafile or capath will be able to issue client certificates that are valid for connecting to your broker.
• use_identity_as_username TRUE: the client must authenticate as normal (if required by password_file) through the MQTT options.

1. Pre-shared-key based encryption

• The client must provide a valid identity and key
• psk_hint: a free form string
• psk_file: the psk file