MQTT Security Notes

Maybe the naive and easy way to implement the this security layer could be pre-generate user + pass on the device inside a secure layer of SSL using Certs or Pre-shared-key. Also, the client device must be encrypted.

Reading

Authentication in Mosquitto

  1. No authentication
  2. User + Pass
  • Be sure to add network encryption
  1. Encryption with certificates
  • require_certificate FALSE: if false, the SSL/TLS component of the client will verify the server but there is no requirement for the client to provide anything for the server: authentication is limited to the MQTT built in username/password.
  • require_certificate TRUE: he client must provide a valid certificate in order to connect successfully. In this case:
  • use_identity_as_username FALSE: causes the Common Name (CN) from the client certificate to be used instead of the MQTT username for access control purposes. The password is not used because it is assumed that only authenticated clients have valid certificates. This means that any CA certificates you include in cafile or capath will be able to issue client certificates that are valid for connecting to your broker.
  • use_identity_as_username TRUE: the client must authenticate as normal (if required by password_file) through the MQTT options.
  1. Pre-shared-key based encryption
  • The client must provide a valid identity and key
  • psk_hint: a free form string
  • psk_file: the psk file