This document discusses securing MQTT communication for IoT. It begins with an overview of MQTT and IoT concepts. It then covers MQTT security topics like TLS, authentication using JSON web tokens and OAuth2.0. Finally, it provides steps to secure a Mosquitto MQTT broker using TLS, authentication and access control lists. The goal is to help secure MQTT protocols which are widely used for IoT communication.

1. Securing MQTT for IoT
Communication
SCALE x16
March 9, 2018
Anthony Chow
http://cloudn1n3.blogspot.com/
Twitter: @vCloudernBeer
Auth0 Ambassador
Intel Innovator
VMware vExpert 2015 - 2018

2. IoT Ecosystems
Image source: https://techcrunch.com/2013/05/25/making-sense-of-the-internet-of-things

3. IoT Gateway
Image source: https://medium.com/@darshipatel/internet-of-things-and-powerful-iot-gateways-a1673cba6cb9

4. MQTT in the OSI 7-layer
Image source: https://www.hivemq.com/blog/mqtt-essentials-part-3-client-
broker-connection-establishment
Image source: https://www.slideshare.net/aniruddha.chakrabarti/coap-web-
protocol-for-iot

5. What is MQTT?
Image source: https://www.hivemq.com/blog/how-to-get-started-with-mqtt

6. MQTT Terminologies
 Publish/Subscribe
 QoS
 Topics
 Persistent vs Clean Session
 LWT – Last Will and Testament

7. What is new in MQTT 5
 What happened to MQTT 4?
 https://www.hivemq.com/mqtt-5
Image source: https://www.hivemq.com/blog/mqtt-5-introduction-to-mqtt-5/

8. What’s new with MQTT 5?
What happen to MQTT 4?
https://www.hivemq.com/mqtt-5

9. MQTT Resources
 http://mqtt.org
 https://github.com/mqtt/mqtt.github.io/wiki
 https://
www.hivemq.com/blog/mqtt-essentials-wrap-up
 https://www.hivemq.com/blog/mqtt-security-fundamentals
/
 https://
auth0.com/docs/integrations/authenticating-devices-using-mqtt

10. MQTT Broker/Server - Mosquitto
 sudo apt-get install mosquitto
 sudo apt-get install mosquitto-client
 /etc/mosquitto/mosquitto.conf

11. Ways to secure MQTT
 Network: VPN
 Transport: SSL/TLS
 Application: client-id; Access Token;
Username/password

12. Securing MQTT broker –
Mosquitto on Ubuntu
 sudo apt-get install mosquotto
 sudo apt-get install mosquotto-client
 /etc/mosquotto
 Different option to secure Mosquotto broker:
 Password
 ACL
 SSL/TLS
 Third-party – OAuth2

13. SSL/TLS
 SSL – Secure Socket Layer (older standard)
o Version 2 and version 3
 TLS – Transport Layer Security (newer standard)
o Version 1.1, 1.2 and 1.3
 Asymmetric encryption
o Private Key and Public key
 Symmetric encryption
o Symmetric key
 Hashing
 Digital Certificate – e.g. X.509

14. SSL-Handshake
Image source: https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.1.0/com.ibm.mq.doc/sy10660a.gif

15. SSL – X.509 Digital Certificate

16. JWT- JSON Web Token
Image source: youtube.com

17. Resources for JSON Web Token
• https://auth0.com/learn/json-web-tokens/
• https://jwt.io/introduction/
• https://scotch.io/tutorials/the-anatomy-of-a-json-web-
token
• https://auth0.com/e-books/jwt-handbook

18. OAuth-2OAuth-2
 “Open Authentication” (?)
 Authorization delegation
 An authorization framework
 Defined by RFC 6749 and 6750
 OAuth 1 is defined by RFC 5849
 OAuth 1 and OAuth 2 are not compatible

19. OAuth2 ActorsOAuth2 Actors
Image source: https://www.linkedin.com/pulse/microservices-security-openid-connect-manish-singh/

20. OAuth2 Flows (grants)OAuth2 Flows (grants)
image source: https://www.slideshare.net/rcandidosilva/javaone-2014-securing-restful-resources-with-oauth2

21. OAuth2 Authorization Grants
 Different ways of getting a token
o Authorization code,
o Implicit grant,
o Resource owner password credentials and
o Client credentials
 Which OAuth 2.0 flow should I use?

22. OAuth2 Tokens
 Access Token
 Refresh Token

23. OAuth2 Tokens
• Access Token
• Refresh Token

24. OAuth2 simplified viewOAuth2 simplified view
Image source: https://www.hivemq.com/wp-content/uploads/oauth-simple.png

25. Resource for OAuth2Resource for OAuth2
• RFC 6749 - https://tools.ietf.org/html/rfc6749
• RFC 6750 - https://tools.ietf.org/html/rfc6750
• https://auth0.com/docs/protocols/oauth2
• https://developers.google.com/oauthplayground/

26. Authenticating & Authorizing Devices
using MQTT with Auth0

27. Username and PasswordUsername and Password
 mosquitto_passwd –U <password-file>
 mosquitto_passwd –c <password-file> <user>
{password}
 Edit /etc/mosquitto.conf:
 allow_anonymous false
 password_file /etc/mosquitto/<password-file>

28. ACL – Access Control ListACL – Access Control List
 /etc/mosquitto/mosquitto.conf
 /etc/mosquitto/conf.d/default.conf
 Add this line:
 acl_file /etc/mosquitto/<acl-file>

29. Sample ACL file forSample ACL file for
MosquittoMosquitto
Source: https://jaimyn.com.au/mqtt-use-acls-multiple-user-accounts/
# Give Home user1 full access to everything
user user1
topic readwrite #
# Allow the user2 to read/write to test/# and stat/#
user user2
topic readwrite test/#
topic readwrite stat/#
# Allows user3 to read/write to the sensor topics
user user3
topic cmnd/sensor/#
topic stat/sensor/#

30. SSL/TLSSSL/TLS
 openssl genrsa -out ca.key 2048
 openssl req -new -x509 -days365 -key ca.key -out ca.crt
 openssl genrsa -out serv.key 2048
 openssl req -new -key serv.key -out serv.csr
 openssl x509 -req -in serv.csr -CA mosq-ca.crt -CAkey ca.key -CAcreateserial
-out serv.crt -days 365 -sha256
 Add this line:
 Listener 8883
 cafile /home/mosquitto/ca.crt
 certfile /home/mosquitto/serv.crt
 keyfile /home/mosquitto/serv.key

31. 33rdrd
Party – OAuth2/Auth0Party – OAuth2/Auth0
 https://auth0.com/docs/integrations/authenticating-devices-using-mqtt
 openssl genrsa -out serv.key 204
 openssl req -new -key serv.key -out serv.csr
 openssl x509 -req -in serv.csr -CA mosq-ca.crt -CAkey ca.key -CAcreateserial
-out serv.crt -days 365 -sha256
 Add this line:
 Listener 8883
 cafile /home/mosquitto/ca.crt
 certfile /home/mosquitto/serv.crt
 keyfile /home/mosquitto/serv.key

32. How can I start?

Let’s secure a MQTT server now.

33. Thanks for coming and enjoy the rest of
SCALE.
Have a nice day!