This document discusses securing MQTT communication for IoT. It begins with an overview of MQTT and IoT concepts. It then covers MQTT security topics like TLS, authentication using JSON web tokens and OAuth2.0. Finally, it provides steps to secure a Mosquitto MQTT broker using TLS, authentication and access control lists. The goal is to help secure MQTT protocols which are widely used for IoT communication.
4. MQTT in the OSI 7-layer
Image source: https://www.hivemq.com/blog/mqtt-essentials-part-3-client-broker-connection-establishment
Image source: https://www.slideshare.net/aniruddha.chakrabarti/coap-web-protocol-for-iot
5. What is MQTT?
Image source: https://www.hivemq.com/blog/how-to-get-started-with-mqtt
7. What is new in MQTT 5
What happened to MQTT 4?
https://www.hivemq.com/mqtt-5
Image source: https://www.hivemq.com/blog/mqtt-5-introduction-to-mqtt-5/
8. What’s new with MQTT 5?
What happened to MQTT 4?
https://www.hivemq.com/mqtt-5
13. SSL/TLS
SSL – Secure Socket Layer (older standard)
o Version 2 and version 3
TLS – Transport Layer Security (newer standard)
o Version 1.1, 1.2 and 1.3
Asymmetric encryption
o Private Key and Public key
Symmetric encryption
o Symmetric key
Hashing
Digital Certificate – e.g. X.509
17. Resources for JSON Web Token
• https://auth0.com/learn/json-web-tokens/
• https://jwt.io/introduction/
• https://scotch.io/tutorials/the-anatomy-of-a-json-web-token
• https://auth0.com/e-books/jwt-handbook
18. OAuth-2
“Open Authentication” (?)
Authorization delegation
An authorization framework
Defined by RFC 6749 and 6750
OAuth 1 is defined by RFC 5849
OAuth 1 and OAuth 2 are not compatible
21. OAuth2 Authorization Grants
Different ways of getting a token
o Authorization code,
o Implicit grant,
o Resource owner password credentials and
o Client credentials
Which OAuth 2.0 flow should I use?
28. ACL – Access Control List
Edit /etc/mosquitto/mosquitto.conf (or /etc/mosquitto/conf.d/default.conf) and add this line:
acl_file /etc/mosquitto/<acl-file>
29. Sample ACL file for Mosquitto
Source: https://jaimyn.com.au/mqtt-use-acls-multiple-user-accounts/
# Give Home user1 full access to everything
user user1
topic readwrite #
# Allow the user2 to read/write to test/# and stat/#
user user2
topic readwrite test/#
topic readwrite stat/#
# Allows user3 to read/write to the sensor topics
user user3
topic cmnd/sensor/#
topic stat/sensor/#
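To verify what an ACL file actually grants before loading it into the broker, here is an added Python example (not from the slides and not Mosquitto's own code) that parses the user/topic lines of the sample above and evaluates a user's read or write access to a concrete topic with MQTT wildcard matching. It assumes a simplified model: topic lines before the first user line apply to every client, a topic line without an access keyword means readwrite, a matching deny rule wins, and pattern lines are not handled.

```python
# Added example: evaluate a Mosquitto-style ACL file offline.
# Assumptions (simplified model, not Mosquitto's own logic): rules before the
# first "user" line apply to every client; "topic <filter>" means readwrite;
# a matching "deny" rule wins; "pattern" lines are rejected as unsupported.

SAMPLE_ACL = """\
user user1
topic readwrite #
user user2
topic readwrite test/#
topic readwrite stat/#
user user3
topic cmnd/sensor/#
topic stat/sensor/#
"""  # constructed copy of the slide's sample ACL (comments dropped)

ACCESS = {"read", "write", "readwrite", "deny"}

def parse_acl(text):
    """Return {user: [(access, filter), ...]}; key None holds global rules."""
    rules, current = {None: []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or comment line
            continue
        parts = line.split()
        if parts[0] == "user" and len(parts) == 2:
            current = parts[1]
            rules.setdefault(current, [])
        elif parts[0] == "topic" and len(parts) == 2:
            rules[current].append(("readwrite", parts[1]))
        elif parts[0] == "topic" and len(parts) == 3 and parts[1] in ACCESS:
            rules[current].append((parts[1], parts[2]))
        else:
            raise ValueError(f"unsupported ACL line: {raw!r}")
    return rules

def topic_matches(flt, topic):
    """MQTT filter match: '+' is one level, '#' is the rest (must be last)."""
    f, t = flt.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return i == len(f) - 1
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)

def allowed(rules, user, topic, op):
    """op is 'read' (subscribe/receive) or 'write' (publish)."""
    decision = False
    for access, flt in rules[None] + rules.get(user, []):
        if not topic_matches(flt, topic):
            continue
        if access == "deny":
            return False
        if access == "readwrite" or access == op:
            decision = True
    return decision
```

A user with no matching rule is denied, which is also what you want to see for any account you forgot to list.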