Securing MQTT - BuildingIoT 2016 slides

Dominik Obermaier, CTO at HiveMQ
www.bestppt.com
Securing MQTT
#buildingIoT 2016
INTRODUCTION
Dominik Obermaier
@dobermai
Obligatory Disclaimer
All security suggestions and guidelines in this talk are collected from real-world projects and experiences. When in doubt how to apply these techniques in your own projects, please consult a security professional you trust.
Key Protocol Facts
MQTT Protocol Characteristics
— Messaging protocol
— Binary
— Publish / Subscribe
— Data agnostic
— Lightweight
— Easy
Publish / Subscribe
(Diagram) A temperature sensor publishes “21°C” to the MQTT broker; a laptop and a mobile device subscribe to that topic, and the broker delivers “21°C” to each of them.
Security
“The mantra of any good security engineer is: 'Security is not a product, but a process.' It's more than designing strong cryptography into a system; it's designing the entire system such that all security measures, including cryptography, work together.”
- Bruce Schneier
Multiple Security Layers and Aspects
Security Layers: Data / Application / Host / Network
Network & Secure Communication
Reduced Attack Surface
— The client initiates the TCP connection to the broker
— The client doesn't need to be (and shouldn't be) addressable from outside
— IPv6 privacy extensions (RFC 4941 temporary addresses) should be used
— NATs can further decrease the attack surface, because the client is not reachable from the Internet at all
Transport Layer Security (TLS)
“Secure communication is when two entities are communicating and do not want a third party to listen in. For that they need to communicate in a way not susceptible to eavesdropping or interception.”
- Wikipedia on “Secure Communication”
Network Stack (diagram)
TLS
— Cryptographic protocol
— Provides a secure communication channel between client and server
— The TLS handshake initiates a TLS session
— The client validates the server's X.509 certificate
TLS Handshake (diagram)
Source: Wikimedia Commons: https://commons.wikimedia.org/wiki/File%3AFull_TLS_1.2_Handshake.svg
Best Practices
1. Always use TLS if possible
2. Use certificates from trusted CAs
3. Always validate the X.509 certificate chain (and that the certificate matches the broker's hostname)
4. Use the highest TLS version and secure cipher suites
TLS
Advantages:
— Encrypted communication
— Widely available
— Session resumption possible
— Prevents man-in-the-middle attacks, provided the client really validates the server certificate
Disadvantages:
— CPU, RAM & network overhead
TLS Session Resumption
— Reuse an already negotiated TLS session instead of running a full handshake again
— Not all TLS libraries and MQTT brokers implement session resumption
— Two mechanisms: Session IDs & Session Tickets
X.509 Client Certificates
— The client sends its certificate as part of the TLS handshake
— The server is able to verify the identity of the client and can abort the handshake
— Authentication on the transport layer
— Some brokers can use certificates for authorization
The challenge: Provisioning and revocation
X.509 Client Certificate Provisioning + Revocation
— How to deploy certificates to MQTT clients?
— Works great if a PKI is already in place
— Certificate Revocation Lists (CRLs) for small deployments
— Online Certificate Status Protocol (OCSP) for online certificate validation
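The TLS best practices and the client-certificate slides above translate into a handful of settings on the client's TLS context. The following is an added example, not code from the talk or from HiveMQ: it builds a Python ssl context for an MQTT-over-TLS connection (trusted CA, chain and hostname validation, TLS 1.2 minimum, forward-secret AEAD cipher suites), optionally loads an X.509 client certificate for mutual TLS and turns on CRL checking, and contrasts it with the insecure "verify nothing" context found in many IoT samples. File paths and the broker hostname are assumptions; the paho-mqtt call named in the comment is real but not exercised here.

```python
import ssl

# Added example: client-side SSLContext for MQTT over TLS (port 8883).
# File paths and hostnames are placeholders for this example.

def make_mqtt_tls_context(cafile=None, client_cert=None, client_key=None,
                          check_crl=False):
    # PROTOCOL_TLS_CLIENT already sets check_hostname=True and
    # verify_mode=CERT_REQUIRED; never switch those off in production.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # refuse SSLv3, TLS 1.0 and 1.1
    # Forward-secret AEAD suites only; no NULL, MD5, RC4 or 3DES.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    if cafile:
        ctx.load_verify_locations(cafile=cafile)      # private CA that signed the broker cert
    else:
        ctx.load_default_certs()                      # system trust store (public CAs)
    if client_cert:
        # X.509 client certificate presented in the handshake (transport-layer auth).
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    if check_crl:
        # The CRL itself must be loaded next to the CA via load_verify_locations().
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def make_insecure_context():
    # The anti-pattern: encryption without authenticating the peer, which is
    # exactly what a man-in-the-middle needs.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx):
    """Plain-value summary so a context can be audited in tests or logs."""
    return {
        "min_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
    }


def is_hardened(ctx):
    """Best practices 3 and 4 from the slide, as a single boolean check."""
    d = describe(ctx)
    return (d["check_hostname"]
            and d["verify_mode"] == "CERT_REQUIRED"
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


if __name__ == "__main__":
    # With paho-mqtt the context is attached with client.tls_set_context(ctx)
    # before client.connect("broker.example", 8883); the hostname is an assumption.
    print(describe(make_mqtt_tls_context()))
```

Note that `PROTOCOL_TLS_CLIENT` makes validation the default; the insecure variant has to actively disable it, which is a useful thing to grep for in a code review.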
Security Layers: Data / Application / Host / Network
Firewall
MQTT Ports
1883: MQTT + TCP (official IANA port)
8883: MQTT + TLS (official IANA port)
80 / 443: MQTT + WebSockets (standard HTTP / HTTPS ports)
Firewall Best Practices
— Only listen on defined ports
— Only allow traffic from a specific IP range if possible
— Block all protocols except TCP *
— Create iptables rules against common attacks (e.g. connection flooding)
* ICMPv6 may be needed for IPv6
OS Best Practices (Linux)
— Keep libraries and software updated
— Disallow root login over SSH and use SSH keys instead of passwords
— Set up SELinux
— Install tools like Fail2Ban, Snort, OSSEC
Security Layers: Data / Application / Host / Network
Choose your MQTT Broker wisely
Broker Selection
Broker-specific security mechanisms
— Authentication
— Authorization
— Throttling
— Message size restrictions
Criteria for Broker Selection
— What security features does the broker have out of the box?
— Does the broker have a pluggable security mechanism?
— Is TLS supported?
— Do the security features slow down or cripple the broker?
Authentication
“Authentication is the act of confirming the truth of an attribute of a single piece of data or entity.”
- Wikipedia on “Authentication”
But how does Authentication work with MQTT?
Authentication (diagram)
CONNECT Response Codes
0: Connection Accepted
4: Connection Refused, bad user name or password
5: Connection Refused, not authorized
Authentication Information
— Username + password
— Client identifier
— IP address
— X.509 client certificate
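The two slides above (response codes and authentication information) come together in the CONNECT / CONNACK exchange. The following is an added example, not code from the talk or from any broker: it encodes and parses an MQTT 3.1.1 CONNECT packet, which shows that the username and password travel as plain length-prefixed bytes (hence the earlier insistence on TLS), and implements a minimal broker-side authenticator that answers with code 0, 4 or 5 depending on the username/password and on whether the client identifier is permitted for that user. The credential store, users, salts and client identifiers are constructed for this example.

```python
import hashlib
import hmac
import os
import struct

# Added example: MQTT 3.1.1 CONNECT/CONNACK bytes and a broker-side check.
CONNECT, CONNACK = 0x10, 0x20
ACCEPTED, BAD_CREDENTIALS, NOT_AUTHORIZED = 0, 4, 5


def _string(b):
    return struct.pack("!H", len(b)) + b              # MQTT length-prefixed string


def _remaining_length(n):
    out = bytearray()                                 # 7 bits per byte, high bit = continue
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def build_connect(client_id, username=None, password=None, keep_alive=60, clean_session=True):
    flags = 0x02 if clean_session else 0
    if username is not None:
        flags |= 0x80
    if password is not None:
        flags |= 0x40
    var_header = _string(b"MQTT") + bytes([4, flags]) + struct.pack("!H", keep_alive)
    payload = _string(client_id.encode())
    if username is not None:
        payload += _string(username.encode())
    if password is not None:
        payload += _string(password)                  # raw bytes on the wire, no hashing
    body = var_header + payload
    return bytes([CONNECT]) + _remaining_length(len(body)) + body


def parse_connect(pkt):
    """Broker side: extract client id, username and password; ValueError on malformed input."""
    if pkt[0] != CONNECT:
        raise ValueError("not a CONNECT")
    pos, mult, length = 1, 1, 0
    while True:                                       # decode the remaining length
        b, pos = pkt[pos], pos + 1
        length += (b & 0x7F) * mult
        if not b & 0x80:
            break
        mult *= 128
        if mult > 128 ** 3:
            raise ValueError("malformed remaining length")
    if pos + length != len(pkt):
        raise ValueError("length mismatch")

    def string():
        nonlocal pos
        (n,) = struct.unpack_from("!H", pkt, pos)
        pos += 2
        s = pkt[pos:pos + n]
        if len(s) != n:
            raise ValueError("truncated string")
        pos += n
        return s

    if string() != b"MQTT" or pkt[pos] != 4:
        raise ValueError("unsupported protocol")
    flags = pkt[pos + 1]
    pos += 4                                          # level, flags, keep alive (2 bytes)
    info = {"client_id": string().decode()}
    if flags & 0x04:                                  # will flag: skip will topic and message
        string(); string()
    info["username"] = string().decode() if flags & 0x80 else None
    info["password"] = string() if flags & 0x40 else None
    if pos != len(pkt):
        raise ValueError("trailing bytes")
    return info


def build_connack(code, session_present=False):
    return bytes([CONNACK, 2, int(session_present), code])


def parse_connack(pkt):
    if pkt[:2] != bytes([CONNACK, 2]):
        raise ValueError("not a CONNACK")
    return bool(pkt[2] & 1), pkt[3]


# Broker-side store: username -> (salt, PBKDF2 hash, allowed client ids). Constructed data.
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def make_store(users):
    return {u: (salt := os.urandom(16), _hash(pw, salt), set(ids)) for u, (pw, ids) in users.items()}


def handle_connect(pkt, store):
    try:
        info = parse_connect(pkt)
    except (ValueError, IndexError):
        return build_connack(NOT_AUTHORIZED)
    if info["username"] is None or info["password"] is None:
        return build_connack(NOT_AUTHORIZED)          # anonymous connections are not allowed here
    entry = store.get(info["username"])
    if entry is None:
        _hash(info["password"], b"\0" * 16)           # burn the same time; don't leak valid usernames
        return build_connack(BAD_CREDENTIALS)
    salt, digest, client_ids = entry
    if not hmac.compare_digest(digest, _hash(info["password"], salt)):
        return build_connack(BAD_CREDENTIALS)
    if info["client_id"] not in client_ids:           # valid user, but not this identity: code 5
        return build_connack(NOT_AUTHORIZED)
    return build_connack(ACCEPTED)
```

The distinction the broker draws here is the one the slide's table implies: code 4 says the credentials are wrong, code 5 says the credentials are fine but this client (here: this client identifier) may not connect.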
Authorization
Authorization and MQTT
— Authorization can restrict the topics a client can publish or subscribe to
— Black- and whitelists
— Message characteristics can also be restricted (retained, QoS)
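Topic authorization needs MQTT's own wildcard semantics: a publish is checked against a concrete topic, while a subscribe request is itself a filter that may use + and # and must be fully contained in what the client is allowed to see. The following is an added example, not code from the talk or from any broker. It implements both checks, expands a ${clientid} placeholder so a device is confined to its own branch of the topic tree, keeps wildcards away from $SYS topics, and enforces the QoS and retain restrictions the slide mentions. The rule set, usernames and client identifiers are constructed for this example.

```python
# Added example: topic-level authorization with MQTT wildcard semantics.


def topic_matches(filter_, topic):
    """True if a concrete topic matches an MQTT topic filter ('+' one level, '#' rest)."""
    if not filter_ or not topic:
        return False
    if topic.startswith("$") and filter_[0] in "+#":
        return False                          # wildcards never match $SYS-style topics
    f, t = filter_.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return i == len(f) - 1            # '#' is only valid as the last level
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)


def filter_covers(outer, inner):
    """True if every topic matched by filter `inner` is also matched by `outer`."""
    o, i = outer.split("/"), inner.split("/")
    if i[0].startswith("$") and o[0] in "+#":
        return False
    for idx, opart in enumerate(o):
        if opart == "#":
            return idx == len(o) - 1
        if idx >= len(i) or i[idx] == "#":
            return False                      # inner reaches further down than outer allows
        if opart != "+" and opart != i[idx]:
            return False
    return len(o) == len(i)


# Constructed rule set: username -> [(action, filter, limits)]. "${clientid}" is
# expanded at check time so each device only sees its own subtree.
RULES = {
    "sensor": [
        ("publish",   "sensor/${clientid}/+", {"qos": {0, 1}, "retain": False}),
        ("subscribe", "cmd/${clientid}",      {}),
    ],
    "dashboard": [
        ("subscribe", "sensor/#", {}),
        ("publish",   "cmd/+",    {"qos": {0, 1, 2}, "retain": True}),
    ],
}


def authorize(username, client_id, action, topic, qos=0, retain=False):
    """Default deny; the first rule whose filter matches decides."""
    if any(c in client_id for c in "+#/"):
        return False                          # a crafted client id would inject wildcards
    for rule_action, pattern, limits in RULES.get(username, []):
        if rule_action != action:
            continue
        pattern = pattern.replace("${clientid}", client_id)
        if action == "publish":
            if "+" in topic or "#" in topic:
                return False                  # wildcards are never valid in a PUBLISH topic
            ok = topic_matches(pattern, topic)
        else:
            ok = filter_covers(pattern, topic)
        if not ok:
            continue
        if qos not in limits.get("qos", {0, 1, 2}):
            return False
        if retain and not limits.get("retain", True):
            return False
        return True
    return False
```

The containment check matters in practice: a client allowed to subscribe to sensor/+/temp must not be able to subscribe to sensor/#, even though both start with the same prefix.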
OAuth 2.0
— Only the Client Credentials flow is applicable to MQTT
— Designed for HTTP, but also usable for MQTT
— Uses JWT for access tokens on CONNECT
— Online (JWKS) and offline validation (signature validation) possible
OAuth 2.0 Client Credentials Flow (diagram)
Why OAuth 2.0 instead of plain User Credentials?
OAuth 2.0 Advantages over Credentials
— MQTT brokers never see a password; only the authorization server which issues the access tokens does
— Online and offline validation possible
— Access tokens only have a limited lifetime and can be revoked
— Brokers are just resource servers; access tokens could also be valid for other resource servers
— Authorization information can be encoded in the JWT by using custom claims
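What the broker actually does with the access token is offline validation of the JWT carried in the CONNECT password field, followed by a look at its claims. The following is an added example, not code from the talk or from any broker or authorization server. It mints a token the way an authorization server would after a client_credentials grant, validates it on the broker side (signature, algorithm allow-list, issuer, audience, exp and nbf) and maps the result to the CONNECT response codes from earlier, pulling publish/subscribe permissions from a custom claim. HS256 with a shared secret is used so the example runs with the standard library only; a real deployment would verify RS256/ES256 signatures against the authorization server's JWKS. Issuer, audience, secret, the "oauth2" marker username and the "mqtt" claim layout are assumptions of this example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Added example: OAuth 2.0 access token (JWT) validated offline by the broker.
# Constructed values; HS256 stands in for RS256/ES256 + JWKS.
ISSUER, AUDIENCE = "https://auth.example", "mqtt-broker"
ACCEPTED, BAD_CREDENTIALS, NOT_AUTHORIZED = 0, 4, 5


class TokenError(Exception):
    pass


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    try:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    except (binascii.Error, ValueError) as e:
        raise TokenError("bad base64") from e


def mint_token(secret, claims):
    """Authorization server side, after a successful client_credentials grant."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token, secret, now=None):
    """Broker side, offline: signature, algorithm allow-list, iss/aud/exp/nbf."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":              # rejects "none" and algorithm confusion
        raise TokenError("algorithm not allowed")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")        # minted for another resource server
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenError("expired")               # limited lifetime, as on the slide
    if now < claims.get("nbf", 0):
        raise TokenError("not yet valid")
    return claims


def authenticate_connect(client_id, username, password, secret, now=None):
    """Map a CONNECT carrying a bearer token to (response code, permissions)."""
    if username != "oauth2" or password is None:  # convention: marker user, token in password
        return NOT_AUTHORIZED, None
    try:
        claims = verify_token(password.decode(), secret, now)
    except (TokenError, ValueError, TypeError, AttributeError):
        return BAD_CREDENTIALS, None
    mqtt = claims.get("mqtt", {})                 # custom claim carrying authorization data
    if mqtt.get("client_id") != client_id:
        return NOT_AUTHORIZED, None               # token is bound to a different device
    return ACCEPTED, {"publish": mqtt.get("publish", []),
                      "subscribe": mqtt.get("subscribe", [])}
```

The broker never handles a password here: the secret it holds only verifies tokens, and because the token is checked purely locally the validation works even when the authorization server is unreachable, which is the "offline validation" the slide refers to.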
Security Layers: Data / Application / Host / Network
Payload Encryption
MQTT PUBLISH (diagram)
MQTT Encrypted PUBLISH (diagram)
Payload Encryption
Advantages:
— End-to-end encryption of the application data can be achieved, so that not even the broker sees the plaintext
— Works well on constrained devices where no TLS can be used
— Adds another layer of security for topics which are used for delivering confidential information
Disadvantages:
— Encryption / decryption can be resource intensive on constrained devices
— A secure provisioning of the keys to the MQTT clients must be implemented
— Doesn't by itself prevent man-in-the-middle or replay attacks (see Message Data Integrity below)
End-to-End Encryption
Client-to-Broker Encryption
Message Data Integrity
MQTT Message Data Integrity Mechanisms

                   Checksum   MAC         Digital Signature
Data Integrity     ✔          ✔           ✔
Authentication     ✘          ✔           ✔
Non-Repudiation    ✘          ✘           ✔
Key                None       Symmetric   Asymmetric

Data Integrity: The recipient can make sure that the data was not modified (accidentally).
Authentication: The recipient can make sure that the message originates from a trusted sender, because only trusted parties have access to the key for creating and verifying the stamp.
Non-Repudiation: Only the sender of the message, who has access to the private key, is able to create the stamp. Other parties can verify the signature with the public key but they are not able to create the stamp themselves.
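The first two columns of the table above, and the replay caveat from the Payload Encryption slide, can be shown on actual MQTT payloads. The following is an added example, not code from the talk: a CRC32 checksum catches accidental corruption but an attacker simply recomputes it, whereas an HMAC-SHA256 over topic, sequence number and payload cannot be forged without the shared key, and the receiver's sequence check rejects a replayed message. Binding the topic into the MAC also stops a genuine message from being replayed onto another device's topic. The key, topics and payloads are constructed for this example; the digital signature column (asymmetric key) is not shown.

```python
import hashlib
import hmac
import struct
import zlib

# Added example: checksum vs. MAC on MQTT payloads, plus replay protection.
KEY = b"constructed-demo-key-not-for-production"   # provisioned out of band to both sides
TAG_LEN = 32                                        # HMAC-SHA256 output


def with_checksum(payload):
    return payload + struct.pack("!I", zlib.crc32(payload))


def check_checksum(msg):
    """Returns the payload if the CRC matches, else None."""
    body, crc = msg[:-4], msg[-4:]
    return body if struct.pack("!I", zlib.crc32(body)) == crc else None


def forge_checksum(msg, new_payload):
    """What an attacker on the path does: edit and recompute, no key needed."""
    return with_checksum(new_payload)


def _tag(key, topic, body):
    # The topic is part of the MAC input, so a message for sensor/1/temp
    # cannot be replayed onto sensor/2/temp or any command topic.
    return hmac.new(key, topic.encode() + b"\0" + body, hashlib.sha256).digest()


def with_mac(key, topic, seq, payload):
    body = struct.pack("!Q", seq) + payload         # 64-bit sequence number, then data
    return body + _tag(key, topic, body)


class Receiver:
    """Verifies the MAC and enforces strictly increasing sequence numbers per topic."""

    def __init__(self, key):
        self.key = key
        self.last_seq = {}                          # persist this across restarts in practice

    def accept(self, topic, msg):
        if len(msg) < 8 + TAG_LEN:
            return None
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(self.key, topic, body)):
            return None                             # tampered, forged, or wrong topic
        seq = struct.unpack("!Q", body[:8])[0]
        if seq <= self.last_seq.get(topic, -1):
            return None                             # replayed (or reordered) message
        self.last_seq[topic] = seq
        return body[8:]
```

A sequence number only works if the sender never reuses one after a reboot; a persisted counter or a timestamp with a tolerance window are the usual choices. For confidentiality as well as integrity, an AEAD mode (AES-GCM or ChaCha20-Poly1305) replaces the separate MAC and takes the topic as associated data.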
Security Layers: Data / Application / Host / Network
“A key concept is that security is an enabler, not a disabler... security enables you to keep your job, security enables you to move into new markets, security enables you to have confidence in what you're doing.”
- Gene Spafford
THANK YOU
QUESTIONS?