We all know that our world is more connected. Billions of intelligent tools and machines are generating enormous amounts of data, which creates enormous potential for businesses and other organizations to optimize their operations and achieve efficiency. As IoT devices continue to evolve, every newly connected product is vulnerable to hackers, and security turns into a significant concern. Fighting the industrial data security break is 100% mandate to protect critical data in any place it dwells. Bevywise MQTTRoute provides an option to enable encrypted data transmission for better MQTT data security. It works with all standard SSL / TLS certificates and runs with a self-signed certificate. This article provides complete guidance on securing the delicate data that you transfer over the Enterprise MQTT Broker.
MQTT Broker Security Fundamentals
With regards to security in Enterprise MQTT Broker, there are some fundamental concepts to take into account. They are : identity, authentication, authorization, and encryption. In this tutorial, we take a gander at how you can confine access to a broker, and protect your data using different security systems.
Every client has a unique Client ID. The Enterprise MQTT broker indicates that the client must report the client ID when requesting a connection. When the broker receives a connect command from the client, it determines whether to allow the client to connect only if the received message contains a legitimate client ID, user name, and password. The client can use UUID, mac address of the network device, or other unique client information as the client ID.
Authentication With X.509
This is the safest method for client authentication. In addition to authentication with username and password, the MQTT broker allows a device to authenticate with an X.509 certificate. This certificate provides authentication at the transport level. X.509 uses a public key infrastructure to verify that a public key belongs to a client. In the X.509, a certificate authority is introduced to verify the identity of a client. During the handshake process, the client presents the broker with its certificate, which contains information such as identity and public key. Then the broker relays this certificate to the certificate authority for verification. After verifying the client certificate, the broker ensures it is genuine or not and gain trust in the binding with the client name and public key.
There are three ways to verify the identity of the MQTT client on Bevywise MQTT broker : the Client IDs, Usernames and Passwords, and the Client Certificates.
All MQTT clients must provide a client id. When a client subscribes to a topic the client id links the topic to the client and the TCP connection. With constant connections, the broker remembers client IDs and subscribed topics. When configuring the MQTT client you need to relegate the Name / ID to the client. However the Bevywise MQTT Broker allows you to impose client id prefix restrictions on the client name, and this provides some basic client security. You will find this setting in the security settings section of the broker.conf file.
########### prefix for Random Clientid Generation ###########
CLIENTID_PREFIX = Bevywise-
Username and Password
An Enterprise MQTT broker can request a valid username and password from a client before allowing a connection. The username and password combination is transmitted in plain text and is not secure without some form of transport encryption. However, it does provide an easy way of restricting access to a broker and is probably the most common form of identification used. The username used for authentication can also be used in restricting access to topics. On the Bevywise MQTT broker, you need to configure settings for this to work. Again you will find these settings in the security section of the broker.conf file. The devices can connect using MQTT Username / Password or you can connect it without the username and password. You have to change NO to YES if you are planning to use Authentication.
################ Device Authentication #################
AUTHENTICATION_ENABLED = YES
# YES || NO
To create the passwords you will need to use the utility that comes with the broker. You can add the Username and passwords on the UI under the Security tab for secure client connections.
Authorization is managing the clients’ rights. The most common types of authorization used are Role-Based Access Controls (RBAC) and Access Control List (ACL). RBAC provides a level of abstraction between the client and the main resources. It facilitates the administration of security in a large organization. This allows the broker to authorize the clients published or subscribed topic. ACL associates certain clients with a list of permissions that includes who can access the resources and which operations are allowed. ACL provides policies on what topics a client can subscribe / publish. Using ACL or RBAC, the broker implements topic permissions to restrict a client from publish / subscribe to unauthorized topics. Each topic permission allows the broker to specify authorization for clients and limit them to subscribe and publish messages. If a client attempts to perform an unauthorized operation, the broker can perform actions such as disconnect the client by preventing it from publishing data to other clients.
Authorization with Access Tokens
Another approach to providing authorization is a token authorization. Token authorization permits a client to request the scope or privileges that the client has. To connect to the broker with an access token, the client must use the password field to send the access token with the connect message. The client must be given an access token before requesting a connection. There are a variety of token services available. The most commonly used are OAuth and OAuth 2.0.
It is a token-based authentication that is used to provide SSO and permits information to be utilized by third party services. It likewise requires an identity provider for authenticating clients’ access.
It authorizes third-party applications to access the client account and authenticates the client by following the authorization code flow.
There are numerous possibilities to hack the data transfer between Clients and Broker. To protect the contents of your MQTT messages, you can use TLS or SSL Security and Payload encryption. Enterprise MQTT Broker eliminates “Man in Middle attack” by enabling data transfer through TLS port.
TLS / SSL Security
TLS / SSL security is a more commonly known security used on the web. This security is part of the TCP / IP protocol. TLS provides a secure communication channel between the client and the server. TLS certificate is provided for both server and client, and those certificates will be verified and authenticated by Certificate Authority before connection. The broker will connect only if the Certificate and host IP match.
Communication between clients and the server must be ensured by enabling TLS mode and setting passwords for the connection. You can use a single password for all clients or individual passwords for each client. Open conf/ folder on broker.conf and update TLS_ENABLED to TRUE . All other values can be changed if necessary. Using a non-regular port number for Broker and a secure web socket will further enhance security against DDOS.
#########MQTT BROKER CONFIG#######
PORT_NO = 8883
WS_PORT_NO = 10443
TLS_ENABLED = TRUE
# TLS_PORT must be 88xx.
TLS_PORT_NO = 8883
WSS_PORT_NO = 11443
This is done at the application level and not by the broker. You can encrypt data without configuring the broker. It likewise implies that data is eventually encrypted and not just between the broker and the client. However, this type of encryption doesn’t protect passwords on the connection itself. Because it doesn’t involve any broker configuration or support this is likely to be a very popular method of protecting data.
WILL and Retained message
Last WILL, will help the subscribers to know when the publishing device has gone down or got disconnected from the broker. Retain tag tells the broker to keep the last published message for the new subscribers to know the last published messages while connecting for the first time. Besides, the Enterprise MQTT Broker provides both these messages as needed for the realtime.
The broker will store the data into the database for further analysis and decision making. The default DB supported is SQLite. But the DB Configuration can be modified to make it work with MySQL or any other Big Data engine. Please refer to the help document to set up MySQL, its dependency packages, and other big data engines.
Intuitive User Interface
Through a web-based primitive User Interface broker, you can view the active devices and recent activities of different devices. It also helps to view the activities and messages sent from and to specific devices.
To get started sign up for hosted setup or download a forever free version for local installation.
The product page and the help documentation will provide more information on configuring and running the Broker securely. For more queries, feel free to contact us at [email protected].