Distributed UCON in CoAP and MQTT Protocols

  • Athanasios RizosEmail author
  • Daniel BastosEmail author
  • Andrea Saracino
  • Fabio Martinelli
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11980)


The Internet of Things (IoT) is playing a key role in consumer and business environments. Due to the sensitivity of the information IoT devices collect and share, and the potential impact a data breach can have in people’s lives, securing communication and access to data in IoT has become a critical feature. Multiple application layer protocols are used nowadays in IoT, with the Constrained Application Protocol (CoAP) and the Message Queue Telemetry Transport (MQTT) being two of the most widely popular. In this paper, we propose a solution to increase the security of both CoAP and MQTT based on the distributed Usage Control (UCON) framework. The inclusion of UCON provides dynamic access control to the data shared using these protocols. This occurs by monitoring mutable attributes related to the local protocol nodes and also by sharing data values between remote nodes via the distributed instances of UCON. We present the architecture and the workflow of our approach together with a real implementation for performance evaluation purposes.


CoAP Internet of Things MQTT Usage Control 


  1. 1.
    Al-Fuqaha, A., Guizani, M., Mohammadi, M., Aledhari, M., Ayyash, M.: Internet of Things: a survey on enabling technologies, protocols, and applications. IEEE Commun. Surv. Tutor. 17(4), 2347–2376 (2015). (Fourthquarter)CrossRefGoogle Scholar
  2. 2.
    Bastos, D., Shackleton, M., El-Moussa, F.: Internet of Things: a survey of technologies and security risks in smart home and city environments. In: Living in the Internet of Things: Cybersecurity of the IoT - 2018, pp. 1–7, March 2018.
  3. 3.
    Capossele, A., Cervo, V., De Cicco, G., Petrioli, C.: Security as a CoAP resource: an optimized DTLS implementation for the IoT. In: 2015 IEEE International Conference on Communications (ICC), pp. 549–554. IEEE (2015)Google Scholar
  4. 4.
    Carniani, E., D’Arenzo, D., Lazouski, A., Martinelli, F., Mori, P.: Usage control on cloud systems. Future Gener. Comput. Syst. 63(C), 37–55 (2016). Scholar
  5. 5.
    Chen, D., Varshney, P.K.: QoS support in wireless sensor networks: a survey. In: International Conference on Wireless Networks, vol. 233, pp. 1–7 (2004)Google Scholar
  6. 6.
    Collina, M., Corazza, G.E., Vanelli-Coralli, A.: Introducing the QEST broker: scaling the IoT by bridging MQTT and REST. In: 2012 IEEE 23rd International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC), pp. 36–41, September 2012.
  7. 7.
    Costantino, G., La Marra, A., Martinelli, F., Mori, P., Saracino, A.: Privacy preserving distributed attribute computation for usage control in the Internet of Things. In: 2018 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications/12th IEEE International Conference on Big Data Science and Engineering (TrustCom/BigDataSE), pp. 1844–1851, August 2018.
  8. 8.
    Faiella, M., Martinelli, F., Mori, P., Saracino, A., Sheikhalishahi, M.: Collaborative attribute retrieval in environment with faulty attribute managers. In: 2016 11th International Conference on Availability, Reliability and Security (ARES), pp. 296–303, August 2016.
  9. 9.
    Gerdes, S., Bergmann, O., Bormann, C., Selander, G., Seitz, L.: Datagram Transport Layer Security (DTLS) Profile for Authentication and Authorization for Constrained Environments (ACE). Internet-Draft draft-ietf-ace-dtls-authorize-07, Internet Engineering Task Force, March 2019. (work in Progress)
  10. 10.
    Giusto, D., Iera, A., Morabito, G., Atzori, L.: The Internet of Things. Springer, New York (2010). Scholar
  11. 11.
    Granjal, J., Monteiro, E., Silva, J.S.: Security for the Internet of Things: a survey of existing protocols and open research issues. IEEE Commun. Surv. Tutor. 17(3), 1294–1312 (2015)CrossRefGoogle Scholar
  12. 12.
    Hartke, K.: Observing Resources in the Constrained Application Protocol (CoAP). RFC 7641, September 2015.
  13. 13.
    Karopoulos, G., Mori, P., Martinelli, F.: Usage control in SIP-based multimedia delivery. Comput. Secur. 39, 406–418 (2013). Scholar
  14. 14.
    La Marra, A., Martinelli, F., Mori, P., Rizos, A., Saracino, A.: Improving MQTT by inclusion of usage control. In: Wang, G., Atiquzzaman, M., Yan, Z., Choo, K.-K.R. (eds.) SpaCCS 2017. LNCS, vol. 10656, pp. 545–560. Springer, Cham (2017). Scholar
  15. 15.
    La Marra, A., Martinelli, F., Mori, P., Rizos, A., Saracino, A.: Introducing usage control in MQTT. In: Katsikas, S.K., et al. (eds.) CyberICPS/SECPRE 2017. LNCS, vol. 10683, pp. 35–43. Springer, Cham (2018). Scholar
  16. 16.
    Lazouski, A., Martinelli, F., Mori, P.: Usage control in computer security: a survey. Comput. Sci. Rev. 4(2), 81–99 (2010). Scholar
  17. 17.
    Lazouski, A., Martinelli, F., Mori, P., Saracino, A.: Stateful data usage control for android mobile devices. Int. J. Inf. Secur., pp. 1–25 (2016). Scholar
  18. 18.
    Locke, D.: MQ telemetry transport (MQTT) v3. 1 protocol specification. IBM developerWorks Technical Library (2010)Google Scholar
  19. 19.
    Marra, A.L., Martinelli, F., Mori, P., Saracino, A.: Implementing usage control in Internet of Things: a smart home use case. In: 2017 IEEE Trustcom/BigDataSE/ICESS, pp. 1056–1063, August 2017.
  20. 20.
    Park, J., Sandhu, R.: The UCONABC usage control model. ACM Trans. Inf. Syst. Secur. 7(1), 128–174 (2004). Scholar
  21. 21.
    Raza, S., Shafagh, H., Hewage, K., Hummen, R., Voigt, T.: Lithe: lightweight secure CoAP for the Internet of Things. IEEE Sens. J. 13(10), 3711–3720 (2013). Scholar
  22. 22.
    Rescorla, E., Modadugu, N.: Datagram Transport Layer Security Version 1.2. RFC 6347, January 2012.
  23. 23.
    Rescorla, E., Tschofenig, H., Modadugu, N.: The Datagram Transport Layer Security (DTLS) Protocol Version 1.3. Internet-Draft draft-ietf-tls-dtls13-31, Internet Engineering Task Force, March 2019. (work in Progress)
  24. 24.
    INFSO D.4 Networked Enterprise and RFID INFSO G.2 Micro and Nanosystem: Internet of Things in 2020, A Roadmap for the Future (2009)Google Scholar
  25. 25.
    Shelby, Z., Hartke, K., Bormann, C.: The Constrained Application Protocol (CoAP). RFC 7252, June 2014.
  26. 26.
    Singh, M., Rajan, M.A., Shivraj, V.L., Balamuralidhar, P.: Secure MQTT for Internet of Things (IoT). In: 2015 Fifth International Conference on Communication Systems and Network Technologies, pp. 746–751, April 2015.
  27. 27.
    Tiloca, M., Selander, G., Palombini, F., Park, J.: Group OSCORE - Secure Group Communication for CoAP. Internet-Draft draft-ietf-core-oscore-groupcomm-04, Internet Engineering Task Force, March 2019. (work in Progress)
  28. 28.
    Ukil, A., Bandyopadhyay, S., Bhattacharyya, A., Pal, A., Bose, T.: Lightweight security scheme for IoT applications using CoAP. Int. J. Pervasive Comput. Commun. 10(4), 372–392 (2014)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. 1.Istituto di Informatica e TelematicaConsiglio Nazionale delle RicerchePisaItaly
  2. 2.Department of Computer ScienceUniversity of PisaPisaItaly
  3. 3.BT Adastral Park Research LabsBritish Telecommunications plcIpswichUK

Personalised recommendations