Skip to main content

TLS Beyond the Broker: Enforcing Fine-Grained Security and Trust in Publish/Subscribe Environments for IoT

  • Conference paper
  • First Online:
Security and Trust Management (STM 2021)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 13075))

Included in the following conference series:

Abstract

Message queuing brokers are a fundamental building block of the Internet of Things, commonly used to store and forward messages from publishing clients to subscribing clients. Often a single trusted broker offers secured (e.g. TLS) and unsecured connections but relays messages regardless of their inbound and outbound protection. Such mixed mode is facilitated for the sake of efficiency since TLS is quite a burden for MQTT implementations on class-0 IoT devices.

Such a broker thus transparently interconnects securely and insecurely connected devices; we argue that such mixed mode operation can actually be a significant security problem: Clients can only control the security level of their own connection to the broker, but they cannot enforce any protection towards other clients.

We describe an enhancement of such a publish/subscribe mechanism to allow for enforcing specified security levels of publishers or subscribers by only forwarding messages via connections which satisfy the desired security levels. For example, a client publishing a message over a secured channel can instruct the broker to forward the message exclusively to subscribers that are securely connected. We prototypically implemented our solution for the MQTT protocol and provide detailed overhead measurements.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
EUR 32.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 54.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 69.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    See https://transparencyreport.google.com/ or https://telemetry.mozilla.org/.

  2. 2.

    Class-0 is defined as the group of IoT devices with less than 10 KB RAM (Data size) and less than 100 KB ROM (Code size) [14].

  3. 3.

    https://www.shodan.io, search query ‘mqtt’, Accessed: 17.01.2021.

References

  1. Andy, S., Rahardjo, B., Hanindhito, B.: Attack scenarios and security analysis of MQTT communication protocol in IoT system. In: 2017 4th International Conference on Electrical Engineering, Computer Science and Informatics (EECSI), pp. 1–6, September 2017. https://doi.org/10.1109/EECSI.2017.8239179

  2. Banks, A., Briggs, E., Borgendale, K., Gupta, R. (eds.): MQTT Version 3.1.1. Organization for the advancement of structured information standards, Woburn, USA, October 2014. http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html. Latest version: http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/mqtt-v3.1.1.html

  3. Banks, A., Briggs, E., Borgendale, K., Gupta, R. (eds.): MQTT Version 5.0. Organization for the advancement of structured information standards, Woburn, USA, March 2019. https://docs.oasis-open.org/mqtt/mqtt/v5.0/os/mqtt-v5.0-os.html. Latest version: https://docs.oasis-open.org/mqtt/mqtt/v5.0/mqtt-v5.0.html

  4. Bauer, J., Staudemeyer, R.C., Pöhls, H.C., Fragkiadakis, A.: ECDSA on things: IoT integrity protection in practise. In: Lam, K.-Y., Chi, C.-H., Qing, S. (eds.) ICICS 2016. LNCS, vol. 9977, pp. 3–17. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-50011-9_1

    Chapter  Google Scholar 

  5. Clauß, S., Köhntopp, M.: Identity management and its support of multilateral security. Comput. Netw. 37(2), 205–219 (2001)

    Article  Google Scholar 

  6. Cremers, C., Horvat, M., Scott, S., van der Merwe, T.: Automated analysis and verification of TLS 1.3: 0-RTT, resumption and delayed authentication. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 470–485 (2016). https://doi.org/10.1109/SP.2016.35

  7. Davis, H., Günther, F.: Tighter proofs for the SIGMA and TLS 1.3 key exchange protocols. In: Sako, K., Tippenhauer, N.O. (eds.) ACNS 2021. LNCS, vol. 12727, pp. 448–479. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-78375-4_18

    Chapter  Google Scholar 

  8. Espressif Documentation: ESP8266EX Datasheet V6.6 (2020). https://www.espressif.com/en/support/documents/technical-documents. Accessed 15 July 2021

  9. Fragkiadakis, A., Oikonomou, G., Pöhls, H.C., Tragos, E.Z., Wójcik, M.: Securing communications among severely constrained, wireless embedded devices. In: Aziz, B., Arenas, A., Crispo, B. (eds.) Engineering Secure Internet of Things Systems. The Institute of Engineering and Technology, October 2016. http://www.theiet.org/resources/books/security/secIoT.cfm

  10. Götz, C.: MQTT: Protokoll für das Internet der Dinge, April 2014. https://m.heise.de/developer/artikel/MQTT-Protokoll-fuer-das-Internet-der-Dinge-2168152.html. Accessed 03 Feb 2021

  11. Harsha, M.S., Bhavani, B.M., Kundhavai, K.R.: Analysis of vulnerabilities in MQTT security using Shodan API and implementation of its countermeasures via authentication and ACLs. In: 2018 International Conference on Advances in Computing, Communications and Informatics (ICACCI), pp. 2244–2250, September 2018. https://doi.org/10.1109/ICACCI.2018.8554472

  12. HiveMQ Documentation - Listeners (n.d.). https://www.hivemq.com/docs/hivemq/4.5/user-guide/listeners.html/. Accessed 01 Mar 2021

  13. Kaspersky Lab: Internet of Things: What Is IoT? IoT Security, December 2018. https://www.kaspersky.com/resource-center/definitions/what-is-iot. Accessed 27 Jan 2021

  14. King, J., Awad, A.: A distributed security mechanism for resource-constrained IoT devices. Informatica 40, 133–143 (2016)

    Google Scholar 

  15. Klement, F., Pöhls, H., Spielvogel, K.: Towards privacy-preserving local monitoring and evaluation of network traffic from IoT devices and corresponding mobile phone applications. In: IEEE 3rd Workshop on Internet of Things Security and Privacy (WISP 2020) Held in Conjunction with Global IoT Summit 2020 (GIOTS 2020), pp. 1–6. IEEE, June 2020. https://doi.org/10.1109/GIOTS49054.2020.9119507

  16. Mishra, B., Kertesz, A.: The use of MQTT in M2M and IoT systems: a survey. IEEE Access 8, 201071–201086 (2020). https://doi.org/10.1109/ACCESS.2020.3035849

    Article  Google Scholar 

  17. Pfitzmann, A.: Multilateral security: enabling technologies and their evaluation. In: Wilhelm, R. (ed.) Informatics. LNCS, vol. 2000, pp. 50–62. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44577-3_4

    Chapter  Google Scholar 

  18. Pöhls, H.C.: JSON Sensor Signatures (JSS): end-to-end integrity protection from constrained device to IoT application. In: Proceedings of the Workshop on Extending Seamlessly to the Internet of Things (esIoT) at the IMIS-2012 International Conference (IMIS 2015), pp. 306–312. IEEE, July 2015. https://doi.org/10.1109/IMIS.2015.48. Accessed Sept 2017

  19. Rannenberg, K.: Recent development in information technology security evaluation - the need for evaluation criteria for multilateral security. In: Proceedings of the IFIP TC9/WG9.6 Working Conference on Security and Control of Information Technology in Society on Board M/S Illich and Ashore, pp. 113–128. North-Holland Publishing Co., Amsterdam (1993)

    Google Scholar 

  20. Rannenberg, K.: Multilateral security a concept and examples for balanced security. In: Proceedings of the 2000 Workshop on New Security Paradigms, NSPW 2000, New York, NY, USA, pp. 151–162. Association for Computing Machinery (2001). https://doi.org/10.1145/366173.366208

  21. Skerrett, I.: Why MQTT has become the de-facto IoT standard, October 2019. https://dzone.com/articles/why-mqtt-has-become-the-de-facto-iot-standard. Accessed 10 Feb 2021

  22. The HiveMQ Team: Introducing the MQTT Protocol - MQTT Essentials: Part 1, January 2015. https://www.hivemq.com/blog/mqtt-essentials-part-1-introducing-mqtt/. Accessed 12 Apr 2021

  23. The HiveMQ Team: Introducing the MQTT Security Fundamentals, April 2015. https://www.hivemq.com/blog/introducing-the-mqtt-security-fundamentals/. Accessed 24 Jan 2021

  24. The HiveMQ Team: TLS/SSL - MQTT Security Fundamentals, May 2015. https://www.hivemq.com/blog/mqtt-security-fundamentals-tls-ssl/. Accessed 12 Apr 2021

  25. The HiveMQ Team: Client, Broker/Server and Connection Establishment - MQTT Essentials: Part 3, July 2019. https://www.hivemq.com/blog/mqtt-essentials-part-3-client-broker-connection-establishment/. Accessed 14 Feb 2021

  26. Vučnik, M., Švigelj, A., Kandus, G., Mohorčič, M.: Secure hybrid publish-subscribe messaging architecture. In: 2019 International Conference on Software, Telecommunications and Computer Networks (SoftCOM), pp. 1–5 (2019). https://doi.org/10.23919/SOFTCOM.2019.8903868

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Korbinian Spielvogel .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Spielvogel, K., Pöhls, H.C., Posegga, J. (2021). TLS Beyond the Broker: Enforcing Fine-Grained Security and Trust in Publish/Subscribe Environments for IoT. In: Roman, R., Zhou, J. (eds) Security and Trust Management. STM 2021. Lecture Notes in Computer Science(), vol 13075. Springer, Cham. https://doi.org/10.1007/978-3-030-91859-0_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-91859-0_8

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-91858-3

  • Online ISBN: 978-3-030-91859-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics