Corpus ID: 237416511

TLS Beyond the Broker: Enforcing Fine-grained Security and Trust in Publish/Subscribe Environments for IoT

  title={TLS Beyond the Broker: Enforcing Fine-grained Security and Trust in Publish/Subscribe Environments for IoT},
  author={Korbinian Spielvogel and H. C. P{\"o}hls and J. Posegga},
Message queuing brokers are a fundamental building block of the Internet of Things, commonly used to store and forward messages from publishing clients to subscribing clients. Often a single trusted broker offers secured (e.g. TLS) and unsecured connections but relays messages regardless of their inbound and outbound protection. Such mixed mode is facilitated for the sake of efficiency since TLS is quite a burden for MQTT implementations on class-0 IoT devices. Such a broker thus transparently… Expand

Figures and Tables from this paper


Secure Hybrid Publish-Subscribe Messaging Architecture
This paper proposes a hybrid approach which secures the WAN and minimizes the delay on the LAN, and evaluates the Round Trip Time (RTT) with and without security enabled to determine the actual security overhead introduced for different computing platforms. Expand
A Distributed Security Mechanism for Resource-Constrained IoT Devices
The real-time experimental evaluations have proven the applicability of the proposed mechanism pertaining to the security assurance and the consumed resources of the target IoT devices. Expand
Analysis of vulnerabilities in MQTT security using Shodan API and implementation of its countermeasures via authentication and ACLs
This paper identifies various security loopholes in MQTT, using Shodan API and implementing an experimental setup on a Raspberry Pi as an MqTT Broker and python programs as publisher/subscriber clients to find the Broker was found to be immune to such attacks. Expand
Tighter Proofs for the SIGMA and TLS 1.3 Key Exchange Protocols
New, fully-quantitative and concrete bounds that justify the SIGMA and TLS 1.3 key exchange protocols’ security levels are given, and it is proved that the strong Diffie–Hellman problem is as hard as solving discrete logarithms in the generic group model. Expand
JSON Sensor Signatures (JSS): End-to-End Integrity Protection from Constrained Device to IoT Application
  • H. C. Pöhls
  • Computer Science
  • 2015 9th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing
  • 2015
This paper implemented an elliptic curve based signature algorithm on a class 1 (following RFC 7228) constrained device (Zolertia Z1: 16-bit, MSP 430) and reached the design goal to keep the original data accessible by legacy parsers and signing does not break parsing. Expand
Automated Analysis and Verification of TLS 1.3: 0-RTT, Resumption and Delayed Authentication
This work model and analyse revision 10 of the TLS 1.3 specification using the Tamarin prover, a tool for the automated analysis of security protocols, and shows the strict necessity of recent suggestions to include more information in the protocol's signature contents. Expand
Towards Privacy-Preserving Local Monitoring and Evaluation of Network Traffic from IoT Devices and Corresponding Mobile Phone Applications
It is shown that a privacy-preserving and thus more data-protection (GDPR) compliant monitoring of IoT-related network traffic is possible – and how it will look is shown. Expand
Attack scenarios and security analysis of MQTT communication protocol in IoT system
This paper discusses several reasons on why there are many IoT system that does not implement adequate security mechanism in MQTT protocol and demonstrates and analyzes how to attack this protocol easily using several attack scenarios. Expand
ECDSA on Things: IoT Integrity Protection in Practise
It is shown that providing signed sensor data has little impact on the overall power consumption and hardware accelerated signing can further reduce the costs in terms of runtime, however, the differences were not significant. Expand
Identity management and its support of multilateral security
The introduction to technologies for multilateral security and an architecture which enables multilaterally secure communication are described and problems and risks of identity management systems are discussed. Expand