How to Authenticate MQTT Sessions Without Channel- and Broker Security
share
This paper describes a new but state-of-the-art approach to provide authenticity in mqtt sessions using the means of zero-knowledge-proofs. This approach completely voids session hijacking for the mqtt protocol and provides authenticity without the need for any network-security nor channel-security nor broker-based predefined ACLs. The presented approach does not require the broker to keep any secrets for session handling, what so ever. Moreover, it allows the clientID, which represents the identification for a session, to be publicly known. The presented approach allows completely anonymous but authentic sessions, hence the broker does not need any a priori knowledge of the client-party. As it is especially targeted for applications within the world of IoT, the presented approach is tuned to require only the minimum in extra power in terms of energy and space. The approach does not introduce any new concept, but simply fusions a state-of-the-art cryptographic zero knowledge proof of identity with the existing MQTT-5 specification. Thus no protocol extension is required in order to provide the targeted security properties. The described approach is completely agnostic to the application layer at the client side and is only required during mqtt-session establishment.
READ FULL TEXT
