The jwt, defined by [rfc-jwt] enable digitally secure representation and exchange of claims between two or more parties on the internet.
The jwt have been used in the OAuth framework for authorization grants by the user of service to a third party. Such a grant enables third party applications to have access to users resources on the service. The OAuth framework is extensively used for web and mobile phone applications, and is specified in the [rfc-oauth]. The use of jwt within the OAuth framework is specified in the [rfc-client-authentication].
Figure 1 demonstrates an example and simplified usage of jwt as access tokens used by a third party application to get user authorized access to resources of another service. Here LinkedIn is the third party application that requests access to users contacts (resources) of the user’s Gail account.
The OpenID Connect extends the OAuth, and use of jwt for authentication purposes. The OpenId Connect specification is available at [openid-spec].
The Google Cloud has now introduced use of jwt for an iot protocol mqtt for authentication. The mqtt specification is available at [mqtt-spec]. The aws, another popular cloud service employs the tls Client Certificates as the primary mechanism for authenticating clients connecting to the iot service. This paper discusses available mechanisms for authentication with mqtt.
2 JSON Web Token
The jwt, defined by [rfc-jwt] enable digitally secure representation and exchange of claims between two or more parties on the internet. The claims are described in the json format. The claims can then be encrypted, as jwe, or, can be digitally signed or mac protected using the jws. The jwe specified in the [rfc-jwe]. The jws specified in the [rfc-jws]. The json format is specified in [rfc-json].
Figure 2 demonstrates example uses of jwt, jws to be specific, for encoding a set of claims. The jws consists of three parts:
the header, describes the primitives in json format used for securing the claims.
the payload, or the body, describes the claims in json format.
the signature or the message authentication code on the base64url encoded header and the payload.
Each field of the jwt is base64url encoded and separated by a ”.”. The base64url is specified in the [rfc-encoding]. The issuer of the claims, described by the ”iss” field is the SiT Cafe Elektro and the subject of the claim, described by the ”sub” field is free lunch. Further, the time of issue of the claim, is described by the ”iat” (issued at) field. Similarly, the expiration of the claim is encoded in the ”exp” field. The time format used to represent values of both ”iat” and ”exp” fields are as defined by the ISO-8601 standard. Here, the free lunch claim issued at Tuesday, August 21, 2018 10:05:50 AM UTC time and expires at Tuesday, August 21, 2018 12:05:50 PM UTC time. These claims are message authenticated using HMAC using SHA-256(HS256) under the shared secret ”blueberry”.
The HS256 scheme, uses the same key for signing and verification and is a message authentication scheme. Signature schemes, based on public key cryptography schemes use a signing key (private to the signer) to sign the messages and a verification key to verify the signatures, and hence authenticate the peer. rsa and ecdsa schemes are supported in jwt. The algorithms used for securing the jwt have been defined in the [rfc-alg]. In later sections, when referring to jwt based schemes is referred to, public key based signature schemes are implied.
Clearly, the jwt server very useful for issue of digital tokens that, if valid, can be exchanged for access to services.
It is important to note that jws mus be exchanged on a secure channel to avoid being stolen and misused by sniffing party. tls is commonly used for establishing a secure channel for exchange of the jws as access tokens.
3 Message Queuing Telemetry Transport Protocol
The mqtt, an oasis standard, is a lightweight protocol for machine to machine communication. All machines, referred to as the client communicate through a central server referred to as the broker. The publish-subscribe pattern is used for message exchange between the broker and the client. The clients can be publishers, subscriber or both. All clients must identify themselves uniquely when connecting to the broker. Figure 3 depicts two clients connecting to the broker. One of the client is the data source and publishes data, while another is a subscribes and subscribes to messages published message on a specific topic(s).
The [mqtt-spec] defines many concepts and mechanisms to enable detection of inactive clients, publishing the last will and testament of such clients, graceful disconnection etc. However, only the concepts necessary relevant for the discussion on client authentication are described here.
The mqtt is defined over the tcp transport. tcp port 1883 is reserved for the mqtt protocol. In case tls is used for securing communication between the client and the broker, then the tcp port 8883 is used.
A new specification,mqtt-sn, adapted for the udp transport has been defined. See [mqtt-sn-spec] for details. This version is not discussed in this paper.
3.2 Publish and Subscribe
A client can publish data to a broker using the mqtt publish message. A broker can similarly send data to a client via a publish message. Each publish message contains a topic field that identifies the data being published, for example, whether the data is a temperature measurement or a gps may be segregated based on the topic. Similarly, if the client is interested in receiving certain measurements, then it can subscribe to its topic(s) of interest. The topic and payload are of variable length.
The specification does not mandate any topics nor format of the topics. However, it does define wild card characters that permissible when subscribing to topics. The specification also does not mandate any payload formats that shall be supported by the clients.
Therefore, the specification leaves much to the implementation, and the clients must comply with the broker that it wishes to communicate to.
It is worth noting that two client never talk to each other directly.
3.3 Client Authentication and Authorization
The [mqtt-spec] defines optional authentication of the clients connecting to the broker using user name and password of the connection request. The primitives used for the user name and password is an implementation choice left to the entity that deploys the mqtt based service. Based, on the configured access control policy on the broker, clients may have authorization to publish and/or subscribe to only certain topics. The specification does mention authentication of the clients using the tls mutual authentication scheme. Therefore, it is not necessary that all authentication schemes must use the user name and password field of the connect request.
The choice of authentication and authorized access is left to the implementation and not mandated by the specification. Some implementations of mqtt make issues with leaving much to the implementation clear. These implementations, by default, allow unauthenticated clients to publish data to authenticated subscribing clients that authenticate the server using tls. Therefore, the authentication of the server provides little value to the subscribers.
3.4 Keep Alive
The specification defines a periodic keep alive message be sent by the client to the broker. This is intended for the broker to detect any clients that are no longer reachable due to battery failure, loss of network or other reasons.
4 MQTT Client Authentication Schemes
The specification of mqtt, allows for implementation specific client authentication scheme. Section 3.3 already summarizes client authentication and authorization as defined in the mqtt specification, [mqtt-spec]. The specification focuses mostly on client authentication and not broker (server) authentication. However, server authentication is assumed achievable using tls server authentication schemes.
Before, we discuss the client authentication schemes, it is recommended to familiarize with tls. Knowledge of certificate authentication of the tls server and the tls client will be particularly useful to appreciating how some of the schemes work, and to compare them with the others. The version 1.2 specification of tls is available at [rfc-tls-1.2]. [kap] provides a good overview of tls and an excellent summary of attacks on tls. A servers to provide a quick refresh of server and client authentication during tls handshake.
Since, the specification leaves much to implementation and choice, all possibilities are not considered and compared. This research is limited to comparing the schemes listed below:
User name and password
Client Authentication using tls
Client Authentication using jwt
On note for the subsequent sections is that the service (the cloud) may consist of many components. Components like the mqtt broker to communicate with the sensor devices that implementmqttclients, a user data base or an iam system for maintaining the users identity, authentication and authorization information, a portal to register the users, a portal to monitor the users data from the clients and/or the state of the clients etc. The service therefore is a composite of various components. However, in this paper, only two components are considered, the mqtt broker and the user data base or the iam. Note that for the client, the broker symbolizes the service.
4.1 User name and password
The mqtt specification [mqtt-spec] provisions for user name and password fields in the connect request message from the client. Both the fields are optional. And presence of each field is individually indicated in the flags field of the message. See section 3.1 of [mqtt-spec] for details.
The figure 4 provides a simplified view of a client connecting to mqtt based service, that uses the user name and password field for authentication. Authorization is derived from the authentication of the user name.
For this authentication scheme, following prerequisites must be fulfilled.
User name and password are registered with the service.
The user name and password have been provisioned in the client.
This method is simplistic, and requires the client to share its identity and secret to the broker. And that once the credentials are compromised, any body could start impersonating the client. If this scheme must really be used, then, at least two precautions must be taken to:
Encrypt the communication between the client and the broker.
Authenticate the server before sending any credentials to it.
Both of these are easily addressed by use of TLS with server authentication scheme.
Note that this method may never be deployed commercially, however, serves as a good basis for understanding how use of resources on the brokers can be authorized by a simple use of user name.
It should be noted that the specification uses the client id and the user name as distinct concepts without much elaboration on intended use. One of the interpretations could be that a single user can log in from multiple devices. With this interpretation one could argue if the authentication is really the user authentication or client authentication.
However, it is mandated that the client id be unique across clients, and the password field could be supplied even without the user name field. This leaves possibility of individual client’s authentication open. It seems intentional to permit both models in the specification. However, this is subjective to the readers understanding.
4.3 Client Authentication using TLS
The mqtt broker relies on the tls client certificates to establish the identity of the client, and authenticate it. The access control policies are applied based on the identity of the client, the public certificate. The figure 5 illustrates the authentication of a mqtt client authenticated using tls before the mqtt connection. This method is not unique to mqtt, and tls based client authentication is available to any protocol that uses tls for establishing a secure channel. This method is already popularly used with the http based applications.
For this authentication scheme, following prerequisites must be fulfilled.
The client is provisioned with its private key and public certificate. In addition, root ca certificate is provisioned to authenticate the server.
Client’s public certificate is registered with a service and necessary access control policies attached.
The aws cloud service deploys this method as the default and recommended mechanism to authenticate the both http and the mqtt based clients. The client certificates registered with the aws are signed by a root ca that aws trusts. In fact, aws implements its root ca based on the geographic region. The certificate chain used by aws is not very long.The documentation of integrating a device to with the aws IoT is available at [aws-iot]. Protocol specific documentation is available at [aws-protocols]. Additional documentation on security and identity is available at [aws-security].
It is important to note that aws employs many components, each component delegated a specific task. And achieving communication with the mqtt broker has the prerequisite of setting up other components up correctly. An example of such a component is configuration of the iam component. Documentation is available at [aws-iam]. The aws iam provides a verify fine grain control of access control policies per certificate.
This method, enjoys the merit of being a well established standard available to application protocols. And therefore, could be more studied and attacked as against the others schemes.
One observation from experience of implementing tls mutual authentication on Cortex-M based embedded device is that the RAM and CPU requirements when implementing tls peak the handshake are quite high. In fact tls extension max fragment length had to be enabled in order to reduce the RAM requirements for the input and the out record sizes. Hence, this method can be resource intensive and impractical for small embedded devices. This could be a reason why aws may have opened up for other possibilities for authentication of the iot devices.
4.5 Client Authentication using JWT
The mqtt client sends the broker a jwt in the password field of the connect message to the broker. This is the first message that the client send to the broker. The jwt contained in the password field contains the claims like the time of issue, expiration date and any other claim defined by the service and a signature of these claims, any header fields. The signature servers as a proof of possession of the signing key or the private key. The signature is verified using the verification key or the public key that is already registered with the service. Therefore, the client’s identity is its public certificate. However, this identity is never sent out during the communication. The jwt may include a hint on the key to be used for verification. An illustration of this method is depicted in the figure 6.
For this authentication scheme, following prerequisites must be fulfilled.
The client is provisioned with it a signing key (the private key). In addition, root ca certificate is provisioned to authenticate the server.
Client’s public certificate is registered with a service and necessary access control policies attached.
This mechanism of authenticating the clients is used by the Google Cloud IoT Core service. The service mandates inclusion of the audience claim identifying the project in the jwt. The mandated header fields include the algorithm and type. The signature schemes mandated to be supported for jwt are RS256 and ES256. The service does not mandate the verification keys provisioned on the server for jwt to be signed by any ca. These can be self signed. The Google cloud mandates refreshing the jwt at least once every hour. It is not specified if any user or project specific claims can be included in the jwt. Full documentation on how to integrate a device with the Google Cloud IoT using mqtt is available at [google-mqtt]. The documentation on use jwt for authentication is available at [google-jwt].
Use of tls is a must as otherwise, the jwt stand the risk of being stolen and misused. The Google Cloud service mandates use of tls. The server is authenticated by the server certificate and also confidentiality of communication between the broker and the client is ensured. One observation is that the service uses a long ca chain. This has implications on bandwidth, RAM and time taken to verify the server on the client side, which may be a small embedded device.
The client id format are mandated by the service. This is unlike the aws service that allows the developers to define the length.
5 Comparison of authentication schemes
This section compares the authentication schemes described in 4. Not all attributes used for comparison are security properties or goals. However, these are included for as they integrate the application layer protocol, and implementation details and challenges with the schemes.
It is important to note that no formal security analysis has been performed for comparing the schemes. Tamarin-prover available at [tamarin-prover] was investigated for the purposes of analyzing use of tls and jwt for mqtt together. However, the investigation never materialized mostly because of time constraints. Also, there was no straight forward way of combining protocols and primitives for analysis exist.
Confidentiality here is considered not as a security goal, but rather whether it is a prerequisite for authentication. The jwt based authentication described in the section and 4.1 4.5 must be performed on a confidential, and server authenticated channel, to be of any value. Else, the token or the credentials may be stolen and used by anybody to get unauthorized access to the resources on the server.
The tokens are stateless, and do no include any client and/or protocol information. Of course the access to resources are time limited, but, provide enough opportunity to exploit the service by means of impersonating a legitimate client of the service.
The tls client authentication scheme has no such requirement. However, as a consequence, compromise the client’s privacy as a consequence. See 5.3 for details.
5.2 Server authentication
Again, this discussed more as a prerequisite rather than a goal for all the schemes. Providing credentials to an unauthenticated server compromises not just the client, but could end up having wider implications on the system. If a client provides its credentials to an adversary, then, the adversary can impersonate the client publish messages that can cause harm through the devices that subscribe to these published messages. Note that the subscribers never authenticate the source of the published messages, but rather rely on the server to take necessary measures for entity and message authenticity.
5.3 Client Privacy
Use of tls client certificates for authentication described in 4.3 implies that the client’s identity, its public certificate is sent as plain text. The tls handshake is not complete yet, and hence the keys needed for bulk encryption are no established yet. A method to overcome this has been described in section of [kap]. The method proposed is to first establish a confidential link with the server, and then renegotiate the session. Renegotiation procedure is apart of the tls, however, must be supported by both the server and the client to successfully use this feature. Attacks that target this renegotiation procedure are also detailed in [kap].
The use of jwt for authentication described in 4.5 fairs better in this aspect, as the the jwt is sent over tls encrypted channel. Also, the client’s identity is never directly transferred to the server. Rather the client identity and authentication is implied by a valid signature on the token.
5.4 Credential/Key management
One of the major challenges with deployment of any security scheme is the key management.
In tls based authentication scheme, each device, ideally, should be provisioned with unique key pair - the private key, and the corresponding public certificate chain to authenticate itself, and the root ca to be able to authenticate the server.
In jwt base authentication scheme, each device, ideally, should be provisioned with he private key for signing the tokens and the root ca to be able to authenticate the server during the tls handshake.
For each scheme, it is recommended to have more than one key pair to be able to revoke them in case of compromise.
Provisioning of private keys must be performed in a secure environment and managing them is an existing challenge that still requires o be addressed. Further, checking the revocation status of certificates may not be implemented in embedded devices. This choice may then lead to continued communication of devices with a compromised server. Millions of devices can hence be compromised due to a compromised server and impacts of such large scale compromises are hitherto unknown as the iot is still reach its full potential. Updating the system of remote sensors can definitely have a cost impact on the businesses.
Strong recommendations, clear guidelines and swift and transparent measures in case of compromise by service providers may already be some of the steps that could be taken by the service providers.
5.5 Requirement for Time Synchronization
Use of jwt based authentication requires implementing a time service. Use of time adds the needed randomness in jwt tokens. Else, the signature scheme being deterministic would always have the same signature. Further, use of time ensures freshness of the authentication token.
tls based scheme does not have any such requirements as nonce provided by server and client are used during the handshake.
Connection is rejected by the Google cloud if the ”issued at time” did not match its expectation. This means that there can be denial of service attacks launched by impersonating a time server. Typically an ntp server is contacted by an embedded device to get absolute time and typically, only a subset referred to as the sntp is implemented on these constrained devices. The specifications of ntp and sntp are available at [rfc-ntp] and [rfc-sntp] respectively. The [rfc-sntp] describes on security measures being too elaborate and/or complex to be used in simpler devices - this being very true for small embedded devices. Use of jwt based authentication is hence creating dependency on another network based service that has its own vulnerabilities.
5.6 Session interruption
The mandate by the Google cloud service to refresh the jwt token periodically. To fulfill this requirement, the client must be disconnected and connected back with a fresh token as there are no existing mechanisms to refresh the security token. This, therefore translates into the requirement of reestablishing the tls session. Such an interruption may be undesirable in some use cases. Undesirable, due to latency introduced, or the cost of creating a session or both.
While refreshing the token seems like a good idea when used as cookies in the browser or in case authorization grants enable by OAuth. It is unclear what the objective is refreshing the token when used for authentication of mqtt clients is. And therefore, this additional cost and disruption becomes more undesirable.
If the security objective is established, then perhaps a scheme to enable refreshing of tokens with interrupting the sessions could be useful.
5.7 Cost on the client
The client devices that comply with the authentication schemes dictated by the cloud service, are many times constrained in terms resources (RAM, bandwidth, flash and computational capacity and available power), and may further requirements on latency on sending measurements or reacting to commands from the cloud (turn on light bulb) for example.
A study of implementation cost of the various both the tls and jwt based schemes is needed and unavailable as of today.
Choice of deployment schemes like the length of ca used for the server certificates has a direct impact on the constrained client. Google cloud service uses a very long ca chain, that must be first received and stored by the wireless sensor and then validate. The aws uses only one ca for the servers.
Further, certain features like he resumption of tls session may benefit the constrained devices, however, are not always supported by the cloud service due to challenges with sharing the session tickets across load balanced servers. An investigation of how this could be better enabled in the servers, and hence be used by clients may be useful.
5.8 Access Control
It is important to notice the subtle difference in when the iam is contacted in the 5 and the 6. In jwt based scheme, since th client authentication is not established until the mqtt connect request arrives from the client, the default access policy must be configured correctly to ensure no opportunities for unauthorized access open up between the tls handshake completion and mqtt connection.
Further, in this scheme, it is unclear how clients may be authorized to allow only certain protocols. Note that the protocols are typically are deployed in distinct port numbers. Hence, for tls based scheme, based on protocol port and the client certificate, it may be possible to assert even before the handshake completes if the client should be allowed access to the service on the port.
5.9 Known plain text attacks on TLS
The mqtt by design is lightweight with limited set of messages. Each message has fixed header, may have variable header and may contain variable length payload.
Also, the order of the messages can be determined, the first message shall always be the connect message. There is a periodic keep alive message etc.
The connect message fixed header and variable parts by specification, but the variable parts are fixed for a particular client. The keep alive message has no variable components and is sent out periodically.
Therefore, knowing the structure of the message, and most parts of the message, and their use in the protocol could be exploited for chosen plain text attacks on the ciphers used for the tls connection with the broker.
Note that use of jwt in the initial connect message helps only in introducing certain variation to the initial message. And this too, if an only if, the jwt itself introduced a variable, like the time of issue or expiration and/ or other random component.
Therefore, a method to analyze the tls with mqtt may be useful in determining how secure the connection between the client and the broker really is.
5.10 End to end security
Most cloud providers including the aws and the Google cloud claim end-to-end security. In fact many practitioners have the notion that use of tls implies that end-to-end security is achieved. And this may be right.
However, consider the use case where an mqtt subscriber either turns on/off the light based on luminosity or illumination detected by the publishing clients. The subscribing client has no way of ensuring that each of the published message was in fact valid. The validity here may be in sense of time, and or in sense of who is allowed to publish illuminations. The trust is placed entirely on the server. This could, by design of mqtt is the single point of failure.
Possibilities of using jwt in every publish message to asset the source of the message, that the subscriber can verify independent of the server before processing the request could be interesting to research.
Formally defining these security goals are recommended prerequisite to and analyze solutions.
jwt brings about a new method of authenticating the client that can be easily integrated in the existing implementations of the mqtt. However, this new mechanism does not simplify any of the existing challenges of key management. Both tls and mqtt require use of public and private key pair to be provisioned into the devices. Google infact recommends use of key rotation and can support up to 3 keys per device. And, since both schemes rely on the root of trust via the ca chain for server authentication, the two schemes inherit the risks involved with use of certificate chains. The jwt based schemes does protect client privacy, and this is a clear advantage over the tls scheme. However, this advantage however be leveled with widespread support for tls 1.3.
Cost of implementing jwt in constrained devices is not known entirely either. A study of cost weighed against the benefits may be important to help make choices in products.
All schemes rely on secure channel established using the tls. tls being a popular and widely used security protocol on the internet, is most researched and also may be most attacked. A compromise of tls may impact either of the schemes. It is therefore important to ensure that practitioners choose strong ciphers. It is also critical evaluate and test the tls library used in implementations. Also, building mechanisms to ensure patching of any vulnerabilities found in implementations quickly may help mitigate some of the risks in deployed products.
Also, enabling study of security protocols and primitives in an application protocol may be useful, and needed to expose any vulnerabilities exposed by the choice of primitives or the nature of the application protocol. As mentioned in 5.9, mqtt being predictable in payload sent from the client to the server may enable known plaint text attacks on tls. A good models and tool enabling such analysis may be worth research to install faith in security measures deployed in iot systems. Also, many times when analyzing protocols, it is assumed that a fresh time stamp is just available in the system. This may not be true for embedded devices. And an attack on time service of the device may open up for new opportunities of attacks on the device. The most obvious category being the denial of service attack.
More jwt based authentication schemes have been proposed for iot devices. These schemes are not limited or bound to use of any particular application protocol and are targeted for smart home applications. For example, [personal-oauth] suggesting setting up a personal OAuth servers on mobile phones that can issue tokens for the users things connecting to the cloud. Another paper, [imei-based-authenitcation], suggests use of the home gateway device to issue security tokens to other devices to get needed authorized access to services. Both these solution, may simplify the use key management problem for constrained devices. These proposals may have not scale to use cases outside of smart home and, may also be putting to much trust on devices like Gateways and mobile phones which themselves are subject to being compromised easily. However, these proposals do show that there are many possibilities to authenticating iot devices and many varied objectives, so one solution may not fit all use cases.
Appendix A Authentication with TLS
The figure 7 provides an overview of the handshake protocol of the tls. The handshake protocol is used for authentication and key establishment.
For server authentication, the client connecting to the server is provisioned with a root ca certificate. During the handshake, the server then sends its certificate along with the certificate chain in the Certificate message that follows the ServerHello message. The client can now verifies the signature and validity period of each of the certificates in the certificate chain. The last certificate in the chain must either be the root ca that the client is provisioned or signed by the this root ca.
The client cannot send its own certificate unless the server requests it using the ”CertificateRequest” message. When requested, the client, sends its certificate to the server in the ”Certificate” message that follows the ”ServerHelloDone” in the 7. The client is authenticated by the ”CertificateVerify” message that contains signature on hash of all the handshake messages until this message.
Note that, the client cannot send its certificate if not requested by the server and, cannot demand that the server sends it certificate. It can however, terminate the handshake using the alert protocol.