Comparison of security level and current consumption of security implementations for MQTT PAPER WITHIN Product development AUTHOR: Fredrik Carlsson, Klas-Göran Eriksson TUTOR: Rob Day JÖNKÖPING 05 2018 This exam work has been carried out at the School of Engineering in Jönköping in the subject area product development. The work is a part of the two-year university diploma programme of the Master of Science programme. The authors take full responsibility for opinions, conclusions and findings presented. Examiner: Anders Adlemo Supervisor: Rob Day Scope: 30 credits (second cycle) Date: 2018-05-29 Postadress: Besöksadress: Telefon: Box 1026 Gjuterigatan 5 036-10 10 00 (vx) 551 11 Jönköping Abstract Abstract IoT is a rapidly growing area with products in the consumer, commercial and industrial market. Collecting data with multiple small and often battery-powered devices sets new challenges for both security and communication. There has been a distinct lack of a IoT specific communication protocols. The industry has had to use bulky interfaces not suitable for resource-constrained devices. MQTT is a standardised communication protocol made for the IoT industry. MQTT does however not have built-in security and it is up to the developers to implement a suitable security countermeasure. To evaluate how different security countermeasures impact MQTT in complexity, current consumption and security the following research questions are answered. How do you derive a measurement from the SEF that can be compared with a current consumption measurement? Which level of security, according to the SEF, will RSA, AES and TLS provide to MQTT when publishing a message to a broker? What level of complexity is added to MQTT when using chosen security countermeasure? Which of the analysed security countermeasure upholds an adequate security level while also having a low current consumption? To answer the above research questions an experiment approach has been used. Implementations of TLS, RSA and AES have been evaluated to measure how they affect the security level and current consumption of an MQTT publication, compared to no security countermeasures at all. Both RSA and AES had the same security level, but the current consumption for RSA was four times higher. The experiment showed that the security level is significantly higher for TLS, while it also has the highest current consumption. The security countermeasure evaluated differs greatly. TLS provides complete protections, while RSA and AES lacks authentication and does not ensure integrity and non-repudiation. Even if the current consumption for TLS is higher, the security it provides make it unreasonable to recommend any of the other security countermeasure implementations. Keywords AES, Complexity, Current Consumption, Internet of Things, IoT, MQTT, RSA, Security, Security Countermeasure, TLS Sammanfattning Sammanfattning IoT är ett snabbt växande område med produkter inom konsument, kommersiell och industriell marknad. Hopsamling av data med många små och ofta batteridrivna enheter skapar nya utmaningar för både säkerhet och kommunikation. Det har funnits en distinkt brist på IoT-specifika kommunikationsprotokoll. Industrin har tvingats använda sig av tunga gränssnitt olämpliga för resursbegränsade enheter. MQTT är ett standardiserat kommunikationsprotokoll ämnat för IoT-industrin. MQTT har dock ingen inbyggd säkerhet, det är upp till utvecklarna att implementera en passande säkerhetsåtgärd. För att utvärdera olika säkerhetsåtgärder inverkan på MQTT gällande komplexitet, strömförbrukning och säkerhet besvaras följande forskningsfrågor. Hur kan man härleda ett mätvärde från SEF som kan jämföras med ett strömförbrukningsmätvärde? Vilken nivå av säkerhet, enlig SEF, kommer RSA, AES och TLS förse MQTT med under publicering av meddelanden till en broker? Vilken nivå av komplexitet läggs till på MQTT vid användning av vald säkerhetsåtgärd? Vilken av de analyserade säkerhetsåtgärden upprätthåller en tillräcklig nivå av säkerhet, och har samtidigt en låg strömförbrukning? För att besvara ovanstående forskningsfrågor användes en experimentmetod. Implementation av TLS, RSA och AES har utvärderats för att mäta hur de påverkar säkerhetsnivån och strömförbrukning för publicering av ett MQTT-meddelande, jämför med inga säkerhetsåtgärder alls. Både RSA och AES hade samma säkerhetsnivå, men RSA hade fyra gånger högre strömförbrukning. Experimenten visade att TLS hade en signifikant högre säkerhetsnivå, men också den högsta strömförbrukningen. De utvärderade säkerhetsåtgärderna skiljer sig mycket. TLS erbjuder ett mer komplett skydd, medan RSA och AES saknar autentisering och säkerställer varken integritet eller icke- förkastande. Trots att strömförbrukningen för TLS är högre, erbjuder den en säkerhetsnivå som gör det orimligt att rekommendera någon av de andra säkerhetsimplementationerna. Nyckelord AES, Komplexitet, Internet of Things, IoT, MQTT, RSA, Strömförbrukning, Säkerhet, Säkerhetsåtgärd, TLS Glossary Glossary AES - Advanced Encryption Standard Azure - A Microsoft cloud computing service Broker - Popular name for an MQTT server Cloud - The computers and connections that support cloud computing Complexity - Metric for work specified as executed instructions Computer network - A system of connected computers and devices Device - Electronic equipment designed to serve a specific purpose Heterogeneous - Consisting of dissimilar or diverse ingredients or constituents IoT - Internet of Things M2M - Machine-to-machine communication MQTT - Message Queue Telemetry Transport, a communication protocol Node - A device communicating in a computer network Operating System - Software that manages a computer’s processing of programs Paho - MQTT software library Perf - Linux performance analysing tool Plaintext - The intelligible form of data that is to be encrypted RSA - Rivest-Shamir-Adleman, a public-key cryptosystem Security - Protection of computer systems from malicious attacks SEF - Security Evaluation Framework proposed by M. Ge et al. Sensor - A device that communicates information derived from physical stimulus SSL - Secure Sockets Layer, a cryptographic protocol TLS - Transport Layer Security, a cryptographic protocol Topology - Arrangement of elements in a communication network ULPD - Ultra Low Power Devices WSN - Wireless Sensor Network Contents Contents 1 Introduction .............................................................................. 8 1.1 BACKGROUND.............................................................................................................8 1.2 PURPOSE AND RESEARCH QUESTIONS .........................................................................9 1.3 DELIMITATIONS ........................................................................................................10 1.4 OUTLINE ...................................................................................................................10 2 Theoretical background ......................................................... 12 2.1 PRE-STUDY ...............................................................................................................12 2.2 IOT ............................................................................................................................13 2.2.1 Ultra-Low-Power-Devices ..................................................................... 14 2.2.2 Wireless Sensor Network (WSN) ........................................................... 15 2.3 SECURITY IN IOT ......................................................................................................17 2.3.1 Cryptography ......................................................................................... 17 2.4 SOFTWARE COMPLEXITY ..........................................................................................18 2.5 MQTT .......................................................................................................................18 2.6 SECURITY COUNTERMEASURES ................................................................................20 2.6.1 RSA ........................................................................................................ 20 2.6.2 TLS/SSL ................................................................................................. 21 2.6.3 AES ......................................................................................................... 22 2.7 SECURITY EVALUATION FRAMEWORK (SEF) ..........................................................23 2.7.1 Definition of network information ........................................................ 24 2.7.2 Generation of extended HARM model .................................................. 24 2.7.3 Attack graph and attack trees ................................................................ 25 2.7.4 Security analysis for IoT network .......................................................... 25 2.7.5 Update of security model ....................................................................... 25 3 Method and implementation ................................................. 26 3.1 EXPERIMENT METHOD ..............................................................................................26 3.2 SECURITY EVALUATION FRAMEWORK ......................................................................27 3.3 IMPLEMENTATIONS OF SECURITY COUNTERMEASURES ...........................................27 3.4 SECURITY COUNTERMEASURE COMPLEXITY ............................................................29 Contents