(IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 11, No. 7, 2020 Lightweight Security Mechanism over MQTT Protocol for IoT Devices Sanaz Amanlou1, Khairul Azmi Abu Bakar2 Center for Cyber Security, Faculty of Information Science & Technology Universiti Kebangsaan Malaysia, Bangi, Malaysia Abstract—Security is one of the main concerns with regard to preserving exchanged data becomes most important. Also, the Internet of Things (IoT) networks. Since most IoT devices are objects in IoT networks are seriously resource-constrained with restricted in resource and power consumption, it is not easy to limited computational ability, memory, and power, so it is very implement robust security mechanisms. There are different difficult to implement heavy operations on them which are methods to secure network communications; however, they are required by ciphering algorithms. They need a lightweight not applicable to IoT devices. In addition, most authentication security mechanism with low resource consumption. methods use certificates in which signing and verifying Traditional authentication and encryption methods have a huge certificates need more computation and power. The main overhead on IoT devices. Therefore, this study focuses on the objective of this paper is to propose a lightweight authentication evaluation of a lightweight security mechanism that secures and encryption mechanism for IoT constrained devices. This communication in IoT networks as well as reduces resource mechanism uses ECDHE-PSK which is the Transport Layer Security (TLS) authentication algorithm over Message Queuing consumption of IoT limited devices. Telemetry Transport (MQTT) Protocol. This authentication Based on these requirements in IoT networks, a algorithm provides a Perfect Forward Secrecy (PFS) feature that communication stack is needed to provide a low-power, secure, makes an improvement in security. It is the first time that this and lightweight protocol. IoT communication stack includes TLS authentication algorithm is implemented and evaluated over different types of protocols [4] [5], this paper was tried to the MQTT protocol for IoT devices. To evaluate resource improve the security of the MQTT application layer protocol consumption of the proposed security mechanism, it was since it built on top of TCP protocol, has low power usage and compared with the default security mechanism of the MQTT protocol and the ECDHE-ECDSA that is a certificate-based lightweight overhead than other IoT protocols [6]. In addition, authentication algorithm. They were evaluated in terms of CPU because IoT networks depend on TPC/IP, in this study, utilization, execution time, bandwidth, and power consumption. Transport Layer Security (TLS) [7] is selected which is the The results show that the proposed security mechanism reliable protocol and supports most of the security cipher outperforms the ECDHE-ECDSA in all tests. suites. Then the TLS evaluated over MQTT protocol when using the ECDHE-PSK authentication algorithm. The results Keywords—Internet of Things (IoT); MQTT; Pre-Shared Keys are then compared with the ECDHE- ECDSA and also with the (PSK); elliptic curve cryptography; Diffie-Hellman Ephemeral default security mechanism of the MQTT protocol. (DHE); Digital Signature Algorithm (DSA); Perfect Forward Secrecy (PFS); authentication; power consumption; wireless The rest of the paper is categorized as follows: Section II sensors reviews previous works related to IoT security also an overview of the MQTT protocol. Section III provides details of I. INTRODUCTION the proposed security mechanism. Section IV describes The Internet of Things (IoT) has been developed performance evaluation and discussion on the results. Lastly, significantly and is moving towards maturity. It can be viewed Section V concludes the paper and offers a suggestion for as “a global network which provides the communication future work. between human-to-human, human-to-things, and things-to- II. RELATED WORK things by making a unique identity for each object” [1]. Multiple objects which include embedded sensors, wireless A. Message Queuing Telemetry Transport (MQTT) Protocol communication, processors, can be linked together to make the MQTT is an open protocol, standardized by OASIS and network of IoT. The Internet of Things is a mixture of two became an ISO standard (ISO/IEC 20922:2016) [8]. This terms. The first term is the Internet, which connects billions of protocol is being adopted widely and used extensively by most users, devices, personal systems, and even business big companies such as Amazon and Facebook to exchange data organizations. The second term is Thing, which refers to between resource-constrained devices. MQTT supports intelligent objects [2]. publish/subscribe architecture [9] over TCP [10] protocol. It There are many different environments [3] where IoT has two components that are the client as a publisher or objects interact automatically with their surroundings and the subscriber and the broker. The publisher publishes messages Internet automatically and independently, as a result, a lot of and the client subscribes to certain topics that are relevant to security and privacy concerns have arisen. IoT devices have them and by that, receives every message published under become crucial to many enterprises and even cities and those topics. Each message has a topic and clients can 202 | P a g e www.ijacsa.thesai.org (IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 11, No. 7, 2020 subscribe to several topics. These topics categorized in a C. Elliptic Curve Diffie Hellman Ephemeral (ECDHE) Key hierarchical system [11] similar to file paths in a computer; e.g. exchange algorithm “home/living room/air condition/status”. ECDHE is an algorithm used for key exchange which lets MQTT has a low overhead, meaning that it sends a very two entities to make a shared secret. In fact, it is an adaption of small amount of extra data and the actual content of the the Diffie-Hellman (DH) [23] key exchange protocol that message. The MQTT header is incredibly small (only 2 bytes) employs elliptic curve cryptography to minimize the key length [12] in comparison with other protocols like HTTP or CoAP and improve performance. Elliptic curves are used widely in [13]. various key exchange methods which include the DH key agreement. ECC [24] provides a security level similar to RSA Among different IoT protocols the Quality of Service but with smaller key sizes [25] that result in fast calculations (QoS) [14] features of MQTT make it unique which guaranteed and less power consumption for IoT devices. delivery of messages and assurance of data distribution between two parties. In the ECDHE algorithm, each party must generate a key pair (include a public key and a private key). Public keys are MQTT has default security features [15], For instance, for Ephemeral therefore a unique session key made for each authenticating purposes, MQTT offers a simple authentication session and provide the Perfect Forward Secrecy (PFS) [26] method via username and password for connecting a client to feature. This feature guarantees that the session keys will not the broker. Authentication options are sent in plaintext without be compromised by making a unique session key for each any encryption. Therefore, developers can implement their own session. Previous key exchange algorithms like RSA [27] and security mechanisms on the network and transport layer. ECDH [28] cannot provide the (PFS) feature because of their Security can also be provided at lower layers. For instance, static public keys. There are some papers that compared RSA MQTT uses TLS on the Transport layer to protect and ECDH-based cryptography together. According to communication between parties. measurement results in [29], the overall execution time of B. The Transport Layer Security (TLS) and its cipher suits TLS-ECDH is faster than TLS-RSA. In [30] the power consumption and performance of RSA, DH, and ECDH key TLS protocol [16] is a widely used secure-channel protocol exchange algorithms are compared and the results showed the that allows secure end-to-end communication between two ECDH algorithm is better than others. Although ECDH devices. It utilizes cryptography for data protection and device outperforms RSA and DH algorithms, it cannot provide authenticity. This protocol contains two main protocols: the forward secrecy feature that is possible by using ECDHE TLS handshake protocol and the TLS record protocol. The algorithm. handshake protocol allows the client and server to authenticate each other and to negotiate an encryption algorithm, MAC D. Elliptic Curve Digital Signature Algorithm (ECDSA) algorithms, and session keys for data encryption in the TLS Authentication algorithm record [17]. The TLS Record Protocol secures the connection The U.S. National Institute of Standards and Technology after the TLS Handshake Protocol established using symmetric (NIST) developed the Digital Signature Algorithm (DSA) [31] cryptography such as RC4 or AES [18] and hash functions like for use in their Digital Signature Standard (DSS) in 1991. In a SHA-1 [19]. The operation is determined by the cipher suite Digital Signature, the signer's Private Key is used to sign, and which applied and its name represents the involved algorithms. the signatory's Public Key is used to verify the signature by the For example, the TLS-ECDHE-ECDSA-CHACHA20- recipient. The ECDSA [32] is an elliptic curve variant of