Secure MQTT Authentication and Message Exchange Methods for IoT Constrained Device

Abstract

The concept of the Internet of Things (IoT) is expected to be one of the network solutions of the future. One of the protocols that are often used in IoT communication is the MQTT protocol. The MQTT protocol uses less bandwidth, is light in computing, and is fast in transmission. Thus, the MQTT protocol can be applied to constraint devices. However, the MQTT protocol lacks a security mechanism by default. The use of TLS in the MQTT protocol does not suitable for constraint devices. One of the vulnerabilities encountered in the MQTT protocol is authentication. The lack of authentication causes unauthorized nodes to use MQTT network resources which can lead to over-connection. This study used the JSON Web Token (JWT) to build a token-based authentication mechanism on MQTT as a second authentication factor other than username and password. This was done to prevent the access of unauthenticated nodes to enter the MQTT network. From the validation results, the proposed authentication mechanism is validated for brute force and sniffing attacks. The proposed authentication mechanism validated that there are not exist unauthenticated nodes that can log in into the MQTT network. In addition, the proposed authentication mechanism is validated that the message sent has been encrypted using the XXTEA encryption algorithm to maintain the confidentiality of the communication. The proposed authentication mechanism can be run on constraint devices using 405912 bytes (38% of total program storage) on publisher nodes and 406856 (38% of total program storage) on subscriber nodes.