MQTT-PRESENT: Approach to secure internet of things applications using MQTT protocol

The big challenge to raise for deploying the application's domain of the Internet of Things is security. As one of the popular messaging protocols in the IoT world, the message queue telemetry transport (MQTT) is designed for constrained devices and machine-to-machine communications, based on the publish-subscribe model, it offers a basic authentication using username and password. However, this authentication method might have a problem in terms of security and scalability. In this paper, we provide an analysis of the current research in the literature related to the security for the MQTT protocol, before we give a brief description of each algorithm used on our approach, to finally propose a new approach to secure this protocol based on AugPAKE algorithm and PRESENT encryption. This solution provides mutual authentication between the broker and their clients (publishers and subscribers), the confidentiality of the published message is protected twice, the integrity and non-repudiation of MQTT messages which is protected during the process of transmission.


INTRODUCTION
The internet of things (IoT) plays an important role in our daily life. Cisco predicted at the end of 2020 that the number of connected devices will rise to 50 billion [1], the main objective of IoT is to form a network of identifiable objects like the radio frequency identification (RFID) connected to the Internet and can communicate with each other anytime, anywhere, and everywhere [2]. The IoT is the backbone of each application's domain like healthcare, agriculture, transportation, cities in general. The researchers are under pressure to quickly deploy this technology but security is a critical point without we can trust any application because of the big amount of sensitive data transmitted by devices [3]. A lot of works are made to find a solution to secure the platform used in the IoT application's domain. There are various IoT application layer protocols like advanced message queuing protocol (AMQP), constrained application layer protocol (CoAP), message queue telemetry transport (MQTT). A lot of advantages make the MQTT protocol the most used protocol in IoT applications [4], [5] due to its simplicity and lightweight. There are some security features to make into consideration in an IoT environment like confidentiality, integrity, and availability. It's a big challenge for researchers to propose solutions that verify these features adapted to constrained devices. In this perspective, we propose an approach to secure the MQTT protocol, a solution based on AugPAKE algorithm and PRESENT encryption, that provides mutual authentication between the broker and their clients (publisher/subscriber), the confidentiality of the published message, the integrity, and non-repudiation of MQTT messages which is protected during the process of transmission. The paper has the following structure in section 2 we review the main contributions in the literature regarding the security solutions proposed for MQTT based on the authentication, the authorization, and cryptographic mechanism, and AugPAKE algorithm similar to our solution, in section 3 we detail the theoretical basis used in our approach (MQTT protocol and AugPAKE algorithm, PRESENT Encryption), while in section 4 we describe the proposed solution based on AugPAKE algorithm, the different steps in detail, and the exchanged messages. Finally, to explain the main security features approved by our contribution and some future works.

LITERATURE REVIEW
Security is a crucial point in the IoT domain, a lot of researchers are working to propose a solution for securing applications based on a constrained device. The big challenge is to apply security features such as authentication and authorization to verify the confidentiality, integrity, and availability of data information. Some authors propose a solution based on authentication like the authors Bali [6], propose a lightweight authentication mechanism based on a chaotic algorithm using self-key agreement and block cipher to improve the MQTT security, after simulation, it was mentioned that the data confidentiality was proven. Bhawiyuga [7], proposes an implementation of token-based authentication of MQTT protocol in constrained devices, but the proposed design consists of four components: Publisher, subscriber, MQTT broker, and Token authentication server. Rahman [8] the authors propose a secure version designed for wireless sensor networks by developing a multi-tier authentication system to ensure data privacy in IoT system depending on the use of ciphertext-policy attribute-based encryption (CP-ABE) or key-policy attribute-based encryption (KP-ABE) with the lightweight elliptic curve cryptography (ECC).
Other works are based on authorization mechanism to secure the protocol MQTT as: Niruntasukrat [9] their solution is based on O.Auth 1.0a an open authorization standard for web applications, the proposed system is based on a set of credentials (device ID, device secret, access token, and access token secret), some of these credentials need to be sent through a device which has to be not constrained and can afford HTTPS.
Other authors propose a cryptographic algorithm to secure MQTT protocol like in [10] they propose a composite security solution for MQTT by combining on Attribute-based encryption and advanced encryption standard (AES) S-boxes. The solution is based on public-key cryptography and secret-key cryptography, so double decryption must be done by the subscriber. We will have the same drawback more overhead. Another solution based on attributes is [11] Singh propose a new secure publish command "SPublish" for (MQTT, MQTT-SN) which encrypt data based on a set of attribute-based encryption (ABE), the key policy KP-ABE and a ciphertext policy CP-ABE using lightweight ECC, the use of CP-ABE causes an extra overhead which is the main drawback of using ABE. Mektoubi [12] their contribution is to secure the flow of distributed messages between the users of the MQTT protocol by using a certification authority that generates a private key and a certificate to a topic that is published for certified clients. The contribution in [13] proposes to secure MQTT by using access control lists (ACLs) embedded in a Mosquitto broker which acts like a filter allowing only those data which are requested thereby saving the flow of ambiguous data. The (ACL) method act as extra security to the whole process, for each data username and password, are created to get access to the data. However, this solution can cause more overhead, scaling with the number of different data to be transmitted. Two works are like our solution based on augmented password-only authentication and key exchange (AugPAKE) are: Shin [14], the solution called AugMQTT: A session key will be established between the publisher and the broker and another session between the broker and the subscriber without certifications. To publish a message, the publisher uses a secure symmetric-key encryption schema or a secure authenticated encryption with associated data schema to send data to the broker, the broker uses the same key to decrypt data and store the data message, for necessary request the broker transmits a ciphertext to the subscriber using the same key shared with the broker. The proposed solution is implemented through Mosquitto. Calabretta [15] MQTT-Auth the authors use the AugPAKE protocol to make the session key and use an authentication token wich create and publish on a certain topic and an authorization tokenshared between the publisher and somechosen subscribers. The solution uses ActiveMQ. This Table 1 makes a comparison between some proposed solutions to secure MQTT by giving some advantages and drawbacks for each one.

THE COMPREHENSIVE THEORETICAL BASIS
In our approach, we use the AugPAKE algorithm and the PRESENT encryption through the MQTT protocol, so we have to explain in detail the basis of each one. To finally propose the new approach of our solution to secure the MQTT protocol.

The message queuing telemetry transport protocol (MQTT)
The MQTT protocol is one of the IoT's application protocols. This is the most widely adopted protocol for developing IoT applications compared with the others application protocols [19]. MQTT was developed by Andy Stanford-Clark of IBM [20] and Arlen Nipper of Arcom in 1999 and standardized in 2013 by the Organization for the advancement of structured information standards (OASIS) [21]. It's suitable for IoT applications due to its simple model and low bandwidth usage. Furthermore, it guarantees the reliability of packet delivery. Some features of the MQTT protocol: It's a published/subscribe protocol and runs over TCP/IP. It's suited for constrained environments due to its simplicity and open source code. It also supports three levels of quality of service (QoS).
In MQTT, the publish-subscribe model mentioned below in Figure 1, the publisher sends the data to the broker for publishing in the 'Publish' message; a subscriber authenticates and subscribes to the broker for a certain topic on the 'Subscribe' message, the broker sends the data to the specifics subscribers that are subscribed to the specific topic on 'Publish' message.

The AugPAKE protocol
The AugPAKE protocol [18] is based on the modification of the Diffie Hellman key exchange protocol. In this protocol, the client computes a key from the password to authenticate to the server which does not need to store client passwords. After successful authentication, the secure session is established and key agreement between the client and the server. The AugPAKE protocol exchanges 4 messages. The Augmented is a client-server session key establishment protocol that uses some parameters which are explained in this Table 2.

PRESENT
After secure key session establishment, we will use the payload encryption encapsulated into PUBLISH message. Encryption like a technique of cryptography which is the science of protecting data from malicious acts to ensure the confidentiality, integrity, and authenticity of the transmitted information. In this perspective, using the cryptographic technique is an intelligent choice to be developed to support heterogeneity, interoperability, key size, low energy consumption, limited resources of IoT devices [22]. That's why, we use PRESENT [23] encryption as a lightweight block cipher, compared to AES, it's 2,5 smaller than the last one. It's an example of the SP-Network cryptographic algorithm. It consists of 32 rounds, the block length is 64 bits and two supported key lengths of 80 and 128 bits as shown in Figure 2, the procedure of encryption is divided into three phases: a. Key addition: the data undergoes a xor operation with the key from which only the last 64 bits of the result are taken for this operation. After this, the 64 bits data is divided into 16 blocks each containing 16 bits for the next process. b. Non-linear substitution layer: Each of this block is then passed through the substitution boxes where the value in these boxes are replaced by the values in the substitution blocks. c. Bit-wise permutation: The substituted data is then passed through the permutation block where all the 64 bits of the input data are reorganized. After this, the key is updated to produce another round key which is used next time the same entire process is repeated for the same set of data. This is repeated 32 times and then the encrypted data is transmitted.

THE PROPOSED APPROACH
Our approach to secure the MQTT protocol consists of using the AugPAKE algorithm with PRESENT as lightweight encryption for the payload of PUBLISH message. Our contribution related to Aug-MQTT is to bring more lightness to the process of securing MQTT communication. In Aug-MQTT the authors use only secure symmetric-key encryption as AES which is heavy for constrained resources also they use a client to broker encryption but in our contribution we use an end to end encryption which the broker has no idea about the payload, it's encrypted by PRESENT and will be sent to the subscriber securely. In Aug-MQTT, the broker is a good target for a hacker, the data isn't secure, the message is plaintext and also in MQTT-Auth, the authors mentioned that the broker could be a single point of attack. It has complete visibility of the exchanged data because it's in charge of encrypting and decrypting the MQTT payloads.
The diagram above present our approach based on AugPAKE and PRESENT. The first step is based on the AugPAKE algorithm to establish a secure key session between the publisher/the subscriber and the broker. It's divided into two phases: a. The initialization phase: the publisher sends (Cp, Wp) to the broker where Cp: the identifier of the publisher and computed Wp by using the (1) in the AugPAKE algorithm: b. The execution phase <Publisher --Broker>: composed of multiple steps mentioned below in Figure 3, that explain the Key session between the Publisher and the Broker: 1) The publisher sends (Cp,Xp) to the broker according to (2).
2) The broker sends (S, Yp) to the publisher when it received the right Xp; according to (3).
3) The publisher sends (Cp,Vcp); according to (5); when it received the right Yp. 4) The broker computes SKp according to (8) and sends (S, Vsp), according to (7). 5) Finally, the publisher computes SKP; according to (8), when it's received the right Vsp. The publisher and the broker share a secure session key SKp. c. The execution phase <Broker --Subscriber>: composed of multiple steps mentioned below in Figure 4, that explain the Key session between the Broker and the Subscriber: 1) The Subscriber sends (Cs,Xs) to the broker according to (2).
2) The broker sends (S, Ys) to the Subscriber when it received the right Xs; according to (3).
3) The Subscriber sends (Cs,Vcs); according to (5); when it received the right Ys. 4) The broker computes SKs according to (8) and sends (S, Vss), according to (7). 5) Finally, the Subscriber computes SKs; according to (8), when it's received the right Vss. The Subscriber and the broker share secure session key Sks.
The broker has the two sessions keys shared by the subscriber and the publisher as are mentioned in Figure 5, It computes the key Ks by the (9): The key Ks must be shared with the publisher and the subscriber that's why the broker sends the key to the publisher (subscriber) by PRESENT encryption using the Skp (Sks). Both the publisher and the subscriber have the shared key Ks. When the publisher wants to publish a message, the PRESENT encryption process applied to the payload of the message PUBLISH using Ks, the publisher will transmit E(Ks, Data1) to the broker. When necessary/requested, Broker transmits a ciphertext E(KS, Data1) to Subscriber, who can decrypt by PRESENT decryption with the key KS to get the message published according to its corresponding topic.

SECURITY DISCUSSION
In this section, we discuss the security properties that are supported by our solution: a. Authentication: Everything on the Internet of Things must be identifiable and authenticated with the other objects connected, so it's a challenging task because of the nature of IoT. Our proposed solution provides mutual authentication between the broker and their clients (publishers and subscribers) [24]. 1) Publisher (subscriber) authentication: the publisher (the subscriber) is authenticated by using the session key Skp (Sks) approved by the usage of the AugPAKE Algorithm. 2) Broker authentication: only the broker with his common key (Skp) or (Sks) can decrypt the publish and subscribe messages from publishers and subscribers who use the common broker keys. b. Confidentiality: It is very important to ensure that the data is secure and only available to authorized users. Another point that the users of IoT must be aware of how the data is managed and ensure that the data is protected through the process [25]. In the proposed solution the published message is protected twice, first when it is transferred to the broker, by using the secure session generated by the AugPAKE Algorithm; only the client who has the session key can decrypt the message and in the second time in the side of the broker doesn't have the message in plaintext due to the PRESENT encryption. c. Integrity and non-repudiation: It's very important to ensure the accuracy of the data; that it is created or modified by the authorized party only. The integrity feature can be imposed by maintaining end-to-end security in IoT communication. This is what our solution providers, the end-to-end security, and not the client to end security The data is encrypted by the PRESENT encryption during the process of publishing the message, the broker has no idea about the message transmitted [24]. Our contribution consists of reinforcing the security of the broker, the data is stored by the broker in an encrypted format (PRESENT encryption). The proposed system provides the authentication of publisher and subscriber: they are authenticated with the broker by using the session key Skp (Sks) approved by the usage of the AugPAKE algorithm. The confidentiality, integrity, and non-repudiation of MQTT messages from the publisher to the subscriber because the broker does not have the message in plaintext due to the PRESENT encryption.
By using the AugPAKE protocol in our approach, an attacker can get (Cp,Xp) ,(S,Yp),Vsp or Vcp by eavesdropping, but he cannot compute an authenticated session key (Skp) shared between the publisher and the broker, therefore it's secure against passive attacks and also if the attacker controls the exchange message, he can't compute an authenticated session key so it's secure against active attacks ( man in the middle attack/replay attack) also for the offline/online dictionary attacks [26]. Our contribution related to the previous works using the AugPAKE Protocol that we add the PRESENT encryption that provides more protection to the broker, the message will be encrypted. Our solution provides: a. User anonymity: For the clients (subscriber/publisher) the identity of the clients is protected using Sks/Skp. b. Mutual authentication: By using the session channel Sks (Skp) between the subscriber/Broker and publisher/Broker. The proposition validates important points of security for IoT using the MQTT protocol. The proposed solution is secure against: c. Man in the middle attack: The attacker interfere between two nodes by monitoring, eavesdropping, and controlling the communication between the two sensor nodes to access the restricted data [27], d. The replay attack and the offline password guessing attack: even if the attacker can guess a password, the parameter K in the (4) of the AugPAKE Algorithm is derived independently from the guessed password. We make this Table 3 which summarize some advantages of our proposed solution compared with some previous works, some of these advantages: User anonymity, mutual authentication, data confidentiality data privacy, data integrity, and robustness against some attacks like Man in the middle, the offline password guessing attack, the replay attack. The results seem interesting in comparison with the other solutions working on the security of MQTT.
The second important parameter to take into consideration is the estimated cost time for this solution, according to the number of hash, modular exponentiation, and encryption operation, we do a comparison of the estimated cost time of each solution using AugPAKE (Aug-MQTT, Auth-MQTT, Our Approach) by making these parameters, the result is summarized in Table 4. The results of our solution in terms of the parameters cited in Table 4, look promising in comparison with the other solutions, we are on the way to validate these results by simulation.

CONCLUSION
Our contribution consists in this paper, to propose a new approach that makes the MQTT protocol, the most used protocol in IoT applications, more secure and competitive with the other solutions proposed by the others research to secure the MQTT protocol. Our solution is based on AugPAKE Algorithm and PRESENT lightweight encryption. Our contribution consists of using the PRESENT encryption comparing with works using the same AugPAKE algorithm the Aug-MQTT and MQTT-Auth, that makes the solution lightweight and more secure, the solution provides the user anonymity, mutual authentication, data confidentiality, and data privacy, data integrity and non-repudiation of data information also it's secure against some attacks like the man in the middle, offline password guessing, the replay attack. Finally, the estimated cost time of our proposed solution seems interesting to go ahead. For future works, we are on the way to simulate our approach in the publish/subscribe model and especially for the smart healthcare application. In others words, we will simulate some attacks to evaluate the robustness of our approach. Also, we are working on how Machine learning techniques can help us to secure the publish/subscribe model.