Securing MQTT. #javaland

Transcription

1 Securing MQTT #javaland

2 INTRODUCTION Dominik

3 Disclaimer Obligatory Disclaimer: All security suggestions and guidelines in this talk are collected from real-world projects and experiences. When in doubt how to apply these techniques in your own projects, please consult a security professional you trust.

4 Key Protocol Facts

5 MQTT Protocol Characteristics Messaging Protocol Publish / Subscribe Lightweight Binary Data Agnostic Easy

6 Publish / Subscribe subscribe publish: 21 C publish: 21 C laptop subscribe temperature sensor MQTT-Broker publish: 21 C mobile device

7 Security

8 The mantra of any good security engineer is: 'Security is a not a product, but a process.' It's more than designing strong cryptography into a system; it's designing the entire system such that all security measures, including cryptography, work together. - Bruce Schneier

9 Multiple Security Layers and Aspects

10 Security Layers Network Host Application Data

11 Network & Secure Communication

12 Reduced Attack Surface

13 Reduced Attack Surface Client initiates TCP connection Client doesn t need (and shouldn t be) addressable from outside IPv6 Privacy Mode should be used NATs can further decrease attack surface

14 NAT

15 Transport Layer Security (TLS)

16 Network Stack

17 TLS Cryptographic protocol Provides a secure communication channel between client and server TLS handshake initiates TLS session Client validates X509 certificate from server

18 TLS Handshake Source: Wikimedia Commons:

19 Best Practices 1 Always use TLS if possible 2 Use Certificates from trusted CAs 3 Always validate the X509 certificate chain 4 Use highest TLS version and secure cipher suites

20 X509 Client Certificates

21 X509 Client Certificates Client sends certificate as part of the TLS handshake The server is able to verify the identity of the client and can abort the handshake Authentication on Transport Layer Some brokers can use certificates for authorization

22 The challenge: Provisioning and revocation

23 X509 Client Certificate Provisioning + Revocation How to deploy certificates to MQTT clients? Works great if PKI is already in place Certificate Revocation Lists for small deployments Online Certificate Status Protocol for online certificate validation

24 Security Layers Network Host Application Data

25 Firewall

26 MQTT Ports MQTT + TCP MQTT + TLS MQTT + Websockets 1883 Official IANA Port 8883 Official IANA Port 80 / 443 Standard HTTP Ports

27 Firewall Best Practices Only listen on defined ports Only allow traffic from a specific IP range if possible Block all protocols except TCP * Create iptables rules for common attacks * ICMPv6 may be needed for IPv6

28 OS Best Practices (Linux) Keep libraries and software updated Disallow Root Access and use SSH Keys for SSH Setup SELinux Install Tools like Fail2Ban, Snort, OSSEC

29 Security Layers Network Host Application Data

30 Choose your MQTT Broker wisely

31 Broker Selection

32 Broker specific security mechanisms Authentication Authorization Throttling Message Size Restrictions

33 Criteria for choosing MQTT brokers

34 Criteria for Broker selection What security features does the broker have out of the box? Does the broker have a pluggable security mechanism Is TLS supported? Do security features thwart the broker?

35 Authentication

36 Authentication is the act of confirming the truth of an attribute of a single piece of data or entity. - Wikipedia on Authentication

37

38 But how does Authentication work with MQTT?

39 Authentication

40 Authentication Information Username + Password Client Identifier IP Address X509 Client certificate

41 Authorization

42 Authorization and MQTT Authorization can restrict Topics a client can publish or subscribe to. Black and Whitelists Message characteristics also possible to restrict (Retained, QoS)

43 OAuth 2.0

44 OAuth 2.0 Only Client Credentials Flow Applicable to MQTT Designed for HTTP but also usable for MQTT Uses JWT for Access Tokens on CONNECT Online (JWKS) and Offline Validation (Signature Validation) Possible

45 OAuth 2.0 Client Credentials Flow

46 Why OAuth 2.0 instead of plain User Credentials?

47 OAuth 2.0 Advantage over Credentials MQTT Brokers will never see a password - Only Authorization Servers which issue Access Tokens Online and Offline Validation Possible Access Tokens only have a limited lifetime and can get revoked Brokers are just Resource Servers - Access Tokens could also be valid for other Resource Servers Authorization information can get encoded in the JWT by using custom claims

48 Security Layers Network Host Application Data

49 Payload Encryption

50 Message Data Integrity

51 Security Layers Network Host Application Data

52 A key concept is that security is an enabler, not a disabler... security enables you to keep your job, security enables you to move into new markets, security enables you to have confidence in what you're doing. - Gene Spafford

53 THANK YOU QUESTIONS?