Enhanced authentication: new features of MQTT 5.0

MQTT v5 brings many new features. In this series we try to present them in a plain and understandable way and discuss their impact on developers. We have already covered several of the new features of MQTT v5; today we continue with enhanced authentication.

In Internet of Things applications, security design is a very important part of the work: leakage of sensitive data or unauthorized control of edge devices is unacceptable. However, compared with other application scenarios, IoT projects face the following constraints:

  • Security and high performance are hard to achieve at the same time;
  • Encryption algorithms need more computing power, while the computing power of IoT devices is often very limited;
  • Network conditions in IoT deployments are often much worse than in a home or office network.

To work within these constraints, the MQTT protocol provides simple authentication and enhanced authentication so that devices can be verified at the application layer.

Simple authentication

The MQTT CONNECT packet carries a User Name and a Password field, which support basic authentication of the connection. This method is called simple authentication. The same fields can also carry other forms of credentials, for example a token passed in the Password field.

After receiving the CONNECT packet, the server can check the user name and password it contains to verify that the client is legitimate and protect the service.

Compared with enhanced authentication, simple authentication costs very little computing power on both the client and the server, so services with low security requirements and tight computing resources can use it.

However, in the username/password model both the client and the server know that a user name corresponds to a given password. Without an encrypted channel, transmitting the user name and password in plaintext, or transmitting a hash of the password, is easy to attack: whoever can observe the traffic can capture the credential and replay it.

Enhanced authentication

Motivated by stronger security requirements, MQTT v5 adds enhanced authentication as a new feature. Enhanced authentication includes challenge/response style authentication and can achieve mutual authentication of client and server: the server can verify that the connecting client is the real client, and the client can verify that the server it has connected to is the real server, which provides higher security.

Enhanced authentication relies on an authentication method and authentication data to complete the whole authentication process. The authentication method is commonly a SASL (Simple Authentication and Security Layer) mechanism, and using a registered mechanism name aids interoperability. However, the authentication method is not restricted to registered SASL mechanisms; the server and the client can agree on any challenge/response style of authentication.

Authentication method

The authentication method is a UTF-8 string that names the authentication method. The client and the server must both support the method specified. The client initiates enhanced authentication by including the Authentication Method property in the CONNECT packet. During the enhanced authentication process, the packets exchanged between the client and the server must carry the Authentication Method property, and its value must be the same as in the CONNECT packet.

Authentication data

Authentication data is binary data used to carry cryptographic secrets or the data of each step of the protocol. Its content depends entirely on the specific authentication method.

Enhanced authentication process

Unlike simple authentication, which relies on a single CONNECT/CONNACK exchange, enhanced authentication needs the client and the server to exchange authentication data several times. MQTT v5 therefore adds the AUTH packet for this purpose. Enhanced authentication is built on three MQTT packet types: CONNECT, CONNACK and AUTH. All three can carry the Authentication Method and Authentication Data properties, which together achieve mutual authentication.

To start enhanced authentication, the client sends a CONNECT packet containing the Authentication Method property. After receiving it, the server can continue exchanging authentication data with the client through AUTH packets, and sends a CONNACK packet when authentication completes.
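The packet layout described in the last three sections (the Authentication Method property, the Authentication Data property and the AUTH packet) as an added example, not code from the article or from EMQ. The property identifiers and reason codes are the ones defined in the MQTT 5.0 specification; the method name and payload used in the demo are constructed values, and the encoder handles only the two authentication properties (a real broker also has to accept Reason String and User Property).

```python
# Added example (not from the article or EMQ): encode and decode MQTT 5.0 AUTH
# packets carrying the Authentication Method and Authentication Data properties.
# Identifiers and reason codes are from the MQTT 5.0 specification; the method
# name and payload used in the demo are constructed values.

PACKET_AUTH = 0xF0               # packet type 15 in the high nibble, flag bits 0
PROP_AUTH_METHOD = 0x15          # UTF-8 encoded string
PROP_AUTH_DATA = 0x16            # binary data, 2-byte length prefix
RC_SUCCESS = 0x00
RC_CONTINUE_AUTHENTICATION = 0x18
RC_REAUTHENTICATE = 0x19         # client to server only
VALID_REASONS = (RC_SUCCESS, RC_CONTINUE_AUTHENTICATION, RC_REAUTHENTICATE)


def vbi_encode(n):
    """Variable byte integer: 7 data bits per byte, high bit means 'more follows'."""
    out = bytearray()
    while True:
        n, b = divmod(n, 128)
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def vbi_decode(buf, i):
    """Return (value, index of the first byte after the integer)."""
    value, shift = 0, 0
    while True:
        if i >= len(buf) or shift > 21:      # spec allows at most 4 bytes
            raise ValueError("truncated or over-long variable byte integer")
        b = buf[i]
        i += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, i
        shift += 7


def encode_auth(reason, method, data=None):
    """Fixed header, remaining length, reason code, property length, properties."""
    if reason not in VALID_REASONS:
        raise ValueError(f"invalid AUTH reason code {reason:#x}")
    name = method.encode("utf-8")
    props = bytes([PROP_AUTH_METHOD]) + len(name).to_bytes(2, "big") + name
    if data is not None:
        props += bytes([PROP_AUTH_DATA]) + len(data).to_bytes(2, "big") + data
    body = bytes([reason]) + vbi_encode(len(props)) + props
    return bytes([PACKET_AUTH]) + vbi_encode(len(body)) + body


def decode_auth(pkt):
    """Parse one AUTH packet into (reason, method, data); raise on malformed input.

    A success AUTH with no properties may be sent with remaining length 0,
    so a packet with nothing after the fixed header is legal.
    """
    if not pkt or pkt[0] != PACKET_AUTH:
        raise ValueError("not an AUTH packet, or reserved flag bits set")
    remaining, i = vbi_decode(pkt, 1)
    if i + remaining != len(pkt):
        raise ValueError("remaining length does not match packet size")
    if remaining == 0:
        return RC_SUCCESS, None, None
    reason, i = pkt[i], i + 1
    if reason not in VALID_REASONS:
        raise ValueError(f"invalid AUTH reason code {reason:#x}")
    plen, i = vbi_decode(pkt, i)
    if i + plen != len(pkt):
        raise ValueError("property length does not match remaining length")
    method = data = None
    while i < len(pkt):
        pid = pkt[i]
        length = int.from_bytes(pkt[i + 1:i + 3], "big")
        value, i = pkt[i + 3:i + 3 + length], i + 3 + length
        if i > len(pkt):
            raise ValueError("property runs past end of packet")
        if pid == PROP_AUTH_METHOD and method is None:
            method = value.decode("utf-8")
        elif pid == PROP_AUTH_DATA and data is None:
            data = value
        else:
            raise ValueError(f"unexpected or duplicated property {pid:#x}")
    if method is None and reason != RC_SUCCESS:
        raise ValueError("AUTH packet without Authentication Method")
    return reason, method, data


if __name__ == "__main__":
    # Server -> client challenge as in a SCRAM exchange: reason 0x18 plus opaque data.
    pkt = encode_auth(RC_CONTINUE_AUTHENTICATION, "SCRAM-SHA-1", b"server-first-data")
    print(pkt.hex())
    print(decode_auth(pkt))
```

The length checks are the part worth copying: a broker that trusts the remaining length or property length without comparing it to the bytes actually received, or that accepts a duplicated Authentication Method, is handing an unauthenticated peer a parser bug to play with before any credential has been checked.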

Non-normative example of SCRAM authentication

  • Client to server: CONNECT, authentication method = "SCRAM-SHA-1", authentication data = client-first-data
  • Server to client: AUTH, reason code = 0x18 (Continue authentication), authentication method = "SCRAM-SHA-1", authentication data = server-first-data
  • Client to server: AUTH, reason code = 0x18 (Continue authentication), authentication method = "SCRAM-SHA-1", authentication data = client-final-data
  • Server to client: CONNACK, reason code = 0x00 (Success), authentication method = "SCRAM-SHA-1", authentication data = server-final-data
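What each of those four authentication-data values contains, as an added example that is not part of the article or of EMQ's code: a minimal SCRAM-SHA-1 (RFC 5802) implementation of both sides. The user name, password, salt and nonces are constructed test values (real nonces and salts must be random per use), channel binding is not used ("n,," / "c=biws"), and the SCRAM attribute escaping for "," and "=" in user names is omitted. The MQTT framing is not repeated here; each return value is what goes into the Authentication Data property of the CONNECT, AUTH, AUTH and CONNACK packets listed above.

```python
# Added example (not from the article or EMQ): SCRAM-SHA-1 client and server
# producing the four authentication-data values of the exchange above.
import base64
import hashlib
import hmac


def _hmac_sha1(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _fields(msg):
    """Parse SCRAM attribute syntax 'k=v,k=v' into a dict (no escaping handled)."""
    return dict(part.split("=", 1) for part in msg.split(","))


class ScramClient:
    def __init__(self, user, password, nonce):
        self.user, self.password, self.nonce = user, password, nonce

    def client_first(self):
        self.bare = f"n={self.user},r={self.nonce}"
        return ("n,," + self.bare).encode()          # "n,," = no channel binding

    def client_final(self, server_first):
        f = _fields(server_first.decode())
        if not f["r"].startswith(self.nonce):
            raise ValueError("server did not echo our nonce")
        salted = hashlib.pbkdf2_hmac("sha1", self.password.encode(),
                                     base64.b64decode(f["s"]), int(f["i"]))
        client_key = _hmac_sha1(salted, b"Client Key")
        stored_key = hashlib.sha1(client_key).digest()
        without_proof = f"c=biws,r={f['r']}"         # biws = base64("n,,")
        self.auth_msg = f"{self.bare},{server_first.decode()},{without_proof}".encode()
        proof = _xor(client_key, _hmac_sha1(stored_key, self.auth_msg))
        self.server_key = _hmac_sha1(salted, b"Server Key")
        return f"{without_proof},p={base64.b64encode(proof).decode()}".encode()

    def verify_server(self, server_final):
        """Mutual authentication: the server must prove it knows ServerKey."""
        expected = _hmac_sha1(self.server_key, self.auth_msg)
        got = base64.b64decode(_fields(server_final.decode())["v"])
        return hmac.compare_digest(got, expected)


class ScramServer:
    """Stores only salt, iteration count, StoredKey and ServerKey, never the password."""

    def __init__(self, user, password, salt, iterations, nonce):
        salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
        self.user, self.salt, self.iterations, self.nonce = user, salt, iterations, nonce
        self.stored_key = hashlib.sha1(_hmac_sha1(salted, b"Client Key")).digest()
        self.server_key = _hmac_sha1(salted, b"Server Key")

    def server_first(self, client_first):
        self.bare = client_first.decode()[3:]        # drop the "n,," header
        f = _fields(self.bare)
        if f["n"] != self.user:
            raise ValueError("unknown user")
        salt_b64 = base64.b64encode(self.salt).decode()
        self.sfirst = f"r={f['r']}{self.nonce},s={salt_b64},i={self.iterations}"
        return self.sfirst.encode()

    def server_final(self, client_final):
        without_proof, proof_b64 = client_final.decode().rsplit(",p=", 1)
        if _fields(without_proof)["r"] != _fields(self.sfirst)["r"]:
            raise ValueError("nonce mismatch: replayed or altered client-final")
        auth_msg = f"{self.bare},{self.sfirst},{without_proof}".encode()
        client_key = _xor(base64.b64decode(proof_b64), _hmac_sha1(self.stored_key, auth_msg))
        if not hmac.compare_digest(hashlib.sha1(client_key).digest(), self.stored_key):
            return None                              # wrong password: refuse the CONNECT
        return b"v=" + base64.b64encode(_hmac_sha1(self.server_key, auth_msg))


def run_exchange(client_password):
    """Drive the four steps; returns True only if both sides authenticate each other."""
    # Constructed test values; real nonces and salts must be random per use.
    client = ScramClient("device-01", client_password, "cnonce-constructed")
    server = ScramServer("device-01", "correct horse", b"salt-constructed",
                         4096, "snonce-constructed")
    client_first = client.client_first()                  # CONNECT
    server_first = server.server_first(client_first)      # AUTH 0x18
    client_final = client.client_final(server_first)      # AUTH 0x18
    server_final = server.server_final(client_final)      # CONNACK 0x00, or refused
    return server_final is not None and client.verify_server(server_final)


if __name__ == "__main__":
    print("correct password:", run_exchange("correct horse"))   # True
    print("wrong password:", run_exchange("Tr0ub4dor&3"))        # False
```

Two properties of this exchange are what the article's "mutual authentication" claim rests on: the password itself never crosses the wire (only a proof bound to both nonces), and the server's final value proves it holds ServerKey, so a rogue broker that merely echoes the right method name fails the client's verify_server check.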

Non-normative example of Kerberos authentication

  • Client to server: CONNECT, authentication method = "GS2-KRB5"
  • Server to client: AUTH, reason code = 0x18 (Continue authentication), authentication method = "GS2-KRB5"
  • Client to server: AUTH, reason code = 0x18 (Continue authentication), authentication method = "GS2-KRB5", authentication data = initial context token
  • Server to client: AUTH, reason code = 0x18 (Continue authentication), authentication method = "GS2-KRB5", authentication data = reply context token
  • Client to server: AUTH, reason code = 0x18 (Continue authentication), authentication method = "GS2-KRB5"
  • Server to client: CONNACK, reason code = 0x00 (Success), authentication method = "GS2-KRB5", authentication data = outcome of authentication

During enhanced authentication the client and the server exchange authentication data multiple times, and each exchange requires cryptographic processing of the authentication data, so it needs more computing resources and a more stable network. It is therefore not well suited to edge devices with weak computing power and unstable network connections. MQTT servers that support enhanced authentication also need to provision more computing resources to handle a large number of connections.

Re-authentication

After enhanced authentication has completed, the client can initiate re-authentication at any time by sending an AUTH packet (with reason code 0x19, Re-authenticate). Once re-authentication starts, the client and the server exchange authentication data through AUTH packets until the server sends the client an AUTH packet with reason code 0x00 (Success), which indicates that re-authentication succeeded. Note that the authentication method used for re-authentication must be the same as the one used in the original enhanced authentication.

While re-authentication is in progress, other message flows between the client and the server can continue under the previous authentication.

Copyright statement: This article is an EMQ original; please cite the source when reprinting.

Original link: https://www.emqx.io/cn/blog/mqtt5-enhanced-authentication

Origin blog.csdn.net/emqx_broker/article/details/108315224