學術產出-Theses
Article View/Open
Publication Export
-
題名 基於OAuth研製具主題管控能力的MQTT授權機制
An Approach for MQTT Topic Authorization based on OAuth作者 吳少棠
Wu, Shao-Tang貢獻者 廖峻鋒
Liao, Chun-Feng
吳少棠
Wu, Shao-Tang關鍵詞 物聯網
MQTT
OAuth
授權
Internet of Things
MQTT
OAuth
Authorization日期 2023 上傳時間 9-Mar-2023 18:25:10 (UTC+8) 摘要 隨著網路技術與聯網硬體設備的技術提升,物聯網的規模日與俱增,物聯網的資訊安全也漸漸成為嚴重的問題,而目前物聯網最廣泛使用的通訊協定是MQTT(Message Queuing Telemetry Transport )。MQTT目前流行的版本有3.1.1版與5.0版,前者只提供了基礎的username與password驗證,後者則可以實作Challenge-Response風格的驗證,但都沒有提供標準的授權機制。有許多研究便因此試圖透過其他方式處理MQTT的授權,例如著名的授權框架OAuth(Open Authorization),目前最廣泛使用的是OAuth 2.0版,利用OAuth 2.0的Scope授權限制MQTT Client的存取範圍,但目前的研究中,將OAuth 2.0直接套用到MQTT的訂閱機制可能會有授權範圍過於嚴格的問題,以及不易更新Client的權限的問題。因此,本研究提出一個結合OAuth 2.0的MQTT授權機制,並著重於讓訂閱的授權可以較為開放,以及使用簡單的方式更新Client的權限,並實作出授權伺服器、MQTT Broker與MQTT Client來驗證可行性,最後也進行了一系列的實驗,以檢視本論文提出設計的效能,並評估此設計的安全性。
With the advances in computing and network technologies, the scale of the Internet of Things is increasing day by day. Hence, security issues of the Internet of Things are gradually becoming none ignorable issues. Currently, one of the most widely used protocols for Internet of Things integration is MQTT (Message Queuing Telemetry Transport). MQTT’s popular versions are 3.1.1 and 5.0, where the former only provides the basic username and password authentication, and the latter can be implemented as Challenge-Response style authentication. However, current specifications still do not provide a standard authorization mechanism. Therefore, many studies tried to handle MQTT authorization in various ways, including the use of a well-known authorization framework called OAuth (Open Authorization). It restricts MQTT Client access using OAuth 2.0`s Scope authorization. However, in the current study, the direct application of OAuth 2.0 to the MQTT subscription mechanism may have the problem of overly strict authorization scope and the problem of not easily updating the Client`s privileges. Therefore, this study proposes an MQTT authorization mechanism based on OAuth 2.0, and focuses on making the authorization of subscriptions more open, and using a simple way to update the privileges of the Client, and implementing an authorization server, MQTT Broker and MQTT Client to verify the feasibility. Finally, the author performs a series of experiments to examine the performance impact of this framework, and to examine how much this framework improves security. This research has also conducted a series of experiments to examine the performance impact of this architecture, and to examine how much the security of this architecture has improved.參考文獻 [1] M. Rothmuller and S. Barker, “IoT–The Internet of transformation 2020”, Basingstoke, U.K., Apr. 2020.[2] Z. Sheng, H. Wang, C. Yin, X. Hu, S. Yang and V. C. M. Leung, "Lightweight management of resource-constrained sensor devices in the Internet of Things", IEEE Internet Things J., vol. 2, no. 5, pp. 402-411, Oct. 2015.[3] B. Mishra and A. Kertesz, "The Use of MQTT in M2M and IoT Systems: A Survey", IEEE Access, vol. 8, pp. 201071-201086, 2020.[4] T I Skerrett, "Why MQTT Has Become the De-Facto IoT Standard", Oct. 2019, [online] Available: dzone.com/articles/.[5] M. O. Al Enany, H. M. Harb, and G. Attiya, “A Comparative analysis of MQTT and IoT application protocols,” in Proceedings of the 2019 International Conference on Virtual Reality and Intelligent Systems (ICVRISs2021 International Conference on Electronic Engineering (ICEEM), pp. 1–6, Menouf, Egypt, July 2021.[6] D. Happ and A. Wolisz, "Limitations of the pub/sub pattern for cloud based IoT and their implications", Proc. Cloudification Internet Things (CIoT), pp. 1-6, Nov. 2016.[7] H. R. Ghorbani and M. H. Ahmadzadegan, "Security challenges in internet of things: survey", Wireless Sensors (ICWiSe) 2017 IEEE Conference on, pp. 1-6, 2017.[8] "MQTT Version 3.1.1. Edited by Andrew Banks and Rahul Gupta. OASIS Standard", Oct. 2014, [online] Available: http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html.[9] "MQTT Version 5.0. Edited by Andrew Banks, Ed Briggs, Ken Borgendale, and Rahul Gupta. OASIS Standard", 07 March 2019, [online] Available: https://docs.oasis-open.org/mqtt/mqtt/v5.0/os/mqtt-v5.0-os.html.[10] D. Fett, R. Küsters and G. Schmitz, "A comprehensive formal security analysis of OAuth 2.0", Proc. ACM CCS, 2016.[11] P. Fremantle, B. Aziz, J. Kopecký and P. Scott, "Federated Identity and Access Management for the Internet of Things", Proceedings of IEEE International Workshop on Secure Internet of Things (SIoT), pp. 10-17, 2014.[12] M.Michaelides, C.Sengul and P.Patras, "An Experimental Evaluation of MQTT Authentication and Authorization in IoT", Proc. ACM WiNTECH, 2021.[13] D. Hardt, "RFC6749: The OAuth 2.0 Authorization Framework", 2012.[14] A. Niruntasukrat et al., "Authorization mechanism for MQTT-based Internet of Things", IEEE Int. Conf. on Communications Workshops, pp. 290-295, May 2016.[15] O. Yerlikaya and G. Dalkiliç, "Authentication and authorization mechanism on message queue telemetry transport protocol", 3rd international conference on computer science and engineering (UBMK), pp. 145-150, 2018.[16] M. G. Spina, F. D. Rango, G. M. Marotta, "Lightweight Dynamic Topic-Centric End-to-End Security Mechanism for MQTT", IEEE/ACM 25th International Symposium on Distributed Simulation and Real Time Applications (DS-RT), pp. 1-7, Sep 2021.[17] K. M. Dryja; M. Markovic; P. Edwards, "FlyTrap: A Blockchain-based Proxy for Authorisation and Audit of MQTT Connections", pp. 1-8, Dec 2021.[18] P. Colombo and E. Ferrari, "Access control enforcement within mqtt-based internet of things ecosystems", Proceedings of the 23nd ACM on Symposium on Access Control Models and Technologies, pp. 223-234, 2018.[19] C. Sengul et al. 2020. "MQTT-TLS profile of ACE" (draft-ietf-ace-mqtt-tls-profile-04). Internet Draft.[20] J. Richer, "RFC7662: The OAuth 2.0 Token Introspection", 2015. 描述 碩士
國立政治大學
資訊科學系碩士在職專班
109971013資料來源 http://thesis.lib.nccu.edu.tw/record/#G0109971013 資料類型 thesis dc.contributor.advisor 廖峻鋒 zh_TW dc.contributor.advisor Liao, Chun-Feng en_US dc.contributor.author (Authors) 吳少棠 zh_TW dc.contributor.author (Authors) Wu, Shao-Tang en_US dc.creator (作者) 吳少棠 zh_TW dc.creator (作者) Wu, Shao-Tang en_US dc.date (日期) 2023 en_US dc.date.accessioned 9-Mar-2023 18:25:10 (UTC+8) - dc.date.available 9-Mar-2023 18:25:10 (UTC+8) - dc.date.issued (上傳時間) 9-Mar-2023 18:25:10 (UTC+8) - dc.identifier (Other Identifiers) G0109971013 en_US dc.identifier.uri (URI) http://nccur.lib.nccu.edu.tw/handle/140.119/143781 - dc.description (描述) 碩士 zh_TW dc.description (描述) 國立政治大學 zh_TW dc.description (描述) 資訊科學系碩士在職專班 zh_TW dc.description (描述) 109971013 zh_TW dc.description.abstract (摘要) 隨著網路技術與聯網硬體設備的技術提升,物聯網的規模日與俱增,物聯網的資訊安全也漸漸成為嚴重的問題,而目前物聯網最廣泛使用的通訊協定是MQTT(Message Queuing Telemetry Transport )。MQTT目前流行的版本有3.1.1版與5.0版,前者只提供了基礎的username與password驗證,後者則可以實作Challenge-Response風格的驗證,但都沒有提供標準的授權機制。有許多研究便因此試圖透過其他方式處理MQTT的授權,例如著名的授權框架OAuth(Open Authorization),目前最廣泛使用的是OAuth 2.0版,利用OAuth 2.0的Scope授權限制MQTT Client的存取範圍,但目前的研究中,將OAuth 2.0直接套用到MQTT的訂閱機制可能會有授權範圍過於嚴格的問題,以及不易更新Client的權限的問題。因此,本研究提出一個結合OAuth 2.0的MQTT授權機制,並著重於讓訂閱的授權可以較為開放,以及使用簡單的方式更新Client的權限,並實作出授權伺服器、MQTT Broker與MQTT Client來驗證可行性,最後也進行了一系列的實驗,以檢視本論文提出設計的效能,並評估此設計的安全性。 zh_TW dc.description.abstract (摘要) With the advances in computing and network technologies, the scale of the Internet of Things is increasing day by day. Hence, security issues of the Internet of Things are gradually becoming none ignorable issues. Currently, one of the most widely used protocols for Internet of Things integration is MQTT (Message Queuing Telemetry Transport). MQTT’s popular versions are 3.1.1 and 5.0, where the former only provides the basic username and password authentication, and the latter can be implemented as Challenge-Response style authentication. However, current specifications still do not provide a standard authorization mechanism. Therefore, many studies tried to handle MQTT authorization in various ways, including the use of a well-known authorization framework called OAuth (Open Authorization). It restricts MQTT Client access using OAuth 2.0`s Scope authorization. However, in the current study, the direct application of OAuth 2.0 to the MQTT subscription mechanism may have the problem of overly strict authorization scope and the problem of not easily updating the Client`s privileges. Therefore, this study proposes an MQTT authorization mechanism based on OAuth 2.0, and focuses on making the authorization of subscriptions more open, and using a simple way to update the privileges of the Client, and implementing an authorization server, MQTT Broker and MQTT Client to verify the feasibility. Finally, the author performs a series of experiments to examine the performance impact of this framework, and to examine how much this framework improves security. This research has also conducted a series of experiments to examine the performance impact of this architecture, and to examine how much the security of this architecture has improved. en_US dc.description.tableofcontents 摘要 IABSTRACT II圖目錄 V表目錄 VI第一章 緒論 11.1 研究背景 11.2 研究動機 21.3 研究貢獻 41.4 論文架構 5第二章 技術背景與文獻探討 62.1 MQTT協定 62.1.1 MQTT的驗證與授權機制 72.1.2 TOPIC FILTER(主題過濾器) 82.2 OAUTH 2.0 92.3 REGULAR EXPRESSION(正則表示式) 102.4 相關文獻探討 11第三章 系統設計 133.1 系統架構說明 133.1.1 系統架構 133.1.2 TOPIC SCOPE簡化機制 153.2 精細的授權範圍控制機制 163.2.1 連線階段 163.2.2 發佈流程 183.2.3 訂閱流程 193.3 自動化的OAUTH授權範圍更新機制 22第四章 系統實作 244.1 開發環境 244.2 註冊流程 244.2.1 資料結構 244.2.2 註冊MQTT BROKER 254.2.3 註冊MQTT CLIENT 264.3 實作精細的授權範圍控制機制 324.4 實作更新授權範圍機制 34第五章 系統評估 375.1 實驗總覽 375.2 案例研討 385.2.1 太陽能案場閘道器訂閱控管 385.2.2 太陽能案場閘道器授權範圍更新 405.3 效能測試 425.3.1 CPU使用量測試 425.3.2 記憶體使用量測試 435.3.3 流量測試 435.3.4 延遲測試 455.4 安全性評估 465.4.1 限制設備存取 465.4.2 防範猜測密碼攻擊 465.4.3 防範REPLAY攻擊 475.4.4 防範使用者假冒攻擊 475.5 研究限制 475.6 討論 48第六章 結論 49參考文獻 50 zh_TW dc.format.extent 2484004 bytes - dc.format.mimetype application/pdf - dc.source.uri (資料來源) http://thesis.lib.nccu.edu.tw/record/#G0109971013 en_US dc.subject (關鍵詞) 物聯網 zh_TW dc.subject (關鍵詞) MQTT zh_TW dc.subject (關鍵詞) OAuth zh_TW dc.subject (關鍵詞) 授權 zh_TW dc.subject (關鍵詞) Internet of Things en_US dc.subject (關鍵詞) MQTT en_US dc.subject (關鍵詞) OAuth en_US dc.subject (關鍵詞) Authorization en_US dc.title (題名) 基於OAuth研製具主題管控能力的MQTT授權機制 zh_TW dc.title (題名) An Approach for MQTT Topic Authorization based on OAuth en_US dc.type (資料類型) thesis en_US dc.relation.reference (參考文獻) [1] M. Rothmuller and S. Barker, “IoT–The Internet of transformation 2020”, Basingstoke, U.K., Apr. 2020.[2] Z. Sheng, H. Wang, C. Yin, X. Hu, S. Yang and V. C. M. Leung, "Lightweight management of resource-constrained sensor devices in the Internet of Things", IEEE Internet Things J., vol. 2, no. 5, pp. 402-411, Oct. 2015.[3] B. Mishra and A. Kertesz, "The Use of MQTT in M2M and IoT Systems: A Survey", IEEE Access, vol. 8, pp. 201071-201086, 2020.[4] T I Skerrett, "Why MQTT Has Become the De-Facto IoT Standard", Oct. 2019, [online] Available: dzone.com/articles/.[5] M. O. Al Enany, H. M. Harb, and G. Attiya, “A Comparative analysis of MQTT and IoT application protocols,” in Proceedings of the 2019 International Conference on Virtual Reality and Intelligent Systems (ICVRISs2021 International Conference on Electronic Engineering (ICEEM), pp. 1–6, Menouf, Egypt, July 2021.[6] D. Happ and A. Wolisz, "Limitations of the pub/sub pattern for cloud based IoT and their implications", Proc. Cloudification Internet Things (CIoT), pp. 1-6, Nov. 2016.[7] H. R. Ghorbani and M. H. Ahmadzadegan, "Security challenges in internet of things: survey", Wireless Sensors (ICWiSe) 2017 IEEE Conference on, pp. 1-6, 2017.[8] "MQTT Version 3.1.1. Edited by Andrew Banks and Rahul Gupta. OASIS Standard", Oct. 2014, [online] Available: http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html.[9] "MQTT Version 5.0. Edited by Andrew Banks, Ed Briggs, Ken Borgendale, and Rahul Gupta. OASIS Standard", 07 March 2019, [online] Available: https://docs.oasis-open.org/mqtt/mqtt/v5.0/os/mqtt-v5.0-os.html.[10] D. Fett, R. Küsters and G. Schmitz, "A comprehensive formal security analysis of OAuth 2.0", Proc. ACM CCS, 2016.[11] P. Fremantle, B. Aziz, J. Kopecký and P. Scott, "Federated Identity and Access Management for the Internet of Things", Proceedings of IEEE International Workshop on Secure Internet of Things (SIoT), pp. 10-17, 2014.[12] M.Michaelides, C.Sengul and P.Patras, "An Experimental Evaluation of MQTT Authentication and Authorization in IoT", Proc. ACM WiNTECH, 2021.[13] D. Hardt, "RFC6749: The OAuth 2.0 Authorization Framework", 2012.[14] A. Niruntasukrat et al., "Authorization mechanism for MQTT-based Internet of Things", IEEE Int. Conf. on Communications Workshops, pp. 290-295, May 2016.[15] O. Yerlikaya and G. Dalkiliç, "Authentication and authorization mechanism on message queue telemetry transport protocol", 3rd international conference on computer science and engineering (UBMK), pp. 145-150, 2018.[16] M. G. Spina, F. D. Rango, G. M. Marotta, "Lightweight Dynamic Topic-Centric End-to-End Security Mechanism for MQTT", IEEE/ACM 25th International Symposium on Distributed Simulation and Real Time Applications (DS-RT), pp. 1-7, Sep 2021.[17] K. M. Dryja; M. Markovic; P. Edwards, "FlyTrap: A Blockchain-based Proxy for Authorisation and Audit of MQTT Connections", pp. 1-8, Dec 2021.[18] P. Colombo and E. Ferrari, "Access control enforcement within mqtt-based internet of things ecosystems", Proceedings of the 23nd ACM on Symposium on Access Control Models and Technologies, pp. 223-234, 2018.[19] C. Sengul et al. 2020. "MQTT-TLS profile of ACE" (draft-ietf-ace-mqtt-tls-profile-04). Internet Draft.[20] J. Richer, "RFC7662: The OAuth 2.0 Token Introspection", 2015. zh_TW
