學術產出-學位論文

文章檢視/開啟

書目匯出

Google ScholarTM

政大圖書館

引文資訊

TAIR相關學術產出

題名 基於OAuth研製具主題管控能力的MQTT授權機制
An Approach for MQTT Topic Authorization based on OAuth
作者 吳少棠
Wu, Shao-Tang
貢獻者 廖峻鋒
Liao, Chun-Feng
吳少棠
Wu, Shao-Tang
關鍵詞 物聯網
MQTT
OAuth
授權
Internet of Things
MQTT
OAuth
Authorization
日期 2023
上傳時間 9-三月-2023 18:25:10 (UTC+8)
摘要 隨著網路技術與聯網硬體設備的技術提升,物聯網的規模日與俱增,物聯網的資訊安全也漸漸成為嚴重的問題,而目前物聯網最廣泛使用的通訊協定是MQTT(Message Queuing Telemetry Transport )。MQTT目前流行的版本有3.1.1版與5.0版,前者只提供了基礎的username與password驗證,後者則可以實作Challenge-Response風格的驗證,但都沒有提供標準的授權機制。有許多研究便因此試圖透過其他方式處理MQTT的授權,例如著名的授權框架OAuth(Open Authorization),目前最廣泛使用的是OAuth 2.0版,利用OAuth 2.0的Scope授權限制MQTT Client的存取範圍,但目前的研究中,將OAuth 2.0直接套用到MQTT的訂閱機制可能會有授權範圍過於嚴格的問題,以及不易更新Client的權限的問題。因此,本研究提出一個結合OAuth 2.0的MQTT授權機制,並著重於讓訂閱的授權可以較為開放,以及使用簡單的方式更新Client的權限,並實作出授權伺服器、MQTT Broker與MQTT Client來驗證可行性,最後也進行了一系列的實驗,以檢視本論文提出設計的效能,並評估此設計的安全性。
With the advances in computing and network technologies, the scale of the Internet of Things is increasing day by day. Hence, security issues of the Internet of Things are gradually becoming none ignorable issues. Currently, one of the most widely used protocols for Internet of Things integration is MQTT (Message Queuing Telemetry Transport). MQTT’s popular versions are 3.1.1 and 5.0, where the former only provides the basic username and password authentication, and the latter can be implemented as Challenge-Response style authentication. However, current specifications still do not provide a standard authorization mechanism. Therefore, many studies tried to handle MQTT authorization in various ways, including the use of a well-known authorization framework called OAuth (Open Authorization). It restricts MQTT Client access using OAuth 2.0`s Scope authorization. However, in the current study, the direct application of OAuth 2.0 to the MQTT subscription mechanism may have the problem of overly strict authorization scope and the problem of not easily updating the Client`s privileges. Therefore, this study proposes an MQTT authorization mechanism based on OAuth 2.0, and focuses on making the authorization of subscriptions more open, and using a simple way to update the privileges of the Client, and implementing an authorization server, MQTT Broker and MQTT Client to verify the feasibility. Finally, the author performs a series of experiments to examine the performance impact of this framework, and to examine how much this framework improves security. This research has also conducted a series of experiments to examine the performance impact of this architecture, and to examine how much the security of this architecture has improved.
參考文獻 [1] M. Rothmuller and S. Barker, “IoT–The Internet of transformation 2020”, Basingstoke, U.K., Apr. 2020.
[2] Z. Sheng, H. Wang, C. Yin, X. Hu, S. Yang and V. C. M. Leung, "Lightweight management of resource-constrained sensor devices in the Internet of Things", IEEE Internet Things J., vol. 2, no. 5, pp. 402-411, Oct. 2015.
[3] B. Mishra and A. Kertesz, "The Use of MQTT in M2M and IoT Systems: A Survey", IEEE Access, vol. 8, pp. 201071-201086, 2020.
[4] T I Skerrett, "Why MQTT Has Become the De-Facto IoT Standard", Oct. 2019, [online] Available: dzone.com/articles/.
[5] M. O. Al Enany, H. M. Harb, and G. Attiya, “A Comparative analysis of MQTT and IoT application protocols,” in Proceedings of the 2019 International Conference on Virtual Reality and Intelligent Systems (ICVRISs2021 International Conference on Electronic Engineering (ICEEM), pp. 1–6, Menouf, Egypt, July 2021.
[6] D. Happ and A. Wolisz, "Limitations of the pub/sub pattern for cloud based IoT and their implications", Proc. Cloudification Internet Things (CIoT), pp. 1-6, Nov. 2016.
[7] H. R. Ghorbani and M. H. Ahmadzadegan, "Security challenges in internet of things: survey", Wireless Sensors (ICWiSe) 2017 IEEE Conference on, pp. 1-6, 2017.
[8] "MQTT Version 3.1.1. Edited by Andrew Banks and Rahul Gupta. OASIS Standard", Oct. 2014, [online] Available: http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html.
[9] "MQTT Version 5.0. Edited by Andrew Banks, Ed Briggs, Ken Borgendale, and Rahul Gupta. OASIS Standard", 07 March 2019, [online] Available: https://docs.oasis-open.org/mqtt/mqtt/v5.0/os/mqtt-v5.0-os.html.
[10] D. Fett, R. Küsters and G. Schmitz, "A comprehensive formal security analysis of OAuth 2.0", Proc. ACM CCS, 2016.
[11] P. Fremantle, B. Aziz, J. Kopecký and P. Scott, "Federated Identity and Access Management for the Internet of Things", Proceedings of IEEE International Workshop on Secure Internet of Things (SIoT), pp. 10-17, 2014.
[12] M.Michaelides, C.Sengul and P.Patras, "An Experimental Evaluation of MQTT Authentication and Authorization in IoT", Proc. ACM WiNTECH, 2021.
[13] D. Hardt, "RFC6749: The OAuth 2.0 Authorization Framework", 2012.
[14] A. Niruntasukrat et al., "Authorization mechanism for MQTT-based Internet of Things", IEEE Int. Conf. on Communications Workshops, pp. 290-295, May 2016.
[15] O. Yerlikaya and G. Dalkiliç, "Authentication and authorization mechanism on message queue telemetry transport protocol", 3rd international conference on computer science and engineering (UBMK), pp. 145-150, 2018.
[16] M. G. Spina, F. D. Rango, G. M. Marotta, "Lightweight Dynamic Topic-Centric End-to-End Security Mechanism for MQTT", IEEE/ACM 25th International Symposium on Distributed Simulation and Real Time Applications (DS-RT), pp. 1-7, Sep 2021.
[17] K. M. Dryja; M. Markovic; P. Edwards, "FlyTrap: A Blockchain-based Proxy for Authorisation and Audit of MQTT Connections", pp. 1-8, Dec 2021.
[18] P. Colombo and E. Ferrari, "Access control enforcement within mqtt-based internet of things ecosystems", Proceedings of the 23nd ACM on Symposium on Access Control Models and Technologies, pp. 223-234, 2018.
[19] C. Sengul et al. 2020. "MQTT-TLS profile of ACE" (draft-ietf-ace-mqtt-tls-profile-04). Internet Draft.
[20] J. Richer, "RFC7662: The OAuth 2.0 Token Introspection", 2015.
描述 碩士
國立政治大學
資訊科學系碩士在職專班
109971013
資料來源 http://thesis.lib.nccu.edu.tw/record/#G0109971013
資料類型 thesis
dc.contributor.advisor 廖峻鋒zh_TW
dc.contributor.advisor Liao, Chun-Fengen_US
dc.contributor.author (作者) 吳少棠zh_TW
dc.contributor.author (作者) Wu, Shao-Tangen_US
dc.creator (作者) 吳少棠zh_TW
dc.creator (作者) Wu, Shao-Tangen_US
dc.date (日期) 2023en_US
dc.date.accessioned 9-三月-2023 18:25:10 (UTC+8)-
dc.date.available 9-三月-2023 18:25:10 (UTC+8)-
dc.date.issued (上傳時間) 9-三月-2023 18:25:10 (UTC+8)-
dc.identifier (其他 識別碼) G0109971013en_US
dc.identifier.uri (URI) http://nccur.lib.nccu.edu.tw/handle/140.119/143781-
dc.description (描述) 碩士zh_TW
dc.description (描述) 國立政治大學zh_TW
dc.description (描述) 資訊科學系碩士在職專班zh_TW
dc.description (描述) 109971013zh_TW
dc.description.abstract (摘要) 隨著網路技術與聯網硬體設備的技術提升,物聯網的規模日與俱增,物聯網的資訊安全也漸漸成為嚴重的問題,而目前物聯網最廣泛使用的通訊協定是MQTT(Message Queuing Telemetry Transport )。MQTT目前流行的版本有3.1.1版與5.0版,前者只提供了基礎的username與password驗證,後者則可以實作Challenge-Response風格的驗證,但都沒有提供標準的授權機制。有許多研究便因此試圖透過其他方式處理MQTT的授權,例如著名的授權框架OAuth(Open Authorization),目前最廣泛使用的是OAuth 2.0版,利用OAuth 2.0的Scope授權限制MQTT Client的存取範圍,但目前的研究中,將OAuth 2.0直接套用到MQTT的訂閱機制可能會有授權範圍過於嚴格的問題,以及不易更新Client的權限的問題。因此,本研究提出一個結合OAuth 2.0的MQTT授權機制,並著重於讓訂閱的授權可以較為開放,以及使用簡單的方式更新Client的權限,並實作出授權伺服器、MQTT Broker與MQTT Client來驗證可行性,最後也進行了一系列的實驗,以檢視本論文提出設計的效能,並評估此設計的安全性。zh_TW
dc.description.abstract (摘要) With the advances in computing and network technologies, the scale of the Internet of Things is increasing day by day. Hence, security issues of the Internet of Things are gradually becoming none ignorable issues. Currently, one of the most widely used protocols for Internet of Things integration is MQTT (Message Queuing Telemetry Transport). MQTT’s popular versions are 3.1.1 and 5.0, where the former only provides the basic username and password authentication, and the latter can be implemented as Challenge-Response style authentication. However, current specifications still do not provide a standard authorization mechanism. Therefore, many studies tried to handle MQTT authorization in various ways, including the use of a well-known authorization framework called OAuth (Open Authorization). It restricts MQTT Client access using OAuth 2.0`s Scope authorization. However, in the current study, the direct application of OAuth 2.0 to the MQTT subscription mechanism may have the problem of overly strict authorization scope and the problem of not easily updating the Client`s privileges. Therefore, this study proposes an MQTT authorization mechanism based on OAuth 2.0, and focuses on making the authorization of subscriptions more open, and using a simple way to update the privileges of the Client, and implementing an authorization server, MQTT Broker and MQTT Client to verify the feasibility. Finally, the author performs a series of experiments to examine the performance impact of this framework, and to examine how much this framework improves security. This research has also conducted a series of experiments to examine the performance impact of this architecture, and to examine how much the security of this architecture has improved.en_US
dc.description.tableofcontents 摘要 I
ABSTRACT II
圖目錄 V
表目錄 VI
第一章 緒論 1
1.1 研究背景 1
1.2 研究動機 2
1.3 研究貢獻 4
1.4 論文架構 5
第二章 技術背景與文獻探討 6
2.1 MQTT協定 6
2.1.1 MQTT的驗證與授權機制 7
2.1.2 TOPIC FILTER(主題過濾器) 8
2.2 OAUTH 2.0 9
2.3 REGULAR EXPRESSION(正則表示式) 10
2.4 相關文獻探討 11
第三章 系統設計 13
3.1 系統架構說明 13
3.1.1 系統架構 13
3.1.2 TOPIC SCOPE簡化機制 15
3.2 精細的授權範圍控制機制 16
3.2.1 連線階段 16
3.2.2 發佈流程 18
3.2.3 訂閱流程 19
3.3 自動化的OAUTH授權範圍更新機制 22
第四章 系統實作 24
4.1 開發環境 24
4.2 註冊流程 24
4.2.1 資料結構 24
4.2.2 註冊MQTT BROKER 25
4.2.3 註冊MQTT CLIENT 26
4.3 實作精細的授權範圍控制機制 32
4.4 實作更新授權範圍機制 34
第五章 系統評估 37
5.1 實驗總覽 37
5.2 案例研討 38
5.2.1 太陽能案場閘道器訂閱控管 38
5.2.2 太陽能案場閘道器授權範圍更新 40
5.3 效能測試 42
5.3.1 CPU使用量測試 42
5.3.2 記憶體使用量測試 43
5.3.3 流量測試 43
5.3.4 延遲測試 45
5.4 安全性評估 46
5.4.1 限制設備存取 46
5.4.2 防範猜測密碼攻擊 46
5.4.3 防範REPLAY攻擊 47
5.4.4 防範使用者假冒攻擊 47
5.5 研究限制 47
5.6 討論 48
第六章 結論 49
參考文獻 50
zh_TW
dc.format.extent 2484004 bytes-
dc.format.mimetype application/pdf-
dc.source.uri (資料來源) http://thesis.lib.nccu.edu.tw/record/#G0109971013en_US
dc.subject (關鍵詞) 物聯網zh_TW
dc.subject (關鍵詞) MQTTzh_TW
dc.subject (關鍵詞) OAuthzh_TW
dc.subject (關鍵詞) 授權zh_TW
dc.subject (關鍵詞) Internet of Thingsen_US
dc.subject (關鍵詞) MQTTen_US
dc.subject (關鍵詞) OAuthen_US
dc.subject (關鍵詞) Authorizationen_US
dc.title (題名) 基於OAuth研製具主題管控能力的MQTT授權機制zh_TW
dc.title (題名) An Approach for MQTT Topic Authorization based on OAuthen_US
dc.type (資料類型) thesisen_US
dc.relation.reference (參考文獻) [1] M. Rothmuller and S. Barker, “IoT–The Internet of transformation 2020”, Basingstoke, U.K., Apr. 2020.
[2] Z. Sheng, H. Wang, C. Yin, X. Hu, S. Yang and V. C. M. Leung, "Lightweight management of resource-constrained sensor devices in the Internet of Things", IEEE Internet Things J., vol. 2, no. 5, pp. 402-411, Oct. 2015.
[3] B. Mishra and A. Kertesz, "The Use of MQTT in M2M and IoT Systems: A Survey", IEEE Access, vol. 8, pp. 201071-201086, 2020.
[4] T I Skerrett, "Why MQTT Has Become the De-Facto IoT Standard", Oct. 2019, [online] Available: dzone.com/articles/.
[5] M. O. Al Enany, H. M. Harb, and G. Attiya, “A Comparative analysis of MQTT and IoT application protocols,” in Proceedings of the 2019 International Conference on Virtual Reality and Intelligent Systems (ICVRISs2021 International Conference on Electronic Engineering (ICEEM), pp. 1–6, Menouf, Egypt, July 2021.
[6] D. Happ and A. Wolisz, "Limitations of the pub/sub pattern for cloud based IoT and their implications", Proc. Cloudification Internet Things (CIoT), pp. 1-6, Nov. 2016.
[7] H. R. Ghorbani and M. H. Ahmadzadegan, "Security challenges in internet of things: survey", Wireless Sensors (ICWiSe) 2017 IEEE Conference on, pp. 1-6, 2017.
[8] "MQTT Version 3.1.1. Edited by Andrew Banks and Rahul Gupta. OASIS Standard", Oct. 2014, [online] Available: http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html.
[9] "MQTT Version 5.0. Edited by Andrew Banks, Ed Briggs, Ken Borgendale, and Rahul Gupta. OASIS Standard", 07 March 2019, [online] Available: https://docs.oasis-open.org/mqtt/mqtt/v5.0/os/mqtt-v5.0-os.html.
[10] D. Fett, R. Küsters and G. Schmitz, "A comprehensive formal security analysis of OAuth 2.0", Proc. ACM CCS, 2016.
[11] P. Fremantle, B. Aziz, J. Kopecký and P. Scott, "Federated Identity and Access Management for the Internet of Things", Proceedings of IEEE International Workshop on Secure Internet of Things (SIoT), pp. 10-17, 2014.
[12] M.Michaelides, C.Sengul and P.Patras, "An Experimental Evaluation of MQTT Authentication and Authorization in IoT", Proc. ACM WiNTECH, 2021.
[13] D. Hardt, "RFC6749: The OAuth 2.0 Authorization Framework", 2012.
[14] A. Niruntasukrat et al., "Authorization mechanism for MQTT-based Internet of Things", IEEE Int. Conf. on Communications Workshops, pp. 290-295, May 2016.
[15] O. Yerlikaya and G. Dalkiliç, "Authentication and authorization mechanism on message queue telemetry transport protocol", 3rd international conference on computer science and engineering (UBMK), pp. 145-150, 2018.
[16] M. G. Spina, F. D. Rango, G. M. Marotta, "Lightweight Dynamic Topic-Centric End-to-End Security Mechanism for MQTT", IEEE/ACM 25th International Symposium on Distributed Simulation and Real Time Applications (DS-RT), pp. 1-7, Sep 2021.
[17] K. M. Dryja; M. Markovic; P. Edwards, "FlyTrap: A Blockchain-based Proxy for Authorisation and Audit of MQTT Connections", pp. 1-8, Dec 2021.
[18] P. Colombo and E. Ferrari, "Access control enforcement within mqtt-based internet of things ecosystems", Proceedings of the 23nd ACM on Symposium on Access Control Models and Technologies, pp. 223-234, 2018.
[19] C. Sengul et al. 2020. "MQTT-TLS profile of ACE" (draft-ietf-ace-mqtt-tls-profile-04). Internet Draft.
[20] J. Richer, "RFC7662: The OAuth 2.0 Token Introspection", 2015.
zh_TW