Security is complex and requires manufacturers building IoT devices to carefully analyze all software/hardware components in the solution.
Some time ago, a DEFCON paper uncovered a huge number of unprotected MQTT brokers on the Internet. Unprotected brokers, combined with the openness of the MQTT protocol, in which one can use wildcard subscriptions to receive every message published via the broker, make this a major security concern.
There have been discussions on the Internet regarding the DEFCON paper, in which some IoT service providers argued that MQTT must be used in combination with X.509 certificate authentication. Some IoT service providers also promote, or even require, client-side X.509 certificate authentication. However, client-side X.509 certificate authentication is not always the best choice. In this article we will explore some of the issues with client-side X.509 certificate authentication and consider when other authentication types, such as username/password, may be a better choice.
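To make the wildcard-subscription concern concrete, here is an added example (written for this article, not code from the DEFCON paper or from any broker) of MQTT topic-filter matching together with a broker-side check that a client's requested filter stays inside the subtree its ACL grants. The ACL table, client ids and topic names are constructed for illustration.

```python
# Added example: MQTT 3.1.1 topic-filter matching plus a broker-side
# subscription authorization check. ACL entries and topic names are
# constructed samples, not taken from any real deployment.

def topic_matches(filter_: str, topic: str) -> bool:
    """True if `topic` matches the subscription `filter_` under MQTT rules:
    '+' matches exactly one level, '#' (valid only as the last level) matches
    any number of trailing levels including none, and a filter that starts
    with a wildcard never matches '$'-prefixed topics such as $SYS/..."""
    f, t = filter_.split("/"), topic.split("/")
    if topic.startswith("$") and f[0] in ("+", "#"):
        return False
    for i, level in enumerate(f):
        if level == "#":
            return i == len(f) - 1
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(f) == len(t)


def filter_covered(allowed: str, requested: str) -> bool:
    """True if every topic `requested` could match is also matched by
    `allowed`, i.e. the requested filter is no broader than the granted one."""
    a, r = allowed.split("/"), requested.split("/")
    for i, level in enumerate(r):
        if i >= len(a):
            return False        # allowed is fixed-depth, requested goes deeper
        if a[i] == "#":
            return True         # everything from this level down is granted
        if level == "#":
            return False        # requested wants all sublevels, allowed does not
        if level == "+" and a[i] != "+":
            return False        # requested is wider at this level
        if level != "+" and a[i] != "+" and a[i] != level:
            return False        # different literal level
    rest = a[len(r):]
    return rest == [] or rest == ["#"]   # 'x/#' also matches 'x' itself


# Constructed ACL: each authenticated client may only subscribe to its own subtree.
ACL = {
    "sensor-0042": ["devices/sensor-0042/#"],
    "dashboard-1": ["devices/+/status"],
}


def authorize_subscriptions(client_id, requested):
    """Per-filter decision. An unauthenticated client (None) has no grants,
    so a bare '#' subscription from an anonymous session is always refused."""
    grants = ACL.get(client_id, [])
    return {flt: any(filter_covered(a, flt) for a in grants) for flt in requested}
```

A broker that performs no such check, and accepts anonymous connections, hands every published message to anyone who subscribes to `#`.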
What is X.509 certificate authentication?
In cryptography, X.509 is an important standard for a public key infrastructure (PKI) that manages digital certificates and their associated public keys for asymmetric (public-key) encryption. X.509 is a key component of the Transport Layer Security (TLS/SSL) protocol, a security layer used to secure many IoT protocols.
The TLS protocol requires the server to have an X.509 certificate; a certificate is optional for the client. The server certificate lets the client authenticate the server and lets the TLS protocol set up a secure (encrypted) communication channel with the server. A client certificate additionally lets the server authenticate the client. This is known as mutual authentication: the client authenticates the server (required) and the server authenticates the client (optional). (For an introduction to X.509 certificate authentication, see Real Time Logic's Certificate Management for Embedded Systems whitepaper.)
Continue reading on EE Times' sister site, Embedded.com.