Abstract

Owing to its lightweight and easiness, the message queue telemetry transport (MQTT) has become one of the most popular communication protocols in the internet-of-things (IoT). However, the security supports in the MQTT are very weak. In this paper, we systematically examine the security requirements of a MQTT-based IoT system, identify the gap between the requirements and the supported functions, and design a security-enhanced MQTT framework. The framework facilitates device authentication, key agreement, and policy authorisation. Additionally, it is desirable that any MQTT-security enhancements should be compatible with existent MQTT Application Programming Interfaces (API). We propose a two-phase authentication approach that can smoothly integrate secure key agreement schemes with the current MQTT-API. To evaluate its effectiveness and efficiency, we implement prototype. Compared to its counterparts, the results show the merits of improved communication performance, MQTT-API compliance, and security robustness.