
How should I authenticate my device? I have an Arduino Yun, running a "daemon" on the OpenWRT side. The daemon reads commands from my message broker, executes them, and returns the value.

Before communicating with the broker, the device should be authenticated (I believe). What is the right flow?

Do I even need to authenticate it? If the broker credentials are embedded in the device, I maybe wouldn't need to do so. But I am not quite sure.


MQTT supports username/password authentication and client side certificates to authenticate the client to the broker.

Using certificates also lets you verify that the broker is not being impersonated, if you use certificate pinning.

hardillb
  • Beware that these schemes usually don't protect against an originally authentic but now compromised client box spying on traffic intended for other clients owned by other users. – Chris Stratton Jun 04 '18 at 18:41
  • 1
    No, but a well built topic tree and an ACL will ensure a compromised client can only see traffic meant for that client, and the ability to revoke a certificate will cut it off. Keys/certs should be kept in a secure element where possible – hardillb Jun 04 '18 at 18:43
  • I believe you need to use a plugin to provide such segregation - it's not one of the designed capabilities unfortunately. In terms of keys, it doesn't really matter if they're in a secure element - they need to be unique per instance of the client, and pretty much the entire capability of the client is attack surface by which someone could potentially make the client use its key for a purpose unintended by the manufacturer, so instead of relying on preventing that, you have to limit what a key can do. – Chris Stratton Jun 04 '18 at 18:46
  • No plugin needed for anything I've described (but the mosquitto plugin can make managing things easier). And yes, a tightly bound ACL linked to the cert/key identity is the right way forward, but as the question was incredibly vague a high level answer was probably good enough. Feel free to add your own if you want. – hardillb Jun 04 '18 at 18:50
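The following is an added example, not code from the answer, the commenters or any broker project. It models, in plain Python so it runs offline, the broker-side check that the answer and comments describe: the client authenticates with a TLS client certificate, the broker takes the certificate's CN as the client's identity, and a per-identity ACL confines that identity to its own subtree of a deliberately structured topic tree. The device name `yun-01`, the topic layout `devices/<cn>/cmd` and `devices/<cn>/result`, the `users/...` space and every request in the demo are constructed for illustration; the ACL syntax (`%u` substituted with the authenticated username) mirrors Mosquitto's `pattern` rules, but the matching code here is the example's own, not Mosquitto's.

```python
"""Added example: per-device ACL over a structured MQTT topic tree.

Assumed broker setup (Mosquitto-style, not stated on the page):
  listener 8883
  cafile /etc/mosquitto/ca.crt        # CA that issued the device certs
  certfile /etc/mosquitto/broker.crt
  keyfile /etc/mosquitto/broker.key
  require_certificate true            # reject clients without a cert
  use_identity_as_username true       # cert CN becomes the username
  acl_file /etc/mosquitto/acl
and an ACL file whose `pattern` rules are reproduced in ACL_PATTERNS.
"""

# ACL rules: (access, topic filter). `%u` is replaced with the
# authenticated identity (the certificate CN) before matching.
ACL_PATTERNS = [
    ("read", "devices/%u/cmd"),      # device may subscribe to its own commands
    ("write", "devices/%u/result"),  # device may publish its own results
]


def filter_covered(allowed: str, requested: str) -> bool:
    """True if every topic matched by `requested` is also matched by `allowed`.

    MQTT wildcards: '+' matches exactly one level, '#' matches the rest.
    Checking the whole subscription filter (not just one topic) is what
    stops a client from subscribing to 'devices/+/cmd' or '#'.
    """
    a = allowed.split("/")
    r = requested.split("/")
    for i, ap in enumerate(a):
        if ap == "#":
            return True              # allowed grants everything below here
        if i >= len(r):
            return False             # requested filter is shorter than allowed
        rp = r[i]
        if rp == "#":
            return False             # requested wants more than allowed grants
        if rp == "+":
            if ap != "+":
                return False         # requested is broader at this level
        elif ap != "+" and ap != rp:
            return False             # literal levels differ
    return len(a) == len(r)


def acl_check(identity: str, access: str, topic: str) -> bool:
    """Decide whether `identity` may `access` ('read'/'write') `topic`.

    `identity` is the CN the TLS layer already verified against the CA;
    this function never trusts a client-supplied username.
    """
    # A CN containing topic syntax could expand a pattern into a wildcard
    # ('devices/evil/#/cmd'), so refuse it outright rather than match it.
    if not identity or any(c in identity for c in "/+#"):
        return False
    # Publish topics must be literal; wildcards are only legal in filters.
    if access == "write" and ("+" in topic or "#" in topic):
        return False
    for acl_access, pattern in ACL_PATTERNS:
        if acl_access != access:
            continue
        if filter_covered(pattern.replace("%u", identity), topic):
            return True
    return False


def evaluate(identity: str, attempts):
    """Run a list of (access, topic) requests for one identity.

    Returns [(access, topic, allowed), ...] so the caller can see exactly
    what a compromised client holding this identity's key could reach.
    """
    return [(acc, top, acl_check(identity, acc, top)) for acc, top in attempts]


# Constructed sample: what a compromised 'yun-01' tries after being
# taken over, beyond its legitimate command/result topics.
COMPROMISED_ATTEMPTS = [
    ("read", "devices/yun-01/cmd"),     # legitimate
    ("write", "devices/yun-01/result"),  # legitimate
    ("read", "devices/yun-02/cmd"),      # another user's device
    ("read", "devices/+/cmd"),           # every device's commands
    ("read", "#"),                       # everything on the broker
    ("write", "devices/yun-02/cmd"),     # inject commands into a peer
    ("read", "users/alice/notifications"),
]

if __name__ == "__main__":
    for access, topic, ok in evaluate("yun-01", COMPROMISED_ATTEMPTS):
        print(f"{'ALLOW' if ok else 'DENY ':5} {access:5} {topic}")
```

The point of `filter_covered` is that the check is applied to the subscription filter the client asked for, not to each message as it arrives: a client that holds the `yun-01` key can read `devices/yun-01/cmd` and nothing wider, so Chris Stratton's compromised box cannot spy on other owners' traffic, and revoking that one certificate (or removing its ACL entry) cuts it off without touching anyone else. The identity guard matters because the CA, not the device, decides what goes in the CN; if the CA ever issued a CN with `/`, `+` or `#` in it, the pattern expansion would otherwise hand out a wildcard.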