
Research On Key Technology Of Zero-Trust-Oriented MQTT Security

Posted on: 2021-03-20
Degree: Master
Type: Thesis
Country: China
Candidate: Z C Gu
Full Text: PDF
GTID: 2428330647957281
Subject: Computer technology

Abstract/Summary:
The Message Queuing Telemetry Transport (MQTT) protocol has been widely used in recent years in medical, industrial, home and other intelligent fields, as well as in instant messaging and social networks, with the rapid development of the IoT, and serves as the mainstream protocol for IoT communication. MQTT's lightweight design, decoupled pub/sub paradigm and deployment on constrained devices pose challenges to implementing the protocol securely. Research on the security of MQTT communication networks has therefore become a current research hotspot. Existing security solutions are usually based on the traditional perimeter network security model: they grant implicit trust to the MQTT message distribution center, the broker, and lack traffic inspection of pub/sub messages from legitimate devices inside the network, which limits their protective effectiveness in enterprise networks with prominent internal threats and deep cloud service use. Based on an in-depth study of the security threats in the MQTT application field and an analysis of the security requirements of MQTT communication networks, this thesis proposes a more efficient lightweight security solution guided by zero trust network security strategies and methods. The main research content comprises the following five points:

1. The thesis analyzes the deficiencies of the solutions proposed in MQTT security research oriented to the traditional perimeter security architecture when facing the new security situation, and points out that building a zero-trust-oriented MQTT security architecture requires a reasonable end-to-end security solution and a trust computation model that makes granular dynamic access control implementable.

2. The end-to-end security issues between publishers and subscribers in MQTT-based communication networks are studied. For the MQTT IoT application scenario, a lightweight MQTT end-to-end security solution is proposed based on secure cryptographic primitives, with the publisher and subscriber endpoint systems performing authentication and encryption. The solution uses three cryptographic algorithms: proxy re-encryption, Schnorr signatures and AES symmetric encryption. A performance and cost comparison between the proposed solution and existing lightweight security solutions, both those that provide end-to-end security and those that do not, together with a heuristic analysis of attack defense, shows that the solution achieves end-to-end security while remaining lightweight.

3. Because the devices that enterprises use for data transmission and sharing over MQTT differ in the computation, communication and storage overhead they can bear, and because transmitted data differs in its confidentiality requirements, a hierarchical encrypted transmission scheme is designed on top of the end-to-end security scheme. Security level 1 provides data integrity, source authenticity and non-repudiation with Schnorr signatures; security level 2 adds end-to-end data confidentiality by encrypting data with AES and protecting the AES session keys with the proxy re-encryption algorithm; security level 3 adds end-to-end data confidentiality by encrypting the transmitted data directly with the proxy re-encryption algorithm.

4. Following the principles of zero trust network construction, functions such as authentication and authorization, access control, continuous pub/sub message verification, system monitoring, feedback on malicious data publication and permission revocation are added on top of the hierarchical encrypted transmission scheme, and the definition and composition of some MQTT protocol fields are adjusted to support these extensions, forming a zero-trust-oriented hierarchical secure MQTT protocol framework. The performance evaluation and security discussion of the protocol are carried out through theoretical analysis.

5. A dynamic access control model based on trust computation with multi-source input is proposed. Representative parameters of the pub/sub message in the zero-trust-oriented hierarchical secure MQTT protocol framework, together with the publisher's or subscriber's abnormal behavior ratio within a certain time window, are selected as the evaluation attributes of the current pub/sub behavior and used to compute a direct trust value. The direct trust values of the publisher's or subscriber's other pub/sub behaviors over a period of time are recorded and combined with a time decay function to calculate a comprehensive trust value that evaluates the current credibility of the publisher or subscriber, which is then used for fine-grained dynamic access control of topic publication and subscription. Analysis of simulation results shows that the proposed trust computation model responds in a timely way to the current behavior characteristics and the historical behavior of publishers and subscribers, and can be used to implement dynamic access control.
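The trust computation model of point 5, as an added illustration that is not the thesis's own code: one direct trust value per pub/sub action computed from its evaluation attributes, a time-decayed comprehensive trust value over the client's recorded history, and a threshold gate for dynamic access control. The attribute weights, the exponential half-life, the neutral prior for an unknown client and the 0.7 threshold are assumptions; the abstract does not state the thesis's actual values.

```python
from dataclasses import dataclass, field

@dataclass
class Behavior:
    ts: float              # time of the pub/sub action (seconds)
    valid_sig: bool        # Schnorr signature on the message verified
    topic_allowed: bool    # topic is within the client's granted permissions
    abnormal_ratio: float  # share of the client's recent actions flagged abnormal

def direct_trust(b: Behavior) -> float:
    """Direct trust of one action in [0, 1]; the attribute weights are assumptions."""
    score = 0.4 * b.valid_sig + 0.3 * b.topic_allowed + 0.3 * (1.0 - b.abnormal_ratio)
    return max(0.0, min(1.0, score))

def decay(age: float, half_life: float = 600.0) -> float:
    """Exponential time-decay weight: older behaviour counts less (assumed half-life)."""
    return 0.5 ** (age / half_life)

@dataclass
class ClientTrust:
    history: list = field(default_factory=list)  # (timestamp, direct trust) pairs

    def record(self, b: Behavior) -> float:
        d = direct_trust(b)
        self.history.append((b.ts, d))
        return d

    def comprehensive_trust(self, now: float) -> float:
        """Decay-weighted average of the recorded direct trust values."""
        if not self.history:
            return 0.5  # neutral prior for an unknown client (assumption)
        weights = [decay(now - ts) for ts, _ in self.history]
        return sum(w * d for w, (_, d) in zip(weights, self.history)) / sum(weights)

def access_decision(ct: ClientTrust, now: float, threshold: float = 0.7) -> bool:
    """Grant topic pub/sub only while comprehensive trust is at or above the threshold."""
    return ct.comprehensive_trust(now) >= threshold

def demo() -> dict:
    """Constructed scenario: a publisher behaves well, then sends unsigned, abnormal traffic."""
    ct = ClientTrust()
    for t in (0, 60, 120):
        ct.record(Behavior(t, True, True, 0.0))
    before = ct.comprehensive_trust(130)
    allow_before = access_decision(ct, 130)
    for t in (150, 160, 170):
        ct.record(Behavior(t, False, True, 1.0))
    return {"before": before, "allow_before": allow_before,
            "after": ct.comprehensive_trust(180), "allow_after": access_decision(ct, 180)}
```

Because recent actions carry the largest decay weights, three bad actions pull the comprehensive trust below the threshold even though the client's older history is clean, which is the prompt revocation behaviour point 5 aims for.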
Keywords/Search Tags:MQTT, Zero trust, Security, Proxy re-encryption, Trust computation