Managing authorization

Authorization is the ability to determine who has access to what or who can do what. Authorization requires authenticated identities. MQTT does not forward the identities of publishers. This makes authorization a big problem. How do you know if a packet is valid, or if the sender is authorized to send it? Since anybody can publish packets on any topic, by default, injection a great problem.

As with the problem of privacy, this vulnerability can be solved using ACL. It can also be solved by cryptographic means, for instance by signing packets using a PKI encryption method, such as RSA. Signatures using PKI work well in a Publish/Subscribe setting. It is only the sender that needs the private key. Recipients only require the public key of the sender to validate the signature.

The same PKI method can be used to achieve privacy in point-to-point communication or used to distribute shared symmetric keys. But implementation is far from simple, and the chances of achieving interoperability is slim.

The authorization problem, perhaps the most important problem to solve, is not solved in the MQTT v5 specification. Due to the serious vulnerabilities inherent in the MQTT protocol, it is better used in controlled environments, and then only with equipment that is programmed using the same proprietary data protection measures. Achieving secure, open, and interoperable internet-based solutions using MQTT is far from simple, if at all practically possible. For this reason, it might be better to view MQTT as a good M2M protocol, and not a suitable IoT protocol.

If interoperability is important to your solution, there are other protocols that you can use to solve these issues. More on these protocols in later chapters.

Table of Contents for Managing authorization

Create new playlist

Sign In

Sign Up

Table of Contents for
Managing authorization