Enhanced Authentication - MQTT 5 Essentials Part 11
Written by Georg Held
Category: MQTT 5 MQTT 5 Essentials HiveMQ IoT Security Auth
Published: March 6, 2020
In the MQTT 5 Essentials, we explore the foundational changes that MQTT 5 introduces and the top reasons MQTT users make the move to MQTT v5. Our goal is to individually examine each new feature the MQTT 5 protocol offers. Today, we’ll take a look at another important feature: Enhanced Authentication.
Modern IoT projects are often big and complex, especially once security considerations come into play. These large-scale projects usually require the collaboration of multiple vendors and teams. Adherence to internationally accepted standards is one way to limit the challenges such projects entail.
Today’s feature helps you meet those standards.
Implementing Challenge-Response Authentication
MQTT 5 Enhanced Authentication provides the tools you need to implement authentication in a challenge-response manner. In contrast to the traditional credential-based approach, the server authenticates a client by presenting a challenge that the client must respond to with a valid response.
This allows you to implement authentication standards such as the Salted Challenge Response Authentication Mechanism (SCRAM) or the Kerberos protocol.
Enhanced authentication is based on three MQTT message types: the CONNECT and CONNACK messages that were already present in MQTT v3 and the new MQTT v5 AUTH message. CONNECT messages are only sent by clients and CONNACK messages are only sent by the server. Both types are used one time during each authentication process. AUTH messages can be used multiple times by the server and the client.
Two message properties are at the heart of the authentication flow: the Authentication Method that is identified by byte 21 and the Authentication Data that is identified by byte 22. These properties are set on every message that takes part in the enhanced authentication flow.
The Authentication Method is used to choose and describe a way of authentication that the client and server have agreed upon.
This is done with method strings that are commonly used to identify SASL mechanisms, for example SCRAM-SHA-1 for SCRAM with SHA-1 or GS2-KRB5 for Kerberos.
The Authentication Method gives meaning to the data that is exchanged during the enhanced authentication and must not change.
Authentication data is binary information. This data is usually used to transfer multiple iterations of encrypted secrets or protocol steps. The content is highly dependent on the specific mechanism that is used in the enhanced authentication and is application-specific.
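How the two properties sit on the wire in an AUTH packet, together with a server-side check that the Authentication Method still matches the one from CONNECT. This is an added Python example, not the HiveMQ Extension SDK snippet this article refers to; the function names and the constructed SCRAM-style payload are assumptions for illustration, and the parser handles only these two properties.

```python
import struct

AUTH_METHOD, AUTH_DATA = 0x15, 0x16  # property identifiers 21 and 22
AUTH, CONTINUE = 0xF0, 0x18  # AUTH packet type byte; reason "Continue authentication"

def varint(n):  # MQTT Variable Byte Integer, 7 bits per byte
    out = bytearray()
    while True:
        n, low = divmod(n, 128)
        out.append(low | (0x80 if n else 0))
        if not n:
            return bytes(out)

def read_varint(buf, pos):
    value = shift = 0
    while True:
        byte = buf[pos]
        value |= (byte & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if not byte & 0x80:
            return value, pos

def build_auth(reason, method, data):
    """AUTH packet with both properties; each value has a 2-byte length prefix."""
    name = method.encode()
    props = bytes([AUTH_METHOD]) + struct.pack("!H", len(name)) + name
    props += bytes([AUTH_DATA]) + struct.pack("!H", len(data)) + data
    body = bytes([reason]) + varint(len(props)) + props
    return bytes([AUTH]) + varint(len(body)) + body

def check_auth(packet, connect_method):
    """Parse an AUTH packet; reject it unless its method equals the CONNECT one."""
    remaining, pos = read_varint(packet, 1)
    if packet[0] != AUTH or remaining != len(packet) - pos:
        raise ValueError("not a well-formed AUTH packet")
    reason = packet[pos]
    plen, pos = read_varint(packet, pos + 1)
    found, end = {}, pos + plen
    while pos < end <= len(packet):
        ident = packet[pos]
        if ident not in (AUTH_METHOD, AUTH_DATA) or ident in found:
            raise ValueError("unexpected or repeated property")
        (size,) = struct.unpack_from("!H", packet, pos + 1)
        found[ident] = packet[pos + 3:pos + 3 + size]
        pos += 3 + size
    if pos != end or found.get(AUTH_METHOD) != connect_method.encode():
        raise ValueError("malformed properties or Authentication Method changed")
    return reason, found.get(AUTH_DATA)

SAMPLE = build_auth(CONTINUE, "SCRAM-SHA-1", b"n,,n=user,r=abc")  # constructed payload
```

A broker would call `check_auth` with the method string it stored from the client's CONNECT, then hand the returned Authentication Data to the mechanism implementation.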
Source Code Example
In this brief code snippet we use the HiveMQ extension SDK to implement enhanced authentication that checks for support of the Authentication Method and decides the state of a connecting MQTT client after the exchange of two AUTH messages.
Enhanced authentication is the perfect way to integrate HiveMQ into your existing enterprise security network. This new feature allows you to secure IoT deployments to a degree that was previously not possible.
Learn everything about MQTT v5
Over the next few weeks, we will continue our technical deep dive into all of the MQTT 5 features. In Part 11 of this series we will be talking about Flow Control. If you would like to join us, sign up for our newsletter to get regular updates and ensure that you don’t miss a post.