Enhanced Authentication - MQTT 5 Essentials Part 11

Written by Georg Held

Category: MQTT 5, MQTT 5 Essentials, HiveMQ, IoT, Security, Auth

Published: March 6, 2020


In the MQTT 5 Essentials, we explore the foundational changes that MQTT 5 introduces and the top reasons MQTT users make the move to MQTT v5. Our goal is to individually examine each new feature the MQTT 5 protocol offers. Today, we’ll take a look at another important feature: Enhanced Authentication.

Modern IoT projects are often big and complex, especially once security considerations come into play. These large-scale projects usually require the collaboration of multiple vendors and teams. Adherence to internationally accepted standards is one way to limit the challenges such projects entail.

Today’s feature helps you meet those standards.

Implementing Challenge-Response Authentication

MQTT 5 Enhanced Authentication provides the tools you need to implement authentication in a challenge-response manner. In contrast to the traditional credential-based approach, the server authenticates a client by presenting a challenge that the client must respond to with a valid response.

This allows you to implement authentication standards such as the Salted Challenge Response Authentication Mechanism (SCRAM) or the Kerberos protocol.

Authentication Flow

Enhanced authentication is based on three MQTT message types: the CONNECT and CONNACK messages that were already present in MQTT v3 and the new MQTT v5 AUTH message. CONNECT messages are only sent by clients and CONNACK messages are only sent by the server. Both types are used one time during each authentication process. AUTH messages can be used multiple times by the server and the client.

Two message properties are at the heart of the authentication flow: the Authentication Method (property identifier 21) and the Authentication Data (property identifier 22). These properties are set on every message that takes part in the enhanced authentication flow.

Figure: Authentication Flow

Authentication Method

The Authentication Method is used to choose and describe a way of authentication that the client and server have agreed upon. This is done with method strings, commonly the names used to identify SASL mechanisms, for example SCRAM-SHA-1 for SCRAM with SHA-1 or GS2-KRB5 for Kerberos.

The Authentication Method gives meaning to the data that is exchanged during the enhanced authentication and must not change within one authentication exchange.

Authentication Data

Authentication data is binary information. This data is usually used to transfer multiple iterations of encrypted secrets or protocol steps. The content is highly dependent on the specific mechanism that is used in the enhanced authentication and is application-specific.
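To make the flow above concrete, here is an added Python simulation (not code from this post or from HiveMQ) of both sides of one enhanced authentication exchange: a CONNECT carrying the Authentication Method, a server AUTH with a nonce challenge, a client AUTH with the response, and the final CONNACK verdict. The method name, client id and pre-shared key are constructed for illustration; the toy HMAC-over-nonce mechanism stands in for SCRAM or Kerberos and is not a real SASL mechanism.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

AUTHENTICATION_METHOD, AUTHENTICATION_DATA = 0x15, 0x16  # MQTT 5 property identifiers 21 and 22
SUCCESS, CONTINUE_AUTHENTICATION, NOT_AUTHORIZED = 0x00, 0x18, 0x87  # MQTT 5 reason codes
METHOD = "X-HMAC-SHA256-NONCE"  # constructed method name for this toy mechanism, not a SASL one

@dataclass
class Packet:
    type: str                    # "CONNECT", "AUTH" or "CONNACK"
    reason_code: int = SUCCESS
    properties: dict = field(default_factory=dict)

class Broker:
    # Server side: issues a nonce challenge in AUTH and verifies the HMAC response.
    def __init__(self, shared_keys):
        self.shared_keys = shared_keys   # client_id -> pre-shared key (constructed)
        self.pending = {}                # client_id -> (method, nonce) while a flow is open

    def on_connect(self, client_id, pkt):
        method = pkt.properties.get(AUTHENTICATION_METHOD)
        if method != METHOD or client_id not in self.shared_keys:
            return Packet("CONNACK", NOT_AUTHORIZED)   # unsupported method or unknown client
        nonce = secrets.token_bytes(16)
        self.pending[client_id] = (method, nonce)
        return Packet("AUTH", CONTINUE_AUTHENTICATION,
                      {AUTHENTICATION_METHOD: method, AUTHENTICATION_DATA: nonce})

    def on_auth(self, client_id, pkt):
        method, nonce = self.pending.pop(client_id, (None, None))
        # The method chosen in CONNECT must be repeated unchanged on every AUTH of the flow.
        if nonce is None or pkt.properties.get(AUTHENTICATION_METHOD) != method:
            return Packet("CONNACK", NOT_AUTHORIZED)
        expected = hmac.new(self.shared_keys[client_id], nonce, hashlib.sha256).digest()
        if hmac.compare_digest(expected, pkt.properties.get(AUTHENTICATION_DATA, b"")):
            return Packet("CONNACK", SUCCESS)
        return Packet("CONNACK", NOT_AUTHORIZED)

def client_connect(broker, client_id, key, method=METHOD, auth_method=None):
    # Client side: send CONNECT, answer the AUTH challenge, return the final CONNACK reason code.
    reply = broker.on_connect(client_id, Packet("CONNECT", properties={AUTHENTICATION_METHOD: method}))
    if reply.type != "AUTH":
        return reply.reason_code
    response = hmac.new(key, reply.properties[AUTHENTICATION_DATA], hashlib.sha256).digest()
    auth = Packet("AUTH", CONTINUE_AUTHENTICATION,
                  {AUTHENTICATION_METHOD: auth_method or method, AUTHENTICATION_DATA: response})
    return broker.on_auth(client_id, auth).reason_code
```

The `auth_method` parameter exists only to show what happens when a client changes the method mid-flow: the broker rejects the exchange, as the method must stay constant.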

Source Code Example

In this brief code snippet we use the HiveMQ extension SDK to implement enhanced authentication that checks for support of the Authentication Method and decides the state of a connecting MQTT client after the exchange of two AUTH messages.

import com.hivemq.extension.sdk.api.auth.EnhancedAuthenticator;
import com.hivemq.extension.sdk.api.auth.parameter.EnhancedAuthConnectInput;
import com.hivemq.extension.sdk.api.auth.parameter.EnhancedAuthInput;
import com.hivemq.extension.sdk.api.auth.parameter.EnhancedAuthOutput;
import com.hivemq.extension.sdk.api.packets.auth.AuthPacket;
import com.hivemq.extension.sdk.api.packets.connect.ConnectPacket;

public class MyEnhancedAuthenticator implements EnhancedAuthenticator {

    // The three helpers used below (authenticationMethodIsSupported,
    // validateClientAuthenticationData, prepareServerAuthenticationData) are the
    // mechanism-specific part and are left to the implementer. The SDK exposes the
    // method and data as Optional values, so the helpers must handle the absent case.

    @Override
    public void onConnect(EnhancedAuthConnectInput input, EnhancedAuthOutput output) {

        final ConnectPacket connectPacket = input.getConnectPacket();

        // Is the given authentication method supported?
        if (authenticationMethodIsSupported(connectPacket.getAuthenticationMethod())) {

            // Did the client provide valid authentication data?
            if (validateClientAuthenticationData(connectPacket.getAuthenticationData())) {

                // Send an AUTH message that contains a challenge!
                output.continueAuthentication(prepareServerAuthenticationData());
                return;
            }
        }

        // Fail the authentication and disconnect the client.
        output.failAuthentication();
    }

    @Override
    public void onAuth(EnhancedAuthInput input, EnhancedAuthOutput output) {

        final AuthPacket authPacket = input.getAuthPacket();

        // Try to validate the response.
        if (validateClientAuthenticationData(authPacket.getAuthenticationData())) {

            // Allow the client to connect to the server.
            output.authenticateSuccessfully();
            return;
        }

        // Fail the authentication and disconnect the client.
        output.failAuthentication();
    }
}

Conclusion

Enhanced authentication is the perfect way to integrate HiveMQ into your existing enterprise security network. This new feature allows you to secure IoT deployments to a degree that was previously not possible.

Learn everything about MQTT v5

Over the next few weeks, we will continue our technical deep dive into all of the MQTT 5 features. If you would like to join us, sign up for our newsletter to get regular updates and ensure that you don’t miss a post.


About Georg Held

Georg is a software developer at HiveMQ. He is the main developer of the HiveMQ Enterprise Security Extension.
