Analysis of MQTT protocol security and a method for key distribution through separation of knowledge

The scope of the project is to analyse MQTT protocol (used in IoT application) to detect malicious contexts in real use cases and analyse possible workarounds. The studies performed are: - MQTT protocol features analysis: it is a protocol used to transport messages, mainly used in IoT environment given its lightweightness; - Malicious contexts analysis: given its lightweightness, MQTT has not security mechanisms by default, in order to maintain it simple to be runned by resource constrained devices like IoT ones; - Workarounds analysis: identification of countermeasures able to guarantee authentication, confidentiality and integrity of MQTT messages; - State of the art of MQTT security solutions: analysis of innovative solutions developed to provide security to MQTT protocol; - Determining target use case; - Design, implementation and testing of a demo. The main threats of MQTT protocol are the lack of data privacy protection (anyone can read messages contained in MQTT packet, a big problem especially in scenario where sensitive information are sent) and the absence of authentication method integrated by default (there is no assurance about the "identity" of devices involved in communication). From the analysis of existing solutions, it was found out that there is poor consideration about key distribution and revocation. That's why the demo consists in the implementation of a method to distribute cryptographic keys through separation of knowledge: a key is generated combining a key embedded in the IoT device and a key obtained from a server. The last one must be forwarded in a secure way to the IoT device so that it can obtain the final key. In this way, it is also possible to revoke the key, invalidating the part of knowledge stored in the server. In my project, it is requested to the server using a smartphone application and transmitted to the IoT device through NFC. The work of thesis and method implementation has been carried out at Brain Technologies srl with the support of internal tutor Jacopo Federici and the supervision of professor Edoardo Patti.