In my last article, I showed how we could build an IoT app without the Internet. It's a good exercise when you want to get started or do rapid prototyping without any dependency on the Internet. One question that is always asked by the people evaluating the proof of concept concerns security: how have you secured your solution? Most of the concerns customers raise when they are contemplating introducing IoT into their business or product line are related to security. Be it device security or network security, having it at scale is very important. I will not go into much detail on that here, as it is a long topic.
In this article, I will show how we could secure our IoT network by enabling TLS on the MQTT broker, building an encrypted and authenticated channel between the clients and the broker. One can use this when building PoCs or demos for clients, or for self-learning.
Network Security using Transport Layer Security (TLS)
Transport Layer Security (TLS) is the most common method by which secure network communication happens. I will not go into detail on how TLS works, but I will demonstrate how to configure TLS in the local IoT application I showed you in my previous article.
Here is what I will do:
- Create a Local Certificate authority
- Create certificates for MQTT broker and clients
- Use the Local certificate authority to sign certificates for the MQTT broker and its clients.
- Secure the MQTT broker on our Raspberry Pi IoT gateway using the certificates.
- Connect multiple clients to the broker and do a data exchange.
Before we dive into the practicalities, I just want to briefly cover the certificate authority (CA).
A certificate authority (CA) is an entity that signs digital certificates. The broker needs to prove its identity to the clients so that they can trust the connection, so in practical scenarios operators pay an internationally trusted CA (e.g., VeriSign, DigiCert) to sign a certificate for the domain where the broker is hosted, e.g. AWS IoT using the VeriSign CA. In some cases it may make more sense to act as your own CA rather than paying a CA like DigiCert or VeriSign. Common practices include…
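The "act as your own CA" route from the steps listed above, carried through with openssl as an added example (this is not code from the original article or from any project it mentions). It assumes openssl is on the PATH and that the broker is Mosquitto (the article names no specific broker); the names "Local IoT CA", "iot-gateway.local", "sensor-01" and the "pki" directory are constructed placeholders.

```shell
#!/bin/sh
# Added example: a local CA signing broker and client certificates for mutual
# TLS on an MQTT broker. Assumes openssl on PATH and a Mosquitto broker; the
# CN values and the "pki" directory are constructed placeholders.
set -eu

PKI="${PKI_DIR:-./pki}"

# Step 1: create the local certificate authority (a self-signed root).
make_ca() {
  mkdir -p "$PKI"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Local IoT CA" \
    -keyout "$PKI/ca.key" -out "$PKI/ca.crt" 2>/dev/null
}

# Steps 2 and 3: key + CSR for a broker or client, then sign it with the CA.
# $1 = file basename, $2 = common name, $3 = server|client. The role sets
# extendedKeyUsage, so a client certificate cannot be re-used as a broker cert.
make_signed_cert() {
  name="$1"; cn="$2"; role="$3"
  case "$role" in
    server) eku="serverAuth"; san="subjectAltName=DNS:$cn" ;;
    client) eku="clientAuth"; san="" ;;
    *) echo "role must be server or client" >&2; return 1 ;;
  esac
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$PKI/$name.key" -out "$PKI/$name.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n%s\n' "$eku" "$san" \
    > "$PKI/$name.ext"
  openssl x509 -req -days 365 -in "$PKI/$name.csr" -CA "$PKI/ca.crt" \
    -CAkey "$PKI/ca.key" -CAcreateserial -extfile "$PKI/$name.ext" \
    -out "$PKI/$name.crt" 2>/dev/null
}

# Step 4: Mosquitto listener fragment (port 8883 instead of plain 1883) that
# only admits clients presenting a certificate signed by our CA (mutual TLS).
mosquitto_tls_conf() {
  cat <<EOF
listener 8883
cafile $PKI/ca.crt
certfile $PKI/broker.crt
keyfile $PKI/broker.key
require_certificate true
EOF
}

# Check: does the certificate chain to our CA and carry the expected role?
verify_cert() {  # $1 = basename, $2 = server|client
  openssl verify -CAfile "$PKI/ca.crt" -purpose "ssl$2" "$PKI/$1.crt" >/dev/null 2>&1
}
```

Run `make_ca`, then `make_signed_cert broker iot-gateway.local server` and one `make_signed_cert <name> <cn> client` per device; `verify_cert` confirms that a client certificate is rejected for the server role and vice versa.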