Journal of Computer Applications ›› 2021, Vol. 41 ›› Issue (5): 1378-1385.DOI: 10.11772/j.issn.1001-9081.2020060985

Special Issue: 网络空间安全

• Cyber security • Previous Articles     Next Articles

End-to-end security solution for message queue telemetry transport protocol based on proxy re-encryption

GU Zhengchuan1,2, GUO Yuanbo1, FANG Chen1   

  1. 1. College of Cryptography, Information Engineering University of Strategic Support Force, Zhengzhou Henan 450002, China;
    2. PLA 77562 Troop, Shigatse Tibet 857000, China
  • Received:2020-07-08 Revised:2020-11-11 Online:2021-05-10 Published:2021-01-15
  • Supported by:
    This work is partially supported by the Foundation of Science and Technology on Information Assurance Laboratory (614211203010417).

基于代理重加密的消息队列遥测传输协议端到端安全解决方案

谷正川1,2, 郭渊博1, 方晨1   

  1. 1. 战略支援部队信息工程大学 密码工程学院, 郑州 450002;
    2. 中国人民解放军 77562部队, 西藏 日喀则 857000
  • 通讯作者: 谷正川
  • 作者简介:谷正川(1989-),男,重庆人,硕士研究生,主要研究方向:物联网安全、零信任网络;郭渊博(1975-),男,陕西周至人,教授,博士,主要研究方向:网络安全、态势感知;方晨(1993-),男,安徽安庆人,博士研究生,主要研究方向:人工智能安全、隐私保护。
  • 基金资助:
    信息保障技术重点实验室基金资助项目(614211203010417)。

Abstract: Aiming at the lack of built-in security mechanism in Message Queue Telemetry Transport (MQTT) protocol to protect communication information between the Internet of Things (IoT) devices, as well as the problem that the credibility of MQTT broker is questioned in the new concept of zero trust security, a new solution based on proxy re-encryption for implementing secure end-to-end data transmission between publisher and subscriber in MQTT communication was proposed. Firstly, the Advanced Encryption Standard (AES) was used to symmetrically encrypt the transmitted data for ensuring the confidentiality of the data during the transmission process. Secondly, the proxy re-encryption algorithm that defines the MQTT broker as a semi-honest participant was adopted to encrypt the session key used by the AES symmetric encryption, so as to eliminate the implicit trust of the MQTT broker. Thirdly, the computation of re-encryption key generation was transferred from clients to a trusted third party for the applicability of the proposed scheme in resource-constrained IoT devices. Finally, Schnorr signature algorithm was employed to digitally sign the messages for the authenticity, integrity and non-repudiation of the data source. Compared with the existing MQTT security schemes, the proposed scheme acquires the end-to-end security features of MQTT communication at the expense of the computation and communication overhead equivalent to that of the lightweight security scheme without end-to-end security.

Key words: Message Queue Telemetry Transport (MQTT), security, cryptography, proxy re-encryption, Advanced Encryption Standard (AES), digital signature

摘要: 针对消息队列遥测传输(MQTT)协议缺乏保护物联网(IoT)设备间通信信息的内置安全机制,以及MQTT代理在新的零信任安全理念下的可信性受到质疑的问题,提出了一种基于代理重加密实现MQTT通信中发布者与订阅者间端到端数据安全传输的解决方案。首先,使用高级加密标准(AES)对传输数据进行对称加密,以确保数据在整个传输过程中的机密性;然后,采用将MQTT代理定义为半诚实参与方的代理重加密算法来加密传输AES对称加密使用的会话密钥,从而消除对MQTT代理的隐式信任;其次,将重加密密钥生成的计算工作从客户端转移到可信第三方,使得所提方案适用于资源受限的IoT设备;最后,使用Schnorr签名算法对消息进行数字签名,以提供数据来源的真实性、完整性和不可否认性。与现有MQTT安全方案相比,所提方案用和不提供端到端安全性的轻量级方案相当的计算和通信开销获取了MQTT通信的端到端安全特性。

关键词: 消息队列遥测传输, 安全性, 密码学, 代理重加密, 高级加密标准, 数字签名

CLC Number: