Complete Guide to MOSQUITTO-SGX

What is MQTT and how does it work?

MQTT (originally MQ Telemetry Transport) is a publish/subscribe messaging protocol for machine-to-machine communication. It is a lightweight protocol for exchanging data between many IoT devices. MQTT is not limited to IoT, however: it is also found in software products and other applications, such as the Facebook Messenger application, which takes advantage of MQTT's low data and energy usage.

MQTT Broker

In any MQTT deployment there are two kinds of participants: a broker and clients. What exactly are MQTT brokers and MQTT clients, and how do they differ?

As stated, MQTT is a pub/sub protocol: MQTT clients are publishers and subscribers, that is, clients that publish messages and clients that subscribe to receive them. The same client may do both.

A device (the client) that wants to send data to a server (the broker) publishes it to a topic. The reverse operation is subscribing: a client tells the broker which topics it wants to receive. Under the pub/sub model, multiple clients connect to the broker and subscribe to specific topics, and the broker receives every published message and decides to whom it is forwarded, namely to all clients whose subscriptions match the message's topic. Publishers and subscribers never talk to each other directly and need not know of each other.
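To make the broker's routing decision concrete, here is a small added example (not Mosquitto's own code) that implements the MQTT 3.1.1 topic-filter matching rules, including the "+" and "#" wildcards and the rule that wildcards never match "$SYS" topics, and fans out a published message to the matching subscribers. The Broker class and the hospital/patient client names are constructed for illustration.

```python
"""Minimal model of an MQTT broker's subscription matching (added example).

Implements the topic-filter rules of MQTT 3.1.1 section 4.7:
  '+' matches exactly one topic level, '#' matches the remaining levels
  (and must be the last level), and filters that begin with a wildcard
  never match topics that start with '$' (such as $SYS/...).
The Broker class and the sample client names are constructed for this
illustration; they are not Mosquitto's implementation.
"""
from typing import Dict, Set


def validate_filter(topic_filter: str) -> None:
    """Raise ValueError if a subscription filter is malformed."""
    levels = topic_filter.split("/")
    for i, level in enumerate(levels):
        if level == "#" and i != len(levels) - 1:
            raise ValueError("'#' must be the last level of a filter")
        if level not in ("+", "#") and ("+" in level or "#" in level):
            raise ValueError("a wildcard must occupy a whole level")


def topic_matches(topic_filter: str, topic: str) -> bool:
    """Return True if a subscription filter matches a published topic name."""
    if "+" in topic or "#" in topic:
        raise ValueError("topic names must not contain wildcards")
    validate_filter(topic_filter)
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    # Wildcards never match "$" topics, so a "#" subscriber gets no $SYS traffic.
    if topic.startswith("$") and f_levels[0] in ("+", "#"):
        return False
    for i, level in enumerate(f_levels):
        if level == "#":
            return True  # matches the parent level and everything below it
        if i >= len(t_levels):
            return False  # filter has more levels than the topic
        if level == "+":
            continue  # exactly one level, any value (including the empty level)
        if level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


class Broker:
    """Toy broker: remembers subscriptions and fans out published messages."""

    def __init__(self) -> None:
        self._subs: Dict[str, Set[str]] = {}  # client id -> subscription filters

    def subscribe(self, client: str, topic_filter: str) -> None:
        validate_filter(topic_filter)  # reject malformed filters at SUBSCRIBE time
        self._subs.setdefault(client, set()).add(topic_filter)

    def publish(self, topic: str, payload: bytes) -> Dict[str, bytes]:
        """Deliver payload to every client with at least one matching filter.

        Returns {client id: payload}. A client is listed once even if several
        of its filters match, which is also how Mosquitto delivers by default.
        """
        delivered: Dict[str, bytes] = {}
        for client, filters in self._subs.items():
            if any(topic_matches(f, topic) for f in filters):
                delivered[client] = payload
        return delivered


if __name__ == "__main__":
    broker = Broker()
    broker.subscribe("hospital", "patients/+/glucose")
    broker.subscribe("auditor", "#")
    broker.subscribe("patient-2", "patients/p2/#")
    print(broker.publish("patients/p1/glucose", b"5.8 mmol/L"))
    print(broker.publish("$SYS/broker/uptime", b"42 seconds"))
```

Note what the "#" subscriber receives: everything except "$SYS". Without an access-control list on the broker, any authenticated client can subscribe to "#" and read every patient's data, which is why per-topic authorization on the broker matters as much as transport encryption.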

Let's put this into perspective by using an example:

You are using a continuous glucose monitoring (CGM) device which measures your vital health data. This monitor connects to the hospital's monitoring system, which forwards the data to your caregivers so that they can monitor your health parameters remotely.

Your CGM device (the client) publishes your glucose levels to a server (the MQTT broker), which in turn forwards this data to the subscribed hospital device. Your doctor therefore stays informed about your vital levels at all times and can monitor your glucose remotely, using nothing more than the MQTT protocol.

MOSQUITTO MQTT Broker

There are several brokers you can use as MQTT servers. One of these is Eclipse Mosquitto, open-source software implementing the MQTT messaging protocol.

Mosquitto is an open-source implementation of a broker for versions 5.0, 3.1.1 and 3.1 of the MQTT protocol. It also includes a C and C++ client library and the mosquitto_pub and mosquitto_sub command-line utilities for publishing and subscribing. You can run the Mosquitto broker on your own PC to exchange data between IoT devices on the same network, or run it in the cloud, which lets devices connect irrespective of their location and network.

What are the benefits of using MOSQUITTO MQTT?

The lightweight design of the MQTT protocol keeps data transfer smooth on low-bandwidth links and keeps the CPU and RAM load on devices small. This gives the MQTT protocol the following advantages:

  • efficient data transmission and quick implementation;
  • low network usage, thanks to small packets (the fixed header is only two bytes);
  • efficient distribution of data to all subscribed clients;
  • fast message delivery with a selectable quality of service (QoS 0, 1 or 2);
  • low power consumption, which suits battery-powered devices;
  • good behaviour on poor connections, thanks to keep-alives and persistent sessions.

What are the downsides of MOSQUITTO MQTT?

One of the biggest drawbacks of the MQTT protocol is that it specifies no encryption of its own: by default it runs over plain TCP (port 1883), and confidentiality must come from wrapping it in TLS (conventionally on port 8883). Because MQTT was designed to be lightweight, security and authentication were never a focus of the protocol itself.

MQTT has very few authentication features built into the protocol: version 3.1.1 offers only an optional user name and password in the CONNECT packet, and these travel in cleartext unless the connection uses TLS, which is not a lightweight protocol. The protocol also has no notion of topic ownership, so it cannot by itself restrict who may publish to or subscribe to a topic. Broker implementations fill this gap: Mosquitto supports TLS listeners, TLS client-certificate authentication (require_certificate, use_identity_as_username) and per-topic access control lists (acl_file), but all of these are opt-in configuration, and even a correctly configured broker handles every message in plaintext once TLS has been terminated, so whoever controls the broker host can read it.
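The cleartext problem is easiest to see on the wire. The following added example (not Mosquitto's code) encodes an MQTT 3.1.1 CONNECT packet exactly as a client would send it, then parses the same bytes the way a passive observer on an unencrypted TCP path would, recovering the client id, user name and password. The client id "cgm-0042", user name "ward7" and password "hunter2" are constructed sample values.

```python
"""Build and dissect an MQTT 3.1.1 CONNECT packet (added example).

Shows that the user name and password a client sends in CONNECT are
length-prefixed cleartext unless the TCP connection is wrapped in TLS.
The packet layout follows MQTT 3.1.1 section 3.1; the client id, user
name and password used in the demo are constructed sample values.
"""
import struct
from typing import Optional, Tuple


def _mqtt_string(value: bytes) -> bytes:
    """UTF-8 string / binary field: two-byte big-endian length, then bytes."""
    if len(value) > 0xFFFF:
        raise ValueError("field too long for MQTT length prefix")
    return struct.pack("!H", len(value)) + value


def _encode_remaining_length(n: int) -> bytes:
    """Variable-length 'Remaining Length' (7 bits per byte, MSB = continue)."""
    out = bytearray()
    while True:
        digit = n % 128
        n //= 128
        if n:
            digit |= 0x80
        out.append(digit)
        if not n:
            return bytes(out)


def build_connect(client_id: str, username: Optional[str] = None,
                  password: Optional[bytes] = None, keep_alive: int = 60,
                  clean_session: bool = True) -> bytes:
    """Encode a CONNECT packet as a client would send it on the wire."""
    if password is not None and username is None:
        raise ValueError("MQTT 3.1.1 forbids a password without a user name")
    flags = 0x02 if clean_session else 0x00  # bit 1: Clean Session
    payload = _mqtt_string(client_id.encode())
    if username is not None:
        flags |= 0x80  # bit 7: User Name Flag
        payload += _mqtt_string(username.encode())
    if password is not None:
        flags |= 0x40  # bit 6: Password Flag
        payload += _mqtt_string(password)
    variable_header = (_mqtt_string(b"MQTT") + bytes([0x04, flags])
                       + struct.pack("!H", keep_alive))
    body = variable_header + payload
    return bytes([0x10]) + _encode_remaining_length(len(body)) + body


def _decode_remaining_length(data: bytes, i: int) -> Tuple[int, int]:
    value, multiplier = 0, 1
    while True:
        digit = data[i]
        i += 1
        value += (digit & 0x7F) * multiplier
        if not digit & 0x80:
            return value, i
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed Remaining Length")


def _read_string(data: bytes, i: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from("!H", data, i)
    i += 2
    return data[i:i + n], i + n


def sniff_connect(packet: bytes) -> Optional[dict]:
    """Recover what a passive observer learns from a cleartext CONNECT.

    Returns None for other packet types. Only protocol level 4 (MQTT 3.1.1)
    is parsed; level 5 adds a properties block that this example skips.
    """
    if packet[0] >> 4 != 1:  # high nibble 1 = CONNECT
        return None
    remaining, i = _decode_remaining_length(packet, 1)
    if i + remaining != len(packet):
        raise ValueError("truncated or padded packet")
    protocol_name, i = _read_string(packet, i)
    level, flags = packet[i], packet[i + 1]
    i += 2
    if protocol_name != b"MQTT" or level != 4:
        raise ValueError("only MQTT 3.1.1 CONNECT is handled here")
    (keep_alive,) = struct.unpack_from("!H", packet, i)
    i += 2
    client_id, i = _read_string(packet, i)
    if flags & 0x04:  # Will Flag: skip Will Topic and Will Message
        _, i = _read_string(packet, i)
        _, i = _read_string(packet, i)
    username = password = None
    if flags & 0x80:
        username, i = _read_string(packet, i)
    if flags & 0x40:
        password, i = _read_string(packet, i)
    return {"client_id": client_id.decode(), "keep_alive": keep_alive,
            "username": None if username is None else username.decode(),
            "password": password}


if __name__ == "__main__":
    pkt = build_connect("cgm-0042", "ward7", b"hunter2")
    print(pkt.hex())
    print(sniff_connect(pkt))  # anyone on the path reads ward7 / hunter2
```

The password is a plain length-prefixed field a few bytes into the first packet of every session, so a broker listening on port 1883 hands its credentials to any on-path observer. Moving the listener to a TLS port with a server certificate is the minimum fix; it protects the path, but not the broker process itself.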

Our product MOSQUITTO-SGX meets these challenges, and we explain how below.

Now let’s talk about Intel SGX

Before we jump into our MOSQUITTO-SGX product, here is a short introduction to Intel Software Guard Extensions (SGX). Intel SGX is the confidential computing technology built into Intel CPUs: it provides hardware-enforced isolation and transparent encryption of enclave memory. An application places its sensitive code and data in a so-called enclave, which the CPU keeps isolated from everything else on the machine, including privileged software. Running code and data in an enclave therefore adds confidentiality, integrity and (through attestation) trust guarantees, which makes enclaves well suited to (untrusted) cloud environments.

The application code executing within an Intel SGX enclave:

  • Remains protected even if the BIOS, VMM, OS and drivers are compromised: an attacker with full control of the platform software still cannot read or modify enclave memory
  • Benefits from memory encryption that defeats memory-bus snooping, memory tampering and "cold boot" attacks on images retained in RAM
  • Keeps data, program code and protocol messages inside the enclave confidential from the host. Note that SGX does not by itself defend against side-channel attacks, so enclave code must avoid secret-dependent memory access and timing
  • Reduces the trusted computing base of the application to the enclave code and the CPU itself

Check out our blog post "Confidential Computing Explained" and learn more about confidential computing technology.

Why use MOSQUITTO-SGX (instead of "vanilla" MOSQUITTO) images?

So imagine getting all these protection features of Intel SGX as a "Plus" version of the Mosquitto MQTT broker. This is what MOSQUITTO-SGX brings to the table.

The MOSQUITTO-SGX product offered by enclaive combines the confidential computing technology of Intel SGX with the Mosquitto implementation of the MQTT protocol. The broker process, and with it every message it routes, executes inside a secure enclave, so plaintext payloads, session keys and credentials exist only in encrypted enclave memory and never in host-readable RAM. Combined with TLS on the client connections, whose certificates and keys are kept inside the enclave, there is no point at which sensitive data is exposed to the hosting platform. The enclave thus acts as a "black box" holding the entire broker state, which the host operating system, hypervisor and cloud operator cannot inspect. This addresses the weakness that the MQTT protocol leaves to deployment: a broker that sees everything in the clear. Furthermore, MOSQUITTO-SGX is quick and easy to set up, making it accessible to everyone.

The following benefits come with MOSQUITTO-SGX:

  • All business advantages of migrating to a (public) cloud without sacrificing the trust of on-premise infrastructure
  • Hardened security against kernel-space exploits, malicious or accidental privileged-insider attacks, UEFI firmware exploits and other "root" attacks that corrupt the application to infiltrate the network and system
  • Runs on any hosting environment irrespective of geo-location, supporting compliance with privacy export regulations such as Schrems II
  • GDPR/CCPA-compliant processing of user data in use in the cloud: the data stays confidential inside the secure enclave and is never exposed to the hosting provider
  • The broker processes sensitive data (e.g. health data) and shields it from the outside, making it a good fit for an (untrusted) cloud environment
  • Strong protection of SSL/TLS certificates, usernames/passwords and other credentials, which are stored only inside the enclave
  • Simple deployment through Docker/Kubernetes-compatible containers
  • Available for major cloud providers (e.g. Microsoft Azure, OVH, IBM)

Wrap-up

Businesses can now benefit from end-to-end encryption of their Mosquitto MQTT broker container: code and data are protected while in use, not only at rest and in transit, and remain confidential at every moment.

Coming back to our example: if personal data is involved while publishing or subscribing to specific topics, i.e. while your CGM device is sending your sensitive health data to the hospital's device, and the hospital is using a MOSQUITTO-SGX broker to handle your messages (and a million other publishers and subscribers), then the broker's memory, and with it your health data while it is being routed, is inaccessible to the hosting provider and to anyone who compromises the host. You rely on a hardware guarantee rather than on trusting the operator.

Connecting and leveraging IoT devices all around the world has therefore never been as safe as it is with our MOSQUITTO-SGX product.

Still reading? Head to our Products page and try MOSQUITTO-SGX now for free. Let us know what you think.
