基于代理重加密的消息队列遥测传输协议端到端安全解决方案

End-to-end security solution for message queue telemetry transport protocol based on proxy re-encryption

针对消息队列遥测传输(MQTT)协议缺乏保护物联网(Io T)设备间通信信息的内置安全机制,以及MQTT代理在新的零信任安全理念下的可信性受到质疑的问题,提出了一种基于代理重加密实现MQTT通信中发布者与订阅者间端到端数据安全传输的解决方案。首先,使用高级加密标准(AES)对传输数据进行对称加密,以确保数据在整个传输过程中的机密性;然后,采用将MQTT代理定义为半诚实参与方的代理重加密算法来加密传输AES对称加密使用的会话密钥,从而消除对MQTT代理的隐式信任;其次,将重加密密钥生成的计算工作从客户端转移到可信第三方,使得所提方案适用于资源受限的Io T设备;最后,使用Schnorr签名算法对消息进行数字签名,以提供数据来源的真实性、完整性和不可否认性。与现有MQTT安全方案相比,所提方案用和不提供端到端安全性的轻量级方案相当的计算和通信开销获取了MQTT通信的端到端安全特性。

Aiming at the lack of built-in security mechanism in Message Queue Telemetry Transport(MQTT)protocol to protect communication information between the Internet of Things(IoT)devices,as well as the problem that the credibility of MQTT broker is questioned in the new concept of zero trust security,a new solution based on proxy re-encryption for implementing secure end-to-end data transmission between publisher and subscriber in MQTT communication was proposed.Firstly,the Advanced Encryption Standard(AES)was used to symmetrically encrypt the transmitted data for ensuring the confidentiality of the data during the transmission process.Secondly,the proxy re-encryption algorithm that defines the MQTT broker as a semi-honest participant was adopted to encrypt the session key used by the AES symmetric encryption,so as to eliminate the implicit trust of the MQTT broker.Thirdly,the computation of re-encryption key generation was transferred from clients to a trusted third party for the applicability of the proposed scheme in resource-constrained IoT devices.Finally,Schnorr signature algorithm was employed to digitally sign the messages for the authenticity,integrity and non-repudiation of the data source.Compared with the existing MQTT security schemes,the proposed scheme acquires the end-to-end security features of MQTT communication at the expense of the computation and communication overhead equivalent to that of the lightweight security scheme without end-to-end security.