Proposing security measures and security analysis in the Fiware IoT environment.

m4n3dw0lf/SecureFiware


SecureFiware

Overview

End-to-end encryption

COAP Device to LWM2M IoT Agent encrypted communication

For the encrypted communication between the device and the IoT Agent we have embedded a DTLS server feature in the lwm2m-node-lib source code. It forwards any request to the plain-text LWM2M UDP server over the localhost network and then forwards the response back to the client. We designed this solution to be set up easily in the .js configuration file, and it is fully compatible with the lightweightm2m-iotagent as described here and demonstrated in the PoC below. Notice that the other lightweightm2m-iotagent features are entirely unaffected by these modifications. The dtls-proxy library was also developed by us and already has more than 300 downloads on npm (search for node-dtls-proxy).

  • Positive points:

    • Enables DTLS communication between UDP servers and UDP clients (of any kind) with minimal or no source code modifications.
    • Really quick to set up.
  • Negative points:

    • A bit slower than a pure DTLS solution.
    • The client requires DTLS support, or must be able to run software that implements the DTLS proxy downgrade service.
  • Links:


Orion ContextBroker and LWM2M IoT Agent HTTPS Communication and Support

For HTTPS support on the Orion Context Broker we have added an nginx container to the docker-compose.yml file that acts as an HTTPS reverse proxy in front of the Context Broker, which keeps running over plain HTTP (SSL/TLS termination). We then modified the iotagent-node-lib used by the lightweightm2m-iotagent to support a Context Broker served over HTTPS; this can be set up in the .js configuration file of the IoTA as described here. We also added a feature to the IoT Agent that starts its NGSI server over HTTPS; this is configured in the same .js configuration file of the IoTA as described here, just like the HTTPS Orion configuration.


Walkthrough

Requirements

Clone the repository:

git clone https://github.com/m4n3dw0lf/securefiware --recursive

Install Docker: https://docs.docker.com/engine/installation/ and docker-compose: https://docs.docker.com/compose/install/.

Since all the Fiware libraries for LWM2M are written in NodeJS, install NodeJS and its package manager NPM.

Run the following command:

sudo apt-get install nodejs nodejs-legacy npm


Also install the node-dtls-proxy library, which is responsible for encrypting the device requests and sending them to the LWM2M IoTA over DTLS.

sudo npm install -g node-dtls-proxy


Start the Orion Context Broker and the LWM2M IoT Agent
Generate a certificate and key to be used in TLS and DTLS connections of the components

$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout cert.key -out cert.crt

Run the command below inside this directory to start the orion, mongodb, iota and openssl docker containers

$ sudo docker-compose up

Press CTRL+C to stop the environment
Utils:

Accessing the MongoDB: $ sudo docker exec -it secfiware_mongodb mongo

Accessing the Orion bash: $ sudo docker exec -it secfiware_orion bash

Accessing the IoT Agent bash: $ sudo docker exec -it secfiware_iota bash

Destroying the environment: $ sudo docker-compose down


Start the IoT Device
Running the LWM2M IoT Device (Client)

Enter the fiware-improvements/lwm2m-node-lib directory and install the nodejs requirements:
cd fiware-improvements/lwm2m-node-lib/ ; npm install

Run the LWM2M IoT Device:
node bin/iotagent-lwm2m-client.js

Secure DTLS and TLS Environment Walkthrough
  • Provisioning a service configuration for devices
curl -X POST -k https://localhost:4041/iot/services \
  --header "fiware-service:light_control" \
  --header "fiware-servicepath:/light_control" \
  --header "Content-Type:application/json" -d  '{  
    "services": [
      {
        "resource": "/light_control",
        "apikey": "",
        "type": "Light Control",
        "commands": [],
        "attributes": [
          {
            "name": "On/Off",
            "type": "Boolean"
          }
        ]
      }
    ]
  }'
  • Provisioning a new device for the service created
curl -X POST -k https://localhost:4041/iot/devices \
  --header "fiware-service:light_control" \
  --header "fiware-servicepath:/light_control" \
  --header "Content-Type:application/json" -d '{
    "devices": [
      {
        "device_id": "rasp1",
        "entity_type": "Raspberry",
        "attributes": [
          {
            "name": "On/Off",
            "type": "Boolean"
          }
        ],
        "internal_attributes": {
          "lwm2mResourceMapping": {
            "On/Off" : {
              "objectType": 3311,
              "objectInstance": 0,
              "objectResource": 5850 
            }
          }
        }
      }
    ]
  }'
  • If you get errors in the logs about self-signed certificates, you may need to generate a key pair and declare its path in config-secure.json

  • Open another separated terminal and run

$ udp2dtls 5687 localhost 5684
  • Then (on another separate terminal) start an lwm2m-client
LWM2M-Client> create /3311/0
LWM2M-Client> connect localhost 5687 rasp1 /light_control
LWM2M-Client> set /3311/0 5850 On
Query the device in the ContextBroker
  • Run this
curl -X POST -k https://localhost:1026/v1/queryContext \
  --header "fiware-service:light_control" \
  --header "fiware-servicepath:/light_control" \
  --header "Content-Type:application/json" \
  --header "Accept:application/json" -d \
  '{"entities": [{"id": "Raspberry:rasp1"}]}'

Notice that you will need to set up a udp2dtls proxy on a different port for each device, unless you already have a client that supports DTLS. (DTLS support will be added to the client in future updates.)


Links

Contributors

Name Role Contact
Prof. Dr. Sergio Takeo Kofuji Mentor kofuji@pad.lsi.usp.br
Prof. MSc. Fábio Henrique Cabrini Mentor fabio.cabrini@pad.lsi.usp.br
Angelo Moura Developer m4n3dw0lf@gmail.com
Bruno Galvão Developer bruno.oliveira109@fatec.sp.gov.br
Igor Servulo Developer igor.servulo@fatec.sp.gov.br
Lucas Pereira Developer lucas.pereira49@fatec.sp.gov.br
Anderson A. Alves da Silva Collaborator anderson.silva@pad.lsi.usp.br
Noris Junior Collaborator norisjunior@gmail.com
Albérico de Castro Collaborator alberico.castro@pad.lsi.usp.br
Filippo Valiante Filho Collaborator filippo.valiante@pad.lsi.usp.br