Secure Data Distribution Architecture in IoT Using MQTT

Message Queuing Telemetry Transport (MQTT) is one of the standard application layer protocols for the Internet of Things. It uses a publish/subscribe mechanism which organizes a set of clients around a server called the broker, which delivers published data to its intended recipients. This article proposes an architecture that allows MQTT brokers to cooperate and share their data with other interested MQTT brokers. It is a service-oriented architecture that wraps an MQTT broker with a well defined WebSockets-based interface which allows it to offer its topic space and published data to other MQTT brokers. The wrapped MQTT broker is called a broker service, and it discovers other broker services through a discovery service. Each broker service only connects to services that have data its clients are interested. Furthermore, these services are authenticated by obtaining tokens from an authentication service that registers and issues JSON Web Tokens for them. These tokens contain the identity and claims of their owners and they can be verified without contacting the authentication service. The proposed architecture simplifies data sharing and improves the security in scenarios with multiple MQTT brokers where clients can move between them. In these scenarios, the MQTT brokers need to obtain data based on their clients interests, which are constantly changing. It does so by isolating MQTT brokers into services that can be discovered and consumed over well-defined interfaces. The architecture was implemented in javascript using MQTT 3.1.1 standard complaint library. We demonstrate the performance characteristics of our architecture using our implementation through three scenarios, which are designed to compare the delay from publisher to subscriber when they operate within the same MQTT broker and different MQTT brokers. The results show that the overhead of our architecture is around 50% in two synthetic scenarios (performed on a single machine) and around 27% in a third scenario performed on the cloud with multiple virtual machines hosting the broker services and simulated clients.