davidraba / SecureFiware

Proposing security measures and security analysis in the Fiware IoT environment.


SecureFiware

Overview

End-to-end encryption

COAP Device to LWM2M IoT Agent encrypted communication

For encrypted communication between the device and the IoT Agent we embedded a DTLS server in the lwm2m-node-lib source code. The DTLS server terminates the encrypted session, forwards each decrypted request to the plain-text LWM2M UDP server over the localhost network, and forwards the response back to the client. The solution is set up entirely in the .js configuration file, is fully compatible with the lightweightm2m-iotagent as described here, and is demonstrated in the PoC below. The other lightweightm2m-iotagent features are unaffected by these modifications. The dtls-proxy library was also developed by us and already has more than 300 downloads on npm (search for node-dtls-proxy).

Note that what this gives you is transport encryption on each hop rather than application-layer end-to-end encryption: the DTLS session ends at the proxy on the agent host, and the plain-text leg between the proxy and the LWM2M server is protected only by being confined to the loopback interface. Keep the plain-text UDP port bound to 127.0.0.1; if it is bound to all interfaces, a client on the network can reach it directly and bypass DTLS altogether.

  • Positive points:

    • Enables DTLS communication between UDP servers and UDP clients (of any kind) with minimal or no source code modifications.
    • Really quick to setup.
  • Negative points:

    • A bit slower than a Pure DTLS solution.
    • The client must support DTLS itself or be able to run the client-side proxy (udp2dtls) that wraps its plain UDP traffic in DTLS.
  • Links:
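The proxy design above only holds if the plain-text LWM2M UDP port is reachable through loopback alone. The script below is an added example, not code from this repository: it parses `ss -uln` output and reports any binding of a given port that is not a loopback address. The port numbers are assumptions: 5684 is the DTLS listener the walkthrough connects to, and 5683 (the standard CoAP port) is assumed for the plain-text server; the `ss` sample is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not part of the repository): check that the plain-text LWM2M
# UDP port is bound only to loopback, so the only way in from the network is
# through the DTLS listener. On a live host run:
#   ss -uln | check_plaintext_is_loopback_only 5683
# Port assumptions: 5684 = DTLS listener (from the walkthrough), 5683 = plain-text
# server (standard CoAP port, assumed; adjust to your config-secure.js).

# Constructed sample of `ss -uln` output, not captured from a real host.
# The DTLS listener on all interfaces is expected; the IPv6 wildcard binding
# of the plain-text port is the misconfiguration this check is meant to catch.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
UNCONN 0      0      0.0.0.0:5684        0.0.0.0:*
UNCONN 0      0      127.0.0.1:5683      0.0.0.0:*
UNCONN 0      0      [::]:5683           [::]:*'

# exposed_listeners PORT   (reads ss output on stdin)
# Prints each local address bound to PORT that is not a loopback address.
exposed_listeners() {
  awk -v port="$1" '
    NR == 1 { next }                          # skip the ss header line
    {
      for (i = 1; i <= NF; i++) {
        if ($i ~ (":" port "$")) {            # field is <addr>:<PORT>
          host = $i
          sub(":" port "$", "", host)
          if (host != "127.0.0.1" && host != "[::1]" && host != "::1")
            print host
        }
      }
    }'
}

# check_plaintext_is_loopback_only PORT   (reads ss output on stdin)
# Returns 0 when PORT is reachable only via loopback, 1 otherwise.
check_plaintext_is_loopback_only() {
  exposed="$(exposed_listeners "$1")"
  if [ -n "$exposed" ]; then
    printf 'plain-text port %s is reachable off-host on: %s\n' "$1" "$exposed" >&2
    return 1
  fi
  return 0
}

# Demo on the constructed sample: reports the [::] binding and returns 1.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | check_plaintext_is_loopback_only 5683 || true
```

The check deliberately ignores the DTLS port: that listener is supposed to face the network. Only the plain-text port is held to the loopback-only rule.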


Orion ContextBroker and LWM2M IoT Agent HTTPS Communication and Support

For HTTPS support on the Orion Context Broker we added an nginx container to docker-compose.yml that acts as an HTTPS reverse proxy in front of the Context Broker, which keeps speaking plain HTTP inside the Docker network (SSL/TLS termination). We then modified the iotagent-node-lib used by the lightweightm2m-iotagent so that it can reach the Context Broker over HTTPS; this is configured in the .js configuration file of the IoTA as described here. We also added a feature to the IoT Agent that starts its NGSI server in HTTPS context; it is configured in the same .js configuration file, just like the HTTPS Orion configuration.
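As an added example (not the repository's own nginx configuration, whose compose service names and certificate paths are not shown on this page), the shell function below writes an nginx server block of the kind described above: it terminates TLS on port 1026, the HTTPS port the walkthrough queries, and proxies to Orion over plain HTTP on the Docker network. The upstream name orion:1026 and the certificate paths are assumptions.

```shell
#!/bin/sh
# Added example: writes an nginx server block that terminates TLS and proxies
# to Orion over plain HTTP inside the Docker network. The upstream name and
# certificate paths are assumptions, not values from this repository.

# write_orion_tls_conf OUTFILE UPSTREAM CERT KEY
#   OUTFILE  where to write the nginx config
#   UPSTREAM Docker-network address of Orion, e.g. orion:1026 (assumed name)
#   CERT/KEY paths of the certificate and private key inside the nginx container
write_orion_tls_conf() {
  outfile="$1" upstream="$2" cert="$3" key="$4"
  cat > "$outfile" <<EOF
server {
    # 1026 is the port the walkthrough queries with https://localhost:1026/...
    listen 1026 ssl;
    server_name localhost;

    ssl_certificate     $cert;
    ssl_certificate_key $key;
    # Refuse legacy protocol versions; TLS 1.2 and 1.3 only.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    location / {
        # Orion itself stays on plain HTTP; only the Docker network sees it.
        proxy_pass http://$upstream;
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# conf_enforces_tls12_plus FILE: 0 if ssl_protocols is limited to TLS 1.2 and 1.3.
conf_enforces_tls12_plus() {
  grep -Eq '^[[:space:]]*ssl_protocols[[:space:]]+TLSv1\.2[[:space:]]+TLSv1\.3;' "$1"
}

# conf_proxies_to FILE UPSTREAM: 0 if the config forwards to http://UPSTREAM.
conf_proxies_to() {
  grep -Fq "proxy_pass http://$2;" "$1"
}
```

Do not also publish Orion's own 1026 port on the host in docker-compose.yml; if it is reachable directly, the TLS hop can be skipped.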


Walkthrough

Requirements
Install Docker: https://docs.docker.com/engine/installation/ and docker-compose: https://docs.docker.com/compose/install/.

Since all the Fiware libraries for LWM2M are written in Node.js, install Node.js and its package manager npm.

Run the following command:

sudo apt-get install nodejs nodejs-legacy npm


Also install the node-dtls-proxy library, which is responsible for encrypting the device requests and sending them to the LWM2M IoTA over DTLS.

sudo npm install -g node-dtls-proxy


Start the Orion Context Broker
Run the command below to start the Orion, MongoDB, nginx and openssl Docker containers:

$ sudo docker-compose up

Press CTRL+C to stop the environment.
Utils:

Accessing the MongoDB shell: $ sudo docker exec -it secfiware_mongodb mongo

Accessing the Orion shell: $ sudo docker exec -it secfiware_orion bash

Destroying the environment: $ sudo docker-compose down


Start the IoT Agent and IoT Device
Initialize the git submodules

$ git submodule update --init --recursive

Running the LWM2M IoT Agent (Server)

Enter the fiware-improvements/lightweightm2m-iotagent directory and install the Node.js dependencies, replacing the stock iotagent-node-lib with the improved one:
$ cd fiware-improvements/lightweightm2m-iotagent/ ; npm install

You may need to generate a key pair and declare its path in config-secure.js:
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout cert.key -out cert.crt

Run the LWM2M IoT Agent:
$ node bin/lwm2mAgent.js config-secure.js

Running the LWM2M IoT Device (Client)

Enter the fiware-improvements/lwm2m-node-lib directory and install the Node.js dependencies:
$ cd fiware-improvements/lwm2m-node-lib/ ; npm install

Run the LWM2M IoT Device:
$ node bin/iotagent-lwm2m-client.js

Secure DTLS and TLS Environment Walkthrough
  • Provisioning a service configuration for devices
curl -X POST -k https://localhost:4041/iot/services \
  --header "fiware-service:raspberry" \
  --header "fiware-servicepath:/raspberry" \
  --header "Content-Type:application/json" -d  '{
    "services": [
      {
        "resource": "/raspberry",
        "apikey": "",
        "type": "Raspberry",
        "commands": [],
        "attributes": [
          {
            "name": "Light",
            "type": "string"
          }
        ]
      }
    ]
  }'
  • Provisioning a new device for the service created
curl -X POST -k https://localhost:4041/iot/devices \
  --header "fiware-service:raspberry" \
  --header "fiware-servicepath:/raspberry" \
  --header "Content-Type:application/json" -d '{
    "devices": [
      {
        "device_id": "rasp1",
        "entity_type": "Raspberry",
        "attributes": [
          {
            "name": "Light",
            "type": "string"
          }
        ],
        "internal_attributes": {
          "lwm2mResourceMapping": {
            "Light" : {
              "objectType": 3311,
              "objectInstance": 0,
              "objectResource": 0
            }
          }
        }
      }
    ]
  }'
  • If the logs report errors about self-signed certificates, you may need to generate a key pair and declare its path in config-secure.js (see above). The -k flag in the curl calls above disables certificate verification for the same reason; it is only acceptable for a local PoC with self-signed certificates.

  • Open another separate terminal and start the client-side proxy, which listens for plain UDP on port 5687 and forwards it over DTLS to the IoT Agent's DTLS listener on localhost:5684:

$ udp2dtls 5687 localhost 5684
  • Then (in another separate terminal) start an LWM2M client and run:
LWM2M-Client> create /3311/0
LWM2M-Client> connect localhost 5687 rasp1 /raspberry
LWM2M-Client> set /3311/0 0 On
Query the device in the ContextBroker
  • Run:
curl -X POST -k https://localhost:1026/v1/queryContext \
  --header "fiware-service:raspberry" \
  --header "fiware-servicepath:/raspberry" \
  --header "Content-Type:application/json" \
  --header "Accept:application/json" -d \
  '{"entities": [{"id": "Raspberry:rasp1"}]}'

Note that you need to set up a udp2dtls proxy on a different local port for each device, unless your client already supports DTLS natively. (DTLS support will be added to the client in future updates.)
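The openssl command given earlier prompts interactively and produces a certificate without a subjectAltName, which is why the walkthrough falls back to curl -k. The script below is an added example, not code from this repository: it generates the cert.key / cert.crt pair non-interactively with a SAN for the host, checks the result before you point config-secure.js and nginx at it, and shows how the curl calls can then verify the certificate with --cacert instead of skipping verification. The host names and the 365-day lifetime are assumptions for a local PoC.

```shell
#!/bin/sh
# Added example (not from the repository): generate the key pair the walkthrough
# needs without interactive prompts and with a subjectAltName, then check the
# certificate. File names follow the walkthrough (cert.key / cert.crt); the host
# names and the 365-day lifetime are assumptions for a local PoC.

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

# gen_dev_cert DIR DNSNAME IPADDR
#   Writes DIR/cert.key and DIR/cert.crt, self-signed, valid for DNSNAME and IPADDR.
#   The subshell keeps the restrictive umask (private key not world-readable)
#   from leaking into the caller's shell.
gen_dev_cert() {
  dir="$1" dnsname="$2" ipaddr="$3"
  ( umask 077
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
      -subj "/CN=$dnsname" \
      -addext "subjectAltName=DNS:$dnsname,IP:$ipaddr" \
      -keyout "$dir/cert.key" -out "$dir/cert.crt" 2>/dev/null )
}

# cert_has_san CERT NAME: 0 if NAME appears in the certificate's subjectAltName.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_ok_for DAYS CERT: 0 unless the certificate expires within DAYS days.
cert_ok_for() {
  openssl x509 -in "$2" -noout -checkend "$(( $1 * 86400 ))" >/dev/null
}

# Walkthrough usage (comments only; the curl calls need the running services):
#   gen_dev_cert . localhost 127.0.0.1
#   cert_has_san cert.crt localhost && cert_ok_for 30 cert.crt
# Then point config-secure.js and the nginx container at cert.key / cert.crt and
# replace -k with the trust anchor you just created, e.g.
#   curl --cacert cert.crt https://localhost:4041/iot/services ...
#   curl --cacert cert.crt https://localhost:1026/v1/queryContext ...
```

With --cacert the client checks that the certificate chains to cert.crt and that the host name matches the SAN, so a different self-signed certificate presented on the same port is rejected rather than silently accepted.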


Links

Contributors

Name Role Contact
Prof. Dr. Sergio Takeo Kofuji Mentor kofuji@pad.lsi.usp.br
Prof. MSc. Fábio Henrique Cabrini Mentor fabio.cabrini@pad.lsi.usp.br
Angelo Moura Developer m4n3dw0lf@gmail.com
Bruno Galvão Developer bruno.oliveira109@fatec.sp.gov.br
Igor Servulo Developer igor.servulo@fatec.sp.gov.br
Lucas Pereira Developer lucas.pereira49@fatec.sp.gov.br
Anderson A. Alves da Silva Collaborator anderson.silva@pad.lsi.usp.br
Noris Junior Collaborator norisjunior@gmail.com
Albérico de Castro Collaborator alberico.castro@pad.lsi.usp.br
Filippo Valiante Filho Collaborator filippo.valiante@pad.lsi.usp.br
