Security over MQTT using encryption

mqtt

#1

Hi Ravi,

I want some idea about MQTT encryption. How do I develop it in my code?


#2

Hi Dharmendra,
What is the processor you are using?
I don't think you can run encryption on Arduino boards or any low-end MCU as it needs more horsepower and RAM.
You should integrate lightweight TLS/SSL encryption libraries like


or
https://www.insidesecure.com/Products/Data-Communication/Secure-Communication-Toolkits/GUARD-TLS-TK
or
https://tls.mbed.org/features

And then send your encrypted data over a normal TCP connection.


#3

I am using 28035. I noticed that SIM800 supports SSL over TCP port. I am not sure though how to pass the certificate from MCU to SIM800?


#4

Hi Dharmendra,
Thanks for letting me know, I was unaware of it.
Yes, SIM800 does support SSL over TCP.
There is documentation on how to provide this certificate for encryption. Do have a look here in this document:
http://simcom.ee/documents/SIM800x/SIM800%20Series_SSL_Application%20Note_V1.02.pdf

3.10. Import a SSL Certificate File

Grammar                                               Description
AT+FSCREATE=C:\USER\HENRY_SSL.CRT                     Create certificate file on FS.
OK
AT+FSWRITE=C:\USER\HENRY_SSL.CRT,0,1196,10            Write file to FS.
>
OK
AT+SSLSETCERT="C:\USER\HENRY_SSL.CRT","********"      Import certificate file
OK
+SSLSETCERT: 0                                        Import succeed

#5

I noticed that. I think it is fetching the file from PC. I need to fetch it from EEPROM. I am wondering how is it going to work?
I need to pass the pointer to some RAM location I guess.


#6

@dharminec1 I think the path is on the internal memory file system of the SIM800 module. Using the above FSWRITE command you can save the certificate file in the internal memory path. You might need to enter the certificate file contents after the > prompt, I guess; then it gets saved into the module's memory and you just give that file path to the SSLSETCERT command for use.
The C:\USER\ path is the module's internal file system, not on a desktop.


#7

Thanks Ravi…
I am having some basic issues. I have a SIM800 board, which functions OK I guess, judging by the LEDs. When I tried to send AT, it replied back the same. I sent ATE0, it did the same. It echoes everything. I checked my USB to serial; it is pretty fine. Have you come across any such issues? I am not new to this thing. I used RS232 before. This time I am using UART.


#8

Hi
You mean you are getting echo back of data?
The ATE0 command should stop it.
You can use AT&W to save echo mode settings to module. On next restart it will not echo.

It depends on your terminal software also. Some software has echo mode enabled. Check once.


#9

No, it is not a tool issue or the USB to serial converter. I am guessing something is wrong with the module.
One question: I am going to use SIM800C in my design. I watched your video about the 2G issue; I guess it will be good for a few years though. Despite that, is there any issue you can think of? Should I go for Telit or Quectel?

Where do I buy these modules? I could not find them on element14 or on Digikey.

And do I need to know the APN for every network provider? If I want to change the SIM card, this would be very painful. There must be some way, as in a cellphone there are no such settings to connect with the internet.


#10

Although there was news that 2G is being shut down completely, some companies are going to carry it for some time. In India it's going to be there for a long time still.
Telit is quite expensive and has no sales support except one or two distributors in India.
Quectel has comparable prices. You can try. Telit designs are very complex; they need a lot of extra circuitry to operate. Their modules don't even have a Power Key pin to turn ON/OFF, like the GL865 or GE866.

Contact Rabytes India or WE components for Telit modules. For Quectel Evelta electronics is the site.
Yes, you need to know the APN beforehand. It's a one-time setup. Normally it is done using SMS in some modules. SIM800C has Bluetooth, so I make use of it to set APN values using an Android app.


#11

Thanks Ravi. This will help me a lot.
I have a question about TCP/IP setup.
Below are the commands to connect with a TCP port. Do I need to apply all of them every time? I guess I only need to repeat the commands after AT+CIPSTART. Do you have any idea?

Command                                   Response      Description
AT+CGATT?                                 +CGATT:n      Checks if GPRS is attached; n=1 if attached
AT+CIPMUX=n                               OK            Use n=0 for a single connection or n=1 for multiple connections
AT+CSTT="apn","username","pass"           OK            Sets APN, user name and password
AT+CIICR                                  OK            Brings up the wireless connection
AT+CIFSR                                  ip address    Gets the local IP address if connected
AT+CIPSTART="TYPE","domain","port"        Connected     Establishes a connection with a server. TYPE can be UDP or TCP
AT+CIPSEND                                >             Sends data when a connection is established
AT+CIPCLOSE                               OK            Closes the connection
AT+CIPSHUT                                SHUT OK       Resets the IP session, if any
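As an added example (not code from this thread or from SIMCom), the AT dialogue quoted in #4 (FSCREATE / FSWRITE with the `>` prompt / SSLSETCERT) and the connection table in #11 can be driven from a small, transport-agnostic Python driver. The `FakeSIM800` class below is a constructed stand-in for the module on a UART whose reply lines follow the tables quoted in the thread; pointing the same driver at a pyserial port that exposes `send()`/`read_line()` is assumed to be the only change needed for real hardware and is not exercised here. Also assumed: `AT+CIPSSL=1` is issued before `AT+CIPSTART` to get TLS on the socket (the command mentioned further down the thread), `AT+CIFSR` answers with the bare address and no trailing `OK`, the bytes after the `AT+CIPSEND` prompt end with Ctrl-Z, and the split between one-time bearer bring-up (everything before CIPSTART) and the per-connection part (CIPSTART onward) is the structure the question in #11 proposes. The driver reads the numeric `+SSLSETCERT:` result instead of trusting the `OK`, which is how the `+SSLSETCERT: 1` failure from #18 would be caught in firmware.

```python
"""AT-command driver for SIM800-style TLS bring-up, run against a scripted
fake modem so it works offline. A pyserial wrapper with the same send() and
read_line() methods is assumed to be a drop-in replacement (not tested here)."""
import re


class FakeSIM800:
    """Constructed stand-in for the module on a UART. Reply lines follow the
    tables quoted in this thread; cert_ok=False reproduces '+SSLSETCERT: 1'."""

    def __init__(self, cert_ok=True):
        self.cert_ok = cert_ok
        self.sent = []        # everything the driver wrote, for inspection
        self.queue = []       # reply lines not yet read
        self.prompt = None    # ("file", name) or ("data", None) while '>' is open
        self.files = {}       # the module's C:\USER\ file system

    def send(self, data: bytes) -> None:
        self.sent.append(data)
        if self.prompt is not None:          # bytes after a '>' prompt are payload
            kind, name = self.prompt
            self.prompt = None
            if kind == "file":
                self.files[name] = data
                self.queue.append("OK")
            else:
                self.queue.append("SEND OK")
            return
        self.queue.extend(self._reply(data.decode().strip()))

    def _reply(self, cmd):
        if cmd == "AT+CGATT?":
            return ["+CGATT: 1", "OK"]
        m = re.match(r"AT\+FSWRITE=([^,]+),", cmd)
        if m:
            self.prompt = ("file", m.group(1))
            return [">"]
        if cmd.startswith("AT+SSLSETCERT="):
            name = cmd.split('"')[1]
            code = 0 if self.cert_ok and name in self.files else 1
            return ["OK", f"+SSLSETCERT: {code}"]
        if cmd == "AT+CIFSR":
            return ["10.0.0.2"]              # constructed address, no OK follows
        if cmd.startswith("AT+CIPSTART="):
            return ["OK", "CONNECT OK"]
        if cmd == "AT+CIPSEND":
            self.prompt = ("data", None)
            return [">"]
        if cmd == "AT+CIPCLOSE":
            return ["CLOSE OK"]
        return ["OK"]                        # FSCREATE, CIPMUX, CSTT, CIICR, CIPSSL

    def read_line(self) -> str:
        """One reply line, or "" when nothing is pending (a real port: timeout)."""
        return self.queue.pop(0) if self.queue else ""


def expect(modem, final=("OK",), max_lines=50):
    """Collect reply lines until a final result code. ERROR, +CME ERROR, any
    '... FAIL' line or a timeout ends the wait with ok=False."""
    lines = []
    for _ in range(max_lines):
        line = modem.read_line()
        if line == "":
            break
        lines.append(line)
        if line in final:
            return True, lines
        if line == "ERROR" or line.startswith("+CME ERROR") or line.endswith("FAIL"):
            break
    return False, lines


def at(modem, cmd, final=("OK",)):
    modem.send((cmd + "\r").encode())
    return expect(modem, final)


def import_certificate(modem, path, pem: bytes, password=None):
    """Section 3.10 of the SSL note: create the file, stream its bytes after the
    '>' prompt, register it. Returns the +SSLSETCERT code (0 = imported), or
    None when the dialogue broke down before a code was reported."""
    if not at(modem, f"AT+FSCREATE={path}")[0]:
        return None
    if not at(modem, f"AT+FSWRITE={path},0,{len(pem)},10", final=(">",))[0]:
        return None
    modem.send(pem)                          # raw certificate bytes, no CR
    if not expect(modem)[0]:
        return None
    args = f'"{path}"' + (f',"{password}"' if password else "")
    ok, lines = at(modem, "AT+SSLSETCERT=" + args)
    if not ok:
        return None
    # the result code is its own line after OK; it may arrive slightly later
    urc = next((l for l in lines if l.startswith("+SSLSETCERT:")), None) or modem.read_line()
    return int(urc.split(":")[1]) if urc.startswith("+SSLSETCERT:") else None


def open_bearer(modem, apn, user="", password=""):
    """One-time IP bring-up: the rows of the table before CIPSTART.
    Returns the local address, or None as soon as any step fails."""
    ok, lines = at(modem, "AT+CGATT?")
    if not ok or "+CGATT: 1" not in lines:
        return None
    for cmd in ("AT+CIPMUX=0", f'AT+CSTT="{apn}","{user}","{password}"', "AT+CIICR"):
        if not at(modem, cmd)[0]:
            return None
    modem.send(b"AT+CIFSR\r")                # assumed: answers with the bare address
    ip = modem.read_line()
    return ip if re.fullmatch(r"\d+(\.\d+){3}", ip) else None


def send_over_tls(modem, host, port, frame: bytes):
    """Per-connection part, repeated for every session: TLS on, connect, one
    frame after the '>' prompt (Ctrl-Z ends it), close. True only on SEND OK."""
    if not at(modem, "AT+CIPSSL=1")[0]:
        return False
    if not at(modem, f'AT+CIPSTART="TCP","{host}","{port}"', final=("CONNECT OK",))[0]:
        return False
    sent = False
    if at(modem, "AT+CIPSEND", final=(">",))[0]:
        modem.send(frame + b"\x1a")
        sent = expect(modem, final=("SEND OK",))[0]
    at(modem, "AT+CIPCLOSE", final=("CLOSE OK",))
    return sent


if __name__ == "__main__":
    modem = FakeSIM800()
    ca = b"-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n"
    print("cert import code:", import_certificate(modem, r"C:\USER\CA.CRT", ca))
    print("local ip:", open_bearer(modem, "internet"))
    print("frame sent:", send_over_tls(modem, "broker.example", 8883, b"\x10\x00"))
```

Every step returns as soon as a final result code other than the expected one shows up, so a rejected certificate or a `CONNECT FAIL` never silently falls through to `AT+CIPSEND`; `open_bearer` is called once, and only `send_over_tls` is repeated per connection.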


#12

Welcome Dharmendra, :slight_smile:
Please post it in a separate topic.


#13

Thanks, Ravi. I wrote my own library for MQTT packets. It works fine. Now I need to encrypt the frame using SSL. Do you have any idea how can I do that using three different keys I have?


#14

For SSL encryption use a good processor like a Cortex-M4, which has good speed and an inbuilt floating-point unit and encryption units. Make use of the open libraries from Mbed to encrypt the data. https://tls.mbed.org
There are other lightweight libraries available which you can make use of.


#15

You are right, I need a higher-power MCU. I cannot change the design at this point. The best shot is to use the GSM module's SSL. I tried as per the document but could not get it working. Can you help me out with this? I tried the CloudMQTT secure server. I created a certificate in SIM800 but I am not able to import it. Can you try it out, if you can?


#16

Ok. I will try and let you know.


#17

@dharminec1
Which MQTT broker are you trying to connect to via SSL?


#18

I am using CloudMQTT. My issue is I am not able to set the certificate in SIM800.
AT+SSLSETCERT="C:\USER\SSL1.CER"
OK

+SSLSETCERT: 1
This means error.
I tried the same certificate from MQTTfx client and it worked.


#19

For CloudMQTT you just use the default certificate, right?
I was able to just use command AT+CIPSSL=1 and it connected and sent data to the server on SSL port.


#20

Yes, I did the same. I was able to send data but when I tried to set the certificate it failed. I will be using AWS later where I will have a certificate.