SecureFiware
Overview
End-to-end encryption
COAP Device to LWM2M IoT Agent encrypted communication
For the encrypted communication between the device and the IoT agent we've embedded a DTLS server feature in the lwm2m-node-lib source code that forwards any request to the plain-text lwm2m udp server via localhost network then forward the response back to the client. We designed this solution to be setup easily in the configuration .js file and is totally compatible with the lightweightm2m-iotagent as described here and also demonstrated on the PoC below. Notice that the other lightweightm2m-iotagent features are totally unnafected by this modifications.
The dtls-proxy library was also developed by us and already have more than 300 downloads in the npm (search for node-dtls-proxy)
-
Positive points:
- Enables DTLS communication between UDP servers and UDP clients (of any kind) with minimal or none source code modifications.
- Really quick to setup.
-
Negative points:
- A bit slower than a Pure DTLS solution.
- The client requires dtls support or be able to run a software that implements the dtls proxy downgrade service.
-
Links:
Orion ContextBroker and LWM2M IoT Agent HTTPS Communication and Support
For the HTTPS support on the Orion ContextBroker we've added a nginx container in the docker-compose.yml file that acts like a HTTPS reverse-proxy to the ContextBroker in HTTP context (SSL/TLS Termination), then we've modified the iotagent-node-lib used by the lightweightm2m-iotagent to support the ContextBroker in HTTPS context, the configuration can be setupt in the .js configuration file of the IoTa described here, also we modified the IoT Agent with a new feature that starts the NGSI server in HTTPS context too. the configuration can be easily set up in the .js configuration file of the IoTA as described here just like the https orion configuration.
Walkthrough
Requirements
Clone the repositoy:
git clone https://github.com/m4n3dw0lf/securefiware --recursive
Install Docker: https://docs.docker.com/engine/installation/ and docker-compose: https://docs.docker.com/compose/install/.
Since all the Fiware libraries for LWM2M are in NodeJS, install NodeJS and it's package manager NPM
Run the following command:
sudo apt-get install nodejs nodejs-legacy npm
Also install de node-dtls-proxy library that will be responsible for encrypting the device requests and sending to the LWM2MIoTA in the DTLS context.
sudo npm install -g node-dtls-proxy
Start the Orion Context Broker and the LWM2M IoT Agent
Generate a certificate and key to be used in TLS and DTLS connections of the components
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout cert.key -out cert.crt
Run the command below inside this directory to start the orion, mongodb, iota and openssl docker containers
$ sudo docker-compose up
Press CTRL+C to stop the environment
Utils:
Acessing the MongoDB:
$ sudo docker exec -it secfiware_mongodb mongo
Acessing the Orion bash:
$ sudo docker exec -it secfiware_orion bash
Acessing the IoT Agent bash:
$ sudo docker exec -it secfiware_iota bash
Destroying the environment:
$ sudo docker-compose down
Start the IoT Device
Running the LWM2M IoT Device (Client)
Enter the fiware-improvements/lwm2m-node-lib directory and install the nodejs requirements:
cd fiware-improvements/lwm2m-node-lib/ ; npm install
Run the LWM2M IoT Device:
node bin/iotagent-lwm2m-client.js
Secure DTLS and TLS Environment Walkthrough
- Provisioning a service configuration for devices
curl -X POST -k https://localhost:4041/iot/services \
--header "fiware-service:light_control" \
--header "fiware-servicepath:/light_control" \
--header "Content-Type:application/json" -d '{
"services": [
{
"resource": "/light_control",
"apikey": "",
"type": "Light Control",
"commands": [],
"attributes": [
{
"name": "On/Off",
"type": "Boolean"
}
]
}
]
}'
- Provisioning a new device for the service created
curl -X POST -k https://localhost:4041/iot/devices \
--header "fiware-service:light_control" \
--header "fiware-servicepath:/light_control" \
--header "Content-Type:application/json" -d '{
"devices": [
{
"device_id": "rasp1",
"entity_type": "Raspberry",
"attributes": [
{
"name": "On/Off",
"type": "Boolean"
}
],
"internal_attributes": {
"lwm2mResourceMapping": {
"On/Off" : {
"objectType": 3311,
"objectInstance": 0,
"objectResource": 5850
}
}
}
}
]
}'
-
If you get error on logs about self-signed certificates, you may need to generate a keypair and declare the path on the config-secure.json
-
Open another separated terminal and run
$ udp2dtls 5687 localhost 5684
- Then (on another separated terminal) start an lwm2m-client
LWM2M-Client> create /3311/0
LWM2M-Client> connect localhost 5687 rasp1 /light_control
LWM2M-Client> set /3311/0 5850 On
Query the device in the ContextBroker
- Run this
curl -X POST -k https://localhost:1026/v1/queryContext \
--header "fiware-service:light_control" \
--header "fiware-servicepath:/light_control" \
--header "Content-Type:application/json" \
--header "Accept:application/json" -d \
'{"entities": [{"id": "Raspberry:rasp1"}]}'
Notice that you will need to setup a udp2dtls proxy on a different port for each device, unless you already have a client that supports dtls. (The dtls support will be added in the client in future updates)
Links
Contributors
| Name | Role | Contact |
|---|---|---|
| Prof. Dr. Sergio Takeo Kofuji | Mentor | [email protected] |
| Prof. MSc. Fábio Henrique Cabrini | Mentor | [email protected] |
| Angelo Moura | Developer | [email protected] |
| Bruno Galvão | Developer | [email protected] |
| Igor Servulo | Developer | [email protected] |
| Lucas Pereira | Developer | [email protected] |
| Anderson A. Alves da Silva | Collaborator | [email protected] |
| Noris Junior | Collaborator | [email protected] |
| Albérico de Castro | Collaborator | [email protected] |
| Filippo Valiante Filho | Collaborator | [email protected] |