IoT General Protocols:
1. MQTT (Message Queuing Telemetry Transport) — A lightweight messaging protocol designed for device communication in low bandwidth and unstable network environments (Applicable: Remote monitoring of IoT devices, sensor data transmission)
1) Small protocol header, suitable for resource-constrained devices
2) Publish/Subscribe model
3) QoS: Provides three levels of service quality
2. CoAP (Constrained Application Protocol)
CoAP is a protocol designed for low-power, low-bandwidth networks, based on REST architecture, similar to HTTP. Features:
Lightweight: Suitable for resource-constrained devices.
RESTful architecture: Supports GET, POST, PUT, DELETE operations.
UDP transmission: Reduces transmission overhead.
Application scenarios: Suitable for smart homes, industrial control, etc., requiring a simple request/response mechanism.
3. AMQP (Advanced Message Queuing Protocol)
Overview: AMQP is an open-source standard application layer protocol for message middleware, supporting complex messaging patterns. Features:
Reliability: Ensures reliable message delivery.
Flexibility: Supports various messaging patterns.
Interoperability: Implementations from different vendors can interoperate.
4. Bluetooth Low Energy (BLE)
Overview: BLE is a low-power Bluetooth technology for short-range data communication, suitable for battery-powered devices. Features:
Low power consumption: Extends battery life.
Wide support: Built into most smartphones and mobile devices.
Highly adaptable: Supports both broadcast and connection modes.
Application scenarios: Suitable for wearable devices, medical devices, smart homes, etc., requiring short-range low-power communication.
https://developer.aliyun.com/article/1638402
II. MQTT Publish/Subscribe Protocol:
Publisher > Broker > Subscriber (HTTP: Request/Response model)
Advantages: Low bandwidth, high latency, unstable network optimization process:
a. Device generates raw data > TLS encrypted tunnel encrypts data sent to B (e.g., AWS IoT Core)
b. Transmit encrypted data to C (corresponding server)
Using TLS: Encrypts data at the transport layer to prevent man-in-the-middle attacks and data eavesdropping. AWS IoT defaults to port 8883.
III. Authentication and Connection Process
Device authentication three elements:
X.509 Certificate: Device identity (issued by AWS IoT or third-party CA)
Private Key File: Asymmetric encryption key (.key file)
Root Certificate: Trust chain verification (Amazon Root CA)
Connection Establishment Process:
sequenceDiagram
Device->>AWS IoT Core: 1. TCP handshake (port 8883)
Device->>AWS IoT Core: 2. TLS handshake (certificate exchange)
AWS IoT Core-->>Device: 3. Validate device certificate validity
Device->>AWS IoT Core: 4. MQTT CONNECT (with ClientID)
AWS IoT Core-->>Device: 5. CONNACK (connection acknowledgment)
IV. Why Fragmented IoT Devices Require Authorization and Authentication?
Purpose:
1. Prevent counterfeit devices from connecting (X.509 device identity authentication)
2. Prevent unauthorized devices from accessing sensitive data (avoid user privacy data leakage)
3. Prevent device hijacking (avoid attacks)
4. Overstepping operations
Authentication: Verify the authenticity of the device identity (not a counterfeit device).
Someone knocks on the door; first confirm that the person knocking is someone you know. If confirmed, let them in; if not, do not open the door.
Implementation method: Authenticate through X.509 certificates/IAM roles, etc.
Authentication failure: Reject device connection (403 error)
Authentication success: AWS IoT: connect action
Authorization: Authorization actions will always occur after successful authentication, intended to define what the authenticated device can do (operational permissions).
Some people allowed to sit in the living room, some allowed to enter special rooms for visits.
Authorization failure: Device operation requests are denied, but connection can still be maintained (error: 401)
AWS: Authorization success
Authorization and Authentication Process:
sequenceDiagram
Device->>+IoT Core: Initiate connection with X.509 certificate
IoT Core->>CA: Certificate validity verification
alt Authentication success
IoT Core-->>Device: Establish TLS encrypted channel
Device->>IoT Core: Request to publish data to sensors/temp
IoT Core->>Policy Engine: Check device permission policy
alt Authorization passed
IoT Core-->>Data Pipeline: Forward data
else Authorization failed
IoT Core-->>Device: Return 401 Unauthorized
end
else Authentication failed
IoT Core-->>Device: Return 403 Forbidden
end