{"id":13506120,"url":"https://github.com/m4n3dw0lf/SecureFiware","last_synced_at":"2025-03-30T03:30:34.363Z","repository":{"id":175969820,"uuid":"127581188","full_name":"m4n3dw0lf/SecureFiware","owner":"m4n3dw0lf","description":" Proposing security measures and security analysis in the Fiware IoT environment. ","archived":false,"fork":false,"pushed_at":"2018-10-04T02:59:44.000Z","size":616,"stargazers_count":21,"open_issues_count":0,"forks_count":6,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-03-18T18:15:24.925Z","etag":null,"topics":["coap","dtls","fiware","https","iot","iot-platform","lwm2m","secure","security","smartcities"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/m4n3dw0lf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2018-04-01T00:04:10.000Z","updated_at":"2022-05-04T17:17:50.000Z","dependencies_parsed_at":null,"dependency_job_id":"a9555f0e-5332-4e96-b6af-2f76ad45a9b8","html_url":"https://github.com/m4n3dw0lf/SecureFiware","commit_stats":null,"previous_names":["m4n3dw0lf/securefiware"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m4n3dw0lf%2FSecureFiware","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m4n3dw0lf%2FSecureFiware/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m4n3dw0lf%2FSecureFiware/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m4n3dw0lf%2FSecureFiware/manifests","owner_url":"https://
repos.ecosyste.ms/api/v1/hosts/GitHub/owners/m4n3dw0lf","download_url":"https://codeload.github.com/m4n3dw0lf/SecureFiware/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246273533,"owners_count":20750904,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["coap","dtls","fiware","https","iot","iot-platform","lwm2m","secure","security","smartcities"],"created_at":"2024-08-01T01:00:34.968Z","updated_at":"2025-03-30T03:30:33.232Z","avatar_url":"https://github.com/m4n3dw0lf.png","language":"Shell","funding_links":[],"categories":["Open-Source FIWARE from third parties"],"sub_categories":["Security"],"readme":"# SecureFiware\n\n![](https://img.shields.io/badge/version-0.0.1-green.svg)\n\n### Overview\n\n![](img/fiware-over-crypt.png)\n\n\n### End-to-end encryption\n\n#### COAP Device to LWM2M IoT Agent encrypted communication\n\n![](img/iota-device-encryption-proposal.png)\n\nFor the encrypted communication between the device and the IoT agent, we've embedded a DTLS server feature in the **lwm2m-node-lib** source code that forwards each request to the plain-text LWM2M UDP server over the localhost network and then forwards the response back to the client. We designed this solution to be set up easily in the `.js` configuration file, and it is fully compatible with the **lightweightm2m-iotagent**, as described [here](fiware-improvements/README.md#dtls-configuration) and demonstrated in the PoC below. 
Notice that the other lightweightm2m-iotagent features are totally unaffected by these modifications.\nThe dtls-proxy library was also developed by us and already has more than 300 downloads on npm (search for **node-dtls-proxy**)\n\n![](img/iota-device-encryption-solution.png)\n\n - Positive points:\n   - Enables DTLS communication between UDP servers and UDP clients (of any kind) with minimal or no source code modifications.\n   - Really quick to set up.\n\n - Negative points:\n   - A bit slower than a pure DTLS solution.\n   - The client requires DTLS support or must be able to run software that implements the DTLS proxy downgrade service.\n\n - Links:\n   - [ goldy - IBM Lightweight DTLS proxy ](https://developer.ibm.com/code/open/projects/goldy/)\n   - [ node-dtls-proxy ](https://github.com/m4n3dw0lf/node-dtls-proxy)\n\n\u003cbr\u003e\n\n#### Orion ContextBroker and LWM2M IoT Agent HTTPS Communication and Support\n\n![](img/broker-ngsi-encryption-solution.png)\n\nFor HTTPS support on the Orion ContextBroker, we've added an nginx container in the `docker-compose.yml` file that acts as an HTTPS reverse proxy to the ContextBroker in HTTP context (SSL/TLS termination). We then modified the **iotagent-node-lib** used by the **lightweightm2m-iotagent** to support the ContextBroker in HTTPS context; the configuration can be set up in the `.js` configuration file of the IoTA as described [here](fiware-improvements#connect-to-orion-in-https-context). We also modified the IoT Agent with a new feature that starts the NGSI server in HTTPS context too. 
The configuration can be easily set up in the `.js` configuration file of the IoTA, as described [here](fiware-improvements/README.md#iot-agent-https-configuration), just like the HTTPS Orion configuration.\n\n\u003cbr\u003e\n\n### Walkthrough\n\n\u003cdetails\u003e\n\u003csummary\u003eRequirements\u003c/summary\u003e\n\u003cbr\u003e\n\nClone the repository:\u003cbr\u003e\u003cbr\u003e\n\u003ccode\u003e\ngit clone https://github.com/m4n3dw0lf/securefiware --recursive\n\u003c/code\u003e\n\u003cbr\u003e\n\u003cbr\u003e\nInstall \u003cb\u003eDocker\u003c/b\u003e: https://docs.docker.com/engine/installation/ and \u003cb\u003edocker-compose\u003c/b\u003e: https://docs.docker.com/compose/install/.\n\u003cbr\u003e\n\u003cbr\u003e\nSince all the Fiware libraries for LWM2M are in NodeJS, install \u003cb\u003eNodeJS\u003c/b\u003e and its package manager \u003cb\u003eNPM\u003c/b\u003e\u003cbr\u003e\u003cbr\u003e\nRun the \u003cb\u003efollowing command\u003c/b\u003e:\u003cbr\u003e\u003cbr\u003e\n\u003ccode\u003e\nsudo apt-get install nodejs nodejs-legacy npm\n\u003c/code\u003e\n\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\nAlso install the node-dtls-proxy library, which will be responsible for encrypting the device requests and sending them to the LWM2M IoTA in the DTLS context.\u003cbr\u003e\u003cbr\u003e\n\u003ccode\u003e\nsudo npm install -g node-dtls-proxy\n\u003c/code\u003e\n\u003cbr\u003e\n\u003cbr\u003e\n\u003c/details\u003e\n\u003cbr\u003e\n\u003cdetails\u003e\n\u003csummary\u003eStart the Orion Context Broker and the LWM2M IoT Agent\u003c/summary\u003e\n\u003cbr\u003e\nGenerate a certificate and key to be used in the TLS and DTLS connections of the components\n\u003cbr\u003e\n\u003cbr\u003e\n\u003ccode\u003e\n$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout cert.key -out cert.crt\n\u003c/code\u003e\n\u003cbr\u003e\n\u003cbr\u003e\nRun the \u003cb\u003ecommand below\u003c/b\u003e inside this directory to start the orion, mongodb, iota and openssl docker 
containers\n\u003cbr\u003e\n\u003cbr\u003e\n\u003ccode\u003e\n$ sudo docker-compose up\n\u003c/code\u003e\n\u003cbr\u003e\n\u003cbr\u003e\nPress CTRL+C to stop the environment\n\u003cbr\u003e\n\n\u003ch5\u003e Utils:\u003c/h5\u003e\n\u003cbr\u003e\nAccessing the MongoDB:\n\u003ccode\u003e\n$ sudo docker exec -it secfiware_mongodb mongo\n\u003c/code\u003e\n\u003cbr\u003e\n\u003cbr\u003e\nAccessing the Orion bash:\n\u003ccode\u003e\n$ sudo docker exec -it secfiware_orion bash\n\u003c/code\u003e\n\u003cbr\u003e\n\u003cbr\u003e\nAccessing the IoT Agent bash:\n\u003ccode\u003e\n$ sudo docker exec -it secfiware_iota bash\n\u003c/code\u003e\n\u003cbr\u003e\n\u003cbr\u003e\nDestroying the environment:\n\u003ccode\u003e\n$ sudo docker-compose down\n\u003c/code\u003e\n\u003cbr\u003e\n\u003cbr\u003e\n\u003c/details\u003e\n\u003cbr\u003e\n\u003cdetails\u003e\n\u003csummary\u003eStart the IoT Device\u003c/summary\u003e\n\u003cbr\u003e\n\u003ch5\u003e Running the LWM2M IoT Device (Client) \u003c/h5\u003e\n\u003cbr\u003e\nEnter the \u003cb\u003efiware-improvements/lwm2m-node-lib\u003c/b\u003e directory and install the nodejs requirements:\n\u003cbr\u003e\n\u003ccode\u003e\ncd fiware-improvements/lwm2m-node-lib/ ; npm install\n\u003c/code\u003e\n\u003cbr\u003e\u003cbr\u003e\nRun the LWM2M IoT Device:\u003cbr\u003e\n\u003ccode\u003e\nnode bin/iotagent-lwm2m-client.js\n\u003c/code\u003e\n\u003cbr\u003e\n\u003c/details\u003e\n\u003cbr\u003e\n\u003cdetails\u003e\n\u003csummary\u003e Secure DTLS and TLS Environment Walkthrough \u003c/summary\u003e\n\n- Provisioning a service configuration for devices\n```\ncurl -X POST -k https://localhost:4041/iot/services \\\n  --header \"fiware-service:light_control\" \\\n  --header \"fiware-servicepath:/light_control\" \\\n  --header \"Content-Type:application/json\" -d  '{  \n    \"services\": [\n      {\n        \"resource\": \"/light_control\",\n        \"apikey\": \"\",\n        \"type\": \"Light Control\",\n        \"commands\": [],\n        
\"attributes\": [\n          {\n            \"name\": \"On/Off\",\n            \"type\": \"Boolean\"\n          }\n        ]\n      }\n    ]\n  }'\n```\n\n- Provisioning a new device for the service created\n\n```\ncurl -X POST -k https://localhost:4041/iot/devices \\\n  --header \"fiware-service:light_control\" \\\n  --header \"fiware-servicepath:/light_control\" \\\n  --header \"Content-Type:application/json\" -d '{\n    \"devices\": [\n      {\n        \"device_id\": \"rasp1\",\n        \"entity_type\": \"Raspberry\",\n        \"attributes\": [\n          {\n            \"name\": \"On/Off\",\n            \"type\": \"Boolean\"\n          }\n        ],\n        \"internal_attributes\": {\n          \"lwm2mResourceMapping\": {\n            \"On/Off\" : {\n              \"objectType\": 3311,\n              \"objectInstance\": 0,\n              \"objectResource\": 5850 \n            }\n          }\n        }\n      }\n    ]\n  }'\n```\n\n\n- If the logs show errors about self-signed certificates, you may need to generate a key pair and declare its path in config-secure.json\n\n- Open another, separate terminal and run\n\n```\n$ udp2dtls 5687 localhost 5684\n```\n\n- Then (in another separate terminal) start an lwm2m-client\n```\nLWM2M-Client\u003e create /3311/0\nLWM2M-Client\u003e connect localhost 5687 rasp1 /light_control\nLWM2M-Client\u003e set /3311/0 5850 On\n```\n\n\u003ch5\u003eQuery the device in the ContextBroker\u003c/h5\u003e\n\n- Run this\n\n```\ncurl -X POST -k https://localhost:1026/v1/queryContext \\\n  --header \"fiware-service:light_control\" \\\n  --header \"fiware-servicepath:/light_control\" \\\n  --header \"Content-Type:application/json\" \\\n  --header \"Accept:application/json\" -d \\\n  '{\"entities\": [{\"id\": \"Raspberry:rasp1\"}]}'\n```\n\n\u003e Notice that you will need to set up a udp2dtls proxy on a different port for each device, unless you already have a client that supports DTLS. 
(The dtls support will be added in the client in future updates)\n\n\u003c/details\u003e\n\u003cbr\u003e\n\u003cdetails\u003e\n\u003csummary\u003eLinks\u003c/summary\u003e\n\u003cbr\u003e\n\n- [Fiware tour guide application](https://www.fiware.org/devguides/fiware-tour-guide-application-a-tutorial-on-how-to-integrate-the-main-fiware-ges/)\n\n- [IoTa Docs](https://github.com/telefonicaid/lightweightm2m-iotagent/tree/master/docs)\n\n- [lwm2m-node-lib](https://github.com/telefonicaid/lwm2m-node-lib)\n\n- [Devices provisioning](https://github.com/telefonicaid/lightweightm2m-iotagent/blob/master/docs/deviceProvisioning.md)\n\n- [Configuration provisioning (fiware-service)](https://github.com/telefonicaid/lightweightm2m-iotagent/blob/master/docs/configurationProvisioning.md)\n\n- [Installation of client](https://github.com/telefonicaid/lightweightm2m-iotagent/blob/master/docs/configurationProvisioning.md#installation-of-the-client)\n\n- [Using the device](https://github.com/telefonicaid/lightweightm2m-iotagent/blob/master/docs/configurationProvisioning.md#using-the-device)\n\n- [RFC DTLS](https://tools.ietf.org/html/rfc6347)\n\n- [OMA Specification - OMA-LWM2M](http://www.openmobilealliance.org/release/LightweightM2M/V1_0-20170208-A/OMA-TS-LightweightM2M-V1_0-20170208-A.pdf)\n\n- [OMA LWM2M Object and Resource Registry](http://www.openmobilealliance.org/wp/OMNA/LwM2M/LwM2MRegistry.html)\n\n- [Objects and their corresponding Object IDs](https://github.com/IPSO-Alliance/pub/tree/master/reg)\n\n- [IP for Smart Objects - IPSO Objects](https://github.com/IPSO-Alliance/pub/blob/master/README.md)\n\u003c/details\u003e\n\n\n### Contributors\n\n|Name|Role|Contact|\n|-|-|-|\n|Prof. Dr. Sergio Takeo Kofuji| Mentor| kofuji@pad.lsi.usp.br |\n|Prof. MSc. 
Fábio Henrique Cabrini | Mentor | fabio.cabrini@pad.lsi.usp.br |\n|Angelo Moura | Developer | m4n3dw0lf@gmail.com |\n|Bruno Galvão | Developer | bruno.oliveira109@fatec.sp.gov.br |\n|Igor Servulo | Developer | igor.servulo@fatec.sp.gov.br |\n|Lucas Pereira| Developer | lucas.pereira49@fatec.sp.gov.br |\n|Anderson A. Alves da Silva | Collaborator | anderson.silva@pad.lsi.usp.br |\n|Noris Junior | Collaborator | norisjunior@gmail.com |\n|Albérico de Castro | Collaborator | alberico.castro@pad.lsi.usp.br |\n|Filippo Valiante Filho | Collaborator | filippo.valiante@pad.lsi.usp.br |\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fm4n3dw0lf%2FSecureFiware","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fm4n3dw0lf%2FSecureFiware","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fm4n3dw0lf%2FSecureFiware/lists"}