Ecosyste.ms: Awesome

https://github.com/m4n3dw0lf/SecureFiware

Proposing security measures and security analysis in the Fiware IoT environment.

coap dtls fiware https iot iot-platform lwm2m secure security smartcities


# SecureFiware

![](https://img.shields.io/badge/version-0.0.1-green.svg)

### Overview

![](img/fiware-over-crypt.png)

### End-to-end encryption

#### CoAP device to LWM2M IoT Agent encrypted communication

![](img/iota-device-encryption-proposal.png)

For the encrypted communication between the device and the IoT Agent we've embedded a DTLS server feature in the **lwm2m-node-lib** source code. It terminates DTLS, forwards each decrypted request to the plain-text LWM2M UDP server over the localhost network, and forwards the response back to the client. We designed this solution to be set up easily in the `.js` configuration file; it is fully compatible with the **lightweightm2m-iotagent**, as described [here](fiware-improvements/README.md#dtls-configuration) and demonstrated in the PoC below. The other lightweightm2m-iotagent features are unaffected by these modifications. Note that the hop between the DTLS front-end and the UDP server stays in clear text, so the two must run on the same host (as here, over loopback) or on a network segment you trust.
The dtls-proxy library was also developed by us and already has more than 300 downloads on npm (search for **node-dtls-proxy**).

![](img/iota-device-encryption-solution.png)

- Positive points:
  - Enables DTLS communication between UDP servers and UDP clients (of any kind) with minimal or no source code modifications.
  - Really quick to set up.

- Negative points:
  - A bit slower than a pure DTLS solution, since every datagram is decrypted and re-sent over loopback.
  - The client must either support DTLS itself or be able to run software that implements the DTLS proxy on its side (the `udp2dtls` tool used in the walkthrough below); the hop between that proxy and the client application is plain text.

- Links:
  - [goldy - IBM Lightweight DTLS proxy](https://developer.ibm.com/code/open/projects/goldy/)
  - [node-dtls-proxy](https://github.com/m4n3dw0lf/node-dtls-proxy)
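The forwarding core of the front-end described above, as an added example written for this page (it is not code from SecureFiware or node-dtls-proxy). It models only the part that sits behind the DTLS listener: a per-client upstream socket towards the plain-text UDP server, so that the server's replies can be routed back to the right client, plus idle-session expiry and a `connect()`ed upstream socket so nobody but the server can inject "replies". The DTLS handshake and record layer are left out because Python's standard library has no DTLS; plain UDP on loopback stands in for it. The class and function names, the idle timeout and the sample datagrams are all assumptions made for the example.

```python
import socket
import threading
import time


class UdpRelay:
    """Forwarding core of a DTLS-terminating UDP front-end; the DTLS layer itself is left out."""

    def __init__(self, listen, upstream, idle_timeout=30.0):  # idle timeout is an assumed value
        self.listen_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.listen_sock.bind(listen)
        self.listen_sock.settimeout(0.2)
        self.upstream = upstream
        self.idle_timeout = idle_timeout
        self.sessions = {}  # client address -> [upstream socket, last-activity timestamp]
        self.lock = threading.Lock()
        self.running = False

    def _upstream_socket(self, client):
        # One upstream socket per downstream client: its source port is what lets replies be routed back.
        with self.lock:
            entry = self.sessions.get(client)
            if entry is not None:
                entry[1] = time.monotonic()
                return entry[0]
            up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            # connect() makes the kernel discard datagrams from any address other than
            # the upstream server, so a third party cannot inject "replies" into the session.
            up.connect(self.upstream)
            up.settimeout(0.2)
            self.sessions[client] = [up, time.monotonic()]
        threading.Thread(target=self._pump_replies, args=(client, up), daemon=True).start()
        return up

    def _pump_replies(self, client, up):
        # Copy server replies back to the originating client; drop the session once idle.
        while self.running:
            try:
                data = up.recv(65535)
            except socket.timeout:
                with self.lock:
                    entry = self.sessions.get(client)
                    if entry is None or time.monotonic() - entry[1] > self.idle_timeout:
                        self.sessions.pop(client, None)
                        up.close()
                        return
                continue
            except OSError:
                return
            self.listen_sock.sendto(data, client)

    def serve(self):
        # Accept datagrams on the listening side and forward each on its client's socket.
        while self.running:
            try:
                data, client = self.listen_sock.recvfrom(65535)
            except socket.timeout:
                continue
            except OSError:
                return
            self._upstream_socket(client).send(data)

    def start(self):
        self.running = True
        threading.Thread(target=self.serve, daemon=True).start()
        return self.listen_sock.getsockname()

    def stop(self):
        self.running = False
        with self.lock:
            for up, _ in self.sessions.values():
                up.close()
        self.listen_sock.close()


def relay_roundtrip(messages_per_client):
    """Push constructed sample traffic from several clients through a relay on loopback.

    A bare UDP socket plays the plain-text LWM2M server and acknowledges each datagram.
    Returns ({client index: [replies]}, number of upstream sessions the relay created).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(2.0)
    relay = UdpRelay(("127.0.0.1", 0), srv.getsockname())
    relay_addr = relay.start()
    clients = [socket.socket(socket.AF_INET, socket.SOCK_DGRAM) for _ in messages_per_client]
    replies = {}
    try:
        for i, (cli, msgs) in enumerate(zip(clients, messages_per_client)):
            cli.settimeout(2.0)
            replies[i] = []
            for msg in msgs:
                cli.sendto(msg, relay_addr)
                data, peer = srv.recvfrom(65535)  # the server sees the relay's socket, not the client
                srv.sendto(b"ACK:" + data, peer)
                replies[i].append(cli.recv(65535))
        sessions = len(relay.sessions)
    finally:
        for cli in clients:
            cli.close()
        relay.stop()
        srv.close()
    return replies, sessions


if __name__ == "__main__":
    print(relay_roundtrip([[b"register rasp1", b"update"], [b"register rasp2"]]))
```

The server side never learns the client's address, only the relay's per-session source port, which is exactly why one upstream socket per client is needed. In a real deployment the `listen` side would be the DTLS server and the idle timeout bounds how many upstream sockets a flood of short-lived DTLS sessions can pin.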


#### Orion ContextBroker and LWM2M IoT Agent HTTPS Communication and Support

![](img/broker-ngsi-encryption-solution.png)

For HTTPS support on the Orion Context Broker we've added an nginx container to the `docker-compose.yml` file that acts as an HTTPS reverse proxy in front of the Context Broker, which keeps speaking plain HTTP (SSL/TLS termination). We then modified the **iotagent-node-lib** used by the **lightweightm2m-iotagent** so that it can talk to the Context Broker over HTTPS; this is configured in the `.js` configuration file of the IoTA as described [here](fiware-improvements#connect-to-orion-in-https-context). We also added a feature to the IoT Agent that starts its NGSI server (the API on port 4041 used in the walkthrough below) over HTTPS; this is configured in the same `.js` file, as described [here](fiware-improvements/README.md#iot-agent-https-configuration), just like the Orion HTTPS configuration. Note that TLS termination protects the data in transit but does not authenticate callers: anything that can reach the nginx port can still issue NGSI requests, and the HTTP hop between nginx and Orion stays in the clear inside the Compose network.
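As an added illustration of the TLS-termination layer described above (an example configuration written for this page, not the nginx configuration shipped in the project's `docker-compose.yml`), the following nginx server block terminates HTTPS on port 1026 and proxies to Orion over plain HTTP. It assumes the Orion container is reachable on the Compose network under the service name `orion` on port 1026, and that the certificate and key generated in the walkthrough are mounted at `/etc/nginx/certs/`; both the service name and the mount path are assumptions.

```nginx
server {
    listen 1026 ssl;
    server_name localhost;

    # Certificate and key generated in the walkthrough (mount path is an assumption).
    ssl_certificate     /etc/nginx/certs/cert.crt;
    ssl_certificate_key /etc/nginx/certs/cert.key;

    # Refuse legacy protocol versions and non-forward-secret cipher suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    location / {
        # Plain HTTP hop to Orion inside the Compose network ("orion" is an assumed service name).
        proxy_pass http://orion:1026;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Request headers such as `fiware-service` and `fiware-servicepath` are forwarded to Orion unchanged. The block authenticates the server to clients only; if Orion must not be reachable by everyone who can connect to the port, add client-certificate verification (`ssl_verify_client`) or put a policy enforcement point in front of it.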


### Walkthrough

#### Requirements

Clone the repository:

```
git clone https://github.com/m4n3dw0lf/securefiware --recursive
```

Install Docker (https://docs.docker.com/engine/installation/) and docker-compose (https://docs.docker.com/compose/install/).

Since all the FIWARE libraries for LWM2M are written in Node.js, install Node.js and its package manager, npm:

```
sudo apt-get install nodejs nodejs-legacy npm
```

Also install the node-dtls-proxy library, which will be responsible for encrypting the device requests and sending them to the LWM2M IoTA over DTLS:

```
sudo npm install -g node-dtls-proxy
```





#### Start the Orion Context Broker and the LWM2M IoT Agent

Generate a certificate and key to be used by the TLS and DTLS endpoints of the components. The command below produces a self-signed certificate valid for one year and, because of `-nodes`, an unencrypted private key, so keep `cert.key` readable only by the components that need it. When prompted for the Common Name, enter the hostname clients will connect to (`localhost` in this walkthrough):

```
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout cert.key -out cert.crt
```

Run the command below inside this directory to start the orion, mongodb, iota and openssl docker containers:

```
$ sudo docker-compose up
```

Press CTRL+C to stop the environment.

Utils:

Accessing MongoDB:

```
$ sudo docker exec -it secfiware_mongodb mongo
```

Accessing the Orion shell:

```
$ sudo docker exec -it secfiware_orion bash
```

Accessing the IoT Agent shell:

```
$ sudo docker exec -it secfiware_iota bash
```

Destroying the environment:

```
$ sudo docker-compose down
```





#### Start the IoT Device

Running the LWM2M IoT Device (client): enter the `fiware-improvements/lwm2m-node-lib` directory and install the Node.js requirements:

```
cd fiware-improvements/lwm2m-node-lib/ ; npm install
```

Run the LWM2M IoT Device:

```
node bin/iotagent-lwm2m-client.js
```



#### Secure DTLS and TLS Environment Walkthrough

- Provisioning a service configuration for devices
```
curl -X POST -k https://localhost:4041/iot/services \
--header "fiware-service:light_control" \
--header "fiware-servicepath:/light_control" \
--header "Content-Type:application/json" -d '{
"services": [
{
"resource": "/light_control",
"apikey": "",
"type": "Light Control",
"commands": [],
"attributes": [
{
"name": "On/Off",
"type": "Boolean"
}
]
}
]
}'
```

- Provisioning a new device for the service created

```
curl -X POST -k https://localhost:4041/iot/devices \
--header "fiware-service:light_control" \
--header "fiware-servicepath:/light_control" \
--header "Content-Type:application/json" -d '{
"devices": [
{
"device_id": "rasp1",
"entity_type": "Raspberry",
"attributes": [
{
"name": "On/Off",
"type": "Boolean"
}
],
"internal_attributes": {
"lwm2mResourceMapping": {
"On/Off" : {
"objectType": 3311,
"objectInstance": 0,
"objectResource": 5850
}
}
}
}
]
}'
```

- If you get errors in the logs about self-signed certificates, you may need to generate a keypair and declare its path in `config-secure.json`. The `-k` flag in the curl commands above disables certificate verification and is only acceptable here because you generated the self-signed certificate yourself; to keep verification on, pass `--cacert cert.crt` instead (the certificate's Common Name or Subject Alternative Name must then match the host you connect to, `localhost`).

- Open another separate terminal and start the `udp2dtls` proxy, which accepts the client's plain-text LWM2M traffic on UDP port 5687 and forwards it over DTLS to the IoT Agent on port 5684 (the standard CoAP-over-DTLS port):

```
$ udp2dtls 5687 localhost 5684
```

- Then (in another separate terminal) start an lwm2m-client and point it at the proxy port rather than at the IoT Agent directly:
```
LWM2M-Client> create /3311/0
LWM2M-Client> connect localhost 5687 rasp1 /light_control
LWM2M-Client> set /3311/0 5850 On
```

#### Query the device in the ContextBroker

- Run this:

```
curl -X POST -k https://localhost:1026/v1/queryContext \
--header "fiware-service:light_control" \
--header "fiware-servicepath:/light_control" \
--header "Content-Type:application/json" \
--header "Accept:application/json" -d \
'{"entities": [{"id": "Raspberry:rasp1"}]}'
```

> Notice that you will need to set up a udp2dtls proxy on a different port for each device, unless you already have a client that supports DTLS natively. (DTLS support will be added to the client in future updates.)


### Links

- [Fiware tour guide application](https://www.fiware.org/devguides/fiware-tour-guide-application-a-tutorial-on-how-to-integrate-the-main-fiware-ges/)

- [IoTa Docs](https://github.com/telefonicaid/lightweightm2m-iotagent/tree/master/docs)

- [lwm2m-node-lib](https://github.com/telefonicaid/lwm2m-node-lib)

- [Devices provisioning](https://github.com/telefonicaid/lightweightm2m-iotagent/blob/master/docs/deviceProvisioning.md)

- [Configuration provisioning (fiware-service)](https://github.com/telefonicaid/lightweightm2m-iotagent/blob/master/docs/configurationProvisioning.md)

- [Installation of client](https://github.com/telefonicaid/lightweightm2m-iotagent/blob/master/docs/configurationProvisioning.md#installation-of-the-client)

- [Using the device](https://github.com/telefonicaid/lightweightm2m-iotagent/blob/master/docs/configurationProvisioning.md#using-the-device)

- [RFC DTLS](https://tools.ietf.org/html/rfc6347)

- [OMA Specification - OMA-LWM2M](http://www.openmobilealliance.org/release/LightweightM2M/V1_0-20170208-A/OMA-TS-LightweightM2M-V1_0-20170208-A.pdf)

- [OMA LWM2M Object and Resource Registry](http://www.openmobilealliance.org/wp/OMNA/LwM2M/LwM2MRegistry.html)

- [Objects and their corresponding Object IDs](https://github.com/IPSO-Alliance/pub/tree/master/reg)

- [IP for Smart Objects - IPSO Objects](https://github.com/IPSO-Alliance/pub/blob/master/README.md)

### Contributors

|Name|Role|Contact|
|-|-|-|
|Prof. Dr. Sergio Takeo Kofuji| Mentor| [email protected] |
|Prof. MSc. Fábio Henrique Cabrini | Mentor | [email protected] |
|Angelo Moura | Developer | [email protected] |
|Bruno Galvão | Developer | [email protected] |
|Igor Servulo | Developer | [email protected] |
|Lucas Pereira| Developer | [email protected] |
|Anderson A. Alves da Silva | Collaborator | [email protected] |
|Noris Junior | Collaborator | [email protected] |
|Albérico de Castro | Collaborator | [email protected] |
|Filippo Valiante Filho | Collaborator | [email protected] |