Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/m4n3dw0lf/SecureFiware
Proposing security measures and security analysis in the Fiware IoT environment.
coap dtls fiware https iot iot-platform lwm2m secure security smartcities
- Host: GitHub
- URL: https://github.com/m4n3dw0lf/SecureFiware
- Owner: m4n3dw0lf
- Created: 2018-04-01T00:04:10.000Z (almost 7 years ago)
- Default Branch: master
- Last Pushed: 2018-10-04T02:59:44.000Z (over 6 years ago)
- Last Synced: 2024-10-28T17:07:23.712Z (3 months ago)
- Topics: coap, dtls, fiware, https, iot, iot-platform, lwm2m, secure, security, smartcities
- Language: Shell
- Size: 602 KB
- Stars: 21
- Watchers: 7
- Forks: 6
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome - Secure FIWARE - Proposed security measures and security analysis for FIWARE IoT environments. (Open-Source FIWARE from third parties / Security)
README
# SecureFiware
![](https://img.shields.io/badge/version-0.0.1-green.svg)
### Overview
![](img/fiware-over-crypt.png)
### End-to-end encryption
#### COAP Device to LWM2M IoT Agent encrypted communication
![](img/iota-device-encryption-proposal.png)
For the encrypted communication between the device and the IoT Agent we've embedded a DTLS server feature in the **lwm2m-node-lib** source code. It forwards every request to the plain-text LWM2M UDP server over the localhost network and then forwards the response back to the client. We designed this solution to be set up easily in the `.js` configuration file, and it is fully compatible with the **lightweightm2m-iotagent**, as described [here](fiware-improvements/README.md#dtls-configuration) and demonstrated in the PoC below. Notice that the other lightweightm2m-iotagent features are completely unaffected by these modifications.
The dtls-proxy library was also developed by us and already has more than 300 downloads on npm (search for **node-dtls-proxy**).
![](img/iota-device-encryption-solution.png)
- Positive points:
  - Enables DTLS communication between UDP servers and UDP clients (of any kind) with minimal or no source code modifications.
  - Really quick to set up.
- Negative points:
  - A bit slower than a pure DTLS solution.
  - The client requires DTLS support, or must be able to run software that implements the DTLS proxy downgrade service.
- Links:
  - [goldy - IBM Lightweight DTLS proxy](https://developer.ibm.com/code/open/projects/goldy/)
  - [node-dtls-proxy](https://github.com/m4n3dw0lf/node-dtls-proxy)
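The design above relies on the plain-text LWM2M UDP server being reachable only over localhost while the DTLS listener faces the device network. As an added check that is not part of the SecureFiware project, the Python script below audits `ss -ulnH` output on the IoT Agent host for exactly that; the DTLS port 5684 is the one used in the walkthrough, the plaintext port 5683 is an assumed CoAP default (adjust it to your configuration), and the sample output is constructed.

```python
"""Verify the DTLS-in-front-of-plaintext layout on the IoT Agent host: the DTLS
listener may face the network, the plain LWM2M UDP server must be loopback-only."""
import ipaddress
import re

DTLS_PORT = 5684   # walkthrough: udp2dtls 5687 localhost 5684
PLAIN_PORT = 5683  # ASSUMPTION: CoAP/LWM2M default; use the port from your config .js

# Constructed sample of `ss -ulnH` output (not captured from the project).
SAMPLE = """\
UNCONN 0 0 0.0.0.0:5684 0.0.0.0:*
UNCONN 0 0 127.0.0.1:5683 0.0.0.0:*
UNCONN 0 0 [::]:5684 [::]:*
UNCONN 0 0 0.0.0.0:5683 0.0.0.0:*
"""
_LOCAL = re.compile(r"^\[?([^\]]*)\]?:(\d+)$")  # "0.0.0.0:5684", "[::]:5684", "*:5683"


def parse_listeners(text):
    """Return (host, port) for every unconnected UDP socket; the header row is skipped."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "UNCONN":
            continue
        m = _LOCAL.match(parts[3])
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found


def is_loopback(host):
    """True only for 127.0.0.0/8 or ::1; wildcards ('*', 0.0.0.0, ::) are not loopback."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit(text, plain_port=PLAIN_PORT, dtls_port=DTLS_PORT):
    """Return findings; an empty list means the socket layout matches the design."""
    listeners = parse_listeners(text)
    findings = []
    if not any(p == dtls_port for _, p in listeners):
        findings.append(f"no DTLS listener on udp/{dtls_port}")
    for host, port in listeners:
        if port == plain_port and not is_loopback(host):
            findings.append(f"plaintext LWM2M server udp/{plain_port} bound to {host}: reachable without DTLS")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["OK: plaintext LWM2M server is loopback-only"]:
        print(finding)
```

Run it against real output with `ss -ulnH | python3 audit.py`-style piping by replacing `SAMPLE` with `sys.stdin.read()`.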
#### Orion ContextBroker and LWM2M IoT Agent HTTPS Communication and Support
![](img/broker-ngsi-encryption-solution.png)
For HTTPS support on the Orion Context Broker we've added an nginx container to the `docker-compose.yml` file that acts as an HTTPS reverse proxy in front of the Context Broker, which keeps running in HTTP context (SSL/TLS termination). We then modified the **iotagent-node-lib** used by the **lightweightm2m-iotagent** to support a Context Broker in HTTPS context; this is configured in the `.js` configuration file of the IoTA as described [here](fiware-improvements#connect-to-orion-in-https-context). We also added a new feature to the IoT Agent that starts its NGSI server in HTTPS context too; it is set up in the same `.js` configuration file as described [here](fiware-improvements/README.md#iot-agent-https-configuration), just like the HTTPS Orion configuration.
### Walkthrough
#### Requirements
Clone the repository:
```
git clone https://github.com/m4n3dw0lf/securefiware --recursive
```
Install Docker: https://docs.docker.com/engine/installation/ and docker-compose: https://docs.docker.com/compose/install/.
Since all the Fiware libraries for LWM2M are in NodeJS, install NodeJS and its package manager NPM by running the following command:
```
sudo apt-get install nodejs nodejs-legacy npm
```
Also install the node-dtls-proxy library, which is responsible for encrypting the device requests and sending them to the LWM2M IoTA in DTLS context:
```
sudo npm install -g node-dtls-proxy
```
#### Start the Orion Context Broker and the LWM2M IoT Agent
Generate a certificate and key to be used in the TLS and DTLS connections of the components:
```
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout cert.key -out cert.crt
```
Run the command below inside this directory to start the orion, mongodb, iota and openssl docker containers:
```
$ sudo docker-compose up
```
Press CTRL+C to stop the environment.
Utils:
Accessing the MongoDB:
```
$ sudo docker exec -it secfiware_mongodb mongo
```
Accessing the Orion bash:
```
$ sudo docker exec -it secfiware_orion bash
```
Accessing the IoT Agent bash:
```
$ sudo docker exec -it secfiware_iota bash
```
Destroying the environment:
```
$ sudo docker-compose down
```
#### Start the IoT Device
Running the LWM2M IoT Device (Client)
Enter the fiware-improvements/lwm2m-node-lib directory and install the nodejs requirements:
```
cd fiware-improvements/lwm2m-node-lib/ ; npm install
```
Run the LWM2M IoT Device:
```
node bin/iotagent-lwm2m-client.js
```
#### Secure DTLS and TLS Environment Walkthrough
- Provisioning a service configuration for devices
```
curl -X POST -k https://localhost:4041/iot/services \
  --header "fiware-service:light_control" \
  --header "fiware-servicepath:/light_control" \
  --header "Content-Type:application/json" -d '{
  "services": [
    {
      "resource": "/light_control",
      "apikey": "",
      "type": "Light Control",
      "commands": [],
      "attributes": [
        {
          "name": "On/Off",
          "type": "Boolean"
        }
      ]
    }
  ]
}'
```
- Provisioning a new device for the service created
```
curl -X POST -k https://localhost:4041/iot/devices \
  --header "fiware-service:light_control" \
  --header "fiware-servicepath:/light_control" \
  --header "Content-Type:application/json" -d '{
  "devices": [
    {
      "device_id": "rasp1",
      "entity_type": "Raspberry",
      "attributes": [
        {
          "name": "On/Off",
          "type": "Boolean"
        }
      ],
      "internal_attributes": {
        "lwm2mResourceMapping": {
          "On/Off": {
            "objectType": 3311,
            "objectInstance": 0,
            "objectResource": 5850
          }
        }
      }
    }
  ]
}'
```
- If you get errors in the logs about self-signed certificates, you may need to generate a keypair and declare its path in the config-secure.json
- Open another separate terminal and run
```
$ udp2dtls 5687 localhost 5684
```
- Then (in another separate terminal) start an lwm2m-client
```
LWM2M-Client> create /3311/0
LWM2M-Client> connect localhost 5687 rasp1 /light_control
LWM2M-Client> set /3311/0 5850 On
```
Query the device in the ContextBroker
- Run this
```
curl -X POST -k https://localhost:1026/v1/queryContext \
  --header "fiware-service:light_control" \
  --header "fiware-servicepath:/light_control" \
  --header "Content-Type:application/json" \
  --header "Accept:application/json" -d \
  '{"entities": [{"id": "Raspberry:rasp1"}]}'
```
> Notice that you will need to set up a udp2dtls proxy on a different port for each device, unless you already have a client that supports DTLS. (DTLS support will be added to the client in future updates.)
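The walkthrough talks to the IoT Agent and the broker with `curl -k`, which turns off certificate verification, and the note on self-signed certificates above points at the same gap. As an added example that is not part of the SecureFiware project, the Python client below issues the same `/v1/queryContext` request through the nginx TLS terminator but pins the walkthrough's self-signed `cert.crt` by its SHA-256 fingerprint instead of trusting whatever certificate answers; host, port, headers and the `Raspberry:rasp1` entity come from the commands above, and `cert.crt` is assumed to sit in the current directory.

```python
"""Query Orion through the nginx TLS terminator without `curl -k`: the walkthrough's
self-signed cert.crt is pinned by SHA-256 fingerprint before any request is sent."""
import hashlib
import http.client
import json
import ssl


def sha256_fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 of a DER certificate (what `openssl x509 -sha256 -fingerprint`
    prints, minus the colons)."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_of_pem(pem_text: str) -> str:
    """Fingerprint of the first certificate in a PEM file such as cert.crt."""
    return sha256_fingerprint(ssl.PEM_cert_to_DER_cert(pem_text))


def pinned_context() -> ssl.SSLContext:
    """TLS 1.2+ client context. Chain validation is replaced by the explicit pin in
    query_entities(): the cert is self-signed and its CN need not be 'localhost'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # the fingerprint comparison is the verification step
    return ctx


def query_entities(host, port, expected_fp, service, servicepath, entity_id):
    """POST /v1/queryContext as in the walkthrough, refusing any endpoint whose
    leaf certificate does not match expected_fp."""
    conn = http.client.HTTPSConnection(host, port, context=pinned_context(), timeout=5)
    conn.connect()
    presented = sha256_fingerprint(conn.sock.getpeercert(binary_form=True))
    if presented != expected_fp:
        conn.close()
        raise ssl.SSLError(f"certificate pin mismatch: got {presented}")
    headers = {"fiware-service": service, "fiware-servicepath": servicepath,
               "Content-Type": "application/json", "Accept": "application/json"}
    conn.request("POST", "/v1/queryContext",
                 json.dumps({"entities": [{"id": entity_id}]}), headers)
    data = json.loads(conn.getresponse().read())
    conn.close()
    return data


if __name__ == "__main__":
    with open("cert.crt") as f:  # assumption: the file produced by `openssl req` above
        pin = fingerprint_of_pem(f.read())
    print(json.dumps(query_entities("localhost", 1026, pin, "light_control",
                                    "/light_control", "Raspberry:rasp1"), indent=2))
```

The curl equivalent of trusting that one certificate explicitly is `--cacert cert.crt` in place of `-k`.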
### Links
- [Fiware tour guide application](https://www.fiware.org/devguides/fiware-tour-guide-application-a-tutorial-on-how-to-integrate-the-main-fiware-ges/)
- [IoTa Docs](https://github.com/telefonicaid/lightweightm2m-iotagent/tree/master/docs)
- [lwm2m-node-lib](https://github.com/telefonicaid/lwm2m-node-lib)
- [Devices provisioning](https://github.com/telefonicaid/lightweightm2m-iotagent/blob/master/docs/deviceProvisioning.md)
- [Configuration provisioning (fiware-service)](https://github.com/telefonicaid/lightweightm2m-iotagent/blob/master/docs/configurationProvisioning.md)
- [Installation of client](https://github.com/telefonicaid/lightweightm2m-iotagent/blob/master/docs/configurationProvisioning.md#installation-of-the-client)
- [Using the device](https://github.com/telefonicaid/lightweightm2m-iotagent/blob/master/docs/configurationProvisioning.md#using-the-device)
- [RFC DTLS](https://tools.ietf.org/html/rfc6347)
- [OMA Specification - OMA-LWM2M](http://www.openmobilealliance.org/release/LightweightM2M/V1_0-20170208-A/OMA-TS-LightweightM2M-V1_0-20170208-A.pdf)
- [OMA LWM2M Object and Resource Registry](http://www.openmobilealliance.org/wp/OMNA/LwM2M/LwM2MRegistry.html)
- [Objects and their corresponding Object IDs](https://github.com/IPSO-Alliance/pub/tree/master/reg)
- [IP for Smart Objects - IPSO Objects](https://github.com/IPSO-Alliance/pub/blob/master/README.md)
### Contributors
|Name|Role|Contact|
|-|-|-|
|Prof. Dr. Sergio Takeo Kofuji| Mentor| [email protected] |
|Prof. MSc. Fábio Henrique Cabrini | Mentor | [email protected] |
|Angelo Moura | Developer | [email protected] |
|Bruno Galvão | Developer | [email protected] |
|Igor Servulo | Developer | [email protected] |
|Lucas Pereira| Developer | [email protected] |
|Anderson A. Alves da Silva | Collaborator | [email protected] |
|Noris Junior | Collaborator | [email protected] |
|Albérico de Castro | Collaborator | [email protected] |
|Filippo Valiante Filho | Collaborator | [email protected] |