Secure decoupled messaging with DANE and the TLSA resource record
Configuration
Set each device's DNS name in Balena.io by defining an environment variable called IDENTITY_NAME
for each device. This should be set to the DNS entry that will store the device certificate.
Create the device identity credentials, using a terminal session in the maintenance container, by running ./create_selfsigned_id
.py. Next, generate the TLSA record data by running generate_tlsa.py
.
You'll see a long string of text produced from the last command. That's the actual TLSA record contents for you to place in DNS (Figure 1).

You'll notice that if you run ls /identity/
, you'll see a self-signed certificate and private key. Perform the same steps for generating the identity and TLSA record for each of your devices. Then, copy the TLSA record contents for each of your devices into your DNS management system. There are a great many options for hosting DNS; you can pick a DNS hosting provider that supports the TLSA record type or you can use an open-source DNS server like PowerDNS. Once your TLSA record is correctly configured in your DNS server, you will be able to use dig to download your certificate. As described previously, enter:
dig -t TLSA ${IDENTITY_NAME}<I>
where ${IDENTITY_NAME}
is your device's DNS name.
In the Balena console, watch the logs for the messaging_receiver
service. At first, you'll see "Public identity is not valid!" messages. These messages will go away once the TTL in DNS for record nonexistence expires and the certificate is available. It shouldn't be more than a minute or two with most DNS servers.
Sending a Message
To send a message between your devices, use the messaging_sender
container to run the send_message.py
command. This command takes two arguments: the destination device's DNS name and the message itself (Figure 2). (Don't forget the enclosing quotes if the message has spaces.) When you run this command, the tool uses the device's private key to generate a signed JWS object containing your message. The tool then grabs the recipient's certificate from DNS and uses the public key in the certificate to generate an encrypted JWE object, which contains the JWS object. Finally, the signed and encrypted object is published to the message broker with the recipient's DNS name as the topic.

Within a second or two, you should see the message in the console of the recipient device (Figure 3). The recipient device listens on the message broker for messages with a topic matching the device's DNS name. The device then retrieves and decrypts the message (JWE object) and then uses the sender's certificate from DNS (which is referenced in the JWS object headers) to authenticate the message. Finally, the message is printed to the console.

These messages all pass through the HiveMQ public message broker. You can watch your encrypted messages scroll by using the web client located at http://www.hivemq.com/demos/websocket-client/. First, use the web client to connect to the broker (hostname: broker.hivemq.com
). Next, watch the recipient device's topic: Use the device's identity name for the topic to monitor.
Call a friend, and ask them to follow the same steps. It doesn't matter if you use the same domain, or if you even use the same DNS provider. They just need a certificate in a TLSA record, and you can chat with end-to-end encryption and source authentication knowing only the DNS name of the device with which you want to communicate.
Postscript
The chat application described in this article implements sender authentication and end-to-end message payload encryption in a way that doesn't require you to transmit a copy of the certificate to everyone who might need to authenticate the sender of your messages.
Compare this to the common practice of synchronizing the certificate authority's set of currently-valid certificates to every entity that might need to authenticate your messages. The method described in this article is more scalable and straightforward. Certificate rotation is straightforward too: If you want to replace your device's certificate, the only delay in rotation is tied to the time required to place the new certificate in DNS and wait out the TLSA record's TTL; the recommended TTL for the TLSA record is not specified in the DANE RFC and is completely under your control.
This system is resilient against naming collisions (since there is only one DNS), and revoking trust in an identity is as simple as deleting the TLSA record from DNS. Even though the messages themselves pass over a public transport for all to see, they are individually encrypted so that only the intended recipient may read them. Though the message is encrypted, the recipient device's DNS name is still revealed in the message topic.
The messaging devices described in this article won't add much convenience to your day-to-day life, but they demonstrate the use of standards and open source software to simplify the process of end-to-end message security in IoT applications. Remember: Encryption is only part of the solution. Without authentication, you really can't establish trust.
Standards bodies have a great deal of work ahead to address the many different aspects of secure IoT communications. The speed of evolution in those IoT-specific initiatives leads to many interesting and engaging possibilities.
Now you have patterns, tools, and examples to build on. Go forth and build better, more secure applications!
Infos
- DANE RFC: https://tools.ietf.org/html/rfc7671
- MQTT: https://mqtt.org/
- dane_jwe_jws library on PyPI: https://pypi.org/project/dane-jwe-jws/
- JOSE Working Group: https://datatracker.ietf.org/group/jose/documents/
« Previous 1 2
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Direct Download
Read full article as PDF:
Price $2.95
News
-
KaOS 2022.06 Now Available With KDE Plasma 5.25
The newest iteration of KaOS Linux not only adds the latest KDE Plasma desktop but sets LibreOffice as the default.
-
Manjaro 21.3.0 Is Now Available
Manjaro “Ruah” has been released and includes the latest Calamares installer, GNOME 42, and much more.
-
SpiralLinux is a New Linux Distribution Focused on Simplicity
A new Linux distribution, from the creator of GeckoLinux, is a Debian-based operating system with a focus on simplicity and ease of use.
-
HP Dev One Linux Laptop is Now Available for Pre-Order
The System76/HP collaboration Dev One laptop, geared toward developers, is now available for pre-order.
-
NixOS 22.5 Is Now Available
The latest release of NixOS with a much-improved package manager and a user-friendly graphical installer.
-
System76 Teams up with HP to Create the Dev One Laptop
HP and System76 have come together to develop a new laptop, powered by Pop!_OS and aimed toward developers.
-
Titan Linux is a New KDE Linux Based on Debian Stable
Titan Linux is a new Debian-based Linux distribution that features the KDE Plasma desktop with a focus on usability and performance.
-
Danielle Foré Has an Update for elementary OS 7
Now that Ubuntu 22.04 has been released, the team behind elementary OS is preparing for the upcoming 7.0 release.
-
Linux New Media Launches Open Source JobHub
New job website focuses on connecting technical and non-technical professionals with organizations in open source.
-
Ubuntu Cinnamon 22.04 Now Available
Ubuntu Cinnamon 22.04 has been released with all the additions from upstream as well as other features and improvements.