Int. J. Sensor Networks, Vol. 32, No. 1, 2020
Copyright © 2020 Inderscience Enterprises Ltd.

A MQTT-API-compatible IoT security-enhanced platform

Hung-Yu Chien* and Yi-Jui Chen
Department of Information Management, National Chi Nan University, PuLi, Nantou 54561, Taiwan
Email: hychien@ncnu.edu.tw
Email: a25237780a@gmail.com
*Corresponding author

Guo-Hao Qiu, Jian Fu Liao and Ruo-Wei Hung
Department of Computer Science and Information Engineering, Chaoyang University of Technology, Wufeng, Taichung 41349, Taiwan
Email: z55121255@gmail.com
Email: tt159753tt@gmail.com
Email: rwhung@cyut.edu.tw

Pei-Chih Lin, Xi-An Kou and Mao-Lun Chiang
Department of Information and Communication Engineering, Chaoyang University of Technology, Wufeng, Taichung 41349, Taiwan
Email: qazz6411@gmail.com
Email: kandy841011@gmail.com
Email: mlchiang@cyut.edu.tw

Chunhua Su
Division of Computer Science, The University of Aizu, Aizuwakamatsu-shi, Fukushima 965-8580, Japan
Email: chsu@u-aizu.ac.jp

Abstract: Owing to its lightweight design and ease of use, message queue telemetry transport (MQTT) has become one of the most popular communication protocols in the internet-of-things (IoT). However, the security support in MQTT is very weak. In this paper, we systematically examine the security requirements of an MQTT-based IoT system, identify the gap between the requirements and the supported functions, and design a security-enhanced MQTT framework. The framework facilitates device authentication, key agreement, and policy authorisation. Additionally, it is desirable that any MQTT security enhancement be compatible with existing MQTT Application Programming Interfaces (APIs). We propose a two-phase authentication approach that can smoothly integrate secure key agreement schemes with the current MQTT-API. To evaluate its effectiveness and efficiency, we implement a prototype. Compared to its counterparts, the results show the merits of improved communication performance, MQTT-API compliance, and security robustness.

Keywords: transport layer issues; security and privacy; MQTT; message queue telemetry transport; internet of things; authentication.

Reference to this paper should be made as follows: Chien, H-Y., Chen, Y-J., Qiu, G-H., Liao, J.F., Hung, R-W., Lin, P-C., Kou, X-A., Chiang, M-L. and Su, C. (2020) ‘A MQTT-API-compatible IoT security-enhanced platform’, Int. J. Sensor Networks, Vol. 32, No. 1, pp.54–68.