
I am struggling with the creation of multiple IoT devices (NanoPi-like) which will be controlled via a cloud server. I wish to use MQTT, as I see this as the best method for a small footprint. I know MQTT has certificates, passwords etc., but I have no clue how to implement secure one-to-one communication between device and cloud. I might create one channel per device, but I'm afraid anyone who accesses the device physically will be able to join any other channel. I would create channels manually and assign a user+pass for each of them, but doing so for multiple devices will be a waste of time. So I'm stuck with two aspects:

  1. Best implementation for the Device <-> Cloud data protocol. Will MQTT over TLS be fine?
  2. How can I automatically restrict devices to using only one channel? Like each device will register itself in the cloud with its own ID, and will use this ID as a channel. But how do I prevent a rogue attacker from joining any other channels?
RedS

1 Answer


I'm going to ignore your first question for the reasons mentioned in the comment.

As for the second: MQTT messages are published to topics (not channels). Nearly all MQTT brokers allow you to configure Access Control Lists (ACLs) that let you control which topics each user can publish and subscribe to.

With a correctly set up ACL the client will only be able to publish data to a specific topic and, if needed, subscribe to a specific topic used to send commands to that user's device.

Most brokers also allow substitutions in the ACLs, so you can set up template entries that match any user. E.g. for mosquitto you can use %u to match the username and %c to match the client id, so a topic pattern might look like this:

  pattern write %u/data/#
  pattern read %u/command/#

This would let the user only publish to topics which start with their username followed by /data/... and subscribe to topics with [username]/command/... at the start.

As a pub/sub protocol MQTT is sometimes considered a broadcast medium, e.g. one publisher to many subscribers, but there is nothing to say you can't use topics that only the central controller publishes to and only one device subscribes to in order to get 1 to 1 messaging. In the new MQTT v5 spec there is even the concept of reply messages so you can specifically do request/response type messaging.

hardillb
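As an added example (not code from the answer, and not mosquitto's own code), here is a small Python evaluator that implements the ACL semantics the answer describes: "pattern" lines with %u/%c substitution, plain per-user "topic" lines, and MQTT "+"/"#" wildcard matching. The ACL text, usernames, client ids and topics are constructed for the illustration, and the parser is a simplified reading of mosquitto's acl_file format, so treat it as a way to reason about the rules, not as a drop-in replacement for the broker's checks.

```python
"""Evaluate mosquitto-style ACL rules for publish/subscribe attempts.

Constructed example: two devices (devA, devB) and a cloud controller.
Devices may only write under <username>/data/ and read under
<username>/command/; the controller sees every device's data and can
address commands to any device, but cannot forge device data.
"""

# Constructed ACL file in (simplified) mosquitto acl_file syntax.
ACL_FILE = """\
# pattern lines apply to every authenticated user, with %u / %c substituted
pattern write %u/data/#
pattern read %u/command/#
# explicit rules for the cloud controller account
user controller
topic read +/data/#
topic write +/command/#
"""


def parse_acl(text):
    """Return (pattern_rules, user_rules).

    pattern_rules: list of (access, topic_filter) with %u/%c placeholders.
    user_rules: dict username -> list of (access, topic_filter); the key
    None holds 'topic' lines that appear before any 'user' line (which
    mosquitto applies to all clients).
    """
    patterns = []
    users = {None: []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # '#' only starts a comment at line start
            continue
        parts = line.split()
        if parts[0] == "user":
            current = parts[1]
            users.setdefault(current, [])
        elif parts[0] == "pattern":
            patterns.append((parts[1], parts[2]))
        elif parts[0] == "topic":
            # "topic <filter>" means readwrite; "topic read|write|readwrite <filter>"
            access, filt = ("readwrite", parts[1]) if len(parts) == 2 else (parts[1], parts[2])
            users[current].append((access, filt))
        else:
            raise ValueError("unrecognised ACL line: %r" % raw)
    return patterns, users


def topic_matches(filt, topic):
    """MQTT topic filter match: '+' is one level, '#' is the rest (may be empty)."""
    f, t = filt.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return True
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)


def allowed(acl, username, client_id, action, topic):
    """Decide whether `username` may `action` ('read' or 'write') `topic`."""
    patterns, users = acl

    def grants(access):
        return access == "readwrite" or access == action

    # explicit rules first (global ones, then the user's own)
    for access, filt in users.get(None, []) + users.get(username, []):
        if grants(access) and topic_matches(filt, topic):
            return True
    # then template rules, substituted with this connection's identity.
    # Security note: %u is only trustworthy when the broker authenticated it;
    # %c is chosen by the client, so prefer %u for isolation.
    for access, filt in patterns:
        concrete = filt.replace("%u", username).replace("%c", client_id)
        if grants(access) and topic_matches(concrete, topic):
            return True
    return False


def demo():
    """Run the constructed scenario and return each check's decision."""
    acl = parse_acl(ACL_FILE)
    return {
        "devA publishes own data": allowed(acl, "devA", "devA-1", "write", "devA/data/temp"),
        "devA publishes devB data": allowed(acl, "devA", "devA-1", "write", "devB/data/temp"),
        "devA reads devB commands": allowed(acl, "devA", "devA-1", "read", "devB/command/reboot"),
        "devA reads own commands": allowed(acl, "devA", "devA-1", "read", "devA/command/reboot"),
        "controller reads all data": allowed(acl, "controller", "ctl", "read", "devB/data/temp"),
        "controller writes command": allowed(acl, "controller", "ctl", "write", "devB/command/reboot"),
        "controller writes data": allowed(acl, "controller", "ctl", "write", "devB/data/temp"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print("%-28s %s" % (check, "ALLOW" if ok else "DENY"))
```

The isolation only holds because %u is substituted after the broker has authenticated the username, so on a real mosquitto the ACL goes together with allow_anonymous false and either a password_file or TLS client certificates with use_identity_as_username true in mosquitto.conf; a device that could connect with an arbitrary, unauthenticated username would simply pick another device's name.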