Industrial Internet of Things (IIoT) deployments increasingly rely on low-cost microcontrollers and single-board computers to stream operational telemetry for monitoring, control, and predictive maintenance, yet the canonical “TLS-to-broker” model does not protect message content from a compromised or curious MQTT broker. This study therefore designs and implements a practical, application-layer end-to-end (E2E) encryption pipeline spanning an ESP32 data client (C++/mbedTLS), an untrusted MQTT broker, and a Raspberry Pi gateway (Python/PyCryptodome) using AES-256-GCM with Additional Authenticated Data (AAD). Sensor measurements are serialized as compact JSON, encrypted and authenticated on the ESP32, framed into a binary record, Base64-encoded for MQTT payload carriage, and verified/decrypted only at the gateway. Experiments on ESP32-WROOM-32 and Raspberry Pi 4 show an average ESP32 packet-preparation latency of 41.754 ms (JSON 1.0 ms; AES-GCM 29.5 ms; Base64 11.2 ms), robust rejection of ciphertext tampering and unauthorized devices via MAC verification and whitelist checks, and 99.72% decrypt-and-store success over a one-hour run (718/720 messages). These results indicate that commodity IIoT hardware can support practical and replicable E2E confidentiality and integrity without sacrificing operational throughput, while eliminating the MQTT broker as a de facto man-in-the-middle.
Amirkhanova et al. (Sat,) studied this question.
Synapse has enriched 5 closely related papers on similar clinical questions. Consider them for comparative context: