Supporting DTLS and CoAP in Your Cipher Suite
Neustar, a leading provider of information and security services, is expanding its offerings in IoT. In conjunction with OCF, Neustar's contributions to their single, open specification enable IoT devices to communicate across the ecosystem. Our goal is to develop a simple, quick onboarding workflow for OIC. Being able to quickly onboard devices is important because it creates an interoperable network across manufacturers, chipsets, and operating systems. In working towards this, we've been testing the interoperability of DTLS stacks. Two separate TLS stacks are required to get full cipher suite coverage in DTLS and platform agnosticism. We're excited to release a set of open-source tools to help you test your cipher suite interoperability.
Choosing an SSL Library: mbed TLS
An appropriate SSL library is needed to handle secure, encrypted connections between two parties over an insecure network. Using mbed TLS has many advantages over other SSL libraries like OpenSSL because the code is intuitive and well documented, including examples and discussion forums. Furthermore, it is easy to include only the necessary parts of the library because mbed TLS is loosely coupled and written in the portable C language. This made using mbed TLS an obvious choice. Currently, we have it running on two types of microcontrollers: Cortex M4, Cortex M7 and Linux.
A Reliable Cipher Suite
Beyond an SSL library, a reliable cipher suite is necessary to authenticate, encrypt and exchange keys on networks using the TLS and SSL network protocols. tinyDTLS implements the DTLS protocol efficiently such that it can be used in devices with tight memory constraints. tinyDTLS supports the cipher suites that many IoT stacks using CoAP consider mandatory. Though it was originally developed by TZI and later Eclipse, tinyDTLS now has several hard forks floating around the IoT space. Along with them are patches that attempt to provide some interoperability; however, no version of tinyDTLS can be reliably trusted to interoperate with another in a distant branch.
As the space continues to evolve, it is possible that iotivity-constrained's version of tinyDTLS becomes obsolete or other options become more desirable. This cipher suite could become unsupported if iotivity-constrained abandons tinyDTLS. Or, other options may emerge: mbed TLS may cover its few remaining gaps with respect to AES-CCM cipher suites or NodeJS may support DTLS on it's included OpenSSL implementation. Such are the opportunities in an ever-changing, open source development space.
We've developed three libraries to get DTLS and CoAP support in our cipher suite coverage. The original Node CoAP API needed to be enlarged to contain DTLS options. Because DTLS is at the bottom of the stack, all libraries in between also needed to be enlarged. These libraries impose minimum requirements and determine eligible platforms. Because IoT devices have limited memory capacity, it is important to set minimum requirements below the platform's maximum capabilities. Today, we're pleased to share Node mbed DTLS, Node CoAP DTLS, and CoAP CLI.
This native-wrapper is used to test PSK interoperability in mainline IoTivity. It is fairly reliable, though single-purpose. Node mbed DTLS was forked to gain control over the mbed TLS version and the build process. There is no network or file I/O support in the native build. Instead, all I/O relies on Node. Network-layer callbacks are bound to socks created by NodeJS, and they are passed in as arguments.
- Fragile, large stack
- Certificate and asymmetric modes are present and generally supported, though little testing has been done with them in this stack
This API is a good place to start if you're interested in writing NodeJS applications against IoT devices. This is the CoAP application layer, forked from Node-CoAP and reworked to support DTLS. The application layer communicates cryptographic parameters to Node mbed DTLS, the native wrapper this library is built upon. This API is compatible with the original Node CoAP package and includes mbed TLS as a dependency. Node CoAP now handles cryptographic connections according to TLS protocol.
This example application is written on top of Node-CoAP for the purpose of passing cryptographic material into Node CoAP. The cryptographic message passes from Node-CoAP to Node mbed DTLS, and finally into mbed TLS. Thus, the message passes though the stack with supported DTLS options.
We hope you find these tools useful as you explore the DTLS and CoAP space. Please report bugs and ask questions. These open-source repositories are just a glimpse of what is to come from Neustar's IoT connectivity initiative.