DTLS over CoAP for the Zephyr project


Nikos Karamolegkos
 

Hello everyone,

I have seen that other IoT OS use tinydtls for authentication over CoAP and IEEE 802.15.4. On the other hand, I have seen (in documentation 1.9) that the Zephyr RTOS uses mbed TLS, but I am confused about how to set it up in IoT end devices. Specifically, I was wondering if there is any tutorial to start with (e.g. on reel boards). Also, I would like to know if the DTLS is based on pre-shared keys or on any elliptic curve cryptography (ECC) algorithm?

Thank you for your time

--
Nikos Karamolegkos
R & D Engineer at ICS-FORTH
Telecommunications and Networks Lab (TNL)


Nikos Karamolegkos
 

Any ideas, guys?


Carles Cufi
 

Hi Nikos,

Copying a couple of people that might not be on this mailing list and may be able to help you.

Carles

-----Original Message-----
From: users@lists.zephyrproject.org <users@lists.zephyrproject.org> On
Behalf Of Nikos Karamolegkos via Lists.Zephyrproject.Org
Sent: 03 July 2019 13:07
To: users@lists.zephyrproject.org
Cc: users@lists.zephyrproject.org
Subject: [Zephyr-users] DTLS over CoAP for the Zephyr project




Nikos Karamolegkos
 

Thank you. I was trying to find an example with CoAP over DTLS (client and server) in the Zephyr tree. However, I cannot find any tutorial or any discussion about that. Also, in the 1.9.2 Zephyr docs there is a sample named "CoAP over DTLS sample server" which does not exist in the latest release of Zephyr (after 1.13 is gone). Any help on that? I am really confused.


Lubos, Robert
 

Hi Nikos,

 

The samples you mention were likely removed/modified during our transition from the net_app API to the socket API. The CoAP samples we have now do not seem to feature DTLS at this point.

 

There are a few samples featuring TLS/DTLS communication. The staple examples would be `echo_client`/`echo_server` samples that can communicate with each other over TLS/DTLS. You could also check `mqtt_publisher`, `http_get`, `lwm2m_client` or `google_iot_mqtt`. Depending on what application protocol is used, they can run over TLS or DTLS.

Typically, to enable TLS in these samples, you need to apply the `overlay-tls.conf` configuration provided with a sample. You can do it by specifying the `-DOVERLAY_CONFIG=overlay-tls.conf` option when you generate a project.

 

Regards,

Robert

 

From: users@... [mailto:users@...] On Behalf Of Nikos Karamolegkos via Lists.Zephyrproject.Org
Sent: Wednesday, July 24, 2019 12:59
To: users@...
Cc: users@...
Subject: Re: [Zephyr-users] DTLS over CoAP for the Zephyr project

 



Nikos Karamolegkos
 

Thank you for the detailed reply, Robert. Thus, as I understand, there is no support for CoAP over DTLS at this time. Is it possible to add this functionality in the next commits? Also, for the echo client/server I can see frdm_kw41z.conf in the folder "boards", which makes me conclude that these samples could be used with this 802.15.4 compatible module. Am I correct? My purpose is to find an 802.15.4 module (i.e. support of O-QPSK with the 6lowpan stack) in order to use CoAP over DTLS and Zephyr RTOS.


Lubos, Robert
 

Nikos,

 

CoAP over DTLS is supported, we just don’t have a straightforward sample of this functionality. For instance, the `lwm2m_client` sample uses the CoAP protocol over DTLS (LWM2M uses CoAP internally). For TLS/DTLS communication we have a secure sockets API – the API is similar to the POSIX sockets API, therefore it’s pretty straightforward to convert socket-based samples to use DTLS instead of UDP for instance.

 

As for the modules supporting 802.15.4, yes, frdm_kw41z is one of them. I don’t know if we provide a complete list of all boards that support 802.15.4, but for sure you can check what drivers are available to have some insight: https://github.com/zephyrproject-rtos/zephyr/tree/master/drivers/ieee802154. I personally use `nrf52840_pca10056` for 802.15.4 (I’m a Nordic employee).

 

As for 802.15.4-based networking, Zephyr provides its own 6lowpan stack (which can be tested with echo samples). You might also be interested in OpenThread, which we support in Zephyr – it’s an 802.15.4-based IPv6 mesh protocol. OpenThread can also be run with the echo samples (the protocol used in the sample depends on what overlay config file you select).

 

Regards,

Robert

 

From: users@... [mailto:users@...] On Behalf Of Nikos Karamolegkos via Lists.Zephyrproject.Org
Sent: Wednesday, July 24, 2019 15:35
To: users@...
Cc: users@...
Subject: Re: [Zephyr-users] DTLS over CoAP for the Zephyr project

 



Nikos Karamolegkos
 

Once again, thank you for your detailed answer. Therefore, if I apply the "overlay-802154.conf" overlay config, then I will have the 6lowpan stack?

Yes, the OpenThread is really a nice choice.

Also, I am going to check the module nrf52840_pca10056, although it doesn't support hardware acceleration as far as I can see. I would like to find a module which can support hardware acceleration for ECC in DTLS (not only pre-shared key). For now, as I can see in the tls_credential.h file, the DTLS is using pre-shared key (PSK) only.

Best,

Nikos


Lubos, Robert
 

Yes, applying `overlay-802154.conf` will make the sample use Zephyr’s native 6lowpan stack. Applying `overlay-ot.conf` will make the sample use OpenThread, which implements its own 6lowpan layer. You can also combine two overlays – `-DOVERLAY_CONFIG="overlay-802154.conf overlay-tls.conf"` to run DTLS over 802.15.4 6lowpan. Combining DTLS with OpenThread is not supported at this moment.

 

Certificates are also supported with DTLS sockets – echo_client/echo_server use them to secure DTLS connection. The lwm2m_client though indeed uses PSK.

 

nrf52840_pca10056 has a hardware crypto acceleration module – CryptoCell 310, which is capable of accelerating ECC operations (we use it for example in “vanilla” OpenThread repository). We have some support for it in our Zephyr based SDK (https://github.com/NordicPlayground/fw-nrfconnect-nrf/), sadly we haven’t integrated and tested it with networking samples yet.

 

Regards,

Robert

 

From: users@... [mailto:users@...] On Behalf Of Nikos Karamolegkos via Lists.Zephyrproject.Org
Sent: Thursday, July 25, 2019 12:12
To: users@...
Cc: users@...
Subject: Re: [Zephyr-users] DTLS over CoAP for the Zephyr project

 

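The Kconfig side of Robert's answers above, as an added example that is not part of the original thread or of the Zephyr tree: an overlay that turns on DTLS secure sockets and shows the PSK and ECC (ECDHE-ECDSA) key exchanges side by side. The file name is hypothetical, and the option names and sizes are assumptions based on Zephyr's socket and mbed TLS Kconfig that should be confirmed in menuconfig for the release in use.

```kconfig
# overlay-dtls-example.conf (hypothetical file name, added example)
# Option names are assumed from Zephyr's socket and mbed TLS Kconfig and
# can differ between releases; confirm each one before relying on it.

# Secure sockets with datagram (DTLS) support
CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
CONFIG_NET_SOCKETS_ENABLE_DTLS=y
CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=2

# mbed TLS built from the Zephyr tree, with a dedicated heap for
# handshake buffers. The sizes below are assumptions; measure on target.
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_BUILTIN=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=60000
CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=2048

# Option A: pre-shared key (the mode the thread says lwm2m_client uses).
# No public-key code is needed, so it is the smallest configuration.
CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y

# Option B: ECC, i.e. ECDHE key agreement authenticated with ECDSA
# certificates (the thread says echo_client/echo_server use certificates).
# Some releases enable the three *_C options automatically.
CONFIG_MBEDTLS_ECP_C=y
CONFIG_MBEDTLS_ECDH_C=y
CONFIG_MBEDTLS_ECDSA_C=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
```

Enable only the key exchange the deployment actually uses, since every extra one adds code size and negotiable ciphersuites; the PSK or certificate itself is registered at run time through the API declared in tls_credential.h.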


Nikos Karamolegkos
 

The nrf52840_pca10056 module looks promising provided that it supports the 6lowpan stack and also has the acceleration module. However, I have to check how difficult it is to use/implement ECC and DTLS using Zephyr. I will look for any discussion.