
We need to find a way to protect the data from the IoT devices to the cloud server. We use MQTT for the messaging.

Since we use STM32 in our IoT devices, TLS does not seem to be a viable solution, as there is only very limited ROM (about 60K) on the STM32 board.

And we use GPRS for the communication. It doesn't support TLS either.

But as AES alone is not sufficient, I am thinking about using IPSec for the transport layer security.

Can anyone provide any suggestion on the questions below?

1. Is there a way to use TLS in an environment with limited ROM?

2. Can IPSec be used in such an IoT environment?

3. Is IPSec + AES sufficient, or is there any other security we need to consider?

vaj oja

2 Answers


IPSec is a tunneling technology. This means you need two tunnel endpoints: one on your IoT device and one in the cloud (or better, in the cloud service you are sending the data to). IPSec endpoints are, from what I know, not very common.

Therefore TLS would be the recommended solution. I don't have experience with how much ROM a TLS implementation needs; however, you should be able to decrease the size by compiling the TLS library yourself. Most TLS libraries are only large because they have to support four SSL/TLS versions and dozens of ciphers.

Disable all unused modes (SSL, TLSv1, TLSv1.1) and ciphers. You have to check which ciphers are supported by your cloud service provider and adapt them in the TLS library accordingly. In the end you should only keep TLSv1.2 and one, maybe two, ciphers.

Robert
  • We use GPRS for the communication. It doesn't support TLS either. In this case, should we only use AES? – vaj oja Jul 27 '16 at 16:59
  • I am sorry, but what you are saying is nonsense (unless you are not talking about the standard GPRS used worldwide). GPRS provides an IP channel, and on every IP channel you can establish a TCP connection and therefore also a TLS connection (as a TLS connection is just a TCP connection with encrypted content). And if you have to use UDP instead of TCP, you can use D-TLS (for UDP) instead. – Robert Jul 28 '16 at 10:03
  • Thanks for the correction. Yes, GPRS does support TLS. What I didn't make clear is that we currently use MQTT, which GPRS doesn't support. If we use TLS, we will have to use HTTPS instead of MQTT. Any suggestion on this? – vaj oja Jul 29 '16 at 16:53
  • TLS is not bound to HTTPS. You can use any TCP-based protocol inside TLS. – Robert Jul 29 '16 at 17:22
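As an added illustration of the "compile the TLS library yourself and disable everything unused" advice above (this is not from the original thread), here is what such a trimmed build configuration can look like. It assumes mbedTLS 2.x as the library and uses that library's `config.h` option names; the single cipher suite chosen here (ECDHE-ECDSA with AES-128-GCM) is an assumption and must be replaced by whatever the cloud broker actually negotiates. The same idea applies to any other embedded TLS stack: one protocol version, one key exchange, one cipher, one hash, client side only.

```c
/* Added example: trimmed mbedTLS 2.x build options for a TLS 1.2-only MQTT
 * client on a small MCU. Not from the original thread; mbedTLS and the option
 * names below are assumptions about the library chosen, and the cipher suite
 * must match what the cloud broker offers. Place these in the project's
 * mbedTLS config header (or a MBEDTLS_CONFIG_FILE override). */

/* --- Protocol versions: keep TLS 1.2 only (the answer's "disable SSL, TLSv1, TLSv1.1") --- */
#undef  MBEDTLS_SSL_PROTO_SSL3
#undef  MBEDTLS_SSL_PROTO_TLS1
#undef  MBEDTLS_SSL_PROTO_TLS1_1
#define MBEDTLS_SSL_PROTO_TLS1_2

/* --- Exactly one cipher suite, agreed with the broker beforehand --- */
#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

/* --- Role: this device is only ever a TLS client --- */
#define MBEDTLS_SSL_CLI_C
#undef  MBEDTLS_SSL_SRV_C

/* --- Primitives that one suite needs --- */
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED   /* one curve, matching the broker's cert */
#define MBEDTLS_ECP_C
#define MBEDTLS_ECDH_C
#define MBEDTLS_ECDSA_C
#define MBEDTLS_BIGNUM_C
#define MBEDTLS_AES_C
#define MBEDTLS_GCM_C
#define MBEDTLS_SHA256_C
#define MBEDTLS_X509_CRT_PARSE_C           /* still verify the broker's certificate */
#define MBEDTLS_CTR_DRBG_C
#define MBEDTLS_ENTROPY_C
#undef  MBEDTLS_ECP_NIST_OPTIM             /* speed optimisation that costs ROM */

/* --- Everything that suite does not need --- */
#undef  MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
#undef  MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
#undef  MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
#undef  MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
#undef  MBEDTLS_RSA_C                      /* only if no cert in the chain is RSA-signed */
#undef  MBEDTLS_DHM_C
#undef  MBEDTLS_DES_C
#undef  MBEDTLS_ARC4_C
#undef  MBEDTLS_CAMELLIA_C
#undef  MBEDTLS_BLOWFISH_C
#undef  MBEDTLS_CIPHER_MODE_CBC
#undef  MBEDTLS_MD5_C
#undef  MBEDTLS_SHA1_C                     /* only if no cert in the chain uses SHA-1 */
#undef  MBEDTLS_SHA512_C
#undef  MBEDTLS_SSL_RENEGOTIATION
#undef  MBEDTLS_SSL_SESSION_TICKETS
#undef  MBEDTLS_X509_CRL_PARSE_C
#undef  MBEDTLS_PEM_PARSE_C                /* ship the CA certificate as DER instead */
#undef  MBEDTLS_ERROR_C                    /* error-string tables are pure ROM */
#undef  MBEDTLS_DEBUG_C

/* --- RAM: shrink the 16 KiB record buffers. Requires the Max Fragment Length
 * extension to be honoured by the broker; a server that ignores it may still
 * send records larger than this and the handshake will then fail. --- */
#define MBEDTLS_SSL_MAX_CONTENT_LEN 2048
#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
```

After changing the configuration, check the result with `size` (or the linker map) on the produced library rather than trusting estimates, and test the handshake against the real broker once: a suite or curve disabled here that the broker happens to require shows up as a handshake failure, not as a compile error.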
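The comment exchange above ends with the key point that TLS is not tied to HTTPS and that any TCP-based protocol, MQTT included, can run inside it. The added example below (not part of the original thread) shows why in code: an MQTT 3.1.1 CONNECT packet is built as plain bytes, and the only thing that changes when TLS is switched on is which write function those bytes are handed to. The transport is abstracted as a callback; the names `mqtt_write_fn`, `mqtt_connect` and the in-memory `membuf` transport are constructed for this example, and mbedTLS is assumed as the TLS library when its `mbedtls_ssl_write()` is mentioned.

```c
/* Added example, not from the thread: MQTT 3.1.1 CONNECT over an abstract
 * transport. The same bytes go to a plain TCP send() over GPRS or to a TLS
 * record layer; the application code does not change. Names below are
 * constructed for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write callback: returns bytes written or <0 on error. A two-line adapter
 * around mbedtls_ssl_write(ssl, buf, len) (assumption: mbedTLS) fits here,
 * as does one around send(). */
typedef int (*mqtt_write_fn)(void *ctx, const unsigned char *buf, size_t len);

/* MQTT "remaining length": 1..4 bytes, 7 data bits each, MSB = continuation */
static size_t mqtt_encode_remaining(unsigned char *out, size_t len) {
    size_t n = 0;
    do {
        unsigned char d = (unsigned char)(len % 128);
        len /= 128;
        if (len > 0) d |= 0x80;
        out[n++] = d;
    } while (len > 0);
    return n;
}

/* Build a CONNECT packet (clean session, no username/password, no will).
 * Returns the packet length, or 0 if buf is too small or client_id too long. */
size_t mqtt_build_connect(unsigned char *buf, size_t buflen,
                          const char *client_id, uint16_t keepalive_s) {
    size_t idlen = strlen(client_id);
    if (idlen > 23) return 0;             /* 3.1.1 brokers must accept 1..23 byte ids */
    size_t remaining = 10 + 2 + idlen;     /* variable header + length-prefixed id */
    unsigned char rl[4];
    size_t rln = mqtt_encode_remaining(rl, remaining);
    if (buflen < 1 + rln + remaining) return 0;

    static const unsigned char vh[] = {
        0x00, 0x04, 'M', 'Q', 'T', 'T',    /* protocol name */
        0x04,                              /* protocol level 4 = MQTT 3.1.1 */
        0x02                               /* connect flags: clean session */
    };
    size_t p = 0;
    buf[p++] = 0x10;                       /* fixed header: CONNECT, flags 0 */
    memcpy(buf + p, rl, rln);  p += rln;
    memcpy(buf + p, vh, sizeof vh); p += sizeof vh;
    buf[p++] = (unsigned char)(keepalive_s >> 8);
    buf[p++] = (unsigned char)(keepalive_s & 0xff);
    buf[p++] = (unsigned char)(idlen >> 8);
    buf[p++] = (unsigned char)(idlen & 0xff);
    memcpy(buf + p, client_id, idlen); p += idlen;
    return p;
}

/* Send CONNECT through whatever transport is supplied. Returns 0 on success. */
int mqtt_connect(mqtt_write_fn write, void *ctx, const char *client_id) {
    unsigned char pkt[64];
    size_t n = mqtt_build_connect(pkt, sizeof pkt, client_id, 60);
    if (n == 0) return -1;
    size_t off = 0;
    while (off < n) {
        int w = write(ctx, pkt + off, n - off);
        if (w <= 0) return -1;            /* a real TLS adapter also retries WANT_READ/WANT_WRITE */
        off += (size_t)w;
    }
    return 0;
}

/* Constructed in-memory transport standing in for the socket or TLS context */
struct membuf { unsigned char data[128]; size_t len; };

static int membuf_write(void *ctx, const unsigned char *buf, size_t len) {
    struct membuf *m = ctx;
    if (m->len + len > sizeof m->data) return -1;
    memcpy(m->data + m->len, buf, len);
    m->len += len;
    return (int)len;
}

int main(void) {
    struct membuf m = { {0}, 0 };
    if (mqtt_connect(membuf_write, &m, "stm32-01") != 0) return 1;
    for (size_t i = 0; i < m.len; i++) printf("%02x ", m.data[i]);
    printf("\n");                          /* the bytes a broker would see after TLS decrypts them */
    return 0;
}
```

The broker on the other side sees exactly these bytes after its TLS layer decrypts the record, so no change to the MQTT side is needed; only the TCP port (conventionally 8883 instead of 1883) and the TLS setup before the first write are new.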

TLS is still your friend.

There's a library here that claims to fit into your memory amount: https://realtimelogic.com/products/sharkssl/ . They even have something for IoT under the TLS section in their menu.

And here's the other one: http://www.matrixssl.org/ And more: https://www.allegrosoft.com/embedded-ssl-tls-ae

I have no personal experience with these implementations at all - just know that they exist.

Eugene Mayevski 'Callback