CoAP via DTLS with secure transport only [message #1718283]
Tue, 22 December 2015 06:19
Klaus Schroiff Messages: 4 Registered: December 2015
Hi,
I am a bit confused regarding the way CoAP works over DTLS, probably also because of the research papers out there suggesting what could be done, so I'm now in a state where I don't know anymore what has actually been done.
The thing that produces headaches on my side is the definition of authentication. Is it authentication solely at packet level for creating the secure transport, or is it authentication at tenant (application) level?
During testing I created two separate keystores for client and server (client key not stored in the server keystore). Now whatever I set as "ClientAuthenticationRequired" on the server - it doesn't make a difference - the request comes through anyway (which is good enough for us as long as the connection is encrypted).
Our problem scenario:
We are offering a multi-tenant cloud service. The idea is to use a CoAP cross proxy (farm) to map from CoAP(s) to HTTP for further processing. The Cross-Proxy instances have _no_ tenant notion so I'd like to use DTLS for secure transport only. The credentials will be provided in the (encrypted) payload.
Thanks
Klaus
[Updated on: Wed, 23 December 2015 04:50]
Re: CoAP via DTLS with secure transport only [message #1718456 is a reply to message #1718453]
Thu, 24 December 2015 02:47
Klaus Schroiff Messages: 4 Registered: December 2015
Ok, can it be that this is all a big text adventure at this stage?
In order to use PSK the client has to set the supported CipherSuite to TLS_PSK_WITH_AES_128_CCM_8 _explicitly_.
Otherwise TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 will be used which also explains why the pskStore was ignored in my previous example.
Well, TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 is fine for me anyway.
When setting the client to TLS_PSK_WITH_AES_128_CCM_8 I am running into a handshake failure despite identical PSK store on the client and server side.
Any idea why?
[Updated on: Thu, 24 December 2015 03:23]
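A minimal client/server pair pinned to TLS_PSK_WITH_AES_128_CCM_8 on both sides, as an added example that is not code from this thread or from the Californium project. It assumes the 1.0-era Scandium API (DtlsConnectorConfig.Builder, StaticPskStore, setSupportedCipherSuites), a constructed identity and key, and a loopback address; with a PSK suite both peers authenticate each other through the shared key, so the certificate-oriented ClientAuthenticationRequired setting does not come into play in that handshake.

```java
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import org.eclipse.californium.core.CoapClient;
import org.eclipse.californium.core.CoapResource;
import org.eclipse.californium.core.CoapResponse;
import org.eclipse.californium.core.CoapServer;
import org.eclipse.californium.core.network.CoapEndpoint;
import org.eclipse.californium.core.network.config.NetworkConfig;
import org.eclipse.californium.core.server.resources.CoapExchange;
import org.eclipse.californium.scandium.DTLSConnector;
import org.eclipse.californium.scandium.config.DtlsConnectorConfig;
import org.eclipse.californium.scandium.dtls.cipher.CipherSuite;
import org.eclipse.californium.scandium.dtls.pskstore.StaticPskStore;

public class PskOnlyCoaps {
    // Constructed sample credentials; a real deployment loads these from a secrets store.
    static final String PSK_IDENTITY = "device-0001";
    static final byte[] PSK_SECRET = "constructed-16-byte".getBytes(StandardCharsets.UTF_8);

    // Assumed 1.0-era Scandium API: Builder, setPskStore, setSupportedCipherSuites.
    static DtlsConnectorConfig pskOnlyConfig(InetSocketAddress bind) {
        DtlsConnectorConfig.Builder b = new DtlsConnectorConfig.Builder(bind);
        b.setPskStore(new StaticPskStore(PSK_IDENTITY, PSK_SECRET));
        // Pin the suite list to PSK. Without this the ECDHE_ECDSA suite is negotiated by
        // default and the PSK store is never consulted. Both peers need a common suite:
        // a PSK-only client against an ECDHE_ECDSA-only server cannot complete the handshake.
        b.setSupportedCipherSuites(new CipherSuite[] { CipherSuite.TLS_PSK_WITH_AES_128_CCM_8 });
        return b.build();
    }

    public static void main(String[] args) throws Exception {
        CoapServer server = new CoapServer();
        server.addEndpoint(new CoapEndpoint(
                new DTLSConnector(pskOnlyConfig(new InetSocketAddress("127.0.0.1", 5684))),
                NetworkConfig.getStandard()));
        server.add(new CoapResource("hello") {
            @Override public void handleGET(CoapExchange exchange) { exchange.respond("ok"); }
        });
        server.start();
        // Client bound to an ephemeral port with the same PSK-only configuration.
        CoapClient client = new CoapClient("coaps://127.0.0.1:5684/hello");
        client.setEndpoint(new CoapEndpoint(
                new DTLSConnector(pskOnlyConfig(new InetSocketAddress(0))),
                NetworkConfig.getStandard()));
        CoapResponse response = client.get();
        System.out.println(response == null ? "no response" : response.getResponseText());
        server.stop();
    }
}
```

Changing only the client's suite list, as in the post, leaves the server free to negotiate a suite the client no longer offers; comparing the two suite lists is the first check when a PSK handshake fails with matching stores.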