Key Missing Feature for IoT

Thu, 14 Mar 2024 09:30:38 -0700 

Hi all,
I'm the main Maintainer of *Leshan* <https://github.com/eclipse-leshan/leshan>. An open Source Java Implementation of *LWM2M <https://github.com/eclipse-leshan/leshan/wiki/Lightweight-M2M-Specification>* protocol. 

*LWM2M* is mainly based on *coap* and *coap+tcp* protocol.

Security is available by usage of *coaps* and *coaps+tcp* which are 
based respectively on *DTLS* and *TLS* (mainly v1.2 for now)



Currently we only have support of *coap* and *coaps*. We are using 
*Scandium 
<https://github.com/eclipse-californium/californium/tree/main/scandium-core>* 
as *DTLS* implementation, this is an historical choice because *DTLS* 
was not available *OpenJDK* initially.



Recently, I begin to work about adding *coap+tcp* and *coaps+tcp* to 
Leshan and so I looked again on available security feature in OpenJDK to 
see if I should rely on it but  I understand there still missing key 
features for IoT.


My understanding, DTLS 1.2 was added but there is still no support of :

 * *Pre-Shared Key* for (D)TLS 1.2 :  PSK is one of the most basic
   techniques for TLS/DTLS since it is both computationally efficient
   and bandwidth conserving. (RFC7925§Section4.2
   <https://www.rfc-editor.org/rfc/rfc7925#section-4.2> - TLS / DTLS
   -Profiles for the Internet of Things)
 * *Connection Identifier* for DTLS 1.2 (RFC 9146
   <https://www.rfc-editor.org/rfc/rfc9146.html>) : CID is key feature
   to limit handshake in dynamic IP environment. (and also be used for
   load balancing)
 * Cipher suite based on *AES_128_CCM_8
   *(TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, TLS_PSK_WITH_AES_128_CCM_8)
   which are the recommended or mandatory ciphersuite for CoAP or to
   create implementation compliant with RFC7925
   <https://www.rfc-editor.org/rfc/rfc7925>.


If I missed something and one of those feature is already available let 
me know.



The point I want to raise here it that it's pretty hard for Java IoT 
developer to support commons Security IoT Feature.



Community can eventually rely on Scandium but it is currently maintain 
by only 1 person and doesn't follow JSSE API and only target DTLS.
Other alternative is maybe Bouncy Castle but Pre-shared key seems not 
available in their JSSE provider.
There is also possibility to bind native library but this is not so easy 
and also have drawback.

All that solution sounds not so good...

So do you think it could make sense to add this kind of feature in OpenJDK ?
Or Maybe there is already plan to add it ?

(I hope this is the right place for this kind of question)

Thx,

Simon






















					Reply via email to