I implement mbedTLS to the Particle environment community library, TlsTcpClient and MQTT-TLS. This 2 library could connect to AWS/Azure…etc IoT cloud platform with certificate/private key.
Now cipher suite is here.
Here is TLS 1.2 sequence.
I test this library with Particle Photon on the several IoT Platform(AWS IoT/Azure/mosquitto/eclipse iot…etc), I would note the “How to implements mbedTLS to embedded IoT platform”.
Here is the Particle Cloud API and MQTT(TLS)/TlsTcpClient network communications image.
Particle Cloud API is official API from Particle very useful for developer, it is easy to use on the application with Cloud IoT Platform and low price(free Device Cloud access for first 100 devices). But if Particle cloud system will down, device could not pub/sub data with other Cloud IoT Platforms. MQTT(TLS)/TlsTcpClient area community library could connect to the AWS/Azure…etc directly, developer could use this for second choice.
And Particle provid firmware api TCPClient for the TCP network communication. If developer want secure TCP connection, TlsTcpClient could be used for it.
Next, my point of the implementation of the Photon and mbedTLS.
1) I want to use OpenSSL on the Particle but can’t
OpenSSL is powerful SSL/TLS library used on the several application, server, pc…etc.(SSLSocket is very useful for programmer). Maybe talking about the SSL, many developer think OpenSSL. But OpenSSL library size is very fat. I build openssl-1.1.0c on my Ubuntu x64 total library size is 9,227,602byte!!
Then I found the following open source TLS library for implementation.
I choice the mbedTLS because of mbedTLS could use the Apache 2.0 license or the GPL 2.0 license, and I think the future possibilities with the this library.
mbedTLS could work on the several CPU(x86/64…etc) platform not only the ARM core. And Particle Photon have a STM32F205RGY6 120Mhz ARM Cortex M3, so maybe think “you could build/compile the mbedTLS on the Photon easily, hahaha…”. That’s fault. I did the following work.
1. There were very lot of compile error happen on the mbedTLS with Particle IDE, I modify source code and debug.
2. There are some libc function needed by mbedTLS did not found on the Particle environment, I added that functions to the mbedTLS source code.
2) embedded cpu power.
Particle Photon have a STM32F205RGY6 120Mhz ARM Cortex M3 cpu. This spec is powerful for embedded IoT platform, but I’m afraid TLS/RSA/some cipher alogorithm could not work on the this CPU spec. As a result, there is nothing to worry about that.
Photon with webserver TLS handshake total network time(see the this blog entry WireShark packet capture image) is under 20ms!! on the case of the TLS_RSA_AES_128_GCM_SHA256. And TLS data communication(AES128 cipher) encrypt/decrypt is high speed too. Photon cpu(Cortex-M3) is enough for TLS working!!
Next version Particle device ARGON(BT Mesh, WiFi) including ESP32 chip. ESP32 have a hardware acceleration AES/SHA-2/RSA/ECC/RNG maybe ARGON enable very fast TLS communication.
3) firmware size.
I think this firmware size limitation is really important. Here is MQTT-TLS a1-sample build result.
Application firmware size limit is about the 128Kbyte with library, so it’s hard to use a lot of library even if developer want to use. If library use 96Kbyte size in the application, developer could use only 32kbyte for own application. Because of that, library have to shape the size as far as possible for developer application.
mbedTLS library have a several Cipher Suites, option algorithm, which one be used is important for the size and security. Of course all cipher suite could include to the library, but library would be size over the flash size. On the other hand, if it use the weak cipher(DES/MD5) only for the flash size, that’s security would be vulnerable. Balance of the security and flash size would be very important.
Thne here is latest library size with sample application.
MQTT-TLS 0.2.13, Photon firmware 0.8.0-rc2 : 71200byte
TlsTcpClient 0.2.11,Photon firmware 0.8.0-rc2 : 72768byte
Now cipher is TLS_RSA_WITH_AES_[128|256]_GCM_SHA[1|256|512], if remove SHA1/512 size will be about 50Kbyte. I choice this cipher suite because of certification compatibility/security strength.
1st version TlsTcpClient/MQTT-TLS programing with mbedTLS is about 2-3 days. mbedTLS is very useful and having possibilities in IoT environments.
I think TLS would be more needed in IoT/embedded platforms. A lot of IoT/embedded platforms use non ciphered TCP communication now because of low power MCU/firmware size limitation, but mbedTLS works well like a this MQTT-TLS/TlcTcpClient library.