nRF9160: Offloaded TLS vs. Mbed TLS

Question

I'm working with the nrf/samples/net/https_client sample for the nRF9160 and am trying to get a better understanding of using the modem's offloaded TLS capabilities vs. Mbed TLS in the secure environment. 
 It mentions that there are more configuration options with Mbed TLS, but I can't seem to find much more in the way of details in comparing the two. Specifically, I would like to know: 
 
 Is there a difference in performance (speed)? 
 Is there a difference in power consumption? 
 Is there a difference in security? 
 Is there a difference in memory footprint (both volatile and non-volatile)? 
 In which scenarios would one be recommended over the other? 
 
 And then regarding provisioning the certificates themselves, I'm not quite clear on which certificate types to provision. For MQTT with mTLS, I have three PEM-encoded files: the CA cert, the client cert, and the client private key. For modem key management, there are the following options: 
 MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT MODEM_KEY_MGMT_CRED_TYPE_PSK MODEM_KEY_MGMT_CRED_TYPE_IDENTITY 
 And for Mbed TLS, there are the following options: 
 TLS_CREDENTIAL_NONE TLS_CREDENTIAL_CA_CERTIFICATE TLS_CREDENTIAL_SERVER_CERTIFICATE TLS_CREDENTIAL_PRIVATE_KEY TLS_CREDENTIAL_PSK TLS_CREDENTIAL_PSK_ID 
 For each of these two sets of options, which enums correspond to each of those three PEM-encoded files that I need to configure? 
 Thanks!

Kazi Afroza Sultana · Accepted Answer

Hello, 
 In terms of '' modem's offloaded TLS capabilities vs. Mbed TLS'', there are differences between them. But it depends on the modem version. 
 I do not know about power consumption. It probably depends on how the ''native'' TLS is configured. The modem has some HW acceleration. So, there should not have too many differences. Power consumption is dominated by radio also. 
 On the application core, we have the cryptocell, but it might also configure the libraries to use SW implementations, and in that case, we would expect the performance to be worse on the application side. In terms of performance, you could argue that there is no performance cost when using offloaded TLS, as then the heavy computation happens on the modem side, and the application core is free to do other things. 
 Regarding memory footprint, when using offloaded TLS, the cost is on the modem side, where you do not get any benefit from not using it, while on the application side, you will lose a lot of flash and RAM that the application could have used otherwise. 
 
 From a security point of view, we recommend using offloaded TLS, as then the keys won't be accessible by the application at all. 
 So in general, we recommend offloaded TLS in all cases, unless the TLS stack in the modem is missing some features that they absolutely need. I.e. the only benefit of "native" TLS is the extra configurability.

nRF9160: Offloaded TLS vs. Mbed TLS

Top Replies