nRF9160: Offloaded TLS vs. Mbed TLS

I'm working with the nrf/samples/net/https_client sample for the nRF9160 and am trying to get a better understanding of using the modem's offloaded TLS capabilities vs. Mbed TLS in the secure environment.

It mentions that there are more configuration options with Mbed TLS, but I can't seem to find much more in the way of details in comparing the two. Specifically, I would like to know:

  1. Is there a difference in performance (speed)?
  2. Is there a difference in power consumption?
  3. Is there a difference in security?
  4. Is there a difference in memory footprint (both volatile and non-volatile)?
  5. In which scenarios would one be recommended over the other?

And then regarding provisioning the certificates themselves, I'm not quite clear on which certificate types to provision. For MQTT with mTLS, I have three PEM-encoded files: the CA cert, the client cert, and the client private key. For modem key management, there are the following options:

MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN
MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT
MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT
MODEM_KEY_MGMT_CRED_TYPE_PSK
MODEM_KEY_MGMT_CRED_TYPE_IDENTITY

And for Mbed TLS, there are the following options:

TLS_CREDENTIAL_NONE
TLS_CREDENTIAL_CA_CERTIFICATE
TLS_CREDENTIAL_SERVER_CERTIFICATE
TLS_CREDENTIAL_PRIVATE_KEY
TLS_CREDENTIAL_PSK
TLS_CREDENTIAL_PSK_ID

For each of these two sets of options, which enums correspond to each of those three PEM-encoded files that I need to configure?

Thanks!
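The enum mapping the question asks for, as an added example that is not part of this thread (editor's code, not from the https_client sample): a small Python helper that checks each of the three PEM files by its block label, emits the C header that such provisioning code embeds, and annotates each literal with the credential-type enum used on the offloaded (modem_key_mgmt) path and on the Mbed TLS (tls_credential) path. The mapping and the length convention noted in the generated comment come from the nRF Connect SDK / Zephyr headers and the sample's own calls, not from this page; the PEM inputs are constructed placeholders.

```python
import re

# One PEM block: group 1 is the label, group 2 the base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "EC PRIVATE KEY", "RSA PRIVATE KEY"}  # unencrypted only
# Credential type for each file on each path. This mapping is the editor's, taken from
# the nRF modem_key_mgmt and Zephyr tls_credential headers, not from the thread.
CRED_TYPES = {
    "ca":   ("MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN", "TLS_CREDENTIAL_CA_CERTIFICATE"),
    "cert": ("MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT", "TLS_CREDENTIAL_SERVER_CERTIFICATE"),
    "key":  ("MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT", "TLS_CREDENTIAL_PRIVATE_KEY"),
}
# Constructed, syntactically valid PEM placeholders (not real certificates or keys).
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nQ0EgY2VydCBwbGFjZWhvbGRlcg==\n-----END CERTIFICATE-----\n"
SAMPLE_CERT = "Bag Attributes\n-----BEGIN CERTIFICATE-----\r\nY2xpZW50IGNlcnQ=\r\n-----END CERTIFICATE-----\r\n"
SAMPLE_KEY = "-----BEGIN EC PRIVATE KEY-----\na2V5IHBsYWNlaG9sZGVy\n-----END EC PRIVATE KEY-----\n"

def pem_blocks(text):
    """Return (label, body) for every PEM block in text, ignoring anything outside them."""
    return [(m.group(1), m.group(2)) for m in PEM_RE.finditer(text)]

def check_pem(role, text):
    """Reject a file whose PEM labels do not fit its role ('ca', 'cert' or 'key')."""
    blocks = pem_blocks(text)
    labels = {label for label, _ in blocks}
    if not blocks:
        raise ValueError(f"{role}: no PEM block found")
    if role == "key" and (len(blocks) != 1 or not labels <= KEY_LABELS):
        raise ValueError(f"{role}: need exactly one unencrypted private key, got {labels}")
    if role != "key" and labels != {"CERTIFICATE"}:
        raise ValueError(f"{role}: expected only CERTIFICATE blocks, got {labels}")
    if role == "cert" and len(blocks) != 1:
        raise ValueError("cert: one client certificate only; intermediates belong in the CA chain")
    return blocks

def emit_header(ca_pem, cert_pem, key_pem):
    """Emit a C header with the three PEM files as NUL-terminated string literals."""
    out = ["/* Generated. Each literal is NUL-terminated: modem_key_mgmt_write() takes",
           " * sizeof(x) - 1 (no NUL), tls_credential_add() with Mbed TLS takes sizeof(x). */"]
    for role, text in (("ca", ca_pem), ("cert", cert_pem), ("key", key_pem)):
        modem, native = CRED_TYPES[role]
        out.append(f"/* offloaded: {modem}  Mbed TLS: {native} */")
        lines = []
        for label, body in check_pem(role, text):  # re-wrap to clean 64-char lines, drop junk
            lines += [f"-----BEGIN {label}-----", *body.split(), f"-----END {label}-----"]
        out.append(f"static const char {role}_pem[] =")
        out.extend(f'\t"{line}\\n"' for line in lines)
        out[-1] += ";"
    return "\n".join(out) + "\n"
```

Run it over the three files exported for the MQTT client; the generated header rejects an encrypted key or a client-certificate file that still carries the chain, two mistakes that otherwise only surface as a failed handshake on the device.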

  • Hello,

    In terms of "modem's offloaded TLS capabilities vs. Mbed TLS", there are differences between them. But it depends on the modem version.

    I do not know about power consumption. It probably depends on how the "native" TLS is configured. The modem has some HW acceleration. So there should not be too many differences. Power consumption is also dominated by the radio.

    On the application core, we have the cryptocell, but it might also configure the libraries to use SW implementations, and in that case, we would expect the performance to be worse on the application side. In terms of performance, you could argue that there is no performance cost when using offloaded TLS, as then the heavy computation happens on the modem side, and the application core is free to do other things. 

    Regarding memory footprint, when using offloaded TLS, the cost is on the modem side, where you do not get any benefit from not using it, while on the application side, you will lose a lot of flash and RAM that the application could have used otherwise. 

    From a security point of view, we recommend using offloaded TLS, as then the keys won't be accessible by the application at all.

    So in general, we recommend offloaded TLS in all cases, unless the TLS stack in the modem is missing some features that you absolutely need. I.e., the only benefit of "native" TLS is the extra configurability.

  • The major drawback of the offloaded TLS is the limitation of the secure buffers (2 kB)
