• State Verified Answer
  • Replies 2 replies
  • Subscribers 74 subscribers
  • Views 707 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 330924
Options

NRF9160 PSK Cipher-Suites in modem and TLS 1.3

rw_w

Hello,

the BSI (German Federal Office for Information Security) released a document February this year which contains a list for recommended cipher suites and TLS versions:

BSI TR-02102-2: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-2.pdf?__blob=publicationFile&v=6

The current NRF9160 SiP modem firmware 1.3.6 supports the Cipher suites as defined on this website: https://www.nordicsemi.com/Products/nRF9160/Download

Two questions:

  1. Section 3.3.1.3 (Table 4) lists recommended cipher suites for TLS 1.2 with pre-shared keys. Unfortunatly none of the the PSK cipher suites seem to be supported by the NRF9160 modem. PSK Cipher Suites may be used in our hardware for LWM2M over DTLS. Are there any plans to add more cipher suites to the modem firmware of the NRF9160 in the future? Especially of interest are cipher suites that are recommended to be used up to 2030+. Are there any timelines for future modem firmware releases?
  2. As far as I know currently the modem firmware and zephyr only support D/TLS 1.2. Are there any plans to add support for TLS 1.3 to the modem firmware and/or to zephyr (e.g. with mbedTLS) in the future, in case usage of TLS 1.2 will not be recommended anymore in a few years?

Best regards

rw

  • +1

    Hi,

    Are there any plans to add more cipher suites to the modem firmware of the NRF9160 in the future? Especially of interest are cipher suites that are recommended to be used up to 2030+. Are there any timelines for future modem firmware releases?

    For future plans, modem releases and timelines please contact your regional sales manager.

    Are there any plans to add support for TLS 1.3 to the modem firmware and/or to zephyr (e.g. with mbedTLS) in the future, in case usage of TLS 1.2 will not be recommended anymore in a few years?

    Maybe you can get this information by asking in the Zephyr Discord channel directly (visit Zephyr community and go to Community->Connect with Zephyr->Discord). Otherwise, please contact your regional sales manager regarding future support for TLS v1.3.

    Best regards,
    Dejan

  • 0

    The usage of TLS_ECDHE_PSK requires ECC calculations and therefore using TLS_ECDHE_ECDSA requires not that more calculations. The pain may be using x509, if RawPublicKey (RFC 7250) isn't supported (AFAIK mbedtls doesn't support it).

    With RPK and an efficient ECC implementation (either hw or micro-ecc) using TLS_ECDHE_ECDSA is pretty well (see Eclipse/tinydtls  and Eclipse/Californium). UDP payload handshake all together about 1225 bytes, time for handshake 1s (nRF9160, micro_ecc), and with DTLS 1.2 CID, that is only required once for a "pretty long time".

Related
Terms of service