
MQTTSN with DTLS

Hello,

There is an example for the nRF52840 for Thread with MQTT-SN. Although this is just for my personal use, I would love to use some kind of encryption for it.

So the idea was to use DTLS for MQTT-SN. I have already used TLS with MQTT, but never worked with MQTT-SN and DTLS before and do not really have a clue how to implement this, since the Nordic example appears to use no encryption at all. Did anyone here already use MQTT-SN and DTLS on an nRF52840, or which security precautions do you take?

Thank you in advance

Max

  • Hello Max,

    Glad to hear that you use nRF5 SDK for Thread. As you correctly spotted, there is no example that shows MQTT-SN with DTLS. Moreover, this is a deliberate choice.

    If you look at the MQTT-SN specification (which is free and open-source) you can see that there are two virtual paths.

    1) from MQTT-SN clients (nRF52840) to an MQTT-SN Gateway (e.g. Raspberry Pi) - over UDP

    2) from the MQTT-SN Gateway to an MQTT broker - over TCP

    Path number 1 is fully encrypted using AES-128 and Thread's built-in encryption. So adding DTLS between those MQTT-SN Clients and the MQTT-SN Gateway seems unnecessary and resource-hungry.

    Path number 2 is based on regular MQTT (and TCP), which, as you said, you have some experience with. Moreover, if you log in to the Thread Border Router you can modify the MQTT-SN Gateway configuration and use your favorite MQTT-SN Broker. You can also set up proper encryption there (TLS). Our MQTT-SN Gateway is based on the open source project Paho - https://github.com/eclipse/paho.mqtt-sn.embedded-c

    However, if I haven't convinced you and you still want to use DTLS, this is possible, but it would require significant changes both in the MQTT-SN Gateway and in the MQTT-SN Client implementations. For the latter you would most likely need to expose the DTLS API in OpenThread. Right now, there is a public API for CoAPs only (you would like to cut it one line below - on plain UDP). Please see this file (github.com/.../coap_secure.cpp) to get an understanding of how to use the internal DTLS API.

    Hope that helps!
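    A concrete form of the TLS setup on path 2, added here as an illustration and not taken from the thread above or from the Paho project's shipped files: the gateway-side settings that put the gateway-to-broker leg on TLS while the Thread leg stays on plain UDP (the ClientAuthentication/ClientsList pair also limits which MQTT-SN client IDs the gateway accepts). Key names follow the Paho gateway's gateway.conf and clients.conf as I recall them and should be checked against the version on your Border Router; the broker hostname, file paths and the client entry are placeholders.

```ini
# gateway.conf (placeholder values; key names assumed from Paho's gateway.conf)

# MQTT broker reached over TCP; 8883 is the TLS port
BrokerName=broker.example.internal
BrokerPortNo=1883
BrokerSecurePortNo=8883

# Only client IDs listed in ClientsList may attach to the gateway.
# The list also marks which client sessions are bridged to the broker over TLS.
ClientAuthentication=YES
ClientsList=/etc/paho-mqttsn/clients.conf

# Trust anchors used for the TLS leg, plus an optional gateway client certificate
RootCApath=/etc/ssl/certs/
RootCAfile=/etc/ssl/certs/ca-certificates.crt
CertKey=/etc/paho-mqttsn/gateway-cert.pem
PrivateKey=/etc/paho-mqttsn/gateway-key.pem

# Gateway identity and the UDP/IPv6 side facing the Thread network (wpan0)
GatewayID=1
GatewayName=PahoGateway-01
KeepAlive=900
GatewayUDP6Port=10000
GatewayUDP6Broadcast=FF02::1
GatewayUDP6If=wpan0

# clients.conf (separate file; one line per allowed MQTT-SN client)
# Format assumed: ClientId,IPAddress:PortNo,[unstableLine|secureConnection]
# "secureConnection" makes the gateway use BrokerSecurePortNo for this client.
# nrf52840-node-01,[fd00::1234:5678:9abc:def0]:47193,secureConnection
```

    Path 1 is protected by Thread's AES-128 only as far as the Border Router, so this TLS leg is what covers the remaining hop from the gateway to the broker.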

  • Hello Lukasz,

    Thank you for the fast response. I totally missed that the default version already uses AES-128 for encryption. I am totally with you that adding DTLS on top of that is unnecessary.

    Max
