nRF9160 ssl tls https websocket connections

Question

I am working on a project now that will be performing ssl based http or websocket connections to a server. 
 I have looked around a little and seen some documentation and under the impression that certificates need to first be uploaded into the nRF9160. 
 I have a few questions that I would like to ask. 
 I am considering running a SSL library on the SAM51 host MCU at this time as well, but the SAM51 (Adafruit M4 Grand Central) is not really optimized for cryptography as I know and will consume a number of CPU cycles to handle the handshaking and encryption. 
 How does the nRF9160 compare, does it have some hardware to accelerate cryptography to some degree? 
 In order to connect to an arbitrary HTTPS server the nRF9160 would need to have knowledge of the common use root certificates, is it possible to create this root CA store in the nRF9160 to handle the CA verification? Quite a few of the WiFi modules out today appear to have a root CA certificate store in them (which can be updated) for use with built in TLS support. I have yet to work with one of these WiFI modules, but may obtain one in the near future for use in a project. 
 Currently I am working with the "serial lte modem" example and would prefer if there was TLS support in this project, but it appears it is either limited or does not exist presently. 
 I guess what I am getting at here is that I am considering doing the cryptography on the SAM51 MCU and just using forwarding the already encrypted packets to the nRF9160 through the "serial lte modem" application running on it. Is there a better path to go with adding the cryptography support to the "serial lte modem" application and offloading the cryptography to the nRF9160? This would mean the nRF9160 would need to a root CA store, which might not have the flash to do so. 
 With the SAM51 I would store the root CAs on an SD card. Attaching an SD card to the nRF9160 through SPI I guess would not be impossible, but then the necessary code would have to be written to handle the implementation. 
 Since the nRF9160 is still new I am having difficulty finding a lot of information about this topic. Any thoughts or advice about this?

Didrik Rokhaug · Accepted Answer

Hi, 
 
 How does the nRF9160 compare, does it have some hardware to accelerate cryptography to some degree? 
 Yes, the nRF9160 has some hardware cryptography modules. Both in the modem and on the application core. 
 https://infocenter.nordicsemi.com/topic/ps_nrf9160/cryptocell.html 
 is it possible to create this root CA store in the nRF9160 to handle the CA verification? 
 The IP, TCP (and UDP), TLS (and DTLS) stacks are normally offloaded to the modem. In that case, the certificates must also be stored in the modem. You do that with the %CMNG AT command. 
 The certificates are written to a "sec_tag", and when you open a socket, you can instruct the modem to use the certificates stored in a given sec_tag. 
 Currently I am working with the "serial lte modem" example and would prefer if there was TLS support in this project, but it appears it is either limited or does not exist presently. 
 TLS is supported both for the HTTP commands, and the TCP commands. In both cases, you enable TLS by adding the sec_tag to the command. 
 https://developer.nordicsemi.com/nRF_Connect_SDK/doc/1.4.2/nrf/applications/serial_lte_modem/doc/TCPIP_AT_commands.html#bsd-socket-xsocket 
 https://developer.nordicsemi.com/nRF_Connect_SDK/doc/1.4.2/nrf/applications/serial_lte_modem/doc/HTTPC_AT_commands.html#http-client-connection-xhttpccon 
 If the TLS stack on the modem isn't enough, or you would like to configure the TLS stack differently, the SLM also supports having the TLS stack on the application core when using the TCP commands (it will not use the application core TLS stack when using HTTP or MQTT commands). You can use the application core TLS stack by setting CONFIG_SLM_NATIVE_TLS=y in your prj.conf. 
 https://developer.nordicsemi.com/nRF_Connect_SDK/doc/1.4.2/nrf/applications/serial_lte_modem/doc/slm_description.html#native-tls-sockets

With the SAM51 I would store the root CAs on an SD card. Attaching an SD card to the nRF9160 through SPI I guess would not be impossible, but then the necessary code would have to be written to handle the implementation. 
 Unless you want to keep the certificates away from the SAM51, it will probably be easiest to connect the SD card to the SAM51, and send the certificates over the AT command interface to the nRF9160. 
 It shouldn't be too hard to modify the SLM to read the certificates from the SD card, but it does sound like more work. 
 If you want to read the SD card from the nRF9160: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/1.4.2/zephyr/reference/storage/disk/sdhc.html 
 Best regards, 
 Didrik

nRF9160 ssl tls https websocket connections

Top Replies