
Which elliptic curves are supported by the nrf9160 modem?

Hi,

We are currently looking into using the nrf9160 for a smart-meter-gateway-like solution. It is of particular interest to us to know if we would be able to achieve compliance with the German BSI’s TR-03116.

The mandatory cipher suites for our application scenario (TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) are supported by the nrf9160 modem according to this.

However, I did not find any information on which elliptic curves the modem uses with these cipher suites. TR-03116 requires BrainpoolP256r1, BrainpoolP384r1 and NIST P-256.

Are they supported by the modem?

  • Hello Dan,

    There is a list of TLS/DTLS supported cipher suites in the modem release zip.

    The modem negotiates automatically with the peer using the necessary cipher suites. Each of the cipher suites is recognized by an official identification number which is registered at the Internet Assigned Numbers Authority (IANA). It is possible to whitelist (opt-in security feature) some cipher suites to use only the listed ones (specific to the TLS/DTLS connection). This narrowing down of the cipher suites can be done by using the nrf_setsockopt() function. The following code shows the application of the nrf_setsockopt() function for Elliptic Curve Diffie Hellman RSA with AES (256) CBC SHA.

    /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */
    nrf_sec_cipher_t cipher_list[] = { 0xC014 };

    /* Restrict this socket's TLS/DTLS handshake to the listed suite only. */
    int err = nrf_setsockopt(fd, NRF_SOL_SECURE, NRF_SO_CIPHERSUITE_LIST, cipher_list, sizeof(cipher_list));
    if (err) {
        /* Failed to set up cipher suite list. */
        return -1;
    }

    Hope it helps.

    Best Regards,

    Kazi Afroza Sultana
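
Added example, not part of the original posts and not Nordic's code: the curves a TLS client is willing to use are listed in the ClientHello's supported_groups extension, so one way to check the three TR-03116 curves is to capture the modem's ClientHello at a test server you control and parse it. The names `offered_curves`, `HAS_*` and `SAMPLE` are hypothetical, the sample bytes are constructed rather than captured from a modem, and the parser assumes a TLS 1.2 ClientHello body starting at client_version.

```c
#include <stddef.h>
#include <stdint.h>

/* Result bits; group IDs are from the IANA "TLS Supported Groups" registry. */
enum { HAS_P256 = 1, HAS_BP256 = 2, HAS_BP384 = 4 };
static unsigned rd16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }

/* Walk a ClientHello body (starting at client_version) and return a bitmask of
 * the TR-03116 curves it offers, or -1 if malformed or no supported_groups. */
int offered_curves(const uint8_t *b, size_t n)
{
    size_t o = 2 + 32;                          /* client_version + random */
    if (o + 1 > n) return -1;
    o += 1 + b[o];                              /* session_id */
    if (o + 2 > n) return -1;
    o += 2 + rd16(b + o);                       /* cipher_suites */
    if (o + 1 > n) return -1;
    o += 1 + b[o];                              /* compression_methods */
    if (o + 2 > n) return -1;
    size_t end = o + 2 + rd16(b + o);           /* end of extensions block */
    o += 2;
    if (end > n) return -1;
    while (o + 4 <= end) {
        unsigned type = rd16(b + o), len = rd16(b + o + 2);
        o += 4;
        if (o + len > end) return -1;
        if (type == 10) {                       /* supported_groups */
            if (len < 2 || 2 + rd16(b + o) != len) return -1;
            int mask = 0;
            for (size_t i = 2; i + 1 < len; i += 2) {
                unsigned g = rd16(b + o + i);
                if (g == 23) mask |= HAS_P256;  /* secp256r1 (NIST P-256) */
                if (g == 26) mask |= HAS_BP256; /* brainpoolP256r1 */
                if (g == 27) mask |= HAS_BP384; /* brainpoolP384r1 */
            }
            return mask;
        }
        o += len;                               /* skip other extensions */
    }
    return -1;
}

/* Constructed sample (not a modem capture): suites C023/C02B, groups 23 and 26. */
const uint8_t SAMPLE[] = {
    0x03, 0x03, [34] = 0x00,                        /* TLS 1.2, zero random, no session_id */
    0x00, 0x04, 0xC0, 0x23, 0xC0, 0x2B, 0x01, 0x00, /* cipher_suites, null compression */
    0x00, 0x0A, 0x00, 0x0A, 0x00, 0x06,             /* extensions len; type 10, len 6 */
    0x00, 0x04, 0x00, 0x17, 0x00, 0x1A,             /* group list: 23, 26 */
};
```

For the constructed sample the result has the P-256 and brainpoolP256r1 bits set and the brainpoolP384r1 bit clear; a real capture from the modem is what answers the question.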
