From SSL over TLS to pbTLS: maximum security requiring minimum space
Nowadays everyone is familiar with the small lock icon in the browser that indicates higher security through ‘https’. Users take this visual aid and its symbolic meaning for granted entrusting their providers with the task of protecting their confidential data. Over the years, the original SSL encryption evolved into TLS, which has become one of the most frequently used security standards ever.
However, while TLS is quite common on user-orientated platforms, such as personal computers with fully fledged operating systems and plenty of resources, much smaller devices with limited memory and computational power like IoT are still teetering on the brink of a major crisis for want of consistent security.
Therefore, we have developed pbTLS that now bridges the divide between ‘big numbers’ and the limited resources of embedded microcontrollers or in layman’s terms ‘small chips’. With pbTLS in place, IoT and similar systems can now fulfil all essential security goals: consistent end-to-end encryption with strong certificate-based authentication and verifiable integrity. pbTLS is based on reliable, well-tested and efficient cryptographic building blocks, which ensure the highest level of security while seriously competing with a PC in terms of speed.
Example: Secure Artificially Intelligent Lighting (SAIL)
Conventional LED lighting systems are now gradually being extended in order to support automation and remote control based on specific environmental conditions. Present concepts can reach incredible levels of sophistication by integrating thermal sensors or cameras into lighting compartments to measure the presence of customers or viewers in their vicinity. This input is then used to decide whether to power the LED up or down to increase the illumination of the target area or object or to bring it back to a power-saving minimum.
If such systems are to become remote-controlled in the sense of IoT, then it is imperative that they provide secure communication end points. The usual approach is to use gateways to connect these devices to a certain network such as the local Wi-Fi. Whatever level of security that local network provides is however not sufficient to make the device directly accessible from the Internet. That is why PointBlank has now shifted its focus to the end-point devices themselves: by integrating TLS in the device there is no need for additional hardware (e.g. gateways) or software for that matter.
To reduce the footprint as much as possible only one specific cipher suite is embedded into pbTLS at a time.
- Asymmetric crypto based on RSA
- Symmetric crypto based on AES in CBC mode
- SHA256 hash algorithm
- Client/Server send & receive data:
- Low level source of entropy
(for random numbers, TRNG)
- Client, server, root (CA) certificates
- Socket API (physical/network layer send & receive functions)
Benchmarks - Platform S:
MCU: ARM Cortex M4 @168 MHz
Ethernet (Hardwired TCP/IP)
- TLS socket connections
- https in TLS 1.2 client & server mode
Connection time (device to device):
- 2.6 ms for TCP socket initialization
- 1.4 ms for client hello
- 1.4 ms for server hello
- 161.6 ms for TLS negotiation
- 195 ms for RSA key exchange
- 346 ms for RSA decryption
- 60 ms for content delivery
- 768 ms for the complete transaction
Average memory usage
- - 50 kByte pbTLS library
- - 50 kByte demo application
- RAM: 500 Byte to 5 kByte dynamically (max ~16 kByte)