nRF5 SDK v14.2.0
DTLS
This information applies to the following SoftDevice: S132

The Datagram Transport Layer Security (DTLS) protocol defines transport layer security for datagram protocols, providing communications privacy for them. DTLS is based on the Transport Layer Security (TLS) protocol and provides equivalent security guarantees. TLS assumes a reliable transport and breaks when re-hosted on an unreliable one; DTLS fixes this with changes that allow packets to be reordered and with retransmission timers that handle packet loss.

CoAP defines DTLS bindings for secure communication. Just as HTTP is secured using Transport Layer Security (TLS) over TCP, CoAP is secured using Datagram TLS (DTLS) [RFC6347] over UDP (see Figure 1).

                         +----------------------+
                         |      Application     |
                         +----------------------+
                         +----------------------+
                         |         CoAP         |
                         +----------------------+
                         +----------------------+
                         |         DTLS         |
                         +----------------------+
                         +----------------------+
                         |          UDP         |
                         +----------------------+

                        Figure 1: DTLS-Secured CoAP

The nRF SDK uses mbedtls for DTLS. The configured cipher suites are limited to TLS_PSK_WITH_AES_128_CCM_8. The CoAP cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 is not supported, because mbedtls does not yet support raw public keys. For more details on configuring and using mbedtls in the SDK, refer to Transport Layer Security on nRF5.

The nRF SDK includes examples enabling DTLS for both the CoAP Server and Client examples. It is possible to run the two concurrently, or to have multiple sessions with different remote peers in the same role. The number of concurrent sessions supported is determined by NRF_TLS_MAX_INSTANCE_COUNT; in all DTLS examples this value is set to 2.

Note
The limiting factor for the number of concurrent sessions is RAM. For each DTLS session, ~5 kb is needed for a fragment length of 1024.
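The fields DTLS adds on top of TLS to cope with reordering, loss and fragmentation, shown as an added example that is not code from the SDK or from mbedtls: a bounds-checked parser for the DTLS 1.2 record and handshake headers, run over a constructed datagram. The type, function and sample names are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
/* DTLS 1.2 record header (RFC 6347, 13 bytes). The epoch and 48-bit sequence
 * number let the receiver order, de-duplicate and replay-check datagrams. */
typedef struct {
    uint8_t  content_type;    /* 22 = handshake, 23 = application data */
    uint16_t version;         /* 0xFEFD = DTLS 1.2 */
    uint16_t epoch;
    uint64_t sequence_number; /* 48 bits on the wire */
    uint16_t length;          /* payload bytes following the header */
} dtls_record_hdr_t;
/* DTLS handshake header (12 bytes). message_seq, fragment_offset and
 * fragment_length let one handshake message be split into fragments no larger
 * than the negotiated fragment length (1024 in the SDK examples). */
typedef struct {
    uint8_t  msg_type;
    uint32_t length;          /* full message length, 24 bits */
    uint16_t message_seq;
    uint32_t fragment_offset; /* 24 bits */
    uint32_t fragment_length; /* 24 bits */
} dtls_hs_hdr_t;
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd24(const uint8_t *p) { return (uint32_t)p[0] << 16 | (uint32_t)p[1] << 8 | p[2]; }
/* 0 on success, -1 if the datagram is shorter than the header or the declared length overruns it. */
int dtls_parse_record(const uint8_t *buf, size_t len, dtls_record_hdr_t *r) {
    if (len < 13) return -1;
    r->content_type    = buf[0];
    r->version         = rd16(buf + 1);
    r->epoch           = rd16(buf + 3);
    r->sequence_number = (uint64_t)rd16(buf + 5) << 32 | (uint64_t)rd16(buf + 7) << 16 | rd16(buf + 9);
    r->length          = rd16(buf + 11);
    return (size_t)r->length <= len - 13 ? 0 : -1;
}
/* Same bounds discipline for a fragment: it must fit the record payload and lie inside its message. */
int dtls_parse_handshake(const uint8_t *p, size_t len, dtls_hs_hdr_t *h) {
    if (len < 12) return -1;
    h->msg_type        = p[0];
    h->length          = rd24(p + 1);
    h->message_seq     = rd16(p + 4);
    h->fragment_offset = rd24(p + 6);
    h->fragment_length = rd24(p + 9);
    if (h->fragment_length > len - 12 || h->fragment_offset > h->length) return -1;
    return h->fragment_length <= h->length - h->fragment_offset ? 0 : -1;
}

/* Constructed sample (not a capture): epoch 0, seq 5, fragment at offset 1024 of a 2048-byte ClientHello. */
const uint8_t DTLS_SAMPLE[] = {
    0x16, 0xFE, 0xFD, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x10,          /* record header */
    0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x04, 0xAA, 0xBB, 0xCC, 0xDD };
```

A receiver that accepts the fragment without these checks would read past the datagram on a truncated or malformed packet; rejecting it before reassembly is what keeps a per-session buffer budget like the ~5 kb above honest.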


[Figure: CoAP_Overall.svg]
Figure 1: Setup of CoAP examples.


The CoAP Server and Client example applications are detailed below:

Server

Client

