Key Missing Feature for IoT

Simon Bernard contact at simonbernard.eu
Thu Mar 14 16:03:38 UTC 2024 

Hi all,

I'm the main Maintainer of *Leshan* 
<https://github.com/eclipse-leshan/leshan>. An open Source Java 
Implementation of *LWM2M 
<https://github.com/eclipse-leshan/leshan/wiki/Lightweight-M2M-Specification>* 
protocol.

*LWM2M* is mainly based on *coap* and *coap+tcp* protocol.
Security is available by usage of *coaps* and *coaps+tcp* which are 
based respectively on *DTLS* and *TLS* (mainly v1.2 for now)

Currently we only have support of *coap* and *coaps*. We are using 
*Scandium 
<https://github.com/eclipse-californium/californium/tree/main/scandium-core>* 
as *DTLS* implementation, this is an historical choice because *DTLS* 
was not available *OpenJDK* initially.

Recently, I begin to work about adding *coap+tcp* and *coaps+tcp* to 
Leshan and so I looked again on available security feature in OpenJDK to 
see if I should rely on it but  I understand there still missing key 
features for IoT.

My understanding, DTLS 1.2 was added but there is still no support of :

  * *Pre-Shared Key* for (D)TLS 1.2 :  PSK is one of the most basic
    techniques for TLS/DTLS since it is both computationally efficient
    and bandwidth conserving. (RFC7925§Section4.2
    <https://www.rfc-editor.org/rfc/rfc7925#section-4.2> - TLS / DTLS
    -Profiles for the Internet of Things)
  * *Connection Identifier* for DTLS 1.2 (RFC 9146
    <https://www.rfc-editor.org/rfc/rfc9146.html>) : CID is key feature
    to limit handshake in dynamic IP environment. (and also be used for
    load balancing)
  * Cipher suite based on *AES_128_CCM_8
    *(TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, TLS_PSK_WITH_AES_128_CCM_8)
    which are the recommended or mandatory ciphersuite for CoAP or to
    create implementation compliant with RFC7925
    <https://www.rfc-editor.org/rfc/rfc7925>.

If I missed something and one of those feature is already available let 
me know.

The point I want to raise here it that it's pretty hard for Java IoT 
developer to support commons Security IoT Feature.

Community can eventually rely on Scandium but it is currently maintain 
by only 1 person and doesn't follow JSSE API and only target DTLS.
Other alternative is maybe Bouncy Castle but Pre-shared key seems not 
available in their JSSE provider.
There is also possibility to bind native library but this is not so easy 
and also have drawback.
All that solution sounds not so good...

So do you think it could make sense to add this kind of feature in OpenJDK ?
Or Maybe there is already plan to add it ?

(I hope this is the right place for this kind of question)

Thx,

Simon
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20240314/ad53b18c/attachment.htm>

More information about the security-dev mailing list