
We're evaluating the practicability of replacing our conventional HTTPS/RESTful over cellular network (4G-LTE) with CoAP/DTLS over NB-IoT, to prolong the battery life of remote devices. The IoT application we've deployed only takes a tiny proportion of the 4G-LTE data bandwidth and UDP over NB-IoT is good enough, so transmission performance is not our main concern.

But the problem is, we're now using mutual authentication at the SSL/TLS layer and we assign different client certificates to different sub-groups. And I'm not sure how to do that in CoAP/DTLS.

I've learned that the default credential model of CoAP/DTLS is Pre-Shared Key (PSK) and I also learned from RFC4279 that I may use the PSK identity / shared-key pair as an easy alternative to a username, which could just fit my needs. But when I'm trying to figure out how to implement this, I found that internet resources are very limited. So far I've surveyed node-coap.js and libcoap but I can't find any hints in the documentation. Both seem to support only one credential at a time.

What is the best practice to deploy a CoAP-DTLS server that can support multiple PSK identity/shared-key sets? Or do I need to implement the whole authentication mechanism in the application layer?

RichardLiu

1 Answer


One option for server/cloud side CoAP is Eclipse Californium. I am involved in that project and may thus be biased. That said, we have actually built Californium for exactly this purpose.

Kai Hudalla
  • Thanks. Following your hint, I just checked the Scandium source code on GitHub. It seems it now implements the PSK repository either as static (single fixed key) or as a java.util.Map. So I need to re-configure the PSK storage every time the server application initializes. Am I correct? – RichardLiu Nov 21 '19 at 03:23
  • StaticPskStore and InMemoryPskStore are example implementations of PskStore. Feel free to implement it according to your requirements. Using InMemoryPskStore to start with will, as you already found out, require such an initialization. – Achim Kraus Nov 21 '19 at 21:39
  • @AchimKraus Thanks. I guess it makes sense to extend InMemoryPskStore to integrate with MapDB. – RichardLiu Nov 22 '19 at 03:40
  • Though Californium is intended to be a "library" to build an application, that extension of "PskStore" (or InMemoryPskStore) is in my opinion left to that application. – Achim Kraus Nov 22 '19 at 20:45
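As an added illustration (not code from the answer, the comments or the Californium project), here is what "implement PskStore according to your requirements" can look like in practice: a server-side store that maps each PSK identity to its own key and sub-group, wired into a DTLS CoAP endpoint whose resource authorizes per sub-group, so the PSK identity plays the role the client certificate played under TLS. It is written against the Scandium 2.x `PskStore` interface the comments refer to (late-2019, Californium 2.0.x); Californium 3.x replaced that interface with `AdvancedPskStore`, so treat the method signatures as an assumption to check against the version actually in use. The identities, keys, group names, port 5684 and the `config` resource are constructed for the example; in a deployment the store would be filled from the device database (MapDB or otherwise) at start-up and kept in sync on enrolment and revocation.

```java
import java.net.InetSocketAddress;
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

import org.eclipse.californium.core.CoapResource;
import org.eclipse.californium.core.CoapServer;
import org.eclipse.californium.core.coap.CoAP.ResponseCode;
import org.eclipse.californium.core.network.CoapEndpoint;
import org.eclipse.californium.core.server.resources.CoapExchange;
import org.eclipse.californium.elements.auth.PreSharedKeyIdentity;
import org.eclipse.californium.scandium.DTLSConnector;
import org.eclipse.californium.scandium.config.DtlsConnectorConfig;
import org.eclipse.californium.scandium.dtls.PskPublicInformation;
import org.eclipse.californium.scandium.dtls.pskstore.PskStore;
import org.eclipse.californium.scandium.util.ServerNames;

/** Example CoAP/DTLS server with one PSK per device identity (assumes the Scandium 2.x PskStore API). */
public final class GroupedPskServer {

    /** One device credential: the shared secret plus the sub-group the device belongs to. */
    static final class Credential {
        final byte[] secret;
        final String group;
        Credential(byte[] secret, String group) { this.secret = secret.clone(); this.group = group; }
    }

    /** Server-side PskStore: identity -> (key, group). Replaces the single-key StaticPskStore. */
    static final class GroupPskStore implements PskStore {
        private final Map<String, Credential> credentials = new ConcurrentHashMap<>();

        /** Enrol or rotate. The identity travels in clear in the handshake, so keep it opaque (no secrets in it). */
        void put(String identity, byte[] secret, String group) {
            credentials.put(identity, new Credential(secret, group));
        }

        /** Revoke: once removed, the next handshake from this identity is rejected. */
        void revoke(String identity) { credentials.remove(identity); }

        /** Authorization hook for resources; only meaningful after DTLS proved possession of the key. */
        String groupOf(String identity) {
            Credential c = credentials.get(identity);
            return c == null ? null : c.group;
        }

        @Override
        public SecretKey getKey(PskPublicInformation identity) {
            Credential c = credentials.get(identity.getPublicInfoAsString());
            // null = unknown identity; Scandium aborts the handshake instead of guessing a key
            return c == null ? null : new SecretKeySpec(c.secret, "PSK");
        }

        @Override
        public SecretKey getKey(ServerNames serverNames, PskPublicInformation identity) {
            return getKey(identity); // no per-virtual-host keys in this example
        }

        // Client-side lookups: this store is only ever used on the server, so it has no own identity.
        @Override
        public PskPublicInformation getIdentity(InetSocketAddress peer) { return null; }

        @Override
        public PskPublicInformation getIdentity(InetSocketAddress peer, ServerNames virtualHost) { return null; }
    }

    /** Tiny hex decoder so the constructed sample keys are readable. */
    static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        final GroupPskStore store = new GroupPskStore();
        // Constructed sample credentials (one key per device, never shared across devices).
        store.put("sensor-0001", hex("0123456789abcdef0123456789abcdef"), "sensors");
        store.put("gateway-01",  hex("fedcba9876543210fedcba9876543210"), "gateways");

        DtlsConnectorConfig config = new DtlsConnectorConfig.Builder()
                .setAddress(new InetSocketAddress(5684)) // CoAPS default port
                .setPskStore(store)
                .build();
        CoapEndpoint endpoint = new CoapEndpoint.Builder()
                .setConnector(new DTLSConnector(config))
                .build();

        CoapServer server = new CoapServer();
        server.addEndpoint(endpoint);
        server.add(new CoapResource("config") {
            @Override
            public void handleGET(CoapExchange exchange) {
                // The authenticated PSK identity is attached to the request as its peer principal.
                Principal peer = exchange.advanced().getRequest().getSourceContext().getPeerIdentity();
                String group = (peer instanceof PreSharedKeyIdentity)
                        ? store.groupOf(((PreSharedKeyIdentity) peer).getIdentity()) : null;
                if (!"gateways".equals(group)) {
                    exchange.respond(ResponseCode.FORBIDDEN); // sensors may not read gateway config
                    return;
                }
                exchange.respond("gateway config");
            }
        });
        server.start();
    }
}
```

Two points worth keeping in mind when adapting this: returning `null` for an unknown identity is what makes revocation effective, because the handshake never completes and no application code runs for that peer; and the group check belongs in the resource, not in the store, since the store is only asked for a key before possession of it has been proven.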