
Encryption (DTLS & TLS)

DTLS Encryption

DTLS (Datagram Transport Layer Security) encryption is supported in all service regions, on both public and private Service Access Points (SAPs), to provide bearer security and encryption for any of the supported application protocols and data frameworks.

The DTLS encryption service requires a pre-shared key (PSK) to be configured on each device object that will use DTLS.

A connecting device must supply the device object's UDID as the PSK identity (a string) together with the pre-configured PSK secret when establishing a DTLS session.

When using a Shared SAP, device authentication is limited to the device UDID: the device must supply its UDID as its PSK identity and the PSK secret as configured in the device object.

When using a Private SAP, customer devices for which the Private SAP is set up may use the device UDID, device_id, IMSI, or a custom PSK identity value configured in the device object. The PSK secret must match the PSK secret field of the device object.

TLS Encryption

TLS encryption is also supported in all service regions, on both public and private Service Access Points, to provide bearer security and encryption for any of the supported application protocols and data frameworks.

TLS Encryption – Device Identity not supplied in the X509 Certificate

TLS encryption can also be used for bearer encryption only, i.e. the device identity is not specified in the X509 certificate. In that case the device identity must be supplied by the application protocol or data framework (for example CoAP, SimplyTiny, etc.).

TLS Encryption – Device Identity available in the X509 certificate

The device identity is carried in the client certificate (device certificate) that is exchanged during the TLS handshake.

The client certificate must contain the device identity in one of the following certificate fields:

  • certificate serialNumber (the value is matched against the serial number configured in the device object)
  • certificate subject.UID (the value is matched against the device UDID, the device IMSI or the customer-specified Device_ID)
  • certificate CN (the identity is the first label of the common name, e.g. id8adf9asd0f9 in id8adf9asd0f9.util.iostreamt.com)
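The following is an added example, not part of the IoTGtw documentation or the gateway's own code, showing how a TLS server could extract the device identity from a parsed client certificate using the three fields listed above and match it against a device object. It uses only the Go standard library; the DeviceObject struct and its field names, the comparison of the serialNumber as a decimal string, treating the list as a precedence order, and matching the CN label against the same UDID/IMSI/Device_ID set as subject.UID are all assumptions made for the example. The certificates are generated in-process as constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// DeviceObject holds the identity-bearing fields of a gateway device object.
// The type and field names are assumptions made for this example.
type DeviceObject struct {
	SerialNumber string // compared with the certificate serialNumber as a decimal string (assumption)
	UDID         string
	IMSI         string
	DeviceID     string // the customer-specified Device_ID
}

// oidUID is the X.500 userId attribute (0.9.2342.19200300.100.1.1), i.e. subject.UID.
var oidUID = asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 1}

// subjectUID returns the subject.UID attribute of a parsed certificate, or "" if absent.
func subjectUID(cert *x509.Certificate) string {
	for _, atv := range cert.Subject.Names {
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidUID) {
			return s
		}
	}
	return ""
}

// cnIdentity returns the first label of the common name:
// "id8adf9asd0f9.util.iostreamt.com" -> "id8adf9asd0f9".
func cnIdentity(cn string) string {
	label, _, _ := strings.Cut(cn, ".")
	return label
}

// ResolveIdentity checks serialNumber, then subject.UID, then the CN label, and
// reports which field produced the match. A device whose certificate matches
// none of them has no identity and its session should be rejected.
func ResolveIdentity(cert *x509.Certificate, dev DeviceObject) (field, identity string, ok bool) {
	if sn := cert.SerialNumber.String(); dev.SerialNumber != "" && sn == dev.SerialNumber {
		return "serialNumber", sn, true
	}
	matches := func(v string) bool {
		for _, c := range []string{dev.UDID, dev.IMSI, dev.DeviceID} {
			if c != "" && v == c {
				return true
			}
		}
		return false
	}
	if uid := subjectUID(cert); uid != "" && matches(uid) {
		return "subject.UID", uid, true
	}
	if id := cnIdentity(cert.Subject.CommonName); id != "" && matches(id) {
		return "CN", id, true
	}
	return "", "", false
}

// makeTestCert builds a self-signed client certificate with the given serial, CN and
// optional subject.UID. Constructed test data only; a real device presents a CA-issued cert.
func makeTestCert(serial *big.Int, cn, uid string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subject := pkix.Name{CommonName: cn}
	if uid != "" {
		subject.ExtraNames = []pkix.AttributeTypeAndValue{{Type: oidUID, Value: uid}}
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed device object; all values are made up for the example.
	dev := DeviceObject{SerialNumber: "123456789", UDID: "id8adf9asd0f9", IMSI: "001010123456789", DeviceID: "dev-42"}
	cases := []struct {
		serial  int64
		cn, uid string
	}{
		{123456789, "bearer-only", ""},              // matched via serialNumber
		{7, "gateway-client", "001010123456789"},    // matched via subject.UID (IMSI)
		{8, "id8adf9asd0f9.util.iostreamt.com", ""}, // matched via CN first label (UDID)
		{9, "unknown.example", "nope"},              // no identity: reject the session
	}
	for _, c := range cases {
		cert, err := makeTestCert(big.NewInt(c.serial), c.cn, c.uid)
		if err != nil {
			panic(err)
		}
		field, id, ok := ResolveIdentity(cert, dev)
		fmt.Printf("CN=%q uid=%q -> ok=%v field=%s identity=%s\n", c.cn, c.uid, ok, field, id)
	}
}
```

Note that this lookup is only meaningful after the TLS stack has verified the client certificate chain against the trusted CA; an identity read from an unverified certificate is just a claim.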

We are keen to support you with your project and to advise on the best setup. For more information, get in touch with us using the web form or by email (iotgtw_support@trillionthings.io), or raise a support ticket from the portal.
