Securing your IoT Product: SSL/TLS, DTLS, SASL, and DDS Explained

The downfall of IoT would likely happen because of network security issues.

When you have a humidity sensor connected to your garden it might not be so serious. But what if entire connected office buildings and smart cities get hacked?

We already discussed a few things about IoT product development in this blog. But let us not forget about the grey rhino standing in front of us, that is securing your IoT products.

No matter the kind of network you utilize in your product, you will need to make data transmission secure from unwanted guests.


Connections between different devices are made up of different layers, as shown in the OSI model below. The model defines the 7 layers that contribute to the transmission of data in a network system.

[Figure: the 7 layers of the OSI model]

One of the layers shown above is the transport layer. In this layer, the transmission of data is monitored and secured. Different security protocols are implemented within the different data transfer protocols: MQTT, AMQP, CoAP, XMPP, and DDS. You should read our earlier blog on those data transfer protocols before diving into the security protocols below, since which one your product uses depends on the data transfer protocol you choose.

SSL/TLS

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are two of the most common security protocols used for network communications. Both rely on encryption, which by definition is the method of scrambling data so that it is meaningless to anyone who intercepts it (for example by collecting it over the air) or tampers with it. SSL and TLS work in a similar fashion, with TLS being the updated version of SSL.

SSL 1.0 was first developed in 1995 and its development came to a halt in 1998. TLS comes from a similar development background, and many companies use it alongside or in place of SSL 3.0. SSL 3.0 has known security flaws, so we suggest you use TLS instead.

[Figure: Encryption process. Image source: DigiCert.com]

To establish a connection with another device, the server with SSL/TLS security first sends a cryptographic key to the identified partner. The keys involved can be classified into 3 types: a session key, a public key, and a private key. When the connection between devices is first established, the private and public keys help initiate the session key. This session key lasts throughout the session and is discarded when the connection is terminated.

SSL/TLS uses 2 types of encryption, symmetric and asymmetric. When you apply symmetric encryption, the system uses only a pair of public keys for encrypting and decrypting. On the other hand, when you apply asymmetric encryption, the system uses the public and private key set throughout the encryption process.

The public key, which is visible to all users, is used to encrypt (randomize) the data to be sent across. The corresponding private key, which is known only to the recipient, is used to decrypt the sent data. With these public-private key pairs, both the encryption of the data and the identification of the parties are maintained throughout the transmission process.
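
To make the three key roles concrete, here is an added example written for this post (it is not code from the original article or from any TLS library): a sensor and a server each generate a key pair, exchange only their public keys, derive the same symmetric session key from them, use that key to protect the session's messages, and drop it when the session ends. In symmetric encryption one shared key both encrypts and decrypts; in asymmetric encryption the public and private halves of a pair play different roles. The code uses only the Python standard library, so the Diffie-Hellman group is a toy-sized prime and the symmetric cipher is built from HMAC-SHA256; both are assumptions made for the example, and a real product should use TLS from a maintained library instead of hand-rolled cryptography.

```python
"""Added example: an asymmetric key pair bootstraps a symmetric session key.

Illustrative code for this post, not TLS itself.  Standard library only, so the
Diffie-Hellman group below is toy-sized and the cipher is HMAC-based.
"""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (assumption: a 127-bit Mersenne prime, far too
# small for real use, chosen so the example runs instantly).
P = 2 ** 127 - 1
G = 5


def make_keypair():
    """Private key stays on the device; the public key may be sent in the clear."""
    private = secrets.randbelow(P - 2) + 2
    public = pow(G, private, P)
    return private, public


def derive_session_key(my_private, peer_public):
    """Both sides compute the same shared secret and hash it into a session key."""
    shared = pow(peer_public, my_private, P)
    return hmac.new(b"session-key", shared.to_bytes(16, "big"), hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """Counter-mode keystream from a PRF: HMAC-SHA256(key, nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(session_key, plaintext):
    """Encrypt-then-MAC with the symmetric session key: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(session_key, nonce, len(plaintext))))
    tag = hmac.new(session_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(session_key, blob):
    """Check the tag first; a modified message is rejected, never decrypted to garbage."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(session_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message authentication failed")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(session_key, nonce, len(ciphertext))))


def tamper_detected(session_key, blob):
    """Flip one ciphertext bit and report whether the receiver refuses the message."""
    forged = blob[:16] + bytes([blob[16] ^ 0x01]) + blob[17:]
    try:
        decrypt(session_key, forged)
    except ValueError:
        return True
    return False


def run_session(message):
    """One session between a sensor and a server; returns (recovered plaintext, wire bytes)."""
    sensor_priv, sensor_pub = make_keypair()
    server_priv, server_pub = make_keypair()
    # Only sensor_pub and server_pub cross the network; the private keys never do.
    sensor_key = derive_session_key(sensor_priv, server_pub)
    server_key = derive_session_key(server_priv, sensor_pub)
    assert sensor_key == server_key        # both ends now hold the same session key
    wire = encrypt(sensor_key, message)
    recovered = decrypt(server_key, wire)
    # The session key is discarded here; the next connection performs a new exchange.
    return recovered, wire


if __name__ == "__main__":
    plain, wire = run_session(b"humidity=41%")
    print(plain, len(wire), "bytes on the wire")
```

The private keys never cross the link, `decrypt` verifies the authentication tag before touching the ciphertext, and every message gets a fresh nonce, so the same reading encrypted twice produces different bytes on the wire.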

 

An example of a data layer protocol that implements SSL/TLS security is MQTT. The MQTT data transmission technique itself has several advantages over other means of transmission, including:

  • Bidirectional data transfer over a single port. This provides the system with added security: even with a firewall set up between the clients and the broker, the communication between the devices can still take place through a single open port.
  • Client identifier and username/password credentials to authenticate the device at the application level.
  • Only specific brokers are permitted to authorize client credentials, which reduces the chances of interference.
  • Enforces a QoS (Quality of Service) standard.
  • Checks message delivery statuses.
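
The username/password credentials in the second point only help if they travel inside TLS and the device has actually verified that it is talking to the right broker. The following is an added example for this post, not the code of any MQTT library: it builds a client-side TLS context that refuses SSL 3.0 and the older TLS versions, requires the broker's certificate to chain to a trusted CA and to match the hostname, and contrasts it with the weak configuration that skips certificate checks. The broker hostname is a placeholder; port 8883 is the conventional MQTT-over-TLS port.

```python
"""Added example: a hardened TLS client context for a device talking to an MQTT
broker over TLS.  Written for this post; it is not any MQTT library's code."""
import socket
import ssl

BROKER_HOST = "broker.example.invalid"   # assumption: placeholder broker name
MQTT_TLS_PORT = 8883                     # conventional port for MQTT over TLS


def build_client_context(ca_file=None):
    """Context that speaks TLS 1.2 or newer only and insists on a trusted broker cert.

    ca_file: path to the CA bundle that signed the broker certificate; None uses
    the operating system's trust store."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSL 3.0, TLS 1.0 and 1.1 refused
    ctx.check_hostname = True                       # certificate must match BROKER_HOST
    ctx.verify_mode = ssl.CERT_REQUIRED             # unverifiable cert aborts the handshake
    return ctx


def insecure_context():
    """The weak setting often copied from quick-start snippets: any certificate accepted.

    Included only so the checklist below has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx):
    """Review checklist: True only if every protection is switched on."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname))


def open_broker_socket(ctx, host=BROKER_HOST, port=MQTT_TLS_PORT, timeout=10):
    """TCP connect, then TLS handshake.  The MQTT CONNECT packet carrying the
    username/password credentials must only be sent over the wrapped socket."""
    if not context_is_hardened(ctx):
        raise ValueError("refusing to connect with a weakened TLS context")
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("hardened context passes checklist:", context_is_hardened(build_client_context()))
    print("quick-start context passes checklist:", context_is_hardened(insecure_context()))
```

Run the checklist against whatever context the device's MQTT client actually uses; a context that fails it sends the application-level credentials to whoever answers on port 8883.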

 

 

DTLS

Datagram TLS (DTLS) is an improved version of TLS for datagram traffic. On top of the data encryption that TLS provides, DTLS also manages retransmission of handshake packets when they are lost and assigns sequence numbers to the messages within the handshake process.

 

This security protocol was created by CoAP. CoAP itself has 4 security modes, which include:

  • NoSec: DTLS is disabled.
  • PreSharedKey: DTLS is enabled with a pre-shared key.
  • RawPublicKey: DTLS is enabled. The device has an asymmetric key pair (one public and one private key) without a certificate; the key is validated using an out-of-band (OOB) mechanism.
  • Certificate: DTLS is enabled. The device has an asymmetric key pair with an X.509 certificate signed by a common, trusted root CA.
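
Because DTLS runs over a datagram transport, a lost handshake packet would otherwise stall the connection forever. The following simulation, added for this post and not taken from any DTLS implementation, shows the two mechanisms described above: a flight that gets no answer is retransmitted with a timer that doubles on each attempt (DTLS starts at 1 second and caps the timer at 60 seconds), and each flight carries a message_seq number so that a retransmitted copy is recognised and ignored by the receiver. The lossy link, the endpoints and the four-flight handshake plan are constructed for the demonstration.

```python
"""Added example (not from the post): a simulation of the two things DTLS adds to
the TLS handshake for lossy links, retransmission with exponential back-off and a
message_seq number that lets the receiver ignore duplicate copies."""

INITIAL_TIMEOUT = 1.0   # DTLS starts its retransmit timer at 1 s ...
MAX_TIMEOUT = 60.0      # ... doubles it on every timeout, capped at 60 s


class LossyLink:
    """Constructed datagram link: drops the transmissions whose ordinal is in `drops`."""

    def __init__(self, drops):
        self.drops = set(drops)
        self.count = 0
        self.queue = []

    def send(self, msg):
        self.count += 1
        if self.count not in self.drops:
            self.queue.append(dict(msg))

    def recv(self):
        return self.queue.pop(0) if self.queue else None


class Endpoint:
    """One side of the handshake: tracks message_seq, the timer and accepted flights."""

    def __init__(self, name):
        self.name = name
        self.next_seq = 0
        self.timeout = INITIAL_TIMEOUT
        self.retransmits = 0
        self.seen = set()
        self.accepted = []

    def make_flight(self, body):
        msg = {"from": self.name, "seq": self.next_seq, "body": body}
        self.next_seq += 1
        return msg

    def accept(self, msg):
        """Process a flight once; a retransmitted copy is recognised by (peer, message_seq)."""
        key = (msg["from"], msg["seq"])
        if key in self.seen:
            return False
        self.seen.add(key)
        self.accepted.append(msg["body"])
        return True


def send_until_received(sender, flight, link, receiver, max_attempts=7):
    """Retransmit a flight until the receiver processes it, doubling the timer each time.

    In real DTLS the trigger is the absence of the peer's reply flight; here an empty
    receive queue stands in for that timeout."""
    for attempt in range(max_attempts):
        link.send(flight)
        msg = link.recv()
        if msg is not None:
            receiver.accept(msg)
            return attempt
        sender.retransmits += 1
        sender.timeout = min(sender.timeout * 2, MAX_TIMEOUT)
    raise TimeoutError(f"{sender.name}: flight {flight['seq']} never delivered")


def run_handshake(drops=()):
    """Four-flight DTLS-style handshake over a link that loses the listed transmissions."""
    link = LossyLink(drops)
    client, server = Endpoint("client"), Endpoint("server")
    plan = [
        (client, server, "ClientHello"),
        (server, client, "ServerHello+Certificate+ServerHelloDone"),
        (client, server, "ClientKeyExchange+Finished"),
        (server, client, "Finished"),
    ]
    for sender, receiver, body in plan:
        send_until_received(sender, sender.make_flight(body), link, receiver)
    return client, server


if __name__ == "__main__":
    c, s = run_handshake(drops={1, 2})   # first two ClientHello transmissions are lost
    print(f"client retransmits={c.retransmits}, timer now {c.timeout}s")
    print("server accepted:", s.accepted)
```

With the first two transmissions dropped the client resends twice and its timer grows from 1 s to 4 s, while the server still sees each flight exactly once; feeding it a second copy of ClientHello with the same message_seq returns False.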

 

 

SASL

SASL stands for Simple Authentication and Security Layer. SASL has several mechanisms, and the 2 most commonly used are ANONYMOUS and PLAIN.

 

When the ANONYMOUS mechanism is used, the connection is established between a client and the queue manager without any credentials being passed. This allows unauthenticated guest access.

When the PLAIN mechanism is used, on the other hand, the queue manager requests a username and password from the client for the authentication process.

 

The AMQP and XMPP protocols implement the SASL security system along with SSL/TLS encryption for additional security.
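
As an added example for this post (not the code of any AMQP or XMPP implementation), here is the queue-manager side of the two mechanisms just described. ANONYMOUS grants a guest identity with no credentials; PLAIN carries the username and password in the wire format RFC 4616 defines (authorization identity, authentication identity and password separated by NUL bytes, base64 encoded), which is why PLAIN is only offered once TLS is active. The credential store, user name, password and permission sets are constructed for the example; passwords are stored as PBKDF2 hashes and compared in constant time.

```python
"""Added example: SASL ANONYMOUS and PLAIN on the server side.  Written for this
post; not the code of any AMQP/XMPP library."""
import base64
import hashlib
import hmac

# Constructed credential store: PBKDF2 hashes, never plaintext passwords.
_SALT = b"constructed-demo-salt"


def _hash_password(password, salt=_SALT):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"sensor-17": _hash_password("demo-password-not-real")}   # constructed user

GUEST_PERMISSIONS = {"read:public"}                     # what ANONYMOUS may do
USER_PERMISSIONS = {"read:public", "publish:telemetry"}  # what an authenticated device may do


def encode_plain(authcid, password, authzid=""):
    """Client side: the base64 PLAIN initial response  authzid NUL authcid NUL passwd."""
    return base64.b64encode(f"{authzid}\x00{authcid}\x00{password}".encode()).decode()


def decode_plain(initial_response):
    """Server side: split the response into its three fields or reject it."""
    parts = base64.b64decode(initial_response).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN response")
    authzid, authcid, password = (p.decode() for p in parts)
    return authzid, authcid, password


def authenticate(mechanism, initial_response=None, tls_active=True):
    """Queue manager: returns (identity, permissions) on success, None on failure."""
    if mechanism == "ANONYMOUS":
        # No credentials pass; the connection only ever gets the guest identity.
        return "anonymous", set(GUEST_PERMISSIONS)
    if mechanism == "PLAIN":
        if not tls_active:
            # PLAIN sends the password as-is, so it is refused on an unencrypted link.
            return None
        try:
            _, authcid, password = decode_plain(initial_response)
        except (ValueError, UnicodeDecodeError):
            return None
        stored = USERS.get(authcid)
        candidate = _hash_password(password)   # computed even for unknown users
        if stored is None or not hmac.compare_digest(stored, candidate):
            return None
        return authcid, set(USER_PERMISSIONS)
    return None   # any other mechanism is not supported here


if __name__ == "__main__":
    print(authenticate("ANONYMOUS"))
    print(authenticate("PLAIN", encode_plain("sensor-17", "demo-password-not-real")))
    print(authenticate("PLAIN", encode_plain("sensor-17", "wrong"), tls_active=True))
```

The guest identity returned by ANONYMOUS deliberately carries fewer permissions than an authenticated device, which is the only thing that makes allowing it at all defensible; and because PLAIN puts the password on the wire unchanged, the check for an active TLS session comes before the credentials are even parsed.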

 

 

DDS

The DDS protocol has its own security service technique. It was developed more recently than DTLS or TLS, and is made up of 5 SPIs (Service Plugin Interfaces), which provide information assurance to the DDS system. The SPIs are:

  • Authentication, in which the identity of the target device is confirmed.
  • Access control, in which the device's permissions are checked.
  • Cryptography, in which all cryptographic operations (e.g. encryption, decryption) are carried out to ensure that the transmitted data is secure.
  • Logging, which records all security-related events, such as intrusion attempts or errors in transmission.
  • Data tagging, which attaches tags to each piece of data processed so that data can be tracked more easily.
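
To show how the access-control and logging SPIs work together, here is an added example for this post; it is a simplified, constructed model and not an implementation of the DDS Security specification or of any vendor's plugins. Each identity that the authentication step established has a grant listing the domains it may join and ordered allow/deny rules over publish and subscribe topics; the first matching rule wins and anything unmatched is denied, and every decision is written both to the log and to an audit list so that refusals can be reviewed. The identities, topics and rules are constructed for the example.

```python
"""Added example: a simplified DDS-style access-control check with audit logging.
Constructed for this post; not DDS Security itself or any vendor's plugin."""
import fnmatch
import logging

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("dds.security")

# Constructed permission grants, keyed by the identity the authentication SPI
# established (here a certificate subject name).  Rules are ordered: the first
# (action, topic pattern) match decides; no match means deny.
PERMISSIONS = {
    "CN=humidity-sensor-07": {
        "domains": {0},
        "rules": [
            ("allow", "publish", "Sensors/Humidity/*"),
            ("allow", "subscribe", "Config/Sensors/*"),
            ("deny", "publish", "*"),
        ],
    },
    "CN=building-dashboard": {
        "domains": {0, 1},
        "rules": [
            ("allow", "subscribe", "Sensors/*"),
            ("deny", "publish", "*"),
        ],
    },
}

AUDIT = []   # logging SPI stand-in: every decision is appended here as well as logged


def _record(allowed, identity, domain, action, topic, reason):
    event = {"allowed": allowed, "identity": identity, "domain": domain,
             "action": action, "topic": topic, "reason": reason}
    AUDIT.append(event)
    (log.info if allowed else log.warning)(
        "%s %s domain=%s %s %s (%s)",
        "ALLOW" if allowed else "DENY", identity, domain, action, topic, reason)
    return allowed


def check_permission(identity, domain, action, topic):
    """Access-control SPI: may `identity` perform `action` on `topic` in `domain`?"""
    grant = PERMISSIONS.get(identity)
    if grant is None:
        return _record(False, identity, domain, action, topic, "unknown identity")
    if domain not in grant["domains"]:
        return _record(False, identity, domain, action, topic, "domain not granted")
    for verdict, rule_action, pattern in grant["rules"]:
        if rule_action == action and fnmatch.fnmatchcase(topic, pattern):
            return _record(verdict == "allow", identity, domain, action, topic,
                           f"rule {verdict} {rule_action} {pattern}")
    return _record(False, identity, domain, action, topic, "no matching rule, default deny")


def denied_events():
    """For reviewers: the audit entries that were refusals."""
    return [e for e in AUDIT if not e["allowed"]]


if __name__ == "__main__":
    check_permission("CN=humidity-sensor-07", 0, "publish", "Sensors/Humidity/Room12")
    check_permission("CN=humidity-sensor-07", 0, "publish", "Actuators/HVAC/Room12")
    check_permission("CN=unknown-device", 0, "subscribe", "Sensors/Humidity/Room12")
    print(f"{len(denied_events())} denials recorded")
```

A sensor that suddenly tries to publish to an actuator topic, or an identity nobody issued a grant to, shows up in `denied_events()` with the reason attached, which is the kind of signal the logging SPI exists to provide.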

 

 

 


 

Posted by Nadya Lukman


Nadya is a Mechatronics Engineer who has worked on several different projects, including PCU design, engine design, and AI image processing systems. Besides a little bit of a caffeine addiction, she enjoys reading and traveling to new places.