Configuration of DTLS

[opave]

Hello,

I would like to configure DTLS in my project and looking at the Anjay documentation it seems that the recommended way is to use the Security Object. Unfortunately in my project I am not allowed to expose Private key of the system and have some OpenSSL extension to be able to use this private key. We are using "Certificate mode" as Security Mode and not using the private key send by server as it is pre-provisionned in our system. The Security Object defines as Resource#5 (Secret Key) the private key of the client which I cannot expose as mention above.

So my questions are:

1. How to configure DTLS without using Security Object (if it is really the only recommended way to do it which I understood from documentation)?
2. Is this solution valid for both use cases: Bootstrap and Device Management? By the way why using Security Object to configure DTLS in bootstrap case as server is not even know and Security Object not yet written by server

Thanks for your support.

Regards, Olivier PAVE.

[dextero]

Hi,

Unfortunately in my project I am not allowed to expose Private key of the system and have some OpenSSL extension to be able to use this private key.

Please note that from the LwM2M servers' perspective, Security object is strictly write-only. The library reads DTLS secrets only to initialize the connection, it never sends them over the network.

If that kind of guarantee is still too much in your use case, changes to the library will be required. Right now, an attempt to set up a DTLS connection fails if keys cannot be read from the data model. I suspect this means a change to our DTLS socket implementation may be necessary to make use of the extension you mention.

Is that extension something available to the public that we could take a look at? Do you use some kind of Secure Element chip?

1. How to configure DTLS without using Security Object (if it is really the only recommended way to do it which I understood from documentation)?

It is not possible in the current version of the library. Using the Security object is the only supported way of configuring DTLS.

2. Is this solution valid for both use cases: Bootstrap and Device Management? By the way why using Security Object to configure DTLS in bootstrap case as server is not even know and Security Object not yet written by server

I am not sure I understand what you are asking for, but Security Object is used as the source of DTLS credentials for both Bootstrap and Device Management servers. And why do we use Security Object to configure DTLS for the bootstrap server? Mostly because LwM2M requires that, and for consistency - to have only a single source we retrieve that kind of data from.

Best regards, Marcin

[opave]

Hello,

Thanks for the clear feedback and sorry for the late reply from my side.

In fact, our specificity (to not expose private key) is "encapsulated" in OpenSSL Engine implementation which is used by OpenSSL library. So if Anjay is able to integrate the use of OpenSSL library (which is the case from your documentation) it shall be straight forward but Anjay implementation shall be changed to avoid grabbing private key from data model and trigger OpenSSL calls instead. Do you see any issue doing this and what is your estimation of the effort?

Regards, Olivier PAVE

[dextero]

Hi,

My apologies for the late response.

We would need to figure out the scope of changes required to make it work - for example, how is that supposed to work in the presence of a LwM2M Bootstrap Server, which is supposed to be able to override the private key used by a client.

Being able to take a look at how the API differs from standard OpenSSL would be helpful.

Anyway, this is something that differs from the usual way of handling private keys in LwM2M, so it would have to be a non-standard extension. If you are interested in us adding that, please contact sales@avsystem.com .

Best regards, Marcin