OpenMobileAlliance / OMA_LwM2M_for_Developers

OMA LightweightM2M public resources.
http://openmobilealliance.github.io/OMA_LwM2M_for_Developers/

Lwm2m PSK question #463

Closed rdyjshi closed 5 years ago

rdyjshi commented 5 years ago

Hi,

In "OMA-TS-LightweightM2M_Transport-V1_1-20180710-A.pdf"

> 5.2.8.1. Pre-Shared Keys
>
> If a LwM2M Server supports the pre-shared key credentials it MUST support the following:
>
> - TLS_PSK_WITH_AES_128_CCM_8, as defined in [RFC6655] and mandated in [RFC7925]
> - TLS_PSK_WITH_AES_128_CBC_SHA256, as defined in [RFC5487].
>
> The LwM2M Client SHOULD NOT use the TLS_PSK_WITH_AES_128_CBC_SHA256 ciphersuite as RFC 7457 [RFC7457] has identified security attacks against these TLS/DTLS ciphersuites. A LwM2M v1.1 Client MUST support TLS_PSK_WITH_AES_128_CCM8 and MAY support additional ciphersuites.

These PSK ciphersuites are not safe ciphersuites. They may be attacked by dictionary attack or DDoS. Could you please share some opinion about the reason for using these ciphersuites?

Thanks a lot.

hannestschofenig commented 5 years ago

TLS_PSK_WITH_AES_128_CBC_SHA256 is not a good ciphersuite because researchers have found security attacks against it. Those attacks are described in this RFC: https://tools.ietf.org/html/rfc7457. If you want to use a CBC-based ciphersuite then you have to use the encrypt-then-mac extension (i.e., RFC 7366).

TLS_PSK_WITH_AES_128_CCM_8 on the other hand is completely fine. It is part of a modern class of cryptographic algorithms called "Authenticated Encryption with Additional Data (AEAD)".

Hence, if you have the choice then use an AEAD ciphersuite and CCM is a popular mode of operation for IoT environments.

AES-CCM has been selected for LwM2M because it is recommended in https://tools.ietf.org/html/rfc7925. AES-CCM has been recommended there because pretty much all IoT-related specifications already recommend it. AES-CCM is just very popular, and it is secure. It is better than AES-GCM for IoT environments because it only uses one AES primitive, which leads to more compact implementations. It also comes with various tag sizes and thereby reduces the overhead on the wire.

Did I answer your question?
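To make the answer above concrete, here is an added illustration (not code from the LwM2M specification, the OMA project, or the commenters) of the AEAD mode behind TLS_PSK_WITH_AES_128_CCM_8: CCM as defined in RFC 3610, with the 8-byte tag that the "_8" suffix denotes. It shows the two points made in the answer: CCM builds both its CBC-MAC and its CTR keystream from the block cipher in the forward direction only (the "one AES primitive" argument), and the tag length is a parameter, so the per-record overhead can be traded against forgery resistance. It covers only the record-protection mode, not the PSK handshake. Assumptions: if the third-party `cryptography` package is installed, real AES-128 is used and the RFC 3610 Packet Vector #1 can be checked; otherwise a SHA-256-based forward-only stand-in replaces AES so that the mode structure still runs offline (it is then not AES-CCM, only the same construction). The key, nonce, header and payload in the demo functions are constructed sample values.

```python
"""CCM mode (RFC 3610) over a pluggable 128-bit block function, 8-byte tag by default.

Added illustration of the TLS_PSK_WITH_AES_128_CCM_8 record-protection mode;
not part of the LwM2M specification or the OMA project.
"""
import hashlib
import hmac
import struct

try:
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key, block):
        """One AES-128 block, forward direction only (the sole primitive CCM needs)."""
        enc = Cipher(algorithms.AES(key), modes.ECB(), default_backend()).encryptor()
        return enc.update(block) + enc.finalize()

    REAL_AES = True
except ImportError:
    def block_encrypt(key, block):
        """ASSUMPTION/stand-in: keyed forward-only function, NOT AES; structure demo only."""
        return hashlib.sha256(key + block).digest()[:16]

    REAL_AES = False

BLOCK = 16


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _pad(data):
    """Zero-pad to a multiple of the block size (RFC 3610 Section 2.2)."""
    return data + b"\x00" * (-len(data) % BLOCK)


def _encode_aad_len(n):
    """Length prefix for the additional data, RFC 3610 Section 2.2."""
    if n == 0:
        return b""
    if n < 0xFF00:
        return struct.pack(">H", n)
    if n < 1 << 32:
        return b"\xff\xfe" + struct.pack(">I", n)
    return b"\xff\xff" + struct.pack(">Q", n)


def _cbc_mac(key, nonce, aad, plaintext, tag_len, L):
    """CBC-MAC over B_0 || encoded AAD || plaintext, truncated to tag_len bytes."""
    flags = (0x40 if aad else 0x00) | (((tag_len - 2) // 2) << 3) | (L - 1)
    b0 = bytes([flags]) + nonce + len(plaintext).to_bytes(L, "big")
    blocks = b0 + _pad(_encode_aad_len(len(aad)) + aad) + _pad(plaintext)
    x = bytes(BLOCK)
    for i in range(0, len(blocks), BLOCK):
        x = block_encrypt(key, _xor(x, blocks[i:i + BLOCK]))
    return x[:tag_len]


def _ctr(key, nonce, L, data):
    """CTR keystream from A_i = L' || nonce || i. Returns (S_0, data XOR S_1..S_n)."""
    def s(i):
        return block_encrypt(key, bytes([L - 1]) + nonce + i.to_bytes(L, "big"))
    stream = b"".join(s(i) for i in range(1, -(-len(data) // BLOCK) + 1))
    return s(0), _xor(data, stream[:len(data)])


def _params(nonce, tag_len):
    L = 15 - len(nonce)  # TLS/DTLS CCM uses a 12-byte nonce, hence L = 3
    if not 2 <= L <= 8:
        raise ValueError("nonce must be 7..13 bytes")
    if tag_len not in (4, 6, 8, 10, 12, 14, 16):
        raise ValueError("tag length must be an even number from 4 to 16")
    return L


def ccm_encrypt(key, nonce, aad, plaintext, tag_len=8):
    L = _params(nonce, tag_len)
    t = _cbc_mac(key, nonce, aad, plaintext, tag_len, L)
    s0, ciphertext = _ctr(key, nonce, L, plaintext)
    return ciphertext + _xor(t, s0[:tag_len])  # U = T XOR first tag_len bytes of S_0


def ccm_decrypt(key, nonce, aad, ct_and_tag, tag_len=8):
    L = _params(nonce, tag_len)
    if len(ct_and_tag) < tag_len:
        raise ValueError("record too short")
    ciphertext, tag = ct_and_tag[:-tag_len], ct_and_tag[-tag_len:]
    s0, plaintext = _ctr(key, nonce, L, ciphertext)
    expected = _xor(_cbc_mac(key, nonce, aad, plaintext, tag_len, L), s0[:tag_len])
    if not hmac.compare_digest(expected, tag):  # constant-time tag check
        raise ValueError("authentication failed")
    return plaintext


# Constructed sample values (not from any real LwM2M deployment).
KEY = bytes(range(0x40, 0x50))
NONCE = bytes(12)
AAD = b"constructed record header"
MSG = b"constructed LwM2M payload"


def tag_overhead(tag_len):
    """Bytes CCM adds beyond the plaintext: exactly the tag length (8 for CCM_8)."""
    return len(ccm_encrypt(KEY, NONCE, AAD, MSG, tag_len)) - len(MSG)


def roundtrip_ok():
    return ccm_decrypt(KEY, NONCE, AAD, ccm_encrypt(KEY, NONCE, AAD, MSG)) == MSG


def tamper_detected():
    """AEAD property: a single flipped ciphertext bit is rejected, never decrypted."""
    rec = bytearray(ccm_encrypt(KEY, NONCE, AAD, MSG))
    rec[0] ^= 0x01
    try:
        ccm_decrypt(KEY, NONCE, AAD, bytes(rec))
        return False
    except ValueError:
        return True


def rfc3610_vector1():
    """RFC 3610 Packet Vector #1 (L=2, 13-byte nonce, M=8); None when real AES is absent."""
    if not REAL_AES:
        return None
    key = bytes(range(0xC0, 0xD0))
    nonce = bytes.fromhex("00000003020100A0A1A2A3A4A5")
    packet = bytes(range(0x1F))  # 8 header bytes (AAD) + 23 payload bytes
    out = packet[:8] + ccm_encrypt(key, nonce, packet[:8], packet[8:], 8)
    return out == bytes.fromhex(
        "0001020304050607588C979A61C663D2F066D0C2C0F989806D5F6B61DAC38417E8D12CFDF926E0")
```

Both the MAC and the keystream call `block_encrypt` only; no inverse cipher and no second primitive such as GCM's GHASH multiplier is needed, which is why CCM suits constrained devices. Truncating the tag to 8 bytes bounds the per-forgery success probability at 2^-64 while saving 8 bytes per record compared with a full 16-byte tag; the CBC-SHA256 suite carries a 32-byte MAC plus padding per record and, without RFC 7366 encrypt-then-MAC, exposes the padding-oracle class of problems catalogued in RFC 7457.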

rdyjshi commented 5 years ago

Got it, thanks a lot.