Closed syslot closed 9 years ago
Yes, there are significant advantages.
Basically, SSL/TLS have a variety of ciphers that they may use in any given session. This has the advantage of providing compatibility with a wider range of clients. It has two major downsides:
Since we don't need to support client diversity, there's no advantage to SSL/TLS over the encryption we do use. And by only supporting RSA/AES, it significantly decreases the memory overhead (which means we can run on a processor with 20KB of RAM, which would not be possible with SSL/TLS). In addition, it is potentially more secure, because we are not supporting ciphers that might be determined to be insecure.
Thanks for your answer. By the way, in spark server, does one client map two pairs of keys (the public and private)?
The device holds its own private key while the server holds the public key as per normal security model.
In addition, communication with the server requires the use of the server public key stored in the device.
I have a question about the encryption scheme spark used (RSA & AES): why not SSL/TLS? Are there some advantages?