emSSL

From SEGGER Wiki
Jump to: navigation, search

emSSL is an implementation of SSL (Secure Sockets Layer), now called TLS (Transport Layer Security) for Embedded Systems by SEGGER.

This wiki page explains and links to other articles providing information too specific for the user manual or product pages on [1]

Device specifics

emSSL is independent of TCP/IP stack and hardware crytographic acceleration. Because emSSL can work over any full-duplex link, it is feasible to run emSSL between two devices over a simple UART, a CAN network, or any other 8-bit transparent link.

Performance

Performance of an SSL session can be broken into the connection phase and the bulk communication phase.

  • The connection phase is dominated by the SSL handshake that involves network latency and where one or both ends are authenticated and keys are derived and exchanged. Because messages are exchanged mostly in lock step, there is little opportunity to pipeline an SSL handshake in TLS versions 1.2 and lower. Authentication of one or both ends (usually) requires public key signature vertification and signature generation, and public key operations are computationally expensive.
  • The communication phase is dominated by transmission and bulk encryption and decryption of user data. Encryption and decryption speed depend upon the cipher suite agreed between the peers, but bulk encryption is much faster than public key encryption.

Selection of client parameters

If you are setting up a connection between your own server and client devices, you can select a single cipher suite that meets your performance and security levels. For instance, you may wish to use AES with a 256-bit key, use SHA-256 as the basis for the message authentication code on each packet, and a server certificate with a corresponding 2048-bit RSA private key.

If you need to connect a client to a web-based service, for instance a service with a REST API, the client must be able to agree a cipher suite with the target server. You can use the "scan" tool provided with emSSL to all common cipher suites between emSSL and the target server.

In addition to the scan tool, you can use an online service such as https://www.ssllabs.com/ssltest/ to list the capabilities of the target server.

Once you have selected a cipher suite, you can configure your client with a minimal set of capabilities and therefore minimize the RAM and ROM footprint of your client application.

Selection of server parameters

If you are setting up a server that you wish to connect to using a web browser such as Edge, Firefox, or Chrome, you must select one or more cipher suites that are common between your server and each web browser.

The cipher suites that web browsers accept are becoming more and more limited, reducing the attack surface of the secure connection. As more modern cryptographic algorithms become accepted and standardized by the IETF, so older, less secure ones become unsupported.

You can check the capability of your web browser by using a service such as https://www.ssllabs.com/ssltest/viewMyClient.html.

Once you have a set of common cipher suites for the browsers you wish to support, you can configure emSSL with those suites.