HCC’s Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS) is a highly optimized software module designed to provide secure network communications for embedded devices. The software is developed using a rigorous adherence to MISRA C:2004 and is available with a full MISRA compliance report. The importance of using a strong development process and source code control has been emphasized by a number of high-profile security problems caused by source code errors. Network security requires a high degree of quality and traditional methods of ‘freestyle coding’ and test do not provide sufficient guarantees of correctness.
HCC’s TLS/DTLS is a framework for secure communication in computer networks, based on the TCP/IP or UDP protocols. The module supports Secure Sockets Layer (SSL) 3.0 but this is deprecated as TLS 1.2 is the recommended standard. The TLS and DTLS module forms part of HCC’s MISRA-compliant TCP/IP stack and is designed specifically for use with it.
This module provides three options:
- TLS interfacing to either HCC’s MISRA-compliant TCP or to a TCP Sockets interface.
- DTLS interfacing to either HCC’s MISRA-compliant UDP or to a UDP Sockets interface.
- TLS interfacing to HCC’s EAP-TLS module (EAP is the Extensible Authentication Protocol). The EAP-TLS module interfaces to the TLS RAW interface.
The TLS/DTLS implementation can be used as client or server (host). The module provides the following guaranteed capabilities, regardless of the components that lie beneath it:
- Privacy – it ensures that nobody else can read the message.
- Authenticity – it ensures that each party really is talking to the peer they think they are talking to.
- Integrity – it ensures that the data payload has not been modified/tampered with.
Note: You may not require all three of the above capabilities for all use cases; HCC can advise on this.
The module uses HCC’s Embedded Encryption Manager (EEM) to provide encryption and certificate management.
The TLS RAW interface can be used to interface TLS to HCC’s EAP-TLS module.
- Conforms to the HCC Advanced Embedded Framework.
- Designed for integration with both RTOS and non-RTOS based systems.
- MISRA-compliant. A full MISRA compliance report is provided and, for specialized applications, a full UML description is available that can be licensed as a separate component.
- Designed for microcontrollers, ensuring a low memory footprint. This is typically around 20 KB of ROM or 8 KB of RAM.
- Typically uses a standard Sockets interface, allowing easy integration with many embedded applications.
- Supports TLS 1.0, 1.1 and 1.2 (RFC 5246) and SSL 3.0 and is verifiable.
- Supports DTLS version 1.2 (RFC 6347) and version 1.0 (RFC 4347).
- Supports HCC’s EAP-TLS module (through its RAW interface).
- Supports heartbeat extensions (RFC 6520).
- Supports HTTP over TLS (RFC 2818).
- Provides HTTP or FTP Server support for HTTPS and FTPS implementations, or for connection to any other secure client or server application.
- Uses HCC’s Embedded Encryption Manager (EEM) to provide full certificate management.
- Supports all the algorithms supported by the EEM, including AES, 3DES, DSS, EDH, MD5, RSA, SHA-1, SHA-256, SHA-384, and SHA-512. These acronyms are expanded below.
- Supports all the mandatory cipher suites required by different versions of TLS.
- Supports Elliptic Curve Cryptography (ECC) (RFC 4492).
- Supports Authenticated Encryption with Associated Data (AEAD).
The supported algorithms are:
- Advanced Encryption Standard (AES).
- Digital Signature Standard (DSS).
- Elliptic Curve Digital Signature Algorithm (ECDSA).
- Ephemeral Diffie-Hellman (EDH) algorithm.
- Message Digest Algorithm 5 (MD5).
- RSA Signature Algorithm (RSA).
- Secure Hash Algorithm SHA-1, SHA-1 HMAC, SHA1-HMAC-96, SHA-256, SHA-384 and SHA-512). (HMAC stands for Hash Message Authentication Code.)
- Tiger/128, Tiger/160, Tiger/192 and Tiger/192 HMAC.
- Triple Data Encryption Standard (3DES).