This proposal has been approved and the Eclipse tinydtls project has been created.
Visit the project page for the latest information and development.

Go to Project

tinydtls

Wednesday, February 18, 2015 - 05:49 by Olaf Bergmann
Basics
This proposal is in the Project Proposal Phase (as defined in the Eclipse Development Process) and is written to declare its intent and scope. We solicit additional participation and input from the community. Please login and add your feedback in the comments section.
Project
Eclipse tinydtls
Parent Project
Eclipse IoT
Working Group
Internet of Things (IoT)
Proposal State
Created
Background

TZI began development of tinydtls in 2011 to estimate the memory footprint of a minimal Datagram Transport Layer Security (DTLS) engine. At that time, the Constrained RESTful Environments (CoRE) working group in the IETF scrutinized various options for securing the Constrained Application Protocol (CoAP). One question addressed the applicability of DTLS together with two new cipher suites that have been proposed for resource-limited network nodes, i.e. TLS_PSK_WITH_AES_128_CCM_8 for Pre-Shared Key (PSK) mode, and TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 for Raw Public Key (RPK) mode. As these new cipher suites as well as the use of raw public keys in DTLS were still in an early phase of standardization, no known DTLS implementation provided support. It would not have been too hard to enhance existing open source DTLS implementations, though. But in turn, investigating the bare minimum that is required to run a minimal DTLS stack would have implied significant changes to the existing code. Developing the DTLS engine from scratch also allowed to support not only POSIX-compliant systems but also embedded operating systems such as Contiki. Since its initial release, tinydtls has become an important tool for experimenting with DTLS in constrained devices by users from academia as well as industry. It has been used as a blueprint and reference platform during development of other DTLS implementations such as Scandium and contiki-dtls, and is designed to integrate with libcoap, a widely deployed CoAP implementation in C. Bindings for other languages such as lua exist.

Scope

tinydtls provides a light-weight implementation of the DTLS protocol that can be used in devices with tight memory constraints, i.e. in the order of 100 KiB flash memory and about 10 KiB RAM. The cipher suites supported by tinydtls are limited to TLS_PSK_WITH_AES_128_CCM_8 and TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 that are mandatory-to-implement for CoAP. In scope:

  • Integration of new cipher suites as they become available and are recommended for use with CoAP, e.g. the proposed TLS_ECDHE_PSK_WITH_AES_128_CCM_8 to achieve forward secrecy in the PSK mode of CoAP.
  • Implementation of DTLS extensions that are useful in constrained environments, e.g. the maximum fragment length negotiation specified in RFC6066.
  • Provide an interface for using hardware acceleration for cryptographic computations such as AES or ECC.
  • Include optional lua binding for rapid prototyping of DTLS-enabled applications.
  • Optimize memory usage and runtime behavior.
  • Improve code quality, including error handling and robustness.

Out of scope:

  • Development of new cipher suites.
  • Implementing application logic except for example code that illustrates how to use the library.
  • Support for CoAP's certificate mode.
Description

tinydtls is a library for Datagram Transport Layer Security (DTLS) covering both the client and the server state machine. It is implemented in C and provides support for the mandatory cipher suites specified in CoAP.

Licenses
Eclipse Distribution License 1.0 (BSD)
Eclipse Public License 1.0
Legal Issues

The library contains an implementation of the Rijndael algorithm (AES) from OpenBSD. The license information is available in the source file rijndael.c. The SHA256 implementation included with tinydtls is licensed under BSD (taken from Aaron D. Gifford). The implementation of the ECC curve secp256r1 was originally developed by Chris K Cockrum and has been put under MIT license. Additional contributions to tinydtls are from Hauke Mehrtens.

Why Here?

Currently, the library is used by Wakaama to facilitate security on the transport layer. Wakaama and other CoAP implementations need DTLS support for secure communication at transport layer. Hosting the project at Eclipse can facilitate integration with other projects such as libcoap or Wakaama. Users that want to use DTLS with their Eclipse projects currently have to do the integration part by themselves. As this is a difficult task, errors that affect the overall security of their projects are more likely.

Future Work
  • Adding luadtls to the [tinydtls] code base.
  • Integration with libcoap
  • Support third-party crypto libraries such as micro-ecc
  • API for hardware acceleration
  • Enhance code quality
People
Project Leads
Olaf Bergmann
Committers
Olaf Bergmann
Simon Bernard (This committer does not have an Eclipse Account)
Mentors
Benjamin Cabé
Interested Parties

Julien Vermillard

Source Code
Initial Contribution

The initial contribution will be from the existing code base at SourceForge. The large part of the code is copyright by Olaf Bergmann, with additional contributions are from Hauke Mehrtens.

luadtls will be contributed by Simon Bernard.

Source Repository Type
Git
Source Repositories
http://sourceforge.net/p/tinydtls/code/
https://github.com/sbernard31/luadtls