AES implementation in COAP

Question

I am trying to implement AES_128 provided in Contiki-2.7 in my CoAP server, but in a little bit of confusion as to how it will be translated in the browser.

I have some physical sky motes as CoAP servers and a border router. I am using the copper browser to see the CoAP resources.

I would like to encrypt the traffic with AES so it is not possible to see the traffic using Wireshark or any interceptors.

Can anyone please help?

Thank you

Answer 1

As already written above, AES alone seems not to comply any known standard. As far as I know, you use the Californium proxy to communicate with your nodes. It's generally possible to setup the outgoing request to use coaps (CoAP over DTLS), but not out-of-the-box with the current early version of the proxy2. If you can wait some weeks, the new Californium proxy2 will offer that in the future. Anyway, this doesn't help for the communication to the proxy. I'm not sure, why you want to use a http-browser, the current http-server implementation of the proxy2 also doesn't support https for now, but I think it will ... in some weeks :-).

If you consider to use an other client, maybe the californium.tools cf-browser, it's easier to use coaps directly with the nodes, when they are reachable in your network setup also without proxy.

Answer 2

AES alone on CoAP does not really make sense, it needs to be integrated with CoAP in some way.

• CoAP-over-DTLS (coaps, RFC7252) is the traditional choice, and familiar to HTTPS users
• OSCORE (RFC8613, introduced well here) was recently specified, and is generally more compact
• IPsec would work in theory, but I haven't seen it used in IoT yet.

Copper supports neither DTLS nor OSCORE, but then again has not been updated in years, so I suggest look into the client software you'll actually be using first.

I can't tell what Contiki currently has support for, that largely depends on which branch you are using -- but for both DTLS and OSCORE, there should be a branch around.