Transport layer encryption
The device connectivity layer encrypts all connections. It uses the industry-standard TLS protocol for all TCP-based endpoints and DTLS for UDP-based endpoints.
Following security best practices, the device connectivity layer does not allow potentially insecure protocols such as SSL or TLS versions lower than 1.2.
Supported encryption protocols
| Protocol | Supported |
| --- | --- |
| SSL any version | No |
| TLS1.0 | No |
| TLS1.1 | No |
| TLS1.2 | Yes |
| TLS1.3 | Supported by protocol adapters for AMQP, HTTP, LoRa and MQTT |
| DTLS1.2 | Supported by CoAP protocol adapter only |
Supported TLS cipher suites
Supported cipher suites ordered by encryption strength
TCP-based Protocol adapters (AMQP, HTTP, LoRa and MQTT)
| TLS Version | Cipher Suite Name (IANA/RFC) | KeyExch. | Encryption | Bits | Cipher Suite Name (OpenSSL) | Remark |
| --- | --- | --- | --- | --- | --- | --- |
| TLSv1.3 | TLS_AES_128_GCM_SHA256 | | AES | 128 | TLS_AES_128_GCM_SHA256 | Recommended |
| TLSv1.3 | TLS_AES_256_GCM_SHA384 | | AES | 256 | TLS_AES_256_GCM_SHA384 | Recommended |
| TLSv1.3 | TLS_CHACHA20_POLY1305_SHA256 | | AES | 256 | TLS_CHACHA20_POLY1305_SHA256 | Recommended |
| TLSv1.2 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ECDH 256 | AESGCM | 256 | ECDHE-RSA-AES256-GCM-SHA384 | Recommended |
| TLSv1.2 | TLS_ECDHE_RSA_WITH_CHACHA20 | ECDH 256 | ChaCha20 | 256 | ECDHE-RSA-CHACHA20-POLY1305 | Recommended |
| TLSv1.2 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDH 256 | AESGCM | 128 | ECDHE-RSA-AES128-GCM-SHA256 | Recommended |
| TLSv1.2 | TLS_RSA_WITH_AES_256_GCM_SHA384 | RSA | AESGCM | 256 | AES256-GCM-SHA384 | Not recommended |
| TLSv1.2 | TLS_RSA_WITH_AES_128_GCM_SHA256 | RSA | AESGCM | 128 | AES128-GCM-SHA256 | Not recommended |
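
A device-side sketch of how a client for the TCP-based adapters can restrict itself to the suites marked "Recommended" in the table above. This is an added example, not code from the service or its SDKs; the function names (`build_device_context`, `offered_tls12_suites`, `check_negotiated`) are hypothetical, and it assumes Python's `ssl` module backed by OpenSSL.

```python
import ssl

# OpenSSL names of the TLS 1.2 suites the table above marks "Recommended".
RECOMMENDED_TLS12 = (
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
)
# TLS 1.3 suites from the same table (all marked "Recommended").
RECOMMENDED_TLS13 = (
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
)


def build_device_context(cafile=None):
    """Client context offering only TLS 1.2+ and the recommended TLS 1.2 suites."""
    ctx = ssl.create_default_context(cafile=cafile)  # certificate + hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() governs TLS 1.2 and below; OpenSSL manages the TLS 1.3
    # suites separately, so they stay enabled.
    ctx.set_ciphers(":".join(RECOMMENDED_TLS12))
    return ctx


def offered_tls12_suites(ctx):
    """TLS 1.2 suites the context will offer (TLS 1.3 names start with 'TLS_')."""
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def check_negotiated(version, cipher_name):
    """Validate the values reported by SSLSocket.version() and SSLSocket.cipher()[0]."""
    if version == "TLSv1.3":
        return cipher_name in RECOMMENDED_TLS13
    if version == "TLSv1.2":
        return cipher_name in RECOMMENDED_TLS12
    return False  # SSL, TLS 1.0 and TLS 1.1 are not allowed by the service


if __name__ == "__main__":
    ctx = build_device_context()
    print(ctx.minimum_version.name, offered_tls12_suites(ctx))
```

With this context the client never offers the static-RSA suites marked "Not recommended", so the handshake fails instead of falling back to them.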
UDP-based protocol adapter (CoAP)
| DTLS Version | Cipher Suite Name (IANA/RFC) | KeyExch. | Encryption | Bits | Remark |
| --- | --- | --- | --- | --- | --- |
| DTLS 1.2 | TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 | ECDHE PSK | AES GCM | 128 | Recommended |
| DTLS 1.2 | TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 | ECDHE PSK | AES GCM | 256 | Recommended |
| DTLS 1.2 | TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 | ECDHE PSK | AES CCM 8 | 128 | Recommended |
| DTLS 1.2 | TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 | ECDHE PSK | AES CCM | 128 | Recommended |
| DTLS 1.2 | TLS_PSK_WITH_AES_128_GCM_SHA256 | PSK | AES GCM | 128 | Not recommended |
| DTLS 1.2 | TLS_PSK_WITH_AES_256_GCM_SHA384 | PSK | AES GCM | 256 | Not recommended |
| DTLS 1.2 | TLS_PSK_WITH_AES_128_CCM_8 | PSK | AES CCM 8 | 128 | Not recommended |
| DTLS 1.2 | TLS_PSK_WITH_AES_256_CCM_8 | PSK | AES CCM 8 | 256 | Not recommended |
| DTLS 1.2 | TLS_PSK_WITH_AES_128_CCM | PSK | AES CCM | 128 | Not recommended |
| DTLS 1.2 | TLS_PSK_WITH_AES_256_CCM | PSK | AES CCM | 256 | Not recommended |
| DTLS 1.2 | TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 | ECDHE PSK | AES CBC | 128 | Not recommended |
| DTLS 1.2 | TLS_PSK_WITH_AES_128_CBC_SHA256 | PSK | AES CBC | 128 | Not recommended |
Manage endpoint
| TLS Version | Cipher Suite Name (IANA/RFC) | KeyExch. | Encryption | Bits | Cipher Suite Name (OpenSSL) | Remark |
| --- | --- | --- | --- | --- | --- | --- |
| TLSv1.2 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ECDH 256 | AESGCM | 256 | ECDHE-RSA-AES256-GCM-SHA384 | Recommended |
| TLSv1.2 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDH 256 | AESGCM | 128 | ECDHE-RSA-AES128-GCM-SHA256 | Recommended |
| TLSv1.2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ECDH 256 | AES | 256 | ECDHE-RSA-AES256-SHA384 | Not recommended |
| TLSv1.2 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ECDH 256 | AES | 128 | ECDHE-RSA-AES128-SHA256 | Not recommended |
| TLSv1.2 | TLS_RSA_WITH_AES_256_GCM_SHA384 | RSA | AESGCM | 256 | AES256-GCM-SHA384 | Not recommended |
| TLSv1.2 | TLS_RSA_WITH_AES_256_CBC_SHA256 | RSA | AES | 256 | AES256-SHA256 | Not recommended |
| TLSv1.2 | TLS_RSA_WITH_AES_128_GCM_SHA256 | RSA | AESGCM | 128 | AES128-GCM-SHA256 | Not recommended |
| TLSv1.2 | TLS_RSA_WITH_AES_128_CBC_SHA256 | RSA | AES | 128 | AES128-SHA256 | Not recommended |