Bosch IoT Device Management

Transport layer encryption

Bosch IoT Hub uses encryption for all connectivity. This is accomplished by using industry standard TLS protocol for all TCP-based endpoints and DTLS for UDP-based endpoints.

Due to security best practices, IoT Hub does not allow potentially insecure protocols like SSL or TLS lower than version 1.2.

Supported encryption protocols

Protocol

Supported

SSL any version

No

TLS1.0

No

TLS1.1

No

TLS1.2

Yes

TLS1.3

Supported by Protocol Adapters for AMQP, HTTP, LoRa and MQTT

DTLS1.2

Supported by CoAP Protocol Adapter only

Supported TLS cipher suites

Supported cipher suites ordered by encryption strength

TCP-based Protocol adapters (AMQP, HTTP, LoRa and MQTT)

TLS Version

Cipher Suite Name (IANA/RFC)

KeyExch.

Encryption

Bits

Cipher Suite Name (OpenSSL)

Remark

TLSv1.3

TLS_AES_128_GCM_SHA256

AES

128

TLS_AES_128_GCM_SHA256

Recommended

TLSv1.3

TLS_AES_256_GCM_SHA384

AES

256

TLS_AES_256_GCM_SHA384

Recommended

TLSv1.3

TLS_CHACHA20_POLY1305_SHA256

AES

256

TLS_CHACHA20_POLY1305_SHA256

Recommended

TLSv1.2

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

ECDH 256

AESGCM

256

ECDHE-RSA-AES256-GCM-SHA384

Recommended

TLSv1.2

TLS_ECDHE_RSA_WITH_CHACHA20
_POLY1305_SHA256

ECDH 256

ChaCha20

256

ECDHE-RSA-CHACHA20-POLY1305

Recommended

TLSv1.2

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

ECDH 256

AESGCM

128

ECDHE-RSA-AES128-GCM-SHA256

Recommended

TLSv1.2

TLS_RSA_WITH_AES_256_GCM_SHA384

RSA

AESGCM

256

AES256-GCM-SHA384

Not recommended

TLSv1.2

TLS_RSA_WITH_AES_128_GCM_SHA256

RSA

AESGCM

128

AES128-GCM-SHA256

Not recommended

UDP-based protocol adapter (CoAP)

DTLS Version

Cipher Suite Name (IANA/RFC)

KeyExch.

Encryption

Bits

Remark

DTLS 1.2

TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256

ECDHE PSK

AES GCM

128

Recommended

DTLS 1.2

TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA378

ECDHE PSK

AES GCM

256

Recommended

DTLS 1.2

TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256

ECDHE PSK

AES CCM 8

128

Recommended

DTLS 1.2

TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256

ECDHE PSK

AES CCM

128

Recommended

DTLS 1.2

TLS_PSK_WITH_AES_128_GCM_SHA256

PSK

AES GCM

128

Not recommended

DTLS 1.2

TLS_PSK_WITH_AES_256_GCM_SHA378

PSK

AES GCM

256

Not recommended

DTLS 1.2

TLS_PSK_WITH_AES_128_CCM_8

PSK

AES CCM 8

128

Not recommended

DTLS 1.2

TLS_PSK_WITH_AES_256_CCM_8

PSK

AES CCM 8

256

Not recommended

DTLS 1.2

TLS_PSK_WITH_AES_128_CCM

PSK

AES CCM

128

Not recommended

DTLS 1.2

TLS_PSK_WITH_AES_256_CCM

PSK

AES CCM

256

Not recommended

DTLS 1.2

TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256

ECDHE PSK

AES CBC

128

Not recommended

DTLS 1.2

TLS_PSK_WITH_AES_128_CBC_SHA256

PSK

AES CBC

128

Not recommended

Manage endpoint

TLS Version

Cipher Suite Name (IANA/RFC)

KeyExch.

Encryption

Bits

Cipher Suite Name (OpenSSL)

Remark

TLSv1.2

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

ECDH 256

AESGCM

256

ECDHE-RSA-AES256-GCM-SHA384

Recommended

TLSv1.2

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

ECDH 256

AESGCM

128

ECDHE-RSA-AES128-GCM-SHA256

Recommended

TLSv1.2

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

ECDH 256

AES

256

ECDHE-RSA-AES256-SHA384

Not recommended

TLSv1.2

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

ECDH 256

AES

128

ECDHE-RSA-AES128-SHA256

Not recommended

TLSv1.2

TLS_RSA_WITH_AES_256_GCM_SHA384

RSA

AESGCM

256

AES256-GCM-SHA384

Not recommended

TLSv1.2

TLS_RSA_WITH_AES_256_CBC_SHA256

RSA

AES

256

AES256-SHA256

Not recommended

TLSv1.2

TLS_RSA_WITH_AES_128_GCM_SHA256

RSA

AESGCM

128

AES128-GCM-SHA256

Not recommended

TLSv1.2

TLS_RSA_WITH_AES_128_CBC_SHA256

RSA

AES

128

AES128-SHA256

Not recommended