Setting up secure communication between devices—especially in the world of microcontrollers—isn’t always easy. If you’re confused, don’t worry! Even experienced sysadmins sometimes scratch their heads over SSL and TLS.
This guide walks you through the basics of secure socket communication, with a focus on resource-constrained environments like MicroPython. Whether you're building a connected sensor or a secure IoT gateway, this will help you understand how to protect your data.
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that secure data sent over networks.
They provide:
- Confidentiality – Encrypts data to prevent eavesdropping.
- Integrity – Ensures data isn’t tampered with during transmission.
- Authentication – Verifies the identity of the server or client.
- Secure sensitive data like sensor readings or API keys.
- Enable secure communication with cloud services (e.g., HTTPS, MQTT).
- Prevent man-in-the-middle attacks and device impersonation.
When two devices connect securely, they go through a TLS handshake to negotiate encryption and authentication. There are three handshake modes:
Client Server
| |
| --- Propose Cipher Suites -----> |
| |
| <----- Select Cipher Suite ------|
| |
| --- Generate Session Key ------> |
| |
| <----- Acknowledge Key --------- |
| |
| <=== Encrypted Communication ===>|
How it works:
- Client and server agree on encryption (e.g., AES).
- Generate session keys.
- No certificates involved.
Use case:
- Testing on trusted local networks.
Client Server
| |
| --- Propose Cipher Suites -----> |
| |
| <--- Server Certificate ---------|
| |
| --- Verify Certificate --------->| (Checks: CA, Expiry, Domain)
| |
| --- Generate Encrypted Key ----> |
| |
| <----- Acknowledge Key --------- |
| |
| <=== Encrypted Communication ===>|
How it works:
- Server sends a certificate (from a trusted Certificate Authority).
- Client verifies:
- Valid certificate chain.
- Certificate hasn't expired or been revoked.
- Domain name matches.
- Secure session is established.
Use case:
- IoT devices communicating with cloud APIs (e.g.,
https://api.example.com).
✅ Benefit: Protects against fake servers or impersonation.
Client Server
| |
| --- Propose Cipher Suites -----> |
| |
| <--- Server Certificate ---------|
| |
| --- Verify Server Certificate -->|
| |
| --- Client Certificate --------->|
| |
| <--- Verify Client Certificate --|
| |
| --- Generate Encrypted Key ----> |
| |
| <----- Acknowledge Key --------- |
| |
| <=== Encrypted Communication ===>|
How it works:
- Server authenticates itself (same as Mode 2).
- Client also sends its certificate.
- Server verifies the client before continuing.
Use case:
- Device-to-device communication.
- High-security industrial IoT.
✅ Benefit: Blocks unauthorized devices from connecting.
TLS encryption relies on asymmetric cryptography, using a key pair:
-
Public Key
- Shared openly.
- Used to encrypt data or verify signatures.
-
Private Key
- Kept secret.
- Used to decrypt data or sign messages.
-
Encryption/Decryption
- Data encrypted with the public key can only be decrypted by the private key.
- Used to securely exchange session keys.
-
Signing/Verification
- A private key signs data (like certificates).
- A public key verifies that signature.
| Property | RSA (e.g., 2048 bits) | ECC (e.g., 256 bits) |
|---|---|---|
| Key Size | Large | Small |
| Speed | Slower | Faster (great for MicroPython) |
| Best For | Legacy systems | Modern IoT and low-power boards |
✅ MicroPython Tip: Prefer ECC for devices like ESP32.
Certificates are digital documents that link a public key to a verified identity (like a domain name).
- Subject: Domain or entity name (e.g.,
example.com). - SANs: Alternative names or IPs.
- Issuer: The Certificate Authority that signed it.
- Validity: Start and end dates.
- Public Key: Used for encryption.
- Digital Signature: Proof that the CA trusts this certificate.
-
CA-Signed
- Trusted by browsers and OS by default.
- Issued by authorities like Let's Encrypt.
-
Self-Signed
- Created by you.
- Great for testing but requires manual trust.
- Root CA – Pre-installed in browsers and systems.
- Intermediate CA – Signed by the root.
- Server Certificate – Issued by intermediate.
✅ Validation Process:
- The client checks the certificate chain.
- Validates the domain.
- Checks for revocation (CRL or OCSP).
Running TLS on a microcontroller means working around limited memory and CPU.
Here are some suggestions:
- ✅ Use ECC certificates to reduce size and improve performance.
- 🔧 Trim unused CA certificates to save flash memory.
- ❌ Avoid RSA-4096—too heavy for small devices.
- 🛡️ Use secure elements or hardware security modules to store private keys.
- ⚖️ Choose your mode wisely:
- Use Mode 2 for cloud APIs and general use.
- Use Mode 3 (mTLS) for sensitive or critical applications.
TLS and SSL may sound intimidating at first, but once you understand the basics—encryption, trust, and identity verification—it gets much easier.
Start small:
- Try setting up server-authenticated connections.
- Test with self-signed certs in local environments.
- Explore mutual TLS when you're ready for more security.
You're building secure systems. Keep going, one encrypted handshake at a time! 💪
Alice and Bob are exchanging encrypted messages.
Eve is trying to eavesdrop.
Then Mallory shows up, intercepts the keys, forges a message, and sends it to Bob.
Bob reads it, nods, and says:
"I don't know who you are, but if Alice says she loves me, I believe her."
Eve facepalms 🤦. Mallory smiles.
Meanwhile, Trent, the trusted third party, is off on vacation 🏖️ because he “trusted everyone to do the right thing.”