Device API Encryption Requirements

Murano device APIs only supports secure communication with TLS encryption.


Q. Why does Murano not support plain TCP connections?

A. IoT-Devices communicate information which are expected to be true by users. Data communication over a public network, such as the Internet, has no guarantees of data integrity during the transport. In other words, data from and to your devices could easily be read and changed by anonymous 3rd party, making your product UN-TRUSTABLE.

Supported TLS Version

By default only TLSv1.2 is supported as older versions have known security weaknesses allowing 3rd parties to impersonate your device and potentially access and compromise transmitted data.

To support legacy hardware, such legacy versions can be enabled per IoT-Connector while device maker is made fully aware of the risk.

You can check your TLS security settings robustness on https://www.ssllabs.com/ssltest/.


SNI

When making a secure TLS connection attempt to the API domain, it is required to specify the domain as the SNI field in the TLS connection request.

SNI stands for Server Name Indication, which is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which host-name it is attempting to connect to at the start of the handshaking process. This allows Murano IoT platform to present multiple certificates on the same IP address and provide a dedicated certificate to each of the IoT device products (aka IoT Connectors) for high security. Most of the modern Web browsers and HTTP/MQTT clients have already supported the SNI feature behind the scenes during the TLS handshake process for secure HTTP/MQTT connections.

More technical details about SNI and TLS handshake can be found in the following references:

SNI is a standard widely supported by most implementation. See for example how to set SNI with OpenSSL or Murano tutorial for Cypress Wiced hardware.


Supported TLS Ciphers

A cipher is an encryption algorithm that uses encryption keys to create a coded message. Protocols use several ciphers to encrypt data over the internet. During the connection negotiation process, the client and the server present a list of ciphers and protocols that they each support, in order of preference. By default, the first cipher on the server's list that matches any one of the client's ciphers is selected for the secure connection.

The following table describes the supported cipher suites for Device Connectivity.

TLS Cipher Suites Protocol-TLSv1 Protocol-TLSv1.1 Protocol-TLSv1.2
AES128-GCM-SHA256 * * *
AES128-SHA * * *
AES128-SHA256 * * *
AES256-GCM-SHA384 * * *
AES256-SHA * * *
AES256-SHA256 * * *
DES-CBC-SHA * * *
DES-CBC3-SHA * * *
DHE-DSS-AES128-CBC-SHA * * *
DHE-DSS-AES128-CBC-SHA256 *
DHE-DSS-AES128-GCM-SHA256 *
DHE-DSS-AES256-CBC-SHA * * *
DHE-DSS-AES256-CBC-SHA256 *
DHE-DSS-AES256-GCM-SHA384 *
DHE-DSS-DES-CBC3-SHA * * *
DHE-RSA-AES128-GCM-SHA256 *
DHE-RSA-AES128-SHA * * *
DHE-RSA-AES128-SHA256 *
DHE-RSA-AES256-GCM-SHA384 *
DHE-RSA-AES256-SHA * * *
DHE-RSA-AES256-SHA256 *
DHE-RSA-CHACHA20-POLY1305 * * *
DHE-RSA-DES-CBC-SHA * * *
DHE-RSA-DES-CBC3-SHA * * *
ECDH-ECDSA-AES128-CBC-SHA * * *
ECDH-ECDSA-AES128-CBC-SHA256 *
ECDH-ECDSA-AES128-GCM-SHA256 *
ECDH-ECDSA-AES256-CBC-SHA * * *
ECDH-ECDSA-AES256-CBC-SHA384 *
ECDH-ECDSA-AES256-GCM-SHA384 *
ECDH-ECDSA-DES-CBC3-SHA * * *
ECDH-ECDSA-RC4-SHA * * *
ECDH-RSA-AES128-CBC-SHA * * *
ECDH-RSA-AES128-CBC-SHA256 *
ECDH-RSA-AES128-GCM-SHA256 *
ECDH-RSA-AES256-CBC-SHA * * *
ECDH-RSA-AES256-CBC-SHA384 *
ECDH-RSA-AES256-GCM-SHA384 *
ECDH-RSA-DES-CBC3-SHA * * *
ECDH-RSA-RC4-SHA * * *
ECDHE-ECDSA-AES128-GCM-SHA256 *
ECDHE-ECDSA-AES128-SHA * * *
ECDHE-ECDSA-AES128-SHA256 *
ECDHE-ECDSA-AES256-GCM-SHA384 *
ECDHE-ECDSA-AES256-SHA * * *
ECDHE-ECDSA-AES256-SHA384 *
ECDHE-ECDSA-CHACHA20-POLY1305 * * *
ECDHE-ECDSA-DES-CBC3-SHA * * *
ECDHE-ECDSA-RC4-SHA * * *
ECDHE-RSA-AES128-GCM-SHA256 *
ECDHE-RSA-AES128-SHA * * *
ECDHE-RSA-AES128-SHA256 *
ECDHE-RSA-AES256-GCM-SHA384 *
ECDHE-RSA-AES256-SHA * * *
ECDHE-RSA-AES256-SHA384 *
ECDHE-RSA-CHACHA20-POLY1305 * * *
ECDHE-RSA-DES-CBC3-SHA * * *
ECDHE-RSA-RC4-SHA * * *
RC4-MD5 * * *
RC4-SHA * * *
RSA-PSK-AES128-CBC-SHA * * *
RSA-PSK-AES128-CBC-SHA256 *
RSA-PSK-AES128-GCM-SHA256 *
RSA-PSK-AES256-CBC-SHA * * *
RSA-PSK-AES256-CBC-SHA384 *
RSA-PSK-AES256-GCM-SHA384 *
RSA-PSK-DES-CBC3-SHA * * *
RSA-PSK-RC4-SHA * * *
SRP-DSS-AES128-CBC-SHA * * *
SRP-DSS-AES256-CBC-SHA * * *
SRP-DSS-DES-CBC3-SHA * * *
SRP-RSA-AES-128-CBC-SHA * * *
SRP-RSA-AES-256-CBC-SHA * * *
SRP-RSA-DES-CBC3-SHA * * *

Root Server Certificates

The following root server certificates are available to download for establishing secure connections with Murano IoT platform. The Exosite Root CA RSA 2048 certificate is self-signed therefore its expiration time is much longer.

Base Name Valid Until Download Link When to Use
Exosite Root CA RSA 2048 Jun. 13, 2058 .cer .crt When device cannot remotely replace its certificate. (eg. hardcoded firmware)
DigiCert Global Root CA Nov. 10, 2031 .cer .crt When device is an operating system with regular security updates (linux/IoS/Android/Windows). In such case you usually also don't need to download & install it.