DTLS with SSLEngine

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

DTLS with SSLEngine

Neil Madden
Is it possible to use Bouncy Castle for DTLS with the JSSE SSLEngine classes? As far as I can see the BCJSSE SSLContext only supports TLS protocols, not DTLS.

To give some context, I have an existing SSLEngine-based DTLS implementation that I now need to add support for CCM ciphersuites to, so I would like to leverage Bouncy Castle’s support for these ciphersuites without rewriting the whole thing to use the BC API directly. Is this possible?

Kind regards,

Neil
Reply | Threaded
Open this post in threaded view
|

Re: DTLS with SSLEngine

Peter Dettman-3
Hi Neil,
BCJSSE doesn't support DTLS, and likely won't for a long while.

If your existing implementation already supports GCM ciphersuites, then
adding support for CCM suites should be very simple; they behave in all
ways like the corresponding GCM(_SHA256) suite, excepting the actual
cipher underneath, with the _CCM_8 variants using a 64-bit tag instead
of 128.

So depending on how you are implementing your crypto, you would only
need to substitute CCMBlockCipher for GCMBlockCipher, or e.g.
"AES/CCM/NoPadding" for "AES/GCM/NoPadding".

Regards,
Pete Dettman


On 6/3/20 11:31 pm, Neil Madden wrote:
> Is it possible to use Bouncy Castle for DTLS with the JSSE SSLEngine classes? As far as I can see the BCJSSE SSLContext only supports TLS protocols, not DTLS.
>
> To give some context, I have an existing SSLEngine-based DTLS implementation that I now need to add support for CCM ciphersuites to, so I would like to leverage Bouncy Castle’s support for these ciphersuites without rewriting the whole thing to use the BC API directly. Is this possible?
>
> Kind regards,
>
> Neil
>


Reply | Threaded
Open this post in threaded view
|

Re: DTLS with SSLEngine

Neil Madden
Ok, good to know.

Sorry I wasn’t completely clear before. When I said I’d implemented DTLS I meant that I was using the OpenJDK SSLEngine implementation to add DTLS to a UDP-based protocol. I haven’t implemented DTLS from scratch (although it feels like it at times, the SSLEngine API is such a beast).

As far as I’m aware it’s not possible to add new ciphersuites to the JSSE SSLEngine, so I was hoping I could drop in the BC SSLEngine instead.

I will have a look at the BC DTLS lightweight API and see how much work it would be to adapt the existing code.

Thanks,

Neil

> On 7 Mar 2020, at 05:47, Peter Dettman <[hidden email]> wrote:
>
> Hi Neil,
> BCJSSE doesn't support DTLS, and likely won't for a long while.
>
> If your existing implementation already supports GCM ciphersuites, then
> adding support for CCM suites should be very simple; they behave in all
> ways like the corresponding GCM(_SHA256) suite, excepting the actual
> cipher underneath, with the _CCM_8 variants using a 64-bit tag instead
> of 128.
>
> So depending on how you are implementing your crypto, you would only
> need to substitute CCMBlockCipher for GCMBlockCipher, or e.g.
> "AES/CCM/NoPadding" for "AES/GCM/NoPadding".
>
> Regards,
> Pete Dettman
>
>
>> On 6/3/20 11:31 pm, Neil Madden wrote:
>> Is it possible to use Bouncy Castle for DTLS with the JSSE SSLEngine classes? As far as I can see the BCJSSE SSLContext only supports TLS protocols, not DTLS.
>>
>> To give some context, I have an existing SSLEngine-based DTLS implementation that I now need to add support for CCM ciphersuites to, so I would like to leverage Bouncy Castle’s support for these ciphersuites without rewriting the whole thing to use the BC API directly. Is this possible?
>>
>> Kind regards,
>>
>> Neil
>>
>
>