NetX secure TLS handshake time

sabari1 · ‎2024-02-27

hi all,

I am trying to implement a TCP echo device on STM32U585 controller. here the TCP/IP communication is over ethernet as well as USB (CDC ECM). The communication channel is protected using TLS encryption.

here am using NetX stack as the TCP/IP stack and using the NetX secure for the TLS implementation's can able to establish a secure connection between the TLS client(my board) and server (OpenSSL server running on host PC).

the problem is when am using ECC ciphers(scep521r1) my TLS handshake is taking around 24 seconds and the same code when using RSA certificates taking max of 1 to 2 seconds.

am using self signed certificates created using the OpenSSL(for both RSA and ECC).while reading the documentation its mentioned that ECC is supporting the NetX secure. And am using the scep521r1 curve for creating the keys adn certificates.

am using the APIs as mentioned in the documentation

adding root ca certificate for the verification

ps:

am using chain of certificate for the authentication but even if we are using only 1 layer of certificate(server and root ca) also this problem is there.

can anyone help me to resolve this issue

many thanks ....

FBL · ‎2024-03-05

Hello @sabari1

Are you developing your own custom board? Have you tried this example STM32CubeU5/Projects/STM32U575I-EV/Applications/USBX/Ux_Device_CDC_ECM at c8fcb26ff629cf7c2a3b2c60e6121625eaa5ca2d · STMicroelectronics/STM32CubeU5 (github.com) as a starting point for CDC ECM using U575 Eval board?

To give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.

sabari1 · ‎2024-03-10

hi

yes i am creating my own custom board and i already implemented the CDC ECM,USB RNDIS and ethernet code for the communication taken reference from the ST given examples. when I was using plain communication without TLS everything works fine and even when am using TLS with RSA keys and certificates everything works perfectly fine but the same is not working when am using ECC certificates and keys .while using ECC certificates the TLS handshake is taking more than 24 second to complete the TLS handshake.

am using NETX Secure library stack with NETX stack for the TLS over TCP communication (from ST example) and this communication can be over the medium Ethernet and USB.

here my main task is to optimize the TLS handshake time when am using ECC certificates (with RSA certificate everything works fine).my doubt is the NETX secure stack is taking more time while processing with the ECC certificates.

if possible please provide proper guidance or some reference to use ECC with NETX Secure stack...

FBL · ‎2024-03-11

Hi @sabari1

Sorry, I couldn't find resources to be of further assistance. I wish I could have helped more.

To give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.

Jocelyn RICARD · ‎2024-03-11

Hello @sabari1 ,

ECC521 is quite demanding in term of CPU. Did you check with ECC-P256?

Best regards

Jocelyn

sabari1 · ‎2024-03-28

hi

I tried with secp256,secp384,secp521 the time consumption I different while using each one of them to complete the handshake.

secp256 ----> 1.5 sec

secp384----> 3 sec

secp521----> 10 sec

these are the the time consumption while using corresponding curves to complete the TLS handshake with only root CA and server certificate in picture.

since the final product is used in payment gateway we need to provide maximum security as possible so I need to use the secp521 curve.

stm32u585 supporting PKA, is there any way that I can use the PKA to accelerate the process. and one question is is Netx secure supports the hardware accelerators while processing the ECC.

or which the is the best way that i can use the ECC with secp521 with minimal handshake time in stm32u585 co ntroller.

any reference regarding this will be a great help for me

with regards sabarinath