Performance of the Transport Layer Security Handshake Over 6TiSCH

This paper presents a thorough comparison of the Transport Layer Security (TLS) v1.2 and Datagram TLS (DTLS) v1.2 handshake in 6TiSCH networks. TLS and DTLS play a crucial role in protecting daily Internet traffic, while 6TiSCH is a major low-power link layer technology for the IoT. In recent years, DTLS has been the de-facto security protocol to protect IoT application traffic, mainly because it runs over lightweight, unreliable transport protocols, i.e., UDP. However, unlike the DTLS record layer, the handshake requires reliable message delivery. It, therefore, incorporates sequence numbers, a retransmission timer, and a fragmentation algorithm. Our goal is to study how well these mechanisms perform, in the constrained setting of 6TiSCH, compared to TCP’s reliability algorithms, relied upon by TLS. We port the mbedTLS library to OpenWSN, a 6TiSCH reference implementation, and deploy the code on the state-of-the-art OpenMote platform. We show that, when the peers use an ideal channel, the DTLS handshake uses up to 800 less and completes 0.6 s faster. Nonetheless, using an unreliable communication link, the DTLS handshake duration suffers a performance penalty of roughly 45%, while TLS’ handshake duration degrades by merely 15%. Similarly, the number of exchanged bytes doubles for DTLS while for TLS the increase is limited to 15%. The results indicate that IoT product developers should account for network characteristics when selecting a security protocol. Neglecting to do so can negatively impact the battery lifetime of the entire constrained network.