PSK-TLS and TLS comparison: when to use what?
Posted by yadab das on March 31, 2008
I was reading the RFC for Pre-Shared Key Ciphersuites for Transport Layer Security (TLS), http://tools.ietf.org/html/rfc4279, and trying to work out when to use PSK-TLS and when to use certificate-based TLS.
It depends on two main aspects:
- What is the target environment?
- Who is going to use your solution?
These are the properties we should look at before we think about deploying:
- Does the target environment have enough CPU to perform the asymmetric (public/private key) cryptography of the initial handshake? On a 256 MHz processor, a new session establishment triggered in the middle of a critical task is not something you want, because such devices are usually dedicated to real-time work.
- Is it feasible to update or revoke certificates on the target environment?
- What is more important: availability or information security?
Now, when it comes to the end user of the solution: is it a web-browser-like application, a set of APIs that you will sell with TLS added to it, or a stand-alone application running on a small box?
For resource-constrained, controlled environments where certificate revocation is a pain and using a phony certificate is not allowed by IT security policy, it is always better to go with PSK-TLS, just like IPsec with pre-shared keys (which has also proven to work out nicely).
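As an added illustration (not code from the original post), here is how the plain PSK key exchange of RFC 4279 turns the shared symmetric key into TLS keying material, which is where the CPU saving comes from: no public-key operation, only a fixed byte layout and an HMAC-based PRF. The PRF used is assumed to be TLS 1.2's P_SHA256 from RFC 5246, and the PSK and random values are constructed sample data.

```python
import hashlib
import hmac
import struct
from typing import Tuple


def psk_premaster_secret(psk: bytes) -> bytes:
    """RFC 4279 section 2: uint16 N | N zero bytes | uint16 N | psk.

    The first half is the "other_secret" that DHE_PSK/RSA_PSK would fill
    with a Diffie-Hellman or RSA result; plain PSK leaves it as zeros.
    """
    if not psk or len(psk) > 0xFFFF:
        raise ValueError("PSK must be 1..65535 bytes")
    n = len(psk)
    return struct.pack("!H", n) + b"\x00" * n + struct.pack("!H", n) + psk


def parse_premaster_secret(pms: bytes) -> Tuple[bytes, bytes]:
    """Split a premaster secret into (other_secret, psk), checking lengths."""
    if len(pms) < 4:
        raise ValueError("premaster secret too short")
    (n,) = struct.unpack("!H", pms[:2])
    other = pms[2:2 + n]
    if len(other) != n or len(pms) < 4 + n:
        raise ValueError("malformed other_secret field")
    (m,) = struct.unpack("!H", pms[2 + n:4 + n])
    psk = pms[4 + n:4 + n + m]
    if len(psk) != m or 4 + n + m != len(pms):
        raise ValueError("malformed psk field")
    return other, psk


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_hash (RFC 5246 section 5) instantiated with HMAC-SHA256."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def master_secret(psk: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret both peers derive from the PSK and the hello randoms."""
    pms = psk_premaster_secret(psk)
    return p_sha256(pms, b"master secret" + client_random + server_random, 48)


def sides_agree(client_psk: bytes, server_psk: bytes, cr: bytes, sr: bytes) -> bool:
    """True only when both peers hold the same PSK (constructed randoms cr/sr)."""
    return master_secret(client_psk, cr, sr) == master_secret(server_psk, cr, sr)
```

A mismatched PSK is not detected here but at the Finished message, when the peers' verify_data computed under different master secrets fail to match.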
Yadab Das said
One important aspect I forgot to mention: usage of PKI infrastructure is really costly for resource-constrained devices. So TLS-PSK would be a perfect solution for such devices, where we can use symmetric keys.