Device Authentication

Use the Golioth Firmware SDK for all Zephyr projects

The Golioth Zephyr SDK is deprecated. Please use the Golioth Firmware SDK. (Migration Guide)

TLS and DTLS are the basis of our device authentication service, and also of how the device authenticates the Golioth instance it connects to. The diagram below illustrates how the device's credentials (either an X.509 Certificate or a Pre-Shared Key pair) map to MbedTLS.

Device Authentication & Identity

At runtime, the device credentials are retrieved from non-volatile storage (or other persistent storage) and provided to the DTLS client. The client and server support both X.509 Certificates and PSK-based authentication.

Should I Use Certificate Authentication or PSK Authentication?

Generally speaking, certificate-based authentication is more secure and you should use it for your production devices. However, slower devices take a relatively long time to complete the handshake because of the Elliptic Curve Digital Signature Algorithm (ECDSA) operations that certificate authentication requires. For some resource-constrained MCUs (e.g., low clock speed), Pre-Shared Key authentication may be a better option. If you have questions, please reach out to our Developer Relations staff.

Related Material: