Lightweight Establishment of Secure Session (LESS) on CoAP

Document Type Expired Internet-Draft (individual)
Last updated 2018-09-05 (latest revision 2018-03-04)
Stream (None)
Intended RFC status (None)
Expired & archived
plain text pdf html bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


Secure yet lightweight protocol for communication over the Internet for constrained node networks (CNN) is a pertinent problem. Constrained Application Layer Protocol (CoAP) mandates the use of Datagram Transport Layer Security (DTLS) for a secure transaction over CoAP. But DTLS is not a candidate technology for CNNs by design. The DTLS handshake overhead to establish the credentials for a session between two end-points in a CNN may not be resource efficient. There are ongoing efforts to secure one-time exchanges by ensuring object security at the application layer. But a composite standardized mechanism for resource-efficient end-to-end security credential establishment is much needed to cater both one-time exchanges as well as exchanges over a session. DTLS is essentially a combination of two operations: (1) the session protocol to establish the credentials (and this is the resource heavy part), (2) the record protocol to protect the information (this is the cryptographic part). This draft proposes to distribute the security responsibilities such that the session establishment happens in the application layer, leveraging the lightweight semantics of CoAP, and the record layer encryption happens by reusing the existing DTLS record-layer protocol. This way the proposed mechanism enables a resource-efficient session establishment mechanism besides reusing the existing DTLS encryption. Assuming a Pre-Shared Key (PSK) environment, this draft proposes an embedding of handshake for resource efficient end-to-end session establishment into CoAP. The session establishment procedure produces the necessary and sufficient inputs for seamless operation of the DTLS record-layer to secure the channel. Also, this mechanism ensures a direct security association between the end-applications for systems using middleboxes like proxies and/or gateways which may not be always trusted. The proposed approach provides a mechanism to securely traverse through such middleboxes through an end-to-end trusted channel.


Abhijan Bhattacharyya (
Tulika Bose (
Arijit Ukil (
Soma Bandyopadhyay (
Arpan Pal (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)