17  E3-E4: Transport Encryption

Prerequisites: E2: Device-to-Gateway Encryption

This enables: E5: Key Renewal | Zero-Trust Security

17.1 Learning Objectives

By the end of this chapter, you will be able to:

• Implement E3 Device-to-Cloud Encryption: Design end-to-end security that bypasses untrusted gateways
• Configure TLS 1.3 for IoT: Deploy industry-standard transport security with appropriate cipher suites
• Optimize TLS for Constrained Devices: Use session resumption and efficient cipher selection
• Avoid Common Pitfalls: Recognize and prevent unencrypted communications, certificate validation failures, and hardcoded credentials

In 60 Seconds

E3 and E4 transport encryption use TLS/DTLS to protect IoT data traveling from gateways to cloud services, with E4 extending full end-to-end encryption so no intermediate party can access the plaintext.

For Beginners: E3-E4: Transport Encryption

Transport layer security (TLS/DTLS) creates encrypted tunnels for IoT data traveling across networks. Think of it as an armored truck for your data – even if someone intercepts the truck on the highway, they cannot access the valuable contents inside. TLS protects data in transit between IoT devices and servers.

Sensor Squad: The Direct Line to the Cloud!

“What if the gateway is not trustworthy?” Sammy the Sensor whispered. “With E2, the gateway can read our data because it has the key. But E3 lets us bypass the gateway entirely and encrypt straight to the cloud!”

Max the Microcontroller explained, “Think of it like this: E2 is like mailing a letter to your friend through your neighbor – the neighbor handles the envelope. E3 is like sending a locked briefcase directly to your friend, and the neighbor just carries it without being able to open it. The gateway becomes a transparent relay.”

“TLS 1.3 is the latest and best transport encryption,” Lila the LED said. “It is faster than older versions because it needs fewer messages to set up a secure connection. For IoT, that means less time and energy spent on handshakes. And with session resumption, after the first connection, reconnecting is even faster!”

“But there are common mistakes to watch out for,” Bella the Battery cautioned. “Some developers disable certificate validation during testing and forget to re-enable it. Others hardcode encryption keys in the firmware. And some IoT products send data completely unencrypted because nobody thought to enable TLS! Always check that encryption is actually ON and properly configured, not just assumed.”

17.2 E3: Device-to-Cloud Direct Encryption

Time: ~10 min | Level: Intermediate | Unit: P11.C08.U04

E3 (Device-to-Cloud) encryption enables use of untrusted gateways by encrypting data directly from the device to the cloud platform. The gateway cannot decrypt the payload – it acts purely as a transparent packet forwarder.

Figure 17.1: Device to cloud encryption (E3)

Characteristics:

• Keys stored in cloud, not gateway
• Gateway acts as transparent forwarder
• AES-256 encryption
• Combined with E1
• MCU runs encryption libraries

Figure 17.2: E3 device-to-cloud direct encryption enabling untrusted gateway bypass where device encrypts data with cloud-only key

17.3 E4: Gateway-to-Cloud TLS

Time: ~10 min | Level: Intermediate | Unit: P11.C08.U05

Figure 17.3: Gateway to cloud encryption (E4)

Purpose: Secure gateway-to-cloud communication using industry-standard protocols.

Characteristics:

• SSL/TLS certificates
• HTTPS/SSH protocols
• Same security as online banking
• Typical combinations: E1+E2+E4 or E1+E3+E4

Figure 17.4: E4 gateway-to-cloud TLS encryption showing TLS handshake with certificate verification, cipher suite negotiation, and session key establishment

17.3.1 E4 Implementation Details

Protocol: TLS 1.3 (or TLS 1.2 minimum) with X.509 certificates

TLS Cipher Suites for IoT:

Cipher Suite	Security	Performance	IoT Suitability
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256	High	Excellent	Recommended
TLS_ECDHE_RSA_AES_128_GCM_SHA256	High	Good	Compatible
TLS_AES_256_GCM_SHA384	Very High	Good	TLS 1.3 only
TLS_CHACHA20_POLY1305_SHA256	High	Excellent	Low-power devices
TLS_RSA_AES_128_CBC_SHA	Moderate	Fair	Legacy only

Key Characteristics:

Aspect	Details
Authentication	X.509 certificates with PKI (Public Key Infrastructure)
Key Exchange	ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) for forward secrecy
Encryption	AES-128-GCM or ChaCha20-Poly1305 for bulk data
Integrity	SHA-256 or SHA-384 for message authentication
Certificate Validation	CA chain verification against trusted root certificates

E4 Configuration Example:

# OpenSSL-based TLS configuration for IoT gateway
openssl s_client -connect cloud.iot-platform.com:8883 \
  -CAfile /etc/ssl/certs/ca-certificates.crt \
  -cert gateway-cert.pem \
  -key gateway-key.pem \
  -tls1_3 \
  -ciphersuites 'TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256'

Security Properties:

• Industry Standard: Same security as HTTPS banking
• Forward Secrecy: Past sessions safe even if private key compromised
• Certificate Authentication: Verifies cloud server identity
• Widely Supported: Available in major IoT platforms (AWS IoT Core, Azure IoT Hub, HiveMQ)
• Requires PKI: Devices need certificate provisioning and management

17.4 Deep Dive: TLS 1.3 for IoT Gateways

TLS 1.3 Configuration for Constrained IoT Gateways

TLS 1.3 provides significant improvements over TLS 1.2 for IoT, but requires careful configuration on resource-constrained gateways.

TLS 1.3 Advantages for IoT:

Feature	TLS 1.2	TLS 1.3	IoT Benefit
Round trips	2 RTT	1 RTT	50% faster connection
0-RTT resumption	No	Yes	Instant reconnection
Cipher suites	37 options	5 options	Simpler configuration
Forward secrecy	Optional	Mandatory	Future-proof security
Handshake encryption	Partial	Full	Metadata protection

Minimal cipher suite configuration:

import ssl
import paho.mqtt.client as mqtt

def create_tls_context():
    """Configure TLS 1.3 for IoT gateway with optimal settings."""
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

    # TLS 1.3 only (most secure)
    context.minimum_version = ssl.TLSVersion.TLSv1_3
    context.maximum_version = ssl.TLSVersion.TLSv1_3

    # Prioritize efficient ciphers for constrained devices
    # ChaCha20 is faster on devices without AES-NI
    context.set_ciphers(
        'TLS_CHACHA20_POLY1305_SHA256:'  # Fast on ARM without AES-NI
        'TLS_AES_128_GCM_SHA256:'         # Standard, hardware accelerated
        'TLS_AES_256_GCM_SHA384'          # Maximum security
    )

    # Load CA certificates for server verification
    context.load_verify_locations(cafile='/etc/ssl/certs/ca-certificates.crt')

    # Mutual TLS: Load gateway certificate and private key
    context.load_cert_chain(
        certfile='/etc/gateway/certs/gateway.crt',
        keyfile='/etc/gateway/certs/gateway.key'
    )

    # Enable certificate verification
    context.verify_mode = ssl.CERT_REQUIRED
    context.check_hostname = True

    return context

# Apply to MQTT client
client = mqtt.Client()
client.tls_set_context(create_tls_context())
client.connect('iot.cloud-provider.com', port=8883)

Session resumption for battery efficiency:

import time

class TLSSessionCache:
    """
    Cache TLS session tickets for 0-RTT resumption.
    Reduces handshake from 2 RTT to 0 RTT on reconnection.
    """
    def __init__(self, cache_file='/var/cache/tls_sessions.db'):
        self.cache_file = cache_file
        self.sessions = {}

    def store_session(self, server_name, session_data):
        """Store session ticket after successful handshake."""
        self.sessions[server_name] = {
            'ticket': session_data,
            'timestamp': time.time(),
            'max_age': 7200  # 2 hour validity
        }
        self._persist_to_disk()

    def get_session(self, server_name):
        """Retrieve session for 0-RTT resumption."""
        if server_name in self.sessions:
            session = self.sessions[server_name]
            if time.time() - session['timestamp'] < session['max_age']:
                return session['ticket']
        return None

Memory footprint comparison:

TLS Library	Code Size	RAM Usage	Platforms
mbedTLS	60-100 KB	10-40 KB	ARM Cortex-M
wolfSSL	20-100 KB	1-36 KB	All
BearSSL	25-50 KB	25 KB	ARM, RISC-V
OpenSSL	500+ KB	100+ KB	Linux gateways

Recommendation: Use mbedTLS or wolfSSL for constrained gateways. Reserve OpenSSL for Linux-based edge devices with ample resources.

17.5 Common Pitfalls in Secure Communication

Even with encryption architecture knowledge, these common implementation mistakes undermine IoT security:

Common Pitfall: Unencrypted Communication (No TLS/DTLS)

The mistake: Transmitting data over unencrypted connections, often during development or due to misconfiguration.

Symptoms:

• Credentials visible in network packet captures
• Data interception possible with simple tools like Wireshark
• Man-in-the-middle attacks succeed without detection
• Compliance audit failures (GDPR, HIPAA, PCI-DSS)

Why it happens: Developers disable TLS during testing and forget to re-enable it. Some assume internal networks are “safe.” MQTT defaults to port 1883 (unencrypted) rather than 8883 (TLS).

How to diagnose:

1. Check connection port numbers (1883 = unencrypted MQTT, 8883 = TLS)
2. Use Wireshark to capture traffic and check for plaintext
3. Review connection code for tls_set() or equivalent calls
4. Check server logs for TLS handshake vs plain connections

The fix:

# WRONG: Unencrypted MQTT connection
client.connect("broker.example.com", port=1883)
client.username_pw_set("user", "password")  # Sent in clear text!

# CORRECT: TLS-encrypted MQTT
client.tls_set(
    ca_certs="ca.crt",
    certfile="device.crt",
    keyfile="device.key"
)
client.connect("broker.example.com", port=8883)

# CORRECT: HTTPS for REST APIs
import requests
requests.post("https://api.example.com/data", data=sensor_data)
# NOT: http://api.example.com/data

Prevention: Always use TLS/DTLS for transport. Verify server certificates (don’t disable verification). Use mutual TLS (mTLS) for device authentication. Block unencrypted ports at the firewall level.

Common Pitfall: Hardcoded Credentials in Firmware

The mistake: Embedding passwords, API keys, or certificates directly in source code or firmware binaries.

Symptoms:

• Mass device compromise from a single firmware leak
• Unable to rotate credentials without firmware update
• Firmware reverse engineering exposes all secrets
• All devices share identical credentials

Why it happens: It’s the simplest approach during prototyping. Developers underestimate how easy firmware extraction is. Production deadlines push security corners.

How to diagnose:

1. Search source code for string literals like “password”, “api_key”, “secret”
2. Use strings command on firmware binaries to find embedded credentials
3. Check if all devices use identical credentials
4. Review provisioning process documentation

The fix:

# WRONG: Credentials in source code
MQTT_USER = "admin"
MQTT_PASS = "secretpassword123"
API_KEY = "sk_live_abc123xyz"

# CORRECT: Read from secure storage provisioned at manufacturing
credentials = secure_element.get_credentials()

# CORRECT: Use device-specific certificates
client.tls_set(
    certfile=f"/secure/certs/{device_id}.crt",
    keyfile=f"/secure/certs/{device_id}.key"
)

# CORRECT: Provision unique credentials per device
def provision_device(device_id):
    unique_key = generate_device_key(device_id)
    secure_storage.store("api_key", unique_key)
    # Credentials never appear in source code

Prevention: Use secure element or TPM for credential storage. Implement secure provisioning during manufacturing. Use per-device unique credentials. Never store credentials in source code or configuration files.

Common Pitfall: Missing Input Validation on Device Commands

The mistake: Executing received commands or using input data without validation.

Symptoms:

• Command injection attacks succeed
• Device crashes from malformed or out-of-range input
• Unauthorized actions executed via crafted messages
• Security breaches through parameter manipulation

Why it happens: Developers trust the message source (especially if using TLS). Input validation is tedious and often skipped. Edge cases aren’t considered during development.

The fix:

# WRONG: Direct execution of received command
def handle_message(msg):
    exec(msg['command'])  # NEVER do this!

# WRONG: No validation of parameters
def set_temperature(msg):
    thermostat.set(msg['temp'])  # What if temp = 1000?

# CORRECT: Validate and sanitize all input
ALLOWED_COMMANDS = {'get_status', 'set_temp', 'reset', 'reboot'}
TEMP_MIN, TEMP_MAX = 10, 35  # Valid temperature range

def handle_message(msg):
    cmd = msg.get('command')

    # Whitelist check
    if cmd not in ALLOWED_COMMANDS:
        log.warning(f"Rejected invalid command: {cmd}")
        return error_response("Invalid command")

    if cmd == 'set_temp':
        temp = msg.get('temp')

        # Type check
        if not isinstance(temp, (int, float)):
            return error_response("Temperature must be a number")

        # Range check
        if not TEMP_MIN <= temp <= TEMP_MAX:
            return error_response(f"Temperature must be {TEMP_MIN}-{TEMP_MAX}")

        thermostat.set(temp)
        return success_response()

Prevention: Use allowlists for commands (not blocklists). Validate data types and ranges for all parameters. Sanitize string inputs before use. Implement rate limiting to prevent brute force. Never use eval() or exec() on external input.

Tradeoff: End-to-End Encryption vs Transport Encryption

Decision context: When designing IoT data protection, you must decide whether to encrypt data only during transport (hop-by-hop TLS) or maintain encryption from device to final destination (end-to-end).

Factor	Transport Encryption (E4 only)	End-to-End Encryption (E3)
Gateway Access	Gateway decrypts and re-encrypts	Gateway forwards opaque ciphertext
Trust Model	Must trust all intermediaries	Only trust endpoints
Processing at Edge	Gateway can filter, aggregate, transform	No edge processing possible
Complexity	Simpler (standard TLS termination)	More complex (key distribution to cloud)
Debugging	Easier (can inspect at gateway)	Harder (encrypted everywhere)
Compliance	Data exposed at multiple points	Stronger audit posture

Choose Transport Encryption (E4) when: Gateway performs value-add processing (aggregation, filtering), all infrastructure is under your control, debugging at intermediate points is required.

Choose End-to-End Encryption (E3) when: Data transits untrusted networks or third-party gateways, regulatory compliance requires data remain encrypted (HIPAA, GDPR), zero-trust architecture principles apply, high-value data (medical, financial, personal) is being transmitted.

Default recommendation: Implement both E3 and E4 as defense in depth.

17.6 Worked Example: E3+E4 Architecture for a Remote Patient Monitoring System

Scenario: A healthcare provider deploys 5,000 wearable health monitors in patients’ homes. Each device measures heart rate, SpO2, and ECG, transmitting data every 30 seconds through a home Wi-Fi gateway to an AWS cloud platform. HIPAA requires end-to-end encryption of all Protected Health Information (PHI). The provider does not control the home gateway (consumer router). Design the encryption architecture.

Step 1: Trust Model Analysis

Trust boundary assessment:
  Wearable device: TRUSTED (provider-controlled, secure element)
  Home Wi-Fi: UNTRUSTED (patient's consumer router)
  ISP network: UNTRUSTED (transit network)
  AWS IoT Core: TRUSTED (provider's cloud platform)
  Mobile app: SEMI-TRUSTED (patient's phone, can view own data)

Conclusion: Gateway (home router) is UNTRUSTED.
  -> E2 (device-to-gateway) is INSUFFICIENT (router decrypts PHI)
  -> E3 (device-to-cloud) is REQUIRED (router cannot decrypt)
  -> E4 (TLS to cloud) provides defense-in-depth

Step 2: E3 Implementation Design

E3 encryption (device to AWS IoT Core):
  Algorithm: AES-128-GCM (AEAD - authenticated encryption)
  Key exchange: ECDH P-256 via device X.509 certificate
  Key storage: ATECC608B secure element on wearable
  Key rotation: Every 24 hours via E5 renewal

E3 packet structure (per 30-sec reading):
  Patient pseudonym (not real ID): 16 bytes
  Timestamp: 4 bytes
  Heart rate + SpO2 + ECG summary: 48 bytes
  AES-GCM nonce: 12 bytes
  AES-GCM auth tag: 16 bytes
  Total: 96 bytes encrypted payload

E4 transport (DTLS 1.3 over UDP):
  Wraps E3 payload for network transport
  Uses separate TLS session key (defense-in-depth)
  If DTLS is stripped (MITM), E3 payload remains encrypted

Step 3: Performance Impact on Wearable

Energy per transmission cycle (Nordic nRF52840):
  E3 AES-128-GCM encrypt (96 bytes): 0.8 uJ
  DTLS 1.3 record layer: 0.3 uJ
  BLE transmission to phone (as relay): 33 uJ
  Wi-Fi transmission from phone: handled by phone battery

  Total device energy: 34.1 uJ per reading
  Readings per day: 2,880 (every 30 seconds)
  Daily energy: 2,880 x 34.1 uJ = 98,208 uJ = 98.2 mJ

  Wearable battery: 200 mAh x 3.7V = 740 mWh = 2,664 J
  Battery life (TX + encryption only): 2,664,000 mJ / 98.2 mJ = ~27,130 days
  (Real battery life much shorter due to sensing, MCU, display, etc.)
  Radio TX dominates: 33 uJ / 34.1 uJ = 97% of energy
  Encryption overhead: 3% of transmission energy

Step 4: HIPAA Compliance Verification

HIPAA Requirement	E3 Implementation	E4 Implementation	Combined
Encryption in transit (164.312(e)(1))	AES-128-GCM device-to-cloud	DTLS 1.3 transport layer	Two independent encryption layers
Access control (164.312(a)(1))	Per-device X.509 certificates	mTLS with AWS IoT	Mutual authentication at both layers
Audit trail (164.312(b))	Sequence numbers in E3 packets	DTLS session logging	Full provenance tracking
Integrity (164.312(c)(1))	GCM authentication tag	DTLS record MAC	Tamper detection at both layers
Key management (164.312(a)(2)(iv))	24-hour rotation via E5	TLS session resumption	Forward secrecy guaranteed

Result: The E3+E4 architecture ensures that even if a patient’s home router is compromised (malware, misconfiguration, or ISP-level interception), PHI remains encrypted with keys that only exist in the wearable’s secure element and AWS KMS. The encryption overhead (3% of transmission energy) is negligible, and the dual-layer design satisfies all HIPAA technical safeguards.

Key lesson: When the gateway is untrusted, E3 is not optional – it is the only architecture that provides true end-to-end confidentiality. E4 alone (TLS from gateway to cloud) leaves PHI exposed at the home router, which in a healthcare context creates both a HIPAA violation and a patient safety risk.

17.7 Concept Relationships

Concept	Depends On	Enables	Critical Distinction
E3 (Device-Cloud)	Pre-shared device-cloud key	Untrusted gateway use	E3 gateway cannot decrypt, E2 gateway can
E4 (Gateway-Cloud)	TLS/DTLS + certificates	Internet transport security	E4 protects only gateway-cloud leg
TLS 1.3	Certificate validation	1-RTT handshake	Faster than TLS 1.2 (50% fewer round trips)
Forward Secrecy (ECDHE)	Ephemeral key exchange	Past session protection	Static keys = past traffic at risk
Certificate Validation	Trusted CA roots	MITM prevention	Disabled validation = no security
Mutual TLS (mTLS)	Both client and server certs	Strong device authentication	Server-only TLS = device not authenticated

E3 vs E4: E3 = end-to-end (device-cloud), E4 = hop-by-hop (gateway-cloud). E3 prevents gateway access, E4 prevents internet MITM.

Putting Numbers to It: TLS Handshake Latency and Overhead

TLS handshake establishes a secure channel through asymmetric key exchange followed by symmetric session encryption.

\[T_{handshake} = T_{clientHello} + T_{serverHello} + T_{keyExchange} + T_{finished}\]

\[\text{Overhead}_{bytes} = \text{Header} + \text{Certificates} + \text{KeyMaterial} + \text{MAC}\]

Working through an example:

Given: IoT device connecting to cloud via TLS 1.3 with ECDHE-P256 key exchange, 1 KB certificate chain, 50 ms network RTT.

Step 1: Handshake round-trip calculation (TLS 1.3) - Flight 1: ClientHello (256 bytes) - Flight 2: ServerHello + Certificate + CertificateVerify + Finished (1,536 bytes) - Flight 3: Finished (64 bytes)

\[T_{TLS1.3} = 1\text{ RTT} = 50\text{ ms}\]

(Compare to TLS 1.2: 2 RTT = 100 ms)

Step 2: Cryptographic operations time (ESP32 @ 240 MHz) - ECDHE-P256 key generation: 8 ms - ECDSA certificate verification: 12 ms - Derive session keys (HKDF): 2 ms

\[T_{crypto} = 8 + 12 + 2 = 22\text{ ms}\]

Step 3: Total handshake time \[T_{total} = T_{network} + T_{crypto} = 50 + 22 = 72\text{ ms}\]

Step 4: Energy consumption (ESP32 @ 160 mA during TLS) \[E = P \times t = (3.3\text{V} \times 0.16\text{A}) \times 0.072\text{s} = 38\text{ mJ}\]

Result: TLS 1.3 handshake takes 72 ms and consumes 38 mJ. After handshake, AES-GCM session encryption adds only 0.05 mJ per message.

In practice: TLS handshake energy (38 mJ) equals ~760 AES-encrypted messages. For battery devices, use session resumption to amortize handshake cost across many messages, or maintain persistent connections.

viewof rtt_ms = Inputs.range([10, 200], {value: 50, step: 5, label: "Network RTT (ms)"})
viewof voltage_v = Inputs.range([1.8, 5.0], {value: 3.3, step: 0.1, label: "Supply voltage (V)"})
viewof current_a = Inputs.range([0.05, 0.5], {value: 0.16, step: 0.01, label: "TLS current draw (A)"})
viewof keygen_ms = Inputs.range([2, 30], {value: 8, step: 1, label: "ECDHE key generation (ms)"})
viewof certverify_ms = Inputs.range([5, 50], {value: 12, step: 1, label: "Certificate verification (ms)"})
viewof hkdf_ms = Inputs.range([1, 10], {value: 2, step: 1, label: "HKDF key derivation (ms)"})

tlsCalc = {
  const crypto_ms = keygen_ms + certverify_ms + hkdf_ms;
  const total_ms = rtt_ms + crypto_ms;
  const total_s = total_ms / 1000;
  const power_w = voltage_v * current_a;
  const energy_mj = power_w * total_s * 1000;
  const aes_msg_equivalent = Math.round(energy_mj / 0.05);

  const tls12_ms = (rtt_ms * 2) + crypto_ms;
  const tls12_energy_mj = voltage_v * current_a * (tls12_ms / 1000) * 1000;

  return html`<div style="background: linear-gradient(135deg, #f8f9fa, #e9ecef); padding: 1.2em; border-radius: 8px; border-left: 4px solid #16A085; font-family: system-ui, sans-serif;">
    <div style="font-weight: 600; color: #2C3E50; margin-bottom: 0.8em; font-size: 1.05em;">TLS 1.3 Handshake Energy Calculator</div>
    <table style="width: 100%; border-collapse: collapse; font-size: 0.95em;">
      <tr><td style="padding: 4px 8px;">Crypto operations time</td><td style="padding: 4px 8px; font-weight: 600;">${crypto_ms} ms</td></tr>
      <tr><td style="padding: 4px 8px;">TLS 1.3 total handshake</td><td style="padding: 4px 8px; font-weight: 600; color: #16A085;">${total_ms} ms</td></tr>
      <tr><td style="padding: 4px 8px;">TLS 1.2 total handshake (comparison)</td><td style="padding: 4px 8px; color: #7F8C8D;">${tls12_ms} ms</td></tr>
      <tr><td style="padding: 4px 8px;">Power during handshake</td><td style="padding: 4px 8px; font-weight: 600;">${power_w.toFixed(3)} W</td></tr>
      <tr style="background: rgba(22, 160, 133, 0.1);"><td style="padding: 4px 8px; font-weight: 600;">TLS 1.3 handshake energy</td><td style="padding: 4px 8px; font-weight: 700; color: #16A085;">${energy_mj.toFixed(1)} mJ</td></tr>
      <tr><td style="padding: 4px 8px;">TLS 1.2 handshake energy</td><td style="padding: 4px 8px; color: #7F8C8D;">${tls12_energy_mj.toFixed(1)} mJ</td></tr>
      <tr><td style="padding: 4px 8px;">TLS 1.3 savings vs 1.2</td><td style="padding: 4px 8px; font-weight: 600; color: #E67E22;">${(tls12_energy_mj - energy_mj).toFixed(1)} mJ (${((1 - energy_mj / tls12_energy_mj) * 100).toFixed(0)}%)</td></tr>
      <tr><td style="padding: 4px 8px;">Equivalent AES-GCM messages</td><td style="padding: 4px 8px;">${aes_msg_equivalent} messages @ 0.05 mJ each</td></tr>
    </table>
    <div style="margin-top: 0.6em; font-size: 0.85em; color: #7F8C8D;">Adjust sliders above to model different IoT devices and network conditions.</div>
  </div>`;
}

17.8 See Also

Prerequisites:

• E2: Device-Gateway Encryption - Understanding per-device keys
• Asymmetric Cryptography - Public-key crypto for TLS

Related Layers:

• E5: Key Renewal - Refreshing E3 session keys
• Security Properties - Defense-in-depth with all layers

Implementation:

• TLS/DTLS Configuration - Practical E4 setup
• Certificate Management - X.509 for E4
• Key Management - E3 key provisioning

Security:

• Zero-Trust Security - Why E3 matters
• Threat Modeling - Untrusted gateway scenarios

Label the Diagram

💻 Code Challenge

Order the Steps

Match the Concepts

17.9 Summary

This chapter covered E3 device-to-cloud and E4 gateway-to-cloud encryption:

• E3 Purpose: Enables use of untrusted gateways by encrypting directly to cloud with keys stored only in device and cloud
• E4 Purpose: Industry-standard TLS/DTLS protects gateway-to-cloud communication with certificate-based authentication
• TLS 1.3 Benefits: 1-RTT handshake, mandatory forward secrecy, 0-RTT resumption for battery efficiency
• Cipher Selection: ChaCha20-Poly1305 for devices without AES-NI hardware, AES-128-GCM for hardware-accelerated platforms
• Common Pitfalls: Unencrypted communications, hardcoded credentials, missing certificate validation, lack of input validation

17.10 Knowledge Check

Quiz: E3-E4: Transport Encryption

::

Key Concepts

• E3 (Gateway-to-Cloud): TLS/DTLS protecting data between an IoT gateway and cloud backend; the gateway decrypts and re-encrypts at this boundary.
• E4 (End-to-End): Encryption that spans from the end device to the cloud application, so no intermediate node (including the gateway) can read the plaintext.
• TLS Handshake: The negotiation phase at the start of a TLS session where parties authenticate each other and agree on cipher suites and session keys.
• Cipher Suite: A named combination of key exchange, authentication, encryption, and MAC algorithms negotiated during TLS handshake (e.g., TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256).
• Session Resumption: A TLS optimization that allows clients to reuse a previously negotiated session, reducing handshake overhead for reconnecting IoT devices.
• Certificate Pinning: Hardcoding the expected server certificate or CA fingerprint in device firmware to prevent man-in-the-middle attacks using fraudulent certificates.

::

17.11 What’s Next

If you want to…	Read this
Review link and device-layer encryption	E1/E2 Encryption Levels
Understand key lifecycle management	Key Renewal & Management (E5)
Study the full architecture overview	Encryption Architecture & Levels
Explore TLS/DTLS in depth	TLS and DTLS for IoT

Continue to E5: Key Renewal and Asymmetric Cryptography to learn how periodic key refresh using RSA/ECC provides long-term security and forward secrecy.

Related Chapters