Secure OCF-over-Thread is key to scalable IP based smart building IoT -

Secure OCF-over-Thread is key to scalable IP based smart building IoT

As Cascoda announced the first certified OCF-over-Thread module for secure IP-based mesh networks, we look at the why the technology is significant in addressing interoperability and security in smart building IoT.


Two areas of the internet of things (IoT) are quite well debated for smart homes and building automation: one is the multitude of standards creating interoperability challenges and inability to easily scale; the other is security.

Both these issues are what OCF-over-Thread aims to address. Developed by Cascoda, a manufacturer of IoT semiconductor solutions, OCF-over-Thread is a certifiable solution that simplifies the development of end-to-end products for smart home, and smart commercial buildings.  It offers built-in interoperability and scalable security controls for both large and small IoT applications. The OCF provides the secure application layer and Thread provides the low-power and scalable IPv6-based network layer protocol. Thread is built on open standards to create IEEE 802.15.4 mesh networks that can easily and securely connect thousands of devices.

OCF and Thread both address security and interoperability within the IoT, enabling seamless communications for both device-to-device and device-to-cloud. Thread’s mesh networks are reliable, with no single point of failure, provide immunity to interference, and will self-heal and reconfigure when a device is added or removed. Plus, all devices in a Thread network are authenticated and all communications are encrypted. With this foundation, the OCF-over-Thread solution supports encrypted communications between devices using public key infrastructure (PKI) for authentication and has inherent continuous vulnerability management systems for rapid responsiveness.

Certified IoT platform for secure large area IP-based mesh networks

The OCF-over-Thread solution was announced two years ago, and Cascoda had successfully configured OCF and Thread to work together through a thread border router (an IP-gateway based on OpenThread) and on ultra-low-power constrained IoT devices. Cascoda’s hardware includes a trusted execution environment (TEE), providing secure storage for the OCF PKI key and allowing only signed applications to run on the device. This is a key requirement for creating secure IoT hardware.

As a result of this work Cascoda has now released what it said is the first OCF-certified standards-based low power IoT module to support both IP (with Thread) PKI security (with OCF). Its certified platform is based on an open-source software development kit (SDK) and comprises the Chili2D module, the first to offer OCF’s secure IP framework and application layer, and Thread’s low-power and scalable IPv6-based network layer protocol; the required Thread IP router; and OCF cloud connectivity functionality.

Cascoda Chili2d+2s_with-FCC
Cascoda has now released what it said is the first OCF-certified standards-based low power IoT module to support both IP (with Thread) PKI security (with OCF). (Source: Cascoda)

The combination of platform features, including a root of trust (RoT), cryptographic acceleration and hardware tamper protection features, combined with the security features of OCF and Thread, have also enabled it to gain both European and UK IoT security attestation through the IASME ‘IoT Security Assured scheme’.  As a result, it aligns with OCF’s mission by enabling secure end-to-end IoT deployments that encompass device-to-device, device-to-cloud, and cloud-to-cloud without the privacy concerns of consumer-driven cloud-connected systems.

This development supports another key aim of OCF, which is to drive demand-side energy efficiencies in commercial building automation systems (BAS) and smart city infrastructure through migration to secure IP solutions.

It also represents a significant step towards achieving the vision of IP-BLIS – a market interest group, which brings together standards organizations including OCF, KNX, DALI, BACnet, Thread Group, and Connectivity Standards Alliance to support the adoption of a secure, multi-standard IP-based infrastructure.

The OCF considers the availability of the certified module as a milestone for OCF and for all IoT stakeholders who want to take advantage of the highest levels of security on low power IP-based mesh networks. The chair of OCF, Mark Trayer, commented, “Until now, this hasn’t been possible. Now, however, an opportunity has been unlocked for low power devices on mesh networks, and the services and applications they run, to leverage a chain of trust built on OCF’s public key infrastructure (PKI) to ensure secure end-to-end encryption over IP.”

He added, “This unleashes lots of potential for organizations wishing to scale deployments without limitation, while maintaining simple and secure network control. For example, a network initially built as part of a smart city scheme to control street lighting can be scaled up securely over time to add in other real-time public services, such as air quality or traffic monitoring. Permission-based access can be granted to different stakeholders, ensuring they can only see data from their own applications. We’re excited by the possibilities presented by this platform and applaud Cascoda for leading the way with this development.”

Bruno Johnson - Cascoda
Bruno Johnson

Bruno Johnson, CEO of Cascoda and OCF member, added, “By combining the unique advantages of OCF and Thread’s low power wireless networking protocol into this now certified IoT platform, we have opened up the possibility for battery and energy-harvester powered devices to be uniquely addressable over the internet, while allowing them to benefit from the most advanced level of IoT security. As a result, we have eliminated the cost and complexity of the gateway. This opens up significant opportunities for those planning smart building and smart city infrastructure, where highly secure services can now be delivered through low power, IP-based mesh networks, covering large areas.”

In an interview with, Johnson emphasized the significance. “Hacks are relatively common in IoT devices if the devices are not designed with security from the ground up. What we’ve done is to enable X 509 PKI security in an extremely small, low power M23 microcontroller, using open standards. It’s effectively offering the same grade of security you get in banking, but for IoT devices. The IoT device communicates securely, based on open standards, using a battery. That means manufacturers can put together an end-to-end cloud-based building management system very quickly and easily – and they can own the whole end-to-end system.”

The Cascoda module

The Chili2D module family from Cascoda is a fully-featured Thread-based wireless solution, using an Arm Cortex-M23 microcontroller. The microcontroller features 512kB of application flash and 96kB of on-chip SRAM, and runs using a clock frequency of 48 MHz.  Having only 96kB of RAM is an exceedingly strict constraint for the OCF application layer stack.

Thread is a low-power wireless IPv6 mesh network-layer protocol.  The core benefit of using Thread as opposed to Wi-Fi is that it enables low-cost, battery-powered devices.  Additionally, the self-forming, self-healing mesh network allows for robust deployment of networks containing hundreds of devices.

Since Thread is application-layer agnostic, the Chili2D is able to run multiple application layers over Thread simultaneously, in this case a Domain Name System (DNS) and a Simple Network Time Protocol (SNTP), alongside OCF.  The OCF application framework consists of the following layer-stack, as shown below:

OCF application framework
The OCF application framework. (Source: Cascoda)

OCF uses the Constrained Application Protocol (CoAP), an internet application protocol for constrained devices.  CoAP enables constrained devices to communicate with the wider internet by means of a REpresentational State Transfer (REST) interface common to most internet-connected applications.

This communication is secured with Datagram Transport Layer Security (DTLS), an internet communications protocol providing security for application-level messages.  DTLS facilitates public key infrastructure (PKI) for authentication, which uses certificates rather than an ID and password.  After a DTLS connection is established, all further communication is both authenticated and encrypted using the state-of-the-art advanced encryption standard (AES).

Since both Thread and OCF are IPv6 and User Datagram Protocol (UDP) based, the usage of OCF as an application protocol on top of Thread is a good match.

Related Contents:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.