It is people like you who insist on slow, bloated implementations that only seem to work in reality, because on paper they look so hip and cool.
I insist to use something standard.
That is your prerogative, but why the heck would you even participate in a discussion that discusses non-standard solutions, then?
To try and force everyone to use the standards you prefer?
Like I said twice already, I'm only describing my preference. I tried to describe the reasons why: it is a well known technique, whose only drawback is that the shared secrets must be provided separately. It is the initial (connection-specific) key exchange in TLS that is slow and cumbersome; after the key exchange, TLS too uses a symmetric cipher. Thus, in my view, the obvious solution is to avoid the key exchange, by prearranging the shared secrets. This leaves just a lightweight authentication step for the handshake.
Just because something is standard, does not make it good or practical. Just because a standard is popular, does not mean it is the best option for all the cases where it is popular.
TLS
is best we have for transport layer (say, TCP/IP) security, but it isn't a magical bullet; and it isn't the best possible for all use cases.
The problem with that it is proprietory, not known, not documented, there is no way to easily interoperate with it. And with high level of assurance, it is not secure - although you might think it is. "Don't invent security" slogan exists for a reason.
First, it would be worth zero if it was proprietary. The entire idea is to use the same mechanism with lots of Arduino-style Ethernet-connected devices (I happen to love Teensies, and Teensy 4.1 has both native Ethernet support, and a nice Arduino/PlatformIO development support package, Teensyduino). Nothing about it is proprietary, and it is a well known technique.
To simplify, it is like TLS except that the costly public-key exchange (using either server public key, or
Diffie-Hellman key exchange) is avoided by pre-transferred secrets. The secrets themselves are never transferred encrypted or in plaintext; only the cryptographic hashes of (the/a) secret and random nonces are, to authenticate the other side. (I prefer separate passphrases and symmetric keys.) The authentication technique I'd use is the same as used for password hashing, although there might be even better, zero-knowledge ones, that would still be feasible with current MCUs.
Second, I've done server-side security stuff for a quarter of a century, and am well aware of the difficulty in implementing a "new" security solution. I am only a hobbyist with embedded devices, and an utter Uncle Bumblefuck when it comes to EE, but I know Unix/SuS/POSIX/Linux software development and especially server side stuff. That is, I know exactly how easy it is to do it badly by reinventing a square wheel;
I would not trust myself to design a new security scheme either. I am no cryptographer, I only know how to implement the schemes. The point is, this is not a "new" security solution at all. I'm old enough to have seen this pattern used before SSL and TLS became ubiquitous, and I happen to know that it still is used by parties who do not trust large integer factorization to be unfeasible, but do trust their physical site security.
(I do use TLS on the server side quite happily, but I do not use the
default Apache/Nginx configuration, for example. I can even point out the flaws in Apache SuExec mechanism that tend to bite people but are not mentioned in the official documentation, if you like.)
When a security community comes together and works out a good, documented, lightweight security standard & implementation for embedded systems - I'll gladly switch to it and forget about TLS.
That would be very nice indeed; I'd love that too.
I don't expect them to, though, because very few cryptography specialists understand the limitations of embedded systems, and how that affects the operations underlying the math. That is, most of them tend to be mathematicians, with not so good understanding about real-world programming: they do not intuitively grasp the details in computational cost. The few exceptions (like DJB, V. Rijmen, and J. Daemen) are rather well known, but getting them involved in something like this is a pipe dream.