Encryption is often talked about as a fundamental component for Internet of Things security. Although encryption is certainly necessary, it is by itself insufficient to provide a proper level of meaningful security in network communications. If encryption does not provide sufficient security, what does?
Authentication vs Encryption
Encryption is an important part of any security solution, but it has a specific purpose: to prevent eavesdropping on transmissions. If you send data from one place to another, you do not want unauthorized people to intercept and read that data in transit. Modern encryption schemes, known as ciphers, are quite strong and effective at preventing interception of data transmissions.
However, encryption by itself lacks a critical capability: It is unable to verify whom you are communicating with.
If you cannot verify whom you are sending data to, encryption by itself becomes less meaningful. Even though people cannot eavesdrop on your transmissions, you may be communicating with an entity you were trying to avoid because their identity cannot be established with reasonable certainty.
The ability to exchange verifiable credentials and validate them is known as authentication. The two most common forms of cryptographic authentication are symmetric and asymmetric authentication.
Symmetric and Asymmetric Encryption
Symmetric authentication is fairly simple: The sender and receiver share the same key, and you can do a relatively simple random number challenge to determine whether the entity you are communicating with has the same key without actually transmitting any keys between you. Thus, for every entity you want to authenticate with, you have a unique symmetric key.
The problem with symmetric authentication is scalability: when the ecosystem becomes very large, managing the keys becomes difficult. If an ecosystem contains millions of members, you will need something that manages millions of keys, and soon key management becomes a complex and costly system to maintain.
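The random number challenge described above, sketched as an added example (not code from the original article). It assumes HMAC-SHA256 as the keyed function and uses constructed device ids and keys; the per-device key table is the store that has to grow with the ecosystem.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the verifier's key store, one unique key per device.
# In a real deployment this table has one entry for every member of the ecosystem.
KEY_STORE = {
    "sensor-001": secrets.token_bytes(32),
    "sensor-002": secrets.token_bytes(32),
}


def new_challenge() -> bytes:
    """Verifier side: a fresh random number, issued once and never reused."""
    return secrets.token_bytes(16)


def respond(device_key: bytes, device_id: str, challenge: bytes) -> bytes:
    """Device side: prove possession of the key by computing a keyed MAC over
    the challenge. Only the MAC crosses the network, never the key."""
    message = device_id.encode() + b"|" + challenge
    return hmac.new(device_key, message, hashlib.sha256).digest()


def verify(device_id: str, challenge: bytes, response: bytes) -> bool:
    """Verifier side: recompute the MAC with the stored key for the challenge
    it issued and compare in constant time. Unknown device ids are rejected."""
    key = KEY_STORE.get(device_id)
    if key is None:
        return False
    expected = respond(key, device_id, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    c1 = new_challenge()
    good = respond(KEY_STORE["sensor-001"], "sensor-001", c1)
    impostor = respond(secrets.token_bytes(32), "sensor-001", c1)  # guessed key
    c2 = new_challenge()
    return {
        "genuine": verify("sensor-001", c1, good),
        "wrong_key": verify("sensor-001", c1, impostor),
        "replayed": verify("sensor-001", c2, good),  # old response, new challenge
        "unknown_id": verify("sensor-999", c1, good),
    }


if __name__ == "__main__":
    print(demo())
```

Because each challenge is fresh, a response captured from an earlier exchange fails against the next challenge.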
Asymmetric authentication involves a system in which the sender and receiver have different keys. The two keys are mathematically related to each other and are generated in pairs. The private key is protected and is used to “sign” digital data. The public key is often included in what is called a digital certificate and is used to verify the signature on its certificate.
In the case of asymmetric authentication, only the signing (private) key needs to be protected. Authentication is accomplished when the public key verifies that the message was sent by the device holding the paired private key. The strength of a public key cryptography system depends on the impractical amount of computation required to derive the private key from its paired public key. This means that effective security only requires keeping the private key private; the public key can be openly distributed without compromising security.
Asymmetric Cryptography is the Foundation for Public Key Infrastructure
A common scenario is to use asymmetric private keys as signing authorities, or “certificate authorities” (CAs), and arrange them into a hierarchy that generates, signs and organizes digital certificates. This hierarchical security structure is referred to as public key infrastructure (PKI).
To learn more about how you can leverage asymmetric cryptography and PKI to secure Internet of Things (IoT) devices at scale, download my white paper, “Internet of Things Security: Implement a Strong, Simple & Massively Scalable Solution.”