IoT security is the area of endeavor concerned with safeguarding connected devices and networks in the Internet of Things. – TechTarget
What is IoT security? We often hear that we need to add security to our IoT devices to prevent intrusions, data theft, and denial of service attacks, but what exactly does that mean?
The first thing that comes to mind for most people when they think of IoT security is encryption. If you are one of those people, then don’t worry, you are not totally incorrect. Encryption is an important component of security, but it is just one part of the whole story. However, by itself, encryption does not provide security in the way that most people tend to think.
Security, like most things, has a curve of diminishing returns versus cost. What IoT requires is a good balance of reasonably strong security measures that are economical and massively scalable. With all this in mind, we need to layer three basic components into the design of IoT devices to provide robust security:
1) Encryption: Ensure that no one can intercept and read your messages
2) Authentication: Verify whom you are communicating with
3) Secure Storage: Ensure that no one can impersonate or spoof your IoT device by stealing its key
To fully comprehend what comprises security, let’s discuss what each component does and how they work together.
Encryption’s purpose is to prevent eavesdropping or interception of messages in transit. Forms of encryption have been around for millennia and were used throughout history to allow commanders, generals and kings to send coded messages to each other, but were also protected from an enemy in case the messenger was caught. This is a perfect example of symmetric key cryptography.
In these situations, these groups of important people knew and trusted each other and exchanged deciphering books ahead of time. If you had a code book, then you were a member of the trusted inner circle, and as a result, any message using the code book came from someone who was trusted.
This example illustrates why it’s important to realize that the encryption by itself does not verify identity of senders and recipients. Encryption simply prevents the interception of messages. The Allied code breakers of World War II could read German and Japanese battle plans because recipients were not authenticated and messages were broadcast. Although the messages were still encrypted, it did not provide adequate protection.
Today’s encryption methods are exponentially more difficult to break, but there are ways to set up encrypted sessions with parties over the Internet without knowing who they actually are. This is sometimes referred to as “anonymous Diffie-Hellman,” which I’ll talk about this more in future blog posts. It gives the veneer of security, but at the end of the day, you do not know whom you are communicating with.
Anonymous Diffie-Hellman is the very reason authentication is such a critical component of security. It’s not sufficient to prevent eavesdropping and interception of your messages. It’s also critical for you to know that the entity you are communicating with is, in fact, who they claim they are.
Digital certificates provide a very efficient and strong means of authentication and are issued from a reputable source, such as a company or government body. You can think of them as a digital identity card. The cryptographic signatures within the certificates cannot feasibly be forged or recreated unless you have the proper private key at the source. If the private key(s) were to be compromised, then malicious actors could sign data and no one would be able to tell what was real and trustworthy. This is why certificate authorities put so much emphasis on restricting access to the Root and signing keys for a particular ecosystem.
Security for private keys is almost Hollywood in nature. Retinal scanners, 24/7/365 video surveillance and live guards, air-gapped signing computers operating in Faraday cage rooms, multi-person authenticated access, etc…You get the idea! It’s serious business because if a private key ever got out, then the whole ecosystem based on that key collapses.
Security is a layered solution that if designed and implemented properly can be economical and strong enough to deter the vast majority of attacks. Requiring mutual authentication ensures that the server knows the origin and identity of the device, while at the same time the device knows that it is indeed giving information to an authorized server. Layering encryption on top of that prevents anyone from intercepting the messages between the device and server. Securely storing the private keys and credentials of all communicating entities makes it very difficult for someone to steal the identity of a trusted device to gain network access.
There are economical mass-market solutions in the market today that can address each one of these security layers so that even the smallest IoT end device can still have strong, layered security built-in by design. Using digital certificates from a pre-created ecosystem root for authentication with a secure crypto chip is inexpensive, fast and does not require a powerful microcontroller.
In my next blog, I’ll explain how to implement IoT security in a way that’s simple and economical. In the meantime checkout our other posts on IoT:
- Improving IoT Interoperability, Security for Connected Health
- Kyrio Offers Open Connectivity Foundation Certification for IoT Devices
For those whose business is connecting people, places and devices, Kyrio is the trusted and secure source for everything networkable. As a subsidiary of CableLabs, Kyrio is the most experienced and comprehensive security provider in the market. If you have any questions about IoT security, digital certificates, or launching an IoT connected product, contact us today to find out how we can help you secure your entire ecosystem and provide trusted connectivity for your products.