Security is a top concern for the Internet of Things, as essential as low power consumption, affordability, and wireless connectivity.
Because IoT devices are optimized for low power consumption and affordability, many have less than optimal computing resources. The good news is there are several options for using cryptography to make it more difficult for hackers to hijack your living room webcam, video doorbell or car.
The denial-of-service attack last October showed how cheap IoT devices that had no security--in many cases not even proper password protections--could be hacked to flood Web sites with traffic, shutting them down. In an increasingly connected future, consequences could include having water or electricity shut off, security systems disabled, or even loss of life for attacks on medical devices.
For the IoT, authentication ensures that devices are interacting with authorized gateways and cloud services and they in turn verify they are working with authentic IoT nodes. The sender will use a hashing algorithm and shared secret keys to generate a tag known as a message authentication code (MAC). The receiver performs the same hashing algorithm to decode the MAC and compare it with one stored locally.
The strength of the MAC depends on the strength of the hashing algorithm, the length of the key used and whether the key is shared secretly and stored securely. The current state-of-the-art hashing algorithm for cryptographic purposes is SHA-256 with 256-bit keys.
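A sketch of the MAC exchange described above, added here as an example and not taken from the original article: the node tags each frame with HMAC-SHA-256 under a 256-bit shared key, and the gateway recomputes the tag with its own copy of the key and compares the two. The frame layout, the `Gateway` class, the demo key and the message counter (which goes beyond the text, so that a captured frame cannot simply be resent) are assumptions for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                    # SHA-256 output size in bytes
HEADER = struct.Struct(">II")   # assumed layout: device id, message counter


def make_frame(key, device_id, counter, payload):
    """Node side: append an HMAC-SHA-256 tag computed over header and payload."""
    body = HEADER.pack(device_id, counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Gateway:
    """Receiver side: one 256-bit key per device plus the last counter accepted."""

    def __init__(self, keys):
        self.keys = dict(keys)
        self.last_counter = {}

    def verify(self, frame):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < HEADER.size + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        device_id, counter = HEADER.unpack_from(body)
        key = self.keys.get(device_id)
        if key is None:
            return None
        expected = hmac.new(key, body, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(expected, tag):
            return None
        # The counter is checked only after the tag, so forged frames cannot move it.
        if counter <= self.last_counter.get(device_id, -1):
            return None
        self.last_counter[device_id] = counter
        return body[HEADER.size:]


# Constructed sample data: a fixed demo key for illustration only.
DEMO_KEY = bytes(range(32))
DEMO_FRAME = make_frame(DEMO_KEY, 0x1001, 1, b"temp=21.5")
```

In a product the key would come from protected storage rather than a constant in the source, in line with the advice on key storage that follows.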
For sharing keys securely, either a secure channel can be used or a Diffie–Hellman key exchange over an insecure channel. Storing keys securely is another challenge, and it’s advisable to store them separately from application data and the data being authenticated. Properly equipped integrated chips can require a secure boot and secure firmware updates.
Encryption has been used for millennia. Ancient Greek generals passed messages to each other encoded on leather strips. To be read they had to be rolled around a scytale, a rod made to a secret diameter. Only a rod of the proper diameter would render the message correctly.
Today AES is the accepted standard to encrypt and decrypt our messages using digital keys. Symmetric key cryptography uses the same key to encrypt and decrypt the message, making it critical to keep the key secret. Asymmetric cryptography uses a shared, public key and a private key which is kept secret.
While asymmetric key cryptography has the benefit of added security over insecure channels, it’s more than 1,000 times more computationally expensive than symmetric key cryptography. Asymmetric cryptography can be used to establish a secure channel to exchange secret keys which can be used for subsequent symmetric methods. Alternatively, symmetric key cryptography used along with Diffie–Hellman key exchange is often secure enough for many embedded applications.
For IoT devices, hardware acceleration makes sense. Authentication chips or cryptographic co-processors can carry out sophisticated encryption and authentication efficiently in hardware, saving battery life and processor cycles. It takes more effort to secure any connected computing device, but in the long run, it’s the right thing to do.
--Lynnette Reese is a technical marketing manager and content team lead at Mouser Electronics.