The IoT shines the security spotlight on PKI
John Grimm, Thales e-Security
John Grimm, Senior Director, Thales e-Security
From smartphones to connected cars to smart cities, The Internet of Things (IoT) is transforming the ways that we live and work. ZK Research reports that the IoT will have 50 billion endpoints by 2020. Billions of connected devices like sensors, meters, actuators and other types of devices that can be attached to any object or person will be capable of connecting to the network, sharing information and taking instructions.
These “things” will sense and deliver more data, respond to control inputs and provide more information to help people and machines make decisions. Examples include IPTV cameras in major metropolitan areas, sensor grids for earthquake detection and crop-growing water detection systems, smart meters that communicate energy consumption, assembly line robots that automate factory floor operations and smart transportation systems that adapt to traffic conditions. These are all computing systems that are Internet-connected and operate with no human intervention.
However, security concerns are casting clouds in the sunny skies of the IoT.
Public key infrastructure (PKI) has been behind the scenes, playing a “quiet” security role for two decades, issuing credentials used to perform strong authentication, validating integrity of transactions, and securely exchanging keys used to ensure confidentiality of communications between systems and devices. For this reason and others, the security challenges presented by the IoT is causing a resurgence of interest in PKI.
Security Concerns on a Whole New Scale
In the IoT, security is comprised of the twin components of trust and control.
This is hard to achieve on the grand and diverse scale of IoT, but one thing is clear: cryptography—done properly—is going to play a central role in making it happen. Of course, crypto and PKI technologies are nothing new and have already been proven in large-scale systems like the global payments network and the SSL/TLS fabric we use every day. However, securing the IoT brings some new challenges that might force us to rethink traditional assumptions around key management and the potential security threats.
In infrastructure systems fitted with IoT devices, the machine-to-machine communication of environmental and other readings will enable simple decisions such as which control valve to turn on or off, or when to shut off someone’s electricity. These devices must provide trustworthy information, sometimes directly to the user and sometimes to the infrastructure provider (such as an energy utility) often employing data analytics that span millions of such devices taking system-wide decisions. Users, service providers or even regulators need to be sure that they are talking to the correct device (authentication), that the device is functioning properly and has not been tampered with (integrity), is configured correctly (access control and policy setup), and that data is protected when at rest, in use, or in motion (confidentiality).
That’s a tall order, to be sure. The devices themselves can be out on the front line, in hostile environments, or may not have been built to do what is now being asked of them. The networks they communicate over can be untrusted and difficult to secure. Additionally, back-end systems and data repositories where information is aggregated, analyzed and decisions taken are also an attractive target. There’s certainly the threat of a homeowner cheating the electric company, that’s nothing new, but the sheer scale of IoT creates a new set of threats. Under the control of malicious insiders or hacktivists, thieves or terrorists, the IoT could quickly become the Internet of listeners or the army of things.
IoT Breathes New Life Into PKI
If the IoT is to succeed long-term, it will require Internet-scale secure communications, high-integrity messaging and mutual, strong authentication. Having secured network-connected devices for decades, digital certificates issued by a PKI are well situated from a technology perspective to serve as an online identity for those things. PKI has performed well for years in trusted environments where hundreds of millions of device certificates have been deployed for ATMs, cellular base stations and smart phones. While the things in the IoT have much in common with such devices, they do raise some new issues around assurance, scale and technology.
The primary issue is that there is a distinction regarding assurance and validation
between public PKI applications and private or closed PKI applications. Common PKI applications such as email security and even SSL often require a level of public trust – the ability for anyone to validate the assurance claims made by the PKI based credentials, such as certificates. This requires the ability to equip all potential receivers to test the claims of all potential senders and even harder, to revoke the ability to make claims if trust is lost. In many ways the situation in IoT can be easier because some IoT deployments don’t need public trust – they are closed systems. For instance, if a certificate in a vehicle is used only to communicate telemetry data back to the manufacturer, no other third party needs to rely on that certificate or the PKI that issued it. Furthermore, revocation checking and online validation may no longer be required since the organization in control may have other means to know the status of its own devices in the network and won’t need to rely on checking the status of credentials of the device itself.
Another issue surrounds scale – remember those 50 billion projected endpoints?
Although PKI deployments certainly exist that have the ability to manage millions of certificates, most operate at levels that are significantly smaller. The magnitude of many IoT deployments will make systems with tens or even hundreds of millions of credentials commonplace. The good news is that many of these devices’ deployments will be relatively static, credentials will have relatively long lifecycles and changes might be rare – but in very large systems, even a relatively small change can be an operational nightmare.
Technology is the third issue. In contrast to connected devices—like ATMs, servers and smartphones—and traditional PKIs, the IoT will be populated by extremely low power and low budget devices – saving microwatts of power or cents to bill will be a big deal. Traditional cryptography is not designed for these environments. Cryptography is mathematically intensive and that requires CPU power. Another related problem is credential generation. Making good keys (just special random numbers) is not easy and making them in high volumes, for example on a production line, can quickly become a bottleneck. Again, the good news is that crypto algorithms designed for low power devices and rapid key generation already exist and have been widely proven. Generally falling into the category of elliptic curve cryptography (ECC), this technology is rapidly growing in terms of availability.
Old Dog, New Tricks
The IoT is a world of wonders in many ways, improving quality of life and work not just in developed nations but across the globe. However, it also challenges traditional assumptions about key management in light of impending security threats. Like many innovations, adjustments must be made to accommodate the evolving threat landscape as well as the impending surge of connected devices that will require certificates.
If ever there were a high-assurance problem child, the IoT is it. Fortunately, PKI has a proven track record of using hardware security modules and prudent security practices to help solve such problems. Though this new, multi-billion-endpoint environment will shake up current thought on key and certificate management, digital certificates and the PKIs that manage them are an established method that can scale and adapt to meet the security needs of the Internet of Things.
About the Author:
John Grimm has over 25 years of experience in the information security field, starting as a systems and firmware engineer building secure cryptographic key distribution systems for government applications, and progressing through product management, solution development, and marketing leadership roles. He received his bachelor's degree in electrical engineering from Worcester Polytechnic Institute in Worcester, Mass., and is a member of Tau Beta Pi, the engineering honor society.