Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

// // //
01:00 PM
Connect Directly
E-Mail vvv

Securing the Internet of Things in the Age of Quantum Computing

Internet security, privacy, and authentication aren't new issues, but IoT presents unique security challenges.

As industrial applications drive the next major growth phase of the Internet of Things (IoT), there are growing concerns about how the data that flows through its ecosystems is created, validated, protected, transported, shared, and analyzed. Cryptography is the foundation for addressing these issues, but many vendors concentrate on building market share by paring costs rather than implementing security. As a result, many IoT devices are inadequately protected from hacking, which threatens the security of the IoT ecosystem and other networks to which it connects.

Internet security, privacy, and authentication are not new issues, but IoT presents unique security challenges.

Related Content:

3 Security Flaws in Smart Devices & IoT That Need Fixing

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: 10K Hackers Defend the Planet Against Extraterrestrials

First, many IoT devices have limited processing power and memory, yet robust cryptography involves substantial computational power and needs memory to store temporary or permanent encryption keys.

One solution is to give every IoT device a unique and unclonable identifier by deriving it from the microscopic physical differences between silicon chips caused by manufacturing process variations across a wafer. Such an identifier can substitute for stored encryption keys, saving memory.

IoT devices with unique identifiers can communicate securely with cloud-based servers that carry out data analysis and decision-making within IoT ecosystems. However, it is critical that devices and servers can authenticate that they are communicating with legitimate members of their ecosystem. This is usually handled using digital signatures and public key infrastructure.

A central server protects the IoT network. Credit: Dr. Charles Grover
A central server protects the IoT network. Credit: Dr. Charles Grover

Digital signatures can also protect against denial-of-service (DoS) attacks, in which malicious actors prevent devices from working properly by creating a fake server to intercept signals sent by the device or by overloading the server using fake devices to issue fake requests. Since IoT networks contain many devices, they are vulnerable to DoS attacks.

IoT devices may be widely distributed and vulnerable to physical attacks. These can include side-channel attacks, which try to analyze how a security algorithm is performed to learn secret information about encryption keys. For example, a timing attack may try to exploit the fact that a key-generation algorithm may take varying amounts of time to run depending upon the key value generated. Perhaps it takes longer to write a 1 into memory than a 0, so analyzing how long it takes to store a key provides insights about the relative population of 0s and 1s within it. Power analysis is another option. If it takes more energy to write a 1 into memory than a 0, this may yield secret information.

IoT fragmentation makes securing an ecosystem tougher. The silicon vendor building the chips must have access to and manage the information that needs to be embedded in each to enable it to find and access the intended IoT network. The device maker that uses these chips must ensure that it's properly implementing cryptographic tasks. IoT hub manufacturers and integrators must provide software for managing, collating, and parsing the data obtained by devices. These providers may also be responsible for managing authentication.

Many parties have access to an IoT ecosystem and the data flowing through it, but none take overall responsibility for security. Hiring third-party specialists to do that will not work if the scope of the task they are given isn't clearly defined.

Much work is being driven by concerns that upcoming quantum computers may undermine or invalidate today's approaches. These post-quantum cryptography (PQC) strategies may also have valuable properties for enabling IoT security.

In the quantum computing era, it's a challenge to handle encryption keys and digital signatures that are long enough to offer good security on devices with limited memory, power, and communications resources.

Digital signatures are vital for authentication between devices and servers. America's National Institute of Standards and Technology (NIST) is exploring technologies to replace today's approaches to digital signatures. A comparison with ECDSA, a standard approach used today, reveals the issue: To transmit a signature with 128 bits of security, ECDSA must send a public key of 256 bits and a signature of around 576 bits. The most compact PQC digital-signature strategy remaining in the NIST analysis uses an 896-byte public key and a 690-byte signature. In other words, the PQC implementation of a digital signature needs about 15 times more bandwidth than ECDSA, as well as more computation and more memory to store cryptographic keys.

Other PQC digital-signature schemes may emerge that use the same bandwidth as ECDSA. If not, IoT devices will have to rely on other ways to authenticate with servers, such as greater use of key-encapsulation mechanisms and pre-shared keys. NIST is also looking for PQC algorithms that are inherently less subject to physical attacks than those used today.

IoT security practitioners need to be aware of standardization processes and work out which PQC strategies will work within the constrained resources of IoT devices. NIST is exploring how robust the new algorithms will be to side-channel attacks and the issues relating to the bandwidth requirements of digital signatures in a post-quantum computing world. Today's signature schemes are too unwieldy, but ongoing work should help secure the IoT in the upcoming age of quantum computing.

Dr. Charlie Grover is a cryptography researcher at Crypto Quantique, where he is driving performance improvements in securely extracting entropy, or randomness, from Physical Unclonable Functions (PUFs) in CMOS semiconductors. His work is contributing to further development ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent t...
PUBLISHED: 2023-05-26
A vulnerability was found in libssh, where the authentication check of the connecting client can be bypassed in the`pki_verify_data_signature` function in memory allocation problems. This issue may happen if there is insufficient memory or the memory usage is limited. The problem is caused by the re...
PUBLISHED: 2023-05-26
Bottles before 51.0 mishandles YAML load, which allows remote code execution via a crafted file.
PUBLISHED: 2023-05-26
Nextcloud server provides a home for data. A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented a correct destruction of the session on logout if cookies were not cleared manually. After successfully authenticating with any other account the previous ses...
PUBLISHED: 2023-05-26
NSX-T contains a reflected cross-site scripting vulnerability due to a lack of input validation. A remote attacker can inject HTML or JavaScript to redirect to malicious pages.