Dark Reading is part of the Informa Tech Division of Informa PLC


IoT
5/6/2021
01:00 PM

Securing the Internet of Things in the Age of Quantum Computing

Internet security, privacy, and authentication aren't new issues, but IoT presents unique security challenges.

As industrial applications drive the next major growth phase of the Internet of Things (IoT), there are growing concerns about how the data that flows through its ecosystems is created, validated, protected, transported, shared, and analyzed. Cryptography is the foundation for addressing these issues, but many vendors concentrate on building market share by paring costs rather than implementing security. As a result, many IoT devices are inadequately protected from hacking, which threatens the security of the IoT ecosystem and other networks to which it connects.

Internet security, privacy, and authentication are not new issues, but IoT presents unique security challenges.


First, many IoT devices have limited processing power and memory, yet robust cryptography involves substantial computational power and needs memory to store temporary or permanent encryption keys.

One solution is to give every IoT device a unique and unclonable identifier by deriving it from the microscopic physical differences between silicon chips caused by manufacturing process variations across a wafer. Such an identifier can substitute for stored encryption keys, saving memory.

IoT devices with unique identifiers can communicate securely with cloud-based servers that carry out data analysis and decision-making within IoT ecosystems. However, it is critical that devices and servers can authenticate that they are communicating with legitimate members of their ecosystem. This is usually handled using digital signatures and public key infrastructure.

A central server protects the IoT network. Credit: Dr. Charles Grover

Digital signatures can also protect against denial-of-service (DoS) attacks, in which malicious actors prevent devices from working properly by creating a fake server to intercept signals sent by the device or by overloading the server using fake devices to issue fake requests. Since IoT networks contain many devices, they are vulnerable to DoS attacks.

IoT devices may be widely distributed and vulnerable to physical attacks. These can include side-channel attacks, which try to analyze how a security algorithm is performed to learn secret information about encryption keys. For example, a timing attack may try to exploit the fact that a key-generation algorithm may take varying amounts of time to run depending upon the key value generated. Perhaps it takes longer to write a 1 into memory than a 0, so analyzing how long it takes to store a key provides insights about the relative population of 0s and 1s within it. Power analysis is another option. If it takes more energy to write a 1 into memory than a 0, this may yield secret information.
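The leak described above can be shown with a simplified cost model. This is an added example, not code from the article or its author: the cost constants, function names and sample keys are assumptions, and the complement-pairing countermeasure is one textbook idea shown only under this model.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed cost model (constructed, not measured): storing a 1 bit takes
   more time/energy units than storing a 0 bit. */
#define COST_ZERO 2u
#define COST_ONE  3u

/* Simulated cost of writing one byte under the model above. */
static unsigned write_cost(uint8_t byte) {
    unsigned ones = 0;
    for (int i = 0; i < 8; i++) ones += (byte >> i) & 1u;
    return ones * COST_ONE + (8u - ones) * COST_ZERO;
}

/* Naive storage: bytes written as-is, so the total cost depends on how
   many 1 bits the key contains. */
unsigned store_plain(const uint8_t *key, size_t len, uint8_t *out) {
    unsigned cost = 0;
    for (size_t i = 0; i < len; i++) {
        out[i] = key[i];
        cost += write_cost(out[i]);
    }
    return cost;
}

/* Balanced storage: each byte is followed by its complement, so every
   pair holds exactly eight 1s and eight 0s. Uses twice the memory. */
unsigned store_balanced(const uint8_t *key, size_t len, uint8_t *out) {
    unsigned cost = 0;
    for (size_t i = 0; i < len; i++) {
        out[2 * i] = key[i];
        out[2 * i + 1] = (uint8_t)~key[i];
        cost += write_cost(out[2 * i]) + write_cost(out[2 * i + 1]);
    }
    return cost;
}

/* What the plain cost reveals to an observer: the count of 1 bits. */
unsigned ones_from_cost(unsigned cost, size_t len) {
    return (cost - (unsigned)(8 * len) * COST_ZERO) / (COST_ONE - COST_ZERO);
}

int main(void) {
    const uint8_t sparse[4] = {0x01, 0x00, 0x10, 0x00}; /* constructed sample keys, */
    const uint8_t dense[4]  = {0xFF, 0xFE, 0x7F, 0xFF}; /* not real key material    */
    uint8_t buf[8];
    printf("plain:    %u vs %u\n", store_plain(sparse, 4, buf), store_plain(dense, 4, buf));
    printf("balanced: %u vs %u\n", store_balanced(sparse, 4, buf), store_balanced(dense, 4, buf));
    return 0;
}
```

The doubled storage in the balanced version is the kind of memory cost that constrained IoT devices have to weigh against the leak.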

IoT fragmentation makes securing an ecosystem tougher. The silicon vendor building the chips must have access to and manage the information that needs to be embedded in each to enable it to find and access the intended IoT network. The device maker that uses these chips must ensure that it's properly implementing cryptographic tasks. IoT hub manufacturers and integrators must provide software for managing, collating, and parsing the data obtained by devices. These providers may also be responsible for managing authentication.

Many parties have access to an IoT ecosystem and the data flowing through it, but none take overall responsibility for security. Hiring third-party specialists to do that will not work if the scope of the task they are given isn't clearly defined.

Much work is being driven by concerns that upcoming quantum computers may undermine or invalidate today's approaches. These post-quantum cryptography (PQC) strategies may also have valuable properties for enabling IoT security.

In the quantum computing era, it's a challenge to handle encryption keys and digital signatures that are long enough to offer good security on devices with limited memory, power, and communications resources.

Digital signatures are vital for authentication between devices and servers. America's National Institute of Standards and Technology (NIST) is exploring technologies to replace today's approaches to digital signatures. A comparison with ECDSA, a standard approach used today, reveals the issue: To transmit a signature with 128 bits of security, ECDSA must send a public key of 256 bits and a signature of around 576 bits. The most compact PQC digital-signature strategy remaining in the NIST analysis uses an 896-byte public key and a 690-byte signature. In other words, the PQC implementation of a digital signature needs about 15 times more bandwidth than ECDSA, as well as more computation and more memory to store cryptographic keys.

Other PQC digital-signature schemes may emerge that use the same bandwidth as ECDSA. If not, IoT devices will have to rely on other ways to authenticate with servers, such as greater use of key-encapsulation mechanisms and pre-shared keys. NIST is also looking for PQC algorithms that are inherently less subject to physical attacks than those used today.

IoT security practitioners need to be aware of standardization processes and work out which PQC strategies will work within the constrained resources of IoT devices. NIST is exploring how robust the new algorithms will be to side-channel attacks and the issues relating to the bandwidth requirements of digital signatures in a post-quantum computing world. Today's signature schemes are too unwieldy, but ongoing work should help secure the IoT in the upcoming age of quantum computing.

Dr. Charlie Grover is a cryptography researcher at Crypto Quantique, where he is driving performance improvements in securely extracting entropy, or randomness, from Physical Unclonable Functions (PUFs) in CMOS semiconductors. His work is contributing to further development ...
 
