5/6/2021
01:00 PM

Securing the Internet of Things in the Age of Quantum Computing

Internet security, privacy, and authentication aren't new issues, but IoT presents unique security challenges.

As industrial applications drive the next major growth phase of the Internet of Things (IoT), there are growing concerns about how the data that flows through its ecosystems is created, validated, protected, transported, shared, and analyzed. Cryptography is the foundation for addressing these issues, but many vendors concentrate on building market share by paring costs rather than implementing security. As a result, many IoT devices are inadequately protected from hacking, which threatens the security of the IoT ecosystem and other networks to which it connects.

Internet security, privacy, and authentication are not new issues, but IoT presents unique security challenges.

First, many IoT devices have limited processing power and memory, yet robust cryptography involves substantial computational power and needs memory to store temporary or permanent encryption keys.

One solution is to give every IoT device a unique and unclonable identifier by deriving it from the microscopic physical differences between silicon chips caused by manufacturing process variations across a wafer. Such an identifier can substitute for stored encryption keys, saving memory.
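As an added illustration (not code from the article or from any vendor), the sketch below shows one common way a noisy silicon fingerprint is turned into a stable key: a code-offset construction with a repetition code. The PUF is simulated with a seeded generator, all function names are hypothetical, and the public helper data is assumed safe to store in plain flash only because the simulated cells are unbiased.

```python
import hashlib
import random
import secrets

REP = 7           # PUF cells per key bit (repetition code, corrects 3 flips per block)
KEY_BITS = 128

def puf_read(chip_seed, flipped=()):
    """Simulated PUF read-out: a fixed per-chip pattern, with `flipped` cells
    modelling noise on this particular read. A real device reads silicon here."""
    chip = random.Random(chip_seed)       # stands in for manufacturing variation
    cells = [chip.getrandbits(1) for _ in range(REP * KEY_BITS)]
    for i in flipped:
        cells[i] ^= 1
    return cells

def derive_key(secret_bits):
    return hashlib.sha256(bytes(secret_bits)).digest()[:16]

def enroll(response):
    """Run once at manufacture. Returns (helper, key); only helper is stored."""
    secret = [secrets.randbits(1) for _ in range(KEY_BITS)]
    codeword = [bit for bit in secret for _ in range(REP)]
    helper = [c ^ r for c, r in zip(codeword, response)]
    return helper, derive_key(secret)

def reconstruct(response, helper):
    """Run at every boot: majority-vote each block to undo read noise."""
    noisy = [h ^ r for h, r in zip(helper, response)]
    secret = [int(sum(noisy[i:i + REP]) > REP // 2)
              for i in range(0, len(noisy), REP)]
    return derive_key(secret)

if __name__ == "__main__":
    helper, key = enroll(puf_read(chip_seed=1))
    noisy_read = puf_read(1, flipped=[0, 9, 20, 500])   # constructed noise pattern
    print("same chip, noisy read:", reconstruct(noisy_read, helper) == key)
    print("different chip:       ", reconstruct(puf_read(2), helper) == key)
```

The key itself never touches non-volatile memory: the device keeps only the helper data and regenerates the key from its own silicon on each boot.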

IoT devices with unique identifiers can communicate securely with cloud-based servers that carry out data analysis and decision-making within IoT ecosystems. However, it is critical that devices and servers can authenticate that they are communicating with legitimate members of their ecosystem. This is usually handled using digital signatures and public key infrastructure.

A central server protects the IoT network. Credit: Dr. Charles Grover

Digital signatures can also protect against denial-of-service (DoS) attacks, in which malicious actors prevent devices from working properly by creating a fake server to intercept signals sent by the device or by overloading the server using fake devices to issue fake requests. Since IoT networks contain many devices, they are vulnerable to DoS attacks.

IoT devices may be widely distributed and vulnerable to physical attacks. These can include side-channel attacks, which try to analyze how a security algorithm is performed to learn secret information about encryption keys. For example, a timing attack may try to exploit the fact that a key-generation algorithm may take varying amounts of time to run depending upon the key value generated. Perhaps it takes longer to write a 1 into memory than a 0, so analyzing how long it takes to store a key provides insights about the relative population of 0s and 1s within it. Power analysis is another option. If it takes more energy to write a 1 into memory than a 0, this may yield secret information.
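The write-cost leak described above can be modelled in a few lines, together with one standard countermeasure: storing each bit alongside its complement so the number of 1s written never changes. This is an added example, not taken from the article; the cycle counts are constructed figures and the function names are hypothetical.

```python
COST_WRITE_0 = 3   # assumed cycles to store a 0 bit (constructed figure)
COST_WRITE_1 = 5   # assumed cycles to store a 1 bit (constructed figure)

def bits_of(key):
    return [(byte >> i) & 1 for byte in key for i in range(8)]

def store_cycles(bits):
    """Leakage model: total cycles an observer sees while `bits` are written."""
    return sum(COST_WRITE_1 if b else COST_WRITE_0 for b in bits)

def naive_store(key):
    """Writes the key as-is, so cost tracks the number of 1 bits."""
    return store_cycles(bits_of(key))

def balanced_store(key):
    """Dual-rail encoding: every bit is followed by its complement, so each
    key bit always costs one 0-write plus one 1-write."""
    rails = [r for b in bits_of(key) for r in (b, b ^ 1)]
    return store_cycles(rails)

def weight_from_cycles(cycles, nbits):
    """What one naive measurement gives away: the count of 1 bits in the key."""
    return (cycles - nbits * COST_WRITE_0) // (COST_WRITE_1 - COST_WRITE_0)

def timing_varies(store_fn, keys):
    """Regression check for firmware tests: True if cost depends on key contents."""
    return len({store_fn(k) for k in keys}) > 1

if __name__ == "__main__":
    keys = [bytes(16), bytes.fromhex("0f" * 16), b"\xff" * 16]   # constructed keys
    for k in keys:
        print(k.hex()[:8], naive_store(k), balanced_store(k))
    print("naive leaks:   ", timing_varies(naive_store, keys))
    print("balanced leaks:", timing_varies(balanced_store, keys))
```

The balanced form doubles the storage cost, which is the kind of trade-off that matters on the memory-constrained devices discussed earlier.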

IoT fragmentation makes securing an ecosystem tougher. The silicon vendor building the chips must have access to and manage the information that needs to be embedded in each to enable it to find and access the intended IoT network. The device maker that uses these chips must ensure that it's properly implementing cryptographic tasks. IoT hub manufacturers and integrators must provide software for managing, collating, and parsing the data obtained by devices. These providers may also be responsible for managing authentication.

Many parties have access to an IoT ecosystem and the data flowing through it, but none take overall responsibility for security. Hiring third-party specialists to do that will not work if the scope of the task they are given isn't clearly defined.

Much current work is being driven by concerns that upcoming quantum computers may undermine or invalidate today's approaches. The resulting post-quantum cryptography (PQC) strategies may also have valuable properties for enabling IoT security.

In the quantum computing era, it's a challenge to handle encryption keys and digital signatures that are long enough to offer good security on devices with limited memory, power, and communications resources.

Digital signatures are vital for authentication between devices and servers. America's National Institute of Standards and Technology (NIST) is exploring technologies to replace today's approaches to digital signatures. A comparison with ECDSA, a standard approach used today, reveals the issue: To transmit a signature with 128 bits of security, ECDSA must send a public key of 256 bits and a signature of around 576 bits. The most compact PQC digital-signature strategy remaining in the NIST analysis uses an 896-byte public key and a 690-byte signature. In other words, the PQC implementation of a digital signature needs about 15 times more bandwidth than ECDSA, as well as more computation and more memory to store cryptographic keys.

Other PQC digital-signature schemes may emerge that use the same bandwidth as ECDSA. If not, IoT devices will have to rely on other ways to authenticate with servers, such as greater use of key-encapsulation mechanisms and pre-shared keys. NIST is also looking for PQC algorithms that are inherently less subject to physical attacks than those used today.
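To make the pre-shared-key alternative concrete, here is an added sketch (not from the article) of mutual challenge-response authentication between a device and a server. HMAC-SHA256, the nonce length, the message layout and all names are assumptions chosen for the example; the article does not specify a construction.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16

def tag(psk, role, device_id, n_server, n_device):
    """MAC over both nonces; `role` stops a device tag being reflected back
    to the device as if it were the server's answer."""
    msg = role + b"|" + device_id + b"|" + n_server + n_device
    return hmac.new(psk, msg, hashlib.sha256).digest()

class Server:
    def __init__(self, psk_table):
        self.psk_table = psk_table      # device_id -> pre-shared key
        self.pending = {}               # device_id -> outstanding challenge

    def challenge(self, device_id):
        self.pending[device_id] = secrets.token_bytes(NONCE_LEN)
        return self.pending[device_id]

    def verify(self, device_id, n_device, device_tag):
        """Returns the server's own tag on success, None on any failure."""
        n_server = self.pending.pop(device_id, None)   # single use: blocks replay
        psk = self.psk_table.get(device_id)
        if n_server is None or psk is None:
            return None
        expected = tag(psk, b"device", device_id, n_server, n_device)
        if not hmac.compare_digest(expected, device_tag):
            return None
        return tag(psk, b"server", device_id, n_server, n_device)

def device_respond(psk, device_id, n_server):
    n_device = secrets.token_bytes(NONCE_LEN)
    return n_device, tag(psk, b"device", device_id, n_server, n_device)

def device_accepts(psk, device_id, n_server, n_device, server_tag):
    """Device side: refuse to talk to a server that cannot prove it holds the key."""
    expected = tag(psk, b"server", device_id, n_server, n_device)
    return hmac.compare_digest(expected, server_tag)
```

Each side sends a 16-byte nonce and a 32-byte tag, compared with the 690-byte signature quoted above, at the price of the server having to hold every device's key.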

IoT security practitioners need to be aware of standardization processes and work out which PQC strategies will work within the constrained resources of IoT devices. NIST is exploring how robust the new algorithms will be to side-channel attacks and the issues relating to the bandwidth requirements of digital signatures in a post-quantum computing world. Today's signature schemes are too unwieldy, but ongoing work should help secure the IoT in the upcoming age of quantum computing.

Dr. Charlie Grover is a cryptography researcher at Crypto Quantique, where he is driving performance improvements in securely extracting entropy, or randomness, from Physical Unclonable Functions (PUFs) in CMOS semiconductors. His work is contributing to further development ...