avt-201611-avt-article8-v1

The Critical Need for Device Security in the Internet of Things

Ed Baca – Technical Marketing Engineer – Security, Avnet

Data is the foundation for enabling the Internet of Things (IoT) in terms of creating new value and optimizing performance in deployed systems. To achieve the desired results, developers have shifted their focus to capturing data, moving it efficiently through the system and utilizing it to anticipate and improve outcomes. The benefits of these outcomes include improved user experiences and enabling longer term prescriptive and predictive strategic analysis. This, in turn, drives innovation in the quest for profitable growth. Unfortunately, developers are not the only ones interested in this data. Hackers also desire this data for inappropriate, often illegal, purposes. The increasing number of data theft or manipulation events is hampering the realization of the growth potential IoT promises. At the root of many of these negative events are attacks on devices at the edge. According to the Online Trust Alliance (OTA) 100% of recently reported IoT vulnerabilities (were) easily avoidable[1]. Among the OTA’s recommendations thwarting the attacks on devices for the data they capture and transport is encryption. Encryption can be initiated within the device itself by integrating specific security components into the bill of materials or selecting processors that include encryption engines or the ability to be securely programmed.

keyDecrypting Encryption

Encryption is the process of converting a message into a scrambled code to ensure privacy, authenticity and security in the communication between two parties. Encryption can be facilitated by hardware or software. There are several types of encryption or means of implementing cryptographic algorithms. The most common methods are distinguished by how the algorithm used for scrambling, also known as a key, is shared between the parties involved in the communication. A single key shared between the sender and receiver is referred to as secure key encryption or symmetric encryption. An algorithm that uses separate keys for encryption and decryption is known as public key encryption or asymmetric encryption. Finally, an algorithm that encrypts a message that is not decrypted is known as a hash function. Each of these methods serves a unique purpose and there are several options for each type of algorithm. 

A common method for secure key encryption is the Advanced Encryption Standard (AES). This is frequently used for privacy and confidentiality. From an IoT perspective, a recent breakthrough in compressing the encryption computations has had a significant impact in reducing the energy consumption used for encryption[2]. Reducing energy consumption is critical for IoT edge devices such as sensors that are deployed for long periods of time and ideally require little to no maintenance over the life of the device.

Encryption is the process of converting a message into a scrambled code to ensure privacy, authenticity and security in the communication between two parties.

avt-201611-avt-secondary-cryptographyPublic key encryption is useful for verifying the identity of the sender and ensuring the message sent is from them. In an IoT application, this could be between nodes at the edge of the deployment and the gateway or from the gateway out to the nodes. Elliptic Curve Cryptography (ECC), a growing algorithm found in IoT devices, is an example of public key encryption. What makes ECC attractive to IoT developers is the low overhead required from a processing and memory standpoint. This aligns well with edge sensors that perform a specific set of control functions but very little processing or analysis. What makes ECC attractive is the utilization of shorter key strings as compared to other public key encryption options such as RSA. Developers should consider the trade-offs as this benefit could become a liability if the level of data protection is not sufficient. 

Hash algorithms are an encryption generated by the sender that are not decrypted and are used to validate that the content within a message has not been altered. The prevailing standard used for Hash algorithms is the Secure Hash Algorithm (SHA) and currently SHA-3 is the latest version being adopted. SHA-3 employs either a 256- or 512-bit character string and from an IoT device standpoint would be useful when the edge device has some processing capabilities that will require firmware updates or the delivery of software patches.

This general overview of device level encryption options will help to get started. Often across the edge to enterprise continuum of an IoT deployment, all three methods of encryption will be utilized. It’s important to work with an expert with knowledge and experience in developing secure systems. While the individual component in a system level solution may be secure, the passing of information between points in the system could become a vulnerable spot. Avnet’s field application engineers are trained on the latest security standards, understand the tradeoffs between cryptographic algorithm options and have experience integrating security across a system composed of disparate elements. For additional information about the various encryption methodologies and standards, please review Gary C. Kessler’s “An Overview of Cryptography” which covers the topic in great detail.

Integrating Encryption at the Device Level

avt-201611-avt-secondary-developer-2Once a developer has determined the right encryption strategy for their application, they have several options for how to go about integrating the functionality into their design. They can choose between device level implementations or selecting a commercial-off-the-shelf (COTS) motherboard in a variety of form factors. Design considerations include the nature of their device’s function in the system and the associated code that will be run, size and power constraints and the degree of integration in terms of other functionality to be delivered by the chip or board. Chip level solutions range from encryption co-processors that offload the security management from the main processor to microcontrollers and microprocessors that have integrated encryption engines to programmable devices that enable the highest degree of customization along with industry standard encryption resources. There are also co-processors, referred to as Trusted Platform Modules, which ensure the code used to start the system is always authentic. All of these devices have options for AES, ECC and SHA and in some cases offer more than one option for more complex security requirements. Once again, your Avnet field application engineer is well versed in all available options and is prepared to discuss your design requirements and help align the right selection to fit your needs and budget. We invite you to visit the following pages for additional details on the most current security components and boards available today; Infineon, Kontron, Microchip, Renesas and Xilinx.

Design considerations include the nature of their device’s function in the system and the associated code that will be run, size and power constraints and the degree of integration…

Conclusion

There is a competition in place for the data generated in an IoT deployment. The system developers and companies investing in the solution seek the data for increasing performance and profitability. On the other side, hackers want the data to be disruptive and exploitation for personal gain. Investing in an end-to-end security solution, especially for protecting vulnerable edge devices, is a wise choice and well worth the nominal cost of inclusion. Not only will this investment protect valuable data generated by the system but also the company’s reputation with customers and the market by avoiding the negative publicity a data breach causes. Determining the right approach to implementing encryption algorithms and the correct devices to enable the functionality is best done with a knowledgeable expert such as Avnet’s field application engineers. While encryption alone will not address all security concerns, it’s a great place to start especially when combined with system monitoring, firewalls and other security methods. To learn more about the complete range of security solutions and to get more details on encryption techniques, please visit Avnet’s It’s an IoT World.


DOWNLOAD THIS ARTICLE (PDF, 418k)