CyberWisdom Safe Harbor Commentary: PKI myths of the Internet of Things
Although PKI has had many successes, it also has its critics. Still, I firmly believe that PKI is the direction in which IoT security is heading. Let me make the case by dispelling some of the common misconceptions about PKI for the Internet of Things.
Myth #1: PKI cannot be expanded to protect billions of IoT devices
Fact: Scaling PKI for the Internet of Things is not about scaling an enterprise PKI solution, and IoT PKI does not necessarily need to scale the public CA infrastructure either. IoT devices today are mostly deployed in closed private ecosystems or in hybrid, semi-closed ecosystems. Some PKI vendors have already shown how a PKI ecosystem can be scaled to issue and manage billions of device certificates.
Myth #2: PKI cannot shrink to run and protect constrained IoT devices
Fact: Here we are really talking about the technology underlying PKI, namely asymmetric cryptography. It is true that the asymmetric cryptographic operations in a TLS handshake are both time- and computation-intensive. With the advent of elliptic curve cryptography (ECC), however, ECC keys are increasingly used as the root of IoT device identities.
A 256-bit ECC key provides the same cryptographic strength as a 3072-bit RSA key at a lower cost: it needs fewer CPU cycles and a smaller memory footprint, giving a reported 200% improvement in SSL certificate processing speed. ECC support is now common across operating systems, SSL libraries and cryptographic software stacks. As a result, constrained IoT devices can more easily generate their own private keys, perform verification operations and stay secure while using less CPU and memory, which saves energy. This is especially important for battery-powered devices.
The other aspect is protocol support. IoT protocols are being standardized: Enrollment over Secure Transport (EST) carried over the Constrained Application Protocol (CoAP), and the Lightweight Machine-to-Machine (LwM2M) protocol, are increasingly used by IoT devices, and both support PKI natively.
Myth #3: PKI is not applicable because of the heterogeneity of IoT devices
Fact: As of today, hundreds of millions of cable boxes, ATMs, mobile LTE base stations, TV receivers and smart meters have deployed digital certificates as the core of their identity. Admittedly, there are still few PKI standards written specifically for IoT devices. As a result, device manufacturers and architects draw heavily on IT standards, usually from the IEEE 802.x family. The Internet of Things is still the Internet, so many management standards for PCs, mobile devices and servers can be adapted to IoT devices with little change.
In IT, this kind of work is done by bodies such as the CA/Browser Forum (CA/B). For IoT no such body exists, so industry alliances are adopting standards for their own vertical, producing vertically integrated IoT security solutions in which PKI is usually the technology of choice for establishing device identities.
Another point in PKI's favour is that it fits into the device architecture like a Swiss Army knife. Most IoT device manufacturers include (or should include) a hardware-based root of trust (RoT) in their devices. This can be a Trusted Platform Module (TPM), a physically unclonable function (PUF), or another secure microcontroller (MCU) or security chip. These chip vendors are actively developing and/or integrating cryptographic stacks into their products so that they can be used with device certificates, or at least with asymmetric cryptography (public/private key pairs). This ensures that the chip holds its own private identity, while the device certificate forms the public identity.
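To make the two ideas above concrete (an ECC key as the root of a device identity, and a device certificate as the public half of that identity), here is a small, self-contained Go program added to this commentary; it is not code from the original article or from any PKI vendor. It builds a private ECDSA P-256 root for a closed IoT ecosystem, enrolls a device the way EST does (the device generates its own key pair and sends only a signed CSR, so the private key never leaves the device or its secure chip), and then verifies the issued certificate the way a cloud IoT hub would. The function names (newDeviceCA, enrollDevice, verifyDevice), the CA name and the device ID "meter-0001" are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl for public key pub with the signer's key and parses the result.
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newDeviceCA creates a private ECDSA P-256 root for a closed IoT ecosystem.
// A 256-bit ECC key gives strength comparable to RSA-3072 at far lower cost.
func newDeviceCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key) // self-signed root
	return cert, key, err
}

// enrollDevice models EST-style enrollment: the device generates its own key pair and
// hands over only a signed CSR; the CA checks proof of possession and issues a client cert.
func enrollDevice(deviceID string, caCert *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stays on the device / in the TPM
	if err != nil {
		return nil, nil, err
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: deviceID}}, devKey)
	if err != nil {
		return nil, nil, err
	}
	// CA side: from here on only the CSR is visible, never devKey.
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, nil, err
	}
	if err := csr.CheckSignature(); err != nil { // requester really holds the private key
		return nil, nil, fmt.Errorf("csr signature: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, err := issue(tmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	return cert, devKey, nil
}

// verifyDevice is what an IoT hub or gateway does when a device presents its
// certificate: chain it to the ecosystem root and require the client-auth usage.
func verifyDevice(cert, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	caCert, caKey, err := newDeviceCA("Example Meter Root CA") // constructed name
	if err != nil {
		panic(err)
	}
	cert, key, err := enrollDevice("meter-0001", caCert, caKey, 2) // constructed device ID
	if err != nil {
		panic(err)
	}
	foreign, _, _ := newDeviceCA("Some Other Root CA") // a CA outside the ecosystem
	fmt.Printf("%s: P-%d key, own CA ok=%v, foreign CA ok=%v\n", cert.Subject.CommonName,
		key.Curve.Params().BitSize, verifyDevice(cert, caCert) == nil, verifyDevice(cert, foreign) == nil)
}
```

The last line of main shows the point of the exercise: the same certificate verifies against the ecosystem's own root and is rejected against any other root, which is exactly the closed or semi-closed trust model the text describes. On real hardware, devKey would be generated inside the TPM or secure MCU and the CSR signed there, so the rest of the flow is unchanged.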
Myth #4: PKI does not enjoy the same ecosystem in the Internet of Things as it does in IT.
Fact: This is partly true, but only because there is no such thing as a mature IoT ecosystem yet. Looking at product trends, all the major public cloud providers now offer IoT platforms. Amazon Web Services (AWS) IoT, Microsoft Azure IoT Hub, Google Cloud IoT Core and ARM Mbed Cloud are some of the largest PaaS offerings that also provide IoT device management. All of these vendors need some kind of unique identity to connect each IoT device, and their primary choice is the device certificate. All of them also support a "bring your own certificate authority" (BYOC) program, which lets device manufacturers plug their chosen PKI vendor into these cloud platforms.
Myth #5: PKI will not be able to withstand the quantum age of computing
Fact: Although there is a lot of discussion on this topic, there is no consistent answer yet. Quantum computing is not universally understood, and its applications even less so. Although there have been breakthroughs in computing speed, including claims that ECC keys could be broken with ease, the fact remains that there is little evidence of when and how this will be achieved in practice, and it may or may not significantly affect PKI technology in the future. Advances in cryptographic research will hopefully produce post-quantum algorithms that mitigate the future risk.
Looking to the future: PKI + blockchain
Blockchain is a potentially revolutionary technology that will disrupt many of today's technologies. While explaining what blockchain is and its potential impact is beyond the scope of this article, we can certainly discuss its impact on PKI.
Many claim that blockchain, with its distributed and decentralized design, will spell the end of centralized trusted third parties such as certificate authorities. I do not agree with this view. I believe that blockchain and PKI are very complementary and that together they can address many of the shortcomings of each technology. The blockchain's distributed ledger is a good storage mechanism: it is immutable, and therefore a good candidate for PKI certificate transparency (CT) logs and revocation lists. It is replicated across multiple nodes and can therefore be used more easily by edge IoT devices.
Finally, we can use blockchains to form a peer-to-peer trust network, similar to today's WWW. However, the first blockchain, Bitcoin's, relies on the anonymity of participants, while identity is at the core of any IoT ecosystem: the identification, classification, grouping and management of IoT devices is a basic system requirement. We will therefore see hybrid architectures that use PKI for device credentials and blockchain for transaction and record management.
In addition, we will see PKI systems gain blockchain interfaces, and the two will merge into a joint device ecosystem management solution. This is where I see the market and the technology going: for IoT blockchains to succeed, they must rely on PKI.
At the turn of the century there was talk of next-generation technologies that would eventually replace decades-old PKI. Yet today we have vendors like Google driving the conversion of all sites to certificate-protected domains. Disruptors like blockchain will rely on PKI to meet device identity requirements. Cryptography researchers will propose new post-quantum algorithms. One thing is certain: the PKI we know today will change and evolve. But it is here to stay for a long time.
A long, long time ago, nearly 4,000 years, in a land far, far away, ancient cryptography was born. The place? Egypt. It is there that historians believe the technique was invented by priests as a character substitution for hieroglyphics. Then in Greece, it is believed the ancient Spartan military also relied on cryptography, though it's not clear whether it was used for encryption, authentication or to avoid bad omens. One certainly wonders! Engaging post. Read More…
thumbnail courtesy of helpnetsecurity.com.
If you would like to receive more of these curated Safe Harbor news alerts, subscribe to my mailing list, and come back soon to https://www.safeharboroncyber.com/Blog/ to read further CyberWisdom Safe Harbor Commentaries.