IoT Security - Cryptography

May 28, 2019

Editor's Note: Securing the Internet of Things is critical not only for the integrity of data streams and software within each IoT application, but also for the integrity of the enterprise resources tied into those applications. IoT security is a complex problem, requiring a systematic approach for understanding possible threats and corresponding mitigation methods.


Adapted from Internet of Things for Architects, by Perry Lea.

Chapter 12. IoT Security
Encryption and secrecy are absolute requirements of IoT deployments. They are used for securing communication, protecting firmware, and authentication. Regarding encryption, there are generally three forms to consider:

  • Symmetric key encryption: Encryption and decryption keys are identical. RC5, DES, 3DES, and AES are all forms of symmetric key encryption.

  • Public key encryption: The encryption key is published for anyone to use to encrypt data; only the receiving party holds the private key used to decrypt the message. This is also known as asymmetric encryption. Asymmetric cryptography provides data secrecy, authenticates participants, and enforces non-repudiation. Well-known internet encryption and messaging protocols such as Elliptic Curve, PGP, RSA, TLS, and S/MIME are built on public-key cryptography.

  • Cryptographic hash: Maps data of an arbitrary size to a fixed-size bit string (called the digest). The hash function is designed to be "one way": the only way to find an input that produces a given digest is to try every possible input combination (it cannot be run in reverse). MD5, SHA1, SHA2, and SHA3 are all forms of one-way hashes. These are typically used for digital signatures such as signed firmware images, message authentication codes (MAC), or authentication. When hashing a short input like a password, the input may be too small to produce a strong digest; in that case a salt, a non-private string, is appended to the password to increase the entropy. Salting is part of a key derivation function (KDF):


Elements of cryptography. Here are the symmetric, asymmetric, and hashing functions. Note the key usage in symmetric and asymmetric cryptography. Symmetric has the requirement of using identical keys to encrypt and decrypt data. While faster than asymmetric encryption, the keys need to be secured.
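The salted-hash idea from the list above, written out as an added example in Go (chosen because its standard library covers hashing and AES for the rest of this chapter); this is not code from the book. The password, the 16-byte salt length and the device names are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// hashPassword returns SHA-256(salt || password) as a hex digest.
// The salt is random but not secret; it is stored beside the digest so that
// two devices with the same password still get different digests and a
// precomputed table of digests for common passwords is useless.
func hashPassword(password string, salt []byte) string {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return hex.EncodeToString(h.Sum(nil))
}

// newSalt draws 16 bytes from the operating system's CSPRNG.
func newSalt() []byte {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return salt
}

// verifyPassword recomputes the digest from the stored salt and compares it
// in constant time, so timing does not leak how many bytes matched.
func verifyPassword(password string, salt []byte, storedHex string) bool {
	computed := hashPassword(password, salt)
	return subtle.ConstantTimeCompare([]byte(computed), []byte(storedHex)) == 1
}

func main() {
	// Constructed sample: two devices shipped with the same default password.
	saltA, saltB := newSalt(), newSalt()
	digestA := hashPassword("admin1234", saltA)
	digestB := hashPassword("admin1234", saltB)
	fmt.Println("device A:", digestA)
	fmt.Println("device B:", digestB)
	fmt.Println("identical digests:", digestA == digestB) // false: the salts differ
	fmt.Println("correct password accepted:", verifyPassword("admin1234", saltA, digestA))
	fmt.Println("wrong password accepted:  ", verifyPassword("admin1235", saltA, digestA))
}
```

The digest is always 32 bytes (64 hex characters) regardless of input length, and two devices with the same password store different digests. A production KDF replaces the single SHA-256 pass with a deliberately slow function (PBKDF2, scrypt or Argon2); the salt handling is the same.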


Symmetric cryptography

In encryption, plaintext refers to the unencrypted input and the output is called ciphertext, as it is encrypted. The standard for encryption is the Advanced Encryption Standard (AES) which replaced older DES algorithms dating from the 1970s. AES is part of the FIPS specification and the ISO/IEC 18033-3 standard used worldwide. AES algorithms use fixed blocks of 128, 192, or 256 bits. Messages larger than the bit width will be split into multiple blocks. AES has four basic phases of operation during the cipher. The pseudo code for a generic AES encryption is shown here:

   // Pseudocode for an AES-128 cipher (FIPS-197 structure)
   // in:  128 bits (plaintext)
   // out: 128 bits (ciphertext)
   // w:   44 words, 32 bits each (expanded key); Nb = 4 columns of state
   state = in
   w = KeyExpansion(key)                  // Key expansion phase: derives the round keys from the cipher key
   AddRoundKey(state, w[0, Nb-1])          // Initial round
   for round = 1 step 1 to Nr-1           // Nr: 128-bit key = 10 rounds, 192-bit = 12 rounds, 256-bit = 14 rounds
       SubBytes(state)                     // S-box substitution: provides non-linearity in the cipher
       ShiftRows(state)                    // Rotates rows so columns are not encrypted independently, which would weaken the cipher
       MixColumns(state)                   // Transforms each column and adds diffusion
       AddRoundKey(state, w[round*Nb, (round+1)*Nb-1]) // Selects this round's subkey and XORs it with the state
   end for
   SubBytes(state)                         // Final round: no MixColumns
   ShiftRows(state)
   AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1])
   out = state

AES key lengths can be 128, 192, or 256 bits. Generally, the larger the key, the stronger the protection. The key size also sets the number of rounds, and so the CPU work, needed to encrypt or decrypt a block: a 128-bit key needs 10 rounds, a 192-bit key 12 rounds, and a 256-bit key 14 rounds.

Block ciphers represent encryption algorithms that are based on a symmetric key and operate on a single block of data. Modern ciphers are based on Claude Shannon's work on product ciphers in 1949. A cipher mode of operation is an algorithm that uses a block cipher and describes how to repeatedly apply a cipher to transform large amounts of data consisting of many blocks. Most modern ciphers also require an Initialization Vector (IV) to ensure distinct ciphertexts even if the same plaintext is entered repeatedly. There are several modes of operation such as:

  • Electronic Codebook (ECB): This is the most basic form of AES encryption, but it is used with other modes to build more advanced security. Data is divided into blocks and each is encrypted individually. Identical plaintext blocks produce identical ciphertext blocks, which makes this mode relatively weak.

  • Cipher Block Chaining (CBC): Each plaintext block is XORed with the previous ciphertext block before being encrypted.

  • Cipher Feedback Chaining (CFB): Similar to CBC but forms a stream cipher (the output of the previous cipher block feeds into the next). CFB depends on the previous block cipher output to provide input to the current cipher block being generated. Because of this dependency on previous ciphertext, CFB cannot be processed in parallel. Streaming ciphers allow for a block to be lost in transit while subsequent blocks recover from the damage.

  • Output Feedback Chaining (OFB): Similar to CFB, this is a streaming cipher but allows for error correcting codes to be applied before encryption.

  • Counter (CTR): Turns a block cipher into a stream cipher but uses a counter. The incrementing counter feeds each block cipher in parallel allowing for fast execution. The nonce and counter are concatenated together to feed the block cipher.

  • CBC with Message Authentication Code (CBC-MAC): A MAC (also known as tag or MIC) is used to authenticate a message and confirm the message came from the stated sender. The MAC or MIC is then added to the message for verification by the receiver.
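The ECB weakness and the CBC and CTR remedies from the list above, shown side by side as an added example in Go with crypto/cipher (not code from the book). Go ships no ECB mode, so the ECB loop is written out here to make the leak visible; the key, IV, nonce and the repeated telemetry record are constructed for the demo, and the CTR counter block is built as nonce(12) || counter(4) as the CTR bullet describes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// ecbEncrypt applies the block cipher to each 16-byte block independently,
// so equal plaintext blocks always give equal ciphertext blocks.
func ecbEncrypt(block cipher.Block, pt []byte) []byte {
	bs := block.BlockSize()
	ct := make([]byte, len(pt))
	for i := 0; i+bs <= len(pt); i += bs {
		block.Encrypt(ct[i:i+bs], pt[i:i+bs])
	}
	return ct
}

// cbcEncrypt XORs each plaintext block with the previous ciphertext block
// (the IV for the first one) before encrypting it.
func cbcEncrypt(block cipher.Block, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct
}

// ctrEncrypt builds the 16-byte counter block as nonce(12) || counter(4),
// starting at 1, encrypts successive counter blocks and XORs the keystream
// into pt. The same call decrypts, since XOR is its own inverse.
func ctrEncrypt(block cipher.Block, nonce []byte, pt []byte) []byte {
	iv := make([]byte, 16)
	copy(iv, nonce[:12])
	binary.BigEndian.PutUint32(iv[12:], 1)
	ct := make([]byte, len(pt))
	cipher.NewCTR(block, iv).XORKeyStream(ct, pt)
	return ct
}

// distinctBlocks counts the unique 16-byte blocks in a ciphertext; a value
// below the number of blocks means the mode is leaking plaintext structure.
func distinctBlocks(ct []byte) int {
	seen := map[string]bool{}
	for i := 0; i+16 <= len(ct); i += 16 {
		seen[string(ct[i:i+16])] = true
	}
	return len(seen)
}

func main() {
	block, err := aes.NewCipher(bytes.Repeat([]byte{0x11}, 16)) // constructed demo key
	if err != nil {
		panic(err)
	}
	// Constructed telemetry: the same 16-byte record repeated four times.
	pt := bytes.Repeat([]byte("temp=21.5C,ok;;;"), 4)
	iv := bytes.Repeat([]byte{0x22}, 16)    // constructed; must be unpredictable per message in practice
	nonce := bytes.Repeat([]byte{0x33}, 12) // constructed; must never repeat under one key
	fmt.Println("ECB distinct blocks:", distinctBlocks(ecbEncrypt(block, pt)), "of 4")
	fmt.Println("CBC distinct blocks:", distinctBlocks(cbcEncrypt(block, iv, pt)), "of 4")
	fmt.Println("CTR distinct blocks:", distinctBlocks(ctrEncrypt(block, nonce, pt)), "of 4")
}
```

ECB yields one distinct ciphertext block for the four identical records, while CBC and CTR yield four. The flip side of CTR is that reusing a nonce under the same key reproduces the same keystream, so nonce management is part of the mode's security, not an implementation detail.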


These modes were first constructed in the late 1970s and early 1980s and were advocated by the National Institute of Standards and Technology in FIPS 81 as DES modes. These modes provide encryption for the confidentiality of information but will not protect against modification or tampering. To do that, a digital signature is needed and the security community developed CBC-MAC for authentication. Combining CBC-MAC with one of the legacy modes was difficult until algorithms like AES-CCM were established, which provide both authentication as well as secrecy. CCM stands for Counter with CBC-MAC Mode.

CCM is an important encryption mode used to sign and encrypt data and is used in a plethora of protocols covered in this book including Zigbee, Bluetooth Low Energy, TLS 1.2 (after key exchange), IPSEC, and 802.11 Wi-Fi WPA2.

AES-CCM makes use of two ciphers: CBC and CTR. AES-CTR, or counter mode, is used for the general decryption of the incoming ciphertext stream. The incoming stream contains an encrypted authentication tag. AES-CTR decrypts the tag as well as the payload data; the "expected tag" is formed in this phase of the algorithm. The AES-CBC phase of the algorithm takes as input the decrypted blocks from the AES-CTR output and the original header of the frame. The data is encrypted; however, the only relevant output needed for authentication is the calculated tag. If the AES-CBC calculated tag differs from the AES-CTR expected tag, then the data may have been tampered with in transit.

The figure below illustrates an incoming encrypted stream of data that is both authenticated using AES-CBC and decrypted using AES-CTR. This ensures both the secrecy and authenticity of the origin of a message:


AES-CCM mode.
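The receive path described above (CTR-decrypt the tag and payload, recompute a CBC-MAC over header and decrypted payload, reject on mismatch), as an added example in Go. This is not the book's code and not any library's CCM: it combines AES-CTR and AES-CBC-MAC in the CCM pattern (lengths bound in a first block, counter 0 masks the tag, counters 1 upward encrypt the payload) but omits the RFC 3610 flag and length formatting, so it is an illustration of the mechanism rather than interoperable CCM; a product should use a vetted CCM or GCM implementation. The key, nonce, header and payload are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

const tagLen = 16

// pad16 zero-pads b up to a multiple of the AES block size.
func pad16(b []byte) []byte {
	if r := len(b) % 16; r != 0 {
		return append(append([]byte{}, b...), make([]byte, 16-r)...)
	}
	return b
}

// cbcMAC is the authentication half: AES-CBC with a zero IV over
// B0 (header and payload lengths) || header || payload, keeping the last block.
// Binding the lengths in B0 is what makes CBC-MAC safe for variable-length frames.
func cbcMAC(block cipher.Block, header, payload []byte) []byte {
	b0 := make([]byte, 16)
	binary.BigEndian.PutUint64(b0[:8], uint64(len(header)))
	binary.BigEndian.PutUint64(b0[8:], uint64(len(payload)))
	msg := append(append(b0, pad16(header)...), pad16(payload)...)
	mac := make([]byte, len(msg))
	cipher.NewCBCEncrypter(block, make([]byte, 16)).CryptBlocks(mac, msg)
	return mac[len(mac)-16:]
}

// ctrBlock builds the counter block as nonce(12) || counter(4).
func ctrBlock(nonce []byte, counter uint32) []byte {
	cb := make([]byte, 16)
	copy(cb, nonce[:12])
	binary.BigEndian.PutUint32(cb[12:], counter)
	return cb
}

// ctrXOR is the secrecy half: CTR keystream from counter 1 upward, XORed into data.
// Counter 0 is reserved for masking the tag, as in CCM.
func ctrXOR(block cipher.Block, nonce, data []byte) []byte {
	out := make([]byte, len(data))
	cipher.NewCTR(block, ctrBlock(nonce, 1)).XORKeyStream(out, data)
	return out
}

// maskTag XORs a tag with the keystream block for counter 0 (encrypts or decrypts it).
func maskTag(block cipher.Block, nonce, tag []byte) []byte {
	s0 := make([]byte, 16)
	block.Encrypt(s0, ctrBlock(nonce, 0))
	out := make([]byte, tagLen)
	for i := range out {
		out[i] = tag[i] ^ s0[i]
	}
	return out
}

// sealFrame returns ciphertext || encrypted tag; the header travels in the clear but is authenticated.
func sealFrame(key, nonce, header, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	tag := cbcMAC(block, header, payload)
	return append(ctrXOR(block, nonce, payload), maskTag(block, nonce, tag)...), nil
}

// openFrame CTR-decrypts the tag (the "expected tag") and the payload, recomputes
// the CBC-MAC over header || decrypted payload, and rejects the frame on mismatch.
func openFrame(key, nonce, header, frame []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(frame) < tagLen {
		return nil, errors.New("frame shorter than tag")
	}
	ct, encTag := frame[:len(frame)-tagLen], frame[len(frame)-tagLen:]
	expected := maskTag(block, nonce, encTag)
	payload := ctrXOR(block, nonce, ct)
	if subtle.ConstantTimeCompare(cbcMAC(block, header, payload), expected) != 1 {
		return nil, errors.New("authentication failed: frame may have been tampered with")
	}
	return payload, nil
}

func main() {
	key := bytes.Repeat([]byte{0x0f}, 16)   // constructed demo key
	nonce := bytes.Repeat([]byte{0xa5}, 12) // constructed; must never repeat under one key
	header := []byte("src=node7,dst=gw")     // constructed header, sent in the clear
	frame, _ := sealFrame(key, nonce, header, []byte("valve=open;pressure=3.1bar"))
	pt, err := openFrame(key, nonce, header, frame)
	fmt.Printf("intact frame: %s (err=%v)\n", pt, err)
	tampered := append([]byte{}, frame...)
	tampered[0] ^= 0x01 // one ciphertext bit flipped in transit
	_, err = openFrame(key, nonce, header, tampered)
	fmt.Println("flipped bit:", err)
	_, err = openFrame(key, nonce, []byte("src=node9,dst=gw"), frame)
	fmt.Println("altered header:", err)
}
```

A single flipped ciphertext bit, or a change to the cleartext header, changes the recomputed CBC-MAC and the frame is rejected before any of the decrypted payload is acted on; the receiver must discard the payload on failure rather than log or process it, and the tag comparison is constant-time so the check itself does not leak which bytes matched.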

One consideration for IoT deployments in a fully connected mesh is the number of keys necessary. For n nodes in a mesh that desire bidirectional communication, there are n(n-1)/2 keys, or O(n²).

