Editor's Note: Securing the Internet of Things is critical not only for the integrity of data streams and software within each IoT application, but also for the integrity of the enterprise resources tied into those applications. IoT security is a complex problem, requiring a systematic approach for understanding possible threats and corresponding mitigation methods.
Adapted from Internet of Things for Architects, by Perry Lea.
Chapter 12. IoT Security
By Perry Lea
Encryption and secrecy are absolute requirements of IoT deployments. They are used for securing communication, protecting firmware, and authentication. Regarding encryption, there are generally three forms to consider:
Symmetric key encryption : Encryption and decryption keys are identical. RC5, DES, 3DES, and AES are all forms of symmetric key encryption.
Public Key encryption : Encryption key is published publicly for anyone to use and encrypt data. Only the receiving party has a private key used to decrypt the message. This is also known as asymmetric encryption. Asymmetric cryptography manages data secrecy, authenticates participants, and forces non- repudiation. Well-know internet encryption and message protocols such as Elliptic Curve, PGP, RSA, TLS, and S/MIME are considered public keys.
Cryptographic hash : Maps data of an arbitrary size to a bit string (called the digest). This hash function is designed to be “one way”. Essentially, the only way to recreate the output hash is to force every possible input combination (it cannot be run in reverse). MD5, SHA1, SHA2, and SHA3 are all forms of one-way hashes. These are typically used to encode digital signatures such as signed firmware images, message authentication code s (MAC ), or authentication. When encrypting a short message like a password, the input may be too small to effectively create a fair hash; in that case, a salt or non-private string is appended to the password to increase the entropy. A salt is a form of key derivation function (KDF ):
click for larger image
Elements of cryptography. Here are the symmetric, asymmetric, and hashing functions. Note the key usage in symmetric and asymmetric cryptography. Symmetric has the requirement of using identical keys to encrypt and decrypt data. While faster than asymmetric encryption, the keys need to be secured.
In encryption, plaintext refers to the unencrypted input and the output is called ciphertext, as it is encrypted. The standard for encryption is the Advanced Encryption Standard (AES ) which replaced older DES algorithms dating from the 1970s. AES is part of the FIPS specification and the ISO/IEC 18033-3 standard used worldwide. AES algorithms use fixed blocks of 128, 192, or 256 bits. Messages larger than the bit width will be split into multiple blocks. AES has four basic phases of operation during the cipher. The pseudo code for a generic AES encryption is shown here:
Scroll or drag the corner of the box to expand as needed. ↑
|AES key lengths can be 128, 192, or 256 bits. Generally, the larger the key length the better the protection. The size of the key is proportional to the number of CPU cycles needed to encrypt or decrypt a block: 128 bit needs 10 cycles, 192 bit needs 12 cycles, and 256 bit needs 14 cycles.|
Block ciphers represent encryption algorithms that are based on a symmetric key and operate on a single block of data. Modern ciphers are based on Claude Shannon's work on product ciphers in 1949. A cipher mode of operation is an algorithm that uses a block cipher and describes how to repeatedly apply a cipher to transform large amounts of data consisting of many blocks. Most modern ciphers also require an Initialization Vector (IV ) to ensure distinct ciphertexts even if the same plaintext is entered repeatedly. There are several modes of operation such as:
Electronic Codebook (ECB) : This is the most basic form of AES encryption, but it is used with other modes to build more advanced security. Data is divided into blocks and each is encrypted individually. Identical blocks will produce identical ciphers which makes this mode relatively weak.
Cipher Block Chaining (CBC) : Plaintext messages Xored with the previous ciphertext before being encrypted.
Cipher Feedback Chaining (CFB) : Similar to CBC but forms a stream of ciphers (the output of the previous cipher feeds into the next). CFB depends on the previous block cipher to provide input to the current cipher being generated. Because of the dependency of previous ciphers, CFB cannot be processed in parallel. Streaming ciphers allows for a block to be lost in transit but subsequent blocks can recover from the damage.
Output Feedback Chaining (OFB) : Similar to CFB, this is a streaming cipher but allows for error correcting codes to be applied before encryption.
Counter (CTR) : Turns a block cipher into a stream cipher but uses a counter. The incrementing counter feeds each block cipher in parallel allowing for fast execution. The nonce and counter are concatenated together to feed the block cipher.
CBC with Message Authentication Code (CBC-MAC) : A MAC (also known as tag or MIC) is used to authenticate a message and confirm the message came from the stated sender. The MAC or MIC is then added to the message for verification by the receiver.
These modes were first constructed in the late 1970s and early 1980s and were advocated by the National Institute of Standards and Technology in FIPS 81 as DES modes. These modes provide encryption for the confidentiality of information but will not protect against modification or tampering. To do that, a digital signature is needed and the security community developed CBC-MAC for authentication. Combining CBC-MAC with one of the legacy modes was difficult until algorithms like AES-CCM were established, which provide both authentication as well as secrecy. CCM stands for Counter with CBC-MAC Mode.
|CCM is an important encryption mode used to sign and encrypt data and is used in a plethora of protocols covered in this book including Zigbee, Bluetooth Low Energy, TLS 1.2 (after key exchange), IPSEC, and 802.11 Wi-Fi WPA2.|
AES-CCM makes use of dual ciphers: CBC and CTR. AES-CTR or counter mode is used for the general decryption of the ciphertext stream flowing in. The incoming stream contains an encrypted authentication tag. AES-CTR will decrypt the tag as well as the payload data. An “expected tag” is formed from this phase of the algorithm. The AES-CBC phase of the algorithm tags as input the decrypted blocks from the AES-CTR output and the original header of the frame. The data is encrypted; however, the only relevant data needed for authentication is the calculated tag. If the AES-CBC calculated tag differs from the AES-CTR expected tag, then there is the possibility that the data was tampered with in transit.
The figure below illustrates an incoming encrypted stream of data that is both authenticated using AES-CBC and decrypted using AES-CTR. This ensures both the secrecy and authenticity of the origin of a message:
click for larger image
|One consideration for IoT deployments in a fully connected mesh is the number of keys necessary. For n nodes in a mesh that desire bidirectional communication, there are n(n-1)/2 keys or O(n 2 ) .|
Asymmetric cryptography is also called public key cryptography. Asymmetric keys are generated in pairs (encrypting and decrypting). The keys can be interchangeable meaning a key could both encrypt and decrypt, but that is not a requirement. The typical use, however, is to generate a pair of keys and keep one private and the other public. This section describes the three foundational public key cryptograms: RSA, Diffie-Hellman, and Elliptical Curves.
|Note that unlike symmetric key counts in a mesh where any node can communicate with any other node, asymmetric cryptography only requires 2n keys or O(n).|
The first asymmetric public key encryption method described is the Rivest-Shamir-Adleman algorithm, or RSA, developed in 1978. It is based on a user finding and publishing the product of two large prime numbers and an auxiliary value (public key). The public key can be used by anyone to encrypt a message but the prime factors are private. The algorithm operates as follows:
Find two large primes, p and q
n = pq
Public key : Choose an integer e so that 1
φ(n), e is coprime to φ(n); a typical value is 216 + 1 = 65537
Private key : Compute d to solve the congruence relation de ≡1 (mod φ(n))
Therefore, to encrypt a message using the public key (n,e) and to decrypt a message using the private key (n,d):
Encrypt : Ciphertext = (plaintext) e mod n
Decrypt : Plaintext = (ciphertext) d mod n
It is often the case that artificial padding is injected into m before encryption to avoid cases of short messages failing to produce good ciphertext.
Perhaps the best-known form of asymmetric key exchange is the Diffie-Hellman key exchange process (named after Whitfield Diffie and Martin Hellman). Typical of asymmetric cryptography is the notion of a Trapdoor Function which takes a given value A and produces an output B. However, trapdoor function B does not produce A.
The Diffie-Hellman method of key exchange allows two parties (Alice A and Bob B ) to exchange keys without any previous knowledge of any shared secret key s . The algorithm is based on the plaintext exchange of a starting prime number, p, and a prime generator. The generator g is a primitive root modulo p. Let Alice's private key be a and Bob's private key be b . Then, A=g a mod p and B=g b mod p. Alice computes the secret key as s=B a mod p and Bob computes the secret key as s=B a mod p.
In general, (g a mod p) b mod p = (g b mod p) a mod p :
click for larger image
Diffie-Hellman key exchange. The process begins with the plaintext exchange of an agreed upon prime and generator of prime. With an independent private key generated by Alice and Bob, the public keys are generated and sent in plaintext over the network. This is used to generate a secret key used for encryption and decryption.
The strength of this form of secure key exchange is generating a true random number for each private key. Even the slight predictability of a pseudo-random number generator (PRNG ) can lead to breaking the encryption. However, the principal issue is the lack of authentication which can lead to an MITM attack.
The other form of key exchange is Elliptic-Curve Diffie-Hellman (ECDH) and was proposed by Koblitz and Miller in 1985. It is based on the algebra of elliptic curves over a finite field. NIST has endorsed ECDH and the NSA allows ECDH for top-secret material using 384-bit keys. Elliptic Curve Cryptography (ECC ) shares these basic tenets regarding the properties of an elliptical curve:
Symmetric about the x-axis
A straight line will intersect the elliptic curve at no more than three points
The process of ECC starts with drawing a straight line from a given point on the edge towards MAX . A line is drawn from point A to B . A dot function is used to draw a line between two points and then to draw a line straight up (or down) from the new unlabelled intersection to its counterpart on the positive or negative y-axis. This process is repeated n times, where n is the key size.
This process is analogous to seeing the end results of a pool table after a ball has been hit and strikes the cushions many times. An observer seeing the ending location of the ball would have a difficult time determining where the original location of the ball was.
MAX corresponds maximum value on the x-axis, placing a limit on how far a vertex will stretch. If by chance the vertex is greater than MAX , the algorithm forces the value that would have extended beyond the MAX limit and sets a new point x-MAX distance away from the origin A. MAX is equivalent to the key size being used. A large key size results in more vertices being constructed and increasing strength of secrecy. Essentially this is a wrap around function:
click for larger image
Elliptical Curve Cryptography (ECC). Here is a standard elliptical curve on an x, y-axis. The process starts by following straight line paths from a given point A to a second point and locating the third new unlabelled intersection. A line is drawn to the opposite but identical y plane coordinate which now becomes a labeled entity. The process continues for n points which correspond to the key length.
Elliptical curves are becoming prevalent over RSA. Modern browsers are capable of supporting ECDH, which is the preferred method of authentication over SLL/TLS. ECDH is also found in Bitcoins, as we will see later, and several other protocols. RSA is only used now if an SSL certificate has a matching RSA key.
The other advantage is that the key lengths can be kept short and still have the same cryptographic strength as a legacy method. For example, a 256- bit key in ECC is equivalent to a 3072-bit key in RSA. The importance of this should be considered for constrained IoT devices.
The next article in this series will continue the discussion of cryptographic methods.
Reprinted with permission from Packt Publishing. Copyright © 2018 Packt Publishing
Perry Lea is a 27-year veteran in the technology industry and sees himself as a technologist, strategist, business developer, entrepreneur, researcher and inventor. Besides writing the book, Internet of Things for Architects, he holds more than 50 patents. He served as Chief Architect at Hewlett Packard, where he architected and steered the design of more than 60 product lines. He holds three engineering degrees and a post graduate degree from Columbia University.