IoT Security – Cryptography
Editor's Note: Securing the Internet of Things is critical not only for the integrity of data streams and software within each IoT application, but also for the integrity of the enterprise resources tied into those applications. IoT security is a complex problem, requiring a systematic approach for understanding possible threats and corresponding mitigation methods.
Adapted from Internet of Things for Architects, by Perry Lea.
Chapter 12. IoT Security
By Perry Lea
Cryptography
Encryption and secrecy are absolute requirements of IoT deployments. They are used for securing communication, protecting firmware, and authentication. Regarding encryption, there are generally three forms to consider:

Symmetric key encryption : Encryption and decryption keys are identical. RC5, DES, 3DES, and AES are all forms of symmetric key encryption.

Public Key encryption : Encryption key is published publicly for anyone to use and encrypt data. Only the receiving party has a private key used to decrypt the message. This is also known as asymmetric encryption. Asymmetric cryptography manages data secrecy, authenticates participants, and forces non repudiation. Wellknow internet encryption and message protocols such as Elliptic Curve, PGP, RSA, TLS, and S/MIME are considered public keys.

Cryptographic hash : Maps data of an arbitrary size to a bit string (called the digest). This hash function is designed to be “one way”. Essentially, the only way to recreate the output hash is to force every possible input combination (it cannot be run in reverse). MD5, SHA1, SHA2, and SHA3 are all forms of oneway hashes. These are typically used to encode digital signatures such as signed firmware images, message authentication code s (MAC ), or authentication. When encrypting a short message like a password, the input may be too small to effectively create a fair hash; in that case, a salt or nonprivate string is appended to the password to increase the entropy. A salt is a form of key derivation function (KDF ):
click for larger image
Elements of cryptography. Here are the symmetric, asymmetric, and hashing functions. Note the key usage in symmetric and asymmetric cryptography. Symmetric has the requirement of using identical keys to encrypt and decrypt data. While faster than asymmetric encryption, the keys need to be secured.
Symmetric cryptography
In encryption, plaintext refers to the unencrypted input and the output is called ciphertext, as it is encrypted. The standard for encryption is the Advanced Encryption Standard (AES ) which replaced older DES algorithms dating from the 1970s. AES is part of the FIPS specification and the ISO/IEC 180333 standard used worldwide. AES algorithms use fixed blocks of 128, 192, or 256 bits. Messages larger than the bit width will be split into multiple blocks. AES has four basic phases of operation during the cipher. The pseudo code for a generic AES encryption is shown here:
// Psuedo code for an AES128 Cipher
// in: 128 bits (plaintext)
// out: 128 bits (ciphertext)
// w: 44 words, 32 bits each (expanded key)
state = in
w=KeyExpansion(key) //Key Expansion phase (effectively encrypts key itself)
AddRoundKey(state, w[0, Nb1]) //Initial Round
for round = 1 step 1 to Nr–1 //128 bit= 10 rounds, 192 bit = 12 rounds, 256 bit = 14 rounds
SubBytes(state) //Provide nonlinearity in the cipher
ShiftRows(state) //Avoids columns being encrypted independently which can
weaken the algorithm
MixColumns(state) //Transforms each column and adds diffusion to the
cipher
AddRoundKey(state, w[round*Nb, (round+1)*Nb1]) //Generates a subkey an
combines it with state.
end for
SubBytes(state) //Final round and cleanup.
ShiftRows(state)
AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb1])
out = state
Scroll or drag the corner of the box to expand as needed. ↑
AES key lengths can be 128, 192, or 256 bits. Generally, the larger the key length the better the protection. The size of the key is proportional to the number of CPU cycles needed to encrypt or decrypt a block: 128 bit needs 10 cycles, 192 bit needs 12 cycles, and 256 bit needs 14 cycles. 
Block ciphers represent encryption algorithms that are based on a symmetric key and operate on a single block of data. Modern ciphers are based on Claude Shannon's work on product ciphers in 1949. A cipher mode of operation is an algorithm that uses a block cipher and describes how to repeatedly apply a cipher to transform large amounts of data consisting of many blocks. Most modern ciphers also require an Initialization Vector (IV ) to ensure distinct ciphertexts even if the same plaintext is entered repeatedly. There are several modes of operation such as:

Electronic Codebook (ECB) : This is the most basic form of AES encryption, but it is used with other modes to build more advanced security. Data is divided into blocks and each is encrypted individually. Identical blocks will produce identical ciphers which makes this mode relatively weak.

Cipher Block Chaining (CBC) : Plaintext messages Xored with the previous ciphertext before being encrypted.

Cipher Feedback Chaining (CFB) : Similar to CBC but forms a stream of ciphers (the output of the previous cipher feeds into the next). CFB depends on the previous block cipher to provide input to the current cipher being generated. Because of the dependency of previous ciphers, CFB cannot be processed in parallel. Streaming ciphers allows for a block to be lost in transit but subsequent blocks can recover from the damage.

Output Feedback Chaining (OFB) : Similar to CFB, this is a streaming cipher but allows for error correcting codes to be applied before encryption.

Counter (CTR) : Turns a block cipher into a stream cipher but uses a counter. The incrementing counter feeds each block cipher in parallel allowing for fast execution. The nonce and counter are concatenated together to feed the block cipher.

CBC with Message Authentication Code (CBCMAC) : A MAC (also known as tag or MIC) is used to authenticate a message and confirm the message came from the stated sender. The MAC or MIC is then added to the message for verification by the receiver.
These modes were first constructed in the late 1970s and early 1980s and were advocated by the National Institute of Standards and Technology in FIPS 81 as DES modes. These modes provide encryption for the confidentiality of information but will not protect against modification or tampering. To do that, a digital signature is needed and the security community developed CBCMAC for authentication. Combining CBCMAC with one of the legacy modes was difficult until algorithms like AESCCM were established, which provide both authentication as well as secrecy. CCM stands for Counter with CBCMAC Mode.
CCM is an important encryption mode used to sign and encrypt data and is used in a plethora of protocols covered in this book including Zigbee, Bluetooth Low Energy, TLS 1.2 (after key exchange), IPSEC, and 802.11 WiFi WPA2. 
AESCCM makes use of dual ciphers: CBC and CTR. AESCTR or counter mode is used for the general decryption of the ciphertext stream flowing in. The incoming stream contains an encrypted authentication tag. AESCTR will decrypt the tag as well as the payload data. An “expected tag” is formed from this phase of the algorithm. The AESCBC phase of the algorithm tags as input the decrypted blocks from the AESCTR output and the original header of the frame. The data is encrypted; however, the only relevant data needed for authentication is the calculated tag. If the AESCBC calculated tag differs from the AESCTR expected tag, then there is the possibility that the data was tampered with in transit.
The figure below illustrates an incoming encrypted stream of data that is both authenticated using AESCBC and decrypted using AESCTR. This ensures both the secrecy and authenticity of the origin of a message:
click for larger image
AESCCM mode.
One consideration for IoT deployments in a fully connected mesh is the number of keys necessary. For n nodes in a mesh that desire bidirectional communication, there are n(n1)/2 keys or O(n ^{2 } ) . 
Asymmetric cryptography
Asymmetric cryptography is also called public key cryptography. Asymmetric keys are generated in pairs (encrypting and decrypting). The keys can be interchangeable meaning a key could both encrypt and decrypt, but that is not a requirement. The typical use, however, is to generate a pair of keys and keep one private and the other public. This section describes the three foundational public key cryptograms: RSA, DiffieHellman, and Elliptical Curves.
Note that unlike symmetric key counts in a mesh where any node can communicate with any other node, asymmetric cryptography only requires 2n keys or O(n). 
The first asymmetric public key encryption method described is the RivestShamirAdleman algorithm, or RSA, developed in 1978. It is based on a user finding and publishing the product of two large prime numbers and an auxiliary value (public key). The public key can be used by anyone to encrypt a message but the prime factors are private. The algorithm operates as follows:

Find two large primes, p and q

n = pq

φ(n) =(p1)(q1)

Public key : Choose an integer e so that 1
φ(n), e is coprime to φ(n); a typical value is 2^{16} + 1 = 65537 
Private key : Compute d to solve the congruence relation de ≡1 (mod φ(n))
Therefore, to encrypt a message using the public key (n,e) and to decrypt a message using the private key (n,d):

Encrypt : Ciphertext = (plaintext) ^{e } mod n

Decrypt : Plaintext = (ciphertext) ^{d } mod n
It is often the case that artificial padding is injected into m before encryption to avoid cases of short messages failing to produce good ciphertext.
Perhaps the bestknown form of asymmetric key exchange is the DiffieHellman key exchange process (named after Whitfield Diffie and Martin Hellman). Typical of asymmetric cryptography is the notion of a Trapdoor Function which takes a given value A and produces an output B. However, trapdoor function B does not produce A.
The DiffieHellman method of key exchange allows two parties (Alice A and Bob B ) to exchange keys without any previous knowledge of any shared secret key s . The algorithm is based on the plaintext exchange of a starting prime number, p, and a prime generator. The generator g is a primitive root modulo p. Let Alice's private key be a and Bob's private key be b . Then, A=g ^{a } mod p and B=g ^{b } mod p. Alice computes the secret key as s=B ^{a } mod p and Bob computes the secret key as s=B ^{a } mod p.
In general, (g ^{a } mod p) ^{b } mod p = (g ^{b } mod p) ^{a } mod p :
click for larger image
DiffieHellman key exchange. The process begins with the plaintext exchange of an agreed upon prime and generator of prime. With an independent private key generated by Alice and Bob, the public keys are generated and sent in plaintext over the network. This is used to generate a secret key used for encryption and decryption.
The strength of this form of secure key exchange is generating a true random number for each private key. Even the slight predictability of a pseudorandom number generator (PRNG ) can lead to breaking the encryption. However, the principal issue is the lack of authentication which can lead to an MITM attack.
The other form of key exchange is EllipticCurve DiffieHellman (ECDH) and was proposed by Koblitz and Miller in 1985. It is based on the algebra of elliptic curves over a finite field. NIST has endorsed ECDH and the NSA allows ECDH for topsecret material using 384bit keys. Elliptic Curve Cryptography (ECC ) shares these basic tenets regarding the properties of an elliptical curve:

Symmetric about the xaxis

A straight line will intersect the elliptic curve at no more than three points
The process of ECC starts with drawing a straight line from a given point on the edge towards MAX . A line is drawn from point A to B . A dot function is used to draw a line between two points and then to draw a line straight up (or down) from the new unlabelled intersection to its counterpart on the positive or negative yaxis. This process is repeated n times, where n is the key size.
This process is analogous to seeing the end results of a pool table after a ball has been hit and strikes the cushions many times. An observer seeing the ending location of the ball would have a difficult time determining where the original location of the ball was.
MAX corresponds maximum value on the xaxis, placing a limit on how far a vertex will stretch. If by chance the vertex is greater than MAX , the algorithm forces the value that would have extended beyond the MAX limit and sets a new point xMAX distance away from the origin A. MAX is equivalent to the key size being used. A large key size results in more vertices being constructed and increasing strength of secrecy. Essentially this is a wrap around function:
click for larger image
Elliptical Curve Cryptography (ECC). Here is a standard elliptical curve on an x, yaxis. The process starts by following straight line paths from a given point A to a second point and locating the third new unlabelled intersection. A line is drawn to the opposite but identical y plane coordinate which now becomes a labeled entity. The process continues for n points which correspond to the key length.
Elliptical curves are becoming prevalent over RSA. Modern browsers are capable of supporting ECDH, which is the preferred method of authentication over SLL/TLS. ECDH is also found in Bitcoins, as we will see later, and several other protocols. RSA is only used now if an SSL certificate has a matching RSA key. The other advantage is that the key lengths can be kept short and still have the same cryptographic strength as a legacy method. For example, a 256 bit key in ECC is equivalent to a 3072bit key in RSA. The importance of this should be considered for constrained IoT devices. 
The next article in this series will continue the discussion of cryptographic methods.
Reprinted with permission from Packt Publishing. Copyright © 2018 Packt Publishing
Perry Lea is a 27year veteran in the technology industry and sees himself as a technologist, strategist, business developer, entrepreneur, researcher and inventor. Besides writing the book, Internet of Things for Architects, he holds more than 50 patents. He served as Chief Architect at Hewlett Packard, where he architected and steered the design of more than 60 product lines. He holds three engineering degrees and a post graduate degree from Columbia University.
“”A salt is a form of key derivation function (KDF)” – is that right? I thought a salt was used as an *input* to a KDF.”
“@Srl100, yes, you're absolutely correct of course. Perhaps that was a bit of writerly shorthand on the part of the author, where “salt” is meant to reflect the process (as in “salt the password”) rather than the random data that is the salt value itse