This chapter is directed squarely at IoT implementers, those developing IoT devices (consumer or industrial) or integrating IoT communications into their enterprises. It provides you with an A to Z for their IoT implementations and deployments. While most of this book is devoted to practical application and guidance, this section diverges a bit to delve into deeper background topics associated with applied cryptography and cryptographic implementations. Many security practitioners will find this information common sense, but given the myriad cryptographic implementation errors and deployment insecurities even security-aware tech companies continue to deploy, we decided this background was needed. The risks are growing worse, evidenced by the fact that many industries historically unfamiliar with security (for example, home appliance vendors) continue to network-connect and IoT-enable their products. In the process, they make...
You're reading from Practical Internet of Things Security - Second Edition
Our world is witnessing unprecedented growth in machine connectivity over the internet and private networks. Unfortunately, on any given day, the benefits of that connectivity are soured by yet more news reports of personal, government, and corporate cyber security breaches. Hacktivists, nation states, and organized crime syndicates play a never-ending game of cat and mouse with the security industry. We are all victims, either as a direct result of a cyber breach or through the costs we incur to improve security technology services, insurance, and mitigate other risks. The demand for more security and privacy is finally gaining traction in corporate boardrooms and high-level government circles alike. A significant part of that demand is for wider adoption of cryptography to protect user and machine data. Secure by default principles suggest the need for near ubiquitous use of cryptography, thus it will play an ever growing role in securing the...
So far, we have discussed cryptographic algorithms, algorithm inputs, uses, and other important aspects of applied cryptography. Familiarity with cryptographic algorithms is not enough, however. The proper implementation of cryptography in what are called cryptographic modules, though a topic not for the faint of heart, is needed for IoT security. Earlier in my (Van Duren) career, I had the opportunity not only to test many cryptographic devices but also to manage, as laboratory director, two of the largest NIST-accredited FIPS 140-2 cryptographic test laboratories. In this capacity, I had the opportunity to oversee and help validate hundreds of different device hardware and software implementations, smart cards, hard drives, operating systems, Hardware Security Modules (HSM), and many other cryptographic devices. In this section, I will share with you some of the wisdom gained from these experiences. But first, we must define a cryptographic module.
A cryptographic...
Now that we have addressed basic cryptography and cryptographic modules, it is necessary to delve into the topic of cryptographic key management. Cryptographic modules can be considered cryptographically secured islands in larger systems, each module containing cryptographic algorithms, keys, and other assets needed to protect sensitive data. Deploying cryptographic modules securely, however, requires secure key management. Planning key management for an embedded device and/or full scale IoT enterprise is essential to securing and rolling out IoT systems. This requires organizations to normalize the types of cryptographic material within their IoT devices and ensure they work across systems and organizations. Key management is the art and science of protecting cryptographic keys within devices (crypto modules) and their interactions across the enterprise. It is an arcane technical discipline that was initially developed and evolved by the US Department...
This section examines cryptographic controls as integrated into various IoT protocols. Lacking these controls, IoT point-to-point and end-to-end communications would be impossible to secure.
One of the primary challenges for IoT device developers is understanding the interactions between different types of IoT protocols and the optimal approach for layering security across these protocols.
There are many options for establishing communication capabilities for IoT devices, and often these communication protocols provide a layer of authentication and encryption that should be applied at the link layer. IoT communication protocols such as ZigBee, ZWave, and Bluetooth-LE all have configuration options for applying authentication, data integrity, and confidentiality protections. Each of these protocols supports the ability to create wireless networks of IoT devices. Wi-Fi is also an...
The IoT is creating vast data stores, some of which need to be protected for very long periods of time. Banking organizations, healthcare companies, insurance agencies, intelligence agencies, and so on all have the imperative to protect data for the time it is sensitive.
Cryptographic algorithms, unfortunately, tend to age out due to constant advances in both computational speed and cryptanalysis. This section briefly addresses crypto agility and quantum resistance, two topics gaining much attention given the proliferation of cryptography into almost everything.
Crypto agility refers to the fundamental ability to replace and upgrade cryptographic algorithms, key lengths, crypto-dependent protocols, and the keys themselves. This is enormously challenging due to the pervasiveness and deep entrenchment of cryptologic in our devices and computing systems.
Cryptographic replacement may be required either as a response to newly discovered vulnerabilities...
In this chapter, we touched on the enormously large and complex world of applied cryptography, cryptographic modules, key management, cryptographic application in IoT protocols, and a possible future of the cryptographic enablement of distributed IoT trust in the form of blockchain technology.
Perhaps the most important message in this chapter is to take cryptography and its methods of implementation seriously. Many IoT devices and service companies simply do not come from a heritage of building secure cryptographic systems and it is unwise to consider a vendor's hyper-marketed claims that their 256-bit AES is secure. There are just too many ways to thwart cryptography if not properly implemented.
In Chapter 7, Identity and Access Management Solutions for the IoT, we will dive into Identity and Access Management (IAM) for the IoT.