IoT design, security and PKI

In a 2015 blog post – Securing the Internet of Things – time for another look at PKI? – Quocirca outlined why Public Key Infrastructure (PKI) is likely to see a new lease of life from the increasing deployment of applications that fit the general heading Internet of Things (IoT). As the first blog pointed out, IoT applications will only be a success if underlying security is ensured.

The assertion made in the first blog that the use of digital certificates and PKI to manage them are effective for securing the IoT is supported by a 2015 Quocirca research report (which will be was sponsored by Neustar). PKI achieves two objectives; the authentication of things and the security and integrity of the data they send and receive.

On the surface this use case for PKI may not appear that different from ones that have been around for years, for example, securing the communication of a user’s web browser (or smartphone app) with a banking service or confirming a software update is from a given supplier. The big difference with the IoT is that it involves relentless high volume machine-to-machine (M2M) communications, so PKI will only be effective if it is fast enough and cheap enough.

Application design

At first glance the volume problem may look insurmountable; however it can be addressed through application design. If every city, office, factory, home, car etc. is to be equipped with tens, hundreds or thousands of devices, how can they all even have an IP address let alone a digital certificate? True, the slow move to IPv6 does provide a virtually unlimited number of addresses compared to IPv4, but how do you manage them all? Good design means that volume of things need not be a problem at all. Why? You probably have an example in your pocket!

Smartphones are actually agglomerations of sensors and other devices: cameras, GPS receivers, Bluetooth and wireless chips, motion sensors and so on. None of these individual components has an independent IP address, they communicate, when necessary, via the phone’s CIM card or WiFi chip with a service provider. It is at this point that a digital certificate can guarantee a data feed is valid and secure. The phone is acting as a hub that communicates internally and securely with the various components (spokes). This hub and spoke approach can be repeated at any scale and systems may be layered like onion skins with one hub controlling others. The IoT volume problem is reduced by orders of magnitude and the use of PKI reserved for hub-to-hub and hub-to-central controller communications.

Of course, a hub’s communication with its spokes also needs to be secure. An obvious way is to use hard wired networking which is trickier to interfere with than wireless. However, wireless is a cheap and pragmatic way for implementing many IoT applications; here low cost approaches to security may be sufficient for hub to spoke communications, for example using device signatures based on hardware configuration. In fact, identity and security features are likely to be built more and more into hardware chips and Microsoft Windows 10 has specific features to improve support of IoT security on devices where it is installed. Hub and spoke also helps get around the encryption processing overhead that PKI introduces; this should not be a problem for powerful hubs, but spokes may be small or old devices without much compute power.

Hub and spoke also deals with issues around speed of communications and data volumes that need to be transmitted. A car may have a sensor on each of it 4 tyres, all constantly reporting to the hub every second; the air pressure is OK, the air pressure is OK…. There is no need for the hub to do anything about this until there is an exception; the air pressure is NOT OK. Only then does it need to raise an alert and get guidance from a controller. At this point security is essential, or it would be possible for false guidance to be issued to car, which is exactly the sort of risk that many flag for the IoT. So, hubs need to be smarter than spokes and that includes smart about security.

Why PKI?

The arguments in favour of PKI have been laid out many times. In summary, PKI (or asymmetric encryption) is a way of encrypting communications without both parties in the conversation having to know the key to unlock the encryption as is the case with the alternative symmetric encryption where private keys must be shared. Actually, PKI is often used to share the keys that will be used for symmetric encryption (which could also be used in some cases for secure communication of an IoT hub with its spokes).

The distribution of keys depends on the type of application. Hubs in cars and mobile phones need public keys to communicate with service providers that hold a private key. More complex situations may arise. For example, a wireless router may act as a hub for a home and need a public key to communicate with a given broadband service provider. However, it may also handle direct communications, over the broadband connection with smart TV manufacturer, which will require another set of separately managed keys.

Certificates themselves can be distributed by virtually anyone, shipped with the routers, smartphones, cars, TVs etc. However, they are only useable once validated and that is only done by a trusted certification authority (CA), of which there are many. Wikipedia lists in its Certificate Authority entry the four leading CAs as Comodo, Symantec, GoDaddy and GlobalSign.

The providers of PKI

Once a certificate has been distributed and certified, without the control of PKI systems it has a life of its own. It will expire if a date is set, but there will be no means of renewing, superseding or revoking it without PKI for life-cycle management. Effective PKI systems need to be able to manage certificates from any source as, with so many CAs, there will rarely be a single provider of certificates for any given IoT application. There is also a need to deal with widely varied certificate life-cycles; for example digital payments may be based on single use certificates whilst a road side sensor may require one that is valid for many years.

PKI vendors such as EntrustDatacard and Global Sign are actively repurposing and scaling out their PKI offerings for securing the IoT. Verizon, which ended up with the assets of Baltimore, a onetime star of the dotcom boom, now markets its PKI as Verizon Managed Certificate Services (MCS) and in January 2015 announced a new platform geared for securing IoT deployments.

Symantec has a Managed PKI platform too, as well as its PGP Key Management platform for symmetric keys; it sees a future where these need to be bought together to provide a broad trust capability. Another encryption key management vendor, Venafi, says it can do much of what is offered by PKI vendors to keep the use of certificates secure. Some PKI vendors are less proactive. Quocirca also spoke to RSA, which has a legacy foot in the PKI world as a onetime CA (since spun off as Verisign and now part of Symantec). RSA has put its PKI platform into maintenance mode.

If you think the IoT is going to be relevant to your business, then Quocirca’s 2015 research suggests you will not be alone. PKI is going to be one of the most important ways to secure IoT applications. With good design and a PKI platform provider that is up to the task you can proceed with confidence.