As the Internet of Things (IoT) continues to connect objects and relay information to people, new possibilities for business and personal life abound. IDC projects that by 2020, the IoT will grow to 200 billion objects. Yet, for all of the IoT’s possibilities, hackers are innovating as well. In light of the reams of sensitive data that the IoT generates, the need for security has never been greater. One answer comes from a solution that has been working quietly to protect data for 20 years: Public Key Infrastructure (PKI). Its full capabilities have never been explored, but that is about to change thanks to the IoT.
The challenge of trust
Regarding security, the IoT has two requirements: trust and control. This is hard to achieve on the grand scale of IoT, but it’s indisputable that cryptography is going to play a central role. Of course, crypto and PKI technologies have already been proven in large-scale systems like the global payments network. However, securing the IoT brings new challenges that force us to rethink traditional assumptions about key management and the impending security threats.
Connected devices must provide trustworthy information, sometimes directly to the user and sometimes to the infrastructure provider, often employing data analytics that span millions of such devices. Establishing trust across disparate devices on a massive scale is, of course, a significant challenge. The devices themselves are susceptible to physical attacks, and the networks they communicate over are usually difficult to secure. Additionally, back-end systems and data repositories where information is aggregated and analyzed and decisions are made are also attractive targets. Under the control of malicious actors, the IoT could quickly become the Internet of Listeners or the Army of Things.
What the IoT needs to succeed
High integrity messaging, secure communications and mutual authentication at an internet scale will be absolutely necessary for IoT to succeed. Having secured network-connected devices for decades, digital certificates issued by a PKI are well situated to serve as the online identity for those things. PKI has performed well for years in trusted environments where hundreds of millions of device certificates have been deployed for ATMs, cellular base stations and smart phones. While the things in the IoT have much in common with such devices, they do raise some new issues regarding assurance, scale and technology.
First, when it comes to assurance and validation, there’s a distinction between public PKI applications and private or closed PKI applications. Common PKI applications such as email security often require a level of public trust – the ability for anyone to validate the assurance claims made by the PKI-based credentials, such as certificates. This requires the ability to equip all potential receivers to test the claims of all potential senders and, even harder, to revoke the ability to make claims if trust is lost. In many ways, the situation in IoT is easier because many IoT deployments don’t need public trust – they are closed systems. Furthermore, revocation checking and online validation may no longer be required since the organization in control will already know the status of its own devices in the network and won’t need to rely on checking the status of the device’s credentials.
The second challenge is around scale. Although PKI deployments certainly exist that have the ability to manage millions of certificates, most operate at significantly smaller levels. The magnitude of many IoT deployments will make systems with tens or even hundreds of millions of credentials commonplace. However, many of these devices’ deployments will be relatively static, credentials will have relatively long lifecycles and changes might be rare.
Lastly, we have the issue of technology. Unlike traditional PKIs and connected devices, extremely low-power and low-budget devices will populate the IoT. Traditional cryptography is not designed for these environments and is mathematically intensive, which requires CPU power. Another problem is credential generation. Making good keys is not easy, and making them in high volumes can quickly become a bottleneck. Again, crypto algorithms designed for low-power devices and rapid key generation already exist and have been widely proven.
Securing the future
The benefits of a connected world mean that the IoT will only get bigger. As it does, so will the possibility of security threats. For this reason, it is essential to rethink key management. As more devices connect to the Internet and each other, those devices will require certificates. PKI has been securing network-connected devices all along, so expanding its use for the IoT makes sense. PKI has proven its worth in solving high-assurance problems for the past two decades and stands ready to securely manage digital certificates for the IoT.