NEWS
Vodafone IoT Spin-off Offers SIM-Based VPN
|
Pairpoint is a young startup, emerging from Vodafone IoT in the last few years, with an interesting approach to Internet of Things (IoT) communications security. Its key offering is a Virtual Private Network (VPN) that doesn’t require the use of certificates or Public Key Infrastructure (PKI). A lightweight agent (<150 kb) deployed on the device leverages the Subscriber Identity Module (SIM) as a hardware root of trust to create a new symmetric key that serves as the device identity.
On the operator’s back end (in a secure gateway), a paired symmetric key is created in a similar fashion. An encrypted VPN tunnel can then be set up between the device and the gateway; effectively using OpenVPN with Advanced Encryption Standard (AES)-256- Galois/Counter Mode (GCM) and SIM-based Pre-Shared Key (PSK)/Transport Layer Security (TLS)-PSK-style authentication. High entropy keys can be rotated automatically based on time or data volume (as often as every 7 seconds to as little as every 200 days). This effectively eliminates the need for a PKI or X.509 certificate support, and the solution can be applied to devices already in the field, a neat way to extend security to legacy and brownfield IoT.
IMPACT
The Quantum-Safe Dilemma
|
The use of AES-256 effectively makes Pairpoint’s VPN solution quantum-safe, eliminating the need to factor in the new Post-Quantum Cryptography (PQC) algorithms that are looking primarily at standardizing asymmetric algorithms. This is particularly appealing for the IoT class of devices. One of the issues with PQC is the large key sizes and the ripple effect this has on compute power, battery life, bandwidth overhead, and therefore, latency. There is an ongoing herculean effort in the cryptographic community to optimize some of these new standardized algorithms into IoT-friendly implementations.
Experts need to focus not just on size and power consumption, but also on Side Channel Attack (SCA) protections—an imperative for many embedded systems. It’s a headache, especially due to the sheer fragmentation of the IoT ecosystem in terms of device types, form factors, connectivity, applications, etc. A solution that eschews the need to make any of these upgrades is a life-line on the quickly compressing PQC migration timeline. The other significant benefit is that it doesn’t require any sort of rip and replace, or costly investments. The existing hardware root of trust that is the SIM (which is already SCA secured) can be easily and cost-effectively leveraged using simple software. Most appealing is that it is lightweight and well suited to the scale of the IoT world.
It’s important to note that Pairpoint’s solution fits best within a specific context. It requires an existing network infrastructure with back end capabilities (and therefore, a central authority) to run the gateways. In this context, it is perfectly suited to the carrier environment, with their Network Operations Center (NOC)/Security Operations Center (SOC) capabilities. One of the advantages of the solution is that the technology is not necessarily tied to the SIM/cellular ecosystem; it can be transposed to other network infrastructure, as long as there is a hardware root of trust that can be leveraged on the device end, and a gateway can be set up on the back end. This network agnosticism makes it especially attractive for large networks and could well be envisioned by hyperscalers and large industrial stakeholders where myriad other connectivity technologies are used (fiber, Ethernet, Wi-Fi, Low-Power Wide Area Network (LPWAN), etc.).
RECOMMENDATIONS
Application by Application
|
Pairpoint offers a VPN solution today, but the underlying technology can have other use cases beyond tunnels, such as signing, attestation, assurance, etc. Key applications can include zero-trust and supply chain security. This is not to say that PQC becomes redundant—there are plenty of IoT devices and use cases that will need PQC.
Carriers are ultimately critical infrastructure providers; the onus is on them to secure all their assets today, and to plan for security in a post-quantum world. The latter is no easy feat. It requires careful planning, risk assessments, asset discovery, inventory management, and staged migration. The heterogeneity of devices means that this will be a complex process. Solutions like those offered by Pairpoint provide a much simpler and cost-effective route to quantum safety, and one that can leverage sunk costs and existing infrastructure. This is a good start to a PQC transition that will be long and arduous.
