Authentication Techniques for the IoT

By Michela Menting | 1Q 2017 | IN-4470

Authenticating Things

NEWS


At RSA and Mobile World Congress 2017, the most prominent battle cry related to IoT security, notably regarding identity and authentication. Many security vendors, OEMs, silicon IP and semiconductor companies, carriers, and other service providers are keen to exploit the opportunity and are promoting various solutions to tackle the issue. Identity is an issue within all layers of the IoT: perception, infrastructure (network), and application. Authentication is required to establish trusted connections, and this relies on the ability to correctly identify the various assets (devices, people, servers, applications) throughout the value chain. The various efforts are promoting private and public, as well as one-time, signature-based techniques. Vendors are promoting authentication techniques in cloud-centric IoT environments, as well as for resource-constrained devices. No single method currently stands out as developers try to adapt traditional mechanisms to the IoT.

Private or Public Keys?

IMPACT


Proponents of public key infrastructure (PKI) are touting its advantages to the IoT ecosystem, and are keen to finally see successful and widespread adoption of the often-contested X.509 technology. There are both benefits and obstacles to PKI adoption for IoT. One downside for embedded devices is that PKI requires high computation, communication, and storage overhead, so it may not be suitable for edge devices like sensors and actuators if client-side authentication is implemented for mutual authentication purposes. In addition, integrating an X.509 certificate at the manufacturing stage for each device is costly and complex (not including the need for a certification authority and a revocation list, and for dealing with expiration). What often happens is that the same certificate is used for all devices of a certain category, diluting the security posture of such devices if the certificate were ever to be exploited. Yet, PKI may be more easily implemented at the gateway level.

Private key mechanisms, however, are better suited to constrained devices. The application of a lightweight symmetric key algorithm allows lower energy consumption, which is critical for many sensor-type nodes. Where there is ownership of the server and the devices, a private key solution will be the easier and less costly option. Nonetheless, while private key encryption may overcome some of the PKI obstacles (notably in terms of CA requirements and complex management), it is difficult to scale to the billions of IoT devices that are forecasted for the end of the decade. Furthermore, where devices and servers are owned by separate entities, the security risks of the private key being compromised are much higher, especially where devices communicate via public APIs to other services. Transport Layer Security (TLS) can minimize some of that risk, but then there is the added complexity of certificate expiration management. 
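An added sketch (not part of the original Insight) of the symmetric-key approach discussed above: an HMAC challenge-response in which each device holds its own key, so that extracting one device's key does not expose the rest of its category the way a shared credential would. Deriving device keys from a server-side master with HMAC, along with the device IDs, key values, and function names, are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample master key; in practice it would be held in an HSM or KMS.
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def device_key(master: bytes, device_id: str) -> bytes:
    """Per-device key = HMAC-SHA256(master, label | device_id) (assumed scheme)."""
    return hmac.new(master, b"iot-auth-v1|" + device_id.encode(),
                    hashlib.sha256).digest()


def new_challenge() -> bytes:
    """Server side: fresh random nonce so an old response cannot be replayed."""
    return secrets.token_bytes(16)


def respond(key: bytes, device_id: str, challenge: bytes) -> bytes:
    """Device side: a single HMAC over its identity and the server's nonce."""
    return hmac.new(key, device_id.encode() + b"|" + challenge,
                    hashlib.sha256).digest()


def verify(master: bytes, device_id: str, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected tag and compare in constant time."""
    expected = respond(device_key(master, device_id), device_id, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    key_a = device_key(MASTER_KEY, "sensor-A")  # provisioned at manufacture
    c1, c2 = new_challenge(), new_challenge()
    r1 = respond(key_a, "sensor-A", c1)
    return {
        # Genuine device answering the current challenge.
        "genuine": verify(MASTER_KEY, "sensor-A", c1, r1),
        # Captured response presented against a later challenge.
        "replayed": verify(MASTER_KEY, "sensor-A", c2, r1),
        # sensor-A's key used while claiming to be sensor-B.
        "key_a_as_sensor_b": verify(MASTER_KEY, "sensor-B", c2,
                                    respond(key_a, "sensor-B", c2)),
    }


if __name__ == "__main__":
    print(demo())
```

The device performs one HMAC per authentication and stores a single 32-byte key; the server still has to protect the master secret, which is the key-management burden the paragraph above describes.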

A Slow Start

COMMENTARY


Today, the choice for IoT authentication is broad: centralized or distributed, hierarchical or flat? IoT developers will have to consider the merits of each, as it applies to their specific context. What is clear from the market today is that many of the current solutions are centralized and are more or less split evenly between hierarchical and flat architectures. Primarily, they favor mutual authentication, but few are making use of secure hardware, multiple credentials, or additional authentication levels. The main reasons for this are bound up with cost and complexity, driven by the usual careless attitude with regard to security that generally permeates most industries.

IoT is no exception, although there will be some pushback against such lassitude in regulated sectors. It seems unlikely that the continued threat of cyberattacks against the IoT space will suddenly drive en masse adoption of more comprehensive authentication methods, but in time, liability for breaches, reputational damage, and the knock-on effect for both functional safety and privacy may well drive better adoption. The onus is also on the security industry to come up with the magic formula: provide robust, lightweight solutions for end-to-end security that are easily implemented, managed, integrated, and can scale; and all this at a reasonable price.
