Why cryptography is essential to IoT security
Cryptography is the use of codes and ciphers to keep communication private from everyone except the intended recipients. The earliest known use of cryptography is from Egypt circa 1900 BCE. Cryptanalysis, the science of “breaking” codes and ciphers, has developed in parallel with cryptography. The Enigma was an electromechanical cryptographic machine used by Nazi Germany during World War II for secure communication. The Enigma code was eventually “broken” with great difficulty by an Allied cryptanalysis team. Some believe that this shortened the war by as much as two years.
Cryptography use was largely limited to governments until 1977 when two events moved it into the public domain — the creation of a U.S. government-approved cipher, the Data Encryption Standard (DES), and the public introduction of RSA, which was the first practical public-key cryptosystem.
The Data Encryption Standard (DES) is a symmetric-key algorithm. DES has a 56-bit key size, which, although secure when introduced, no longer provides sufficient security. In January 1999, it was demonstrated that a 56-bit DES key could be broken using a brute-force attack in 22 hours and 15 minutes. This speed was achieved using a worldwide network of nearly 100,000 PCs that were testing keys at a rate of 245 billion keys per second.
In a symmetric-key algorithm, like DES, two or more parties have an identical (or nearly identical) key. This approach works, but securely delivering the key from the first party to the other parties is difficult in practice and can introduce a security risk. Anyone who gains access to the symmetric key can read any of the messages, or modify them and pass them on without the recipients knowing that the messages have been modified. Asymmetric cryptography, or public-key cryptography, effectively fixes these issues.
Public-key cryptography uses public keys and private keys that are mathematically related to each other. The public keys can be known by anyone and everyone, while the private keys are kept secret and are known only to their owners. Using this system, anyone can encrypt a message using a public key, and the encrypted message can then be left on a public server or transmitted over a public network without security concerns. This message can only be decrypted by the intended receiver using their private key. This system relies on cryptographic algorithms based on mathematical problems that do not currently have efficient solutions, such as certain integer factorizations, discrete logarithms, and elliptic curves. Public key/private key pairs can be generated relatively easily and can be used for encryption and decryption. The strength of the security lies in the fact that it is extremely difficult to determine a properly generated private key from its public key. Also, private keys of sufficient length cannot be broken through brute-force attacks using the entire world’s computational power over decades of elapsed time. NIST has determined recommended key lengths to provide effective security through the year 2031 and beyond based on the projected rate of growth in computational power.
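The flow described above, as an added example that is not from the original post or from any vendor's code: anyone holding a device's public key can encrypt to it, and only the private key can decrypt. The choice of a 256-bit NIST P-256 key pair, the ECDH plus AES-256-GCM construction, the SHA-256 key derivation and the names `Encrypt`, `Decrypt` and `aeadFor` are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// aeadFor turns an ECDH shared secret into AES-256-GCM. Hashing with SHA-256 is a
// simplification assumed for this example; production code would use HKDF.
func aeadFor(shared []byte, eph *ecdh.PublicKey) cipher.AEAD {
	key := sha256.Sum256(append(shared, eph.Bytes()...))
	block, _ := aes.NewCipher(key[:]) // cannot fail: the key is always 32 bytes
	aead, _ := cipher.NewGCM(block)   // cannot fail: the AES block size is 16
	return aead
}

// Encrypt needs only the recipient's public key; the ephemeral public key travels with ct.
func Encrypt(recipient *ecdh.PublicKey, msg []byte) (*ecdh.PublicKey, []byte, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	shared, err := eph.ECDH(recipient)
	if err != nil {
		return nil, nil, err
	}
	// Every message gets a fresh key, so the all-zero nonce is never reused with it.
	return eph.PublicKey(), aeadFor(shared, eph.PublicKey()).Seal(nil, make([]byte, 12), msg, nil), nil
}

// Decrypt needs the recipient's private key; altered ciphertext fails the GCM tag check.
func Decrypt(priv *ecdh.PrivateKey, eph *ecdh.PublicKey, ct []byte) ([]byte, error) {
	shared, err := priv.ECDH(eph)
	if err != nil {
		return nil, err
	}
	return aeadFor(shared, eph).Open(nil, make([]byte, 12), ct, nil)
}

func main() {
	device, _ := ecdh.P256().GenerateKey(rand.Reader) // constructed demo key pair
	eph, ct, _ := Encrypt(device.PublicKey(), []byte("temp=21.5C"))
	pt, err := Decrypt(device, eph, ct)
	fmt.Printf("%s %v\n", pt, err)
}
```

Because the ciphertext is authenticated, a holder of the public key alone can neither read a message nor alter one without the change being detected on decryption.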
The proper use of cryptography through cryptographic ICs is therefore essential to securing all IoT devices, as well as many other electronic products. In a prior blog post, I gave an example of how effective IoT security can be accomplished by a cryptographic IC that adds less than $1 to an IoT device bill of material (BOM). Implementing public-key cryptography for IoT devices requires significant expertise, but organizations can turn to IoT security partners who are capable of providing complete, robust security solutions, typically in a matter of weeks, with most of that work performed in parallel with other development efforts.
Obviously, any key can theoretically be broken using a brute-force attack with sufficient computing power. The practical approach of modern cryptography is to use a key long enough that it can’t be broken without an extraordinary amount of computing power, at a cost significantly in excess of the value of the contents that the cryptography protects. The good news is that the above-mentioned sub-$1 cryptographic IC uses 256-bit Elliptic Curve Cryptography (ECC) keys, each of which is so secure that breaking a single key would require computing resources equal in cost to 300 million times the entire world’s annual GDP (78 trillion USD) working for an entire year.
Modern cryptographic ICs make IoT security so affordable that no IoT product maker has any valid excuse to continue to ignore IoT security risks.