It’s often been said that for IoT to be successful it must be secure and, because the sending of data from devices to IoT platforms is fundamental to IoT, it follows that the ability to authenticate devices and to secure communications with them will be essential.

Across today’s internet, public key infrastructure (PKI) has long played a key role in authenticating communicating parties and ensuring the integrity of their communication by encrypting messages, so it’s an obvious candidate to play the same role in IoT.


Digital Certificates

PKI relies on digital certificates issued by a trusted authority – for the public internet, three security technology companies dominate in this role. When a web browser wants, for example, to start a secure session with a web server, the server sends it a digital certificate that attests to the server’s identity, as vouched for by the issuing authority.

The certificate also includes the server’s public encryption key, which the browser uses to encrypt a one-time key for the session. The server decrypts this session key with its own private key, and that session key is then used to encrypt the ensuing communication.

This same mechanism is, in principle, applicable to any IoT system. However, one of the biggest barriers to its use is the processing power a device needs to validate certificates and to encrypt and decrypt data.

Also, for IoT devices designed to send very small data packets, the bytes needed to exchange certificates and keys could vastly exceed the payload.


Framework for Securing Devices

Forrester Research, in its TechRadar report Internet of Things Security, 2017, identifies a number of issues with the use of PKI for IoT. It says hardware limitations in some IoT devices may constrain or completely inhibit their ability to use PKI, but that, notwithstanding these limitations, PKI can provide a proven framework for securing devices. Forrester also says that a large upfront investment and significant ongoing management and investment can be needed to use PKI for a large fleet of IoT devices.

An IoT implementation of PKI does not need to rely on certificates issued by a public authority: an organization could establish its own issuing authority for a closed IoT ecosystem. However, many industrial IoT systems will have large numbers of devices and this could impose significant overhead. Operating and managing a certificate authority is also technically challenging.
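As an added example (not code from the article or from any organization it cites), the following Go program stands up exactly such a private issuing authority for a closed fleet: a self-signed ECDSA P-256 root issues a certificate to one device, the platform side validates it against only that root, and `len(dev.Raw)` is the DER-encoded certificate the device would have to transmit before its first reading. The CA name and device ID are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// BuildDeviceChain stands up a private issuing authority for a closed fleet (a
// self-signed ECDSA P-256 root), has it issue a certificate to one device, and
// validates that certificate against the root as an IoT platform would.
// "Example Fleet Root CA" and the device ID are constructed for this example.
func BuildDeviceChain(deviceID string) (ca, dev *x509.Certificate, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Fleet Root CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	// Self-signed root: the template is its own parent and signs with its own key.
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	ca, _ = x509.ParseCertificate(caDER)
	devTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: deviceID},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	// The device keeps devKey private; only the CA key signs its certificate.
	devDER, err := x509.CreateCertificate(rand.Reader, devTmpl, ca, &devKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	dev, _ = x509.ParseCertificate(devDER)
	// Platform side: trust only the fleet root and require a client-auth certificate.
	// len(dev.Raw) is what the device must send before its first telemetry packet.
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	_, err = dev.Verify(opts)
	return ca, dev, err
}
```

Even this compact certificate is several hundred bytes, an order of magnitude more than a typical 12-byte sensor reading.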

As a result of these limitations, Forrester estimates it will take three to five years for PKI in IoT to reach a level of deployment and diversity able to sustain the market and generate strong customer demand.


IoT Driving the Deployment of PKI

Notwithstanding these limitations, according to the Ponemon Institute, IoT is a significant force driving the deployment of public key infrastructure (PKI).

That was one of the conclusions of its 2017 PKI Global Trends Study, based on survey responses from 1,510 IT and IT security practitioners in the US, UK, Germany, France, Australia, Japan, Brazil, the Russian Federation, India, Mexico and Arabia. The study was part of Ponemon’s larger 2017 Global Encryption Trends Study.

The Institute reported that the most important trend driving the deployment of PKI continued to be its use by cloud-based services (flagged by 54 percent of respondents), but said the use of PKI in IoT had increased from 21 percent to 40 percent of respondents over the past three years.

Ponemon predicted that, over the next two years, an average of 43 percent of IoT devices would rely primarily on digital certificates for identification and authentication. This was despite the report identifying several challenges to the use of PKI in an IoT environment, the most significant being the lack of clear ownership of the PKI function, since no single business unit is responsible for it: 69 percent of respondents believed no one function was responsible for managing PKI.

Other deployment problems identified by respondents included: insufficient skills (47 percent), insufficient resources (42 percent), too much change or uncertainty (41 percent) and uncertainty about performance and reliability (39 percent of respondents).


A Bright Future for PKI

There is, however, some good news on the challenges of shoehorning PKI support into devices with limited processing power.

In 2016 the Swedish non-profit research organization RISE SICS started a three-year research project, “SecureIoT: Certificate-based Security for Resource-constrained Internet of Things,” to develop lightweight PKI technologies suitable for resource-constrained IoT devices, together with partners from Sweden and South Korea.

According to the project’s leader, Shahid Raza, it will target much-needed but currently missing IoT security products and services, primarily for the Swedish and South Korean IoT markets, and will also extend the project’s outcomes to the global IoT market.

The project will build on an earlier RISE SICS achievement, CEBOT (Certificate Enrollment for Billions of Things), which finished in mid-2017 and aimed to solve the challenging problem of automated certificate enrollment in IoT.

A draft standard based on CEBOT has been submitted to the Internet Engineering Task Force (IETF), and RISE SICS has also received funding to develop a lightweight PKI system to secure the hundreds of IoT devices in an autonomous vehicle.

So the future for PKI in IoT looks bright, but it might be a few years before the technology is readily available for use with resource-limited devices.
