As Internet of Things (IoT) devices are optimized for lower power consumption and affordability, most of them have poor computing resources. As consequence, these devices are more vulnerable to hacking attacks. The good news is there are several options for using cryptography to make it difficult for hackers to gain access to IoT devices of your smart connected home.
Cheap IoT devices that have little protection or no protection at all can be hacked to flood websites with high traffic and shut the servers down. As “things” are increasingly getting connected to the “internet”, chances are that hackers may have the water or electricity shut off, security system disabled, and even worse – they can cause loss of human life by attacking medical devices.
So, what is the solution? Well, the answer is, “Authentication and Encryption using embedded cryptography”. Now we shall discuss these methods of securing IoT devices from cyber attacks.
For the IoT, authentication works in both directions. An IoT device ensures that it is interacting with an authorized gateway and cloud service, and the cloud service (remote server), in turn, verifies it is working with an authentic IoT node. Only when both the sender and the receiver are sure that they’re dealing with “real” client/server, they proceed further and exchange confidential information. This authentication is done by using a hashing algorithm and shared secret keys to generate a tag known as a message authentication code (MAC). This MAC address is compared with a locally stored address.
Now, it’s clear that effectiveness of the authentication process depends on the strength of the MAC, and the MAC address itself depends on the strength of the hashing algorithm, the length of the key used, and whether the key is shared secretly and stored securely. The current state-of-the-art hashing algorithm for cryptographic purposes is SHA-256 with 256-bit keys. That means if the key is unknown, it will take 2^256 attempts to crack it.
The generated key must be shared over a secure channel to prohibit hackers from cracking it by sniffing the packets. The key can also be shared over an insecure channel using Diffie–Hellman key exchange method. Another important task is to store the key securely. It’s highly recommended not to store the key in the same place along with other application data.
AES is the accepted encryption method to encrypt and decrypt messages using digital keys. Symmetric key cryptography uses the same key to encrypt and decrypt the message. So it’s vital to keep the key secret. Asymmetric key cryptography uses the combination of a shared, public key and a private key which is kept secret locally. Asymmetric key cryptography is more useful and safer to use over insecure channels. But, this method is too much computationally expensive. That means it requires more computing resources to deal with asymmetric key cryptography.
A typical IoT device may not have enough computational strength to encrypt and decrypt all the data with asymmetric key cryptography. Rather this method can be used to create a secure channel only for sharing symmetric keys that encrypt/decrypt all messages.
To make the data exchange more secure, dedicated authentication chips and cryptographic co-processors can be used. This technique makes embedded systems more power efficient and in the long run, it’s the best thing to do.