Security in the Internet of Things (IoT) is the major concern when all the physical entities are connected to the internet because IoT devices are lightweight and the implementation of security algorithms in these devices
Why is IoT Security Required?
- Breaches of privacy
- Cybercrime
- Physical safety in the home, across the city and within businesses
- Threats to national infrastructure
- Looming risks of cyberwar
Unique Challenges for IoT Security
- IoT relies on microcontrollers with limited memory and computational power
- This often makes it impractical to implement approaches designed for powerful computers
- This, in turn, requires constrained IoT devices to be hidden behind secure gateways
- Threats based upon gaining physical access to IoT devices
- How to bootstrap trust and security, and ways that this can unravel
- Evolving technology
- More powerful Systems on a Chip (SOC) embedding hardware security support
- Elliptic Curve Cryptography with reduced computational demands
- Anything that is exposed to the Internet must be securely software upgradable
- User experience must be good enough to avoid becoming a weak link in the chain
- The necessity of keeping up to date with security best practices
The Challenges for the IoT and Big Data
Lots of sensors will generate a vast amount of data
- ABI Research estimated 200 exabytes in 2014 and 1.6 zettabytes in 2020
- 90% is currently processed locally, although this varies by domain
- This creates a greater volume of sensitive data, creating a greater risk of data and identity theft, device manipulation, data falsification, IP theft, server/network manipulation, etc.
- Impact of introduction of data consolidation and analytics at the network edge.
- Cisco, HPE, and others.
- App platforms in the cloud or at the network edge will be targets for attacks.
Enabling Data Security for the Internet of Things
- Transport and app layer encryption
- TLS and DTLS for encrypting data transmitted over the Internet
- App layer encryption for greater security (e.g. as in financial transactions)
- Secure key exchange algorithms over unsecured channels
- Authentication and Key management
- IoT devices need to check that the server is who it says it is
- Servers likewise need to check this for IoT devices
- Asymmetric Public/Private key pairs vs Symmetric keys
- Tamper-resistant storage of keys and certificates
- Challenges for provisioning services
Authorization – Determining Who Can Do What
- Authorization rules
- Authentication of the data recipient
- A simple form of rules as access control lists
- More general rules with complex conditions
- Capability-based security
- A capability is the communicable and unforgeable token of authority
- The token is associated with a set of access rights
- IETF work on ACE and JOSE
- ACE: Access control in Constrained Environments
- JOSE: JavaScript Object Signing and Encryption
- Relationship to models of trust
- Prior agreements between two parties
- Attestations by trusted third parties
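The capability idea listed above (an unforgeable, communicable token tied to a set of access rights) can be sketched as follows. This is an added example, not code from the original page and not the ACE or JOSE wire format: the token layout, the function names and the shared HMAC key between the issuer and the resource are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_capability(key: bytes, holder: str, resource: str, rights, expires: int) -> str:
    """Issuer side: bind holder, resource, rights and expiry under a MAC."""
    claims = {"sub": holder, "res": resource, "rights": sorted(rights), "exp": expires}
    body = b64e(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + b64e(tag)

def check_capability(key: bytes, token: str, resource: str, right: str, now: int) -> bool:
    """Resource side: allow only if the token is authentic, unexpired and
    covers the requested right on the requested resource."""
    try:
        body, tag = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison: a forged or altered token is rejected here,
        # before any of its claims are trusted.
        if not hmac.compare_digest(expected, b64d(tag)):
            return False
        claims = json.loads(b64d(body))
    except (ValueError, TypeError):
        return False  # a malformed token conveys no authority
    return (claims.get("res") == resource
            and right in claims.get("rights", [])
            and now < claims.get("exp", 0))

def demo() -> dict:
    # Constructed sample values: key, device name, resource path and times.
    key = b"constructed-demo-key-32-bytes!!!"
    token = issue_capability(key, "thermostat-17", "/sensors/temp", ["read"], expires=2000)
    return {
        "read_allowed": check_capability(key, token, "/sensors/temp", "read", now=1000),
        "write_allowed": check_capability(key, token, "/sensors/temp", "write", now=1000),
        "after_expiry": check_capability(key, token, "/sensors/temp", "read", now=2000),
    }

if __name__ == "__main__":
    print(demo())
```

A single HMAC-SHA256 check is cheap enough for a microcontroller, but it means the resource holds the same key as the issuer; a signature scheme would remove that shared secret at a higher computational cost.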
Privacy and the Internet of Things
- The IoT has the potential to provide huge and unprecedented amounts of personal information
- This information may last indefinitely
- Risk of abuse by individuals, criminals, companies and governments
- Sense of intrusion into your personal space
- Fear of harm due to disclosure of personal information
- Strongly identifying information
- Your address, date of birth, sexual orientation, and so on.
- The principle of data minimization – high cost to companies for handling personal data securely
- Privacy policies determining what purposes data can be used for, and for how long
- Weakly identifying information
- When sufficient such data is combined this can uniquely characterize you
- Companies need to provide privacy policies on how they handle such data
- Need for adhering to best practices to avoid reputational damage to companies
- Including regulatory requirements
The IoT and the Web
- Web technologies are increasingly important for the IoT
- Web protocols like HTTP
- Semantic descriptions based on RDF
- HTML5 and the Open Web Platform for human-machine interface
- The Web security model and its relationship to the IoT
- Access rights for web apps are scoped to the app's origin
- The Web is moving to encrypt all communication
- It is important to transition the Web from passwords to public key cryptography.
- Users authenticate to the browser, and browser authenticates to the website.
- For the IoT, the user (owner) isn’t around at the time the device needs to authenticate itself to a service.
- We, therefore, need a way for users to authorize the device in advance.
- This is a Form of Trust (FoT) delegation and introduces the need to authenticate users as well as service providers.
Implementing energy-, processing-, and memory-efficient security techniques to fulfill important IoT security requirements is still a challenging task.