What are the future of traditional authentication protocols that are based on DH or RSA for securing the IoT, Fog and Edge computing in case of emergence of the quantum computing ?
The cryptography community has already started preparation for the post-quantum world. For example, there is a paper by Daniel J. Bernstein (et al.) ''Post-quantum RSA'' (https://cr.yp.to/papers/pqrsa-20170419.pdf), where authors propose RSA parameters for which:
key generation, encryption, decryption, signing, and verification are feasible on today’s computers,
all known attacks are infeasible, even assuming highly scalable quantum computers.
Based on that I assume that a lot of traditional protocols will be adjusted to the modifications of classical DH and RSA. On the other hand, alternative public key algorithms attract increasing attention, e.g. hash-based cryptography, code-based cryptography or lattice-based cryptography. Thus, protocols based on those concepts will become an interesting alternative.
Dear Tomasz Mazurkiewicz, firstly, thank for your answer.
Since the IoT devices have constraints in its memory, computation and packet size, the post-quantum cryptography needs a larger key size and more consume computation than traditional cryptography. Therefore, it may not suitable for IoT devices.
The IoT is much more than connected devices and ideally requires an organized and dedicated IoT infrastructure, which is typically viewed as having four distinct stages to reflect the path data travels from IoT devices to final analysis. Data processing can occur at each of these four stages. These stages are:
The sensor or actuator – For example, a sensor may collect data to monitor water temperature while an actuator will perform a physical function, such as closing or opening a valve when a predetermined temperature is reached.
Internet Gateways – Analog sensor data is collected and converted to digital, then streamed over your chosen protocol, whether Wi-Fi, wired LAN or the Internet. This allows all data to be sent out for processing as real-time analysis is data intensive and could slow down your network. Think of it as a pre-processing aggregation stage from all IoT devices. One example is the Azure IoT hub – where device data is sent to the cloud.
Edge IT – An intermediary stage that performs additional analysis before sending data to the data center. Again, this is to reduce traffic to the data center and ensures that network bandwidth is not exceeded at the data center. For example, you will not require all data from all devices but only data that satisfies defined criteria for further action.
The Data Center or Cloud – Detailed analysis of remaining data is possible, and reports generated are sent to the on-premise network. When data-intensive processing and analysis takes place off-site, IT teams do not need to worry about lack of network bandwidth onsite.
How each of these stages is implemented will depend on the number of IoT sensors and devices, the volume of data generated and how this data is processed. An effective IoT ecosystem must consider security and authentication is one way of achieving that goal, whether involved in the Industrial Internet or simply leveraging the benefits of IoT devices that complement operational processes.
Don't let your business data fall into the wrong hands. Download this free eBook.
What is IOT Authentication?
The ability to secure data and limit it to only those with the correct permissions is not a new idea and is used extensively in many industries. One can only wonder why connected devices were not subject to the same security principles from the beginning.
There are simply too many categories of IoT devices to mention in a post of this size but they vary widely in terms of security levels. Some connect using proximity-based protocols such as Bluetooth, RFID (radio frequency identification), or Wi-Fi while others use GPS, 4G or are hard-wired. Connecting them is often as easy as scanning for nearby devices, by inputting a short code (that may or may not be changed from a default) or by using a form of multi-factor authentication to verify device and recipient permissions.
Cue the game show Jeopardy! “What is IoT authentication?”. The answer is, of course, impossible to define in a short sentence but perhaps in a paragraph or two.
IoT use cases are as varied as the IoT products they utilize but current trends suggest that change is coming, although it may take a while to filter through to all device manufacturers. Most of us are familiar with online shopping. Would you buy from a store that does not utilize SSL, where the lock symbol is displayed on some browsers or the address starts with https? A similar approach to IoT devices is likely and is known as PKI (public key infrastructure) where digital certificates prove the authenticity of the site or in this case, the IoT device.
Digital certificates would ensure a level of trust in an IoT device that may otherwise be lacking and, when combined with IoT applications to monitor the infrastructure, could identify and prevent access to uncertified devices with weak security.
In my opinion, there is no real blockchain vs. PKI argument but it’s worth mentioning. Blockchain’s use of a decentralized ledger could enhance PKI and ensure digital cert management is audit-able and of course any changes made are irreversible. If not decentralized, PKI for the IoT could well be perceived as a financially-motivated initiative by digital cert providers. That said, the primary concern is how to manage authentication.
Implementing IOT Authentication Methods
Regardless of authentication method, IoT security is the aim. You may decide two-factor authentication is sufficient or require SSO (single sign-on) for convenience. You may wish to use Azure IoT to manage all devices. You may have specific requirements for quality of service that require the use of an MQTT client. MQTT (Message Queuing Telemetry Transport) is a messaging protocol and one of many possibly used by IoT devices.
However, IoT devices use a wide variety of protocols and standards and your authentication methods must consider this variation. Therefore, familiarity with these variations is a must and intimate knowledge of the IoT devices purchased is necessary to ensure that each device is capable of authentication in a secure manner. Some may need manual update (lacking OTA functionality) and others may have locked settings that cannot be changed from the default. Perhaps an IoT platform will automate most of your requirements?
In conclusion, IoT authentication methods are necessary to secure IoT devices and there are several ways to achieve this objective. Some may assign dedicated IoT networks, sacrificing beneficial features in the name of security. Bear in mind that it is possible to integrate everything in a manner that is also secure, but you need to ensure that devices are built with security by design. As a result, you may need to decommission some devices but surely that’s a small price to pay for peace of mind and a secure infrastructure?