Authentication and device identification in IoT security

IoT technology is experiencing significant growth in consumer and business environments. Device identification is becoming more important as more and more IoT devices connect to the network intermittently and are required to communicate securely with other devices as well as the backend infrastructure.

Experts and researchers will point out that the IoT must be secure in order for its value to be realized. Usually this point is justified by describing a scary scenario where an attacker is able to access a device with which he can reset an insulin pump. Such incidents of impersonation of valid users highlight the importance of device identification in IoT. If organizations are not sure of what IoT entity they are messaging with, then they won't be able to protect the potentially sensitive sensor data being shared or the transactions being conducted.

Enabling device identification in IoT with PKI

Organizations rely on digital communications that are secured with digital certificates based on Public Key Infrastructure (PKI) for their daily operations. These certificates are typically used for several security purposes, such as device authentication, securing communications using TLS/SSL, and securing machine-to-machine and program-to-program communication. Due to its versatility and its ability to scale, PKI is considered significant in enabling a secure foundation for device identity and authentication.

The following are the adaptations that PKI should have in order to enhance IoT security:

IoT scale

PKI should be able to effectively sustain the process of issuing digital certificates in high volumes. In some cases, it may require issuing certificates at high velocity, for example, issuing certificates for manufacturing lines or short-lived certificates. Experts say that IoT scale can be achieved with on-premises PKI, while cloud-based PKIs mostly offer organizations a more economical and feasible way of achieving IoT scale.

Long-lived certificates

Typically, digital certificates have a finite life span which means they have expiry dates. Previously, the expiry date of an enterprise digital certificate was measured in years. But in the case of IoT devices, some use cases may demand short-lived certificates, while many other devices may require longer-lived certificates.

A longer-lived certificate is required where a consumer device requires long-term certificate-based authentication. Customers seeking long-lived certificates should be aware that, because these certificates require little change over time, they may be problematic when dealing with PKI/CA compromises. IoT project leaders must carefully determine the required lifespan of these digital certificates and also recognize the pros and cons.

PKI hardware interoperability

PKI must be able to communicate directly with a hardware security environment, such as a secure element or a TEE, to properly generate cryptographic keys and store certificates. One of the main issues that has affected mobile device environments is that these secure environments have always been inaccessible to the software stack. This has led a number of developers to store cryptographic key information in software, something that is viewed as being less secure when compared with hardware security.

Certificate life cycle management

As certificates are critical entities that have life cycles, they need to be managed. Manual processes for tracking and identifying certificates will not scale and therefore will not meet the requirements of IoT. Thus PKI should be combined with certificate management vendors who are focusing their efforts on creating a scalable management platform. This platform should then be able to handle IoT use cases.
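The lifecycle and lifespan points above can be automated over a fleet inventory. The sketch below is an added example, not part of the original article or any vendor's platform; the record fields, the two-thirds renewal rule, the five-year "long-lived" threshold, and the sample devices and CA names are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class DeviceCert:
    device_id: str
    issuer: str            # name of the issuing CA
    not_before: datetime
    not_after: datetime
    key_store: str         # "secure_element", "tee" or "software"

RENEW_FRACTION = 2 / 3                  # assumed policy: renew after 2/3 of the lifetime
LONG_LIVED = timedelta(days=5 * 365)    # assumed threshold for a "long-lived" certificate

def triage(cert, now, compromised_issuers=frozenset()):
    """Return the lifecycle action for one certificate."""
    if cert.issuer in compromised_issuers:
        return "REISSUE"                # a CA compromise overrides the validity dates
    if now >= cert.not_after:
        return "EXPIRED"
    lifetime = cert.not_after - cert.not_before
    if now >= cert.not_before + lifetime * RENEW_FRACTION:
        return "RENEW"
    return "OK"

def risky_long_lived(cert):
    """True for a long-lived certificate whose private key is held in software."""
    lifetime = cert.not_after - cert.not_before
    return lifetime >= LONG_LIVED and cert.key_store == "software"

def fleet_report(inventory, now, compromised_issuers=frozenset()):
    """Group device IDs by required action, plus a long-lived/software-key flag."""
    report = {k: [] for k in ("REISSUE", "EXPIRED", "RENEW", "OK", "LONG_LIVED_SOFTWARE_KEY")}
    for cert in inventory:
        report[triage(cert, now, compromised_issuers)].append(cert.device_id)
        if risky_long_lived(cert):
            report["LONG_LIVED_SOFTWARE_KEY"].append(cert.device_id)
    return report

def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample inventory (hypothetical devices and CA names).
SAMPLE = [
    DeviceCert("pump-001", "Factory CA 1", _utc(2020, 1, 1), _utc(2040, 1, 1), "secure_element"),
    DeviceCert("sensor-17", "Factory CA 1", _utc(2024, 1, 1), _utc(2024, 1, 31), "tee"),
    DeviceCert("cam-203", "Factory CA 2", _utc(2018, 6, 1), _utc(2038, 6, 1), "software"),
    DeviceCert("gw-9", "Factory CA 2", _utc(2023, 1, 1), _utc(2024, 1, 10), "secure_element"),
]
NOW = _utc(2024, 1, 25)
```

Calling `fleet_report(SAMPLE, NOW, frozenset({"Factory CA 2"}))` shows why long-lived certificates complicate a CA compromise: every device under that CA moves to the reissue list regardless of how many years remain on its certificate.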

As IoT project leaders recognize the need to implement IoT hardware security, they understand the importance of PKI in their IoT security architecture for enabling device identity, authentication, and enhancement of the overall security.

Jose Flavio Quispe Irrazábal

Entrepreneur | Senior Android Engineer | Mobile Developer

8 years ago
Darron Antill

CEO at Device Authority

8 years ago

This is a great article and aligns with our strategy at Device Authority. We provide PKI for IoT at scale and provide that automation and management and device bound security you reference. Please connect with us.

Bharat Venkatachalaiah

Cyber Security Professional

8 years ago

Not so simple.......Certificate life cycle management

Alaguraja Pandian

Aspiring Entrepreneur | Thought Leader | Global Business Development Leader | Product Manager | Architect | Engineer

8 years ago

Good read. Written nicely; still makes me wonder is it that simple? While executing some surprises are awaited...

More articles by Naveen Joshi