Cryptography for IoT

In any technology based on data exchange, security is a crucial property, where cryptography plays a key role. Let's see how this field developed in the past and try to look into the near future.

Look back

Machine cryptography, since its inception in the twentieth century, relied on the use of specialized encryption devices - initially mechanical, and then electromechanical encryption machines. General-purpose computing computers appeared much later. An example of such machines is the well-known German encryption machine Enigma, the decryption of which by cryptanalysts from Great Britain greatly influenced the outcome of the World War II.

With the development of information theory, started by Claude Shannon in 1948, and the advent of general-purpose computing machines, the development of cryptography has reached a new level. At that time and until the end of the 20th century, two main goals were set for applied encryption:

· The cipher must have sufficient resilience so that an attacker, possessing significant computing resources, could not decrypt the message without knowing the secret key within a reasonable time;

· One key should be able to encrypt as much data as possible.

It should be noted that the tasks set at the end of the 20th century were generally solved. However, new challenges arose related to the advent of the Internet of Things and the threat of quantum computers.

Challenges and Requirements

The Internet of Things (IoT) is an industry based on data exchange, and the protection of this data is integral. The security of Low Power Wide Area Network (LPWAN) class devices, which have limited computational capabilities and work with small data packets, is especially important. The requirements for cryptography for such devices are as follows:

· Working with small data packets. Devices send small data packets via a radio channel with infrequent communication sessions. The cryptographic algorithm must be able to encrypt and decrypt these small data packets effectively. It is preferable to use algorithms with variable block lengths to adapt to different data packet sizes.

· Minimal overhead on traffic. Bandwidth and data transmission costs are limited. The cryptographic algorithm should minimize traffic overhead, not significantly increasing the size of data packets. This will help reduce data transmission costs and extend the device's lifespan.

· Computational efficiency. Devices have limited computational resources. Therefore, the cryptographic algorithm must be computationally simple to work on low-power chips. Such an algorithm will allow devices to efficiently perform encryption and decryption operations without significantly increasing the load on their processors.

· No permanent communication channel. Devices communicate through infrequent communication sessions, usually once an hour or once a day. The cryptographic algorithm should be designed to work without the need to maintain a constantly active connection. This will allow devices to save energy and extend battery life.

As IoT develops and the number of devices connected to the network increases, new challenges for cryptography emerge. One such challenge is the threat of quantum computing, which could compromise the resilience of existing cryptographic algorithms. Consequently, cryptography for IoT should take into account the potential emergence of quantum computing and provide data protection resilient to such threats.

Developing cryptography for the Internet of Things, especially for LPWAN class devices, presents a complex task. It requires considering specific requirements such as working with small data packets, minimizing traffic overhead, computational efficiency, and operation without a constantly active communication channel. Additionally, cryptographic solutions must be ready for new challenges, such as threats from quantum computing, and ensure data security in the rapidly developing and spreading IoT landscape.

Quantum Computing-Based Attack

Quantum computers pose a threat to existing cryptographic systems. Currently, ciphers can be divided into two categories: symmetric and asymmetric. To understand the threat that quantum computers present, it is necessary to consider their impact on each of these categories.

In symmetric ciphers, all parties use the same key for encrypting and decrypting messages. However, the problem of secure distribution of this key among participants arises. This can be solved physically, for example, using special couriers, or automatically using key generation distribution algorithms, including quantum key distribution.

In the case of asymmetric ciphers, each party has two keys: a secret and a public one. The secret key is known only to the user, and the public key is available to everyone. The public key of the recipient is used for encryption, and decryption is done using his secret key. The sender can also apply his secret key to create a digital signature, which guarantees the authorship and integrity of the message.

Now we have refreshed in memory what distinguishes symmetric and asymmetric ciphers. It turns out that almost all modern asymmetric ciphers and the cryptographic algorithms that underpin them are vulnerable to a quantum computer, often referring to Shor's algorithm. However, it is also necessary to clarify what kind of quantum computer is needed - because quantum computers exist, while asymmetric ciphers are successfully used (for example, RSA).

However, as already mentioned, symmetric cryptographic schemes require key distribution among participants: this can be either distributed key generation (QKD, Diffie-Hellman), or their physical delivery (couriers). Obviously, courier delivery is a "technology" of the last century. QKD is expensive and has physical distance limitations. Diffie-Hellman is not quantum-resistant and requires replacement. To solve the problem of quantum cracking, NIST in 2016 launched a program to develop quantum-resistant (or post-quantum) algorithms and in 2022 selected candidatesfor the federal standard from them. The algorithms turned out to be quite resource-intensive for execution, and therefore, they are not always suitable for IoT applications. However, within the scope of another NIST competition focusing on lightweight cryptography, algorithmstailored for IoT were presented. Nevertheless, none of these algorithms possess quantum resistance.

From the above, it is clear that symmetric algorithms are the best candidates for the Internet of Things in the post-quantum era, with key distribution being the main hurdle. Modern asymmetric ciphers and cryptographic algorithms used in them are vulnerable to the threat of quantum computers, particularly Shor's algorithm. However, it's important to note that the requirement of a quantum computer to break asymmetric ciphers depends on their specific implementation. For example, asymmetric ciphers such as RSA are still secure, despite the existence of quantum computers. On the other hand, symmetric ciphers turn out to be more resistant to quantum attacks. For instance, the well-known Grover's quantum algorithm provides a quadratic speedup when guessing a key in the AES cipher, but this can be compensated for by increasing the key length.

Quantum-resistant algorithms and protocols offer new methods of encryption and key distribution that are resistant to quantum computer attacks. They are based on mathematical principles that cannot be easily resolved by quantum computations. However, transitioning to quantum-resistant algorithms is not a straightforward process. It requires upgrading and replacing existing systems and infrastructure, which may demand significant effort and resources. Furthermore, the implementation of quantum-resistant algorithms needs to be agreed upon and coordinated at an international level to ensure compatibility and secure communication.

Quantum supremacy threatens the security of modern encryption algorithms. In fact, quantum computers of the necessary capacity will soon be able to decrypt any communication protected by asymmetric cryptographic algorithms. Unfortunately, a fully quantum-resistant solution is not yet available, and the existing quantum key distribution schemes are not suitable for large-scale implementation. This article proposes a simple and affordable approach to the problem based on a one-time symmetric key.

Development Road

If we fix the level of resistance for cryptanalysis, which is usually determined by business requirements, there is a relationship between the frequency of key change and the complexity of the cipher: the more often the key is changed, the simpler the cipher can be. A simpler cipher means less demanding on computational resources. The extreme point on this scale is Vernam cipher, where XOR is used as a function for data transformation on the key, i.e., a simple bitwise addition of the message and the key. This cipher consumes keys in the amount equal to the volume of the message; the volume of the message itself does not change. It is proven that Vernam cipher has absolute cryptographic strength, i.e., it cannot be hacked by any means if two conditions are met: each key is truly random and used only once. By the way, this cipher has a rich history - it was used by spies in the pre-computer era. For this purpose, the spy received a set of keys (one-time pad) in the form of a cipher notebook.

Vernam cipher may seem ideal, but its main drawback - a huge key consumption - makes it unacceptable for everyday use: for example, 1 hour of video conference consumes from 0.5 to 7.2 GB of traffic depending on the resolution. This would mean that all parties must have the same volume of keys, delivered in a secure way. However, this method is used in some diplomatic communication channels, where convenience and cost issues give way to confidentiality requirements.

Examples and Estimates

Let's evaluate how realistic the application of Vernam cipher in real scenarios is.

Scenario 1. Temperature and humidity sensor. Suppose we need to transmit sensor readings of temperature and humidity from an agricultural field. Let it measure temperature from 0 to +50°C with a step of 0.5°C and humidity from 0 to 99% with a step of 1%. In total, 100 values or 7 bits each. Let's reserve 1 byte for redundancy (for example, parity check), we get 2 bytes of useful data for one measurement. Suppose measurements are made every hour for 10 years: 2B x 24h x 365d x 10 years = 175,200 B, i.e., <200kB for the entire service life of the device. We remember that for the application of this cipher we need the same volume of keys.

Scenario 2. Water meter. Measurement of water consumption from 0 to 10,000 m³ with an accuracy of 1% - 1,000,000 values, 20 bits + redundancy = 3B. Daily measurements for 16 years: 3B x 365d x 16 years = 17,520 B, an order of magnitude less than the previous case.

We deliberately do not consider scenarios of such connected devices as smartphones, electricity meters, surveillance cameras, or cars. These are devices with significant energy resources and a productive processor, which puts them in a different class. The only limitation that humanity may face with the growth of such devices is the spectrum deficit, but that's another story.

These are just estimates, which, however, give an understanding of the magnitudes of data and keys. So, it can be seen that Vernam cipher in the world of IoT may have a right to exist, but it requires a solution to the task of safe storage of keys, and on both sides - in the cloud platform and in the device itself.

Implementation Details

Safe key storage is required both on the cloud platform and on the device for the implementation of such an approach.

For a long time, HSM (hardware security module) has been used as an infrastructure element for working with cryptography (keys, encryption operations). They have matured and it is unlikely that anything can be significantly improved here. On endpoint devices, it is a good practice to use a security module (secure element), which in cellular devices is a SIM card (including variants eSIM, iSIM, etc.). In turn, the SIM card is the UICC chip with specific software (applets), which is also used in bank payment cards with a different set of applets. The UICC can be represented not only as a replaceable card but also as a soldered chip (eUICC) or as an IP block for placement on another chip (iUICC).

The widespread use, proven safety, and cheapness of the UICC chip make it candidate No. 1 for the role of a security module in Internet of Things devices. This is also supported by the GSMA IoT SAFE concept (IoT SIM Applet For Secure End-2-End Communication), which puts the SIM card in the role of the root of trust in devices. At the same time, the key material can be stored not only on the UICC itself, but also on an external storage in a crypto-container, to which only the security module will have access. If it is necessary to update the key material, a mature Key Wrap technology can be used, which has long been used for key synchronization in HSM.

Thus, all components of this approach are already on the market, tested in the industry, produced in large quantities, so they have an extremely low price. It is also important that the technologies used are familiar to modern engineers, and they can immediately start developing solutions based on them.

So, this approach with the use of one-time symmetric keys paves the way for simple lightweight cryptography for the Internet of Things - with a small overhead, ready for execution even on a SIM card and completely indifferent to the appearance of a powerful quantum computer.