NIST lays groundwork for encrypting IoT devices
- By Sara Friedman
- Apr 19, 2018
As internet-of-things devices infuse IT systems controlling health care equipment, power grids, manufacturing processes and home security, they require a way to defend against cyberattacks. Most cryptographic systems, however, were designed for desktop PCs and servers and are therefore unsuitable for very small devices that have more limited computational resources.
The National Institute of Standards and Technology's lightweight cryptography initiative aims to develop standards that can work within the confines of a simple electronic device. On April 18, the agency issued a call to software developers for help in crafting requirements and guidelines for technology to secure data in constrained environments.
“The IoT is exploding, but there are tons of devices that have nothing for security,” NIST computer scientist Kerry McKay said in an April 18 blog post. “There’s such a diversity of devices and use cases that it’s hard to nail them all down. There are certain classes of attacks to consider, lots of variations. Our thinking had to be broad for that reason.”
McKay and team members spent four years consulting with industry groups to get their feedback on the requirements and evaluation criteria.
“Draft Submission Requirements and Evaluation Criteria for Lightweight Cryptography Standardization Process” lays out the submission requirements and evaluation process for
lightweight cryptography standardization. Once the document is final, NIST plans a year-long review phase of the submitted algorithms, after which it will hold a workshop to discuss the analysis of the first round of candidates.
NIST is specifically looking for solutions that use symmetric cryptography, where both the sender and recipient have an advance copy of a digital key that they can use to encrypt and decrypt messages.
Lawmakers are also looking for a way to ensure the security of IoT devices. Sen. Edward J. Markey (D-Mass.) has proposed creating a label – like the Energy Star seal – that would indicate to buyers that IoT devices meet certain cybersecurity requirements.
A similar bill introduced last year by Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.) would require that devices purchased by the U.S. government are patchable, do not include hard-coded passwords that can’t be changed, and are free of known security vulnerabilities, among other basic requirements.
Researchers at MIT recently developed a tiny chip suitable for inclusion in connected devices that is purpose-built to perform public-key encryption. According to the researchers, their chip uses only 1/400 as much power as software execution of the protocols would require. It also does the job 500 times faster than software.
The draft lightweight cryptography document follows on the heels of NIST's February report on the status of international efforts to standardize IoT components, systems and services.
NIST is accepting comments on the submission requirements draft for 45 days once an announcement appears in a Federal Register. The draft can be found here.
Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.
Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.
Friedman can be contacted at firstname.lastname@example.org or follow her on Twitter @SaraEFriedman.
Click here for previous articles by Friedman.