Security related to the Internet of Things has been a key theme this week at the Fog Computing Conference in San Jose.
The reason we hear so much about security breaches lately, suggested Steve Kirsch of OneID, is that organizations typically rely on shared secrets. What they should be doing, he said, is authenticating with signatures. For the Internet of Things, he added, the user-to-device authentication process needs two or more signatures (each more than 128 bits), plus one ECDSA signature (also more than 128 bits) to provide a key from the thing to the user.
There's a myth that biometrics will fix security concerns, he added, but "they are kind of a shared unsecret," noting that fingerprints can be lifted from a glass, or obtained from another application that uses the same biometric.
The idea that passwords are bad is another myth, according to Kirsch.
“Passwords are inherently good,” he explained. “The problem is the way we use passwords is wrong.”
Passwords, he said, should be combined with salt and used as an ECDSA signing key, with the challenge coming from the other end saying “hey sign this.”
“When you do passwords that way it’s extremely safe,” he said.
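The scheme Kirsch sketches, a password stretched with a per-user salt into an ECDSA signing key that answers a server-issued challenge, as an added example in Go (this is illustrative code, not OneID's or the conference's). It assumes a PBKDF2-HMAC-SHA256 stretch, the P-256 curve, and a server that stores only the salt and the public key; the function and type names, the work factor and the sample password are all invented for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/big"
)

// Assumed parameters for this illustration (not from the article).
const (
	kdfIterations = 100_000 // PBKDF2 work factor
	saltLen       = 16
	challengeLen  = 32
)

// pbkdf2SHA256 returns the first 32-byte block of PBKDF2-HMAC-SHA256
// (RFC 8018), written out so the example needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): block index, big-endian
	u := mac.Sum(nil)             // U1
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil) // U_{i+1} = HMAC(password, U_i)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// DeriveSigningKey turns (password, salt) into a P-256 ECDSA private key.
// The stretched bytes are reduced into [1, N-1] so the scalar is always a
// valid key; the same password and salt always yield the same key, which
// is what lets the client re-create it at every login.
func DeriveSigningKey(password, salt []byte) *ecdsa.PrivateKey {
	curve := elliptic.P256()
	seed := pbkdf2SHA256(password, salt, kdfIterations)
	d := new(big.Int).SetBytes(seed)
	nMinus1 := new(big.Int).Sub(curve.Params().N, big.NewInt(1))
	d.Mod(d, nMinus1)
	d.Add(d, big.NewInt(1))
	x, y := curve.ScalarBaseMult(d.FillBytes(make([]byte, 32)))
	return &ecdsa.PrivateKey{
		PublicKey: ecdsa.PublicKey{Curve: curve, X: x, Y: y},
		D:         d,
	}
}

// Enrollment is all the server keeps: no password and no password hash,
// only a salt and a public key that cannot be replayed as a credential.
type Enrollment struct {
	Salt   []byte
	PubKey *ecdsa.PublicKey
}

// Enroll runs on the client: derive the key, send the server salt + public key.
func Enroll(password []byte) (Enrollment, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return Enrollment{}, err
	}
	priv := DeriveSigningKey(password, salt)
	return Enrollment{Salt: salt, PubKey: &priv.PublicKey}, nil
}

// NewChallenge is the server's "hey, sign this": fresh random bytes per login.
func NewChallenge() ([]byte, error) {
	c := make([]byte, challengeLen)
	_, err := rand.Read(c)
	return c, err
}

// SignChallenge runs on the client: re-derive the key and sign the challenge.
func SignChallenge(password, salt, challenge []byte) ([]byte, error) {
	priv := DeriveSigningKey(password, salt)
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyResponse runs on the server against the stored public key only.
func VerifyResponse(e Enrollment, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(e.PubKey, digest[:], sig)
}

func main() {
	password := []byte("correct horse battery staple") // constructed sample
	e, err := Enroll(password)
	if err != nil {
		panic(err)
	}
	challenge, _ := NewChallenge()
	sig, _ := SignChallenge(password, e.Salt, challenge)
	fmt.Println("signature:", hex.EncodeToString(sig))
	fmt.Println("verified:", VerifyResponse(e, challenge, sig))
	wrong, _ := SignChallenge([]byte("wrong password"), e.Salt, challenge)
	fmt.Println("wrong password verified:", VerifyResponse(e, challenge, wrong))
}
```

The password itself never crosses the wire and the server's record is not a shared secret: a stolen enrollment table yields nothing that can be presented as a credential. One caveat a practitioner should keep in mind: whoever holds the salt and public key can still test password guesses offline by deriving candidate keys, so the scheme's strength is bounded by password entropy and the KDF work factor, exactly as with a salted password hash. The challenge must also be fresh per login, otherwise a captured signature can be replayed.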
Dmitri Varsanofiev, CTO of IP Cores Inc., talked about the need for asymmetric (public-private key) cryptography in fog computing. He said the choice is between what he called tried-and-true RSA, and ECC.
But ECC, he said, needs much shorter keys, makes private keys easier to generate, and has the NSA's blessing as part of its Suite B algorithms, so it works for U.S. government applications and is thus unlikely to have major problems.
Organizations that are designing new gadgets, he said, should include ECC cryptography.
Don Banks, distinguished engineer for CTG architecture at Cisco, the Diamond sponsor of the Fog Computing Conference, said fog node security needs encryption at line rate (for data both at rest and in motion); an encryption SoC for high-bandwidth scenarios and ISA support for lower-bandwidth ones; MACsec (802.1AE) to ensure an Ethernet frame came from the station that claims to have sent it; and WEP authentication for endpoints on the WLAN.
Remote attestation can be used to detect unauthorized software changes, he added, and remote orchestrators can handle end-to-end trust and identity management. He also said security needs to extend up into the application, beyond the hypervisor.
Edited by Stefania Viscusi