The Internet of Things (IoT) is a paradigm expected to bring about a new era of connectedness and collaboration, and is already revolutionizing the way we live and work. However, it comes with a number of new security challenges. Because IoT devices are often connected to sensitive data and systems, they can be attractive targets for attackers. The amount and variety of devices connected to the internet is constantly increasing, as is the quantity of data generated. This data is often sensitive, confidential, or both.
One way to protect this data is through the use of cryptographic algorithms, the mathematical equations used to encode and decode data. This article with insights from Mouser Electronics explores how electronic devices use complex cryptographic algorithms to keep our information safe from attacks in IoT environments, and how hardware accelerators with cryptographic functions are being used to make this possible.
The ABC of cryptographic functions
Cryptographic algorithms are mathematical functions that are used to encrypt and decrypt data. These algorithms are designed to be very difficult to break, making them essential for keeping information safe. Cryptographic hardware accelerators are specialized microchips or security coprocessors that are designed to perform cryptographic algorithms very quickly. These kinds of devices can achieve complex cryptographic functions faster than software-based algorithms.
There are three main types of cryptographic algorithms: message authentication, message integrity, and security functions.
1) Message Authentication
A Message Authentication Code (MAC) is a cryptographic checksum on data that is used to detect whether a message has been tampered with. A MAC algorithm uses a secret key to generate a message digest, which is then appended to the message. The message and digest are then sent to the receiver, who uses the same secret key to generate a message digest from the received message. If both digests match, the receiver knows there’s been no tampering.
2) Message Integrity
Message integrity is the ability of a message to resist modification or corruption while in transit. Integrity is important because it ensures that the message received is the same message that was sent. To achieve message integrity, cryptographic hash functions are used. A cryptographic hash function takes an arbitrary block of data and produces a fixed-size hash value. The hash value is a summary of the original data, and it is nearly impossible to produce the same hash value from two different pieces of data.
3) Security Functions
Cryptographic algorithms are used in a variety of security functions, including digital signatures, key exchange, and encryption. A digital signature is a mathematical scheme for demonstrating the authenticity of a digital message or document. Encryption is the process of transforming readable data into an unreadable format that protects it from being read if intercepted.
Main Threats of IoT Devices Today
The number of IoT devices connected to the internet makes them desirable prey for malicious hackers. There are a few types of attacks that these devices often encounter:
1) Random data or fuzzing attacks: Fuzzing attacks involve feeding random data to an application or system in order to crash it or force it to reveal information. This type of attack can be difficult to detect and can be used to exploit vulnerabilities in a system.
2) Rowhammer attacks: Rowhammer attacks exploit a hardware vulnerability in some types of DRAM (dynamic random-access memory) chips. This type of attack can be used to gain access to sensitive data or to cause denial-of-service conditions.
3) Side-channel attacks: Side-channel attacks exploit the side effects of cryptographic algorithms that can leak information about the algorithm or the data being processed. This type of attack can be used to break the security of cryptographic systems.
4) Trial and error attacks: Trial and error attacks involve trying different values for a secret key until the correct value is found. This type of attack can be used to break the security of cryptographic systems.
Mutual authentication: a practical example
As we mentioned, cryptography can play a vital role in securing the IoT. It can be used to protect data in transit to authenticate devices and users, and to provide access control. In this section, we will focus on how cryptography can be used for mutual authentication, which is a crucial security measure for IoT devices.
Mutual authentication is a process in which both parties in a communication verify each other’s identity. This is in contrast to single-factor authentication, in which only one party (usually the user) is authenticated. Mutual authentication is important for IoT devices because it helps to ensure that data is only exchanged between legitimate devices. Furthermore, mutual authentication can help to prevent man-in-the-middle attacks, in which an attacker intercepts communication between two parties and impersonates one of them.
Azure RTOS is a secure operating system that provides a foundation for building reliable and secure applications. The RTOS includes a number of security features, including support for PKCS#11, which is a standard interface that allows an operating system to communicate with a hardware security module (HSM).
The Azure RTOS supports a number of HSMs, including the ATECC608 and TA100 secure elements from Microchip Technology. The ATECC608 TrustFLEX Secure Element is a hardware-based security module that can be used to store sensitive data, such as cryptographic keys. It includes a built-in true random number generator (TRNG), which can be used to generate the shared secret.
Secure Boot is a security feature that is built into Azure RTOS. It ensures that only signed, approved software can run on the system. This helps to protect the system from malicious code and other security threats.
Using mutual authentication with Azure RTOS
To use mutual authentication with Azure RTOS and the ATECC608, we will first need to generate a shared secret. We can do this using the TRNG on the ATECC608. Next, we will need to compute the MAC for each message that is sent. To do this, we will use the HMAC-SHA256 algorithm, which is a standard message authentication algorithm. The shared secret and the message will be used as inputs to the HMAC-SHA256 algorithm, and the output will be the MAC. Finally, we will need to verify the MAC on each message that is received. To do this, we will use the same shared secret and HMAC-SHA256 algorithm. If the MAC is valid, then we can be sure that the message came from a legitimate device. Using mutual authentication can help to ensure that data is only exchanged between legitimate devices. It can also help to prevent man-in-the-middle attacks. Mutual authentication is a crucial security measure for IoT devices, and the Azure RTOS platform and ATECC608 TrustFLEX Secure Element can be used to implement it.
More resources for boosting IoT security
There are many products available from Mouser that can be used to build your IoT networks such as sensors, development platforms, and connectivity devices, but when it comes to the IoT, security cannot be overlooked. Solutions need to cover both software and hardware attacks and include features for:
- Secure Boot
- Secure OTA firmware update
- Secure Key storage
- Serial bus encryption
- Hardware attacks and tamper protection
- Detecting and managing abnormal situations
- IP protection for software
And the above are only a few of the possibilities. Today, it is possible (and necessary) to find devices and solutions that help protect IoT products from the initial design and manufacturing stages to the very end of the product’s lifecycle in order to comply with major IoT certification requirements and ensure the highest level of security.
In addition to the Microchip ATECC608 example explained earlier on in this article, several manufacturers offer hardware and ecosystem support to protect IoT devices from attack, thanks to these essential security features. Some examples are:
Integrated Crypto Controllers such as the Maxim Integrated DeepCover Crypto Controller are among other devices that implement cryptographic functions out of the box. This particular one is a security coprocessor that provides turnkey cryptographic functions ranging from Key exchange and TLS secure communication to anti-cloning, anti-counterfeiting, feature and usage control.
Authentication ICs, like the STMicroelectronics STSAFE-A110, provide authentication and secure data management services to a local or remote host. The STSAFE-A100 is the latest generation of highly secure MCUs, featuring both advanced asymmetric and symmetric cryptography, and a secure operating system with kernel for authentication and data management, and protection against logical and physical attacks.
Plug & Trust Elements offer robust defense against different attack scenarios as well as an expanded feature set for a wide range of IoT use cases. The NXP Semiconductors EdgeLock® SE050 Plug & Trust Secure Element Family, a ready-to-use solution for IoT devices at the IC level, provides true end-to-end security from the edge to the cloud without the requirement for security codes, essential keys, or credentials.
Conclusions and main takeaways
Data is becoming more valuable than ever, and this trend is likely to continue and evolve in the future. As IoT devices become more pervasive in our lives, so does the importance of having strong cybersecurity mechanisms to protect them against malicious attacks.
This article explored the main cryptographic techniques to protect IoT devices from attacks, the more frequent kinds of attacks that these devices experience and, the main products that are ideal for achieving state-of-the-art protection in today’s scenario.
For more in-depth technical information about these IoT security devices and solutions, visit the security hub on Mouser Electronics’ website.