How to secure the internet of things with digital identities

Enabling secure digital identities based on certificates is a crucial step in risk management for the internet of things. In this text, IoT expert Arno Fiedler gives an overview of how this is done.

Parallel to the growing possibilities provided by mobile apps, a gradual networking of our living environment is taking place: every new printer, TV set, smart light bulb, camera or digital door key is connected to the internet. WLAN access points and amplifiers as well as powerline adapters have been installed millions of times in households worldwide. Digital language assistants like Amazon’s Alexa and Google Home connect us permanently with the convenient service offerings of this “beautiful new world.”

Digital identities are necessary for security

The internet of things has already become a reality for most of us in our own homes, but the general understanding of the resulting security risks is lagging. It is urgent to remedy this situation, as there is more at risk than the confidentiality of information. If attackers are able to read the data, or if a WLAN repeater leaks every stored password, concrete security threats emerge.

As in other areas of internet security, ensuring secure digital identities for IoT devices is a crucial step in risk management. Forgery-proof identities, represented by certificates, for all parties – machines, processes, material, users, products, software code, data, and so on – contribute significantly to improving security, together with authentication and authorization procedures based on these identities. The digital certificates may also contain the necessary information and keys for encryption and signing.

Trustworthy certificate authorities are needed

Secure digital identities require one or more identity infrastructures that ensure the unique and consistent identification of a subscriber, and support authentication and rights assignment based on the identities. Trustworthy certification authorities form an important part of such infrastructure.

Creating and maintaining identity infrastructures for all identities, and certification bodies for all the digital certificates of the various parties in a network, represent a major challenge because of the large number of identities expected. In addition to questions about how these identities are collected or defined, questions of decentralization and high availability of suitable directories must be answered so that these services are available and can be queried at any time, for example as part of machine-to-machine identification.

Certificates are only valid for a limited time period to force a regular review, or so-called recertification. The authorizations linked to the identities can be withdrawn if a certificate is not renewed or is compromised. Interoperability and standardization of different identity infrastructures and certification bodies are also relevant issues.

Automated processes allow scalability

Apart from these fundamental technical challenges, it is also essential to determine who will be responsible for setting up and maintaining the identity infrastructures or certification bodies and to which organizational, legal and security requirements and regulations they are subject.

Some certificate management solutions – such as Nexus’s scalable and flexible public key infrastructure (PKI) platform – automate processes such as certificate distribution and ensure end-to-end management throughout the certificate lifecycle: from creation, distribution and use, to renewal and revocation.
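The certificate lifecycle described in the two paragraphs above (limited validity that forces recertification, withdrawal through revocation, and issuance and renewal handled by automated processes) is shown below in an added Go example that uses only the standard library. It is not code from the original article or from Nexus's platform. The CA name "Example IoT Device CA", the device name "sensor-0001", the 30-day certificate lifetime and the 24-hour CRL refresh interval are constructed values chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on CA setup failures; a real service would return these errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// DeviceCA is a constructed, in-memory certification authority for this example
// only (a real CA keeps its signing key in an HSM). Names and lifetimes are assumptions.
type DeviceCA struct {
	Cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	serial  int64
	revoked []pkix.RevokedCertificate
}

// NewDeviceCA creates a self-signed root that is allowed to sign certificates and CRLs.
func NewDeviceCA(now time.Time) *DeviceCA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example IoT Device CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, BasicConstraintsValid: true, IsCA: true,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &DeviceCA{Cert: must(x509.ParseCertificate(der)), key: key, serial: 1}
}

// IssueDeviceCert issues a device identity with a limited validity period;
// renewal is simply issuing a fresh certificate before the old one expires.
func (ca *DeviceCA) IssueDeviceCert(deviceID string, now time.Time, lifetime time.Duration) *x509.Certificate {
	devKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // in practice the device generates this itself
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial), Subject: pkix.Name{CommonName: deviceID},
		NotBefore: now, NotAfter: now.Add(lifetime),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &devKey.PublicKey, ca.key))
	return must(x509.ParseCertificate(der))
}

// Revoke withdraws a certificate before its expiry (for example after a key compromise).
func (ca *DeviceCA) Revoke(cert *x509.Certificate, now time.Time) {
	ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: cert.SerialNumber, RevocationTime: now})
}

// CRL signs the current revocation list, in the form relying parties would download.
func (ca *DeviceCA) CRL(now time.Time) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(now.Unix()), ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: ca.revoked}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.key))))
}

// VerifyDevice is the relying party's check at time now: chain and validity period
// first, then CRL authenticity and freshness, then revocation status.
func VerifyDevice(cert, root *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain or validity period: %w", err)
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("untrusted CRL: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return fmt.Errorf("stale CRL (next update %s): revocation status unknown", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate %q revoked at %s", cert.Subject.CommonName, r.RevocationTime.Format(time.RFC3339))
		}
	}
	return nil
}

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // fixed clock so the run is reproducible
	ca := NewDeviceCA(now)
	cert := ca.IssueDeviceCert("sensor-0001", now, 30*24*time.Hour) // 30-day identity, constructed device name
	crl := ca.CRL(now)
	fmt.Println("one hour in:", VerifyDevice(cert, ca.Cert, crl, now.Add(time.Hour)))
	fmt.Println("31 days in:", VerifyDevice(cert, ca.Cert, ca.CRL(now.Add(31*24*time.Hour)), now.Add(31*24*time.Hour)))
	ca.Revoke(cert, now.Add(2*time.Hour))
	fmt.Println("after revocation:", VerifyDevice(cert, ca.Cert, ca.CRL(now.Add(2*time.Hour)), now.Add(3*time.Hour)))
}
```

Two points in the relying-party check matter in practice. First, the validity period is enforced locally from the certificate itself, so an expired identity is rejected even when no directory can be reached; this is why short lifetimes with automated renewal bound the damage from a lost device. Second, revocation only works if the relying party can obtain a fresh, correctly signed CRL (or an equivalent online status response): the example treats a CRL past its NextUpdate as "status unknown" and refuses the device rather than silently accepting it, which is the availability requirement for directories that the article raises.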