SecureIoT: Making PKI security available for resource-constrained IoT devices

The internet of things (IoT) applications have started to hit the market in big numbers – but security is lagging behind. “For most use cases, IoT security should be based on public key infrastructure (PKI) and asymmetric cryptography, and we have launched a new three-year project to make that possible,” says Shahid Raza, director of the Security Lab at Swedish non-profit research organization RISE SICS.

The public key infrastructure (PKI) security method is used to implement strong authentication, data encryption and digital signatures.

“PKI is the state of the art when it comes to internet security. It enables you to, for example, securely conduct online banking and communicate without having someone eavesdropping,” says Raza.

PKI is also used for securing communication between things that are not resource-constrained, such as servers or the devices that make up the infrastructure of LTE networks.

“But when it comes to very resource-constrained devices in the IoT, for most current deployments there is either no security at all or security that is based on shared keys or pins/passwords. This means that the risk of hacker attacks and eavesdropping is huge. As we are getting more and more dependent on the IoT, this risk is not acceptable,” says Raza.

Sometimes PKI is used, but then it is only in the gateways and not in the end devices. The reason for this is that the current PKI technologies are too heavy for very resource-constrained devices.

“The problem with using PKI only in the gateways is that if a gateway is compromised, the whole network falls. We need end-to-end security. Many IoT companies realize this, and security is on the very top of their agendas. But they have no alternatives to shared keys or pins/passwords, or using PKI only in the gateways,” says Raza.

As a first step in trying to get us out of this predicament, the new super light-weight enrollment protocol called CEBOT was recently created by RISE SICS and its partners in a VINNOVA-funded project.

“CEBOT makes it possible to give resource-constrained IoT devices the trusted identities – in the form of signed certificates – they need to be able to communicate in a secure manner. CEBOT was the missing piece in IoT security, and it is huge that we now have this protocol. But it is not enough,” says Raza.

RISE SICS has therefore kicked off the new three-year-long Eurostars-funded project “SecureIoT: Certificate-based Security for Resource-constrained Internet of Things,” together with partners from Sweden and South Korea.

“Very resource-constrained IoT devices need very light-weight PKI technologies, such as CEBOT. In SecureIoT, we are going to create the other light-weight PKI technologies needed for securing the IoT,” says Raza.

The new project has four objectives:

  1. To enable automatic initial certificate enrollment with lightweight certificates and lightweight certificate revocation in battery-powered IoT devices.
  2. To integrate IoT enrollment protocols with communication security protocols such as Datagram TLS (DTLS) and Internet Key Exchange (IKE).
  3. To develop a secure IoT gateway that is able to support contemporary IoT security protocols as well as legacy protocols to support existing deployments, such as industrial sensor networks.
  4. To perform validations of the designed protocols with two real IoT pilot deployments: smart metering and a smart factory.

The project started in October 2016 and will be finished in October 2019.

“So far we are on track with our time plan, and right now our partners are designing the different things we aim to create. If everything goes as planned, the design documents will be ready in September of 2017.”

One of the partners is the Swedish-owned identity and security company Nexus Group, a contributor in the CEBOT project.

“SecureIoT and CEBOT are both paramount projects, since the need for better IoT security is huge and expected to increase exponentially,” says Martin Furuhed, product owner of Nexus’s certificate authority (CA) software Certificate Manager.

“We build support in Certificate Manager for the new light-weight PKI technologies that are created in these research projects, which of course gives both our customers and ourselves great advantages. Innovation is in our DNA, and for us it is natural and important to collaborate in research projects. Taking part in these projects help us stay at the leading-edge,” says Furuhed.

Raza feels confident that the project will reach its goals.

“We will solve the problems in some way, but we still do not know exactly how. We might have to compromise, and we will most definitely make mistakes along the way – but making mistakes are instructive and a necessary part of the process,” says Raza.

Read the blogpost: Swedish research project CEBOT has solved one of the toughest IoT security problems