Why do I care about cryptography as an IoT architect?
“Encryption, Cryptography, Hashing,” chatter coming from experts in the IoT world. The laugh factor, cyber security experts relay this message as a new concept. News alert, cryptography has been around for a long period of time.
My first introduction to cryptography was in the 80’s during breakfast. Back then, I loved eating Captain Crunch cereal. I could not resist the ARTIFICAL goodness of those yellow, square-shaped cereal puffs made up of corn, oats and fake peanut butter. It was so unhealthy (which is probably the reason why it tasted so good). Besides the great taste, it also came with cool gifts inside the box. The best one of all was the “Captain Crunch Decoder Ring.” It made me feel like a spy. It worked by using a simple letter substitution algorithm. For example, 'a' becomes 'n' and 'b' becomes 'o', so on and so forth. It may be pretty simple but encryption cryptography none the less.
What is the deal with cryptography?
Why do people have a hard time understanding the concept? Let’s start by explaining encryption. Encryption simply takes data (plain text) and scrambles it using a cipher (algorithm + key) so it become illegible (cipher text). Decryption is the act of turning it back into real information for use.
Overall, cryptography tries to solve the following problems:
- Privacy/confidentiality - Ensuring that no one can read the message except the intended receiver.
- Authentication - The process or action of proving or showing something to be true, genuine, and valid.
- Integrity: Assuring the receiver that the received message has never been altered in any way from the original source.
- Non-repudiation - Ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated.
There are fundamentally 3 types of cryptography that are important to understand:
- Symmetric Cryptography - Uses a single key for both encryption and decryption of a message. For this to work between two parties, they must both have identical keys. The issue becomes the transfer of the key. One party must generate and “hand-off” the key in the most secure way possible. One option to ensure security is for the key exchange to use Public key cryptography.
- Asymmetric/Public Key Cryptography - This concept uses both a public key and private key which have related features. The private key is used to decrypt a message, and a public key is used to encrypt. The most common usage of key exchange between two parties is used within Public Key Infrastructure (PKI). Asymmetric schemes can also be used for non-repudiation and user authentication. An example of this in action is SSL certificates used on web sites.
- Hash Functions – A hash function is a one-way function in where plain text is converted into a digest. Hash functions can also be combined with asymmetric crytopgraphy to create a digital thumbprint. Overall, the intended purpose is for verification, identification and data integrity. The reason why it is so effective is that it is highly unlikely that two different messages that are hashed with the same algorithm will yield the same hashed value. Another example of usage is passwords. Passwords are something you don't want to store in plain-text and certainly would not want the option to decipher.
Why does cryptography matter in the IoT world?
Currently, it is estimated that there are about 8.4 billion devices online. Within the next 3 years, the number will be over 20.4 billion devices. As more connected devices are deployed, there becomes a greater need to control and manage the identity of those devices. There is also a need to protect the devices “data at rest” and “data that is transmitted.” Cryptography gives us a way to do that with high assurance and reliability. In the IoT world, the biggest issue is not the cryptography itself, but the orchestration and implementation. That problem will be exponentially more difficult as more connected devices come online. The good news is that there are companies out there that enable you to do this with effectiveness and velocity.
There are many facets to cryptography and unfortunately this post just scratches the surface. At the very least, I hope that it was informative. If not, I certainly hope it made you hungry for a good old-fashioned bowl of cereal!