NIST’s Kerry McKay discusses the agency’s recent call for new cryptographic standards to protect web-enabled devices

It’s estimated that more than 30 billion Internet of Things (IoT) devices will be in operation around the world by 2020, ranging from new consumer products to legacy infrastructure systems that have been in place for decades but only recently connected to the internet.

While some IoT devices have been developed to help facilitate the execution of important tasks (such as those found in the healthcare industry), a great many others have simply been created for convenience or entertainment (that smart energy meter in your home or fitness tracker on your wrist).

With the IoT space projected to enjoy continued double-digit growth over the coming years, issues surrounding the security of so-called ‘connected’ devices are now more important than ever.

Over the past few months alone, reports have surfaced relating to vulnerabilities in everything from IoT baby monitors to CCTV systems.

The hype surrounding IoT security has not escaped the attention of lawmakers around the world. Yet while the UK government recently issued guidelines for manufacturers, and Australia is looking to create a mandatory cybersecurity rating for web-enabled products, there has thus far been no consensus on the best route forward.

Crypto constraints

One of the key problems associated with IoT security stems from the fact that internet-connected devices, by their very nature, often have access to limited resources.

Compared to, say, a typical desktop computer, these (often tiny) gadgets are generally designed to operate with significantly reduced power consumption or computational power, meaning that common encryption methods may demand more resources than the devices possess.

In an effort to address this fundamental issue, the National Institute of Standards and Technology (NIST) recently unveiled a new initiative that aims to improve the protection of the data that is created, stored, and transmitted by IoT devices.

Last month, NIST issued a call for ‘lightweight cryptography’ submissions from the software development community, as the agency looks to develop new standards that can work within the confines of a simple electronic device.

The ultimate goal, according to NIST computer scientist Kerry McKay, is to develop lightweight encryption standards that benefit the entire marketplace across a wide range of applications.

“Lightweight cryptography standards will offer new capabilities that ‘constrained’ devices, such as the smallest ones used in the IoT, can use to authenticate and authorize other devices, and to secure data when it is stored and transmitted,” McKay told The Daily Swig.

Tailored algorithms

Although the term ‘lightweight cryptography’ may appear to be something of an oxymoron, McKay was quick to refute the idea that ‘lightweight’ means ‘easy-to-break’.

“A common misconception is that ‘lightweight’ means ‘weak’,” she explained. “This isn’t the case. Lightweight cryptography is about tailoring algorithms for specific classes of devices and applications.

“Lightweight algorithm design is about making informed and meaningful tradeoffs between security, performance, and cost in the context of the devices and applications where it will be applied.”

According to McKay, the NIST lightweight cryptography standards will still require strong security, but will be targeted for different implementation environments, performance needs, and algorithm characteristics than the agency’s current algorithms.

As an initial step, NIST is seeking assistance in developing requirements and guidelines for these solutions.

The Draft Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process is the first draft of this request, written with the software development community in mind and aimed at ensuring that the formal request – slated for release later this spring – will produce the sort of encryption algorithms that developers agree will help shore up IoT security defenses.

“The IoT is exploding, but there are tons of devices that have nothing for security,” McKay said.

“We will be relying on community feedback to determine what other use cases we should include in subsequent editions of the [publication],” she said. “We want the entire lightweight crypto standards development process to be open and transparent, with the public involved at every step.”