The IoT has security issues, a history of weak encryption keys and inadequate provisioning and planning for data protection and lock-down. Okay, so you knew all that already.
What matters now is how we fix things. How we build the next generation of IoT devices with security in their DNA from the start. The trouble is, when it comes to security, a good random number is hard to find these days. What we need is a new approach to crypto-based IoT applications based on entropy, argues Richard Moulds, managing director of Whitewood Security.
What is entropy?
With machine intelligence and massive cloud-driven compute power at our disposal, it is becoming easier and easier to ‘guess’ the codes that underpin encryption and crypto-based applications. Thus, entropy is needed.
In terms of mathematics, entropy is a lack of order or predictability and a gradual decline into a state of numerical disorder. In terms of physics, entropy is a thermodynamic quantity representing the unavailability of a system’s thermal energy for conversion into mechanical work, often interpreted as the degree of disorder or randomness in the system.
As an example, our Earth’s moon is uniform and relatively static, but the blistering whirl of bubbling fire in the sun displays entropy. Entropy describes the number of ‘states’ that any system can take on. This video explains the concept in very plain terms.
Moulds and team at Whitewood claim to be addressing the lack of randomness in IoT security by developing what they call ‘Entropy-as-a-Service’, using quantum technology to help deliver ‘truly random’ number generation, on demand.
The technology is born out of a decade-long research project conducted by the quantum security team at the Los Alamos National Laboratory and is designed to strengthen cryptographic security systems from encryption in traditional datacenters and virtual cloud environments.
“The IoT is the security professional’s worst nightmare – lots of sensitive and often regulated data is being collected and stored on lots of low-performance, low-power devices scattered across the country. These are devices that are easy to tamper with, have to work for a long time and are hard to update. That’s not a good combination,” says Moulds.
All IoT devices need to talk – the question is, how secure are their communications?
They rely on encryption to protect data but how strong is that encryption? The strength of encryption often comes down to how good encryption keys are and in particular, how random they.
If keys can be guessed, then the game is up. Making truly random keys is harder than you would think and IoT devices are notoriously bad at it.
Feeding entropy starvation
Moulds continues, “Randomness relies on gathering entropy and IoT devices can suffer entropy starvation. IoT devices tend to be low-power and low-cost devices, designed for a specific task. Security in general often takes a back seat and specialist security functions like key generation are frequently overlooked and yet, can undermine the entire security model.”
“Whitewood provides pure quantum entropy to devices over the network. Think of it like a flu shot: we inoculate IoT devices from making weak keys,” he adds.
As we know, almost all random numbers come from a machine’s operating system and its core operational chipset. This does, obviously, lead us to a situation where we know that software can not actually generate true random numbers. The situation is so real that when an application does something truly random we tend to call that a bug, not a feature.
True software-based entropy then (and the promise of true IoT security perhaps) comes from capturing that process in the physical world to create unpredictability. There are stories of IT security professionals using cameras to video capture the shapes created by lava lamps, for example, in the search for true captured entropy.
As Whitewood’s Moulds reminds us, “[This zany idea] is fine until someone turns the lights off and it’s really hard to scale to the IoT. Plus it hardly fits the virtualized philosophy of the cloud where you know virtually nothing about the hardware your stuff actually runs on.”
The quest for IoT security entropy is on… and it’s no random matter.