Enhancing IoT Security: Exploring Lightweight Cryptography Solutions for Diverse Devices

Securing the Internet of Things: Exploring Lightweight Cryptography Solutions





Lightweight cryptography protects the data generated and transmitted by IoT devices and other miniature technologies.

In the realm of IoT systems utilizing real-world data, the collection of data from devices has become a prime target for cyberattacks. This realization has elevated the significance of countermeasures based on encryption. An emerging solution known as lightweight cryptography offers a promising approach due to its small footprint and low computational complexity. This encryption method aims to enable cryptography applications on resource-constrained devices, and efforts are currently underway for international standardization and the compilation of guidelines.


Of particular interest is authenticated encryption, which provides both confidentiality and integrity. This combination has garnered significant attention, leading to the organization of a technology competition called CAESAR. In response to this demand, NEC has developed two solutions: TWINE, a lightweight block cipher, and OTR, an authenticated encryption method that successfully passed the CAESAR second-round selection process.


1. Introduction


The Internet of Things (IoT) has revolutionized connectivity among various devices, opening up new possibilities. However, it has also exposed significant security threats, such as the manipulation of surveillance cameras and automobile hacking. In fact, the Information-technology Promotion Agency of Japan (IPA) ranked the "Exteriorization of vulnerability of IoT devices" as the 8th major security threat in its 2017 report.




To address these concerns, encryption has emerged as an effective countermeasure. The IoT now demands the application of encryption to sensor devices, even in environments that were previously exempt from such security measures. This is where lightweight cryptography comes into play, offering a technology that caters to these unique requirements. In this article, we will explore the security threats faced by IoT and delve into the encryption-based countermeasures. We will discuss the prerequisites of lightweight cryptography, its technological advancements, and NEC's contributions in the form of the TWINE block cipher and the OTR authenticated encryption.


2. Security Threats for IoT and Encryption-Based Countermeasures


One of the most significant security threats posed by IoT systems, as compared to traditional IT systems, is the vulnerability of devices used for data collection from the physical world. Consider an example where IoT is employed in a factory setting to enhance productivity and maintainability by collecting data from numerous sensors embedded in production equipment. Real-time analysis and autonomous control are performed based on this data. However, if the sensor data were to be manipulated or falsified during this process, it could lead to incorrect analysis results and erroneous control, potentially causing significant damage. Additionally, as the measurement data and control commands often contain proprietary trade secrets related to production and management know-how, preventing data leakage is crucial to maintain competitiveness. It is essential to anticipate future threats and their potential impact, even if they may not be apparent currently.


Implementing encryption on sensor devices enables data protection, ensuring both confidentiality and integrity. Lightweight cryptography plays a pivotal role in achieving secure encryption, even on resource-constrained devices. It empowers these devices with the capability to safeguard data effectively.


Encryption is widely implemented as a standard on the data link layer of communication systems, including cellphones. However, encryption at the application layer is what ensures end-to-end data protection, securing data from the device to the server independently of the underlying communication system. For this, encryption has to run on the processor that handles the application, using its otherwise unused resources. In this context, lightweight encryption is highly desirable, as it minimizes the computational burden and resource usage while maintaining robust security.


3. Lightweight Cryptography


3.1 Requirements for Lightweight Cryptography


When implementing lightweight cryptography, several key factors come into play:

1. Size: The size of the circuit, ROM/RAM sizes, and overall footprint of the implementation are crucial considerations.

2. Power: Power consumption is particularly important for devices like RFID and energy harvesting devices, while battery-driven devices also require efficient power management.

3. Processing Speed: Devices with large data transmissions, such as cameras or vibration sensors, necessitate high throughput, while real-time control systems like car-control systems require low processing delays.



The size factor is particularly relevant as it determines both the feasibility of implementation in a device and the power consumption, which is heavily influenced by hardware factors like circuit size and processor choice. Processing speed directly affects power consumption due to execution time, making the number of computations a critical factor in determining the lightweight nature of an encryption method. Furthermore, achieving high throughput relies on the parallel processing capabilities of the cryptographic system.


From a security standpoint, encryption serves as the foundational technology for overall system security. Therefore, lightweight cryptography must adopt methods that are deemed to have sufficient security levels comparable to modern cryptography. Even if the block length and/or secret key length are shorter than those of standard cryptography to prioritize ease of implementation (e.g., using a 64-bit block and an 80-bit secret key), it is crucial to employ proven methods correctly.




3.2 Symmetric Key and Public Key Cryptography




Cryptography can be broadly categorized into two types: symmetric key cryptography and public key (asymmetric key) cryptography. Symmetric key cryptography employs the same secret key for both encryption and decryption, making it suitable for lightweight processing tasks like data encryption and authentication. In contrast, public key cryptography involves a secret key for decryption and a distinct public key for encryption. The secret key is exceedingly difficult to deduce from the public key. While the computational complexity of public key cryptography is typically much higher (over 1,000 times) than that of symmetric key cryptography, it is employed for sharing secret keys used in symmetric key cryptography and for digital signatures due to its asymmetrical properties.


In systems like plants or car control systems, it is feasible to embed pre-shared secret keys within the devices. In such cases, secure and efficient data protection can be achieved using symmetric key cryptography alone. Conversely, in systems that require dynamic encrypted communications with unspecified parties, such as inter-vehicle communication systems, public key cryptography proves effective.



Our focus primarily lies on symmetric key cryptography, as it can be widely applied to devices with stringent resource constraints. Symmetric key cryptography encompasses core functions such as block or stream ciphers (cryptographic primitives) and methods for applying these core functions to packets, known as block cipher modes of operation for encryption and/or authentication. Figure 3 illustrates an example of a block cipher mode of operation used for authentication, known as Cipher Block Chaining Message Authentication Code (CBC-MAC). To achieve lightweight cryptography, it is imperative to enhance the efficiency of both the block cipher mode of operation and the cryptographic primitives.




3.3 Trends in Lightweight Cryptography




The research and development of lightweight cryptography began around 2004 with a European project and has recently gained renewed momentum through the M2M/IoT process. The international standard ISO/IEC 29192 for "Lightweight Cryptography" was established by ISO/IEC JTC 1/SC 27. In 2013, the U.S. National Institute of Standards and Technology (NIST) initiated the Lightweight Cryptography Project and issued a public call for applications of lightweight cryptographies in 2017.




One notable block cipher in the lightweight cryptography domain is PRESENT, which was published in 2007 and is registered in ISO/IEC 29192. It has a small circuit size, making it suitable for implementation in RFID tags, which is not feasible with standard AES encryption. The U.S. National Security Agency (NSA) introduced the lightweight block cipher SIMON/SPECK in 2013. It features a very small ROM size ideal for constrained microprocessors and was proposed for addition to ISO/IEC 29192 to achieve international standardization.




The concept of "authenticated encryption" refers to a block cipher mode of operation that achieves both encryption and message authentication. Considering the significance of detecting false data in IoT, authenticated encryption is expected to play a crucial role in the future. The efficiency and security of a block cipher used for authenticated encryption can vary significantly based on its implementation. While NIST-recommended authenticated encryptions like AES-CCM/GCM exist, the importance of authenticated encryption and advancements in research call for next-generation solutions that offer lighter weight and higher security. To address this, an international competition called CAESAR (Competition for Authenticated Encryption: Security, Applicability, and Robustness) was initiated by NIST in 2014, with 60 submissions received. The selection process narrowed down the candidates each year based on algorithm characteristics and functions, with the final selection set to be announced by the end of 2017.




In Japan, the Cryptography Research and Evaluation Committee (CRYPTREC) assesses electronic government-recommended ciphers and monitors cryptographic technology trends. Its Lightweight Cryptography Working Group has been actively involved in evaluating the implementation of representative block ciphers, conducting security surveys, and researching effective utilization of lightweight cryptographies since 2013.


4. Lightweight Cryptographies of NEC


4.1 Block Cipher TWINE


NEC has developed a lightweight block cipher called TWINE, designed to address the limitations of previous lightweight cryptography, such as PRESENT, by providing ease of software implementation and enabling implementation in small-size circuits. TWINE employs the same block length as PRESENT (64 bits) and offers two secret key lengths (80 and 128 bits).




TWINE was selected as one of the ciphers to be evaluated by CRYPTREC's Lightweight Cryptography Working Group, and it demonstrated top-class performance in both hardware and software evaluations. The circuit size per round for TWINE is approximately 2K gates, about 1/7th the size of AES (similar to PRESENT). When comparing circuit size per throughput, TWINE exhibits more than twice the efficiency of AES. When encryption is parallelized to keep up with high-speed communication, the circuit size grows, and TWINE's small-scale circuitry remains effective in such scenarios.




On the software implementation front, AES outperforms lightweight cryptographies, including TWINE, when the ROM size is 1K bytes or more, especially on microprocessors like Renesas RL78. However, when the ROM size is limited to 512 bytes, AES cannot be implemented, whereas TWINE can. Compared to PRESENT, TWINE achieves a higher processing speed of 250%.


4.2 Authenticated Encryption: OTR



In general, the computational requirements for message authentication are comparable to those for encryption (secrecy). The NIST-recommended authenticated encryptions AES-CCM/GCM, for example, require twice the computational effort of encryption alone. The theoretical limit for the computation required by authenticated encryption is the computation required for encryption alone.




OCB is an authenticated encryption scheme that reaches this theoretical limit, but its decryption requires the block cipher's decryption function. AES-CCM, on the other hand, keeps its implementation small by minimizing the number of components; for example, its decryption is built from the block cipher encryption function alone. NEC's OTR is the world's first authenticated encryption that achieves the theoretical limit of computation using exclusively block cipher encryption functions. OTR was proposed in the aforementioned CAESAR authenticated encryption competition and successfully passed the first round in 2015 and the second round in 2016, being selected as one of the 30 and 15 candidates, respectively.




OTR performs message authentication (authentication tag generation) by encrypting the checksum of data blocks. Remarkably, this can be accomplished by encrypting a single block regardless of the data length. The encryption process in OTR utilizes a structure called the 2R Feistel structure, enabling decryption using the block cipher encryption functions, just as in the encryption process.
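
The two-round Feistel idea described above, as an added Python sketch that is not NEC's code and not the OTR specification. `E` is a keyed one-way stand-in for a block cipher's encryption direction, and the mask derivation, key, nonce and sample reading are assumptions constructed for illustration; only messages made of whole 16-byte block pairs are handled.

```python
import hashlib
import hmac

BLOCK = 8  # bytes; 64-bit blocks, the block length the article gives for TWINE

def E(key, data):
    # Stand-in for the cipher's forward (encrypt) direction: a keyed one-way
    # function with no inverse, so nothing below can rely on block decryption.
    return hmac.new(key, data, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def mask(key, nonce, i, role):
    # Simplified per-pair mask (assumption; real OTR derives its masks differently).
    return E(key, b"mask" + nonce + i.to_bytes(4, "big") + bytes([role]))

def pairs(data):
    if len(data) % (2 * BLOCK):
        raise ValueError("this sketch handles whole block pairs only")
    for off in range(0, len(data), 2 * BLOCK):
        yield off // (2 * BLOCK), data[off:off + BLOCK], data[off + BLOCK:off + 2 * BLOCK]

def tag_for(key, nonce, npairs, checksum):
    # A single E call on the checksum, whatever the message length.
    return E(key, xor(mask(key, nonce, npairs, 2), checksum))

def encrypt(key, nonce, msg):
    out, checksum = b"", bytes(BLOCK)
    for i, m1, m2 in pairs(msg):
        c1 = xor(E(key, xor(mask(key, nonce, i, 0), m1)), m2)  # Feistel round 1
        c2 = xor(E(key, xor(mask(key, nonce, i, 1), c1)), m1)  # Feistel round 2
        out += c1 + c2
        checksum = xor(checksum, m2)
    return out, tag_for(key, nonce, len(msg) // (2 * BLOCK), checksum)

def decrypt(key, nonce, ct, tag):
    out, checksum = b"", bytes(BLOCK)
    for i, c1, c2 in pairs(ct):
        m1 = xor(E(key, xor(mask(key, nonce, i, 1), c1)), c2)  # undo round 2 with E
        m2 = xor(E(key, xor(mask(key, nonce, i, 0), m1)), c1)  # undo round 1 with E
        out += m1 + m2
        checksum = xor(checksum, m2)
    if not hmac.compare_digest(tag_for(key, nonce, len(ct) // (2 * BLOCK), checksum), tag):
        raise ValueError("authentication failed")
    return out

KEY, NONCE = b"constructed-demo-key", bytes(7) + b"\x01"  # constructed values
SAMPLE = b"temp=21.5C;rpm=1450;vib=0.02g;ok"  # constructed 32-byte sensor reading
```

Because the rounds are undone by recomputing the same `E` outputs and XORing them away, the receiver needs no inverse cipher, and changing any ciphertext block alters the recovered checksum so the tag comparison fails.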




5. Conclusion: Secure and Efficient IoT Systems with Lightweight Cryptography

In this article, we have explored the realm of lightweight cryptography, specifically focusing on the innovative solutions developed by NEC. These lightweight cryptographic techniques are designed to address the unique challenges faced by resource-constrained environments in IoT.

One notable solution is OTR, an authenticated encryption method whose security is based on the underlying block cipher. OTR can be combined with various block ciphers, offering flexibility and compatibility. The combination of OTR with AES, known as "AES-OTR," leverages the robust implementation assets of AES. Additionally, NEC has proposed "TWINE-OTR," which combines OTR with TWINE, resulting in further size reduction compared to AES-OTR.

Furthermore, NEC has collaborated with Nagoya University and others to develop CLOC/SILC, an authenticated encryption solution that strikes a balance between computation amount and small data size. CLOC/SILC has also undergone rigorous evaluation in the CAESAR competition, successfully passing the second-round selection.

It is crucial to consider key management functions and operational aspects in practical applications of lightweight cryptography. To address this, NEC is actively engaged in research and development efforts to realize a lightweight cryptography library, encompassing key updating and exchange mechanisms. Additionally, NEC is conducting research on lightweight cryptography for key exchange based on public key encryption.


Looking ahead, NEC remains committed to advancing cryptographic technologies and contributing to the security of IoT systems. Through ongoing research and development, we strive to empower organizations with secure and efficient solutions, enabling them to harness the full potential of the IoT landscape.


Together, let's build a future where IoT systems thrive securely and seamlessly.



