Phillip,
First, I disagree with Jari's original analysis of the problem. The
Internet security problem is not limited to IoT:
Of course. That’s not the only security problem we have… didn’t think I said it
was. But apologies if I was unclear. Anyway...
I think the big difference is that in IoT it is impossible to ignore
the usability problem that cripples most IETF security protocols.
The usability problem is big in IOT. Although I would probably call it the
manageability, deployment, and usability problem.
With the new EC curves we can now do public key crypto on 16 bit and even 8
bit devices (just don't do it too often). But we are still constrained
by the affordances of the devices:
* IoT devices don't always have display capability
* IoT devices often don't have a keyboard device.
Yup.
Once we recognize the fact that our principal constraints are
usability constraints, we can develop an architecture that addresses
the problems of the IoT world and also the Internet in general.
We can, but having been in the field for some time, I have a feeling that this
isn’t an easy problem. Step 1 of the path to an improvement is recognising that
we have a problem. We do! And at least a subset of the engineers working in
this space have understood that. The world as a whole is beginning to
understand that given many news stories about this. And I’m eager for us and
others to do more here. But solutions aren’t necessarily clear cut or easy. It
will take time and effort.
We are not going to be able to configure cryptography or any other
settings on an IoT device. But we have a variety of protocols that can
be used to connect an IoT device to a 'secure console' where
administration takes place:
* Device has an LED status light and a QR Code with the SHA-2 digest
of a public key printed thereon. Administrator connects device through
a mobile app that uses the camera.
… Configuring wireless is harder than wired of course as you have
to configure the WiFi settings. But that could be sorted with a change
to the WiFi specs to add a standardized 'calling channel' SSID.
This is the set of problems I think I have solved with the
Mathematical Mesh.
Thanks! And these are all useful things, probably good components for solutions.
I want to add that the security problem for IOT is wider than setting up the
secure wireless connectivity. I’m going out on a limb to say that in the
networks that I work with, that’s a largely solved problem modulo many non-IOT
related updates that are being handled. However, it would be a mistake to think
that it is all we need. We obviously do need wireless security, we obviously
need transport level crypto to protect our COAP and other transactions, but
perhaps even more than those things, we need to protect the data that is passed
around, protect data that is stored, safeguard applications that process that
data and necessarily have to have access to many sources of information, figure
out how metadata such as directories and semantic definitions need to be
protected, figure out how we authorise various applications and actors to act,
and so on.
I think that’s a tall order, and we better get moving!
Jari
signature.asc
Description: Message signed with OpenPGP using GPGMail
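The QR-code pairing step Phillip describes above (a printed SHA-2 digest of the device's public key, scanned by an administrator's phone) can be sketched end to end. The block below is an added illustration written for this thread, not code from the Mathematical Mesh or from either author. It assumes a raw 32-byte public key, a hex-encoded SHA-256 digest on the label, and a made-up `devpair-v1:` payload prefix; the two keys and the prefix are constructed for the walkthrough. The point it shows is the defensive one: the app accepts the key it later receives over the network only if that key's digest matches what was scanned, so a second device answering on the same WiFi is rejected rather than silently paired.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample keys (not real device keys): the raw 32-byte public key a
# device generates at manufacture, and a second key standing in for whatever an
# unrelated device on the same network might present during pairing.
DEVICE_PUBKEY = bytes.fromhex("1f" * 32)
ROGUE_PUBKEY = bytes.fromhex("2e" * 32)

# Hypothetical payload prefix so the app can distinguish a pairing label from
# any other QR code it happens to scan.
QR_PREFIX = "devpair-v1:"


def fingerprint(pubkey: bytes) -> str:
    """SHA-256 digest of the raw public key, hex encoded: the value on the label."""
    return hashlib.sha256(pubkey).hexdigest()


def make_qr_payload(pubkey: bytes) -> str:
    """What the manufacturer encodes in the QR label: the digest, never the key."""
    return QR_PREFIX + fingerprint(pubkey)


def parse_qr_payload(payload: str) -> str:
    """Recover the expected fingerprint from a scan; reject anything malformed."""
    if not payload.startswith(QR_PREFIX):
        raise ValueError("not a pairing QR payload")
    fp = payload[len(QR_PREFIX):]
    if len(fp) != 64 or any(c not in "0123456789abcdef" for c in fp):
        raise ValueError("malformed fingerprint")
    return fp


def verify_presented_key(expected_fp: str, presented_pubkey: bytes) -> bool:
    """App side: the key received over the network must hash to the scanned digest.
    A constant-time comparison avoids leaking how much of the digest matched."""
    return hmac.compare_digest(expected_fp, fingerprint(presented_pubkey))


def pair(scanned_payload: str, presented_pubkey: bytes) -> Optional[bytes]:
    """Full flow: scan label, connect, receive key, accept only on digest match.
    Returns the key to pin for all later administration traffic, or None."""
    expected = parse_qr_payload(scanned_payload)
    if verify_presented_key(expected, presented_pubkey):
        return presented_pubkey
    return None


if __name__ == "__main__":
    label = make_qr_payload(DEVICE_PUBKEY)
    print("QR label:", label)
    print("genuine device accepted:", pair(label, DEVICE_PUBKEY) is not None)
    print("other device accepted:  ", pair(label, ROGUE_PUBKEY) is not None)
```

The label carries only the digest, so anyone who photographs it learns nothing secret; what it gives the administrator is a trust anchor that survives an untrusted network path. Once `pair` returns a key, the app should pin it and refuse later connections that present a different one.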