
Security for the Internet of Things and Other Things (Was: Re: Observations on (non-technical) changes affecting IETF operations)

2016-03-08 10:37:17
Phillip,

> First, I disagree with Jari's original analysis of the problem. The
> Internet security problem is not limited to IoT:

Of course. That’s not the only security problem we have… didn’t think I said it 
was. But apologies if I was unclear. Anyway...

> I think the big difference is that in IoT it is impossible to ignore
> the usability problem that cripples most IETF security protocols.

The usability problem is big in IOT. Although I would probably call it the 
manageability, deployment, and usability problem.

> With
> the new EC curves we can now do public key crypto on 16 bit and even 8
> bit devices (just don't do it too often). But we are still constrained
> by the affordances of the devices:
>
> * IoT devices don't always have display capability
>
> * IoT devices often don't have a keyboard device.

Yup.

> Once we recognize the fact that our principal constraints are
> usability constraints, we can develop an architecture that addresses
> the problems of the IoT world and also the Internet in general.

We can, but having been in the field for some time, I have a feeling that this 
isn’t an easy problem. Step 1 of the path to an improvement is recognising that 
we have a problem. We do! And at least a subset of the engineers working in 
this space have understood that. The world as a whole is beginning to 
understand that given many news stories about this. And I’m eager for us and 
others to do more here. But solutions aren’t necessarily clear cut or easy. It 
will take time and effort.

> We are not going to be able to configure cryptography or any other
> settings on an IoT device. But we have a variety of protocols that can
> be used to connect an IoT device to a 'secure console' where
> administration takes place:
>
> * Device has an LED status light and a QR Code with the SHA-2 digest
> of a public key printed thereon. Administrator connects device through
> a mobile app that uses the camera.
> …  Configuring wireless is harder than wired of course as you have
> to configure the WiFi settings. But that could be sorted with a change
> to the WiFi specs to add a standardized 'calling channel' SSID.
>
> This is the set of problems I think I have solved with the
> Mathematical Mesh.

Thanks! And these are all useful things, probably good components for solutions.

I want to add that the security problem for IOT is wider than setting up the 
secure wireless connectivity. I’m going out on a limb and saying that in the 
networks that I work with, that’s a largely solved problem modulo many non-IOT 
related updates that are being handled. However, it would be a mistake to think 
that it is all we need. We obviously do need wireless security, we obviously 
need transport level crypto to protect our COAP and other transactions, but 
perhaps even more than those things, we need to protect the data that is passed 
around, protect data that is stored, safeguard applications that process that 
data and necessarily have to have access to many sources of information, figure 
out how metadata such as directories and semantic definitions need to be 
protected, figure out how we authorise various applications and actors to act, 
and so on.

I think that’s a tall order, and we better get moving!

Jari
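The QR-code bootstrap Phillip describes (a SHA-2 digest of the device's public key printed on the device, checked by a mobile app) comes down to an out-of-band fingerprint check on the app side. The following is an added example of that check, not code from either message or from the Mathematical Mesh; the label format "<alg>:<hex>" and the 32-byte sample key are assumptions made here.

```python
import hashlib
import hmac

# SHA-2 family members the app accepts. The label format "<alg>:<hex>"
# is an assumption of this example; the thread does not specify one.
SUPPORTED_DIGESTS = {
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}


def make_label(alg, public_key):
    """Text the manufacturer would encode in the QR code: digest of the key."""
    return f"{alg}:{SUPPORTED_DIGESTS[alg](public_key).hexdigest()}"


def parse_label(label):
    """Split a scanned label into (algorithm, digest). Any malformed input
    raises ValueError so the caller cannot fall through to accepting a key."""
    alg, sep, hexdigest = label.strip().lower().partition(":")
    if not sep or alg not in SUPPORTED_DIGESTS:
        raise ValueError(f"unsupported or malformed label: {label!r}")
    try:
        digest = bytes.fromhex(hexdigest)
    except ValueError as exc:
        raise ValueError("digest is not valid hex") from exc
    if len(digest) != SUPPORTED_DIGESTS[alg]().digest_size:
        raise ValueError("digest length does not match algorithm")
    return alg, digest


def key_matches_label(presented_key, label):
    """True only if the key the device sends over the link hashes to the
    digest printed on the device. A constant-time compare avoids leaking
    how many leading bytes matched."""
    alg, expected = parse_label(label)
    actual = SUPPORTED_DIGESTS[alg](presented_key).digest()
    return hmac.compare_digest(actual, expected)


# Constructed stand-in for a device's raw 32-byte public key (not a real key).
DEVICE_KEY = bytes(range(32))
DEVICE_LABEL = make_label("sha256", DEVICE_KEY)

if __name__ == "__main__":
    print(DEVICE_LABEL)
    print(key_matches_label(DEVICE_KEY, DEVICE_LABEL))                  # True
    print(key_matches_label(b"\xff" + DEVICE_KEY[1:], DEVICE_LABEL))    # False
```

A mismatch or a malformed label must end the pairing attempt; the app should never fall back to trusting whatever key the link presents.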
