Get started Bring yourself up to speed with our introductory content.

Cyberidentity disrupted: Thinking beyond PKI

The internet economy since its early years has been protected by public key infrastructure (PKI). From e-commerce and email to online money and knowledge transfers, PKI has arguably secured the entire internet experience as the pillar of trust. And that too at global scale.

But what about the internet of tomorrow?

Gartner forecasts that in 2016 5.5 million new “things” will get connected every day. This explosion in IoT devices and service revenue has already captured our imagination of an intelligent future fueling massive expansion in the economy.

Over the next five years, the number of connected devices is expected to at least double, with 75% of the growth coming from non-hub devices such as sensor nodes and accessories. While driving newer business models, these connections will also exponentially expand the cyberattack space.

Identity management is a central pillar for a secured internet. As such, without smarter identity solutions our imagination may never hit practical grounds.

Today the vast majority of secure communications occurs between consumers and web-facing servers. In PKI, the authentication burden is one way, between four to five popular web browsers and a few dozen certificate authorities.

PKI’s asymmetric cryptography algorithms are compute intensive and too power-thirsty for small IoT sensors. To provision, manage and secure identity, multiple parties are involved and the workflow gets too complex for an unbounded ecosystem like IoT — with several billions of sensors, gateways and servers that require low-cost, two-way authentication and secure communications.

We can’t expect PKI to scale for IoT. Instead, we need to explore schemes that can address the challenges posed by IoT around massive scale and low-power memory-compute resources. Solutions which are robust enough to combat newer threat models and still interoperate with PKI.

At the IoT Security Summit 2016 in Boston, Rod Schultz, Rubicon’s VP of products, shared its identity platform designed to meet these expectations. “At Rubicon Labs we are trying to disrupt the current process of acquiring identity for a device. For low-end microcontrollers –devices with low power and resource constraints — asymmetric cryptography is not practical based on size, speed and power consumption. We use symmetric cryptography to address this.”

Can symmetric cryptography be robust enough?

Rubicon’s solution builds on existing symmetric cryptography models where all keys are secrets.

Its heavily patented technology makes secret keys inaccessible to memory, but still usable by the CPU. “Rubicon does it by a unique coupling of a keyed one-way hashing function with a secure memory space. The coupling creates a vault which can be provisioned by a key whose value is never known by anyone or anything,” Schultz explained. “These are Rubicon’s Zero Knowledge keys.”

Essentially, nothing gets out of this black box or vault; devices use the key without knowing what it is.

Rubicon’s distributed service uniquely identifies each device using its secret and the hashing function, and also helps establish a secure session between devices.

One big benefit of symmetric algorithms is they are much faster than their asymmetric counterparts, and they can execute with tiny memory and power footprints.

“Rubicon’s solution doesn’t replace but compliments PKI,” Schultz pointed out. “With 16 bytes size, our keys are 4,000 times faster compared to 3072-bit RSA and consume 400,000 times less power. Even if you switch over to [elliptic curve cryptography] you are using 20,000 times more power [than Rubicon]. For battery-powered devices, this is a critical calculation.”

And with the ability to morph across hardware platforms and evolving standards, Rubicon’s solution promises to support use cases well beyond resource-constrained devices, such as connected automobiles and emerging payment systems.

Newer business model: Identity as a service

This also opens doors to identity being sold as a service. In the device industry with declining profit margins, this is an interesting avenue to drive subscription-based solutions. Rubicon, for example, plans to act as the “key authority” — rent its Zero Knowledge keys and allow subscription to be built on top of that.

The road ahead

However, like any futuristic innovation, Schultz noted, “People are not receptive to a paradigm shift.” But with growing partnerships with Akamai, Freescale and other ecosystem players, Rubicon is chartering into newer territories and business models.

Managing identity is a critical building block to secure tomorrow’s hyper-connected economy.

Are there any other disruptive innovations in the cyberidentity space that you would like to share?

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.