Get started Bring yourself up to speed with our introductory content.

Cyberidentity disrupted: Thinking beyond PKI

The internet economy since its early years has been protected by public key infrastructure (PKI). From e-commerce and email to online money and knowledge transfers, PKI has arguably secured the entire internet experience as the pillar of trust. And that too at global scale.

But what about the internet of tomorrow?

Gartner forecasts that in 2016 5.5 million new “things” will get connected every day. This explosion in IoT devices and service revenue has already captured our imagination of an intelligent future fueling massive expansion in the economy.

Over the next five years, the number of connected devices is expected to at least double, with 75% of the growth coming from non-hub devices such as sensor nodes and accessories. While driving newer business models, these connections will also exponentially expand the cyberattack space.

Identity management is a central pillar for a secured internet. As such, without smarter identity solutions our imagination may never hit practical grounds.

Today the vast majority of secure communications occurs between consumers and web-facing servers. In PKI, the authentication burden is one way, between four to five popular web browsers and a few dozen certificate authorities.

PKI’s asymmetric cryptography algorithms are compute intensive and too power-thirsty for small IoT sensors. To provision, manage and secure identity, multiple parties are involved and the workflow gets too complex for an unbounded ecosystem like IoT — with several billions of sensors, gateways and servers that require low-cost, two-way authentication and secure communications.

We can’t expect PKI to scale for IoT. Instead, we need to explore schemes that can address the challenges posed by IoT around massive scale and low-power memory-compute resources. Solutions which are robust enough to combat newer threat models and still interoperate with PKI.

At the IoT Security Summit 2016 in Boston, Rod Schultz, Rubicon’s VP of products, shared its identity platform designed to meet these expectations. “At Rubicon Labs we are trying to disrupt the current process of acquiring identity for a device. For low-end microcontrollers –devices with low power and resource constraints — asymmetric cryptography is not practical based on size, speed and power consumption. We use symmetric cryptography to address this.”

Can symmetric cryptography be robust enough?

Rubicon’s solution builds on existing symmetric cryptography models where all keys are secrets.

Its heavily patented technology makes secret keys inaccessible to memory, but still usable by the CPU. “Rubicon does it by a unique coupling of a keyed one-way hashing function with a secure memory space. The coupling creates a vault which can be provisioned by a key whose value is never known by anyone or anything,” Schultz explained. “These are Rubicon’s Zero Knowledge keys.”

Essentially, nothing gets out of this black box or vault; devices use the key without knowing what it is.

Rubicon’s distributed service uniquely identifies each device using its secret and the hashing function, and also helps establish a secure session between devices.

One big benefit of symmetric algorithms is they are much faster than their asymmetric counterparts, and they can execute with tiny memory and power footprints.

“Rubicon’s solution doesn’t replace but compliments PKI,” Schultz pointed out. “With 16 bytes size, our keys are 4,000 times faster compared to 3072-bit RSA and consume 400,000 times less power. Even if you switch over to [elliptic curve cryptography] you are using 20,000 times more power [than Rubicon]. For battery-powered devices, this is a critical calculation.”

And with the ability to morph across hardware platforms and evolving standards, Rubicon’s solution promises to support use cases well beyond resource-constrained devices, such as connected automobiles and emerging payment systems.

Newer business model: Identity as a service

This also opens doors to identity being sold as a service. In the device industry with declining profit margins, this is an interesting avenue to drive subscription-based solutions. Rubicon, for example, plans to act as the “key authority” — rent its Zero Knowledge keys and allow subscription to be built on top of that.

The road ahead

However, like any futuristic innovation, Schultz noted, “People are not receptive to a paradigm shift.” But with growing partnerships with Akamai, Freescale and other ecosystem players, Rubicon is chartering into newer territories and business models.

Managing identity is a critical building block to secure tomorrow’s hyper-connected economy.

Are there any other disruptive innovations in the cyberidentity space that you would like to share?

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Hello, is this technology based on Blockchain?
There are some cryptographic algorithm similarities between Rubicon and Blockchain. Rubicon identities are based on keyed hashing functions, and proof of an identity is done by passing random numbers through a devices keyed hashing function (also called HMAC functions).

The Blockchain proof of work (a reward for doing the proof of work could be bitcoin or some other incentive) is based on the difficulty of finding a specific hash value for the updated Blockchain. 

Both technologies make extensive use of hashing functions, Rubicon using keyed hashing functions (where the output of the hashing function is based three things: the hashing algorithm, the input to the hash, and the key of the hash), and Blockchain using simple hashing functions (no key is used as an input).

Identity for Rubicon is the hashing functions, and could be used as the identity of the Blockchain 'writer' (today this is commonly done with Eliptic Curve Cryptography keys and certs).

Hi. It's not based on the same technology as Blockchain, but it does use some similar cryptographic algorithms. 

Rubicon makes extensive use of keyed hashing functions (also called HMACs) for proving identity. A device proves its identity by passing random numbers through its own HMAC.

Blockchain also uses hashing functions (not keyed hashing functions though) to execute the Blockchain Proof of Work algorithm. Successful execution of the Proof of Work is usually some type of incentive (Bitcoin for instance) and is what motivates miners or nodes on the Blockchain to validate updated blocks. 

Blockchain identities are usually done today with ECC keys (elliptic curve cryptography), but those identities could also be provided by Rubicon HMAC functions.