IoT authentication presents a major IoT security challenge -- one that leaders must overcome to provide a first line of defense against attacks.
With the spread of IoT technology to the network edge, strict access regulation requires that all endpoints and architectural components have reliable protection. IoT devices rely on the security of the infrastructure and devices they connect to, which means attackers can compromise the entire network if they find one hole in an IoT deployment. Effective access control mechanisms comprise authentication and authorization.
Authentication permits only approved users and technology to access internal resources. Every security team must address three levels: user, device and network. Any IoT device manufacturer, security developer or IT admin must understand the authentication mechanisms that secure IoT at each level, such as biometrics at the user level, tamper-resistant memory at the device level and different architectures at the network level.
The book IoT Security: Advances in Authentication -- written by a group of experts and edited by Madhusanka Liyanage, An Braeken, Pardeep Kumar and Mika Ylianttila -- gives a guide on the evolution of IoT, the many sectors that can use IoT, a classification of vulnerabilities, exploitable attacks and possible countermeasures, and how authentication can counter these vulnerabilities at each level. With chapters dedicated to authentication at each level, security developers can follow the best practices for the access control mechanisms required to build a strong IoT security foundation.
The following excerpt from Chapter 2 of IoT Security: Advances in Authentication, written by Anca D. Jurcut, Pasika Ranaweera and Lina Xu, introduces the basics of authentication before admins dive into methods for risk prevention and mitigation.
Authentication is the process of verifying the identity of an entity. The entity to be verified could be either a human or a machine. Authentication is the first phase of any access control mechanism; it determines the exact identity of the accessing party in order to establish the trust of the system. In most cases, authentication is initiated between a human and a machine, for example when a user logs into an internet banking portal by entering credentials. However, in this scenario, the access-seeking entity has no guarantee regarding the identity of the access-granting entity. To overcome this concern, mutual authentication should be established between the entities by verifying the identity of the access-granting entity with the involvement of a trusted third party (TTP), such as a Certificate Authority (CA). CAs are globally recognized institutions responsible for issuing and maintaining secure digital certificates for the web entities registered under them. These certificates are imperative for the operation of all modern-day authentication protocols such as SSL/TLS, IPSec, and HTTPS.
The process of authentication is simply the presentation of an entity's credentials to the access-granting system; these credentials are unique to that entity and can be possessed only by it. This mechanism can be enabled with or without a TTP. The credentials used are often categorized as factors. An authentication scheme's accuracy and efficiency depend on the number of factors engaged in the mechanism. The types of factors are listed below.
- Knowledge factor -- passwords, keys, PINs, patterns
- Possession factor -- Random Number Generators (RNG), ATM card, ID card
- Inherence factor -- Biometrics such as fingerprint, palm print, iris, etc.
Recent innovations in embedding biometric sensors in smart handheld devices have made it possible to use multi-factor, multi-mode (multi-mode meaning that more than one biometric is used for verification) Human-to-Machine (H2M) authentication protocols for IoT devices. However, Machine-to-Machine (M2M) authentication can only be conducted using cryptographic primitives. Moreover, including strong cryptographic primitives (PKI, hashing, timestamps, etc.) in the authentication protocols involved is crucial in order to ensure data confidentiality, integrity, and availability, as the credentials being conveyed are highly sensitive and unique to the authenticating entity.
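As an added illustration (not code from the book or this article), here is a minimal M2M mutual authentication exchange built from the primitives the excerpt names: a keyed hash (HMAC-SHA256), nonces and timestamps. A pre-shared device secret stands in for a PKI credential; the device ID, key and clock values are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo values; a real deployment provisions a per-device secret
# (or a certificate) at manufacture and never embeds it in source like this.
DEVICE_ID = b"sensor-0042"
DEVICE_KEY = b"constructed-demo-key-not-for-production"
MAX_SKEW = 30  # seconds of clock drift tolerated before a timestamp is stale

def _mac(key: bytes, *parts: bytes) -> bytes:
    # Length-prefix each field so adjacent fields cannot be re-split by an attacker.
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def device_hello(device_id: bytes, key: bytes, now: int) -> tuple:
    """Device -> gateway: identity, fresh nonce, timestamp, proof of key."""
    nonce_d, ts = os.urandom(16), str(now).encode()
    return device_id, nonce_d, ts, _mac(key, b"hello", device_id, nonce_d, ts)

def gateway_reply(hello: tuple, key_lookup, now: int, seen: set):
    """Gateway checks freshness and the device's proof, then proves itself."""
    device_id, nonce_d, ts, mac = hello
    key = key_lookup(device_id)
    if key is None or abs(now - int(ts)) > MAX_SKEW:
        return None  # unknown device, or a stale (possibly replayed) message
    if not hmac.compare_digest(mac, _mac(key, b"hello", device_id, nonce_d, ts)):
        return None  # device could not prove possession of its credential
    if (device_id, nonce_d) in seen:
        return None  # exact replay inside the skew window
    seen.add((device_id, nonce_d))
    nonce_g = os.urandom(16)
    # Binding nonce_d into the reply proves the gateway saw *this* hello.
    return nonce_g, _mac(key, b"reply", device_id, nonce_d, nonce_g)

def device_check(hello: tuple, reply, key: bytes) -> bool:
    """Device verifies the gateway's proof; None or a bad MAC means reject."""
    if reply is None:
        return False
    device_id, nonce_d, _, _ = hello
    nonce_g, mac = reply
    return hmac.compare_digest(mac, _mac(key, b"reply", device_id, nonce_d, nonce_g))

def run_handshake(gateway_key, now=1_000_000, seen=None, hello=None) -> bool:
    """True only if both sides accept each other (mutual authentication)."""
    seen = set() if seen is None else seen
    hello = hello or device_hello(DEVICE_ID, DEVICE_KEY, now)
    reply = gateway_reply(hello, lambda d: gateway_key if d == DEVICE_ID else None, now, seen)
    return device_check(hello, reply, DEVICE_KEY)
```

Because the device checks the gateway's reply, a gateway that does not hold the key fails even if it skips its own checks and fabricates a response; the timestamp window and the `seen` set reject stale and replayed hellos.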
Excerpted with the permission of the publisher, Wiley, from IoT Security: Advances in Authentication, edited by Madhusanka Liyanage, An Braeken, Pardeep Kumar and Mika Ylianttila. Copyright © 2020 by John Wiley & Sons Ltd. All rights reserved. This book is available wherever books and eBooks are sold.