Learn the basics of cryptography in IoT

Cryptography requires navigating the limitations of IoT, but the protection data encryption offers makes it a must-have for secure IoT deployments and communication channels.

As CIOs and their organizations deploy more connected devices and build out more extensive IoT environments, many struggle to secure those ecosystems and all the data generated.

Cryptography is a useful counter to those challenges.

Cryptography uses codes to protect information and communications, making it inaccessible to all but those authorized to decipher the codes.

Security leaders advocate for its use in IoT environments, saying it's an optimal way to secure data at rest and in transit, secure the channels that transmit data and even authenticate devices within the IoT mesh, thereby providing a blanket of protection against hacks.

Merritt Maxim, vice president and research director, Forrester ResearchMerritt Maxim

"Encryption in general is a security best practice, and that applies to IoT use cases to encrypt data in transit from device to back end and at rest. It should be used everywhere, because the more you can encrypt data, the stronger protection you're offering," said Merritt Maxim, vice president and research director at the research firm Forrester Research.

Challenges with IoT security

Any electronic device that holds data can be compromised, regardless of whether it's connected to the internet. A bad actor can steal a laptop and break into the files it holds, for example.

But the risk of unauthorized access to electronic devices and the data they hold skyrockets as soon as those devices connect to the internet.

IoT significantly expands that risk of unauthorized access simply due to the huge number of devices being connected to the internet.

That number is staggering. IoT Analytics, an IoT market research firm, calculated the number of active endpoints in the world in 2021 at 12.3 billion; it predicts more than 27 billion IoT connections by 2025.

Meanwhile, IDC researchers predict that there will be 55.7 billion connected devices in the world by 2025, with 75% of them connected to an IoT platform. They further estimate that those IoT devices will generate 73.1 zettabytes of data by 2025, up from 18.3 zettabytes in 2019.

That massive volume isn't the only security challenge.

IoT deployments also increase hacking risks because their data exists in different places: in endpoint devices, on gateways and in centralized servers, as well as in transit among all those points. Minimizing those risks is where cryptography comes in.

Where to apply cryptography in IoT

Cryptography can be used in various areas of an IoT deployment.

Organizations can use cryptography to secure communication channels. For example, developers can use the cryptographic protocol Transport Layer Security for secure communications.

They can also use cryptography for encrypting and decrypting the data within the IoT ecosystem, using one of the various available options. Options including single-key or symmetric-key encryption algorithms such as the Advanced Encryption Standard (AES), public-key infrastructure (PKI) or asymmetric-key encryption algorithms such as the Rivest-Shamir-Adleman algorithm and the digital signature algorithm.

Jason Pittman, faculty member, University of Maryland Global CampusJason Pittman

When it comes to how it works and the benefits it provides, the use of cryptography in IoT deployments is the essentially the same as it is when used in other types of IT infrastructure, said Jason Pittman, a faculty member at the School of Cybersecurity and Information Technology at the University of Maryland Global Campus.

"A primary principle of technology and cybersecurity is that only the people who should have access should gain access. And the best way to ensure that no one has [unauthorized] access to a device or the data is to encrypt it," Pittman said. "So even if you're not worried about an attack, you should be mindful that no one should access something if they're not authorized to do that and the primary way to do that is encryption."

Challenges and limitations with cryptography in IoT

However, there are challenges and technical considerations within IoT environments that can influence cryptography decisions.

"What [IoT] managers need to think about is the constraints of the devices, mostly because the devices are low-powered, and cryptography, because of the mathematics involved, is hardware intensive," Pittman said.

The hardware-level constraints -- specifically restricted power and restricted memory -- can add considerations to decisions that don't exist when using cryptography in more conventional IT environments, said Yale Fox, IEEE member, TED fellow and CEO of Rentlogic, a platform that analyzes vast amounts of public data to generate letter grades for buildings across New York City.

Yale Fox, IEEE member, TED fellow and CEO, RentlogicYale Fox

Speed requirements can be a factor in cryptography decisions within an IoT deployment, too.

IoT managers must consider those constraints when choosing which cryptographic protocols to use.

"There are different protocols that are better for transmitting information in a more energy efficient way," Fox added.

For example, some experts have found that AES isn't lightweight enough for some IoT use cases, while others have determined that some lightweight options don't offer strong enough protection for highly sensitive IoT use cases.

Another potential challenge with cryptography in IoT is the management of encryption keys due to the high volume of devices involved. Some IoT deployments involve hundreds of thousands of devices generating encrypted data, creating a complexity that doesn't exist in non-IoT environments.

Organizations must ensure that their cryptography choices offer enough protection for the use cases they're securing. No security solution delivers a full guarantee of security and cryptography is no exception to that.

For example, the Data Encryption Standard is significantly more susceptible to brute-force cryptographic hacks than other options; that's one reason the standard, one of the oldest encryption algorithms, has fallen out of favor and isn't in much use today.

"So, you have to be careful about how the encryption is implemented, and companies must make sure that even if they implement the most advanced algorithms that the devices themselves can't be compromised," Maxim added.

Adoption of cryptography in IoT use cases

Security experts and analysts didn't have figures available on cryptography use in IoT environments, but they said its use seems to be on the rise.

"It's being used more than it was, but I'm not sure it's being used as much as it should be," Pittman said. "All modern devices come with the ability to facilitate encryption natively. It's no longer something you have to put on devices, so its implementation is trivial compared to what it was just five years ago."

What [IoT] managers need to think about is the constraints of the devices, mostly because the devices are low-powered, and cryptography, because of the mathematics involved, is hardware intensive.
Jason PittmanFaculty member, University of Maryland Global Campus

Still, experts said many organizations aren't using cryptography to secure their IoT deployments.

They said they hear IT leaders and IoT managers give different reasons for forgoing cryptography.

For instance, some IT admin don't employ cryptography capabilities because it blocks visibility, making network analysis and troubleshooting difficult. Others opt not to use it because they believe managing it or configuring it is beyond their existing expertise and their ability to pay for needed skills. Some organizations decide to use cryptography to secure only part of their IoT environment, such as encrypting data at rest.

Some experts countered those reasons, saying cryptography's benefits outpaces its challenges.

"Security is often a cost center and an afterthought," Fox said. "But using cryptography can be a quick win when you want to persuade people [of its worth]."

Dig Deeper on Internet of Things (IoT) Security Strategy