Internet of Things, or IoT, devices are everywhere in the world, whether you are at home, in the office, or just on the Internet in general. An IoT device is any type of device that connects to a network to access the Internet, so Personal Computers, cellphones, some speakers, and even some outlets are considered IoT devices. Today, even cars and airplanes use IoT devices, meaning if these devices are attacked by threat actors, then cars or airplanes could be hijacked or stolen. With such a widespread use of IoT devices in place in our world, authenticating and authorizing IoT devices within your organization’s network has become vital. Allowing unauthorized IoT devices onto your network can lead to threat actors leveraging these unauthorized devices to perform malware attacks within your organization.
Software-Based IoT Authentication
Before talking about specific ways to give authorization to IoT devices, we should first take a look at some of the general, software-based authentication methods available to Internet of Things devices.
When two devices are both attempting to communicate with each other, one-way authentication can be used to authenticate only one of the devices as opposed to both. This is similar to how a client-server relationship works, where the client is just authenticating itself with the server, not the other way around. An example of one-way authentication could be signing onto a server with a username and password.
Similar to one-way authentication is two-way authentication, where both parties authenticate themselves to each other. An example of two-way authentication could be a SSL/TLS handshake.
Three-way authentication is also another method of authentication used. Three-way authentication uses a central point, like a server, to authenticate both of the devices attempting to communicate, with the central point itself as well as with each other. An example of three-way communication could be using a server that is trusted by both communicators to trust each other.
Another method of authentication used with IoT devices is Distributed authentication. Distributed authentication uses a distributed system to authenticate the two communicating parties.
Similar to distributed authentication is centralized authentication. Instead of using a distributed system to authenticate the parties, a centralized location system is used for authentication. One final way to authenticate devices is one of the more common methods: two-factor authentication. When logging into a network, a user may use a username and password and two-factor authentication. Two-factor authentication can be verifying the user’s identity by sending an email or text message to the user, or scanning a QR code, thus authenticating that device.
These are commonly used methods of authentication for the most part, but the following hardware-based authorization methods are found more commonly in larger organizations.
Hardware-Based Authorization Methods
As I mentioned previously, hardware-based authorization methods are more commonly used within an organization, as they provide the most widespread and secure method of authenticating IoT devices within a network. One of these hardware-based methods is the use of Hardware Security Modules. Hardware Security Modules, or HSMs, are used to securely store private keys from asymmetric key pairs. An asymmetric keypair has a public and private key mathematically linked together.
The private key, as the name suggests, is kept private while the public key can be viewed by anyone. When discussing IoT device authentication, devices within a network will have an asymmetric keypair, and a digital certificate associated with that keypair, connected to the device being authenticated. If the certificate provided to the HSM contains a public key linked to the private key stored within the HSM, then that device is allowed access to the network. If not, it’s access is denied.
Another method, usually used in conjunction with HSMs, is the use of a Public Key Infrastructure. A Public Key Infrastructure, or PKI, is a connection of Certificate Authorities stemming from a Root Certificate Authority, which create and distribute certificates to authorized devices in a network. These certificates can be traced back to the trusted Root Certificate Authority (Root CA), authorizing the IoT device connected to that certificate to use the organization’s network. Most PKIs will integrate an HSM with their PKI systems, to provide the highest level of security. The HSM handles the storage of the private keys of the certificates generated by the CAs. If a valid certificate, with a valid certificate chain connecting the certificate to the Root CA, is not found, then the device will not have any access to the network utilizing the PKI.
Some organizations will set up a Trusted Execution Environment (TEE) to protect their network and any sensitive data stored within that network. TEE is set up within a device that connects to an organization and uses high level encryption to authorize that device to be able to connect to and use an organization’s network. TEE is used in many organizations because it does not overtax the systems in place in a device, but instead uses a minimal amount of computing power to function.
One final authentication method that organizations will often use is a Trusted Platform Module. A Trusted Platform Module, or TPM, is a microchip that is put into an IoT device which completes the process of IoT device authentication due to the host-specific encryption keys stored within it. The chip, and the keys held within, are not accessible from software, so an attacker would not be able to leverage the chip to gain access to a network. When connecting to a network using TPMs, the chip provides a key and the network compares that key to known host keys. If they match with one of the known host keys, then access is granted.
These are just a few of the many different solutions available for IoT device authentication available to organizations. Choosing the right solution is very important, as not every organization has the same needs and wants for their IoT device security. It is important to have a detailed discussion within your cybersecurity team to determine what important points this authentication method must deal with, and how vast it needs to be spread. If your organization is massive and has minimal sensitive information, a TPM would likely not be the way to go as security does not need to be so strict and putting a chip in every device on the network would be extremely expensive. Something to note with these systems is that many of them would need to be handled manually. IoT management platforms can help with this as they allow an organization to manage security tools and get health reports on hundreds of IoT devices in their life using that portal. For any consultation needs relating to PKI or HSM work, visit our website at www.encryptionconsulting.com.
Datasheet of Public Key Infrastructure
We have years of experience in consulting, designing, implementing & migrating PKI solutions for enterprises across the country.