For the tiny processors used in identification tags, wireless sensors, and microcontrollers that control a car's door locks and brakes, security is complicated. They have little computing power and memory to reserve for digital protection.
SecureRF is trying to make it easier for these embedded devices to authenticate each other and encrypt sensitive information. Louis Parks, the company's chief executive, said in an interview that it could fit cryptography algorithms onto 8-bit and 16-bit processors.
The security firm, founded in 2004, built cryptography that can authenticate these simple processors in milliseconds. "With 8-bit or 16-bit processors, we weren’t thinking about security until someone could take control of the brakes in my car with them," Parks told Electronic Design. The interview is edited and condensed below.
Forrester Research said in a recent report that network security is the most important for the Internet of Things. Why do these devices need authentication and even encryption on top of strong network security?
What we are doing specifically is securing the edge points of the Internet of Things. Let’s pretend we don’t need security at those edge points. Well, I put a little piece of malware inside data going into the network and then I move my malware all around so I can infect everything.
You often hear security talked about in layers. Last year, all those devices were improperly secured – this is the Mirai attack that brought down Netflix and a whole lot of other server farms – because hackers got access several thousand unsecured devices connected to very secure networks.
If I issue a command to apply the brakes in a car, you want the brakes to know that the command is coming from the driver and not someone in North Korea. If BMW wants to push a firmware update, its cars may want to confirm that BMW is sending the message and not a hacker. BMW wants to make sure that it pushes out its precious software to an authentic BMW platform and not people trying to steal the code.
Can you explain the problem with running cryptography algorithms on these relatively simple devices?
There is something called public key asymmetric cryptography, which is the foundation of initial authentication for your internet browser and smartphone. It involves multiplying and dividing large numbers – adding and subtracting 0s and 1s at the chip level.
If you can’t fit the entire operation in the width of the bus, you have to break it up. That can take a very long time. You only have 8 bits of an 8-bit processor so, if a public key method needs at least 32 bits, you are going to have significant overhead to do authentication.
What sets apart your technology? How does it work with devices that have small amounts of computing power and memory?
Most of the security that you use today on your smartphone and laptop is 35 to 40 years old, but it works perfectly well. But with an 8-bit processor it does not work well at all. What we have done is brought in a branch of mathematics called group theoretic cryptography. . . . It is done with very small numbers usually 5 to 8-bits in size, which means that the numbers fit in an 8-bit processor. Our operations perform significantly faster and more efficiently.
What other benefits does your approach have?
The faster computation times translates into lower energy consumption. In the Internet of Things devices using 8-bit processors, energy is an issue because you don’t want to run the battery down trying to check the security. No one wants to replace the battery in their device every four or five weeks when they think it is going to last one to two years.
The unique thing we did is bring in this area of cryptography, which is typically used in identification and authentication but which can also support encryption and data protection. It has basically allowed us to use a smaller physical footprint in silicon and software and it has given us ultra-low energy.
In August, a bill was introduced in Congress that would set basic security standards for devices sourced by the U.S. government. It would also task officials with creating guidelines for devices with "limited" processing power. What would your advice be to them?
It’s a great start. I would hope that whoever’s working on the bill would reach out to a number of constituents from across the digital spectrum, especially from the device level because a lot of what they are talking about is device-level security. . . . Best case scenario, the bill results in some kind of comprehensive security framework.