Why the Internet of Things Needs Different Encryption


The security systems that protect desktops and servers won't work for RFID tags.

The proliferation of internet-enabled devices warrants a new model for cybersecurity, according to a federal agency. 

The National Institute of Standards and Technology is envisioning a new, "lightweight" cryptography that can protect objects with RFID tags and embedded sensors. The conventional cryptography that protects servers, tablets, desktop computers and other complex systems won't work for devices with "limited resources," such as low power supplies and a shorter time frame for determining whether a command is valid, according to NIST researchers.

Shifting from desktop computers to smaller devices "brings a wide range of new security and privacy concerns,” NIST's draft report on lightweight cryptography said. Kerry McKay, one of the authors, told Nextgov NIST is looking to standardize computer algorithms that could be used to make sure those devices aren't infiltrated by outside groups.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

If a household has a digitally enabled electrical meter, residents may use a cryptographic system to ensure the notifications they receive are "from your meter or your power company, as opposed to letting a hacker inject messages," McKay said.

There aren't many standards for lightweight cryptography, McKay said. "People are putting out devices faster than standards bodies can keep up," he said.

The federal government is required to adopt NIST standards when it's buying technology from the private sector, McKay said.

"We certainly don't want anyone having accidents that could have been prevented because another nation state decided to do something," he added.

NIST is asking the private sector entities to submit their thoughts on lightweight cryptography, explaining which algorithms their devices use and why, and what requirements they have for security.