Jane Melia, Ph.D., is vice president of strategic business development at QuintessenceLabs.
Bob Gourley is a co-founder and partner of Cognitio and the publisher of and. Bob’s first career was as a naval intelligence officer, which included operational tours in Europe and Asia. Bob was the first Director of Intelligence (J-2) at the Defense Department’s cyber defense organization Joint Task Force-Computer Network Defense. Following retirement from the Navy, Bob was an executive with TRW and Northrop Grumman, and then returned to government service as the CTO of the Defense Intelligence Agency.

The Internet of Things (IoT) has security issues. The fundamental weakness is that it adds to the number of devices behind a network firewall that can be compromised. Not only do we need to safeguard our computers and smartphones, now we must worry about protecting our homes, vehicles, appliances, wearables and other IoT devices.

The IoT is one of a security professional’s worst nightmares. Sensitive and often regulated data is being collected and stored on low-performance, low-power devices scattered across the globe. These devices are easy to tamper with, have to work for a long time and are hard to update. You may have heard that hackers remotely hijacked a Jeep’s digital systems, leading to Chrysler recalling 1.4 million vehicles. One of the things that makes vehicles and all IoT devices vulnerable is a history of weak encryption keys and inadequate provisioning and planning for data protection and lockdown.

Cryptography is critical for securing data at rest or in transit on the IoT. But cryptography fails when a device uses weak keys, low-entropy randomness or inaccurate time sources. The National Institute of Standards and Technology (NIST) states that “Entropy in the information theoretic sense is a measure of randomness or uncertainty in a signal.” Entropy is essentially the randomness, or unpredictability, collected for use in cryptography; a lack of entropy will negatively impact both performance and security.

Computers, especially low-power and low-cost devices, generally have trouble producing good randomness. Randomness relies on gathering entropy, and IoT devices can suffer entropy starvation, usually because they’re designed for a specific task and have little opportunity to build entropy locally before starting network communications. Security in general often takes a back seat, and specialist security functions like key generation are frequently overlooked and can undermine the entire security model. The best sources of true randomness are based on unpredictable physical phenomena such as quantum effects, but they can be impractical to include in IoT devices.

Finding ways to unlock the full potential of cryptography to secure data on the IoT can offer hope for a better future. What matters now is how we prevent another Chrysler episode. How do we instill the next generation of IoT devices with adequate security? What’s needed is an original approach to crypto-based IoT applications based on entropy.

NIST has proposed the development of Entropy as a Service (EaaS) for delivering entropy. This development will employ a standards-based approach to create a universally available method of securely providing high-quality entropy to cloud-based applications and embedded and IoT devices. The main components of the base EaaS architecture include the quantum entropy device, the EaaS server and a hardware root of trust device in the client system.

EaaS does not generate keys; it only enables client systems to generate strong cryptographic keys without any possibility for the EaaS server to gain any insight into the client keys. Whether EaaS is being supplied by the IoT manufacturers or via a service provider, good sources of entropy must be found to ensure a strong deployment.

Many users do not trust any centralized authority for a service of such fundamental importance. EaaS is designed to distribute and aggregate trust across a scalable collective of participants, yielding a collective authority. By combining known cryptographic techniques in novel ways, EaaS provides fresh timestamps and entropy to IoT devices on boot. The architecture distributes trust across thousands of servers scattered around the world, scalable enough that every country’s government and every major technology company in the world could participate directly in the decentralized root of trust, each actively and independently ensuring that all others stay honest. The architecture is open and reviewable by experts.
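An added example (not code from the article or from NIST's EaaS material) of the client-side idea this article describes for EaaS: the device mixes entropy received from several servers with a secret only it holds, so a server that knows its own contribution still cannot compute the resulting seed. The server names, freshness window, labels and tuple format are assumptions, and signature checks on the responses are assumed to have been done beforehand.

```python
import hashlib
import hmac

MAX_AGE = 300  # seconds a server timestamp may differ from device time (assumed policy)

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def derive_boot_seed(local_secret, responses, now, length=48):
    """Mix a device-local secret with entropy from several servers.

    responses: iterable of (server_id, timestamp, entropy) tuples whose
    signatures are assumed to have been verified already.
    """
    # Drop stale or undersized contributions; sort so arrival order is irrelevant.
    fresh = sorted(r for r in responses
                   if abs(now - r[1]) <= MAX_AGE and len(r[2]) >= 32)
    if not fresh:
        raise ValueError("no fresh server entropy available")
    # Length-prefix every input so contributions cannot be shifted into each other.
    ikm = len(local_secret).to_bytes(2, "big") + local_secret
    for server_id, _ts, entropy in fresh:
        sid = server_id.encode()
        ikm += bytes([len(sid)]) + sid + len(entropy).to_bytes(2, "big") + entropy
    prk = hkdf_extract(b"eaas-example-salt", ikm)   # hypothetical fixed salt
    return hkdf_expand(prk, b"boot-drbg-seed", length)

# Constructed sample data: fixed bytes stand in for real random output.
NOW = 1_700_000_000
LOCAL = bytes(range(32))   # stands in for a secret kept by the hardware root of trust
RESPONSES = [("eaas-a.example", NOW - 10, b"\xaa" * 32),
             ("eaas-b.example", NOW - 20, b"\xbb" * 32),
             ("eaas-c.example", NOW - 9000, b"\xcc" * 32)]   # stale, ignored

if __name__ == "__main__":
    print(derive_boot_seed(LOCAL, RESPONSES, NOW).hex())
```

The derived seed is meant to initialise the device's own random generator, which then produces keys locally; the servers never see it.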