Field of the Invention
Embodiments of the present invention relate generally to secure electronic communications and, more specifically, to automating Internet of Things security provisioning.
Description of the Related Art
As time passes, the number of devices that are connected through networks is expected to steadily increase. With the advent of the “Internet of Things” (IoT), where any physical device with an Internet Protocol (IP) address can connect to the Internet, the number of Internet-connected devices is anticipated to increase by one to two orders of magnitude in the next decade. In addition to computer-based physical devices such as laptops and tablets, “IoT devices” are expected to include buildings, vehicles, wearable technologies, traffic lights, parking meters, and the like.
To protect IoT devices from unauthorized access, and to protect the privacy of data communicated between IoT devices through the Internet, there is a basic set of security functions that many IoT devices implement when connecting to the Internet. For example, authentication, encryption, and authorization security functions are typically enabled for IoT devices as part of the security provisioning process when those devices connect to the Internet. Authentication provides assurance between interacting IoT devices as to the identity of the IoT devices and the authenticity of the data exchanged by those devices. Encryption is applied to data communicated through the Internet to protect the privacy of the data. Authorizations specify the types of interactions in which a given IoT device can engage.
One commonly accepted approach for both device authentication and data encryption is implementing a Public Key Infrastructure (PKI). A PKI uses asymmetric cryptographic key pairs (public/private) associated with a single identity to enable authentication and encryption mechanisms. Each key pair is used to reliably identify devices and/or users associated with a particular identity to other devices and/or other users. A core premise of the PKI is that there is a trusted way of verifying the authenticity of the key pair being used by the particular identity. Typically, a “trusted authority” provides assurance of the legitimacy of the key pairs associated with an identity and verifies linkages between public keys and identities.
A substantial challenge that has prevented the universal adoption of PKI is the logistical difficulty of verifying the linkage between a public key and an identity. For example, during “authorization provisioning” for a particular IoT device, a system engineer could manually generate a key pair that includes a public key and a private key. The system engineer could store the private key in a memory associated with the IoT device. Subsequently, the system engineer could identify a trusted authority that is authorized to generate and sign authorization credentials. The system engineer could then interact with the trusted authority to verify the identity of the IoT device. After the system engineer has established the identity of the IoT device, the system engineer could request that the trusted authority generate and sign an authorization credential that includes the identity of the IoT device and the public key. Thereafter, the IoT device would provide the signed authorization credential to other IoT devices to provide a trusted linkage between the public key and the IoT device and an assurance that the key pair that includes the public key is legitimate.
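The manual steps described above can be traced with the OpenSSL command line, as an added example that is not part of the original document. It assumes X.509 certificates as the credential format (the text names none), and all subject names and file names are constructed for illustration.

```shell
# Added example: the manual provisioning steps above, using OpenSSL and X.509.
# Assumptions: X.509 as the credential format; the names Example Trusted
# Authority and device-0001 and all file names are constructed.
set -eu

make_authority() {   # $1 = directory for the trusted authority's key and root credential
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/ca.key" &&
  openssl req -x509 -new -key "$1/ca.key" -sha256 -days 30 \
    -subj "/CN=Example Trusted Authority" -out "$1/ca.crt"
}

provision_device() { # $1 = authority directory, $2 = device directory, $3 = device identity
  # The engineer generates the key pair; the private key is stored with the device.
  openssl ecparam -name prime256v1 -genkey -noout -out "$2/device.key" &&
  chmod 600 "$2/device.key" &&
  # The request names the identity and carries the public key.
  openssl req -new -key "$2/device.key" -subj "/CN=$3" -out "$2/device.csr" &&
  # The authority signs the credential after the identity has been verified.
  openssl x509 -req -in "$2/device.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 30 -out "$2/device.crt" 2>/dev/null
}

verify_device() {    # $1 = trust anchor, $2 = presented credential, $3 = presenter's private key
  rc=0; work=$(mktemp -d)
  {
    # 1. The relying party checks the authority's signature on the credential.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 &&
    # 2. Proof of possession: the presenter signs a fresh nonce with its private key,
    openssl rand -out "$work/nonce" 32 &&
    openssl dgst -sha256 -sign "$3" -out "$work/sig" "$work/nonce" &&
    #    and the relying party verifies it with the public key from the credential.
    openssl x509 -in "$2" -noout -pubkey > "$work/pub" &&
    openssl dgst -sha256 -verify "$work/pub" -signature "$work/sig" "$work/nonce" >/dev/null 2>&1
  } || rc=1
  rm -rf "$work"; return "$rc"
}

# Demo run: one directory stands in for both the authority and the device.
demo=$(mktemp -d)
make_authority "$demo"
provision_device "$demo" "$demo" device-0001
verify_device "$demo/ca.crt" "$demo/device.crt" "$demo/device.key" && echo "credential accepted"
rm -rf "$demo"
```

Every device repeats `provision_device` by hand, together with the identity check that precedes signing, which is the per-device effort the following paragraph refers to.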
The time, cost, and expertise associated with the manual efforts involved in the authorization provisioning process have discouraged the adoption of PKI. Further, other commonly accepted approaches to security provisioning for IoT devices require similar manual activities that discourage the adoption of such approaches in the same way. Such manual processes cannot be scaled effectively to accommodate the anticipated increase in the number of IoT devices, which creates a potential security gap in the IoT infrastructure.
As the foregoing illustrates, what is needed in the art are more effective techniques for performing security provisioning for Internet of Things (IoT) devices.