Published on

Let's talk IoT: Don't do crypto!

Authors
  • avatar
    Name
    Tibo Gabriels
    Twitter

On March 29, Trend Micro held a seminar concerning cryptography and IoT. How do you handle encryption on microcontrollers? Udo Schneider, IoT Security Evangelist in Europe, answered exactly that.

Lets Talk IoT Udo started off talking about cryptography basics: Caesar cypher, transposition cypher, ... Nothing very new for me, but what i didn't realize until now was how modern encryption is often build upon these basic methods but combined to form a more complex algorithm.

PRNGs

He continued to talk about random number generation, and the importance of choosing the right method. Not all number generation is created equal, and pretty much any implementation is pseudo random. An interesting method is using the movement of lava lamps or the cosmic background radiation. While not random, it is complex and unpredictable enough to be used for modern encryption.

Hashes

Using modern and secure hashing algorithms is also very important, md5 and sha1 are simply broken these days. You might as well use plain text instead.

Another point is using the right kind of encryption. ECB (electronic codebook mode encryption) chains multiple algorithms but with the same key. This means that, even tough the data is encrypted, there is still an inherent structure that makes it easier to break the encryption. This is very apparent with images. CBC (Cypher block chaining) on the other hand does not make this kind of structure, but actually produced near white noise.

Keys in Firmware... NOT!

Hiding keys in firmware might seem secure, but this is not the case. Someone with reverse-engineering experience and tools can easily decrypt this. So don't rely on compilation to hide your keys or passwords. In the case of microcontrollers, many of these have built in encryption modules you can use, and if not. You should include one in your design if you need encryption.

Conclusion

In the end, you can conclude that most developers aren't experts in encryption. So if you don't know what you are doing with encryption, then use existing, known and secure libraries. Some examples include NIST and cryptool

  • Know your crypto! What to use when, where & how
  • Don't build your own: it's way too easy to screw up
  • Rely on proven frameworks & protocols: trust but verify!