The search for Lightweight Cryptographic Champions is on now that the National Institute of Standards and Technology (NIST) has launched a call for submissions of previously published and analyzed algorithms that will help set standards to better secure the entire market of the Internet of Things (IoT).
Protecting the tiny networks within IoT devices demands a new class of lightweight cryptography, which is why NIST has kicked off its effort to find lightweight solutions to this heavyweight challenge of IoT security.
One of the challenges in defending IoT devices is that most cryptographic systems were designed for desktops and servers, not the now-often-used smaller devices that have more limited computational resources. These devices, though, are everywhere, from critical infrastructure to medical devices to cars and common household electronics. In large part, they are vulnerable to cyberattacks because they are so difficult to secure.
This week, NIST announced its push to establish viable solutions to the problem of securing data in the myriad gadgets across the IoT’s rather small and inexpensive networked devices. “Creating these defenses is the goal of NIST’s lightweight cryptography initiative, which aims to develop cryptographic algorithm standards that can work within the confines of a simple electronic device,” NIST wrote in a blog post.
“As industries adopt authentication apps for things like flu-shot syringes and baby formula, it’s important that there is agreement on security practices,” Matt Robshaw, a technical fellow at Impinj, told NIST. “It’s a good time to begin to establish guidance about which of these techniques will be most appropriate.”
NIST computer scientist Kerry McKay said, “The IoT is exploding, but there are tons of devices that have nothing for security. There’s such a diversity of devices and use cases that it’s hard to nail them all down. There are certain classes of attacks to consider, lots of variations. Our thinking had to be broad for that reason.”
Still in its draft form, the Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process details the proposed requirements and evaluation process and will soon allow the community to weigh in on the draft guidelines. Feedback received on the draft will inform the final submission process.
One specification NIST is looking for in the submitted algorithms is an authenticated encryption with associated data (AEAD) tool so that recipients can verify the integrity of both the encrypted and unencrypted information in a message. Additionally, in order to reduce costs, any hash function must share resources with the AEAD.
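To make the AEAD property concrete, here is an added example (not from NIST or any submission) of a receiver rejecting a message when either the ciphertext or the unencrypted associated data has been altered. It uses an encrypt-then-MAC construction built on HMAC-SHA256 purely for illustration, not a lightweight algorithm; the names `seal` and `open_` and the 12-byte nonce size are assumptions of this sketch.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16    # truncated HMAC-SHA256 tag, in bytes
NONCE_LEN = 12  # fixed size so the MAC input parses unambiguously


def _subkeys(key):
    """Derive independent encryption and MAC keys from one master key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream_xor(enc_key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (32-byte blocks)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ctr = struct.pack(">Q", off // 32)
        pad = hmac.new(enc_key, nonce + ctr, hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)


def _tag(mac_key, nonce, ad, ct):
    """MAC over nonce, associated data and ciphertext, with both lengths bound in."""
    msg = nonce + struct.pack(">QQ", len(ad), len(ct)) + ad + ct
    return hmac.new(mac_key, msg, hashlib.sha256).digest()[:TAG_LEN]


def seal(key, nonce, plaintext, ad):
    """Encrypt plaintext and authenticate it together with the cleartext ad."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be 12 bytes and never reused under one key")
    enc_key, mac_key = _subkeys(key)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    return ct + _tag(mac_key, nonce, ad, ct)


def open_(key, nonce, sealed, ad):
    """Return the plaintext, or None if ciphertext or associated data was altered."""
    if len(nonce) != NONCE_LEN or len(sealed) < TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(key)
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(mac_key, nonce, ad, ct)):
        return None  # verify before decrypting; release nothing on failure
    return _keystream_xor(enc_key, nonce, ct)
```

The associated data (for example a device identifier and sequence number sent in the clear) is never encrypted, yet changing it makes `open_` fail just as changing the ciphertext does.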
NIST will accept comments on the draft for 45 days before releasing a formal document, after which time it anticipates accepting submissions over a six-month period.