IoTOGRAPHY


IoT Overview 

We are living in a world where technology is developing exponentially. You might have heard the word IoT, Internet of Things. You might have heard about driverless cars, smart homes, wearables.

The Internet of Things is a system of interrelated computing devices, mechanical and digital machines that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.

IoT is also used in many places such as farms, hospitals, industries. You might have heard about smart city projects too (in India). We are using lots of sensors, embedded systems, microcontrollers and lots of other devices connecting them to the internet to use those data and improve our current technology.

Our sensors will capture lots of data and it will be used further depending on the user or owner. But what if I say this technology can be harmful too? It may or may not be safe to use it. How?

Data travelling over IoT from its source to its destination can be intercepted in transit and can be altered too. This can be harmful if the data is very important. For example, patient reports generated using IoT can be intercepted and altered so that the doctor cannot give the correct treatment to the patient. Also, some IoT devices can be used by the Army to transfer very secret data. If that data gets leaked, it can create trouble for the whole country.

The Information-technology Promotion Agency of Japan (IPA) has ranked “Exteriorization of the vulnerability of IoT devices” as 8th in its report entitled “The 10 Major Security Threats”.

So, can we just stop using IoT? No, we can’t. We have to secure our data or encrypt our data so the eavesdropper can never know what we are transferring.

Cryptography Overview:

Cryptography is a method of protecting information and communications through the use of codes, so that only those for whom the information is intended can read and process it.

There are mainly two types of encryption methods.

  1. Symmetric key
  2. Asymmetric key 

Symmetric-key encryption uses the same secret key to encrypt and decrypt data, while asymmetric-key encryption has one public key and one private key. The public key is used to encrypt data and is not a secret: anyone can have it and use it to encrypt data, but only the private key (of the same person whose public key was used) can decrypt the resulting ciphertext.

In cryptography, we usually have a plaintext and we use some functions, tables and keys to generate ciphertext depending on our encryption method. Also, in order to make our data exchange totally secure, we need a good block cipher, a secure key exchange algorithm, a hash algorithm and a message authentication code.


Block cipher – It is a computable algorithm to encrypt a plaintext block-wise using a symmetric key.

Key Exchange Algorithm – It is a method to share a secret key between two parties in order to allow the use of a cryptography algorithm.

Hash Algorithm – It is a function that converts a data string into a numeric string output of fixed length. The hash data is much smaller than the original data. This can be used to produce message authentication schemes.

Message Authentication Code (MAC) – It is a piece of information used to authenticate the message. In simple words, it is used to check that the message came from the expected sender and that the message has not been changed by any eavesdropper.

NOTE: You might wonder why we don’t just send data using key exchange algorithms when they are reliable for sharing secret keys. You can search for it, or I can tell you in short: it is neither reliable nor secure to share data using key exchange algorithms.

LightWeight Cryptography:

Encryption is already applied at the data link layer of communication systems such as the cellphone. Even in such a case, encryption in the application layer is effective in providing end-to-end data protection from the device to the server and in ensuring security independently of the communication system. That encryption then has to run on the processor that runs the application, using whatever resources are left unused, and hence should desirably be as lightweight as possible.

Encryption in IoT has to work within several constraints.

  1. Power Consumption
  2. Size of RAM / ROM
  3. Size of the device
  4. Throughput, Delay

Embedded systems are available in the market with 8-bit, 16-bit or 32-bit processors. They have their own uses. Suppose we have implemented a system of automated doors at a bank that open and close automatically and also count how many people entered or left the bank. We want to keep this record secret and store it on the cloud. Using 1 GB of RAM and a 32-bit / 64-bit processor with a very good ROM just to ensure the privacy of the data doesn’t make sense here, because we will need a good amount of space to install our setup and we will need to spend a lot more money than we should, while this can be achieved with cheaper RAM, ROM and processor.

Keeping the above points in mind, implementing in IoT the conventional cryptography used for mobile phones, tablets, laptops / PCs and servers is not possible. We have to develop a separate field, “Lightweight Cryptography”, which can be used in sensor networks, embedded systems etc.

Applying encryption to sensor devices means the implementation of data protection for confidentiality and integrity, which can be an effective countermeasure against the threats. Lightweight cryptography has the function of enabling the application of secure encryption, even for devices with limited resources.


Take AES: it usually uses 128-bit keys with a 128-bit block size. It runs 10 rounds of steps such as SubBytes, ShiftRows, MixColumns and AddRoundKey. Implementing this requires a good amount of space, processing speed and power. We can implement it in IoT with a reduced key length or block size, but then it will take less than 30 minutes to break AES.


There are many lightweight cryptography algorithms, such as TWINE, PRESENT, HIGHT etc. Discussing all of them requires a series of blogs, but I am adding a table showing a comparison of some lightweight cryptography algorithms. You can observe that a change in block size from 64 to 96 can create a huge difference in power consumption and area requirement.
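As an added example (not code from this blog or from the cipher's designers), here is a compact C implementation of PRESENT with an 80-bit key, one of the lightweight ciphers named above. The function names and the split of the key into `key_hi`/`key_lo` are choices made for this example; the S-box, bit permutation, key schedule and the all-zero test vector follow the published PRESENT specification.

```c
#include <stdint.h>
#include <stdio.h>

/* PRESENT 4-bit S-box, as given in the published cipher specification. */
static const uint8_t SBOX[16] = {0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                                 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2};

/* Substitute each of the 16 nibbles of the 64-bit state. */
static uint64_t sbox_layer(uint64_t s) {
    uint64_t out = 0;
    for (int n = 0; n < 16; n++)
        out |= (uint64_t)SBOX[(s >> (4 * n)) & 0xF] << (4 * n);
    return out;
}

/* Bit permutation: bit i moves to 16*i mod 63; bit 63 stays in place. */
static uint64_t p_layer(uint64_t s) {
    uint64_t out = s & (1ULL << 63);
    for (int i = 0; i < 63; i++)
        out |= ((s >> i) & 1ULL) << ((16 * i) % 63);
    return out;
}

/* Encrypt one 64-bit block; key_hi holds key bits 79..16, key_lo bits 15..0. */
uint64_t present80_encrypt(uint64_t pt, uint64_t key_hi, uint16_t key_lo) {
    uint64_t state = pt, hi = key_hi, lo = key_lo;
    for (unsigned round = 1; round <= 31; round++) {
        state = p_layer(sbox_layer(state ^ hi)); /* round key = top 64 key bits */
        uint64_t old_hi = hi;                    /* rotate 80-bit key left by 61 */
        hi = (old_hi << 61) | (lo << 45) | (old_hi >> 19);
        lo = (old_hi >> 3) & 0xFFFF;
        hi = (hi & 0x0FFFFFFFFFFFFFFFULL) | ((uint64_t)SBOX[hi >> 60] << 60);
        hi ^= round >> 1;                        /* round counter into k19..k16 */
        lo ^= (uint64_t)(round & 1) << 15;       /* ... and into k15 */
    }
    return state ^ hi;                           /* final round-key addition */
}

/* Known-answer test: all-zero key and block, vector published with the cipher. */
int present80_selftest(void) {
    return present80_encrypt(0, 0, 0) == 0x5579C1387B228445ULL;
}

int main(void) {
    printf("self-test %s\n", present80_selftest() ? "passed" : "FAILED");
    printf("ct = %016llx\n", (unsigned long long)present80_encrypt(0, 0, 0));
    return 0;
}
```

The whole cipher needs only a 16-entry table, shifts and XORs, which is why it fits the RAM/ROM and power constraints listed earlier; a real deployment would still wrap it in an authenticated mode rather than encrypting raw blocks.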

Lightweight cryptography has received increasing attention from both academia and industry in the past two decades. There is no standard lightweight cryptosystem like we have AES in conventional cryptography. Research is still going on. You can get updates on the progress at https://csrc.nist.gov/Projects/lightweight-cryptography.

The whole idea behind this blog is to discuss lightweight cryptography and give an overview of it. 🙂

Author: Aman Gondaliya

Keep reading, keep learning!

TEAM CEV

Terrorism and Data Privacy


Terrorism is very scary, especially when it happens close to home and not in some faraway place. Nobody likes to be afraid, and we were eager to make the fear go away. So we demanded more security. In the last decade, it’s become increasingly normal for civil liberties to be eroded and for government agencies to spy on citizens, to collect and store their personal information. Regardless of whether you’re a fan of right- or left-wing policies, this affects every one of us.

So we have to take a look at the data and ask ourselves honestly, “Has all of this actually made us safer?”


The Beginning

After the attack of 9/11, the US government concluded that the law had not kept pace with technology. It created the Terrorist Surveillance Program initially to break communications linked to al-Qaeda. Officials were confident that if the program had been in place before 9/11, the hijackers could have been stopped. But soon the new powers were also used to prove guilt by association.

The FBI used immigration records to identify Arab and Muslim foreign nationals in the US. On this basis, 80,000 individuals were required to register, another 8,000 were called in for FBI interviews, and more than 5,000 were locked up in preventive detention. Not one terrorist was found in this campaign.


In 2013, Snowden leaked documents that reveal how the government sees and stores the private data of the public. They showed how the NSA (National Security Agency) can demand information about users from companies like Microsoft or Google, in addition to its daily collection of data from civilian internet traffic such as email content and contact lists. So, instead of focusing on criminals, governments are increasingly turning their attention to everyone. But if you are looking for a needle in a bundle of grass, adding more grass to the bundle isn’t going to make it any easier to find the needle.


On the contrary, every recent success announced by the NSA has come from classic target surveillance. Despite high hopes, the NSA surveillance program has not stopped any major terror attack.

Apple Vs FBI

In early 2016, the FBI asked Apple to produce a backdoor program to disable the encryption of a terrorist’s iPhone. Apple publicly declined, not only because this tool could be used to permanently weaken the privacy of law-abiding citizens worldwide, but also for fear of opening the floodgates to governments requesting access to a technology used by billions of people, a fear shared by security experts and cryptographers. A few weeks later, the FBI revealed that they had hacked the phone themselves, basically admitting that they lied to the public about the need for a backdoor. This calls into question how trustworthy spy agencies are in the debate about privacy and security, especially considering that the NSA, for example, already has the capability to turn on your iPhone microphone or activate your laptop camera without you noticing. Concerns about this are often met with the argument:

“If you have nothing to hide, you have nothing to fear.”

But this reasoning varies from person to person, because wanting to keep one’s own life private doesn’t mean he/she is doing anything wrong. Right now, we live in a democracy. But imagine the damage the wrong person could do with our data, because data is the new treasure of the current world.

Governments use these laws for their own benefit

For example, following the November 2015 Paris attacks, France expanded its already extensive anti-terrorism laws by giving law enforcement greater powers to conduct house raids and place people under house arrest. Within weeks, evidence emerged that these powers were being used for unintended purposes, such as quashing climate change protests. The governments of Spain, Hungary, and Poland have introduced more restrictive laws on the freedom of assembly and speech.

If we talk about the FBI, then there is the case of former FBI director James Comey using this NSA data for his personal use.

There is also the Cambridge Analytica data case.

Indian Cases related to Data Privacy:

Now if we talk about India, this data privacy issue first came to light when Aadhaar card details were easily available. In Supreme Court hearings, the Unique Identification Authority of India (UIDAI), the agency implementing Aadhaar, repeatedly argued that Aadhaar will help against terrorism and banking fraud by ensuring that only “genuine” persons get access to mobiles and banking services, but in reality bank fraud cases increased.

There is also a big question about how these Aadhaar cards can be misused. An Aadhaar card becomes more dangerous when other documents are linked with it. Imagine a third-party hacker who can access all your data, like biometrics and bank account details; he can then do you serious damage.

None of this is effectively helping us fight terrorism. The motivation behind this might be good, even noble, but if we let our elected governments limit our personal freedom, the terrorists are winning.


Then what is the Solution?

What’s worse, if we’re not careful, we might slowly move towards a surveillance state. The data is pretty clear: the erosion of rights, along with mass surveillance, hasn’t led to significant successes so far, but it has changed the nature of our society.

Terrorism is a complicated problem…

…without simple solutions.

No security apparatus can prevent a few guys from building a bomb in their basement. Creating master keys to enter millions of phones is not the same as searching a single house. To take full advantage of this existing condition, we need better international cooperation and more effective security and foreign policies, and better application of our present laws instead of new and stricter ones that undermine our freedom. We live in a democracy and we have our rights in our hands.

Keep reading, keep learning

TEAM CEV!
