NIST scientists ‘nervous’ about lightweight crypto for IoT
Federal scientists at the National Institute for Standards and Technology are working on new cryptographic standards for the tiny computers embedded into car engines, lightbulbs and other devices connected to the internet — but the process makes some of them uneasy.
“Speaking for myself, I’m nervous,” said Kerry McKay, from the agency’s Computer Security Division. “There’s a lot of potential for misuse.”
At stake, McKay told Cyberscoop, is a new set of “lightweight” cryptographic standards the agency is working on. McKay was the lead author on a draft paper the agency just published, laying out some ideas for discussion.
NIST already has a set of cryptographic benchmarks that constitute the gold standard for encryption in both the federal government and private sector. But those standards are designed to work on full-sized microprocessors, such as those in a conventional laptop or smartphone, not on the tiny chips that are becoming increasingly ubiquitous in the “Internet of Things” movement.
Lightweight cryptography uses “algorithms specially tailored for specific environments and applications … where there are constraints” like a smaller memory, less processing power, or more rigorous performance demands, McKay said.
For instance, the tiny RFID chips embedded in electronic passports have very limited memory. And the standards for connected cars have to enable ultra-low latency — meaning those chips have to be near instantaneous as they encrypt and decrypt information.
But as a result, some of the lightweight crypto standards might end up weaker, and this easier to crack.
“It’s all about the trade-offs … You have to choose,” she said. “The trick is to make sure that these lightweight standards aren’t used when they’re not necessary.”
Crypto keys: Size does matter
As an example of one parameter NIST is looking at, McKay cited key size. Cryptographic keys are the heart of encryption; mathematical values that can be used to obfuscate data. The larger the key, the harder the encryption is to crack.
Keys for use in current NIST-approved encryption standards must be at least 112 bits long. Some have proposed using keys as short as 80 bits in the new lightweight standards.
“I don’t think that will fly,” said McKay, who has been working on the topic with other NIST scientists, private sector cryptographers and computer engineers for about a year.
“I think almost everyone would be unhappy” about approving such a small key, she said. “They feel whatever the opposite of warm and fuzzy is about … that length.”
For some applications, dealing only with low risk data, keys as short as 96 bits might be acceptable she said, “We’ll have to see.”
“In any case,” she said, “I expect these standards to have much shorter lifetimes” than the conventional cryptologic guidelines, many of which are more than a decade old.
“When you’re figuring out how secure something is, you have to make assumptions about the power of potential attackers,” she said. “I think those assumptions are going to change more quickly” in the future.
Standards-setting by consensus
The NIST standards-setting process works largely by consensus. There’ll be a workshop meeting in October to discuss the draft and get input from industry, McKay said.
“We have a lot of questions for industry,” she said. “What do they need and why.” The description of the way the lightweight algorithms will be used is what NIST refers to as a “use case.”
“What you need to avoid is standards that are approved for use ‘x’ being actually used for ‘y,'” she said, “That’s the potential for misuse.”