NIST Issues First Call for ‘Lightweight Cryptography’ to Protect Small Electronics
April 19, 2018 | NISTEstimated reading time: 4 minutes
Cryptography experts at the National Institute of Standards and Technology (NIST) are kicking off an effort to protect the data created by innumerable tiny networked devices such as those in the “internet of things” (IoT), which will need a new class of cryptographic defenses against cyberattacks.
Creating these defenses is the goal of NIST’s lightweight cryptography initiative, which aims to develop cryptographic algorithm standards that can work within the confines of a simple electronic device. Many of the sensors, actuators and other micromachines that will function as eyes, ears and hands in IoT networks will work on scant electrical power and use circuitry far more limited than the chips found in even the simplest cell phone. Similar small electronics exist in the keyless entry fobs to newer-model cars and the Radio Frequency Identification (RFID) tags used to locate boxes in vast warehouses.
All of these gadgets are inexpensive to make and will fit nearly anywhere, but common encryption methods may demand more electronic resources than they possess.
Today, NIST is launching an effort to create worthy solutions to the problem of securing data in this sort of constrained environment. As an initial step, it seeks assistance in developing requirements and guidelines for these solutions. The Draft Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process is the first draft of this request, written with the software development community in mind and aimed at ensuring that the formal request—slated for release later this spring—will produce the sort of encryption algorithms that developers agree will help.
The draft document is available now on the NIST website(link is external). A Federal Register Notice will soon announce a public comment period so that the community can weigh in on the draft submission guidelines.
The ultimate goal is to develop lightweight encryption standards that benefit the entire marketplace. According to NIST computer scientist Kerry McKay, effective standards must bring a well-defined solution that applies to a wide class of situations—and that made the wording of the request tricky.
“The IoT is exploding, but there are tons of devices that have nothing for security,” McKay said. “There’s such a diversity of devices and use cases that it’s hard to nail them all down. There are certain classes of attacks to consider, lots of variations. Our thinking had to be broad for that reason.”
Many of the manufacturers who create these small devices say that the time is right for establishing effective standards.
“As industries adopt authentication apps for things like flu-shot syringes and baby formula, it’s important that there is agreement on security practices,” said Matt Robshaw, a technical fellow at Impinj, a company that develops RAIN RFID(link is external) technology used to keep track of these kinds of objects. “It’s a good time to begin to establish guidance about which of these techniques will be most appropriate.”
To ensure they were getting off to the right start, McKay and the team members spent four years consulting with industry groups ranging from smart power grid experts to auto manufacturers. Their advice led the team to stipulate that submitted algorithms must have been published previously and been analyzed (though not necessarily adopted) by a third party.
“We feel it’s a fair request because people have been working on crypto for constrained environments for several years now,” McKay said. “We want to see things that the world has looked at already.”
These solutions typically use symmetric cryptography—the less resource-intensive form, in which both the sender and recipient have an advance copy of a digital key that can encrypt and decrypt messages. The NIST team specifies that these algorithms should provide one useful tool in symmetric crypto applications: authenticated encryption with associated data, or AEAD, which allows a recipient to check the integrity of both the encrypted and unencrypted information in a message. They also stipulate that if a hash function is used to create a digital fingerprint of the data, the function should share resources with the AEAD to reduce the cost of implementation.
McKay said that while the AEAD and hash tools should cover nearly everything that a developer would want to do with symmetric cryptography, she and the team are looking forward to comments from the public on whether the draft’s requirements are sufficient.
“We will be relying on community feedback to determine what other use cases we should include in subsequent editions of the pub,” she said. “We want the entire lightweight crypto standards development process to be open and transparent, with the public involved at every step.”
After the Federal Register notice appears, NIST will be accepting comments on the draft for 45 days, and will consider these comments before releasing the formal submissions guideline document. Following its release, NIST anticipates a 6-month submission window for lightweight cryptographic algorithms.
Suggested Items
Real Time with… IPC APEX EXPO 2024: My Role as a Technology Solutions Director
05/02/2024 | Real Time with...IPC APEX EXPOPeter Tranitz, senior director of technology solutions at IPC, shares insights into his role as the design initiative lead. He details his advocacy work, industry support, and the responsibilities of the design initiative committee. The conversation also covers the revamping of standards, the IPC Design Competition, and the implementation of design rules in software tools.
Alternative Manufacturing Inc. Awarded QML Requalification to IPC J-STD-001 and IPC-A-610
04/24/2024 | IPCIPC's Validation Services Program has awarded an IPC J-STD-001 and IPC-A-610 Qualified Manufacturers Listing (QML) requalification to Alternative Manufacturing Inc (AMI).
What’s Next Becomes Now at IPC APEX EXPO 2024
04/22/2024 | IPCFrom revolutionary advancements in artificial intelligence, augmented reality and the latest innovations in capital equipment on the show floor to a heightened learner experience through the 16th Electronic Circuits World Convention (ECWC16) technical conference, IPC APEX EXPO 2024 provided education, professional development and numerous networking opportunities, for 3,723 attendees from 57 countries.
I-Connect007 Editor’s Choice: Five Must-Reads for the Week
04/19/2024 | Marcy LaRont, PCB007 MagazineFor my must-read picks of the week, I’m highlighting Parker Capers, a young professional seeking employment, solid counsel from Dan Beaulieu on what your post-show plan should look like, more information and insight on “chiplets” and the need for secure data transfer standards from columnist Preeya Kuray, as well as Matt Stevenson’s design for reality wisdom. It’s a reminder to download one of our newest books (there are several) you don't want to miss if you are an assembler.
Absolute EMS Champions Collaboration Between Humans and Robots in Modern Manufacturing
04/19/2024 | Absolute EMS, Inc.Absolute EMS, Inc., an award-winning EMS provider of turnkey contract manufacturing services, offers a perfect factory environment that seamlessly blends robotic automation with human expertise.