NIST Issues First Call for ‘Lightweight Cryptography’ to Protect Small Electronics
April 19, 2018 | NISTEstimated reading time: 4 minutes
Cryptography experts at the National Institute of Standards and Technology (NIST) are kicking off an effort to protect the data created by innumerable tiny networked devices such as those in the “internet of things” (IoT), which will need a new class of cryptographic defenses against cyberattacks.
Creating these defenses is the goal of NIST’s lightweight cryptography initiative, which aims to develop cryptographic algorithm standards that can work within the confines of a simple electronic device. Many of the sensors, actuators and other micromachines that will function as eyes, ears and hands in IoT networks will work on scant electrical power and use circuitry far more limited than the chips found in even the simplest cell phone. Similar small electronics exist in the keyless entry fobs to newer-model cars and the Radio Frequency Identification (RFID) tags used to locate boxes in vast warehouses.
All of these gadgets are inexpensive to make and will fit nearly anywhere, but common encryption methods may demand more electronic resources than they possess.
Today, NIST is launching an effort to create worthy solutions to the problem of securing data in this sort of constrained environment. As an initial step, it seeks assistance in developing requirements and guidelines for these solutions. The Draft Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process is the first draft of this request, written with the software development community in mind and aimed at ensuring that the formal request—slated for release later this spring—will produce the sort of encryption algorithms that developers agree will help.
The draft document is available now on the NIST website(link is external). A Federal Register Notice will soon announce a public comment period so that the community can weigh in on the draft submission guidelines.
The ultimate goal is to develop lightweight encryption standards that benefit the entire marketplace. According to NIST computer scientist Kerry McKay, effective standards must bring a well-defined solution that applies to a wide class of situations—and that made the wording of the request tricky.
“The IoT is exploding, but there are tons of devices that have nothing for security,” McKay said. “There’s such a diversity of devices and use cases that it’s hard to nail them all down. There are certain classes of attacks to consider, lots of variations. Our thinking had to be broad for that reason.”
Many of the manufacturers who create these small devices say that the time is right for establishing effective standards.
“As industries adopt authentication apps for things like flu-shot syringes and baby formula, it’s important that there is agreement on security practices,” said Matt Robshaw, a technical fellow at Impinj, a company that develops RAIN RFID(link is external) technology used to keep track of these kinds of objects. “It’s a good time to begin to establish guidance about which of these techniques will be most appropriate.”
To ensure they were getting off to the right start, McKay and the team members spent four years consulting with industry groups ranging from smart power grid experts to auto manufacturers. Their advice led the team to stipulate that submitted algorithms must have been published previously and been analyzed (though not necessarily adopted) by a third party.
“We feel it’s a fair request because people have been working on crypto for constrained environments for several years now,” McKay said. “We want to see things that the world has looked at already.”
These solutions typically use symmetric cryptography—the less resource-intensive form, in which both the sender and recipient have an advance copy of a digital key that can encrypt and decrypt messages. The NIST team specifies that these algorithms should provide one useful tool in symmetric crypto applications: authenticated encryption with associated data, or AEAD, which allows a recipient to check the integrity of both the encrypted and unencrypted information in a message. They also stipulate that if a hash function is used to create a digital fingerprint of the data, the function should share resources with the AEAD to reduce the cost of implementation.
McKay said that while the AEAD and hash tools should cover nearly everything that a developer would want to do with symmetric cryptography, she and the team are looking forward to comments from the public on whether the draft’s requirements are sufficient.
“We will be relying on community feedback to determine what other use cases we should include in subsequent editions of the pub,” she said. “We want the entire lightweight crypto standards development process to be open and transparent, with the public involved at every step.”
After the Federal Register notice appears, NIST will be accepting comments on the draft for 45 days, and will consider these comments before releasing the formal submissions guideline document. Following its release, NIST anticipates a 6-month submission window for lightweight cryptographic algorithms.
Suggested Items
2024 IPC CEMAC China Electronics Manufacturing Annual Conference Focuses on the Electronics Industry’s Future
10/24/2024 | IPCThe 2024 IPC CEMAC China Electronics Manufacturing Annual Conference, co-organized by IPC and the Shanghai Pudong New Area Quality Technology Association, kicked off with a grand opening ceremony in Shanghai. Themed "Making Your Imagination Reality," the event has brought together leaders, technical experts, and corporate representatives from the global electronics manufacturing industry to explore future trends and opportunities.
Counterfeit Concerns: Navigating the Risks
10/23/2024 | Nolan Johnson, SMT007 MagazineNolan Johnson meets with Diganta Das, PhD, and Michael Azarian, PhD, research scientists at the CALCE Electronic Products and Systems Center at the University of Maryland, to discuss the increasing issue of counterfeiting in the electronics and assembly industry. Diganta and Michael highlight the need for robust detection methods and standards to mitigate risks, specifically referencing SAE AS6171 for inspection and AS5553 for counterfeit mitigation. They cover real-world cases, like counterfeit network equipment scandals to relatively simple issues of consumer electronics accessories to illustrate the complexity of the issue and debate the philosophical implications of labeling products that contain a few minor counterfeit components as “counterfeit.”
SEMICON Japan 2024 to Expand Scope with Spotlight on Advanced Design Innovation
10/23/2024 | SEMISEMICON Japan 2024, the largest gathering of leaders from the microelectronics manufacturing supply chain in Japan, will assemble more than 1,000 exhibitors showcasing semiconductor solutions for smart technologies from Dec. 11-13 at Tokyo Big Sight.
Fall 2024 Issue of IPC Community Now Available
10/14/2024 | IPC Community Editorial TeamThere’s so much happening at IPC, so be sure to open the latest issue of IPC Community, brimming with must-read features on members of the electronics industry who are making a difference in their own unique way. Just for starters, our member profiles feature Virginia-based Weidmuller, a heart-warming story from E-Tron, and you’ll discover how the owners of Out of the Box Manufacturing are successfully tackling workforce talent challenges.
Green Circuits Expands Certified Workforce with Ongoing Training in J-STD-001 and Space Addendum Standards
10/02/2024 | Green CircuitsGreen Circuits, a full-service Electronics Manufacturing Services (EMS) partner to leading OEMs, is proud to announce the successful completion of its latest round of employee training in ITAR (International Traffic in Arms Regulations) and the J-STD-001 Space and Military Addendum.