A few days ago, GlobalSign launched the IoT Developer Portal . Here you can register for free (only at corporate addresses), choose an API for integration, get X.509 certificates for free and test your IoT authentication system. So far, GlobalSign remains the only certification authority that issues certificates to IoT devices with a device identifier based on a public key infrastructure (PKI).

Briefly formulating the essence, the new portal is a centralized locale where demo access to all the tools necessary for successful integration of device identity is provided. Here are integration guides, testing tools, product specifications, code examples, RESTful APIs, etc.

Who needs this?

The portal is ideal for testing identification systems during the development phase. Here you can verify that in practice everything will work reliably and safely. And to estimate how much it will cost access to the API and automatic certificate management in a real commercial system.
')

API at the center of everything

Devices connected to the Internet generate a huge amount of data. For example, here is an extreme example - an unmanned vehicle. According to Intel, each such machine will generate about 4-4.5 terabytes of information per day from sensors, cameras, etc.


Of course, this is a kind of “top of the pyramid” in terms of complexity of devices. But billions of simple gadgets in a smart home, in an industrial IoT, in medical sensors due to the enormous scale and number will generate no less traffic.

Obviously, it is difficult to transfer absolutely all information to a remote server for processing. For example, in an emergency, you need to urgently transfer a small amount of important data to the center. This is where the APIs apply. So, in one of the RESTful API implementations , such a set of information about the incident is transmitted in the JSON or YAML format:

{ "CarModel": "Toyota Yaris II 2014", "carNumberPlates": "D65261", "accidentTime": "1985-04-12T23:20:50.52Z", "owner": "Wojtek Konowal", "location": "[47.4925, 19.0513]", "averageSpeed": 110, "passangers": 1, "status": "Service is pending", "injury": "Critical" } 

Thus, it is desirable to integrate IoT device networks with some standard RESTful API.

Security starts with identity

While IoT networks extend to tens of billions of devices, a significant part of their functionality is based on reliable identification of each other (M2M), in front of servers and routers in their network, as well as in front of cloud-based management systems. This forms the end-to-end security authentication channel.

Thanks to authentication, each device has a unique identifier and can confirm its authenticity. This is important for processing data and allocating resources to this device after authorization.

In many cases, authentication should be performed anonymously. So, a device can cryptographically prove that it belongs to a certain group, but at the same time keeps its unique identifier secret. In modern conditions, when all providers try to collect the maximum personal information about each user, and then trade it, it is also very important. Anonymity is often a regulatory requirement, as per the GDPR.

A separate topic is that actual anonymity is more complicated than just hiding an ID. For example, it is now rumored that Apple, Amazon, and Google contractors are listening to audio recordings of user conversations collected by Siri, Alexa, and Google Assistant, personal digital assistants, respectively. These contractors listen to audio recordings of sexual acts , fights, drug purchases and so on - and can easily identify the names and addresses of people who sound in the files. Despite the formal anonymization of the records.

Moreover, recently, scientists have proved that there are many ways to associate any anonymous data with real people. For example, data with 15 demographic attributes “will be revealed by 99.98% of Massachusetts residents.” According to the study, in any complex datasets it is almost impossible to successfully anonymize the data .

Perhaps in the future, to preserve true anonymity, it will be necessary to use methods similar to those used by the Alan Turing team, which decrypted the Enigma ciphers, but could not give this fact out, otherwise the enemy would have changed the cipher. Turing tried to hide statistical anomalies - and issued encryption only in rare cases. In most cases, English cryptographers simply silently watched the Nazis destroy soldiers and civilians - the laws of mathematics did not allow them to prevent these killings. The tactics worked. The Nazis did not notice that the Allies too often “guessed” secret information.

In the case of true IoT anonymization, this can mean randomizing data, adding random IDs and random foreign information, so that an outsider could not figure out the true owner of the intercepted traffic. But these problems will have to be addressed in the future. Today, the main thing is to provide at least basic protection for IoT networks.

In the context of IoT, identification, authentication and authorization protect the device from unauthorized access and protect data from spoofing (as is the case with electricity meters, where the population is likely to try to replace traffic). These are relatively simple tasks that modern technology can handle.