Actions
Forum Thread Details
  • Replies 3 replies
  • Subscribers 511 subscribers
  • Views 530 views
  • Users 0 members are here
Related

Data Encryption: Is Security a major threat for Internet of Things?

MAb

EE Times published 130 stories and blogs in 2013 about Internet of Things. About one every other work day. Fifty of those stories got more than 2,000 views each, the top 20 got at least 5,000, and the top 10 were each viewed 10,000 times or more. Interesting.

 

But even more interesting, the most viewed IoT story of the year from EE Times revealed that readers are curious primarily about insecurity. Mohit Arora, a security architect at Freescale, posted an article with the provocative title How Secure Is AES Against Brute Force Attacks? This article was read 29,589 times!


In this article, Mohit explains what means Advanced Encryption Standard (AES) and why it is a pretty secure standard despite some of the inherent flaws. Do we need 256-bit AES encryption or 128-bit AES is enough and why?


It's educational and quite easy to understand even for non experts.


Read the article here


aes_security_fig1.jpg

Parents

  • This misses the point. Whether the encryption algorithm itself is secure is mostly irrelevant these days due to side channel attacks that can recover the private keys relatively easily.  Why bother brute force cracking the encryption when you can just use the private keys themselves ?

     

    Here's a recent example CVE -CVE-2013-4576  & the actual paper Acoustic cryptanalysis

     

    Here's a another that really should be quite terrifying in these days of 'everything to the cloud'  Full Disclosure: Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack

     

    Readers really should be interested in insecurity.  Mainly in just how insecure their 'trusted' vendors are making their private personal details even when supposedly securely encrypted.  Having a false sense of security could end up being the worst thing, if you're complacent because you think the algorithm is good you may never be looking for the signs that the attacker already has your keys and all of your data. Until it's too late.

  • in reply to Former Member

    I think security protocols need to be taught somehow as part of education at a certain age, otherwise people go on to develop or use IoT apps with (say) trying to get around Oauth for twitter,

    plain-text to control home applications, etc.

    Also, some people re-invent things and no-one questions it. e.g. why are strings of characters (a certificate I presume) needed to be sent via e-mail, which means people will

    just shave a few seconds copying-and-pasting and instead and just send the unencrypted file using e-mail.

    A lot of services mention security but it's often not clear if it is home-grown procedure which some developer thinks is secure but really isn't, or something that at least is understood

    like TLS. Not saying that is secure, for the (worrying) reasons you mention.

Reply
  • in reply to Former Member

    I think security protocols need to be taught somehow as part of education at a certain age, otherwise people go on to develop or use IoT apps with (say) trying to get around Oauth for twitter,

    plain-text to control home applications, etc.

    Also, some people re-invent things and no-one questions it. e.g. why are strings of characters (a certificate I presume) needed to be sent via e-mail, which means people will

    just shave a few seconds copying-and-pasting and instead and just send the unencrypted file using e-mail.

    A lot of services mention security but it's often not clear if it is home-grown procedure which some developer thinks is secure but really isn't, or something that at least is understood

    like TLS. Not saying that is secure, for the (worrying) reasons you mention.

Children
  • in reply to shabaz

    There are various well understood algorithms that are secure enough today. Whether they are vulnerable to brute force attacks tomorrow is anyones guess.

    Two things have been shown to be true:

    1. Statistical analysis can reveal weaknesses in an algorithm that mean you don't need to brute force the entire keyspace. WEP is the classical example here that turned out to be trivial to break.
    2. Your private keys are not secure, side channel vectors make them far too easy to recover, which makes the quality of the encryption algorithm irrelevant.

     

    Things you mention like sending keys in plaintext via email should be raising red flags everywhere, but ultimately just show that people either don't understand, or don't care.

    Security comes at a cost. There's some level of inconvenience to the user that's necessary to make it work and users simply don't like being inconvenienced.