IoT Security Blog

Articles and Posts on IoT Security, Embedded Systems, and the Internet of Things

Security Is Not Just Encrypting Data

When I meet people and they ask me what my company does, the dialogue in 2010 often used to go like this:

Them: What do you do?
Me: My company provides security solutions for wireless sensors and RFID.
Them: Oh, so you encrypt data.

If I was running to catch a train, a benefit of living in the Northeast, I smiled and responded "Yes," but I always felt a little guilty because the real answer is, "Security is not just encrypting data; it is so much more."

When you get that important email from BigBank apologizing for a recent security breach, and they then ask you to validate your account on their website, how do you really know it is BigBank? Authenticating who you are communicating with (and you to them) is a big part of many security systems. In some cases, such as anti-counterfeiting applications, it is the only security function needed. You may not care that someone sees a message that you have just received, so there is no need for encryption.

Now you get an email from a friend, someone you know, asking you to wire $1,000 to an unfamiliar account/address. It turns out they had sent you a message, just not this one. Content integrity, that is, confirming that the message sent is the message you received, is another important security function.

In business, it can take a lot of work to get someone to agree to do something. The last thing you want is to have the agreement challenged. Non-repudiation, the ability to ensure that neither party can deny having been part of a transaction, is yet another key security function we all rely on.

And yes, there are many times when we only want the intended party to receive and read a message. So for message confidentiality, and to ensure it is not disclosed to an unauthorized entity, we can turn to encryption.

Security is much more than just encrypting data. In fact, we still have not looked at symmetric (private-key) versus asymmetric (public-key) methods, when you would use them, and the many protocols that have been developed to deliver confidential, authenticated messages, where we can be certain of their integrity, and know that the parties cannot repudiate their involvement.

Of course, any discussion on security gets much more interesting when your targeted device is a low-resource computing platform like a wireless sensor. Is that your tag on the asset? Should the tag trust the reader now interrogating it? Has the data collected and transmitted been altered in any way? Can you prevent a rogue reader from intercepting and collecting your tag’s messages?
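To make the first and third of those questions concrete, here is an added example (not from the original post and not SecureRF's protocol) in which a reader authenticates a tag and checks the integrity of its reading with no encryption at all. It assumes a shared per-tag key and uses HMAC-SHA256 from the Python standard library; the tag id, key, reading and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def _encode(*fields: bytes) -> bytes:
    # Length-prefix every field so field boundaries cannot be shifted.
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def tag_respond(tag_key, tag_id, reading, nonce):
    """Tag side: MAC over the reader's nonce, the tag id and the reading."""
    return hmac.new(tag_key, _encode(nonce, tag_id, reading), hashlib.sha256).digest()

def reader_verify(key_db, tag_id, reading, nonce, mac):
    """Reader side: True only for a known tag, this nonce and this exact reading."""
    key = key_db.get(tag_id)
    if key is None:
        return False
    expected = hmac.new(key, _encode(nonce, tag_id, reading), hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)  # constant-time comparison

def demo():
    # Constructed sample data: one enrolled tag and one reading sent in the clear.
    tag_id, reading = b"TAG-0001", b"temp=4.2C"
    tag_key = bytes(range(32))
    key_db = {tag_id: tag_key}

    nonce = secrets.token_bytes(16)  # fresh challenge from the reader
    mac = tag_respond(tag_key, tag_id, reading, nonce)
    clone_mac = tag_respond(b"\x00" * 32, tag_id, reading, nonce)  # tag without the key
    return {
        "genuine": reader_verify(key_db, tag_id, reading, nonce, mac),
        "altered_reading": reader_verify(key_db, tag_id, b"temp=9.9C", nonce, mac),
        "replayed": reader_verify(key_db, tag_id, reading, secrets.token_bytes(16), mac),
        "counterfeit": reader_verify(key_db, tag_id, reading, nonce, clone_mac),
        "unknown_tag": reader_verify(key_db, b"TAG-9999", reading, nonce, mac),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:16} accepted={accepted}")
```

The reading travels in plaintext throughout, so this provides authentication and integrity but no confidentiality. Because the reader holds the same key as the tag, it could produce the same MAC itself, so a shared-key scheme like this cannot provide non-repudiation.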

The good news is that SecureRF offers many security options for these low-powered devices being implemented as part of the Internet of Things, and many of them go beyond just encrypting. SecureRF has also developed industry-specific solutions that apply its security protocols to the issues surrounding anti-counterfeiting, track & trace, and logistics.

These days the dialogue when I meet new people often goes like this:

Them: What do you do?
Me: My company provides the world’s most advanced supply chain and brand protection technology.
Their response is never about encrypting data.

Note: The original version of this post was written by Louis Parks in 2010 and appeared in an industry association blog which is no longer online.