The elliptic curve cryptography (ECC) asymmetric algorithm is widely promoted to developers for new Internet of Things (IoT) advancements. At a first glance, it is easy to see why this is the case. While IoT faces new constraints and challenges that make traditional cryptography difficult to implement, these difficulties also empower ECC to emerge as a front-runner. Constraints in IoT include limitations to computational resources such as the bare minimum processor speed and memory needed as such devices are typically designed for low power consumption. Challenges include the need to reengineer things such as identity management, device and user registration, and cryptography to suit IoT needs.
Is ECC the right cryptosystem to meet the aforementioned constraints and challenges? As ECC offers shorter keys, lower central processing unit (CPU) consumption and lower memory usage for equivalent security strength, it is easy to say yes after a quick glance. However, there are many more concerns that must be deliberated. My recent Journal article, “Can Elliptic Curve Cryptography Be Trusted? A Brief Analysis of the Security of a Popular Cryptosystem,” delves into these concerns by assessing and reviewing the key threats and challenges to the famous asymmetric cryptosystem.
Does ECC provide sufficient security that would satisfy the demanding world of IoT? The potential risk is high, and damages are not limited to data theft or loss. Compromise of an IoT device can lead to significant safety issues when related to vehicles, health care devices and control systems. Such an event, whether it results in loss of vehicle control, malfunctioning medical device or other adverse event, may result in injury or worse. Threats such as unauthorized tracking of individual’s locations, manipulation of financial transactions and compromise of the integrity of highly sensitive data (e.g., health data required for proper diagnosis) are significant enough to cause anybody to pause and think. Does the risk of ECC outweigh the rewards?
Read Veronika Stolbikova’s recent Journal article:
“Can Elliptic Curve Cryptography Be Trusted?,” ISACA Journal, volume 3, 2016.
[ISACA Journal Author Blog]