RSA 2013: Vint Cerf Issues Challenge To Secure Internet Of Things

A version of common cryptography could be the answer to securing Internet of Things

Founding father of the Internet Vint Cerf has issued a challenge for security researchers to ensure that the surge of devices hooking up to the Web in the so-called  “Internet of Things”.

Cerf, who is now an evangelist at Google, said an identity-led system would bring security to the world’s connected devices, speaking at RSA 2013 in San Francisco. Cerf’s suggestion is for a system based on devices that can generate a truly unique public-private key pair. The private key cannot be extracted without destroying the pair, and could not be computed from the public key. It should also be able to encrypt or decrypt “digital objects” on demand.

Internet censorship © Matthias Pahl Shutterstock 2012PKI to fix Internet of Things security?

It appeared Cerf wants public key infrastructure at the heart of how identity works on the Internet of Things, with little standardised chips in each device initiating secure communications.

The overall aim is to “design a system that capitalises on the strong authentication property to configure either closed or open systems to manage or access authenticated devices”, on a massive scale. “The ideas may even turn out to be stupid. They might be about simple ideas to make things more likely to work,” Cerf admitted.

“We should be very thoughtful right now about the fact that a lot of these devices are going to be part of our environment and a lot of them are going to need to be managed.”

He backed the idea of third parties given control over certain areas of the Internet of Things, such as home entertainment systems or energy usage, to provide greater efficiency.

Cerf also supported the use of strong “pseudonymity”, where pieces of information about people are given away, but not enough to figure out who they are. Where someone wants to know more about another, if they were after a loan, for example, a trusted authority could be contacted, which can verify certain things about Internet denizens, he suggested.

“We don’t need to bind identity and identifier, we can keep those separate.”

The idea of psudonymous data has been used heavily in submissions to the European Union on privacy from the likes of Google and Yahoo. The Internet giants argue that pseudonymous data allows them to make use of Internet content without infringing people’s privacy – something which privacy advocates argue strongly against.

Are you a pedant on privacy? Try our quiz!