[From the last episode: We looked at the various kinds of keysA number used to encrypt (or encode) information so that no one can read it. Keys are used when encoding and decoding. You shouldn't have to mess with keys yourself. and how they can interact for authenticationThis is the act of proving to some other entity that you are truly who you are representing yourself to be. That is, you're not pretending to be someone else. "You," of course, means a computer or IoT device or any other entity trying to make a network connection with another computer or device. and data encryptionEncryption refers to encoding and decoding (or encrypting and decrypting) data so that it can't be read unless you have the right key. It's critical for good security..]
So far, we’ve focused on the first of three A-words: authentication. The whole point of authentication is to make sure that someone getting onto the networkA collection of items like computers, printers, phones, and other electronic items that are connected together by switches and routers. A network allows the connected devices to talk to each other electronically. The internet is an example of an extremely large network. Your home network, if you have one, is an example of a small local network. is who they say they are. And if that works perfectly, then, well, you might think that our job here is done.
But let’s say someone fakes a way in. Yeah, that indicates a breach somewhere, but now they’re running amok on the network. Can they do anything they want? Not if we have another backstop in place. One of those backstops is authorizationThe process of deciding what privileges – if any – someone gets on a network, server, or other asset.: giving explicit permissions for people/things to access stuff on the network.
But this isn’t just about unauthorized creepers. Different people who are allowed on the network might have different permissions for what they get to see on the network.
More than Just Getting Through the Door
Let’s go back to a house example we looked at a long time ago. Authentication is like asking the package delivery guy to prove that he’s really the package delivery guy. It thwarts imposters. But what if someone breaks a window and enters anyway? Are they now free to grab whatever they want?
Not if important belongings are further protected. Money? In a safe. Critical papers? Also in a safe. Guns? In a different gun safe. Now, even though some interloper is in the house, there are still things they can’t get to easily. Heck, even people who are allowed in the house can’t get to those things unless they have the right permissions – and the keys or lock combinations that go with that.
Authorization is something like that. Each thing on the network can establish a list of role-based permissions. If you work for a company, then you know that you can’t see the same things on the network that your boss can. Human Resources can see all kinds of stuff about employees that other employees cannot see. The financial guys can see sales and profit numbers that no one else gets access to.
How is this done? Well, it’s kind of brute force. There’s literally a list of people who are authorized to get access, and that list says what they have permission to access. So, if you’re not on the list, well, you’re not getting in at all. If you’re on the list, you get access only to that for which you’ve been given permission.
How Does This Affect the IoT?
It’s important to remember that there are lots of things on a network. Folks are nervous about IoTThe Internet of Things. A broad term covering many different applications where "things" are interconnected through the internet. device securityRefers to whether or not IoT devices or data are protected from unauthorized viewers. not because the devices contain valuable secrets (they might, but probably not), but because, if they can get onto the network using the device, then they can roam around and see lots of other, more interesting things. But if all of those interesting things implement authorization, then the interloper has another hard task to break into those things. Not impossible, but yet another barrier. Each one helps.
As a home example, if someone hackedThis can mean a couple things. A quick-and-dirty (but not elegant) trick to get something done is a hack. A computer security break-in is also a hack (because inelegant tricks are used to break in). It can be a noun or a verb ("he hacked my computer"). into your home network through your thermostat, they’re not there to find out what the temperature is or to monkey with the heater (unless you made someone so mad that they want to roast you alive…). No, once on your network, they can look at your computers, perhaps your phones if you’ve got them on WiFiA common type of wireless network used to connect computers and phones to each other and the internet., and – best yet – they may be able to connect to the cloudA generic phrase referring to large numbers of computers located somewhere far away and accessed over the internet. For the IoT, computing may be local, done in the same system or building, or in the cloud, with data shipped up to the cloud and then the result shipped back down. using the IoT device’s connectionThis refers to some kind of electrical connection. It might be through a network cable, a cable connection, a wireless connection, or a phone - just to name some options. The connection might be to the internet or to some other local device. capability.
This is one reason for having an on-boarding process. The cloud serverA computer with a dedicated purpose. Older familiar examples are print servers (a computer that controls local printing) and file servers (a computer used for storing files centrally). More modern examples are web servers (the computers that handle your web requests when you use your browser) or application servers (computers dedicated to handling the computing needs of a specific application). Servers are often powerful, expensive machines since they have to handle a heavy load. then has a list of all of the devices – identified by some sort of ID or serial number – that are authorized to connect. If someone is wandering around on the network and tries to connect to the cloud server, they’re going to have a hard time. First, remember that they will have to authenticate to the server – it’s not on your home network, but yet another network. So that helps. But you still have to show up on the access list in order for the server let you do anything.
Why Your Device Needs Good Security
Now, as we’ve seen, some authentication methods involve figuring out keys from your device’s ID, so you literally can’t authenticate without that ID. But others (like those involving PKIA system of mathematical algorithms for public and private keys as well as certificates of authority that are used when authenticating a web session.) may not explicitly use the ID for authentication, so, after being authenticated, the ID will still be needed for authorization before you can gain full access to the server.
It’s like trying to get backstage at a show. You may be able to show your ID at the door to prove that you’re you (authentication), but then, you also have to be on the list (authorization). If you’re not on the list, it doesn’t help that you’re you. You’re not getting in.
Of course, if someone can successfully pretend to be the IoT device, then they can do both authentication and authorization. And, if they can do that, it probably means that your IoT device doesn’t have robust enough security. That’s why, even though you don’t think a hackerA misused, but common term for an unauthorized person trying to break into a device or network. Originally, in this context, "hackers" referred to the good guys (or "white hats"), while "crackers" were the bad guys (black hats). would be interested in your thermostat or toaster or whatever, it’s still important for it to have good security.
Leave a Reply