Securing IoT: Hardware vs Software

Securing the Internet of Things (IoT): That the IoT remains a relative unknown in academia, despite its burgeoning financial success in private industry, highlights academia's well-known and problematic struggle to maintain awareness of the private sector and its activities and demands. This research concluded that the many features offered by hardware-based security, as implemented by microcontrollers such as the PIC24F family, PIC18F 'K42', Arduino Mega2560R3, ARM 7/ARM 9 and others, do not outweigh the implementation of software-based security on System on a Chip (SoC) boards such as the Raspberry Pi Zero ($5.00 US), Banana Pi ($9.00 US), C.H.I.P. ($9.00 US), and Onion Omega2 ($7.00 US).


I. INTRODUCTION
A global management consulting firm, McKinsey & Company, estimates the total value potential of IoT will reach $4-11 trillion annually by 2025. The lion's share of value will lie in factories, where operations and equipment optimization could yield annual savings of $1.2-3.7 trillion. IHS Markit forecasts that the IoT market will grow from an installed base of 15.4B devices in 2015 to 30.7B devices in 2020 and 75.4B in 2025. The IoT is not a new technology in and of itself: it is a technology that has been available for many decades; however, in the past 20 years it has gained unparalleled popularity in most societies. This technology improves our standard of living, but at the same time it could compromise our security if it is not properly secured. This research outlines the implementation of security in IoT devices using hardware-based approaches, software-based approaches, or a combination of both, as well as the limitations of these approaches.
ZDNet has reported that 8.38 billion devices were deployed in 2017 [1]. According to Gartner's Group, this trend will continue (see Fig. 1). Using the trend line equation for the consumer segment to forecast consumer IoT in the year 2021, we have Y = 2362.3X + 3030.2; substituting 5 for X (year 2021) yields Y = 14,841.00 billion devices. This trend is great for the IT industry, but it also presents a great risk: security. Many IoT makers have tried to maximize profits by making their devices less secure; in many cases such devices do not have the proper security updates or fixes for bugs that were not detected during the quality control process.

Manuscript received May 6, 2018; revised August 16, 2018.

RSA Encryption
Currently, one of the most popular encryption systems is based on the RSA encryption algorithm, used to securely transmit messages over the internet. This system uses two keys: one is public and the other is private. Fig. 2 illustrates the basics of the algorithm in a simple way [2].
Since RSA is based on a public key and a private key, it is important to understand how such keys are created. This example illustrates the process [3].

Generating Public Key (n,e):
1. Select two prime numbers, for example P=53 and

The main strength of the RSA scheme is its reliance on the difficulty of factoring the product of large prime numbers. It is based on the principle that it is easy to multiply large prime numbers, but factoring their product is very difficult. For example, it is easy to check that 9161 multiplied by 8009 yields 73,370,449, but trying to find the prime factors of 73,370,449 is a much longer process [4].
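
The asymmetry described above, worked through with the paper's own primes 9161 and 8009 (an added example, not code from the paper): it builds a key pair, round-trips a message, and then rebuilds the private exponent from the public key alone by trial division, which succeeds only because this modulus is tiny. The public exponent 65537 and all function names are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* (b^e) mod m by square-and-multiply; m < 2^32 here, so products fit in 64 bits. */
uint64_t modpow(uint64_t b, uint64_t e, uint64_t m) {
    uint64_t r = 1;
    for (b %= m; e; e >>= 1, b = b * b % m)
        if (e & 1) r = r * b % m;
    return r;
}

/* Inverse of a modulo m via the extended Euclidean algorithm (0 if none exists). */
uint64_t modinv(uint64_t a, uint64_t m) {
    int64_t r0 = (int64_t)m, r1 = (int64_t)(a % m), t0 = 0, t1 = 1;
    while (r1) {
        int64_t q = r0 / r1, tmp;
        tmp = r0 - q * r1; r0 = r1; r1 = tmp;
        tmp = t0 - q * t1; t0 = t1; t1 = tmp;
    }
    if (r0 != 1) return 0;
    return (uint64_t)(t0 < 0 ? t0 + (int64_t)m : t0);
}

/* Smallest prime factor by trial division; practical only for short moduli. */
uint64_t smallest_factor(uint64_t n) {
    if (n % 2 == 0) return 2;
    for (uint64_t f = 3; f * f <= n; f += 2)
        if (n % f == 0) return f;
    return n;
}

/* Primes from the text; E = 65537 is an assumed public exponent. */
static const uint64_t RSA_P = 9161, RSA_Q = 8009, RSA_E = 65537;

uint64_t rsa_n(void)   { return RSA_P * RSA_Q; }              /* public modulus */
uint64_t rsa_phi(void) { return (RSA_P - 1) * (RSA_Q - 1); }
uint64_t rsa_d(void)   { return modinv(RSA_E, rsa_phi()); }   /* private exponent */

/* Rebuild d from (n, e) alone: factor n, then repeat key generation. */
uint64_t recover_d(uint64_t n, uint64_t e) {
    uint64_t p = smallest_factor(n), q = n / p;
    return modinv(e, (p - 1) * (q - 1));
}

int main(void) {
    uint64_t c = modpow(1234567, RSA_E, rsa_n());   /* constructed message */
    printf("n=%llu c=%llu m=%llu recovered_d_matches=%d\n",
           (unsigned long long)rsa_n(), (unsigned long long)c,
           (unsigned long long)modpow(c, rsa_d(), rsa_n()),
           recover_d(rsa_n(), RSA_E) == rsa_d());
    return 0;
}
```
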
Implementing RSA at 2048 bits on IoT devices with 32-bit processors is not the fastest approach. Multiplying two 2048-bit numbers requires a 64-word by 64-word long multiply operation. When one considers a 64-bit processor, it will require a 4096 long multiply with 64-bit resultant and accumulate [5]. Therefore, it is best to consider a 64-bit approach instead of a 32-bit one.
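
The word arithmetic behind the 64-word by 64-word figure above, as an added example (not code from the paper): two 2048-bit operands held as 64 words of 32 bits each are multiplied by the schoolbook method, and the code counts the multiply-accumulate steps, each of which produces a 64-bit result. The function names and the all-ones test operand are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LIMBS 64   /* 2048 bits held as 64 words of 32 bits */

/* Schoolbook product r = a * b. Returns the number of 32x32->64
   multiply-accumulate steps performed, i.e. LIMBS * LIMBS. */
unsigned mul2048(uint32_t r[2 * LIMBS], const uint32_t a[LIMBS],
                 const uint32_t b[LIMBS]) {
    unsigned steps = 0;
    memset(r, 0, 2 * LIMBS * sizeof(uint32_t));
    for (int i = 0; i < LIMBS; i++) {
        uint64_t carry = 0;
        for (int j = 0; j < LIMBS; j++) {
            /* 64-bit result: product + previous partial sum + carry */
            uint64_t t = (uint64_t)a[i] * b[j] + r[i + j] + carry;
            r[i + j] = (uint32_t)t;
            carry = t >> 32;
            steps++;
        }
        r[i + LIMBS] = (uint32_t)carry;
    }
    return steps;
}

/* Constructed input: a = b = 2^2048 - 1, so a*b = 2^4096 - 2^2049 + 1.
   Returns the step count, or 0 if the product is wrong. */
unsigned square_all_ones(void) {
    uint32_t a[LIMBS], r[2 * LIMBS];
    memset(a, 0xFF, sizeof a);
    unsigned steps = mul2048(r, a, a);
    int ok = r[0] == 1 && r[LIMBS] == 0xFFFFFFFEu;
    for (int i = 1; i < LIMBS; i++)
        ok = ok && r[i] == 0 && r[LIMBS + i] == 0xFFFFFFFFu;
    return ok ? steps : 0;
}

int main(void) {
    printf("word multiplies for one 2048-bit product: %u\n", square_all_ones());
    return 0;
}
```
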

Elliptical Curve Encryption (ECC)
Unlike RSA, which uses prime factors to determine the value of the public key (see RSA Encryption above), ECC uses the equation of an elliptic curve (y^2 = x^3 + ax + b) to generate its key [6]. The main benefit of using ECC compared to RSA is that it provides a high level of security using a shorter key. Shorter keys use less memory, which consequently decreases the computational requirements [7]. Fig. 3 shows the graph of such a curve. The sender must first encode any message m as a point Pm on the elliptic curve (y^2 = x^3 + ax + b); it is important to note that the ciphertext is a pair of points on the elliptic curve. The sender masks the message using random k, but also sends along a key allowing the receiver who knows the private key to recover k and hence the message. For an attacker to recover the message, the attacker would have to compute k given G and kG, which is hard to calculate [8].

#include <stdio.h>

// Modular exponentiation: returns (base^exp) mod mod by repeated squaring
long long int power(long long int base, long long int exp, long long int mod)
{
    long long int result = 1;
    base %= mod;
    while (exp > 0) {
        if (exp & 1)
            result = (result * base) % mod;
        base = (base * base) % mod;
        exp >>= 1;
    }
    return result;
}

int main(void)
{
    long long int P, G, x, a, y, b, ka, kb;

    // Both persons agree upon the public values G and P
    P = 97; // A prime number P is taken
    printf("The value of P : %lld\n", P);
    G = 9; // A base G is taken (a primitive root of P is the usual choice)
    printf("The value of G : %lld\n\n", G);

    // Alice will choose the private key a
    a = 4; // a is the chosen private key
    printf("The private key a for Alice : %lld\n", a);
    x = power(G, a, P); // gets the generated key

    // Bob will choose the private key b
    b = 3; // b is the chosen private key
    printf("The private key b for Bob : %lld\n\n", b);
    y = power(G, b, P); // gets the generated key

    // Generating the secret key after the exchange of keys
    ka = power(y, a, P); // Secret key for Alice
    kb = power(x, b, P); // Secret key for Bob
    printf("Secret key for the Alice is : %lld\n", ka);
    printf("Secret Key for the Bob is : %lld\n", kb);
    return 0;
}
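
The point-masking scheme from the ECC paragraph above (ciphertext as a pair of points, random k, recovery with the private key), worked through on a toy curve as an added example that is not code from the paper. It uses the Fig. 3 equation y^2 = x^3 - 4x + 4; the prime field F_97, base point G = (1,1), message point (2,2) and all function names are assumptions chosen for illustration, far too small for real use.

```c
#include <stdint.h>

/* Toy curve y^2 = x^3 - 4x + 4 over F_97 (field size is an assumption). */
enum { P = 97, A = P - 4 };
typedef struct { int64_t x, y; int inf; } Pt;   /* inf = point at infinity */
typedef struct { Pt c1, c2; } Ct;               /* ciphertext: a pair of points */

static int64_t md(int64_t v) { v %= P; return v < 0 ? v + P : v; }
static int64_t inv(int64_t v) {                 /* v^(P-2) mod P (Fermat) */
    int64_t r = 1, b = md(v);
    for (int e = P - 2; e; e >>= 1, b = b * b % P)
        if (e & 1) r = r * b % P;
    return r;
}

Pt ec_add(Pt p, Pt q) {
    if (p.inf) return q;
    if (q.inf) return p;
    if (p.x == q.x && md(p.y + q.y) == 0) return (Pt){0, 0, 1};  /* P + (-P) */
    int64_t s = (p.x == q.x)
        ? md((3 * p.x * p.x + A) * inv(2 * p.y))    /* tangent slope (doubling) */
        : md((q.y - p.y) * inv(q.x - p.x));         /* chord slope */
    int64_t x = md(s * s - p.x - q.x);
    return (Pt){x, md(s * (p.x - x) - p.y), 0};
}

Pt ec_mul(int64_t k, Pt p) {                    /* double-and-add */
    Pt r = {0, 0, 1};
    for (; k; k >>= 1, p = ec_add(p, p))
        if (k & 1) r = ec_add(r, p);
    return r;
}

/* Sender: mask Pm with k*Pb and send kG alongside it. */
Ct ec_encrypt(Pt G, Pt Pb, Pt Pm, int64_t k) {
    return (Ct){ec_mul(k, G), ec_add(Pm, ec_mul(k, Pb))};
}

/* Receiver: nb*(kG) equals k*Pb, so subtracting it unmasks Pm. */
Pt ec_decrypt(Ct c, int64_t nb) {
    Pt m = ec_mul(nb, c.c1);
    m.y = md(-m.y);
    return ec_add(c.c2, m);
}

/* Constructed run: G = (1,1), message point Pm = (2,2), both on the curve. */
int roundtrip_ok(int64_t nb, int64_t k) {
    Pt G = {1, 1, 0}, Pm = {2, 2, 0};
    Pt out = ec_decrypt(ec_encrypt(G, ec_mul(nb, G), Pm, k), nb);
    return !out.inf && out.x == Pm.x && out.y == Pm.y;
}
```
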

III. IOT SECURITY: HARDWARE BASED
The hardware-based approach allows designers to bring high-quality IoT devices to market in a timely manner. This approach offers built-in resources such as an optimized Cryptographic Engine, code protection (which prevents reverse engineering), and error-free security models. Since the Cryptographic Engine uses its own built-in memory, designers can use more main memory to incorporate additional features. The main drawback of hardware-based encryption is the increased cost compared to the software-based approach. Also, since the Cryptographic Engine is hard-wired, it is very difficult to update when new cryptographic security models emerge or are revised.
The choice of microcontrollers and Systems on a Chip that have a cryptography engine is limited compared to the rest of such systems. Systems on a Chip with built-in cryptography engines can save considerable effort, time and money. Microchip has integrated several security features into the PIC24F GB2 family of microcontrollers to protect embedded data. Table I displays the main characteristics of the PIC24F family of microcontrollers [10].
The fully featured hardware crypto engine supports the AES, DES and 3DES standards to reduce software overheads, lower power consumption and enable faster throughput. A Random Number Generator is also implemented, which can be used to create random keys for data encryption, decryption, and authentication. The One-Time-Programmable (OTP) key storage prevents the encryption key from being read or overwritten. This microcontroller has many features highly suitable for embedded encryption, but its cost ($3.95 each) may not be suitable in some cases [11]. Other microcontrollers with built-in cryptography are the PIC18F 'K42', Arduino Mega2560R3, and ARM 7/ARM 9.

IV. IOT SECURITY: SOFTWARE BASED
The software-based approach allows companies to reduce hardware cost, develop encryption systems in less time, use extensive open source libraries, and incorporate security features that can be easily updated if the need arises. Also, the ability to implement a software-based solution on ready-to-run small boards such as the Raspberry Pi Zero ($5.00), Banana Pi ($9.00) and Onion Omega 2 ($9.00) is very appealing to developers who are familiar with the Linux operating system and programming languages such as C, C++, Perl, Erlang, Python and others.
The software-based approach is easier to update locally or remotely, does not create a hardware dependency (in most cases), and can be used on multiple platforms. Table II displays a comparison between these small boards.

V. CONCLUSION
The conclusion of this research is that the many features offered by hardware-based security, as implemented by microcontrollers such as the PIC24F family, PIC18F 'K42', Arduino Mega2560R3, ARM 7/ARM 9 and others, do not outweigh the implementation of software-based security on System on a Chip (SoC) boards such as the Raspberry Pi Zero ($5.00 US), Banana Pi ($9.00 US), C.H.I.P. ($9.00 US), and Onion Omega2 ($7.00 US) [12]. These systems are in general faster and provide more resources, such as memory, input and output interfaces, and an open-source operating system (Linux), development tools, and libraries.
However, either software-based or hardware-based cryptography may have a short life once quantum computing becomes readily available. More research is necessary to address future cryptography schemes capable of being immune to quantum computing [13].

Figure 1. Gartner's IoT 2017

II. IOT SECURITY: ENCRYPTION
Implementing software-based security in IoT devices is more difficult than on other platforms such as desktops, laptops, tablets, and phones. The difficulties are driven by the constraints of this technology, that is, speed, power consumption, cost, and excessive demand worldwide. Cost is one of the main driving forces in the design, marketing and deployment of IoT devices. These devices need to be in the marketplace at a fast rate, and normally do not follow Moore's Law. Several encryption schemes are available to designers to implement in IoT devices; the ones covered in this research are Curve25519 (Elliptical Curve Encryption (ECC)/Diffie-Hellman) and Rivest-Shamir-Adleman (RSA). Both encryption systems have advantages and disadvantages: RSA is very popular; however, ECC has a smaller memory profile and is faster to execute.

Figure 3. Elliptical curve for Y^2 = X^3 - 4X + 4

Basic Implementation of ECC Encryption/Decryption

[9]. The main features of this Cryptographic Engine are:
* AES Engine with 128, 192 or 256-Bit Key
* Supports ECB, CBC, OFB, CTR and CFB128 modes
* DES/Triple DES (TDES) Engine: Supports 2-Key and 3-Key EDE or DED TDES
* Supports up to Three Unique Keys for TDES
* True Random Number Generator
* Pseudorandom Number Generator
* Non-Readable, On-Chip, OTP Key Storage

Code for RSA Encryption/Decryption Visual Studio 2017: C# RSA program
This program was originally posted in itechtuts.com, I do not claim ownership, but humbly pay tribute to such elegant design.

TABLE I. PIC24F FAMILY

TABLE II. COMPARISON OF SMALL COMPUTER BOARDS