The Public Eye

 

Keeping tabs on federal government efforts to protect citizens' privacy

Authenticating the Internet of Things Vint Cerf's Homework Assignment to the Infosec Community

Digital photo frames - those gadgets that continuous stream dozens of pictures of grandchildren and favorite nieces and nephews - can be found on the bookshelves of hundreds of thousands of grandparents. But buyer beware.

"There is a security issue here, though, because if the website that the pictures are uploaded to gets hacked, the grandparents may see pictures of what they hope are not the grandchildren," Internet visionary Vint Cerf says. "It's pretty clear that we should be thoughtful about protecting resources not only at work, but at home and out on the Net."

It's pretty clear that we should be thoughtful about protecting resources not only at work but at home and out on the Net. 

Cerf, speaking of the "Internet of Things," points out that one of the biggest challenges the IT security community faces in the coming years is authenticating the billions of devices that will be connected to the Internet. Hacking into third-party websites or service providers could prove more calamitous than a licentious image appearing in an e-frame found in the family den.

That's because a growing number of third-party providers will manage more critical services than family photos, such as monitoring home and office security and environmental controls over the Internet. Disruptions to those services could have an adverse, cascading impact on our critical infrastructure

These systems will be programmed to follow instructions such as turning off air conditioners for short periods of time to help prevent blackouts or brownouts.

Strong Authentication as 'Our Friend'

"All that kind of advice has to be authenticated because otherwise somebody can get in and turn all the air conditioners off in the United States and then turn them all back on again and then turn them all off then turn them back on," says Cerf, vice president and chief evangelist at Google. "And that will probably whiplash the power generation system. So, we want strong authentication to be our friend here."

Cerf says he has a fanciful notion that every device connected to the Internet will register its public key or can respond, when asked, for the public key in order to provide secure communications with the device. He says he just hasn't figured out yet how to make that notion a reality

Speaking at RSA Conference 2013 in San Francisco late last month, Cerf gave a homework assignment to his audience of several thousand IT security professionals: Design a system that capitalizes on a strong authentication to configure systems to manage or access devices.

Creating Manageable Systems

Cerf says these systems needn't be large; perhaps they'll support only tens or hundreds of devices each, even though eventually billions of devices will be part of the Internet environment. "The numbers that have to manage in any one instance might actually be fairly reasonable in size," he says.

"This idea here is basically a challenge to all of us - including me - to see whether or not we can build into the core of the devises we use in network environments the ability to do strong authentication in a way that can't be easily compromised. You can never say never because there is always somebody who comes along, but at least you hope it will be a strongly supported system."

Finishing Cerf's assignment is vital if the Internet is to be a trusted environment for commerce and communication, but it represents only one of many challenges the IT security community cannot ignore.



About the Author

Eric Chabrow

Eric Chabrow

Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow, who oversees ISMG's GovInfoSecurity and InfoRiskToday, is a veteran multimedia journalist who has covered information technology, government and business. He's the former top editor at the award-winning business journal CIO Insight and a long-time editor and writer at InformationWeek.





Around the Network