Now that I've made the case for using PKI to secure your IoT deployments and posed some questions to keep in mind as you design a solution for your environment, I'd like to take a look at what implementing PKI for IoT would actually involve.
While there are already a number of early-stage IoT deployments using standard PKI capabilities, as the number of devices continues to grow and become more varied, it's likely that PKI as it stands today won't be able to cut it. Let's take a look at some of the considerations that need to be addressed in order for PKI to take on the scale and heterogeneity that comes along with IoT.
Shorter or Longer Certificate Validity Periods
Depending on the capabilities or constraints of devices in your environment, you may be looking at certificate validity periods much longer than traditional ones. For example, you might take this path if you’re not able to update the devices once they’ve been deployed. Conversely, in some scenarios you may not wish to use revocation services, or you may have a more uncertain or dynamic environment, and so look toward shorter certificate validities with continuous updates to manage the risk.
Future-proofing Considerations
If you’re going with longer certificate validities, you may also need to consider stronger than standard crypto algorithms and key sizes (e.g., 4096 RSA / NISTP-256) to meet future-proofing needs.
Alternative Algorithms and Root Hierarchies
As I mentioned above, devices may be resource-constrained with limited processing and storage. You’ll look toward higher performing algorithms like ECC for faster key generation and signing, or shorter root hierarchies for quicker chain validation.
Bootstrapping Trust
Bootstrapping trust in the thing ecosystem is a very tricky problem and will vary greatly depending on your environment. For example, you may choose to bootstrap trust by embedding a root with the devices at time of manufacturing.
Custom EKUs
As the certificates deployed in your environments may address new use cases, you may need to leverage non-standard or custom EKUs (Extended Key Usages) to support advanced access control or permission management.
Flexible Subject Parameters
Finally, the method of identifying and naming these devices will likely be non-standard, so there is a high probability that they will need to use subject names not aligned with the standard naming conventions.
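To show how the certificate features above fit together (ECC keys, a one-level hierarchy, a custom EKU, a non-standard subject and a chosen validity period), here is an added Go example that is not from the original post. The OID (placed under the RFC 5612 documentation arc), the device ID and all function names are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var ekuTelemetry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 32473, 1, 1} // hypothetical custom EKU (assumption)
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// DeviceChain issues a P-256 device cert, named only by device serial, directly under a root.
func DeviceChain(id string, ttl time.Duration) (root, dev *x509.Certificate) {
	now := time.Now().Add(-time.Minute) // backdated to tolerate clock skew
	rk, dk := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rt := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root"}, NotBefore: now,
		NotAfter: now.AddDate(20, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rt, rt, &rk.PublicKey, rk))))
	dt := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{SerialNumber: id}, NotBefore: now,
		NotAfter: now.Add(ttl), KeyUsage: x509.KeyUsageDigitalSignature, UnknownExtKeyUsage: []asn1.ObjectIdentifier{ekuTelemetry}}
	return root, must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, dt, root, &dk.PublicKey, rk))))
}

// Authorize enforces the custom EKU itself (the stock verifier only matches standard ones), then validates the chain.
func Authorize(root, dev *x509.Certificate, want asn1.ObjectIdentifier) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	for _, oid := range dev.UnknownExtKeyUsage {
		if oid.Equal(want) {
			_, err := dev.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
			return err
		}
	}
	return fmt.Errorf("certificate lacks required EKU %v", want)
}
func main() {
	root, dev := DeviceChain("SN-0042-A7", 24*time.Hour)
	fmt.Println(dev.Subject, dev.NotAfter.Sub(dev.NotBefore), Authorize(root, dev, ekuTelemetry))
}
```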
Volume and Velocity
Beyond the unique cryptographic and certificate feature requirements outlined above, IoT deployments involve a volume and velocity far beyond traditional PKI deployments (think millions rather than thousands). To achieve these high-volume scenarios, it's essential that the PKI services are exposed via effective APIs for automation. You will also need to understand the performance and availability needs of the relying servers and devices.
These are just a few of the ways PKI needs to evolve to accommodate the scale and diversity of IoT deployments. The good news is that all these changes are within reach, if not already in use. The most important thing is to find an agile Certificate Authority (CA) that is willing and able to work with your specific needs and create a solution that meets all your requirements.