LoRaWAN Encryption 101

Semtech_Blog_LoRaWAN_IoTSecurity

When talking about data security, throwing terms such as “asymmetric cryptography”, “end-to-end encryption” and “key derivation” will either impress someone deeply with your sound knowledge of the mysterious ways of the web, or you instantly become an obscure, lock-picking villain. A pity really, because the fundamentals of data security are not that difficult to understand and many companies consider this the highest priority in LoRaWAN™ implementations.

Today, the workforce in the technology space ranging from sales agents to programmers, from interns to CEOs should know of the fundamentals of data security. Luckily, understanding the security flow of Internet of Things (IoT) solutions is quite easy if you ask the right questions and understand the few scary words that people often use.

lwa blog pic 1Encryption, a term so mainstream these days, is nothing more than a modern form of cryptography to hide information from others. An algorithm, called a cipher, is used to scramble the data which makes the message look like a bunch of random characters. Only with the right key you can make sense out of the characters. The obscure word for scrambling is encrypting, while descrambling is called decryption. This is a common practice on the Internet. The green lock in the navigation bar shows that the data you send and receive is encrypted between your browser and the domain on which the website is running.

We are fortunate that over the past few decades, smart people have made encryption methods available. How you use the encryption methods determines the level of security of your solution. Anyone can audit an IoT solution by asking these two simple questions:

  1. Where is the first “end” and where is the second “end” in an end-to-end encrypted solution?
  2. Who has the keys?

When we encrypt the data with a key and we decrypt the data with the same key on the other end, we call this symmetric cryptography (also called secret key cryptography or private key cryptography). The lock of your house uses this method as there is only one key that can be used both for locking as well as unlocking the door. You might have created a few copies for people who you want to grant access to your house - for instance watering the plants, cleaning the house, etc. You trust them not to create a copy or hand it to someone else. The LoRaWAN protocol uses symmetric cryptography, as the key for encrypting and decrypting the application payload is the same and known to the device, as well as the application server.

For most of the LoRaWAN solutions, symmetric cryptography is a very secure way of working; however, the keys need to be added in the sensors by someone, which usually happens in a non-controlled environment. Often, the device manufacturer or the field service technician who installs the sensors add the keys. If you are certain you can trust this person, just like you trust your neighbor to water the plants, you are all good. But chances are this is not the case.

Luckily, there is a way to secure this workflow. The so called embedded secure elements (also called crypto chips) can securely store the keys in the sensor in such a way that they cannot be recovered. It has a kind of a self-destruction functionality which is activated when someone tries to break in the device to steal the keys. Smart ways of injecting the keys on to the chips are available as well. This can be done in a secure environment where suppliers come with guarantees with regards to the safety of your keys. These are called key management services. Secure elements can also add another layer of encryption to the data, making use of asymmetric cryptography (also called public key cryptography or public/private key cryptography). Asymmetric cryptography is another fancy word which simply means that you need two different keys, one for locking the door, another for opening it. This prevents the person who installs the sensor from copying the key, as he only has access to key one and not to key two. What does this mean in practice? Before the data leaves the sensor it is encrypted with key one. The encrypted data is sent over the network to your application which decrypts your data using key two.

lwa blog pic 2Are you still puzzled by the two methods of encryption? Please have a look at this YouTube video about encryption:

Building secure IoT solutions is not that hard as the encryption technology is very powerful and hard to crack. In many cases, the vulnerability of an IoT solution has nothing to do with the technology, but with the humans involved who do not have the required knowledge or know-how for handling the keys with care. Therefore, make sure you know where the endpoints are in the end-to-end encryption and who has the keys to encrypt and decrypt the data.

The eighth week in the LoRaWAN Academy focuses specifically on the security aspect of LoRaWAN. In this week, Johan Stokking, co-founder of The Things Network and CTO of The Things Industries talks about the fundamentals of LoRaWAN security, while giving hands-on tips and tricks to make solutions much more secure. Have a look at the introduction of the eighth module of the course: 

lwa blog pic 3

Want to know more? We are happy to help you setup your secure IoT application. Drop us a line!

Tags: Internet of Things

LoRaWAN Academy

LoRaWAN Academy is a comprehensive, global university program connecting next-generation engineers with LoRa-based LPWAN technology for applied learning and advanced research. Learn more: www.lorawanacademy.com.

Recent Posts