The US National Institute of Standards and Technology (NIST) has selected the Ascon cryptographic algorithms to be its lightweight cryptographic standard. Lightweight cryptography algorithms need to be powerful enough to protect small Internet of Things (IoT) and other lightweight devices with limited computational resources.
- It is a very important move by NIST to recognize that IoT devices with limited hardware capabilities need different encryption standards. Ascon appears to be a solid choice. But also remember that weak or missing encryption is just one of many security issues hurting IoT users. Encryption issues rank far below vulnerabilities like default passwords, outdated software components and the inability to efficiently upgrade IoT devices.
- There is a definite need for data encryption on a wide range of devices. While the phrase “lightweight cryptography” gives me pause, much the way “healthy fried food” does, the public process NIST uses for this has a good track record. Start by informing all device suppliers that security and privacy are important criteria for all future procurements.
- Get ready to add Ascon to your cryptographic lexicon. While some encryption is available in hardware, such as AES, having a lightweight option that can fit within the resources of IoT devices makes it all the easier to incorporate without impact to performance or price point. There are seven members of the Ascon family. Keep an eye on solutions in the authenticated encryption with associated data (AEAD) which will help better secure vehicle and RFID communications. While these show promise of raising the bar for IoT security, consumer education will be needed to drive demand for adoption and selection of products with increased security.
- Defining the US national standard for lightweight cryptography has been many years in the making. Unfortunately, it will be of little use for the billions of IoT devices in use today.
- In order to be useful and efficient, cryptographic algorithms need only raise the cost of attack to a point greater than the value of success. One must be sure to use them only for the intended application and environment.