NIST Eyes IoT Security Standards for Small Electronics

With the aim of helping better secure low power, lower cost IoT devices, the National Institute of Standards and Technology (NIST) is working to develop IoT security standards for lightweight cryptography that can work within the confines of resource-constrained environments.

Common encryption methods may demand more electronic resources than things like microcontroller-power devices, RFID tags or key fobs may possess, according to NIST. Lightweight cryptographic algorithm standards can balance IoT security needs within the context of performance and cost, according to Kerry McKay, NIST computer scientist, being mindful of the device and what it’s trying to do.

“Lightweight doesn’t mean weak,” McKay said. “It’s about tailoring a device for a particular application environment. You’re not going to put a $1 tag on a $10 T-shirt.”

While its formal request will be issued this spring, NIST is currently seeking assistance in developing requirements and guidelines, recently issuing its “Draft Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process.” This request for feedback was written with the software development community in mind, and aimed at ensuring that the formal request will produce the sort of encryption algorithms developers agree will help, according to a blog announcing the news. The draft document is available now on the NIST website.

This request comes after several years of research into whether a lightweight standard was necessary, McKay said. NIST is aiming to have a standard out within two to four years, and they’re looking for feedback on that timeline. To that end, NIST is not looking for new designs, but for things that have already been published (though not necessarily adopted), as “people have been working on crypto for constrained environments for several years now,” according to a blog announcing the news.

“My main hope is we get something really useful and it improves security on the Internet of Things,” McKay said. “I hope it gives vendors a tool to add security where they otherwise would not have been able to.”