NIST seeking comment on IoT encryption
- By Derek B. Johnson
The National Institute of Standards and Technology wants comments on the best way to design criteria to evaluate new encryption standards for small computing devices.
NIST will eventually ask researchers and cryptographers for algorithms that could be used to encrypt data on small, "constrained devices," such as sensors, RFID tags, industrial controllers and smart cards that are being incorporated into automobiles, internet-of-things devices, the smart grid and distributed control systems.
But first the agency needs to establish the requirements and evaluation criteria that will guide the review of the algorithms.
In a May 14 Federal Register notice, NIST says its current encryption standards were designed for "general purpose computing platforms" like personal computers and tablets and have not been optimized for smaller devices that have access to less power.
"The shift from desktop computers to small devices brings a wide range of new security and privacy concerns," the notice reads. "It is challenging to apply conventional cryptographic standards to small devices, because the tradeoff between security, performance and resource requirements was optimized for desktop and server environments, and this makes the standards difficult or impossible to implement in resource-constrained devices."
Comments will be accepted for 45 days. Once the evaluation criteria are established, NIST will put out a call for public submissions of encryption algorithms from security experts, cryptographers, academia and government. The algorithms will be subject to a year of public review and an additional 10 to 11 months of analysis by NIST officials before being considered for standardization.