SCP 70: Delivering IoT Security to Constrained Devices
Pascal Dumas, IDEMIA
In this blog, Pascal Dumas explores what Secure Channel Protocol 70 (SCP 70) is, how it can be used and why it is delivering value to a growing area of the IoT that is in need of updated security provisions.
In 2017, hackers were able to access and export over 10 GB of data from a North American Casino all via a fish tank temperature sensor. While the ecosystem has come a long way since then, this incident still highlights that even the most innocuous of connected devices can be a target.
As the IoT continues to expand, the different types of devices that are being connected is becoming more and more diverse. The more traditional connected devices such as laptops and phones are being joined by devices that represent innovative new use cases. Weather monitoring, traffic sensors and agricultural automation are just three of the industries that are becoming more and more established in connected ecosystems, each bringing with them a host of new requirements.
However, for many of these use cases, it is simply not practically or economically viable for all connected devices to uphold some of the more demanding management protocols. Many have limited capacity in terms of processing power, memory, communication capability and battery life. These constrained devices therefore must be managed differently to account for their limitations. However, if these concessions are met at the expense of device security, then device makers risk putting data, networks, other devices and even lives at risk. GlobalPlatform’s SCP 70 addresses these concerns, giving device manufacturers a trusted protocol upon which to model their device security provisions.
The challenges of resource-constrained devices
One of the most prominent hallmarks of constrained devices is that they often lack some of the more advanced communication capabilities. IoT devices that rely on public bandwidth have severe limitations on how much and how often they can communicate. They are unable to be in constant contact with the server, meaning that they must be as efficient in their communication as possible.
These devices are often also low power, meaning that they cannot be online at all times without draining their battery life. Devices in remote or inaccessible locations are often designed in this way to reduce the frequency in which their battery must be changed to limit costs and operational complexity. As these devices therefore only turn on when they need to communicate with the server, they are often incapable of receiving transmissions. Therefore, the protocol must be device-initiated rather than done by the server itself.
How SCP 70 addresses these needs
SCP 70 is designed to provide end-to-end and bearer-independent authenticated encryption of messages for low power, long range devices. SCP 70 is designed to avoid unnecessary data handshakes in communication-constrained environments by using pre-shared keys. In doing so, it enables the exchange of messages between the device and server while ensuring the integrity and confidentiality of the connection. It does this by accounting for the specific constraints of long range, low power transport layers like LoRaWaN and Sigfox.
Adding value to the ecosystem
SCP 70 facilitates the efficient, economic transfer of data to the server but, crucially, it does so without compromising on security. Device makers want to be able to offer products with high end security capabilities that can be used in a zero-trust IoT application that helps increase its value. SCP 70 utilizes AES standard cryptography as part of its simple-to-adopt provisions to help standardize secure data transfer in a way that did not exist before. This enables the encryption and signature of the data without the need for a resource-intensive authentication step.
What’s next for GlobalPlatform?
As the demand for smaller and more efficient IoT deployments continues, the proliferation of resource-constrained devices looks to be one that will continue for some time. This first release of SCP 70 takes a step to safeguarding its future, most notably by bringing cryptographic encryption to the ecosystem. We can now capitalize on this progress to keep devices secure and efficient.
GlobalPlatform is already considering how to enhance version 1.0 of SCP 70. It is considering how it can deliver lightweight cryptography and crypto agility to make devices even lower cost and even more resource-efficient.
Download the full SCP 70 specification here.