Cryptography and security implementations in the
Internet of Things
Aki Koivu, B.Sc
University of Turku
Abstract—An Internet of Things (IoT) device is defined as a device
that is embedded with network connectivity, among other features. When
an IoT device has network connectivity, by today's standards it
needs to have at least the basic security protocols implemented.
The need for solid network security protocols increases when
the devices operate in an environment that produces confidential
data, for example industrial or military environments.
IoT devices can differ from each other a lot, but usually
they are small and portable by nature. This means the cost of
computation is a critical factor. Implementing too many features
will decrease the system's computational power to an unacceptable
state. This makes standardizing a set of security protocols tough.
So how these protocols are best utilized in IoT devices is a
In this review article we will explore the nature of IoT, the
fundamentals of IoT security, the possible security risk factors
and their challenges, focusing on cryptosystems and their protocol
implementations considering network security. Symmetric and
public key algorithms are presented, along with Lightweight
Cryptography as a new solution for IoT security.
Index Terms—IoT, security, protocol, lightweight, cryptogra-
The Internet of Things is the new innovative technology
that promises to enhance and optimize many aspects of
our lives with intelligent sensors and smart objects working
together [Keoh et al., 2014]. It consists of a plethora of
different devices with embedded features. The main
responsibilities of these features are to collect data and to transfer said data to
The use of IoT devices is increasing rapidly, with
estimations of 50 billion connected devices by 2020. Areas
of application are numerous, from health analysis devices
around people's arms to industrial implementations designed
for monitoring or remote control. The potential of these
devices is inspiring organizations to invest in Industrial
Internet and Machine-to-Machine (M2M) communications.
[Schurgot et al., 2015].
The fundamental feature of IoT is to share information. The
benefit of this feature can be seen in home automation, for
example, where a system can improve the energy efficiency of
your home and improve costs in other areas. This is done by
installing sensors and controllers throughout the house. The
sensors can work with our smartphones, lowering the heat
when the phone's user is outside or opening the front door when
the user is outside, for example. The connectivity of these
devices enables constant and sometimes even real-time sharing
of information. [Schurgot et al., 2015].
The concept of IoT has been that numerous physical devices
or objects with different kinds of sensors and actuators are
connected to the Internet. This is done via heterogeneous access
networks, which are enabled with technologies like embedded
sensing and actuating, radio frequency identification (RFID),
Bluetooth Low Energy (BTLE), wireless sensor networks, and
real-time and semantic web services among others. IoT could
be categorized as a network of networks. [Wang et al., 2013].
Since the number of connected "Things" is estimated to
be colossal in nature, so is the amount of raw data
transferred and processed. The raw data is analyzed and mined
to abstract factual information such as correlations among
things [Wang et al., 2013]. With all of this data collection,
a risk also emerges. This data, if not correctly
secured, can be collected by a nefarious entity to exploit the
situation. Since the usage of IoT devices is gaining popularity,
the occurrence of nefarious usage also grows. This is why
securing the continuous stream of data and hardware of IoT
II. IOT SECURITY
A. Security risk factors
The factors that contribute to IoT security problems can
be divided into two categories: the diversity of IoT and the
communication of IoT. The problem of diversity embodies itself
as vulnerabilities produced by careless program design. This
enables the usage of malware and backdoor installations in
the device. Because of the diversity of devices, these security
problems are more complex compared to traditional systems.
[Zhang et al., 2014].
The communication of IoT can cause security complications
when we consider the core concepts of information security:
integrity, confidentiality, and availability of the data (Figure
1). Integrity can be compromised by modifying the data
in transit, thus altering the results of a process that
takes said data as an input. Confidentiality can be broken
by simply reading the transferred data in transit. Availability
can be denied if the transferred data never reaches its target
destination. Because IoT devices are by design well connected
to multiple other devices and collect and transfer
large amounts of data, securing M2M communication
in particular is crucial. This is, however, a considerable challenge
given the restrictions of IoT.
Figure 1. Fundamental concepts of information security
The lack of security in IoT devices can manifest itself as
privacy problems, when a good amount of data is collected
based on your behavior. An attacker with unauthorized
access to a smart home's sensor data could know when the
owner leaves the house. The lack of security could also be
fatal, for example if a pacemaker were wirelessly
hacked to malfunction [Storm, 2015].
B. Challenges of Secure Software
IoT can be abstracted into three layers: the
sensing layer, transport layer, and application layer
[Guicheng and Zhen, 2013]. Software vulnerability in
the application layer is one of the most important aspects of
current security research. When a new vulnerability is found
in software, attackers can use it to exploit every machine that
has the software installed. With traditional computer systems
this is not a big problem, because when a fix is found it
can be applied quickly to numerous different systems. This
is because modern system architectures tend to be similar.
Security awareness in software programming is almost
effortless to impose thanks to this. [Zhang et al., 2014].
In the heterogeneous IoT environment things are not as
simple. Because of the diverse pool of hardware platforms
and modified operating systems, it is difficult to apply even the
most common security features to all devices. It also makes it
difficult for programmers to keep up with security awareness
because of the numerous distinct implementations on multiple
differing platforms. Programmers are also faced with more
and more complex software solutions in IoT devices, so
considering every aspect of secure programming can be brutal.
[Zhang et al., 2014].
C. Challenges of Secure Communication
The most commonly used types of connections in IoT are
Local area network (LAN), Infrared, Bluetooth, RFID,
wireless fidelity (Wi-Fi), and Cellular broadband among others.
Securing the communication of two devices requires working
mechanisms to identify, authenticate, and authorize devices. To
implement these abstract mechanisms in the transport layer,
various cryptosystems and protocols are used. Identifying
a device in a network is the first important issue when it
comes to secure communication. For IoT, in a connection that
uses TCP/IP the Domain Name System (DNS) is mostly used as
a way to identify a device in a network. This might change in
the future, as the more specific Object Name Service (ONS)
mechanism has been invented and it theoretically could be
applied to IoT. After a device has been identified, it needs to
be located within the network. The most popular way of doing
this is with the IPv4 and IPv6 protocols. [Zhang et al., 2014].
After identifying and locating a device, it is authenticated.
At this point the security aspect of the connection starts.
Verifying a device's genuineness is vital when we consider the
scale of IoT. Imagine a device that could imitate other devices,
feeding false information to a server that makes decisions
automatically based on said data. [Crossman and Liu, 2015].
Attacks can be made on the sensing layer of IoT as well,
by controlling or blocking real nodes in a system with malicious
nodes. A Denial of Service (DoS) attack is also a possibility,
by attacking the gateways or servers of the overall system.
[Guicheng and Zhen, 2013].
III. CRYPTOSYSTEMS AND PROTOCOLS
Different organizations provide multiple architectures and
models for network and information security. They include
time-based protection, the Prevention and Detection and Response
model (PDR) and its variants, the TCP/IP security mechanism,
the ISO/OSI system, and the Internet Engineering Task Force
model (IETF), among others. The nature of IoT makes the
implementation of these models and systems difficult, because
the traditional architectures do not take into account the
construction of entire networks and information security systems.
They mostly concentrate on simple protection measures that
cannot be aimlessly implemented en masse [Zhang, 2006].
Because traditional solutions do not work in this environment,
new ways to secure IoT devices are needed. [Liu et al., 2013].
A. Symmetric and Public Key algorithms
A cryptosystem usually has mechanisms to generate a key,
encrypt said key, and decrypt it. Because of the resource
limitations of IoT devices, these mechanisms have to be
lightweight. Although commonly used cryptosystems are too
heavyweight to be implemented in IoT, there are versions of
conventional cryptosystems that can pass this limitation and
are specifically made to support constrained environments like
IoT devices. Advanced Encryption Standard (AES) is an open
encryption standard that has been successfully ported to a few
IoT devices. It uses symmetric cryptography, so that
encryption and decryption use the same key, and is considered to
be secure enough when it is used with an initialization vector that
scrambles data before encryption, so that no two identical
messages result in identical encrypted data [Goluboff, 2015].
There are also new symmetric cryptography based solutions
proposed: block ciphers CLEFIA and PRESENT, stream
cipher project eSTREAM and the lightweight hash algorithm
SHA-3. [Katagi and Moriai, 2008].
Figure 2. Symmetric and public key algorithms
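The effect of the initialization vector described above, shown as an added example (not code from the article or from any cited project). It uses the PRESENT block cipher named in this section with an 80-bit key instead of AES so that it runs with only the Python standard library, and it assumes CBC chaining as the IV mode, which the article does not specify; the function names and the sample sensor reading are constructed for illustration.

```python
import secrets

# PRESENT S-box and bit permutation: bit i of the 64-bit state moves to PERM[i].
SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]
PERM = [63 if i == 63 else (16 * i) % 63 for i in range(64)]

def round_keys(key80):
    """PRESENT-80 key schedule: 32 round keys of 64 bits each."""
    keys = []
    for rnd in range(1, 33):
        keys.append(key80 >> 16)                                   # top 64 bits
        key80 = ((key80 & (2**19 - 1)) << 61) | (key80 >> 19)      # rotate left by 61
        key80 = (SBOX[key80 >> 76] << 76) | (key80 & (2**76 - 1))  # S-box on top nibble
        key80 ^= rnd << 15                                         # add round counter
    return keys

def encrypt_block(block, keys):
    """Encrypt one 64-bit block (int): 31 rounds, then a final key addition."""
    state = block
    for k in keys[:31]:
        state ^= k
        state = sum(SBOX[(state >> (4 * n)) & 0xF] << (4 * n) for n in range(16))
        state = sum(((state >> i) & 1) << PERM[i] for i in range(64))
    return state ^ keys[31]

def ecb_encrypt(blocks, keys):
    """No IV: every block is encrypted on its own, so repeats stay visible."""
    return [encrypt_block(b, keys) for b in blocks]

def cbc_encrypt(blocks, keys, iv):
    """The IV, then each previous ciphertext block, is XORed in before encryption."""
    out = [iv]
    for b in blocks:
        out.append(encrypt_block(b ^ out[-1], keys))
    return out[1:]

if __name__ == "__main__":
    keys = round_keys(secrets.randbits(80))            # constructed random key
    reading = int.from_bytes(b"temp=21C", "big")       # constructed 8-byte sensor message
    print("ECB:", [f"{c:016x}" for c in ecb_encrypt([reading] * 3, keys)])
    for _ in range(2):                                 # fresh random IV per message
        iv = secrets.randbits(64)
        print("CBC:", [f"{c:016x}" for c in cbc_encrypt([reading] * 3, keys, iv)])
```

The IV is not secret and travels with the ciphertext, but it has to be fresh and unpredictable for every message.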
Public key authentication (PKA) differs from symmetric
algorithms in that, whereas symmetric key algorithms use the same key
for encryption and decryption, PKA uses a paired set of keys
that consists of a secret key for decryption and a public key
for encryption (Figure 2) [Tatham, 2004]. PKA does not get
broken if one of the keys is discovered, thus it is more
secure than symmetric algorithms. But this mechanism also
requires a great number of resources, and at this time there are
no solutions that would be lightweight and secure enough to
be a good fit for IoT. [Katagi and Moriai, 2008].
B. Lightweight Cryptography
Lightweight Cryptography (LWC) could resolve the
problems that the conventional cryptosystems present. LWC is a
cryptographic protocol made specifically for use with devices
that have limited resources, RFID tags and sensors for
example. LWC could be implemented in IoT by
standardizing a general-purpose solution. ISO/IEC 29192 describes the
lightweight properties based on target platform [ISO, 2012].
When implementing a protocol on an IoT device, energy
consumption and the amount of random access memory (RAM)
used are good indications of lightweight or heavyweight
solutions. LWC would have a smaller footprint when considering
implementation compared to other network security protocols
like TLS. The benefits would be more efficient end-to-end
communication and a smaller footprint of the cryptographic
resources needed. LWC for IoT is currently only theorized,
since standardization for a variety of devices is complex.
[Katagi and Moriai, 2008].
IoT is an ever-growing technology and with it comes an
ever-flowing stream of data. What follows is an acute need
for better security implementations, as the data is presumed
to preserve the fundamental aspects of information security.
Secure communications and software present challenges, since
traditional solutions are poor in the IoT environment. New
cryptographic solutions like LWC are theorized, but not
standardized yet because of the diverse pool of IoT hardware.
[Crossman and Liu, 2015] Crossman, M. A. and Liu, H. (2015). Study of
authentication with IoT testbed. In Technologies for Homeland Security
(HST), 2015 IEEE International Symposium on, pages 1–7.
[Goluboff, 2015] Goluboff, M. (2015). AES vs SSL/TLS: Encryption for the
Internet of Things. Electronic Products. Lantronix.
[Guicheng and Zhen, 2013] Guicheng, S. and Zhen, Y. (2013). Application
of elliptic curve cryptography in node authentication of Internet of Things.
Ninth International Conference on Intelligent Information Hiding and
Multimedia Signal Processing, pages 452–455.
[ISO, 2012] ISO (2012). ISO/IEC 29192-1.
[Katagi and Moriai, 2008] Katagi, M. and Moriai, S. (2008). Lightweight
cryptography for the Internet of Things. Sony Corporation.
[Keoh et al., 2014] Keoh, S. L., Kumar, S. S., and Tschofenig, H. (2014).
Securing the Internet of Things: A standardization perspective. Internet of
Things Journal, IEEE, 1(3):265–275.
[Liu et al., 2013] Liu, C., Zhang, Y., and Zhang, H. (2013). A novel approach
to IoT security based on immunology. In Computational Intelligence and
Security (CIS), 2013 9th International Conference on, pages 771–775.
[Schurgot et al., 2015] Schurgot, M. R., Shinberg, D. A., and Greenwald,
L. G. (2015). Experiments with security and privacy in IoT networks. In
World of Wireless, Mobile and Multimedia Networks (WoWMoM), 2015
IEEE 16th International Symposium on a, pages 1–6.
[Storm, 2015] Storm, D. (2015). Researchers hack a pacemaker, kill a man
[Tatham, 2004] Tatham, S. (2004). Using public keys for SSH authentication.
PuTTY User Manual.
[Wang et al., 2013] Wang, C., Daneshmand, M., Dohler, M., Mao, X., Hu,
R. Q., and Wang, H. (2013). Guest editorial - special issue on Internet of
Things (IoT): Architecture, protocols and services. Sensors Journal, IEEE,
13(10):3505–3510.
[Zhang, 2006] Zhang, C. Y. (2006). Network security architecture. University
of Electronic Science and Technology of China Press.
[Zhang et al., 2014] Zhang, Z.-K., Cho, M. C. Y., Wang, C.-W., Hsu, C.-W.,
Chen, C.-K., and Shieh, S. (2014). IoT security: Ongoing challenges and
research opportunities. In Service-Oriented Computing and Applications
(SOCA), 2014 IEEE 7th International Conference on, pages 230–234.