Industry 4.0: The Authentication of Things within the Internet of Things – PKI as a Solution Approach

Signature law

The German Signature Act solely provides regulations on the authentication of natural persons within the digital world, as well as on the verification of content. The purpose of the German Signature Act was to create an appropriate framework for the use of electronic signatures and therefore it aims at facilitating legal certainty. The act is limited to the regulation of qualified certificates and timestamps issued by certification providers and provides minimum-security levels in particular. The regulations of the German Signature Act were superseded by the eIDAS regulation of the European Union which is binding for each member state in the European Union and came into effect on 7 July 2016. Insofar, the electronic signature legislation is newly regulated. 

Public key infrastructure

Despite those legal barriers, the technical infrastructure built by certification service providers may provide a solution to the above-mentioned issues within the Internet of Things. Public key infrastructure (PKI) is not an innovation, but a system that has been used rather quietly for the past few years. It is an approach that allows the issuance, distribution, and verification of digital certificates to secure the electronic transfer of information within an unsecured public network. 

Every user within the PKI has to apply for a certificate with a registration authority. This authority verifies the data within the requested certificate as well as the identity of the user (company, person, or machine), approves the application and passes it on to the certificate authority (CA), which signs the certificate. The user receives a cryptographic key pair from the certificate authority consisting of a public and a private key. When using electronic signatures in electronic communication, the CA thus acts as a trust center that issues certificates identifying the communication partner. 

The authenticity of the public key can be confirmed by a digital certificate, which itself is protected by a digital signature. The private key is sent solely to the requester and serves to decrypt messages sent with the corresponding public key (called asymmetric encryption). It can also be used in order to verify the identity of the communication partner. 

Identifying things within the Internet of Things

Securing things in the Internet of Things poses new challenges for legal practice because of the great diversity and plurality of connected devices. When things communicate with each other, the traditional authentication methods such as passwords or tokens cannot be used. Connected devices have a need to provide trustworthy information not only among themselves, but also directly to users or infrastructure providers. Creating trust among different devices is a significant challenge, considering the large scale of devices. The devices themselves are susceptible to physical attacks and manipulations and the software used to connect them is enormously difficult to secure. Implementing a PKI could provide connected devices with a public and private key allowing information to be transferred within the Internet of Things with a significantly lower chance of manipulation. However, PKI has not been used on such a large scale before and would have to undergo several modifications adjusting it to the needs of the Internet of Things. 

German legislation has already considered the scope of application of PKI within the Internet of Things: The German Meter Operation Act (section 52, paragraph 4 Messstellenbetriebsgesetz, MsbG) already mentions the use of a PKI in connection with smart meters in order to authenticate and encrypt any communication between smart meters and gateways and systems of the respective providers, and thus also to secure the exchange of users’ personal data. This means that every meter and every gateway has to be integrated into the PKI. Although this use of PKI within the Internet of Things cannot be called a success story since this scope of application is not widespread, the experience gained can be used and taken to a broader scope of application.  

A case in point: Security specification for smart power meters

In the energy sector in Germany, significantly stricter specifications need to be fulfilled by CAs in connection with smart meters, since the CA of this sector is the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI). When considering using PKI to identify and encrypt things within the Internet of Things, one needs to first discuss whether device manufacturers might act as CAs, and implement other manufacturers as trustworthy CAs within the devices, in order to enable the connected devices to check whether the respective connected device has a certificate of another manufacturer classified as a trustworthy CA. Whether a manufacturer can be classified as trustworthy, and its certificate as accepted, is subject to pre-defined criteria. Thus, a detailed list of criteria needs to be compiled, comparable to the technical guidelines of the German Federal Office for Information Security. With this list, it is possible to check whether and to what extent the devices of a manufacturer with their installed software can be classified as secure. 

Klaus Brisch, LL.M. is a certified specialist lawyer for information technology law in Germany. He consults complex IT projects in the areas of transactions, compliance, IT security, data protection, and data security, advises companies in the entire field of internet law and electronic commerce as well as on hardware and software contracts. He also focuses on eGovernment.

Marco Müller-ter Jung, LL.M. is also a certified specialist lawyer for information technology law in Germany. His consulting practice lies in the areas of information technology law, intellectual property rights and copyright law. He advises in the entire field of internet law, e-commerce law (e.g. e-business, contract law, law of general terms and conditions, consumer protection, data protection and privacy, etc.) and IT contract law.

Klaus Brisch and Marco Müller-ter Jung are focused on the legal issues and requirements related to future technologies like industrial-internet, additive manufacturing, connected devices and cars, big data, wearables to name but a few.