At the recent KNOW 2019 event, an event focused on issues around all things having to do with digital identity, we were honored that Kristin Clark, Intertrust Technologies’ Vice President of Security Operations, was invited to speak as well as our CTO Dave Maher. Clark was one of three panelists chosen to speak on the subject of “Smart Cities. Smart Solutions.” Other panelists included John Wittrock, Senior Software Engineer at Sidewalk Labs and Salvatore D’Agostino, CEO of IDmachines.
Based on her experience as one of the driving forces behind Seacert, Intertrust’s Managed Public Key Infrastructure (PKI) service, Clark discussed the role that “robust identities” can play in devices that are parts of a smart city ecosystem. She explained that robust identities are cryptographic identities capable of securely supporting the multiple events in a device lifecycle that require trust. “Often device implementations only think to give a device a single key or key pair. They don’t realize that including additional credentials can expand the capabilities of the device over time,” (Clark).
Clark focused on the seemingly inconsequential street light as an example of how robust identities could benefit smart city devices. In San Francisco, the Public Utilities Commission has proposed placing cameras on street lights to quickly and inexpensively detect burned out bulbs in surrounding street lights. While this is one role for a camera, Clark noted that the camera’s software could be updated to allow it to add additional roles. For example, “you could give it a software update to connect to a parking app to show where empty parking spaces are,” (Clark). Video from cameras could also be used by other city departments such as law enforcement and traffic planning. Robust identities for each camera could also include the specifications needed to be trusted in any new role (e.g. high definition versus low definition, software version(s), applicable standards when manufactured, etc.). This simplifies the task of identifying which cameras can be assigned a new role.
Another role robust identities could perform for smart city cameras is to enforce security policies for the camera. For example, a camera’s software may not have been upgraded with a needed security bug fix and “you need to shun it and not allow it to participate in the ecosystem until it’s been upgraded,” (Clark). PKI-enforced security policies can also help ensure privacy and security. One way is to use them to limit who can receive information from the camera and ensure all data is encrypted both at rest and in-transit. They can also make sure that software updates will only be accepted from authorized parties.
Clark pointed out that commonly used X.509 certificates can be extended with standard or custom policies to support robust identities. Using symmetric and asymmetric cryptographic keys in identities also allow management of their security status. These and other currently available technologies (e.g. key derivatives, hashes, and digitally signed configuration and assertion files) can form robust identities to give smart cities the smart devices they need.