Two startups aiming to secure the IoT

If you’re an IoT security company, I’m pretty sure you only have to place your pitch deck somewhere in the general vicinity of venture investors to get a meeting these days. It’s a hot topic, but also a complicated one. It’s sometimes hard to tell how companies plan to secure the IoT. Especially given that IoT encompasses a lot of different realms.

But I’m currently intrigued by two startups, each with a similar approach to security — yet very different ways of executing on that approach. The first one, Crypto Quantique, raised $8 million last week, so I’m now finally able to share the details of a technical conversation about its chips that I had a year ago with CEO Shahram Mossayebi. The other startup, Ockam, has recently launched.

Both are taking a hardware and cloud-based approach to securing connected devices at the device level.

The hardware-plus-cloud approach involves some type of secure element on the device silicon. Usually some form of secure key sits on or is generated by the device, and is then compared against a secure key in the cloud. This tactic is becoming the de facto standard method for securing devices; even Microsoft has built a hardware-plus-cloud security offering with Azure Sphere. ARM’s Platform Security Architecture has similar parameters.

So how do these two firms tackle the device security problem? Their differences lie in the details. Let’s start with Crypto Quantique, which builds its device security into the silicon itself. Instead of storing a digital key in a secure enclave, it literally manufactures a physical key in the chip by using quantum tunneling.

Quantum tunneling sounds very exciting, but it’s also easy to grasp. During manufacturing, where a foundry layers on several different types of materials to create a finished chip, the Crypto Quantique manufacturing process calls for a thin layer of crystals to be added. That layer of crystals then gets etched down into a random pattern unique to each chip. The way that electrons move through the crystalline structure is unique to every chip and becomes the secure key that will be used to identify the device.

That key affiliated with the specific chip is also stored in a secure cloud. The result is a product that secures the chip, and can handle the identification of that chip at low power (less than a microamp). It’s relevant to note here, that power consumption can be a problem for on-device security. Encryption, which is how most device security is handled, can consume a lot of power. That’s why there are several companies offering low-power encryption for IoT sevices and why Crypto Quantique’s ability to deliver a unique key without consuming a lot of power is worth pointing out.

Crypto Quantique launched this week with plans to sell the chip along with a crypto API that calls to the cloud. There is a one-time cost per device and a small annual recurring cost for maintenance and support of the relevant APIs. Thales, a defense and security company, is a customer.

For a slightly less complicated approach from the manufacturing perspective, we have Ockam. It was created by Matthew Gregory, an early employee at platform-as-a-service provider Heroku. Gregory’s vision is to build a platform-as-a-service for device security based on a standard called Decentralized Identity (DID), which is governed by the Decentralized Identity Foundation.

The idea behind DID is to create an immutable, unique identity for each device. This makes a ton of sense. You can’t secure something that you can’t match with an identity. Gregory describes the Ockam platform as Public Key Encryption (PKI) meets DNS. Both PKI and DNS rely on certificate authorities to certify that a device or URL is what it says it is. In his analogy, instead of requiring a certificate authority, the device itself will generate its ID and register itself on a blockchain (see the diagram above).

The company that owns the device can then make the identity data public on Ockam’s network or keep it private in a shared cloud or a dedicated cloud environment. The identity is stored on the device’s secure enclave. The chip-side product is called Ockam Vault; device makers get a software development kit to ensure the placement of the DID on a piece of hardware. Ockam already works on ARM-based chips and has a plan to enable companies to sell boards with the Ockam Vault software already on it.

If a company is using a certified device, programmers will only need one line of code to generate secure keys. From there, the software can identify the certified devices and apply rules accordingly. Ockam plans to charge based on the number of devices registered using Ockam Vault. It could also charge for the cloud-based storage of the keys, and could later charge for maintaining and supporting companies that have private networks.

The company is working with the iPhone’s CryptoKit and the Android’s cryptographic service, and with Microsoft to layer Ockam Vault on top of Azure Sphere. Ockam’s Vault software can sit on top of those services and soon it will open-source a version of the Vault software to make it accessible to others.

Ockam’s product will go beyond device security, although identity is an essential aspect of security. The end goal is a way to ensure that each device has appropriate permissions, can communicate only with devices it has permission to speak to, and that data coming from each device can be trusted. Gregory’s experience in building technology stacks associated with prior technology generations is informing his approach with Ockam. He hopes it becomes the layer associated with device trust and identity for the IoT tech stack.

So far, we have no idea what that tech stack looks like. I am constantly searching for it, and I’m not even sure that model is the right one for the current stage of IoT development, but I welcome the ideas Gregory has around identity and security.

Both Ockam and Crypto Quantique are solving real problems in very different ways.

Update: This story was corrected on Oct. 7, 2019 to reflect the fact that Ockam will not sell boards, but it will make Vault available on a variety of boards sold by other companies.