The Internet of Things (IoT) will never be fully secure — nothing ever is. But an IoT security specialist at ARM outlined the road ahead in the wake of the company's acquisition of Offspark, a provider of one key piece of the puzzle.

Offspark’s PolarSSL is an implementation of Transport Layer Security (TLS), one of the most popular device-to-service security standards. TLS is widely used to secure everything from emails to Google searches.

ARM would not give financial details of the transaction to buy Offspark, but in an interview with EE Times, Zach Shelby, a director in ARM’s IoT group did provide perspective on its TLS technology and ARM’s intentions in IoT security going forward. The interview shines a light on what ARM believes should be a basic level of IoT security --available essentially free with its cores -- and suggests levels of value-added security others could build on top of it.

Tens of companies provide implementations of TLS, a mainstream standard from the Internet Engineering Task Force for creating secure connections. ARM chose the PolarSSL version from Offspark because it is well vetted and suitable for microcontroller-based systems.

PolarSSL is modular and can work with a wide variety of encryption techniques ranging from AES-128, which is popular in embedded systems, to RSA cyphers more often used on microprocessor-based systems. It also supports a version based on the UDP protocol required by the CoAP protocol used in some IoT implementations.

Overall, PC implementations of TLS might require megabytes of code, but the PolarSSL version should be closer to tens of kilobytes of code.

"We wanted something trusted by the open source community and ready to be used…and we wanted a modular library so you can choose the pieces you want," Shelby said. “We also like the simplicity and quality of the code, and it’s been well tested by governments and corporations,” he added, noting that PolarSSL has been available for about five years.

Today PolarSSL uses a GPL license, which means any software that uses it also has to become open source. ARM will fold the code into its mbed OS and make that available based on an Apache 2.0 license, which does not require mbed users to make their code open source.

"Companies can't use GPL [for their internal products], and we don't think that's reasonable for IoT," Shelby said. "All devices need security, and they shouldn't have to pay extra for it," he said.

This article is from our partners at EET Asia. To read the full article, please click here.

See a comparison table of selected Android-based TV set-top box suppliers on GlobalSources.com