Security: Authentication or Encryption - What Matters?
There is a fairly common misconception about security (in IoT systems) that it is all about encryption. Security is about protecting secrets, right?
Not quite... In most systems what really matters is authentication.
I am a door lock. You are sending me an "Open" command. Does it have to be encrypted? Not really. In the analog world you do not hide the fact that you are opening the door either. Even if the "unlock" command can be heard by my neighbors... so what?
The key part is authentication.
I, as a lock, have to trust that the command is legitimate and that it comes from a legitimate authority. I have to be able to cryptographically verify that nobody altered the command and who its originator is. If it is a verified command coming from a verified trusted source, I accept it and open. It does not matter that the neighbors can hear it. They also see me standing at my door, so it is rather obvious I am commanding the door lock to open. I don't need to hide that fact.
That holds, of course, only as long as the system is protected against replay attacks: if they hear the command, record it and replay it later, it won't work.
The same goes for many sensors, like a temperature sensor. It does not make sense to encrypt temperature data. It is public information. Anybody can bring their own thermometer and measure it. But it does make a lot of sense to authenticate the data, so the subscriber can be sure it is reported by a trusted sensor in a known location.
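The door lock check described above, as an added example that is not code from the original post: the command travels in plaintext, and the lock verifies integrity, origin and freshness before acting. It assumes a shared HMAC-SHA256 key and a strictly increasing counter for replay protection; the key, the sender name "owner-phone" and the message layout are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real lock holds a provisioned per-device secret.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def sign_command(key: bytes, sender: str, action: str, counter: int) -> dict:
    """Controller side: build a plaintext command and attach an HMAC tag."""
    body = {"sender": sender, "action": action, "counter": counter}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


class Lock:
    """Lock side: accept a command only if it is authentic and fresh."""

    def __init__(self, key: bytes, trusted_sender: str):
        self.key = key
        self.trusted_sender = trusted_sender
        self.last_counter = 0  # highest counter accepted so far
        self.is_open = False

    def handle(self, message: dict) -> str:
        payload = message["payload"].encode()
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        # Constant-time comparison; a valid tag proves integrity and origin.
        if not hmac.compare_digest(expected.encode(), message["tag"].encode()):
            return "rejected: bad tag"
        body = json.loads(payload)
        if body["sender"] != self.trusted_sender:
            return "rejected: unknown sender"
        # Replay protection: a recorded message carries an already used counter.
        if body["counter"] <= self.last_counter:
            return "rejected: replay"
        self.last_counter = body["counter"]
        if body["action"] == "open":
            self.is_open = True
        return "accepted"
```

The payload stays readable to anyone listening, yet an altered, forged or recorded copy is rejected by the lock.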