Security: Authentication or Encryption - What Matters?
There is a fairly common misconception about security (in IoT systems) that it is all about encryption. Security is about protecting secrets, right? Not quite... In most systems what really matters is authentication.

I am a door lock. You are sending me an "Open" command. Does it have to be encrypted? Not really. Encrypting it would be like trying, in the analog world, to hide the fact that you are opening the door. Even if the "unlock" command can be heard by my neighbors... so what?

The key part is authentication. I, as a lock, have to trust that the command is legitimate and that it comes from a legitimate authority. I have to be able to cryptographically verify that nobody altered the command, and who its originator is. If it is a verified command coming from a verified trusted source, I accept it and open. It does not matter that the neighbors around can hear it. They also see me standing at my door, so it is rather obvious that I am commanding the door lock to open. I don't need to hid...
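The lock's check described above, as an added example that is not code from the original post: the "Open" command travels in the clear and the lock accepts it only if an authentication tag proves it is unaltered and comes from the key holder. HMAC-SHA256 with a shared key is an assumed choice, and the `command|counter|tag` layout, `sign_command`, `DoorLock` and the demo key are hypothetical. The counter check goes one step beyond the text: because anyone nearby can record a plaintext command, the lock must also reject a recorded copy.

```python
import hashlib
import hmac

# Constructed demo key; a real lock would hold a provisioned per-device secret.
SHARED_KEY = b"demo-key-constructed-for-this-example"


def sign_command(key: bytes, command: str, counter: int) -> bytes:
    """Controller side: plaintext body plus an HMAC-SHA256 tag (no encryption)."""
    body = f"{command}|{counter}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class DoorLock:
    """Lock side: accepts a command only if it is authentic and fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0  # highest counter accepted so far
        self.is_open = False

    def handle(self, message: bytes) -> str:
        try:
            body, tag = message.rsplit(b"|", 1)
            command, counter_text = body.decode().split("|")
            counter = int(counter_text)
        except ValueError:
            return "rejected: malformed"
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        # The message is sent in the clear, so anyone nearby can record it;
        # a strictly increasing counter makes a recorded copy useless.
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter
        if command == "Open":
            self.is_open = True
            return "accepted: Open"
        return "rejected: unknown command"
```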