Worked example: For a 15-question quiz, target correct answers are \(\lceil 0.8 \times 15 \rceil = 12\). If a learner moves from 8/15 to 12/15, score rises from 53.3% to 80%, crossing mastery with four additional correct answers.
```js
viewof quizQuestions = Inputs.range([5, 50], {value: 15, step: 1, label: "Number of quiz questions"})

masteryTarget = Math.ceil(0.8 * quizQuestions)

masteryPercent = ((masteryTarget / quizQuestions) * 100).toFixed(1)

html`<div style="background: #f0f7f4; border-left: 4px solid #16A085; padding: 12px 16px; border-radius: 4px; margin: 8px 0;"><strong>Mastery Calculator:</strong> For a <strong>${quizQuestions}-question</strong> quiz, the 80% mastery target is <strong>${masteryTarget} correct answers</strong> (${masteryPercent}%).</div>`
```
Learning Objectives
After completing this module, you will be able to:
Compare symmetric (AES) and asymmetric (RSA, ECC) encryption approaches and select the appropriate type for IoT use cases
Design multi-layer encryption architectures (E1-E5) based on threat models and device constraints
Evaluate encryption trade-offs for resource-constrained IoT devices including performance, power, and key management
Apply encryption concepts to real-world scenarios including medical IoT, smart grids, and OTA firmware updates
In 60 Seconds
This chapter combines hands-on encryption labs with a comprehensive quiz to consolidate understanding of IoT cryptographic principles, implementation techniques, and architectural patterns.
For Beginners: Encryption: Labs, Quiz, and Review
This hands-on chapter lets you practice cryptographic techniques for IoT security. Think of it as a locksmith training course – you learn to work with encryption tools, set up secure channels, and test your implementations in a safe environment before applying them to real systems.
23.1 Overview
This comprehensive module covers practical encryption implementation for IoT systems. The content has been organized into four focused chapters to support effective learning:
Figure 23.1: This module is structured as a learning progression: start with fundamentals, understand the architecture, work through scenarios, then test your knowledge.
AES-GCM: Authenticated encryption mode combining AES cipher with Galois/Counter authentication — the recommended mode for symmetric IoT encryption.
ECDH Key Exchange: Elliptic Curve Diffie-Hellman — establishes a shared session key between two parties using their respective ECC key pairs.
TLS Handshake: The negotiation sequence establishing a TLS session, including authentication, cipher suite selection, and key derivation.
Hash-then-Sign: A digital signature pattern where the message is hashed first, then the hash is signed with the private key — required because asymmetric operations only process small inputs.
Key Derivation: Using a KDF (HKDF, PBKDF2) to derive multiple keys from a single master secret, ensuring each key is used for only one purpose.
23.5 Knowledge Check
Quiz: Encryption: Labs, Quiz, and Review
Worked Example: Comparing Energy Cost of Encryption Algorithms
Scenario: Design encryption for a solar-powered environmental sensor with strict energy budget.
Device Specs:
MCU: ARM Cortex-M0+ @ 48 MHz (no hardware crypto)
Solar: 50 mW average
Battery: 100 mAh
Data: 32 bytes every 10 minutes
Energy Budget: 50 mW x 600 s = 30 J per 10 minutes
Must allocate: MCU (20 J), radio (8 J), sensors (1 J), crypto (?? J)
Available for crypto: 1 J per message
Algorithm Analysis:
| Algorithm | Time (ms) | Current (mA) | Voltage (V) | Energy (mJ) | Within Budget? |
|---|---|---|---|---|---|
| AES-128 (software) | 5 | 15 | 3.3 | 0.248 | Yes (25%) |
| AES-256 (software) | 7 | 15 | 3.3 | 0.347 | Yes (35%) |
| ChaCha20 | 3 | 12 | 3.3 | 0.119 | Yes (12%) |
| RSA-2048 sign | 200 | 30 | 3.3 | 19.8 | NO (1980%) |
| Ed25519 sign | 8 | 15 | 3.3 | 0.396 | Yes (40%) |
Decision: Use ChaCha20 for encryption + Ed25519 for authentication (every 10th message).
Public data: No encryption, just integrity check (HMAC or checksum)
Saves energy for useful functions
Focus security on private data (API keys, device identity)
Rule: Match security strength to data sensitivity.
Concept Relationships
| Concept | Builds On | Enables | Related To |
|---|---|---|---|
| Symmetric vs Asymmetric | Basic encryption principles | Hybrid encryption design | TLS handshakes, key exchange |
| E1-E5 Architecture | Defense-in-depth security | Multi-layer IoT protection | Network security, gateway trust |
| Key Management | Cryptographic keys | Secure provisioning, rotation | HSMs, certificate lifecycle |
| Authenticated Encryption | Confidentiality + integrity | AES-GCM, prevent tampering | AEAD modes, MAC |
| Forward Secrecy | Ephemeral keys | Past session protection | ECDHE, TLS 1.3 |
Key Dependencies: Understanding symmetric vs asymmetric fundamentals is prerequisite to multi-layer architecture. E1-E5 layers each address different threat models and trust boundaries. Key management underpins all encryption – even perfect algorithms fail with poor key handling.
Common Pitfalls
1. Skipping Authenticated Encryption
Mistake: Using AES-CBC for confidentiality without adding a separate MAC for integrity.
Why it happens: Labs often demonstrate encryption steps individually.
Fix: Always use AES-GCM or ChaCha20-Poly1305 in production — these provide confidentiality and authentication in a single, efficient operation.
2. Forgetting to Test with Real Constrained Hardware
Mistake: Benchmarking encryption only on development PCs and assuming IoT performance scales linearly.
Why it happens: Testing on actual hardware is slower and more complex.
Fix: Always profile AES and ECC operations on the target MCU (e.g., STM32, ESP32) at target clock speed and voltage before finalizing algorithm selection.
3. Mixing Up Lab Exercises with Production Configurations
Mistake: Using lab-generated certificates (self-signed, 512-bit keys) in production firmware.
Why it happens: Lab defaults prioritize speed over security.
Fix: Maintain separate key stores and certificate chains for lab, staging, and production; automate the distinction with environment variables or build flags.