Zero Touch Provisioning

Identity and access management (commonly known as “IAM”) is a difficult task for any secure network. Distributing access credentials, assigning identities and roles, and scoping permissions all become far more complex as the number of dispersed, independent edge assets grows:

  • With so many devices, manual identity assignment and credential management (as is common with human-centric VPNs or typical insecure IoT architectures) simply isn’t feasible.
  • Edge devices must leave the factory ready to ship, so a device’s identity must be provisioned autonomously in the field, without the need for further high-touch configuration.
  • Complex supply chains mean access credentials may pass through many untrusted hands before getting used in the field.

Hardware-based Zero-touch Provisioning

To address these concerns, Xaptum provides secure hardware-based credential management coupled with in-field identity provisioning:

  • Devices are provisioned in batches of various sizes depending on individual need. These groups can be managed as a block.
  • Devices are added to an ENF network in these cryptographically-bound groups, not individually, allowing IAM to scale easily.
  • Credentials are generated at the beginning of the manufacturing process and stored in secure hardware, so counterfeiting and spoofing are eliminated.
  • Each device has a unique credential, enabling fine-grained tracking and blacklisting.
  • Devices are assigned identities autonomously, with no need for high-touch configuration.
  • Identity management, like credential management, is done in groups rather than individually.

Such hardware-secured credential and in-field identity management is available in addition to a traditional PKI-style option. For machines in data centers or clouds or just individual PCs, individual management of keys and certificates is appropriate, so Xaptum supports that flow as well and can integrate with a customer’s existing PKI setup.

Trusted Platform Module (TPM)

TPM is an international standard for a secure cryptoprocessor: a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. The chip contains unique, secure credentials, and its security functions (illustrated below) primarily enable the authentication of what would otherwise be an untrusted device.

TPM Security Functions

Xaptum recommends the TPM approach for devices connecting to the ENF. The edge device may be designed and manufactured with an onboard TPM chip, or it may use an expansion card, such as an access card or router card, that contains a TPM chip.

How It Works

Before Manufacture

Prior to device manufacturing, secure hardware microprocessors (TPM 2.0 chips) are provisioned with unique credentials. This process can be performed in Xaptum’s secure facilities in any group size required, or handled directly by the customer:

  • In the secure facility, an operator creates a group or batch identified by a group public key.
  • Each device in the batch creates its own public/private key pair in its TPM.
    • This key is specific to that TPM and never leaves the chip.
  • The operator generates a cryptographic credential on each device, allowing it to prove membership in the batch.
  • The operator attaches a QR code containing the group public key (GPK) to the packaging containing the devices.
  • The TPMs are then shipped to the ODM and installed during standard PCB assembly.

The credentials thus generated are not yet accessible to the ENF.

Before First Use

The customer follows the same steps whether activating a single device or thousands of devices on a network:

  • The customer receives a batch of devices.
    • This can be directly from Xaptum or via many hops in the supply chain.
  • The customer uses the Xaptum management interface to associate the group public key of the batch (via the QR code on the packaging) with one of the customer’s ENF networks.
    • Only after this point will the credentials in the TPMs be able to access the ENF.
  • The device turns on for the first time and receives an identity (IPv6 address) in the customer’s ENF network.
    • This is done by performing a secure handshake with the ENF, to prove membership in the batch.

This way, the customer need only scan a QR code and log in to the Xaptum management interface to let an entire batch of devices connect to the ENF and receive identities. For auditing, the customer can also track the status of individual credentials and monitor the geolocation metadata of the identity-provisioning handshakes.

After First Use

The provisioning handshake need only be run once. The identity assigned to the device stays assigned to it for its lifetime.
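The full flow above (batch key, per-device credential, customer association, first-boot handshake, lifetime identity), as an added Go model that is not Xaptum's code and not the XTT protocol itself: the batch key's public half plays the GPK, a plain ECDSA signature over the device's public key stands in for the page's cryptographic membership credential, and the IPv6 identity is derived from the network prefix plus a digest of the device key, a constructed scheme rather than the ENF's actual allocation. The handshake refuses any device whose GPK the customer has not associated, and the device proves possession of its key with a fresh signature over an ENF nonce.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"net/netip"
)

// Device stands in for a TPM: a key that never leaves the chip, plus the credential issued over it.
type Device struct {
	Key        *ecdsa.PrivateKey
	Credential []byte
}
// ENF is the network side: GPKs the customer has associated, keyed by digest, each bound to a prefix.
type ENF map[string]netip.Prefix
// NewKey serves for both the batch key (its public half is the GPK) and each device key.
func NewKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
func digest(pk *ecdsa.PublicKey) []byte { d := sha256.Sum256(elliptic.Marshal(pk.Curve, pk.X, pk.Y)); return d[:] }
// Provision (before manufacture): the device creates its key; the operator signs it with the batch key.
func Provision(batch *ecdsa.PrivateKey) *Device {
	d := &Device{Key: NewKey()}
	d.Credential, _ = ecdsa.SignASN1(rand.Reader, batch, digest(&d.Key.PublicKey))
	return d
}
// Associate (before first use): the customer scans the QR code and binds that GPK to one network.
func (e ENF) Associate(gpk *ecdsa.PublicKey, network netip.Prefix) { e[string(digest(gpk))] = network }

// Handshake (first boot): the device presents GPK, public key and credential, then signs an ENF
// nonce to prove it holds the key. The address derives from prefix and key, so a repeat is stable.
func (e ENF) Handshake(gpk *ecdsa.PublicKey, d *Device) (netip.Addr, error) {
	prefix, ok := e[string(digest(gpk))]
	if !ok {
		return netip.Addr{}, errors.New("GPK not associated with any ENF network")
	}
	id := digest(&d.Key.PublicKey)
	if !ecdsa.VerifyASN1(gpk, id, d.Credential) {
		return netip.Addr{}, errors.New("credential was not issued by this batch")
	}
	nonce := make([]byte, 32)
	rand.Read(nonce)
	proof, _ := ecdsa.SignASN1(rand.Reader, d.Key, nonce) // the device's reply to the nonce
	if !ecdsa.VerifyASN1(&d.Key.PublicKey, nonce, proof) {
		return netip.Addr{}, errors.New("device could not prove possession of its key")
	}
	addr := prefix.Addr().As16()
	copy(addr[8:], id[:8]) // interface identifier from the device key (constructed scheme)
	return netip.AddrFrom16(addr), nil
}
```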

XTT: Trusted Transit

XTT is a protocol for scalable identity and credential provisioning, rooted in the trusted computing capabilities of the TPM 2.0 standard. It is the protocol devices use to securely access the ENF and obtain their identity.

The draft specification for this cryptographic protocol can be found here. Xaptum’s open-source implementation of this protocol is also available on GitHub.
