Identity and access management (commonly known as “IAM”) is a
difficult task for any secure network. Distributing access
credentials, assigning identities and roles, scoping permissions:
these issues become exponentially more complex with the numerous,
dispersed, independent assets typical of IoT.
- With so many devices, manual identity assignment and credential
management (as is common with human-centric VPNs or typical insecure
IoT architectures) simply isn’t feasible.
- IoT devices must leave the factory ready to ship, so a device’s
identity must be provisioned autonomously in the field, without need
for further high-touch configuration.
- Complex supply chains mean access credentials may pass through many
untrusted hands before getting used in the field.
Hardware-based Zero-touch Provisioning
To address these concerns, Xaptum provides secure-hardware-based
credential management coupled with in-field identity provisioning.
- Devices are added to an ENF network in cryptographically-bound
groups, not individually, allowing IAM to scale easily.
- Credentials are generated at the beginning of the manufacturing
process and stored in secure hardware, so counterfeiting and
spoofing are eliminated.
- Each device has a unique credential, enabling fine-grained tracking.
- Devices are assigned identities autonomously, with no need for
- Identity management, like credential management, is done in groups
rather than individually.
* Note that this hardware-secured credential and in-field identity
management is available in addition to a traditional PKI-style
option. For machines in data centers or clouds or just individual
PCs, individual management of keys and certificates is appropriate, so
Xaptum supports that flow as well and can integrate with a customer’s
existing PKI setup.
How It Works
Prior to device manufacture, secure hardware microprocessors (TPM 2.0
chips) are provisioned with unique credentials. This process can be
performed in Xaptum’s own secure facilities, or handled by the
- In the secure facility, an operator creates a group or batch
identified by a group public key.
- Each device in the batch creates its own public/private key pair in
  - This key is specific to that TPM and never leaves the chip.
- The operator generates a cryptographic credential on each device,
allowing it to prove membership in the batch.
- The operator attaches a QR code containing the group public key (GPK) to
the packaging containing the devices.
- The TPMs are then shipped to the ODM and installed during standard PCB
At this point, the credentials generated are not yet able to access
any ENF network.
Before First Use:
The customer follows the same steps whether activating a single device
or thousands of devices on a network.
- The customer receives a batch of devices.
  - This can be directly from Xaptum or via many hops in the supply
- The customer uses the Xaptum management interface to associate the
group public key of the batch (via the QR code on the packaging)
with one of the customer’s ENF networks.
  - Only after this point will the credentials in the TPMs be able to
  access the ENF.
- The device turns on for the first time, and receives an identity
(IPv6 address) in the customer’s ENF network.
  - This is done by performing a secure handshake with the ENF, to
  prove membership in the batch.
In this way, the customer need only scan a QR code and log in to the
Xaptum management interface to enable an entire batch of devices to
connect to the ENF and have identities assigned. To audit this
process, the customer is also able to track the status of the
individual credentials and monitor the geolocation metadata of the
identity provisioning handshakes.
After First Use:
The provisioning handshake need only be run once. The identity
assigned to the device stays assigned to it for its lifetime.
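The batch enrolment, GPK association and first-use handshake described under "How It Works", together with the once-only identity assignment noted above, as an added Go model that is not Xaptum's XTT implementation. It assumes a plain Ed25519 issuer signature in place of the ECDAA group credential, the names ENF, Enroll, Associate, Provision and Handshake, constructed IPv6 prefixes, and a `sign` callback standing in for the TPM signing operation so the private key never leaves the device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device: per-device key pair (TPM-resident in the real design) plus its batch
// credential, here the issuer's Ed25519 signature over the device public key.
type Device struct {
	GPK, Pub   ed25519.PublicKey
	priv       ed25519.PrivateKey
	Credential []byte
}
// Enroll is the secure-facility step for one device of the batch keyed by issuer.
func Enroll(issuer ed25519.PrivateKey) *Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	return &Device{issuer.Public().(ed25519.PublicKey), pub, priv, ed25519.Sign(issuer, pub)}
}
// ENF: GPK -> associated IPv6 prefix (constructed values); device pub -> identity.
type ENF struct{ networks, identities map[string]string }
func NewENF() *ENF { return &ENF{map[string]string{}, map[string]string{}} }
// Associate is the "scan the QR code" step; until it runs the batch cannot connect.
func (e *ENF) Associate(gpk ed25519.PublicKey, prefix string) { e.networks[string(gpk)] = prefix }

// Provision is the ENF side of the first-use handshake. sign stands in for the
// TPM signing operation, so the device private key never leaves the device.
func (e *ENF) Provision(gpk, pub ed25519.PublicKey, cred []byte, sign func([]byte) []byte) (string, error) {
	prefix, ok := e.networks[string(gpk)]
	nonce := make([]byte, 32) // fresh challenge: proves key possession, defeats replay
	rand.Read(nonce)
	switch {
	case !ok:
		return "", errors.New("batch not associated with any ENF network")
	case !ed25519.Verify(gpk, pub, cred):
		return "", errors.New("credential does not prove membership in this batch")
	case !ed25519.Verify(pub, nonce, sign(nonce)):
		return "", errors.New("device did not prove possession of its key")
	}
	if id, seen := e.identities[string(pub)]; seen {
		return id, nil // handshake runs once; the identity stays for the device's lifetime
	}
	id := fmt.Sprintf("%s::%x", prefix, len(e.identities)+1)
	e.identities[string(pub)] = id
	return id, nil
}
// Handshake is the device side: present GPK, public key and credential, sign the challenge.
func (d *Device) Handshake(e *ENF) (string, error) {
	return e.Provision(d.GPK, d.Pub, d.Credential, func(m []byte) []byte { return ed25519.Sign(d.priv, m) })
}
```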
XTT: Trusted Transit
XTT is a protocol for scalable identity and credential provisioning,
rooted in the trusted computing capabilities of the TPM 2.0 standard.
This is the protocol mentioned above for a device to securely access
the ENF to obtain an identity.
The draft specification for this cryptographic protocol can be found
Xaptum’s open-source implementation of this protocol is also available