Zero Touch Provisioning


Identity and access management (commonly known as “IAM”) is a difficult task for any secure network. Distributing access credentials, assigning identities and roles, scoping permissions: these issues become exponentially more complex with the numerous, dispersed, independent assets typical of IoT.

  • With so many devices, manual identity assignment and credential management (as is common with human-centric VPNs or typical insecure IoT architectures) simply isn’t feasible.
  • IoT devices must leave the factory ready to ship, so a device’s identity must be provisioned autonomously in the field, without need for further high-touch configuration.
  • Complex supply chains mean access credentials may pass through many untrusted hands before getting used in the field.

Hardware-based Zero-touch Provisioning

To address these concerns, Xaptum provides secure-hardware-based credential management coupled with in-field identity provisioning.

  • Devices are added to an ENF network in cryptographically-bound groups, not individually, allowing IAM to scale easily.
  • Credentials are generated at the beginning of the manufacturing process and stored in secure hardware, so counterfeiting and spoofing are eliminated.
  • Each device has a unique credential, enabling fine-grained tracking and blacklisting.
  • Devices are assigned identities autonomously, with no need for high-touch configuration.
  • Identity management, like credential management, is done in groups rather than individually.

* Note that this hardware-secured credential and in-field identity management is available in addition to a traditional PKI-style option. For machines in data centers or clouds or just individual PCs, individual management of keys and certificates is appropriate, so Xaptum supports that flow as well and can integrate with a customer’s existing PKI setup.

How It Works

Before Manufacture:

Prior to device manufacture, secure hardware microprocessors (TPM 2.0 chips) are provisioned with unique credentials. This process can be performed in Xaptum’s own secure facilities, or handled by the customer.

  • In the secure facility, an operator creates a group or batch identified by a group public key.
  • Each device in the batch creates its own public/private key pair in its TPM.
    • This key is specific to that TPM and never leaves the chip.
  • The operator generates a cryptographic credential on each device, allowing it to prove membership in the batch.
  • The operator attaches a QR code containing the group public key (GPK) to the packaging containing the devices.
  • The TPMs are then shipped to the ODM and installed during standard PCB assembly.

At this point, the credentials generated are not yet able to access any ENF network.

Before First Use:

The customer follows the same steps whether activating a single device or thousands of devices on a network.

  • The customer receives a batch of devices.
    • This can be directly from Xaptum or via many hops in the supply chain.
  • The customer uses the Xaptum management interface to associate the group public key of the batch (via the QR code on the packaging) with one of the customer’s ENF networks.
    • Only after this point will the credentials in the TPMs be able to access the ENF.
  • The device turns on for the first time, and receives an identity (IPv6 address) in the customer’s ENF network.
    • This is done by performing a secure handshake with the ENF, to prove membership in the batch.

In this way, the customer need only scan a QR code and log in to the Xaptum management interface to enable an entire batch of devices to connect to the ENF and have identities assigned. To audit this process, the customer is also able to track the status of the individual credentials and monitor the geolocation metadata of the identity provisioning handshakes.

After First Use:

The provisioning handshake need only be run once. The identity assigned to the device stays assigned to it for its lifetime.

XTT: Trusted Transit

XTT is a protocol for scalable identity and credential provisioning, rooted in the trusted computing capabilities of the TPM 2.0 standard. This is the protocol mentioned above for a device to securely access the ENF to obtain an identity.

The draft specification for this cryptographic protocol can be found here.

Xaptum’s open-source implementation of this protocol is also available on github.

Didn't find what you were looking for?

Contact us and we’ll get back to you as soon as possible.

Contact Us