Identity and access management (IAM) is hard for any secure network.
Distributing access credentials, assigning identities and roles, and
scoping permissions all become much harder as the number of dispersed,
independent edge assets grows:
- With so many devices, manual identity assignment and credential
management (as is common with human-centric VPNs or typical insecure
IoT architectures) simply isn’t feasible.
- Edge devices must leave the factory ready to ship, so a device’s
identity must be provisioned autonomously in the field, without the
need for further high-touch configuration.
- Complex supply chains mean access credentials may pass through many
untrusted hands before getting used in the field.
Hardware-based Zero-touch Provisioning
To address these concerns, Xaptum provides secure hardware-based
credential management coupled with in-field identity provisioning:
- Devices are provisioned in batches, sized to the customer's need, and
each batch is managed as a single block.
- Devices are added to an ENF network in these cryptographically-bound
groups, not individually, allowing IAM to scale easily.
- Credentials are generated at the beginning of the manufacturing
process and stored in secure hardware, so they cannot be extracted and
copied to counterfeit or spoof a device.
- Each device has a unique credential, enabling fine-grained tracking
- Devices are assigned identities autonomously, with no need for
- Identity management, like credential management, is done in groups
rather than individually.
This hardware-secured credential and in-field identity management is
offered alongside a traditional PKI-style option. For machines in data
centers or clouds, or for individual PCs, per-machine management of keys
and certificates is the appropriate model, so Xaptum supports that flow
as well and can integrate with a customer's existing PKI.
Trusted Platform Module (TPM)
The Trusted Platform Module is an international standard (ISO/IEC 11889)
for a secure cryptoprocessor: a dedicated microcontroller that holds
cryptographic keys in hardware and performs operations with them without
exposing them. The chip carries unique credentials that never leave it, and
its security functions (illustrated below) are what allow an otherwise
untrusted device to authenticate itself.
TPM Security Functions
Xaptum recommends the TPM approach for devices connecting to the ENF. The edge
device may be designed and manufactured with an onboard TPM chip, or it may use
an expansion card, such as an access card or router card, that carries a TPM chip.
How It Works
Prior to device manufacturing, secure hardware microprocessors (TPM 2.0
chips) are provisioned with unique credentials. This process can be
performed in Xaptum’s secure facilities in any group size required,
or handled directly by the customer:
- In the secure facility, an operator creates a group or batch
identified by a group public key.
- Each device in the batch creates its own public/private key pair in
- This key is specific to that TPM and never leaves the chip.
- The operator generates a cryptographic credential on each device,
allowing it to prove membership in the batch.
- The operator attaches a QR code containing the group public key (GPK) to
the packaging containing the devices.
- The TPMs are then shipped to the ODM and installed during standard PCB
The credentials thus generated are not yet accessible to the ENF.
Before First Use
The customer follows the same steps whether activating a single device
or thousands of devices on a network:
- The customer receives a batch of devices.
- This can be directly from Xaptum or via many hops in the supply
- The customer uses the Xaptum management interface to associate the
group public key of the batch (via the QR code on the packaging)
with one of the customer’s ENF networks.
- Only after this point will the credentials in the TPMs be able to
access the ENF.
- The device turns on for the first time and receives an identity
(IPv6 address) in the customer’s ENF network.
- This is done by performing a secure handshake with the ENF, to
prove membership in the batch.
This way, the customer need only scan a QR code and log in to the
Xaptum management interface to enable an entire batch of devices to
connect to the ENF and have identities assigned. To audit this
process, the customer is also able to track the status of the
individual credentials and monitor the geolocation metadata of the
identity provisioning handshakes.
After First Use
The provisioning handshake need only be run once. The identity
assigned to the device stays assigned to it for its lifetime.
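The procedure described above (in-facility batch provisioning, the customer's one-time association of a batch's group public key with a network, and a first-use handshake that proves batch membership and yields an identity the device keeps for life) as a runnable model in Go. This is an added example, not Xaptum's code and not the XTT protocol: the page does not describe how XTT's group credential is constructed, so the credential here is simply an Ed25519 signature by the batch issuer over the device's public key; the challenge nonce in the handshake is an assumption, and the Batch/Device/ENF names, the 2001:db8:1::/64 prefix and the sequential host numbering are invented for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"net/netip"
)

// Batch stands in for the secure-facility issuer of one group of TPMs. Only the
// group public key (GPK) leaves the facility, on the QR code; priv stays behind.
type Batch struct {
	GPK  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewBatch() (*Batch, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Batch{GPK: pub, priv: priv}, nil
}

// Device stands in for one TPM: its key pair is generated "inside the chip" and
// priv is never exported. Credential is the issuer's signature over pub (an
// assumed stand-in for the real scheme) and proves membership in the batch.
type Device struct {
	GPK, pub   ed25519.PublicKey
	priv       ed25519.PrivateKey
	Credential []byte
}

// Provision runs the in-facility steps for one device of the batch.
func (b *Batch) Provision() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{GPK: b.GPK, pub: pub, priv: priv, Credential: ed25519.Sign(b.priv, pub)}, nil
}

// HandshakeMsg is what the device sends on first power-up (assumed message shape).
type HandshakeMsg struct {
	GPK, DevicePub, Credential, Sig []byte
}

// Respond attaches the batch credential and signs the ENF's challenge.
func (d *Device) Respond(challenge []byte) HandshakeMsg {
	return HandshakeMsg{d.GPK, d.pub, d.Credential, ed25519.Sign(d.priv, challenge)}
}

type ENF struct {
	networks   map[string]netip.Prefix // activated batches: GPK -> network
	identities map[string]netip.Addr   // issued identities: device key -> address
	nextHost   map[string]uint64       // per-batch host counter (assumed allocation)
}

func NewENF() *ENF {
	return &ENF{map[string]netip.Prefix{}, map[string]netip.Addr{}, map[string]uint64{}}
}

// AssociateBatch is the "scan the QR code" step: one call activates a whole batch.
func (e *ENF) AssociateBatch(gpk ed25519.PublicKey, network netip.Prefix) {
	e.networks[hex.EncodeToString(gpk)] = network
}

// Challenge returns a fresh nonce so a recorded handshake cannot be replayed.
func (e *ENF) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks batch activation, membership and key possession, then returns
// the identity: a new address on the first handshake, the same one afterwards.
func (e *ENF) Verify(challenge []byte, m HandshakeMsg) (netip.Addr, error) {
	gk := hex.EncodeToString(m.GPK)
	network, ok := e.networks[gk]
	if !ok {
		return netip.Addr{}, errors.New("batch not associated with any ENF network")
	}
	if len(m.DevicePub) != ed25519.PublicKeySize || !ed25519.Verify(m.GPK, m.DevicePub, m.Credential) {
		return netip.Addr{}, errors.New("credential was not issued for this batch")
	}
	if !ed25519.Verify(m.DevicePub, challenge, m.Sig) {
		return netip.Addr{}, errors.New("device does not hold the credentialed key")
	}
	devKey := hex.EncodeToString(m.DevicePub)
	if addr, seen := e.identities[devKey]; seen {
		return addr, nil
	}
	e.nextHost[gk]++
	raw := network.Addr().As16()
	binary.BigEndian.PutUint64(raw[8:], e.nextHost[gk]) // host part of the /64
	addr := netip.AddrFrom16(raw)
	e.identities[devKey] = addr
	return addr, nil
}
```

Running the flow shows the properties the page describes: a device whose batch has not yet been associated is refused, a device from another batch or one that claims a batch it was not credentialed for is refused, a stale signature is refused, and a device that handshakes a second time gets back the same address it was first issued.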
XTT: Trusted Transit
XTT is a protocol for scalable identity and credential provisioning,
rooted in the trusted computing capabilities of the TPM 2.0 standard.
It is the protocol a device runs to authenticate securely to the ENF and
obtain its identity.
The draft specification for this cryptographic protocol can be found
Xaptum’s open-source implementation of this protocol is also available