Tweet
Share
Share

Outlining a Self-Sovereign Approach to Device Onboarding

Authors: Damian Glover, Richard Allain, Bruce Conrad, Michael Shea, Michele Nati 

Publication date: 19th July 2021

Introduction 

Cryptographic trust needs to be built into IoT device onboarding and across the device lifecycle to address serious security vulnerabilities. The purpose of this post is to propose an alternative, decentralised approach based on W3C standards decentralised identifiers (DIDs) & verifiable credentials (VCs). Let’s start by outlining some challenges with current device onboarding practices and key requirements for secure device onboarding as described in the NIST white paper Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management.

Challenges with consumer IoT device onboarding solutions 
  • Multiple devices typically use the same pre-shared key to connect to home wi-fi networks; with the same pre-shared key, the device can be easily attacked or information leaked.
  • The decision to grant network access has nothing to do with the individual device identity or device type, leaving a network open to malicious devices being able to join the network.
  • There is usually no way for a consumer device to verify it is connecting to the intended network; this can lead to misconfiguration and exposure to man-in-the-middle attacks.
Challenges with enterprise onboarding solutions 
  • To manually onboard each device with its own credentials is complex and resource intensive – this typically takes more than 20 minutes per device according to NIST, requiring coordination of installation technicians, IT/networking and operational technology staff, and creating a risk that credentials are disclosed to unauthorised parties. 
  • Most zero-touch / bulk onboarding processes today require the onboarding credentials of the network to be built into the device at point of manufacture, which is inefficient and expensive (requiring multiple parties, time, coordination, testing, training / preparation of unique instructions and many manual steps to install the solution).  

Key requirements for secure device onboarding 

The NIST white paper highlights two critical requirements to create a scalable and trusted device onboarding approach. 
  1. Each device needs to receive unique onboarding credentials at the time of deployment on the local network (rather than rely on credentials issued at the time of manufacture).
  2. Credentials should be provisioned to the device over an encrypted channel using a process that prevents anyone from eavesdropping during the creation of the credentials.

Introduction to Decentralised Identifiers (DIDs) and Verifiable Credentials (VCs)

DIDs and VCs are open standards being developed by the WC3 and Decentralized Identity Foundation (DIF). By design, they are under the direct control of the identified entity / credential holder.  DIDs & VCs are deployed in a growing range of applications. Prominent examples include Good Health Pass, Digital Green Certificates, GLEIF (the Global Legal Entity Identifier Foundation) and the NHS Digital Staff Passport (now in live production use).  In addition to these human-centric examples, use cases are emerging in the IoT world. Organisations experimenting with DIDs & VCs for IoT include GS1 (the global body that develops and maintains global standards around barcodes), the US Department of Homeland Security (which is trialling use of DIDs & VCs to track the movement of goods through cross-border supply chains), and the Austrian Power Grid (which has trialled use of DIDs & VCs to identify decentralised energy assets such as solar panels). GS1 and the US Department of Homeland Security continue in active development moving towards full production.

Rationale to use DIDs & VCs within IoT 
Granting devices access to a network based on attributes defined in a machine-readable credential would allow the elimination of pre-shared keys for consumer IoT and provide IT departments with greater control over enterprise device onboarding.  

Application of DIDs & VCs within IoT also opens up other interesting possibilities. What if IoT devices could be managed without the need for cloud-based systems and were permitted to share their resources and data directly with other devices? Such an approach could provide increased edge-computing capacity and potentially enable ultra-low latency applications.

DIDs & VCs could facilitate this scenario by enabling network admins to implement a distributed PKI (public key infrastructure) directly onto IoT devices. This also opens the way to self-onboarding devices. The more the volume of IoT devices grows, the more attractive such a capability becomes according to Geovane Fedrecheski, a researcher at the Department of Electronic Systems Engineering at the University of São Paulo. 

  A viable alternative for trusted device onboarding? 
DIDs & VCs offer a range of deployment options with differing security/convenience trade-offs. For example, DIDs can be pre-provisioned onto devices, or the device could generate its own bootstrapping credentials using a self-generated DID to join the network and download its full credentials. Devices that are capable of handling JSON can host their own DIDs and credentials while more constrained devices can leverage these capabilities via OAuth-based Delegation to an agent. JSON web tokens provide another option. DIDs and VCs also offer choices regarding level of encryption and could potentially support onboarding over constrained communication protocols such as LoRaWan (using small packet sizes). 

 This flexibility should make DIDs & VCs an interesting tool for IoT device and network designers. What’s more, using DIDs and VCs for IoT authorisation and authentication could offer several advantages over how X.509 certificates and PKIs are currently used.

We’ll now review four key characteristics that we believe make DIDs and VCs an attractive alternative to X.509 certificates in the design of secure device onboarding solutions.  

  1. High assurance identity. The combination of cryptographically verifiable DIDs and an immutable verifiable credentials registry provides a high assurance trust anchor.  A DID is resolved to a DID document, usually (though not always) stored on a Distributed Ledger. A DID provisioned during manufacture by the device OEM would point to the device manufacturer’s identifier, enabling an onboarding server to verify the authenticity of the device, establish a secure channel using the DIDcomm protocol and provision network credentials (potentially an additional DID and one or more VCs). Such a scenario provides a comparable degree of assurance as CA-issued X.509s and superior assurance when compared to self-signed certificates. 
    2.  
  2. User control. In a DIDs and VCs based solution, the data streaming from an IoT device remains under the control of the device owner / controller – leaving the OEM, device user and other ecosystem participants to agree on what data belongs to whom. The data can then be streamed to the device’s digital twin, with DIDs & VCs mediating access. Several specific features enhance data privacy and could potentially provide greater control to network admins:
    • Selective disclosure / zero knowledge proofs. Highly relevant where data privacy is particularly important. Tibco, a professional services group, is using this feature to ensure a patient’s digital twin is accurate and representative without identifying the patient, preserving their privacy. Zero knowledge proofs are likely to be particularly relevant where a zero-trust architecture is present.
    • Ability to rotate keys. This is becoming more relevant now that more microcontrollers can generate keys. 
    • Easier revocation. This capability could enable use cases such as secure end of life and transfer of ownership. Credentials don’t need to be wiped from a device as they can easily be revoked. For example, this feature could prevent unauthorised access to patient data from medical devices in circulation among patients without needing to rely on the patient or their family to wipe the data.
     
  3. Programmatic trust. In a DIDs & VCs world, attributes are attested by identities. One device can present multiple attributes signed by multiple identities. Combined with support for semantic text within DID documents, this enables policies regarding the rights and duties of ecosystem participants to be encoded within machine-readable trust frameworks. Good Health Pass and similar initiatives are founded on this approach. 

    The potential to automatically implement granular trust policies supports multiple IoT device self-onboarding scenarios. For example, it could be used to enable devices ‘in the wild’ (e.g. medical devices in patients’ homes) to establish trust and communicate securely with central systems (such as Electronic Health Records).

    More generally, automation of machine to machine processes rules out deferred maintenance and updates, making IoT devices less vulnerable to human error or negligence. Phil Windley, a thought leader within the decentralised identity community, has said, “DIDComm-capable agents can be used to create a sophisticated relationship network that includes people, institutions, things and even soft artifacts like interaction logs. The relationships in that network are rich and varied—just like relationships in the real world. Things, whether they are capable of running their own agents or employ a soft agent as a digital twin, are much more useful when they exist persistently, control their own agent and digital wallet, and can act independently. Things now react and respond to messages from others in the relationship network as they autonomously follow their specific rules.”
    4.  
  4. Lower cost. The capabilities outlined in points 1 to 3 mean DIDs & VCs provide comparable assurance to established approaches, without the need to purchase third party certificates. As wide area networks such as public utilities may comprise tens or hundreds of thousands of IoT devices, there is a potential for significant cost savings. According to researchers at Athens University’s Department of Informatics and Aalto University, “Theoretically all the improvements could also be implemented with X.509 certs as well, but due to the significantly higher cost of X.509 certification and the number of certificates required that would be highly impractical if not impossible.” (Enabling Decentralised Identifiers and Verifiable Credentials for Constrained Internet-of-Things Devices using OAuth-based Delegation

    In the case of consumer devices, DIDs & VCs provide a user-friendly way to enable users to take control of a device without needing to purchase an X509 certificate.

    More generally, the use of open standards reduces reliance on third parties, opens up high assurance identity to smaller players and promotes interoperability across device types and vendors.

Remaining challenges to full adoption

DIDs and VCs are not yet a mature technology and their use within device onboarding is still at an early stage. Interested parties may find there is a shortage of experienced talent, vendors and/or collaborators. Also, the requirement to establish a bespoke trust framework (if a suitable generic framework does not already exist) may present a barrier compared to the initially simpler option of relying on CA-issued certificates. 


Conclusion

Decentralised identity is a potential alternative route to implement secure and trusted IoT device onboarding, as defined by NIST.    By replacing a centralised trust model with decentralised identifiers and machine-readable verifiable credentials, underpinned by explicit trust policies, these open standards can help assure data privacy and enhance control over IoT data while bypassing the need for expensive third party certificates.      

To learn more about SSI & IoT visit https://sovrin.org/library-iot/.

To read the “Self-Sovereign Identity & IoT” whitepaper, go to https://sovrin.org/wp-content/uploads/SSI-and-IoT-whitepaper.pdf.