Building owners and tenants are rapidly transforming workplaces into energy-efficient smart spaces. This has amplified a problem that has long faced the building controls market: How do you onboard IP-based EnOcean controllers, displays, and protocol converters onto a building’s secure IT network? A rash of high-profile security breaches that originated in IoT devices has put Chief Information Security Officers on high alert, and restrictions against adding an IoT device to an IT network without first passing a cybersecurity review are intensifying.
Even if a device passes a cybersecurity review, getting it onto the IT network can be tedious. If a device’s user interface wasn’t designed with IT networks in mind, then configuration options might be missing. Security certificate management can become a Catch-22: A device has to be on the network to receive a security credential, but it can’t be on the network without a credential installed. Some companies solve the latter problem by sending secret credentials over an unprotected open network, but that obviously poses its own risks.
Device Provisioning Protocol for secure onboarding
The Device Provisioning Protocol (DPP), certified under the Wi-Fi Alliance as “Easy Connect,” is a standard that allows devices to be easily provisioned onto a secure network using simple, modern techniques such as QR code scanning. This solution replaces Wi-Fi Protected Setup (WPS), a hugely popular onboarding solution that unfortunately had significant security gaps due, in part, to its reliance on inadequate and outdated Wi-Fi encryption services such as Wi-Fi Protected Access (WPA).
DPP addresses this gap by leveraging WPA3 and enhancing certificate handling to provide robust, secure, and scalable provisioning of IoT devices in any commercial, industrial, government, or consumer application. DPP also supports legacy WPA2 connections.
Designed to accommodate devices with or without a user interface, each DPP-enabled device is manufactured with an elliptic curve public/private key pair. The device can be brought onto a network via many paths, but the most common is by scanning a QR code on the device using a smartphone. The QR code contains the public key and, optionally, the device’s MAC address and serial number.
There are four steps to onboarding an IoT device onto an IT network using DPP, and the entire process can be completed in seconds:
- Bootstrapping: The device shares a public key that is bound to a unique private key;
- Discovery: Unprovisioned devices are identified by the DPP-enabled network infrastructure;
- Authentication and configuration: A request-response process authenticates the device and the configuration service, following which a security role and group are assigned to the device;
- Network access: An Aruba Wi-Fi access point or wired controller advertises the availability of a DPP network. The device and the network exchange keys and separately derive an authenticated Pairwise Master Key (PMK). If each side generates the same PMK, the device is allowed on the network.
DPP can run via Wi-Fi and Ethernet, addressing the vast majority of smart building applications. Cellular-enabled devices can also obtain Wi-Fi credentials via DPP, which allows mobile devices to move between cellular and Wi-Fi networks. DPP QR codes can be scanned individually or batched. Individual scanning is ideal for smaller sites and when a device is being replaced. Batched scanning is perfect for a large upgrade and when commissioning a new site. Finally, DPP eliminates the need to configure security credentials over an open network, thus closing a significant security gap. Once manual steps are eliminated, installation can proceed more quickly and without IT-skilled labor.
If you need to deploy IP-based EnOcean controllers, displays, or protocol converters on a secure IT network, DPP is the answer. DPP speeds up installation time, closes the security gaps of earlier provisioning systems, and meets the high standards set by CISOs by using WPA3 and other security mechanisms.
Rick Bogart of Ellisys shows Packetcraft's Auracast™ broadcaster alongside Vanguard protocol analyzer American Association of Audiology hosted their annual conference/exhibition in Seattle this year. Packetcraft went to demo our leading-edge bluetooth software...
Company's Analysis and Qualification Systems on Target for Latest Core Specification Features Ellisys, a worldwide provider of test and analysis solutions for Bluetooth, Wi-Fi, Universal Serial Bus (USB), and other wired and wireless communications technologies, has...
DisplayPort 2.0 technology, managed by VESA (Video Electronics Standards Association), supports up to 16K pixel resolution with HDR at 60Hz Teledyne LeCroy has announced the availability for order of the quantumdata M21 Video Analyzer for HDMI 2.1 and DisplayPort 2.0...