By Michael R. Tennefoss, Vice President of IoT and Strategic Partnerships, Aruba, a Hewlett Packard Enterprise company

Building owners and tenants are rapidly transforming workplaces into energy-efficient smart spaces. This has amplified a problem that has long faced the building controls market: How do you onboard IP-based EnOcean controllers, displays, and protocol converters onto a building’s secure IT network? A rash of high-profile security breaches that originated in IoT devices has put Chief Information Security Officers on high alert, and restrictions against adding an IoT device to an IT network without first passing a cybersecurity review are intensifying.

Even if a device passes a cybersecurity review, getting it onto the IT network can be tedious. If a device’s user interface wasn’t designed with IT networks in mind, then configuration options might be missing. Security certificate management can become a Catch-22: A device has to be on the network to receive a security credential, but it can’t be on the network without a credential installed. Some companies solve the latter problem by sending secret credentials over an unprotected open network, but that obviously poses its own risks.

Device Provisioning Protocol for secure onboarding

The Device Provisioning Protocol (DPP), certified under the Wi-Fi Alliance as “Easy Connect,” is a standard that allows devices to be easily provisioned onto a secure network using simple, modern techniques such as QR code scanning. This solution replaces Wi-Fi Protected Setup (WPS), a hugely popular onboarding solution that unfortunately had significant security gaps due, in part, to its reliance on inadequate and outdated Wi-Fi encryption services such as Wi-Fi Protected Access (WPA).

DPP addresses this gap by leveraging WPA3 and enhancing certificate handling to provide robust, secure, and scalable provisioning of IoT devices in any commercial, industrial, government, or consumer application. DPP also supports legacy WPA2 connections.

Designed to accommodate devices with or without a user interface, each DPP-enabled device is manufactured with an elliptic curve public/private key pair. The device can be brought onto a network via many paths, but the most common is by scanning a QR code on the device using a smartphone. The QR code contains the public key and, optionally, the device’s MAC address and serial number.

There are four steps to onboarding an IoT device onto an IT network using DPP, and the entire process can be completed in seconds:

  • Bootstrapping: The device shares a public key that is bound to a unique private key;
  • Discovery: Unprovisioned devices are identified by the DPP-enabled network infrastructure;
  • Authentication and configuration: A request-response process authenticates the device and the configuration service, following which a security role and group are assigned to the device;
  • Network access: An Aruba Wi-Fi access point or wired controller advertises the availability of a DPP network. The device and the network exchange keys and separately derive an authenticated Pairwise Master Key (PMK). If each side generates the same PMK, the device is allowed on the network.

Problem solved

DPP can run via Wi-Fi and Ethernet, addressing the vast majority of smart building applications. Cellular-enabled devices can also obtain Wi-Fi credentials via DPP, which allows mobile devices to move between cellular and Wi-Fi networks. DPP QR codes can be scanned individually or batched. Individual scanning is ideal for smaller sites and when a device is being replaced. Batched scanning is perfect for a large upgrade and when commissioning a new site. Finally, DPP eliminates the need to configure security credentials over an open network, thus closing a significant security gap. Once manual steps are eliminated, installation can proceed more quickly and without IT-skilled labor.


If you need to deploy IP-based EnOcean controllers, displays, or protocol converters on a secure IT network, DPP is the answer. DPP speeds up installation time, closes the security gaps of earlier provisioning systems, and meets the high standards set by CISOs by using WPA3 and other security mechanisms.

Related Articles

Ellisys Introduces Support for CCC Digital Key Technology

Ellisys Introduces Support for CCC Digital Key Technology

Protocol Updates Aid in Test, Validation, and Debug for Automotive and Consumer Electronics Developers and Test Labs Ellisys, a leading worldwide provider of Bluetooth®, Universal Serial Bus (USB), Ultra-Wideband, and Wi-Fi® protocol test and analysis solutions has...



Stay Up to Date With The Latest News & Updates

News By Email

This site is continually updated with new videos, features and news. Subscribe here for regular updates sent directly to your inbox!

Select list(s) to subscribe to

By submitting this form, you are consenting to receive marketing emails from: Incisor, Click I.T. Ltd, Rake, GU33 7JR, You can revoke your consent to receive emails at any time by using the SafeUnsubscribe® link, found at the bottom of every email. Emails are serviced by Constant Contact

Our Sponsors

Incisor.TV partners with leading organisations in the technology sector.

Follow Us

And stay up to date with our news! We are active across the key social media platforms – please do follow us!