1478  Device Provisioning Credentials and Best Practices

Credential Types, Attack Vectors, and Security Best Practices

1478.1 Learning Objectives

After completing this section, you will be able to:

1. Understand different credential types used in device provisioning
2. Identify common attack vectors and their mitigations
3. Apply security best practices for device provisioning
4. Plan credential lifecycle management including rotation and revocation

1478.2 Overview

This section covers the credential types used in IoT device provisioning, common attack vectors targeting the provisioning process, and best practices for securing device onboarding.

NoteWhy Credentials Matter

Credentials are the foundation of device identity. Compromised credentials can lead to: - Unauthorized device access - Data theft and manipulation - Lateral movement in networks - Persistent backdoor access

1478.3 Credential Types Reference

ieeeColors = ({
  navy: "#2C3E50",
  teal: "#16A085",
  orange: "#E67E22",
  gray: "#7F8C8D",
  lightGray: "#ECF0F1",
  darkGray: "#34495E",
  green: "#27AE60",
  red: "#E74C3C",
  purple: "#9B59B6",
  blue: "#3498DB",
  yellow: "#F1C40F"
})

credentialTypesRef = {
  const credentialTypes = [
    {
      name: "X.509 Certificate",
      icon: "Cert",
      description: "Asymmetric PKI credential with public/private key pair",
      security: "High",
      lifecycle: "Months to years",
      storage: "Secure Element, TPM",
      rotation: "Certificate renewal via EST/CMP"
    },
    {
      name: "Pre-Shared Key (PSK)",
      icon: "PSK",
      description: "Symmetric key shared between device and server",
      security: "Medium",
      lifecycle: "Until manually rotated",
      storage: "Flash, secure storage",
      rotation: "Manual re-provisioning"
    },
    {
      name: "Device Token",
      icon: "Tkn",
      description: "Short-lived authentication token for API access",
      security: "Medium-High",
      lifecycle: "Hours to days",
      storage: "RAM, secure enclave",
      rotation: "Automatic refresh"
    },
    {
      name: "Bootstrap Credential",
      icon: "Boot",
      description: "Factory-programmed credential for initial provisioning",
      security: "High",
      lifecycle: "One-time use",
      storage: "One-time programmable memory",
      rotation: "Replaced by operational credential"
    },
    {
      name: "Session Key",
      icon: "Sess",
      description: "Ephemeral key for single session encryption",
      security: "High",
      lifecycle: "Session duration",
      storage: "RAM only",
      rotation: "Per-session derivation"
    },
    {
      name: "Setup Code",
      icon: "Code",
      description: "Short numeric/alphanumeric code for pairing",
      security: "Low-Medium",
      lifecycle: "One-time use",
      storage: "Printed label, QR code",
      rotation: "N/A (one-time)"
    }
  ];

  return html`
    <div style="
      background: white;
      border: 1px solid ${ieeeColors.gray};
      border-radius: 12px;
      padding: 20px;
      margin-top: 20px;
    ">
      <h3 style="margin: 0 0 20px 0; color: ${ieeeColors.navy}; font-size: 16px;">
        Credential Types Reference
      </h3>

      <div style="display: grid; grid-template-columns: repeat(auto-fit, minmax(280px, 1fr)); gap: 15px;">
        ${credentialTypes.map(cred => html`
          <div style="
            background: ${ieeeColors.lightGray};
            border-radius: 10px;
            padding: 15px;
          ">
            <div style="display: flex; align-items: center; gap: 10px; margin-bottom: 10px;">
              <span style="
                font-size: 14px;
                font-weight: bold;
                background: ${ieeeColors.navy};
                color: white;
                padding: 4px 8px;
                border-radius: 4px;
              ">${cred.icon}</span>
              <span style="font-weight: 700; color: ${ieeeColors.navy}; font-size: 13px;">
                ${cred.name}
              </span>
            </div>
            <div style="font-size: 11px; color: ${ieeeColors.darkGray}; margin-bottom: 10px;">
              ${cred.description}
            </div>
            <div style="display: grid; grid-template-columns: 1fr 1fr; gap: 8px; font-size: 10px;">
              <div>
                <span style="color: ${ieeeColors.gray};">Security:</span>
                <span style="color: ${ieeeColors.navy}; font-weight: 600;"> ${cred.security}</span>
              </div>
              <div>
                <span style="color: ${ieeeColors.gray};">Lifecycle:</span>
                <span style="color: ${ieeeColors.navy}; font-weight: 600;"> ${cred.lifecycle}</span>
              </div>
              <div>
                <span style="color: ${ieeeColors.gray};">Storage:</span>
                <span style="color: ${ieeeColors.navy}; font-weight: 600;"> ${cred.storage}</span>
              </div>
              <div>
                <span style="color: ${ieeeColors.gray};">Rotation:</span>
                <span style="color: ${ieeeColors.navy}; font-weight: 600;"> ${cred.rotation}</span>
              </div>
            </div>
          </div>
        `)}
      </div>
    </div>
  `;
}

credentialTypesRef

1478.4 Attack Vectors and Mitigations

attackVectorAnalysis = {
  const attacks = [
    {
      name: "Supply Chain Attack",
      phase: "Manufacturing",
      severity: "Critical",
      mitigation: "Hardware security modules, secure provisioning facilities, firmware signing",
      affected: ["ZTP", "X.509", "Manufacturer"]
    },
    {
      name: "DNS Spoofing",
      phase: "Discovery",
      severity: "High",
      mitigation: "DNSSEC, certificate pinning, pre-configured endpoints",
      affected: ["ZTP", "X.509"]
    },
    {
      name: "Man-in-the-Middle",
      phase: "Connection",
      severity: "High",
      mitigation: "Mutual TLS, certificate validation, secure channels",
      affected: ["PSK", "QR/App"]
    },
    {
      name: "Credential Theft",
      phase: "Storage",
      severity: "High",
      mitigation: "Secure elements, encrypted storage, key attestation",
      affected: ["PSK", "All methods"]
    },
    {
      name: "Replay Attack",
      phase: "Authentication",
      severity: "Medium",
      mitigation: "Nonces, timestamps, session binding",
      affected: ["PSK", "Token-based"]
    },
    {
      name: "Unauthorized Pairing",
      phase: "Onboarding",
      severity: "Medium",
      mitigation: "Timeout windows, physical confirmation, user verification",
      affected: ["QR/App", "BLE pairing"]
    }
  ];

  return html`
    <div style="
      background: white;
      border: 1px solid ${ieeeColors.gray};
      border-radius: 12px;
      padding: 20px;
      margin-top: 20px;
    ">
      <h3 style="margin: 0 0 20px 0; color: ${ieeeColors.navy}; font-size: 16px;">
        Common Attack Vectors & Mitigations
      </h3>

      <div style="overflow-x: auto;">
        <table style="
          width: 100%;
          border-collapse: collapse;
          font-size: 11px;
        ">
          <thead>
            <tr style="background: ${ieeeColors.navy}; color: white;">
              <th style="padding: 10px; text-align: left;">Attack</th>
              <th style="padding: 10px; text-align: center;">Phase</th>
              <th style="padding: 10px; text-align: center;">Severity</th>
              <th style="padding: 10px; text-align: left;">Mitigation</th>
              <th style="padding: 10px; text-align: left;">Affected Methods</th>
            </tr>
          </thead>
          <tbody>
            ${attacks.map((attack, i) => html`
              <tr style="background: ${i % 2 === 0 ? "white" : ieeeColors.lightGray};">
                <td style="padding: 10px; font-weight: 600; color: ${ieeeColors.navy};">
                  ${attack.name}
                </td>
                <td style="padding: 10px; text-align: center; color: ${ieeeColors.darkGray};">
                  ${attack.phase}
                </td>
                <td style="padding: 10px; text-align: center;">
                  <span style="
                    background: ${attack.severity === "Critical" ? ieeeColors.red : attack.severity === "High" ? ieeeColors.orange : ieeeColors.yellow};
                    color: white;
                    padding: 2px 8px;
                    border-radius: 10px;
                    font-size: 10px;
                    font-weight: 600;
                  ">${attack.severity}</span>
                </td>
                <td style="padding: 10px; color: ${ieeeColors.darkGray};">
                  ${attack.mitigation}
                </td>
                <td style="padding: 10px;">
                  ${attack.affected.map(a => html`
                    <span style="
                      background: ${ieeeColors.lightGray};
                      padding: 2px 6px;
                      border-radius: 4px;
                      margin-right: 4px;
                      font-size: 9px;
                    ">${a}</span>
                  `)}
                </td>
              </tr>
            `)}
          </tbody>
        </table>
      </div>
    </div>
  `;
}

attackVectorAnalysis

1478.5 Security Best Practices

bestPracticesChecklist = {
  const practices = [
    { category: "Identity", items: [
      "Use unique per-device identity (not group credentials)",
      "Store credentials in hardware security modules when possible",
      "Implement device attestation for hardware integrity"
    ]},
    { category: "Certificates", items: [
      "Use short-lived certificates (< 1 year)",
      "Implement automated certificate rotation",
      "Check CRL/OCSP for revocation status"
    ]},
    { category: "Network", items: [
      "Always use TLS 1.2+ for provisioning channels",
      "Implement certificate pinning where feasible",
      "Use mutual TLS for high-security deployments"
    ]},
    { category: "Operations", items: [
      "Log all provisioning events for audit",
      "Implement device decommissioning procedures",
      "Test provisioning failure scenarios"
    ]},
    { category: "Zero-Touch", items: [
      "Secure DHCP/DNS infrastructure",
      "Use bootstrapping with ownership vouchers",
      "Implement secure software update mechanisms"
    ]},
    { category: "User-Assisted", items: [
      "Limit pairing window timeouts",
      "Require physical confirmation when possible",
      "Display pairing codes on both devices"
    ]}
  ];

  return html`
    <div style="
      background: linear-gradient(135deg, ${ieeeColors.lightGray}, white);
      border: 1px solid ${ieeeColors.gray};
      border-radius: 12px;
      padding: 20px;
      margin-top: 20px;
    ">
      <h3 style="margin: 0 0 20px 0; color: ${ieeeColors.navy}; font-size: 16px;">
        Provisioning Security Best Practices
      </h3>

      <div style="display: grid; grid-template-columns: repeat(auto-fit, minmax(250px, 1fr)); gap: 15px;">
        ${practices.map(cat => html`
          <div style="
            background: white;
            border-radius: 10px;
            padding: 15px;
            border-left: 4px solid ${ieeeColors.teal};
          ">
            <div style="
              font-weight: 700;
              color: ${ieeeColors.navy};
              font-size: 13px;
              margin-bottom: 12px;
            ">${cat.category}</div>
            <ul style="margin: 0; padding-left: 18px; font-size: 11px; color: ${ieeeColors.darkGray};">
              ${cat.items.map(item => html`
                <li style="margin-bottom: 6px;">${item}</li>
              `)}
            </ul>
          </div>
        `)}
      </div>
    </div>
  `;
}

bestPracticesChecklist

1478.6 Credential Lifecycle Management

Understanding the lifecycle of credentials is essential for maintaining security:

1478.6.1 Certificate Lifecycle

%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#16A085', 'lineColor': '#7F8C8D', 'secondaryColor': '#16A085', 'tertiaryColor': '#ECF0F1'}}}%%
flowchart LR
    A[Generation] --> B[Enrollment]
    B --> C[Validation]
    C --> D[Operation]
    D --> E{Expiring?}
    E -->|Yes| F[Rotation]
    F --> B
    E -->|No| D
    D --> G{Compromised?}
    G -->|Yes| H[Revocation]
    H --> I[Re-provision]
    I --> B

1478.6.2 Key Rotation Strategies

Strategy	Use Case	Complexity	Security
Automatic renewal	Cloud-connected devices	Low	High
Manual rotation	Air-gapped systems	High	Medium
Rolling updates	Large fleets	Medium	High
Emergency rotation	Compromise response	High	Critical

1478.7 Security Considerations

WarningCritical Security Points

1. Supply Chain Security - Secure manufacturing and credential injection are foundational
2. Certificate Lifecycle - Plan for rotation, renewal, and revocation from day one
3. Channel Security - Always use encrypted channels for credential exchange
4. Trust Anchors - Carefully manage root CA certificates and their distribution
5. Failure Modes - Design for graceful handling of provisioning failures

1478.8 Summary

Device provisioning security requires attention to:

• Credential types - Match credential type to security requirements
• Attack mitigation - Layer defenses against common attack vectors
• Best practices - Follow industry standards for each provisioning method
• Lifecycle management - Plan for the full credential lifecycle

NoteKey Takeaways

1. Defense in depth - Layer multiple security controls throughout provisioning
2. Plan for lifecycle - Consider certificate rotation and device decommissioning
3. Test failure scenarios - Ensure graceful degradation when provisioning fails
4. Audit everything - Log provisioning events for compliance and troubleshooting
5. Stay current - Keep up with evolving threats and security standards

1478.9 Related Topics

• Zero-Trust Security Architecture
• PKI and Certificate Management
• Device Identity and Authentication
• Secure Boot and Attestation

1478.10 What’s Next

Continue exploring device provisioning:

• Device Provisioning Flow Visualizer - Interactive step-by-step visualization
• Security Analysis and Trust Boundaries - Deep dive into attack surfaces
• Method Comparison and Decision Guide - Choose the right method