Commissioning for a private Thread Network #12315
Replies: 3 comments 1 reply
Thread Commercial Commissioning Mode (CCM), which is described as part of the Thread 1.2 Specification, also includes use of certificates by CCM Thread devices to join a network. There is a prototype implementation at #10805. cc @EskoDijk
The CCM prototype implementation was made to validate the specification cBRSKI (link), which is nearing completion in IETF. Extensive final reviews still have to start, so some changes could be expected. It's basically X509 certificate-based zero-touch onboarding of new devices, in which (typically) an external service on the Internet called MASA provides the authorization for a new device to join a particular owner's domain. cBRSKI also enables operation without such online MASA service: in this case, a digitally signed artifact called the "voucher" is generated by the device vendor and handed to the device owner/customer. The voucher enables the new device to trust the new owner and do the onboarding in the owner's network. Although the PR hasn't been active for a while, I'm planning to revive it as a nice test case for new commissioning methods for Thread devices, after some work related to this (e.g. #12201) gets merged. A simpler variant could also be defined that does not use the voucher, just certificates - this also works well when a single vendor creates or owns all of the devices, i.e., a private network situation. Then the access of devices is pre-configured based on "allowed" CAs, for example. So using certificates by devices, both for initial onboarding (using IDevID as defined in IEEE 802.1AR) and for later attaching to designated Thread Network(s) (using LDevID), is defined as part of CCM, but wasn't implemented in OpenThread yet.
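As an added illustration of the "simpler variant" described above (example code, not from the PR or from OpenThread): a constructed vendor CA issues an IEEE 802.1AR IDevID per device, and an owner-side admission check accepts a joiner only if its IDevID chains to one of the pre-configured allowed vendor CAs; no voucher or MASA is involved. The names NewVendorCA, NewIDevID and Admit, the P-256 keys and the serial numbers are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with parentKey; with parent == nil the certificate is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// NewVendorCA models a vendor's manufacturing CA that signs IDevIDs (constructed for this example).
func NewVendorCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{Organization: []string{name}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// NewIDevID issues the manufacturer-installed IEEE 802.1AR IDevID; the device serial number sits in the subject.
func NewIDevID(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(2), KeyUsage: x509.KeyUsageDigitalSignature,
		Subject:   pkix.Name{Organization: ca.Subject.Organization, SerialNumber: serial},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(20, 0, 0)}, ca, caKey)
}

// Admit is the owner-side policy of the "simple variant": a joiner is accepted only if its IDevID
// chains to one of the allowed vendor CAs; on success the device serial number is returned.
func Admit(idevid *x509.Certificate, allowedCAs *x509.CertPool) (string, bool) {
	if _, err := idevid.Verify(x509.VerifyOptions{Roots: allowedCAs}); err != nil {
		return "", false
	}
	return idevid.Subject.SerialNumber, true
}
```

A device whose IDevID was issued by a CA outside the allowed pool is rejected by the same check, which is what keeps a foreign vendor's hardware off the private network.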
Thank you @EskoDijk and @jwhui for the quick response. In the meantime, I also took a look at the joiner protocol and the ot-commissioner and openthread joiner codebase (master). Is this a viable approach for the "simple variant" you mentioned, @EskoDijk?
Hello community,
I am quite new to Thread and have some questions about commissioning and device onboarding.
The idea is to set up a private Thread network, consisting only of devices that I fully control (hardware, software, configuration, certificates (PKI), etc.).
The Thread network also has no connection to any non-Thread networks.
There are two types of devices—let’s call them Nodes and Hubs:
Nodes are MCUs and have both 802.15.4 and Bluetooth LE (BLE) interfaces.
Hubs are Linux-based and have 802.15.4, BLE, and LAN/WiFi interfaces.
A Thread network contains many Nodes but exactly one Hub.
Thread commissioning of Nodes should be as easy as possible, but still secure (only my own devices must be allowed to join the network).
The goal is essentially a zero-touch commissioning approach.
My first idea was to configure the Hub as Border Agent and Commissioner and use CCM (Commercial Commissioning Mode) for commissioning.
However, I realized that CCM only changes how the Commissioner connects to the Border Agent.
The actual device joining procedure is still based on PSKd, and not on certificates.
Is this correct, or am I missing something here?
Is there any way in OpenThread to achieve a certificate-based, zero-touch, PSKd-free commissioning flow?
Any feedback is greatly appreciated — thank you!
Werner