REWIRE Zero-Touch Onboarding

This blog post explores how REWIRE’s Zero-Touch Onboarding strengthens runtime operational assurance across complex, interconnected IoT systems. In a rapidly evolving digital world, where devices, apps, and platforms constantly interact, the ability to securely and seamlessly integrate new components into an ecosystem is a critical necessity. Secure onboarding guarantees that devices are authenticated and verified before they begin operating. The REWIRE Project transforms this paradigm with a robust framework for Zero-Touch Onboarding (ZTO), enabling devices to join domains automatically, securely, and in a privacy-preserving manner.

In Systems-of-Systems, especially in critical domains such as automotive, satellites and smart cities, device onboarding is not just an operational formality but a key security assurance function. Without a secure onboarding process, malicious devices could impersonate legitimate ones, infiltrate networks, and compromise sensitive data. At the same time, organisations face practical challenges: the sheer scale of devices to be integrated, the need for interoperability across domains, and the necessity of ensuring strong cryptographic guarantees, all while keeping processes cost-effective and automated.

Traditional onboarding requires manual provisioning of cryptographic material, which is error-prone and does not scale well. REWIRE addresses this by enabling devices to onboard autonomously, without human intervention, through a crypto-agile, verifiable, and policy-driven onboarding protocol.

REWIRE ZTO Building Blocks

The REWIRE onboarding process integrates multiple advanced cryptographic mechanisms, ensuring that devices prove their legitimacy, obtain credentials, and establish trust with both their own domains and other domains they may need to communicate with. The three main steps are the following:

Step 1: Verifiable Credential (VC) Issuance

Each device begins its onboarding journey by authenticating itself and obtaining a Verifiable Credential (VC) over its attributes. The VC is structured in line with W3C standards, making it interoperable across ecosystems. The device proves possession of its Root ID Key, a hardware-embedded identifier created at manufacturing time, and the Manufacturer and the Privacy Certificate Authority (CA) validate the device’s identity. A new asymmetric key pair is generated by the device and certified by the Manufacturer, binding the device to the VC, which includes attributes such as capabilities, supported protocols, and security properties. This process ensures binding between device hardware, cryptographic identity, and policy-driven credentials.

Step 2: Domain Enrolment

After obtaining a VC, the device requests enrolment into a specific Domain. Domains may represent organisational boundaries (e.g., a hospital, a military network, or a smart city subsystem). Enrolment involves (a) retrieval of domain-specific attribute keys from the Privacy CA, (b) verification of the policies set by the Domain Manager, (c) creation of Attribute-Based Signatures (ABS) to prove possession of the required attributes and (d) where privacy requirements exist, conversion of the Attestation Key into a Direct Anonymous Attestation (DAA) key, which ensures unlinkability of transactions. The outcome is that the device becomes part of a domain with credentials tailored to that domain’s policies and privacy requirements.
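As an added illustration of Steps 1 and 2 (example code written for this post, not REWIRE project code, which is not shown here), the Go program below simulates the issuance of a W3C-shaped Verifiable Credential bound to a freshly generated device key, and the Domain Manager's policy check at enrolment. The device proves possession of its Root ID Key by signing a Manufacturer-issued nonce together with the new public key; the Manufacturer checks that proof against the Root ID public key recorded at manufacturing time, then certifies the new key and the device attributes in a signed credential. Ed25519 stands in for whatever signature scheme REWIRE actually uses, the Privacy CA, domain attribute keys, ABS and DAA are not modelled, and every name (did:example:manufacturer, dev-0001, the attribute strings, the DeviceOnboardingCredential type) is a constructed placeholder.

```go
package main

// Added example, not REWIRE project code. It simulates Step 1 (VC issuance bound to a fresh
// device key via proof of possession of the Root ID Key) and the Domain Manager policy check of
// Step 2. Ed25519 stands in for REWIRE's unspecified scheme; the Privacy CA, attribute keys, ABS
// and DAA are not modelled. Names, identifiers and attribute strings are all constructed.

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Subject and Credential follow the W3C VC data model shape. Proof is the Manufacturer's
// signature over the JSON encoding of every other field.
type Subject struct {
	ID         string   `json:"id"`
	PublicKey  string   `json:"publicKey"`  // certified onboarding key, base64
	Attributes []string `json:"attributes"` // capabilities, protocols, security properties
}
type Credential struct {
	Context []string `json:"@context"`
	Type    []string `json:"type"`
	Issuer  string   `json:"issuer"`
	Subject Subject  `json:"credentialSubject"`
	Proof   string   `json:"proof,omitempty"`
}

// PoP is the device's Root ID Key signature over nonce || NewPub, tying the new key to the hardware identity.
type PoP struct {
	DeviceID         string
	Nonce, Signature []byte
	NewPub           ed25519.PublicKey
}
type Device struct {
	ID                string
	rootPriv, onbPriv ed25519.PrivateKey // Root ID key (embedded at manufacture) and fresh onboarding key
}
type Manufacturer struct {
	Name  string
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	roots map[string]ed25519.PublicKey // Root ID public keys recorded at manufacture
	attrs map[string][]string          // device attributes the Manufacturer vouches for
}

func NewManufacturer(name string) (*Manufacturer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	return &Manufacturer{name, pub, priv, map[string]ed25519.PublicKey{}, map[string][]string{}}, nil
}

// Manufacture provisions a Root ID key into a new device and records its public half and attributes.
func (m *Manufacturer) Manufacture(id string, attrs []string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	m.roots[id], m.attrs[id] = pub, attrs
	return &Device{ID: id, rootPriv: priv}, nil
}

// Challenge returns a fresh nonce so that a captured PoP cannot be replayed later.
func (m *Manufacturer) Challenge() []byte { n := make([]byte, 16); rand.Read(n); return n }

func popMessage(nonce []byte, pub ed25519.PublicKey) []byte { return append(append([]byte{}, nonce...), pub...) }

// ProvePossession generates the onboarding key pair and signs it with the Root ID key.
func (d *Device) ProvePossession(nonce []byte) (PoP, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return PoP{}, err }
	d.onbPriv = priv
	return PoP{d.ID, nonce, ed25519.Sign(d.rootPriv, popMessage(nonce, pub)), pub}, nil
}

// signedBody is the canonical byte string the proof covers: the credential with Proof cleared.
func signedBody(vc Credential) []byte { vc.Proof = ""; b, _ := json.Marshal(vc); return b }

// IssueVC verifies the PoP against the registered Root ID key, then certifies the new key in a signed VC.
func (m *Manufacturer) IssueVC(pop PoP, nonce []byte) (*Credential, error) {
	rootPub, ok := m.roots[pop.DeviceID]
	if !ok { return nil, fmt.Errorf("unknown device %q", pop.DeviceID) }
	if string(pop.Nonce) != string(nonce) { return nil, fmt.Errorf("stale or replayed challenge") }
	if !ed25519.Verify(rootPub, popMessage(nonce, pop.NewPub), pop.Signature) { return nil, fmt.Errorf("proof of possession failed") }
	vc := &Credential{
		Context: []string{"https://www.w3.org/2018/credentials/v1"},
		Type:    []string{"VerifiableCredential", "DeviceOnboardingCredential"},
		Issuer:  m.Name,
		Subject: Subject{pop.DeviceID, base64.StdEncoding.EncodeToString(pop.NewPub), m.attrs[pop.DeviceID]},
	}
	vc.Proof = base64.StdEncoding.EncodeToString(ed25519.Sign(m.priv, signedBody(*vc)))
	return vc, nil
}

// VerifyVC checks the Manufacturer's signature over the credential body.
func VerifyVC(vc *Credential, issuerPub ed25519.PublicKey) error {
	sig, err := base64.StdEncoding.DecodeString(vc.Proof)
	if err != nil || !ed25519.Verify(issuerPub, signedBody(*vc), sig) { return fmt.Errorf("invalid credential proof") }
	return nil
}

// CheckPolicy is the Domain Manager's enrolment gate: every attribute the domain requires must be in the VC.
func CheckPolicy(vc *Credential, required []string) error {
	have := map[string]bool{}
	for _, a := range vc.Subject.Attributes { have[a] = true }
	for _, r := range required {
		if !have[r] { return fmt.Errorf("domain policy requires attribute %q", r) }
	}
	return nil
}

func main() {
	m, _ := NewManufacturer("did:example:manufacturer")
	dev, _ := m.Manufacture("dev-0001", []string{"TPM2.0", "MQTT", "secure-boot"})
	nonce := m.Challenge()
	pop, _ := dev.ProvePossession(nonce)
	vc, err := m.IssueVC(pop, nonce)
	if err != nil { fmt.Println("issuance refused:", err); return }
	fmt.Println("VC valid:", VerifyVC(vc, m.Pub) == nil, "| policy:", CheckPolicy(vc, []string{"TPM2.0", "secure-boot"}))
}
```

Two design points carry over to a real deployment regardless of the scheme used: the proof of possession covers a Manufacturer-chosen nonce, so a recorded proof cannot be replayed to obtain a second credential for an attacker-chosen key; and the attributes are taken from the Manufacturer's own record rather than from the device's request, so a device cannot claim capabilities it was not built with. Any later change to the attributes breaks the signature and is rejected by the Domain Manager's verification before the policy check runs.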

Step 3: Attribute-Based Signatures and Signcryption (ABS/ABSC)

REWIRE distinguishes between intra-domain and inter-domain communication: (a) within a domain, devices use Attribute-Based Signatures (ABS) together with authenticated symmetric encryption for secure communication and (b) across domains, devices use Attribute-Based Signcryption (ABSC), which merges encryption and signing into one step, guaranteeing confidentiality, authenticity, and efficiency. These mechanisms ensure that only authorised devices, possessing the correct attributes, can communicate or exchange data, even across trust boundaries.

Conclusion

REWIRE’s Zero-Touch Onboarding transforms how devices join secure ecosystems. By combining hardware-rooted trust, verifiable credentials, attribute-based cryptography, and privacy-preserving mechanisms, the framework enables secure, scalable, and automated onboarding. This not only reduces costs and risks but also ensures that large-scale, distributed systems can operate confidently in adversarial environments. As organisations increasingly depend on interconnected devices and services, REWIRE’s ZTO sets a new standard for runtime operational assurance.
