Title Standard for Local and metropolitan area networks – Secure Device Identity
Acronym IEEE 802.1AR
Document Type Standard
Committee WORKING GROUP 802.2
Published Year 2018
Link https://1.ieee802.org/security/802-1ar/

Local Area Networks (LANs) are often deployed in networks that provide publicly accessible services or cannot be completely physically secured. Protocols that configure, manage, and regulate access to these networks typically run over the networks themselves. Secure and predictable network operation depends on authenticating each device attached to and participating in the network, so that the degree of trust and authorization to be accorded to that device by its communicating peers can be determined. Authentication of a human user, through a credential known to or possessed by that user, is often used to authenticate devices such as laptop personal computers, but many network devices are designed for unattended autonomous operation and do not support user authentication.

This standard specifies Secure Device Identifiers (DevIDs) designed to be used as interoperable secure device authentication credentials with Extensible Authentication Protocol (EAP) and other industry standard authentication and provisioning protocols. A standardized device identity facilitates interoperable secure device authentication and simplifies secure device deployment and management.

A device with DevID capability incorporates a globally unique manufacturer provided Initial Device Identifier (IDevID), stored in a way that protects it from modification. The device may support the creation of Locally Significant Device Identifiers (LDevIDs) by a network administrator. Each LDevID is bound to the device in a way that makes it infeasible for it to be forged or transferred to a device with a different IDevID without knowledge of the private key used to effect the cryptographic binding. LDevIDs can incorporate, and fully protect, additional information specified by the network administrator to support local authorization conventions.

The 2018 revision of this standard added the ECDSA P-384/SHA-384 signature suite to align with the Suite B Certificate Profile (IETF RFC 5759).