
Method for automatically authorizing an initial certificate enrollment based on a trusted symmetric encryption key owned by the end device.

IP.com Disclosure Number: IPCOM000240311D
Original Publication Date: 2015-Jan-21
Included in the Prior Art Database: 2015-Jan-21
Document File: 7 page(s) / 45K

Publishing Venue

Motorola

Related People

Grzesik, Andrzej: INVENTOR [+5]

Abstract

Establishing trust between two devices for the enrollment and delivery of certificates to one of the devices can be burdensome in an environment where there are thousands of devices in need of certificates.

To automate the certificate enrollment and delivery process in a certificate management infrastructure that uses a public key infrastructure (PKI), one may consider existing trust relationships. This paper describes how an existing trust relationship between two devices can be used to authenticate and automate the certificate enrollment process for one or more devices.

The invention described in this paper explains how the symmetric encryption keys used in a land mobile radio system for voice or data encryption may be used to obtain one or more certificates for an end device, or subscriber unit (SU). The symmetric encryption keys can be used to authenticate an SU to a certificate management infrastructure device and vice versa. This gives the certificate management infrastructure device the ability to securely issue one or more certificates to the SU without user intervention in a trusted environment.

This text was extracted from a Microsoft Word document.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 25% of the total text.

Method for automatically authorizing an initial certificate enrollment based on a trusted symmetric encryption key owned by the end device

By Andrzej Grzesik, Chris Kruegel, Wojciech Kucharski, Pawel Fafara, Elizeusz Musial

Motorola Solutions, Inc.

 


PROBLEM

When a system contains thousands or tens of thousands of two-way subscriber units and the user plans to upgrade the system to enable the SUs with functionality that requires the use of certificates, there are many challenges facing the user in the provisioning of certificates into all SUs.

A first challenge is the authenticated certificate enrollment of the SUs. As is well known in PKI systems, online enrollment using standard certificate management protocols (e.g. RFC 4210) may be used to speed up the process of certificate enrollment. However, this still leaves open how a CSR (Certificate Signing Request) received by the RA (Registration Authority) of the PKI is authorized:

· With no authorization, every CSR is accepted and there is very little security. There is no guarantee that an unknown or rogue device will not get a certificate.

· For a higher level of security, a customer may inspect every CSR received by the RA and manually accept or reject the request. This process can be very time-consuming and error-prone.

· For even higher security, a customer may use a trusted provisioning device (PD) which authorizes every SU’s CSR by signing it with the PD’s trusted private key; however, this is a manual and effort-intensive process, as every SU must be found and physically connected to a trusted PD to sign the CSR.
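
As an added illustration (not code or protocol detail from the disclosure, whose full text is not on this page), the sketch below shows one way an RA could authorize a CSR automatically from a symmetric key the SU already holds, and how the SU could authenticate the RA's reply in turn. HMAC-SHA256, the key-derivation labels, the message layout and all function and field names are assumptions; the key, CSR and certificate bytes are constructed.

```python
import hashlib
import hmac
import secrets

def mac(traffic_key: bytes, direction: bytes, *fields: bytes) -> bytes:
    # Key separation: derive a per-direction MAC key instead of reusing the
    # voice/data encryption key directly (the labels are assumptions).
    k = hmac.new(traffic_key, b"cert-enroll|" + direction, hashlib.sha256).digest()
    # Length-prefix every field so field boundaries cannot be shifted.
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(k, msg, hashlib.sha256).digest()

def su_build_request(su_id: bytes, key_id: bytes, traffic_key: bytes, csr: bytes) -> dict:
    # A fresh nonce per request lets the RA detect replays and binds its reply.
    nonce = secrets.token_bytes(16)
    tag = mac(traffic_key, b"su->ra", su_id, key_id, nonce, csr)
    return {"su_id": su_id, "key_id": key_id, "nonce": nonce, "csr": csr, "tag": tag}

class RegistrationAuthority:
    def __init__(self, provisioned_keys: dict):
        self.keys = provisioned_keys   # (su_id, key_id) -> key the SU already holds
        self.seen = set()              # replay cache of (su_id, nonce)

    def authorize(self, req: dict):
        """Return (decision, cert, response_tag); cert and tag are None on reject."""
        key = self.keys.get((req["su_id"], req["key_id"]))
        if key is None:
            return "reject: unknown SU or key", None, None
        expected = mac(key, b"su->ra", req["su_id"], req["key_id"], req["nonce"], req["csr"])
        if not hmac.compare_digest(expected, req["tag"]):   # constant-time compare
            return "reject: bad MAC", None, None
        if (req["su_id"], req["nonce"]) in self.seen:
            return "reject: replay", None, None
        self.seen.add((req["su_id"], req["nonce"]))
        # A real RA would forward the CSR to the CA here; placeholder bytes
        # stand in for the issued certificate.
        cert = b"CONSTRUCTED-CERT:" + req["su_id"]
        # The reply MAC covers the SU's nonce, so the SU can authenticate the RA.
        return "accept", cert, mac(key, b"ra->su", req["nonce"], cert)

def su_verify_response(traffic_key: bytes, nonce: bytes, cert: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(traffic_key, b"ra->su", nonce, cert), tag)
```

Because the MAC covers the CSR bytes and the SU identity, a request that passes the check replaces both the manual inspection and the PD signature for that CSR, provided the symmetric key was itself provisioned over a trusted path.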

 

A second challenge is the configuration and delivery of the trust chain certificates to every SU. In order for successful operation of a system this transfer must be done in a trusted environment since successful public key operation is...