METHOD AND DEVICE FOR INITIAL CERTIFICATE REGISTRATION IN A WIRELESS COMMUNICATION SYSTEM

The method allows trusted mobile devices to proxy unregistered devices in secure wireless networks, using short-range connections and biometric data for efficient and secure certificate registration, addressing the inefficiencies of manual and trust-based methods in secure communication systems.

DE112016002319B4Active Publication Date: 2026-06-11MOTOROLA SOLUTIONS INC

Patent Information

Authority / Receiving Office
DE · DE
Patent Type
Patents
Current Assignee / Owner
MOTOROLA SOLUTIONS INC
Filing Date
2016-05-16
Publication Date
2026-06-11

Smart Images

  • Figure 00000000_0000_ABST
    Figure 00000000_0000_ABST
Patent Text Reader

Abstract

Method for providing an initial certification registration in a wireless communication system, wherein the method comprises: Establishing an initial wireless connection to an infrastructure using an initial mobile device; Establishing a second wireless connection with a second mobile device through the first mobile device; Receiving an initial certification request by the first mobile device from the second mobile device and via the second wireless connection, wherein the initial certification request includes a request for a digital certificate for the second mobile device and for initial biometric data associated with a user of the first mobile device; Obtaining second biometric data, where the second biometric data is associated with a user of the second mobile device; Transmitting a second certification request to the infrastructure and over the first wireless connection, wherein the second certification request includes the request for the digital certificate for the second mobile device, the first biometric data, and the second biometric data; in response to the transmission of the second certification request to the infrastructure, receiving the digital certificate for the second mobile device from the infrastructure and via the first wireless connection, wherein a certification response includes the digital certificate for the second mobile device, wherein the certification response is signed with a third private key; Transferring the digital certificate to the second mobile device via the second wireless connection; Transferring a digital certificate associated with the first mobile device from the first mobile device to the second mobile device; in response to the transfer of the digital certificate associated with the first mobile device to the second mobile device, receiving a public key from the second mobile device; where receiving the first certification request includes receiving the first certification request signed by a private key that corresponds to the public key; where the private key includes a first private key and where the process involves submitting a second certification request to the infrastructure: Signing the second certificate request using a second private key to generate a signed second certificate request; and Transferring the signed second certification request to the infrastructure; the process still includes validating the initial certification request based on the public key.
Need to check novelty before this filing date? Find Prior Art

Description

AREA OF INVENTION

[0001] The present invention relates generally to wireless communication systems and in particular to a method and a device for certificate registration in a wireless communication system. BACKGROUND OF THE INVENTION

[0002] In a highly secure wireless communication system, employees may need to use at least one layer of security tunnels to remotely access their corporate or company applications or data. The most widely used security tunnel technology is an Internet Protocol Security (IPsec) Virtual Private Network (VPN), which typically uses a public key infrastructure (PKI) based on the certificate-based Internet Key Exchange protocol (IKE or IKEv2) to establish a secure tunnel.

[0003] A PKI scheme uses a digital certificate to verify that a specific public key belongs to a particular endpoint and can be used for access control. The certificate is an electronic document issued by a trusted entity and used to prove ownership of a public key. The certificate contains information about the key and the identity of the key holder, and it also includes a digital signature from a Certificate Authority (CA), that is, an entity that has verified the accuracy of the certificate's contents. To obtain a certificate, a user—that is, a user's mobile device—must complete a PKI registration process with a PKI infrastructure set up by their organization.In most cases, the PKI infrastructure includes at least one CA that issues all certificates and manages their lifetime, as well as a Registration Authority (RA) that performs user / mobile device authentication for the CA before any certificate can be generated for the user / mobile device. Authenticating a new user / mobile device as part of an initial certificate registration often involves many manual operations because the mobile device lacks credentials to authenticate it against the organization's network prior to initial certificate registration.

[0004] A typical solution for initial certificate registration involves using a personal computer trusted by the organization's network. The user must generate a certificate signing request (CSR) file on their mobile device and then transfer the CSR file to the PC using a wired connection, such as a USB interface. The user then uses the PC to submit the CSR to the RA or CA to obtain a certificate through the organization's network. In highly secure systems, such as government and defense networks, the user may be required to hand over their mobile device to a system administrator who performs the initial registration using a PC located in a monitored environment.

[0005] Another approach to initial certificate registration involves the use of a Trusted Platform Module (TPM) chip. Based on current TPM 2.0 standards, the TPM chip manufacturer embeds a unique root key pair (usually RSA) into each TPM during the manufacturing process. A mobile device with a TPM can request the TPM to sign / encrypt messages sent to the network during initial registration. However, the keys are generated outside the control of the organization / company operating the wireless system, and this approach only works if the organization / company trusts both the keys and the TPM manufacturer. This type of inter-organizational trust is generally not permitted in highly secure government and public safety systems.US patent 2008 / 0222711 A1 discloses a method for the initial certificate registration of a new mobile device using near-field communication. Another method for initial certificate registration is disclosed in US patent 2013 / 0247161 A1. BRIEF DESCRIPTION OF THE DIFFERENT VIEWS OF THE DRAWINGS

[0006] The accompanying drawings, in which the same reference numerals refer to identical or functionally similar elements through the separate views, are incorporated into the specification together with the following detailed description, and they form a part thereof, and they serve to further illustrate embodiments and concepts that include the claimed invention, and they explain various principles and advantages of those embodiments. Fig. Figure 1 is a block diagram of a communication system in which a service instance selection is implemented in accordance with some embodiments of the present invention. Fig. 2 is a block diagram of a mobile device of the communication system according to Fig. 1, in accordance with some embodiments of the present invention. Fig. Figure 3 is a block diagram of a public key infrastructure (PKI) device of the communication system according to Fig. 1 in accordance with some embodiments of the present invention. Fig. 4A is a message flow diagram illustrating a process that proceeds through the communication system to Fig. 1 is performed when performing an initial certificate registration of a mobile device, in accordance with some embodiments of the present invention. Fig. 4B is a continuation of the message flow diagram according to Fig. 4A, which illustrates a procedure which is carried out by the communication system according to Fig. 1 is performed when performing an initial certificate registration of a mobile device, in accordance with some embodiments of the present invention. Fig. 4C is a continuation of the message flow diagram according to Fig. 4A and Fig. 4B, which illustrates a procedure which is carried out by the communication system according to Fig. 1 is performed when performing an initial certificate registration of a mobile device, in accordance with some embodiments of the present invention.

[0007] Experts will recognize that, for the sake of simplicity and clarity, elements in the figures are not necessarily drawn to scale. For example, the dimensions and / or relative positions of some elements may be exaggerated compared to others to aid in understanding the various embodiments of the present invention. Likewise, common but well-understood elements that are useful or necessary for a commercially viable embodiment are often omitted to allow a less obstructive view of these various embodiments of the present invention. It will also be recognized that certain actions and / or steps are described or depicted in a specific order of occurrence, although experts will understand that such specificity regarding the sequence is not actually necessary.Those skilled in the art will further recognize that references to specific implementation execution forms, such as "circuit," can equally be achieved by substitution with software instruction executions, either on a general-purpose computing device (for example, a CPU) or a specialized processing device (for example, a DSP). It will also be understood that the terms and expressions used herein have the ordinary technical meanings attributed to such terms and expressions by those skilled in the art, as explained above, except where different specific meanings are otherwise explained herein. DETAILED DESCRIPTION OF THE INVENTION

[0008] A method and a device that provide initial certification registration in a wireless communication system are provided. A first mobile device establishes a first wireless connection with an infrastructure, and it establishes a second wireless connection with a second mobile device. The first mobile device receives a first certification request from the second mobile device over the second wireless connection, the first certification request comprising a request for a digital certificate for the second mobile device and for initial biometric data associated with a user of the first mobile device.The first mobile device receives second biometric data, which is associated with a user of the second mobile device, and transmits a second certification request to the infrastructure via the first wireless connection. This second certification request includes a request for the digital certificate for the second mobile device, the first biometric data, and the second biometric data. In response to the transmission of the second certification request to the infrastructure, the first mobile device receives the digital certificate for the second mobile device from the infrastructure via the first wireless connection and transmits the digital certificate to the second mobile device via the second wireless connection.

[0009] In general, one embodiment of the present invention relates to a method for providing an initial certification registration in a wireless communication system. The method comprises establishing a first wireless connection with an infrastructure by a first mobile device; establishing a second wireless connection with a second mobile device by the first mobile device; receiving a first certification request by the first mobile device from the second mobile device and via the second wireless connection, wherein the first certification request comprises a request for a digital certificate for the second mobile device and for first biometric data associated with a user of the first mobile device; and receiving second biometric data, wherein the second biometric data is associated with a user of the second mobile device.and transmitting a second certification request to the infrastructure and over the first wireless connection, wherein the second certification request includes the request for the digital certificate for the second mobile device, the first biometric data, and the second biometric data. The procedure further includes, in response to the transmission of the second certification request to the infrastructure, receiving from the infrastructure and over the first wireless connection, wherein a certification response includes the digital certificate for the second mobile device, the certification response being signed with a third private key; and transmitting the digital certificate to the second mobile device over the second wireless connection. The procedure further includes transmitting a digital certificate associated with the first mobile device from the first mobile device to the second mobile device.In response to the transfer of the digital certificate associated with the first mobile device to the second mobile device, a public key is received from the second mobile device. Furthermore, receiving the first certificate request includes receiving the first certificate request signed by a private key corresponding to the public key. The private key comprises a first private key, and transferring a second certificate request to the infrastructure includes: signing the second certificate request using a second private key to generate a signed second certificate request; and transferring the signed second certificate request to the infrastructure. The process further includes validating the first certificate request based on the public key.

[0010] Another embodiment of the present invention relates to a mobile device capable of enabling initial certification registration in a wireless communication system, the mobile device comprising a processor and at least one memory device. The at least one memory device is configured to store instructions which, when executed by the processor, cause the processor to: establish a first wireless connection with an infrastructure; establish a second wireless connection with another mobile device; receive a first certification request from the other mobile device and via the second wireless connection, wherein the first certification request comprises a request for a digital certificate for the other mobile device and for first biometric data associated with a user of the mobile device.Receive a second set of biometric data, wherein the second set of biometric data is associated with a user of the other mobile device; and transmit a second certificate request to the infrastructure and over the first wireless connection, wherein the second certificate request includes the request for the digital certificate for the other mobile device, the first set of biometric data, and the second set of biometric data. The at least one storage device is further configured to store instructions which, when executed by the processor, cause the processor to: In response to the transmission of the second certificate request to the infrastructure, receive from the infrastructure and over the first wireless connection the digital certificate for the other mobile device;and transferring the digital certificate to the other mobile device over the second wireless connection. The at least one storage device is configured to store instructions which, when executed by the processor, cause the processor to: transfer a digital certificate associated with the mobile device to the other mobile device and, in response to the transfer of the digital certificate associated with the mobile device to the other mobile device, receive a public key from the other mobile device by receiving a certification response from the infrastructure and over the first wireless connection that includes the digital certificate for the other mobile device, wherein the certification response;

[0011] Yet another non-inventive embodiment of the present one relates to a PKI device (“public key infrastructure”) comprising a processor and at least one storage device.The at least one storage device is configured to store instructions which, when executed by the processor, cause the processor to perform the following: receive a certificate request from a first mobile device, which includes a request for a digital certificate for a second mobile device, for biometric data associated with a user of the first mobile device, and for second biometric data associated with a user of the second mobile device; verify the identity of the user of the first mobile device and the identity of the user of the second mobile device based on the first biometric data and the second biometric data; and issue the digital certificate in response to the verification of the identity of the user of the first mobile device and the identity of the user of the second mobile device.

[0012] Another embodiment not according to the invention relates to a PKI device comprising a processor and at least one storage device configured to maintain a Certificate Revocation List (CRL) and a Certificate Authorization List (CAL), wherein the CAL comprises a list of digital certificate serial numbers or hashes of digital certificate serial numbers associated with mobile devices authorized to participate in a given event response.

[0013] The present invention can be described in relation to the Fig. 1 to 4C will be described in more detail. Fig. Figure 1 is a block diagram of a wireless communication system 100 according to an embodiment of the present invention. The communication system 100 comprises several mobile devices 104, 114 (two shown) and corresponding users 102, 112. In various embodiments of the present invention, the users 102 and 112 can be the same or different users. Each mobile device 104, 114 can be any mobile device configured to request a digital certificate from a PKI device.For example, any mobile device 104, 114 can be a cellular phone, a smartphone, a personal digital assistant (PDA), a laptop computer or a personal computer with radio frequency (RF) capabilities or any other type of mobile device with wireless wide area communication capabilities, such as wide area network (WAN) or wireless local area network (WLAN) capabilities, and / or wireless near-field communication capabilities, such as Bluetooth or near field communication (NFC) capabilities.In various technologies, the mobile devices 114 and 104 can be referred to as mobile station (MS), user equipment (UE), user terminal (UT), subscriber station (SS), subscriber unit (SU), remote unit (RU), access terminal, and so on.

[0014] The communication system 100 further includes an infrastructure 120 with a radio access network (RAN) 122 communicating with a VPN gateway 126 (Virtual Private Network) and, via the VPN gateway, with several PKI devices 132, 136 (two shown), such as a Registration Authority (RA) 132 and a Certificate Authority (CA) 136, hosted in a PKI infrastructure 130. In various illustrative embodiments, the RA 132 and the CA 136 can each be hosted on the same or a different server, the server(s) comprising memory, a processor, and a suitable wired and / or wireless interface, which is operationally coupled to communicate with one or more of the multiple mobile devices 104, 114 via the RAN 122 and the VPN gateway 126.

[0015] The PKI infrastructure 130 further includes a Certificate Revocation List (CRL) 140, as known in the art, which contains a list of serial numbers of digital certificates that have been revoked, and a Certificate Authorization List (CAL) 142, which comprises a signed list of digital certificates, digital certificate serial numbers, or hashes of serial numbers associated with mobile devices authorized to participate in a given event response. The CRL 140 and the CAL 142 can be maintained by the CA 136 and distributed by the RA 132, or they can be maintained by one or more PKI devices that are separate from and accessible to both the RA 132 and the CA 136.The CRL 140 and the CAL 142 can be transferred intermittently or periodically through the PKI infrastructure to trusted mobile devices, such as the mobile device 104 and the VPN gateway 126.

[0016] A mobile device (104, 114) can then use CRL 140 to determine the revocation status of the digital certificate during the establishment of a secure tunnel using the PKI certificate-based Internet Protocol Security (IPsec) Internet Key Exchange protocol (IKE or IKEv2) and during other security protocol negotiations, such as Transport Layer Security (TLS). Furthermore, a mobile device (104, 114) can use CAL 142 to determine which digital certificates / mobile devices are authorized to participate in a given security procedure. This means that a mobile device can only accept a digital certificate with a serial number or checksum that is included in CAL 142 for a given security procedure.Thus, CAL 142 can be used to provide automated, ad-hoc, mission-specific trust building. For example, at the start of a tactical mission, a team leader can have a trusted mobile device, such as Mobile Device 104, which helps provide an initial certificate registration for other team members' mobile devices, as described here. Once all team members' mobile devices are registered, the trusted mobile device can generate a CAL for that specific mission and send the CAL to a RA, such as RA 132, in Infrastructure 120.The RA can then send the CAL, for example, using a PKI Certificate Management Protocol (CMP) notification, to all mobile devices, such as mobile device 114 operated by other team members, and to other equipment involved in the mission, such as unmanned drones. This enables the mobile devices and other equipment to participate in secure communications with each other during the mission. Any other mobile device with a valid certificate that is not displayed by the CAL cannot participate in communications for the mission, even if its certificate could pass traditional PKI validation.

[0017] Infrastructure 120 also contains a biometric database 150, which can be accessed by the multiple PKI devices 132 and 136. The biometric database stores participant or user identifiers associated with their biometric data. The biometric database 150 can be hosted by or separately from PKI infrastructure 130. When a PKI device, such as PKI devices 132 and 136, provides biometric data to the biometric database 150, the biometric database returns to the PKI device a participant or user identifier associated with the biometric data. The RAN 122 includes one or more wireless access nodes 124 (one shown) that provide wireless communication services to mobile devices located within a coverage area of ​​the access node, via a suitable air interface, such as the mobile devices 104 and 114 and the air interface 116.Air interface 116 contains an uplink and a downlink, with each uplink and downlink containing multiple traffic channels and multiple signal channels. While mobile devices 104 and 114 are in... Fig. In other embodiments of the present invention, where the mobile devices 114 and 104 are shown to be served by the same RAN, each of the mobile devices 114 and 104 can be served by different RANs than the other mobile devices. The different RANs can implement the same wireless technology or different wireless technologies, or they can be served by no RAN at all. For example, one of the mobile devices 104 and 114 can be a narrowband mobile device served by a narrowband RAN, and the other of the mobile devices 104 and 114 can be a broadband mobile device served by a broadband RAN.

[0018] The wireless access node 124 can be any network-based wireless access node, such as a Node B, an evolved Node B (eNB), an access point (AP), or a base station (BS). The RAN 122 can also include one or more access network controllers (not shown), such as a radio network controller (RNC) or a base station controller (BSC), coupled with the one or more wireless access nodes; however, in various embodiments of the present invention, the functionality of such an access network controller can be implemented in the access node.

[0019] For the purposes of the present invention, a first mobile device 104 of the multiple mobile devices 104, 114 of the communication system 100 is assumed to be a “trusted” mobile device, that is, a mobile device that is already registered with respect to the multiple PKI devices 132, 136 and that has received multiple digital certificates 106, 108, 138 from them. For example, in an Android operating system, a trusted mobile device, such as the mobile device 104, can carry multiple private keys 105, 107 (two shown) that were generated using digital signature algorithms (DSAs) such as Suite B Elliptic Curve DSAs (ECDSA), wherein the corresponding digital certificates, that is, the digital certificates 106, 108, are obtained from the PKI infrastructure 130. Such digital certificates 106, 108 are considered device certificates that are signed by a private key 137 of CA 136.In addition to device certificates 106 and 108, the mobile device 104 receives a certificate from Certificate Authority (CA) 138 from CA 136.

[0020] When a secure connection is established, such as an Internet Protocol Security (IPsec) Virtual Private Network (VPN) tunnel, with VPN gateway 126, the mobile device 104 presents its certificate 106 to VPN gateway 126 and, using CA certificate 138, validates a gateway / server certificate 128 (also referred to here as VPN certificate 128) presented by VPN gateway 126. When establishing the secure connection with mobile device 104, VPN gateway 126 also provides VPN certificate 128 to mobile device 104 and verifies the device certificate 106 of mobile device 104 using CA certificate 138. Similarly, mobile device 104 can establish a secure tunnel with another device, such as a device in the PKI infrastructure 130 or mobile device 114.The device certificate 108, also referred to here as device RA certificate 108, and its associated private key 107 are used by the mobile device 104 to perform a functionality of a Registration Authority (RA).

[0021] Each of the digital certificates 106, 108 and 138 contains a public key, that is, 'K PUB_106 ,' ‚K PUB_108 ' or 'K PUB_138 ,' and it also contains subject information / identity information of the key owner. Each of the public keys K PUB_106 , K PUB_108 and K PUB_138 has a corresponding private key, that is, K PVT_105 , K PVT_107 and K PVT_137 , which is managed by the key owner. For example, device certificate 106 includes a public key K. PUB_106 , which corresponds to the private key 105, that is, K PVT_105of the mobile device 104, the device RA certificate 108 includes a public key K PUB_108 , which corresponds to the private key 107, that is, K PVT_107 , used by the mobile device 104 when it operates as a RA, and the CA certificate 138 includes a public key K PUB_128 , which corresponds to a private CA key 137, that is, K PVT_137 of CA 136. In other words, K PUB_106 / K PVT_105 a public / private key pair associated with the mobile device 104 and the device certificate 106, K PUB_108 / K PVT_107 are a public / private key pair associated with the mobile device 104 and the RA device certificate 108, and K PUB_138 / K PVT_137are a public / private key pair associated with CA certificate 138 and CA 136. Based on the trust placed in CA certificate 138 by all devices in the system, the trusted mobile device, i.e., mobile device 104, is able to establish a secure connection or "tunnel," for example, an IPSec VPN tunnel, with infrastructure 120 and, in particular, with the VPN gateway 126 of communication system 100. And since an RA device certificate 108 is also issued by CA 136 (and through the private key 137, i.e., K), PVT_137 (is signed), the trusted device 104 is able to establish a direct secure tunnel with the RA 132 to make the functionality of the RA 132 available to other mobile devices, such as the mobile device 114.

[0022] A second mobile device 114 of the multiple mobile devices 104, 114 is an entity that has not yet received a digital certificate from the PKI infrastructure 130 and therefore lacks the ability to establish a secure connection or tunnel with the infrastructure 120.

[0023] Mobile devices 104 and 114 are "paired" to cooperate, so that information sent to or received from one of the mobile devices 104 or 114 can be based on information sent to or received from the other mobile device 114 or 104. "Pairing" the devices means that the devices are within range of each other and establish a connection via a short-range wireless connection 110, such as a Bluetooth connection, near-field communication (NFC), or Wi-Fi connection. The ability to perform device cooperation between mobile devices 104 and 114 enables mobile device 114 to use mobile device 104 as a proxy to communicate with the infrastructure 120.

[0024] Since elements of the RAN 122, such as the access node 124 and the gateway 126, the multiple PKI devices 132, 136, and the biometric database 150 are all elements of the infrastructure 120, each of them can be referred to as an infrastructure element of the communication system 100. The infrastructure 120 can be any type of communication network, with the mobile devices communicating with the infrastructure elements using any suitable air interface protocol and modulation scheme.Although not shown, the infrastructure 120 may include a further number of infrastructure elements for a commercial embodiment, which are generally, but not limited to, referred to as bridges, switches, zone controllers, routers, authentication centers, or any other type of infrastructure equipment that enables communication between units in a wireless or wired environment. Finally, it should be noted that the communication system 100 is represented by reference to a limited number of devices for illustrative purposes. However, any suitable number of PKI devices, mobile devices, and infrastructure elements can be implemented in a commercial system without losing the generality of the teachings presented here.

[0025] It will now be on Fig. Reference is made to Figure 2, which provides a block diagram of a mobile device 200, such as mobile devices 104 and 114, in accordance with some embodiments of the present invention. The mobile device 200 generally includes a processor 202, at least one memory device 204, and one or more input / output interfaces 210 (one shown), one or more wireless interfaces 212, 214 (two shown), and one or more biometric data acquisition devices 216 (one shown). It should be apparent to those skilled in the art that Fig. 2 shows a mobile device 200 in a highly simplified manner and that a practical embodiment may include additional components and may be suitably configured to process logic to support known or conventional operating features not detailed here.

[0026] The mobile device 200 operates under the control of the processor 202, such as one or more microprocessors, microcontrollers, digital signal processors (DSPs), combinations thereof, or other devices known to those skilled in the art. The processor 202 operates the mobile device according to data and instructions stored in the at least one memory device 204, such as random access memory (RAM), dynamic random access memory (DRAM), and / or read-only memory (ROM), or equivalents thereof, which stores data and instructions that can be executed by the processor, enabling the mobile device to perform the functions described herein.

[0027] The data and instructions maintained by the at least one storage device 204 contain software programs that include an ordered list of executable instructions for implementing logical functions. For example, the software in at least one storage device 204 includes a suitable operating system (O / S) and programs. The operating system essentially controls the execution of other computer programs and provides scheduling, input / output control, file and data management, memory management, and communication control, as well as related services. The programs may include various applications, add-ons, etc., configured to provide user functionality with the mobile device 200.Furthermore, at least one storage device 204 carries one or more mobile device identifiers, such as a mobile station identifier (MS ID), a subscriber unit identifier (SU ID), an International Mobile Subscriber Identity (IMSI), or a Temporary Mobile Subscriber Identity (TMSI), which uniquely identifies the mobile device in the communication system.

[0028] The mobile device 200 includes encryption and key management functionality. For example, at least one storage device 204 can contain a software-based encryption and key management module 206, which includes programs, for example an algorithm, for generating a key pair, that is, a private key (K). PVT ) and a corresponding public key (K PUB) of the mobile device, to compile other information needed to generate a certificate request, such as a certificate signing request (CSR), a certificate response, and a certificate acknowledgment relating to obtaining a digital certificate, such as a device certificate 106, as described herein, and to manage keys, tokens, and digital certificates, such as private keys 105 (K PVT_105 ) and 107 (K PVT_107 ), of the device certificate 106 (and the corresponding public key K) PUB_106 ), the RA device certificate 108 (and the corresponding public key K PUB_108 ), of the CA certificate 138 (and the corresponding public key K) PUB_138), CRL 140 and CAL 142. However, in another embodiment of the present invention, the mobile device 200 may additionally or instead include a hardware security module (HSM) 208. The HSM 208 is a hardware-based encryption and key management device that can provide hardware-based cryptographic functions, such as cryptographic functions according to Suite B, and that can provide fraud protection for keys, tokens, and digital certificates, such as the device private keys 105 and 107, device certificates 106 and 108, the CA certificate 138, the CRL 140, and the CAL 142.From a practical standpoint, when the HSM 208 is used, the private device keys 105 and 106 are generated in the HSM 208 and are not exposed to any other component of the mobile device. However, the device certificate 106, the RA device certificate 108, the CA certificate 138, the CRL 140, and the CAL 142 can be copied to at least one storage device 204 for the sake of efficiency in cryptographic operations. For example, the HSM 208 could be a CRYPTR microchip, available from Motorola Solutions, Inc., Schaumburg, Illinois, which can be installed in a microSD slot of a mobile device. A CRYPTR-based PKI operation is more secure than a software-based key storage approach, as implemented by the encryption and key management module 206. This means that the CRYPTR generates and stores private keys in a tamper-proof hardware security module.For each PKI operation, data is sent to the CRYPTR, which then performs the signing and returns the signed data to the requesting application. Therefore, the private keys are never exposed to any application running on the mobile device.

[0029] The I / O interfaces 210 can include user interfaces that allow a user to input information into and receive information from the mobile device 200. For example, the user interfaces can include a keyboard, a touchscreen, a scroll ball, a scroll bar, buttons, a barcode scanner, and the like. Furthermore, the user interfaces can include a display device, such as a liquid crystal display (LCD), a touchscreen, and the like, for displaying system output. The I / O interfaces 212 can also include, for example, a serial port, a parallel port, a small computer system interface (SCSI), an infrared (IR) interface, a USB (universal serial bus) interface, a microSD slot, and the like, for communicating with or connecting to other external devices.

[0030] The one or more wireless interfaces 212, 214 enable wireless communication with other mobile devices and / or with the RAN 122. For example, the one or more wireless interfaces 212, 214 can include a first short-range wireless interface 212 for short-range communication, such as via the short-range wireless link 110. For example, the short-range wireless interface 212 can be a near-field communication (NFC) device containing an NFC transceiver and an antenna, a Bluetooth device containing a Bluetooth transceiver and an antenna, or a wireless local area network (WLAN) device containing a WLAN transceiver and an antenna.Furthermore, one or more wireless interfaces 212, 214 can include a second longer-range wireless interface 214, such as a radio transceiver of a wireless area network (WAN) with a corresponding antenna.

[0031] The one or more biometric data acquisition devices 216 collect biometric data from a user of a mobile device, for example, users 102 and 112 of mobile devices 104 and 114, and they store the collected biometric data in at least one storage device 204. For example, the one or more biometric data acquisition devices 216 may include an imaging device, such as a digital camera, which the user can use to take his or her picture, a fingerprint scanner, which the user can use to scan his or her fingerprint into the mobile device 200, or a microphone that captures audio data and identifies a user's voice pattern accordingly.The stored biometric data can then be made available by the mobile device 200 to another device of the communication system 100, such as another mobile device or the PKI devices 132 and 136, and can be used to verify the identity of the user associated with the biometric data.

[0032] The components (202, 204, 208, 210, 212, 214, and 216) of the mobile device 200 are coupled to a local interface 220 for communication purposes. The local interface 220 can, for example, without limitation, be one or more buses or other wired or wireless connections as known in the art. The local interface 220 can include additional elements, omitted for the sake of simplicity, such as controllers, buffers (caches), drivers, repeaters, and receivers, among many others, to enable communication. Furthermore, the local interface 220 can include address, control, and / or data connections to enable appropriate communication between the aforementioned components.

[0033] It will now be on Fig. Reference is made to Figure 3, which provides a block diagram of a PKI device 300, such as PKI devices 132 and 136, in accordance with some embodiments of the present invention. The PKI device 300 operates under the control of a processor 302, such as one or more microprocessors, microcontrollers, digital signal processors (DSPs), combinations thereof, or other devices known to those skilled in the art. The processor 302 operates the PKI device according to data and instructions stored in at least one memory device 304, such as random access memory (RAM), dynamic random access memory (DRAM), and / or read-only memory (ROM), or equivalents thereof, which stores data and programs executed by the corresponding processor, enabling the server to perform the functions described herein.

[0034] The PKI device 300 further includes one or more network interfaces 306 for connecting to other elements of the infrastructure 120, such as a VPN gateway 126, and, via the gateway, to other devices of the communication system 100, such as the mobile devices 104 and 114. The one or more network interfaces 306 can include a wireless, a wired, and / or an optical interface capable of transmitting messages to and receiving messages, such as data packets, from the gateway 126.

[0035] The PKI device 300 also contains, or is connected to via one or more network interfaces 306, a certificate repository (CR) 310, such as the CR 144, which is typically implemented with a database, and is used to provide persistent storage of digital certificates 312, such as RA certificate 134, CA certificate 138 and digital certificates associated with mobile devices 104, 114, the digital certificates being used by the PKI device to validate the mobile devices and / or their users and thus to communicate securely.The CR 310 stores and provides public and private keys 314 associated with the PKI devices using the CR and the mobile devices served by the CR, such as a private key 133 of RA 132, a private key 137 of CA 136, private keys 105 and 107 of the mobile device 104, and their corresponding public keys. Additionally, the CR 310 stores a CRL 316, similar to CRL 140, and a CAL 318, similar to CAL 142. In various embodiments of the present invention, the CR 310 can be implemented by RA 132 or CA 136, it can be distributed between RA 132 and CA 136, or it can be implemented by a PKI device of the PKI infrastructure 130 that is separate from, but reachable by, both RA 132 and CA 136.

[0036] The components (302, 304, 306, 310) of the PKI device 300 are coupled to a local interface 308 for communication purposes. The local interface 306 can be, for example, but is not limited to, one or more buses or other wired or wireless connections as known in the art. The local interface 308 may include additional elements, omitted for the sake of simplicity, such as controllers, buffers (caches), drivers, repeaters, and receivers, among many others, to enable communication. Furthermore, the local interface 308 may include address, control, and / or data connections to enable appropriate communication between the aforementioned components.

[0037] Unless otherwise specified herein, the functionality here described as being performed by a mobile device, such as mobile devices 104 and 114, and by a PKI device, such as PKI devices 132 and 136, is implemented by or in software programs and instructions stored in the respective storage device 204, 304 of the mobile device and the PKI device, and executed by the associated processor 202, 302 of the mobile device and the PKI device.

[0038] The present teachings are directed to procedures for initial certificate registration for a newly registering mobile device, such as the mobile device 114. Initial certificate registration, as discussed here, is directed to a process aimed at obtaining a digital initial certificate for an end device, such as the mobile device 114, from a PKI device, such as the RA 132 and the CA 136. During certificate registration according to the prior art, an end device sends an initial certificate signing request (CSR) to one or more PKI devices to request a certificate from the PKI device(s).However, since this is the initial CSR, and the PKI device(s) have not yet issued any previous certificates to the end device, the end device typically lacks reliable means to cryptographically protect and bind the initial CSR before it is transmitted through a communication system. To prevent unauthorized access to the initial CSR, which could result in the CA issuing a legitimate certificate based on a compromised CSR, the initial CSR sent by the end device must be protected.

[0039] Accordingly, in the communication system 100, a newly registered mobile device, i.e., the second mobile device 140 (here also referred to as 'new mobile device 114'), uses the short-range wireless connection 110 to establish a secure channel (for example, secured by keys and / or by visual validation due to the close proximity of the users of the mobile devices) with an already registered trusted mobile device, i.e., the mobile device 104 (here also referred to as 'trusted mobile device 104'), by establishing a pair, for example, by using an encryption and key handling module 206 and / or a hardware security module (HSM) 208.The new mobile device 114 generates a certificate request and forwards it to the trusted mobile device 104, along with biometric data associated with the user 112 of the new mobile device 114. The trusted mobile device 104 acts as a registration authority (RA) and uses its own secure network connection to the infrastructure 120 to perform the initial certificate registration on behalf of the mobile device 114 with RA 132 and / or CA 136. Specifically, the trusted mobile device 104 validates the certificate request received from the mobile device 114 and assembles a message containing at least part of the received certificate request along with the biometric data of the user 112 of the new mobile device 114.The trusted mobile device 104 signs the message using its own private key and transmits the signed message to the PKI devices 132 and 136 via the trusted mobile device's secure network connection to the infrastructure 120. Upon receiving the signed message, the PKI devices 132 and 136 verify the identity of user 112 based on the received biometric data and issue a new certificate for the new mobile device 114. The PKI devices 132 and 136 then transmit the new certificate to the new mobile device 114 via the trusted mobile device 104 and the secure tunnel between the trusted mobile device and the infrastructure 120.

[0040] In various other embodiments of the present invention, this certificate registration method can be extended by additional authentication, for example, by using signatures generated and verified with key pairs from both mobile devices 104 and 114. An advantage of this method is that when multiple mobile devices are trusted through this method, it becomes easier to register the new mobile device remotely, thereby creating a cascading registration solution that allows a large number of mobile devices to be registered quickly.

[0041] It will now be referred to as Fig. 4A, Fig. 4B and Fig.Reference is made to Figure 4C, which provides a message flow diagram 400 illustrating a procedure performed by the communication system 100 when performing an initial certificate registration of a mobile device, in accordance with some embodiments of the present invention. The message flow diagram 400 begins when a first trusted mobile device, that is, the mobile device 104, establishes a first wireless connection, that is, a secure connection or a “tunnel”, with the infrastructure 120 via a second wireless interface 214 (402), and in particular establishes the secure connection or tunnel with the gateway 126 via the interface 116 and via the RAN 122.

[0042] Before, simultaneously with, or after the mobile device 104 establishes the secure connection or "tunnel" with the infrastructure 120, the trusted mobile device "pairs" (404) with a second new mobile device (i.e., one not yet registered with the PKI devices 132 and 136), that is, it establishes a second wireless connection with the mobile device 114, using their respective short-range wireless interfaces and via the short-range wireless link 110. Many short-range wireless technologies are available today, and most of them are standardized and implemented in small, low-cost integrated circuits or in complete drop-in modules.The short-range wireless connection provides a natural protection against hackers due to its limited range; for example, NFC pairing between two mobile devices can only take place when one mobile device touches the other mobile device.

[0043] For example, if mobile devices 104 and 114 are in close proximity, pairing can occur if two Bluetooth-enabled devices agree to communicate and establish a secure connection over the short-range wireless link 110 in accordance with the Bluetooth protocol. In some cases, Bluetooth can provide the necessary security association, and in other cases, a higher communication layer can provide the necessary security association. In some cases, a shared secret, sometimes called a link key, is verified by both mobile devices 104 and 114. Once a link key is verified by both sides, an authenticated ACL (Asynchronous Connection-Less) connection is encrypted between the mobile devices to protect the exchanged data.Experts recognize that once a security association exists between mobile devices, data can be securely transmitted between them using that security association.

[0044] In another embodiment of the present invention, the pairing can be generated using NFC. As is known in the art, an NFC pairing includes an elliptic curve Diffie-Hellman negotiation (ECDH) between the mobile devices 104 and 114 to generate a shared session key, which is stored by the encryption and key management functionality of each mobile device, such as the encryption and key management module 206 or the HSM 208. After the ECDH negotiation, the messages exchanged between the mobile devices 104 and 114 over the short-range connection 110 using NFC are encrypted by the shared session key.

[0045] After pairing the trusted mobile device 104 and the new mobile device 114, (406) transfers the trusted mobile device 104 to the mobile device 114 via the connection established over the short-range wireless link 110, transmitting the RA device certificate 108 and the CA certificate 138, with the RA and CA certificates being managed by the trusted mobile device. In response to receiving the RA device certificate 108 and the CA certificate 138, (408) the new mobile device 114 generates a private / public key pair, that is, a first private key 'K'. PVT_114 ' and a corresponding first public key 'K' PUB_114 ', for example an ECDSA key pair, and stores the generated public / private key pair in its encryption and key handling module 206 and / or the HSM 208. Subsequently, (410) the new mobile device 114 transfers the public key 'K PUB_114' to the trusted device 104 via their respective short-range wireless interfaces 212 and via the short-range wireless link 110. In response to receiving the public key 'K PUB_114 'The trusted mobile device 104 stores the public key in its encryption and key management module 106 and / or the HSM 208.

[0046] Furthermore, in response to receiving the RA device certificate 108 and the CA certificate 138, (412) the new mobile device 114 receives initial biometric data and stores it in at least one storage device 204 of the mobile device 114, the initial biometric data being biometric data associated with the user of the trusted mobile device 104. For example, a fingerprint scanner of one or more biometric data capture devices 216 of the mobile device 114 can scan a fingerprint of user 102. In another example, the user 112 of the new mobile device 114 can take a picture of user 102 using a digital camera of one or more biometric data capture devices 216 of the new mobile device 114.The new mobile device 114 then assembles an initial certification request, whereby the certification request asks for a digital certificate for the new mobile device 114 and requests identity information as well as the public key (K. PUB_114) contains the data associated with the requesting party (i.e., user 112 / mobile device 114), as well as the initial biometric data (i.e., the biometric data associated with user 102). For example, the initial certificate request can be a modified version of a PKI Certificate Management Protocol (CMP) certificate request, as described in Internet Engineering Task Force (IETF) Request for Comments (RFC) 4201, where the CMP certificate request is modified by including the initial biometric data and a CMP extension field. Furthermore, the new mobile device 114 signs the initial certificate request using its private key, i.e., the initial private key K. PVT_114(also referred to here as the 'popo' signature) to generate a signed initial certificate request, and it transfers (414) the signed initial certificate request to the trusted mobile device 104 via their respective short-range wireless interfaces 212 and the short-range wireless link 110. For example, sample instructions for assembling the signed initial certificate request may include the code listed in Table 1:

[0047] In response to receiving the signed first certificate request, (416) the trusted mobile device 104 validates the signature of the new mobile device 114 (that is, the 'popo' signature) of the first certificate request by using the first public key K PUB_114 , where the key corresponds to the private key K PVT_114corresponds to the one used to sign the initial certification request. Furthermore, (418) the trusted mobile device 104 receives second biometric data and stores it in at least one storage device 204 of the mobile device 104, wherein the second biometric data is biometric data associated with the user 112 of the new mobile device 114. For example, a fingerprint scanner of one or more biometric data collection devices 216 of the trusted mobile device 104 can scan a fingerprint of the user 112, or the user 102 can take a picture of the user 112 using a digital camera of one or more biometric data capture devices 216 of the trusted mobile device 104.

[0048] If the trusted mobile device 104 determines that the first certificate request is valid, the trusted mobile device constructs a second certificate request. This second request requests a digital certificate for the new mobile device 114 and includes the first biometric data (that is, the biometric data associated with user 102) as well as the second biometric data (that is, the biometric data associated with user 112). For example, the second certificate request could also be a modified CMP certificate request, where the modified CMP certificate request includes at least some (that is, some, most, or all) of the first certificate request, including the identity information and the public key (K). PUB_114), which are associated with user 112 / mobile device 114, and the first biometric data, furthermore including the second biometric data in a CMP extension field of the second certificate request. Furthermore, the trusted mobile device 104 signs the second certificate request using a second private key, namely the private key K. PVT_107 of the public / private key pair (that is, K) PUB_108 / K PVT_107), associated with the RA device certificate 108 of the trusted device 104 to generate a signed second certificate request. The trusted mobile device 104 transfers (418, 420) the signed second certificate request to the PKI infrastructure 130, and specifically to the RA 132, via the secure connection, or "tunnel," established with the gateway 126. For example, sample instructions executed by the trusted mobile device to validate the signature of the new mobile device 114 and to assemble the signed second certificate request might include the code listed in Table 2:

[0049] In response to receiving the signed second certificate request, (422) RA 132 validates the second certificate request by validating the signature of the trusted mobile device 104 from the second certificate request using a second public key, namely the public key K PUB_108 of the public / private key pair associated with the RA device certificate 108 of the trusted device 104, and by validating using the public key K PUB_114the signature of the new mobile device 114 from at least part of the first certification request. (It should be noted that the RA device certificate 108 of the trusted device 104 is also stored in CR 306, which is accessible by both RA 132 and CA 136.) Furthermore, RA 132 verifies (424) the identities of users 102 and 112 by referencing the biometric database 150 and based on the first and second biometric data included in the second certification request. For example, RA 132 can query the biometric database 150 for a subscriber identifier associated with both the first and second biometric data, with the query including the first and second biometric data.In response to receiving the first and second biometric data, the biometric database returns 150 subscriber identifiers associated with both users 102 and 112, and it can further return identifiers of their respective mobile devices, that is, mobile devices 104 and 114.

[0050] In response to the validation of the signatures of the trusted mobile device 104 and the new mobile device 114, and the verification of the identities of users 102 and 112, RA 132 forwards to CA 136 at least part of the first certificate request, which is contained in the second certificate request. In response to receiving at least part of the first certificate request, CA 136 issues a new digital certificate for the new mobile device 114 (428), wherein the new digital certificate, as is known, for example, in the art, contains an identifier of the new mobile device 114, a certificate serial number, one or more expiration dates, and the public key (K). PUB_114) of the mobile device 114. Furthermore, the new digital certificate contains a digital signature generated by CA 136, meaning that CA 136 signs a certificate data portion of the new digital certificate with the private key 137 (K PVT_137 ) of CA 136, where the private key corresponds to the public key K PUB_138 corresponds to the one contained in CA certificate 138.

[0051] Either CA 136 or RA 132 then generates an initial certificate response, such as a CMP certificate response, containing the new digital certificate for the new mobile device 114. For example, CA 136 can generate the initial certificate response, or CA 136 can transfer a new digital certificate for the new mobile device 114 to RA 132 (430), and RA 132 can then generate the initial certificate response. RA 132 signs the initial certificate response using a third private key, namely private key 133 (K). PVT_133 ) the RA 132, and it contains its RA certificate 134 in the response, where the RA certificate contains the public key K PUB_134contains the private key 133. RA 132 transfers (432, 434) the signed first certificate response to the trusted mobile device 104 via the gateway 126, the RAN 122, and the secure connection between the RAN and the trusted mobile device. For example, sample instructions for assembling the signed first certificate response might include the code listed in Table 3:

[0052] In response to receiving the signed first certification response, (436) the trusted mobile device 104 validates the signature of RA 132 from the first certification response using a third public key, namely K. PUB_134 , corresponding to the third private key (K PVT_133), which was used to sign the first certification response. The trusted mobile device 104 then assembles a second certification response, such as a CMP certification response, containing the new digital certificate for the new mobile device 114, and transfers (438) the second certification response to the new mobile device 114 via their respective short-range wireless interfaces 212 and short-range wireless link 110. For example, sample instructions for assembling the signed second certification response might include the code listed in Table 4:

[0053] In response to the validation of the first certification response, the trusted mobile device 104 grazes the signature of RA 132 (that is, K). PVT_133) from the first certification response and assembles a new certification response into which the trusted mobile device includes the new digital certificate, and signs the new certification response with the private RA device key 107 of the mobile device 104, that is, K PVT_107 .

[0054] In response to receiving the signed second certification response, (440) the new mobile device 114 validates the signed second certification response using the public key that corresponds to the private key that was used to sign the second certification response, that is, using the public key K PUB_108 of the RA device certificate 108 of the K PVT_107 corresponds. Furthermore, (442) the new mobile device 114 authenticates the new digital certificate using the public key of the CA certificate 138, that is, K PUB_138 , which corresponds to the private key K PVT_137the CA 136, which was used to sign the new digital certificate. In response to successful validation of the signed second certification response and authentication of the new digital certificate, (444) the new mobile device 114 stores the new digital certificate in its encryption and key management module 206 and / or the HSM 208.

[0055] At this point, the certificate registration of the new mobile device 114 can be considered complete, and the message flow diagram 400 can end. However, in another embodiment of the present invention, the new mobile device 114 and the trusted mobile device 104 can still terminate their connection via the short-range data connection 110 (454), and the new mobile device can establish a secure connection, or tunnel, with the infrastructure 120 using its new digital certificate, without a connection through the trusted mobile device 104.

[0056] In other embodiments of the present invention, in response to the validation of the signed second certificate response and the authentication of the new digital certificate, the new mobile device 114 can also confirm the receipt and authentication of the new digital certificate by transmitting (446, 448, 450, 452) a certificate acknowledgment, such as a CMP certificate acknowledgment, to the PKI infrastructure 130 and one or more PKI devices 132 and 136 via the short-range wireless connection 110, the trusted mobile device 114 and the secure connection between the trusted mobile device and the RAN 122, RAN 122 and gateway 126.

[0057] Thus, by providing a registration for the newly registering mobile device 114 using a secure connection with an already registered trusted mobile device 104 and by piggybacking on the secure connection established by the trusted mobile device with the PKI infrastructure 130, the communication system 100 provides a reliable means for cryptographically protecting and binding an initial certification request before the initial certification request is sent by the communication system.By continuing to provide biometric data associated with a user of the other mobile device for each of the mobile devices 104 and 114, the communication system 100 provides confirmation of the identities of the user 102, 112 from each mobile device 104, 114, and better ensures that a hacker will not be able to use the trusted mobile device 104 to illegally obtain a digital certificate.

[0058] Specific embodiments have been described in the preceding specification. However, it is clear to those skilled in the art that various modifications and changes can be made without departing from the spirit of the invention, as set out in the claims below. Accordingly, the specification and the figures are to be understood in an illustrative rather than a restrictive sense, and all such modifications are intended to be in keeping with the spirit of the present teachings.

[0059] The benefits, advantages, problem solutions, and any conceivable element that leads to or enhances any benefit, advantage, or solution shall not be construed as critical, necessary, or essential features or elements of any claim or all claims. The invention is defined exclusively by the attached claims, including any amendment made during the pendency of the present application and all equivalents of such claims as published.

[0060] Furthermore, in this document, relational expressions such as first and second, above and below, and the like are to be used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual relationship or order between such entities or actions. The expressions "includes," "comprising," "has," "having," "include," "containing," "containing," or any variation thereof are to cover non-exclusive inclusion, so that a process, procedure, article, or device that includes, has, includes, or contains a list of elements may not only include such elements but may also include other elements not expressly listed or inherent in such processes, procedures, articles, or devices. An element that continues with "includes... a," "has..."The terms "one," "includes... one," and "contains... one" do not, without further stipulations, exclude the existence of additional identical elements in the process, method, article, or apparatus that comprise, have, include, or contain the element. The terms "one" and "a" are defined as one or more unless explicitly stated otherwise herein. The terms "essentially," "essentially," "approximately," "about," or any other version thereof are defined as "being close to" as is clear to those skilled in the art, and in one non-limiting embodiment, the term is defined as being within 10%, in another embodiment within 5%, in another embodiment within 1%, and in yet another embodiment within 0.5%. The term "coupled," as used herein, is defined as "connected," although not necessarily directly and not necessarily mechanically.A device or structure that is “configured” in a certain way is configured at least in that way, but may also be configured in at least one other way not listed.

[0061] It is desired that some embodiments include one or more generic or specialized processors (or “processing devices”), such as microprocessors, digital signal processors, custom processors, and freely programmable field-gate arrays (FPGAs), and unique stored program instructions (comprising both software and firmware) that control the one or more processors to implement, in conjunction with certain non-processor circuitry, some, most, or all of the functions of the method and / or device described herein.Alternatively, some or all functions can be implemented by a state machine that has no stored program instructions, or in one or more application-specific integrated circuits (ASICs) in which each function, or some combinations of certain functions, are implemented as custom logic. Naturally, a combination of the two approaches can be used. Both the state machine and the ASIC are understood here as a "processing device" for the purposes of the above discussion and claim formulation.

[0062] Furthermore, an embodiment can be implemented as a computer-readable storage medium containing computer-readable code stored thereon for programming a computer (which, for example, includes a processor) to perform a method described and claimed herein. Examples of such computer-readable storage media include, but are not limited to: a hard disk, a CD-ROM, an optical storage device, a magnetic storage device, a ROM (read-only memory), a PROM (programmable read memory), an EPROM (erasable programmable read memory), an EEPROM (electrically erasable programmable read memory), and flash memory.Furthermore, it can be expected that a person skilled in the art, regardless of possible considerable effort and a large selection of designs, which is justified, for example, by available time, current technology and economic considerations, guided by the concepts and principles disclosed herein, will be able to produce such software instructions, programs and ICs with minimal experimental effort.

[0063] The summary of the disclosure is provided to allow the reader to quickly grasp the nature of the technical disclosure. It is submitted with the understanding that it is not intended to interpret or limit the spirit or meaning of the claims. Furthermore, it is clear from the preceding detailed description that various features in different embodiments are grouped together to streamline the disclosure. This method of disclosure should not be interpreted as reflecting an intention that the claimed embodiments require more features than are expressly stated in each claim. Rather, as is evident from the following claims, an inventive subject matter is present in fewer than all the features of any single disclosed embodiment.Thus, the following claims are integrated into the detailed description, with each claim standing alone as a separately claimed subject matter.

Claims

[1] Method for providing an initial certification registration in a wireless communication system, the method comprising: Establishing an initial wireless connection to an infrastructure using an initial mobile device; Establishing a second wireless connection with a second mobile device through the first mobile device; Receiving an initial certification request by the first mobile device from the second mobile device and via the second wireless connection, wherein the initial certification request includes a request for a digital certificate for the second mobile device and for initial biometric data associated with a user of the first mobile device; Obtaining second biometric data, where the second biometric data is associated with a user of the second mobile device; Transmitting a second certification request to the infrastructure and over the first wireless connection, wherein the second certification request includes the request for the digital certificate for the second mobile device, the first biometric data, and the second biometric data; in response to the transmission of the second certification request to the infrastructure, receiving the digital certificate for the second mobile device from the infrastructure and via the first wireless connection, wherein a certification response includes the digital certificate for the second mobile device, wherein the certification response is signed with a third private key; Transferring the digital certificate to the second mobile device via the second wireless connection; Transferring a digital certificate associated with the first mobile device from the first mobile device to the second mobile device; in response to the transfer of the digital certificate associated with the first mobile device to the second mobile device, receiving a public key from the second mobile device; where receiving the first certification request includes receiving the first certification request signed by a private key that corresponds to the public key; where the private key includes a first private key and where the process involves submitting a second certification request to the infrastructure: Signing the second certificate request using a second private key to generate a signed second certificate request; and Transferring the signed second certification request to the infrastructure; the process still includes validating the initial certification request based on the public key. [2] Method according to claim 1, wherein the digital certificate associated with the first mobile device is a registration authority certificate of the first mobile device. [3] Method according to claim 1, wherein the second private key is a private key associated with a registration authority certificate of the first mobile device. [4] Method according to claim 3, further comprising validating the signed second certification request based on a first public key associated with the first private key and a second public key associated with the second private key. [5] The method of claim 4, further comprising: Issuance of the digital certificate for the second mobile device in response to the validation of the signed second certification request. [6] Method according to claim 1, wherein the transfer of the digital certificate comprises: Transmitting a certification response to the second mobile device over the second wireless connection, which includes the digital certificate, wherein the certification response is signed by a private key associated with the first mobile device. [7] The method of claim 1, further comprising: Verifying the identity of the user of the first mobile device and the identity of the user of the second mobile device, based on the first biometric data and the second biometric data; and Issuance of the digital certificate in response to verification of the identity of the user of the first mobile device and the identity of the user of the second mobile device. [8] Mobile device capable of enabling initial certification registration in a wireless communication system, the mobile device comprising: a processor; at least one storage device configured to store instructions which, when executed by the processor, cause the processor to do the following: Establishing an initial wireless connection; Establish a second wireless connection with another mobile device; Receiving an initial certification request from the other mobile device and via the second wireless connection, wherein the initial certification request includes a request for a digital certificate for the other mobile device and for initial biometric data associated with a user of the mobile device; Obtaining second biometric data, where the second biometric data is associated with a user of the other mobile device; Transmitting a second certification request to the infrastructure and over the first wireless connection, the second certification request comprising the request for the digital certificate for the other mobile device, the first biometric data, and the second biometric data; in response to the transmission of the second certification request to the infrastructure, receiving the digital certificate for the other mobile device from the infrastructure and via the first wireless connection; and Transferring the digital certificate to the other mobile device via the second wireless connection; wherein at least one storage device is configured to store instructions which, when executed by the processor, cause the processor to do the following: Transferring a digital certificate associated with one mobile device to another mobile device; in response to the transfer of the digital certificate associated with the mobile device to the other mobile device, receiving a public key from the other mobile device by receiving a certification response from the infrastructure and via the first wireless connection that includes the digital certificate for the other mobile device, the certification response being signed by a third private key. where receiving the first certification request includes receiving the first certification request signed by a private key that corresponds to the public key; and where the private key includes a first private key and where at least one storage device is configured to forward a second certification request to the infrastructure, by: Signing the first certificate request using a second private key to generate a signed second certificate request; and Transferring the signed second certification request to the infrastructure; wherein at least one storage device is configured to store instructions which, when executed by the processor, cause the processor to validate the first certification request based on the public key. [9] Mobile device according to claim 8, wherein the at least one storage device is configured to hold a registration authority certificate of the mobile device, and wherein the digital certificate associated with the mobile device is the registration authority certificate. [10] Mobile device according to claim 8, wherein the second private key is a private key associated with a registration authority certificate of the mobile device. [11] Mobile device according to claim 8, wherein the at least one storage device is configured to transfer the digital certificate by: Transferring a certification response to the other mobile device via the second wireless connection, which includes the digital certificate for the other mobile device, wherein the certification response is signed by a private key associated with a mobile device.