Activation of mobile devices in enterprise mobile management

US 10,142,323 B2
Filed: 04/11/2016
Issued: 11/27/2018
Est. Priority Date: 04/11/2016
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

generating, at a mobile device, a first device security certificate, the first device security certificate including a representation of an identifier of the mobile device and a representation of a device key in a signature of the first device security certificate;

transmitting, by the mobile device, the first device security certificate to an authentication server;

receiving, at the mobile device, a server security certificate from the authentication server in response to a successful authentication by the authentication server, the server security certificate including a representation of a server key in a signature of the server security certificate, the server key corresponding to the device key and to a representation of a shared secret stored on the mobile device and known by the authentication server;

validating, at the mobile device, the server security certificate based on the signature of the server security certificate that includes the representation of the server key;

establishing, by the mobile device, a secure connection with the authentication server based on the first device security certificate and the server security certificate; and

enrolling, at the mobile device, at least one second device security certificate for formal communication over the secure connection.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure is drawn to systems and methods for activating a mobile device in an enterprise mobile management context. The mobile device is configured to generate a first device security certificate which comprises a device key and an identifier of the mobile device. The device key corresponds to a shared secret known to the mobile device and to an authentication server. The mobile device sends the first device security certificate to the authentication server. The authentication server validates the mobile device by comparing the device key to a server key and by locating the identifier in a list of known identifiers. When the mobile device is validated, the authentication server sends a first server security certificate to the mobile device. The first device and server security certificates may then be used to establish a secure connection, over which a second set of device and server certificates may be enrolled.

Citations

18 Claims

1. A method, comprising:
- generating, at a mobile device, a first device security certificate, the first device security certificate including a representation of an identifier of the mobile device and a representation of a device key in a signature of the first device security certificate;
  
  transmitting, by the mobile device, the first device security certificate to an authentication server;
  
  receiving, at the mobile device, a server security certificate from the authentication server in response to a successful authentication by the authentication server, the server security certificate including a representation of a server key in a signature of the server security certificate, the server key corresponding to the device key and to a representation of a shared secret stored on the mobile device and known by the authentication server;
  
  validating, at the mobile device, the server security certificate based on the signature of the server security certificate that includes the representation of the server key;
  
  establishing, by the mobile device, a secure connection with the authentication server based on the first device security certificate and the server security certificate; and
  
  enrolling, at the mobile device, at least one second device security certificate for formal communication over the secure connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein generating the first device security certificate comprises:
    - generating a root certificate based on the device key; and
      
      signing the first device security certificate with the root certificate.
  - 3. The method of claim 1, wherein generating the first device security certificate including the representation of the identifier of the mobile device comprises providing at least part of an International Mobile Station Equipment Identity (IMEI) of the mobile device in the first device security certificate.
  - 4. The method of claim 3, wherein generating the first device security certificate including the representation of the identifier of the mobile device comprises providing a hash of the IMEI of the mobile device in the first device security certificate.
  - 5. The method of claim 1, wherein establishing the secure connection comprises establishing a transport layer security tunnel.
  - 6. The method of claim 1, wherein enrolling the at least one second server security certificate comprises receiving, from the authentication server, over the secure connection, the at least one second device security certificate signed by a certification authority of the authentication server.
  - 7. The method of claim 1, further comprising deleting the first device security certificate and the server security certificate after the at least one second device security certificate has been enrolled.
  - 8. The method of claim 1, wherein the secure connection is a temporary secure connection, and further comprising establishing at least one formal secure connection, separate from the temporary secure connection, with the authentication server, based on the at least one second device security certificate.
  - 9. The method of claim 8, wherein establishing the at least one formal secure connection comprises terminating the temporary secure connection after establishing the at least one formal secure connection.

10. A mobile device, comprising:
- a processing unit; and
  
  a memory, communicatively coupled to the processing unit and comprising computer-readable program instructions executable by the processing unit for;
  
  generating, at a mobile device, a first device security certificate, the first device security certificate including a representation of an identifier of the mobile device and a representation of a device key in a signature of the first device security certificate;
  
  transmitting, by the mobile device, the first device security certificate to an authentication server;
  
  receiving, at the mobile device, a server security certificate from the authentication server in response to a successful authentication by the authentication server, the server security certificate including a representation of a server key in a signature of the server security certificate, the server key corresponding to the device key and to a representation of a shared secret stored on the mobile device and known by the authentication server;
  
  validating, at the mobile device, the server security certificate based on the signature of the server security certificate that includes the representation of the server key;
  
  establishing, by the mobile device, a secure connection with the authentication server based on the first device security certificate and the server security certificate; and
  
  enrolling, at the mobile device, at least one second device security certificate for formal communication over the secure connection.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The mobile device of claim 10, wherein generating the first device security certificate comprises:
    - generating a root certificate based on the device key; and
      
      signing the first device security certificate with the root certificate.
  - 12. The mobile device of claim 10, wherein generating the first device security certificate including the representation of the identifier of the mobile device comprises providing at least part of an International Mobile Station Equipment Identity (IMEI) of the mobile device in the first device security certificate.
  - 13. The mobile device of claim 12, wherein generating the first device security certificate including the representation of the identifier of the mobile device comprises providing a hash of the IMEI of the mobile device in the first device security certificate.
  - 14. The mobile device of claim 10, wherein establishing the secure connection comprises establishing a transport layer security tunnel.
  - 15. The mobile device of claim 10, wherein enrolling the at least one second server security certificate comprises receiving, from the authentication server, over the secure connection, the at least one second device security certificate signed by a certification authority of the authentication server.
  - 16. The mobile device of claim 10, further comprising deleting the first device security certificate and the server security certificate after the at least one second device security certificate has been enrolled.
  - 17. The mobile device of claim 10, wherein the secure connection is a temporary secure connection, and wherein the program instructions are further executable by the processing unit for establishing at least one formal secure connection, separate from the temporary connection, with the authentication server based on the at least one second device security certificate.
  - 18. The mobile device of claim 17, wherein establishing the at least one formal secure connection comprises terminating the temporary secure connection after establishing the at least one formal secure connection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Inventors
Wan, Tao
Primary Examiner(s)
Lwin, Maung T
Assistant Examiner(s)
Bucknor, Olanrewaju J.

Application Number

US15/095,887
Publication Number

US 20170295168A1
Time in Patent Office

960 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/0876   based on the identity of th...

H04L 63/166   at the transport layer

H04W 12/06   Authentication

H04W 12/71   Hardware identity

Activation of mobile devices in enterprise mobile management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Activation of mobile devices in enterprise mobile management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links