From d0a80888a02cb82e4bfd91dbbf335e7696a504d5 Mon Sep 17 00:00:00 2001 From: Magnus Feuer Date: Thu, 2 Jul 2015 16:22:07 -0700 Subject: Updated token and initial certificate distribution mechanisms --- doc/rvi_services.md | 36 ++++++++++++++++++++++++++---------- 1 file changed, 26 insertions(+), 10 deletions(-) diff --git a/doc/rvi_services.md b/doc/rvi_services.md index f7e43ac..94ea011 100644 --- a/doc/rvi_services.md +++ b/doc/rvi_services.md @@ -138,21 +138,25 @@ The app is started for the first time and connects to the provisioning server. 2. Device sends authenticate to server
The command contains the auth cert (device public key) and the single, -pre-provisioned node certificate giving the device the right to invoke ```jlr.com/provisioning/setup``` - +pre-provisioned node certificate giving the device the right to +invoke ```jlr.com/provisioning/setup``` and the right to +register ```jlr.com/mobile/123456/dm/cert_provision```.
+See [Device Management](#Device Management) for details + 3. Server sends authenticate to device
The server's auth cert (server public key) is sent, but no node certificates, thus giving the server no rights to register or invoke services with the device. 4. Device sends a service announce to server
-The command is empty (and can be omitted) since the device has no -services to register. +The command contains the single service ```jlr.com/mobile/123456/dm/cert_provision```, +which can be invoked by the provisioning service to install a new +certificate on the device. 5. Server sends a service announce to device
The command contains the service ```jlr.com/provisioning/setup```. -6. Device invokes ```jlr.com/provisioning/setup on server```
+6. Device invokes ```jlr.com/provisioning/setup``` on server
The sole argument is the device ID, which is 1234. The command is validated by the server through the pre-provisioned cert. @@ -161,12 +165,24 @@ The created cert gives the holder the right to invoke ```jlr.com/vin/ABCD/unlock The certificate also gives the holder the right to register jlr.com/mobile/1234/status.
The certificate is signed by root cert and encrypted with device public key from step 2.
-8. Side band transmission of node certificate to device
-Server sends encrypted certificate to device through SMS or similar, -using the device ID from step 4 as the destination address. +8. Sideband token transmission from provisioning service to device
+The provsioning server transmits a 128 bit random token to the device +using a sideband channel such as SMS or similar. + +10. Device invokes ```jlr.com/provisioning/request_certificate``` on server
+The device provides its public key and the token received in step 9 as +arguments to the call. + +11. Provisioning service invokes ```jlr.com/mobile/123456/dm/cert_provision```
+The provisioning service invokes certificate provisioning service on +the device, announced by the device to the service in step 4, to +install the certificate created in step 7. + +12. Device unpacks and stores certificate
+The device decrypts the certificate using its private key, validates +the signature against a locally installed root certificate. + -9. Devices receives, decrypts, and stores certificate
-The device now has the certificate to present to the vehicle for lock/unlock.
#### Device authentication / authorization.
-- cgit v1.2.1
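Review bot: In the first hunk (@@ -138,21 +138,25 @@), the new step 4 text says cert_provision "can be invoked by the provisioning service", but the unchanged step 3 still says the server sends no node certificates, "thus giving the server no rights to register or invoke services with the device". Either step 3 should name the certificate that authorizes the server to invoke jlr.com/mobile/123456/dm/cert_provision, or the text should explain why this service is exempt; as written the flow describes an invocation the server has no right to make. The added service names also use device ID 123456 while step 6 in the same hunk gives the device ID as 1234. The link target "#Device Management" contains a space and is unlikely to render as a working anchor (the usual form would be #device-management), and that sentence is missing its final period.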
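Review bot: In the second hunk (@@ -161,12 +165,24 @@), step 10 has the device invoke jlr.com/provisioning/request_certificate, but nothing visible grants or announces that service: step 2 limits the pre-provisioned certificate to invoking jlr.com/provisioning/setup and registering cert_provision, and step 5 announces only jlr.com/provisioning/setup. Add request_certificate to the rights in step 2 and to the announce in step 5, or explain how the call is authorized. The numbering jumps from 8 to 10, and step 10 refers to "the token received in step 9" although the token is sent in step 8; renumber the steps or fix the reference. The text should also say that the server checks the token before step 11 (what the token is bound to and whether it is single use), and which public key encrypts the certificate, since step 7 uses the key "from step 2" while step 10 supplies a key again. Minor: "provsioning" is misspelled, and step 12 needs "and" before "validates".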