In a highly secured wireless communication system, employees may be required to use at least one layer of security tunnels to access their corporate or enterprise applications or data remotely. The most commonly used secure tunnel technology is an Internet Protocol Security (IPsec) Virtual Private Network (VPN), which typically uses a public key infrastructure (PKI) certificate-based Internet Key Exchange protocol (IKE or IKEv2) to establish a secure tunnel.
A PKI scheme uses a digital certificate to verify that a particular public key belongs to a certain end entity and may be used for access control. The certificate is an electronic document that is issued by a trusted party and that is used to prove ownership of a public key. The certificate includes information about the key and an identity of the key owner, and further includes a digital signature of a Certificate Authority (CA), that is, an entity that has verified that the certificate's contents are correct. In order to obtain a certificate, a user, that is, a user's mobile device, has to complete a PKI enrollment process with a PKI infrastructure that was set up by his or her organization. In most cases, the PKI infrastructure contains at least one CA, which issues and controls the life cycle of all certificates, and a Registration Authority (RA) that performs the user/mobile device authentication for the CA before any certificate can be generated for the user/mobile device. The authentication of a new user/mobile device as part of an initial certificate enrollment often involves substantial manual operations, as the mobile device does not yet have any credential that can authenticate it to the organization's network before the initial certificate enrollment.
A typical solution for the initial certificate enrollment involves use of a personal computer (PC) that is trusted by the organization's network. The user needs to generate a certificate signing request (CSR) file on the user's mobile device and then transfer the CSR file to the PC using a wired connection, such as a universal serial bus (USB) interface. The user then uses the PC to submit the CSR to the RA or CA in order to obtain a certificate over the organization's network. In highly secured systems such as government and defense networks, the user may have to hand the user's mobile device to a system administrator, who would perform the initial enrollment using a PC that is located in a controlled environment.
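The CSR step above is the one piece of the enrollment that is purely cryptographic: the device proves possession of its private key by signing the request, and the RA checks that signature and the requested subject before anything is forwarded to the CA. The following is an added example (not code from the patent or from any product it describes) showing both sides, written against the Python `cryptography` library; the subject names, organization policy and the minimum key size are constructed assumptions for illustration.

```python
# Added example: device-side CSR generation and RA-side CSR checks.
# Assumes the third-party `cryptography` package is installed.
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa


def generate_csr(common_name, org, key_size=2048):
    """Device side: create an RSA key pair and a CSR signed with it.

    The private key never leaves the device; only the PEM CSR is
    transferred (in the page's scenario, over USB to a trusted PC).
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
    ])
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(subject)
        .sign(key, hashes.SHA256())
    )
    return key, csr.public_bytes(serialization.Encoding.PEM)


def ra_check_csr(csr_pem, allowed_orgs, min_key_bits=2048):
    """RA side: validate a received CSR before handing it to the CA.

    Returns (accepted, detail). `detail` is the requested common name on
    success or a rejection reason on failure. Note what this check does
    NOT establish: who actually submitted the CSR. The proof-of-possession
    signature only shows the submitter holds the matching private key,
    which is why the page's out-of-band, trusted-PC step exists.
    """
    csr = x509.load_pem_x509_csr(csr_pem)

    # 1. Proof of possession: the CSR must verify under its own public key.
    if not csr.is_signature_valid:
        return False, "invalid proof-of-possession signature"

    # 2. Key policy: reject keys weaker than the organization's minimum.
    pub = csr.public_key()
    if not isinstance(pub, rsa.RSAPublicKey) or pub.key_size < min_key_bits:
        return False, "key does not meet policy"

    # 3. Subject policy: only organizations this RA serves may be named.
    orgs = [a.value for a in csr.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)]
    if len(orgs) != 1 or orgs[0] not in allowed_orgs:
        return False, "subject organization not permitted"

    cns = [a.value for a in csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    if len(cns) != 1:
        return False, "subject must carry exactly one common name"

    return True, cns[0]


if __name__ == "__main__":
    # Constructed sample: one well-formed request, one with an undersized key.
    _, good_pem = generate_csr("device-001", "Example Org")
    print(ra_check_csr(good_pem, {"Example Org"}))
    _, weak_pem = generate_csr("device-002", "Example Org", key_size=1024)
    print(ra_check_csr(weak_pem, {"Example Org"}))
```

The three checks mirror what an RA can do with the CSR alone: signature, key strength and subject policy. Everything beyond that, namely tying the request to a specific enrolled person or device, has to come from the surrounding process, which is exactly the gap the manual procedures described above fill.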
Another approach for initial certificate enrollment involves use of a Trusted Platform Module (TPM) chip. Based on the current TPM 2.0 standards, a manufacturer of the TPM chip provisions a unique root key pair (usually RSA) in each TPM during the manufacturing process. A mobile device with a TPM can ask the TPM to sign/encrypt messages sent to the network during initial enrollment. However, the keys are generated outside of the control of the organization/enterprise that operates the wireless system, and this approach works only if that organization/enterprise trusts the keys and therefore trusts the TPM manufacturer. This kind of inter-organization trust is generally not permitted in highly secured government and public safety systems.
Skilled artisans will appreciate that elements in the figures are illustrated for simplicity and clarity and have not necessarily been drawn to scale. For example, the dimensions and/or relative positioning of some of the elements in the figures may be exaggerated relative to other elements to help to improve understanding of various embodiments of the present invention. Also, common but well-understood elements that are useful or necessary in a commercially feasible embodiment are often not depicted in order to facilitate a less obstructed view of these various embodiments of the present invention. It will further be appreciated that certain actions and/or steps may be described or depicted in a particular order of occurrence while those skilled in the art will understand that such specificity with respect to sequence is not actually required. Those skilled in the art will further recognize that references to specific implementation embodiments such as “circuitry” may equally be accomplished via replacement with software instruction executions either on general purpose computing apparatus (e.g., CPU) or specialized processing apparatus (e.g., DSP). It will also be understood that the terms and expressions used herein have the ordinary technical meaning as is accorded to such terms and expressions by persons skilled in the technical field as set forth above except where different specific meanings have otherwise been set forth herein.