Many machine-to-machine (M2M) users require IPsec, SSL or other virtual private networks (VPNs) to be established between distributed M2M devices and their company premises (where there is typically a server called a VPN concentrator). Setting up a VPN involves a complex (and often manual) process of distributing pre-shared keys or certificates both to all the relevant M2M devices and to the VPN server. Sending pre-shared keys to M2M devices remotely is difficult because there is no end-to-end secure connection over which to distribute the keys.
The most widely used solution is manual distribution of a shared secret. For deployments with more than two peer devices, this is typically a group key, or sometimes individual device keys may be derived from a group key and device identifier. These solutions are cumbersome and have security limitations.
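The group-key scheme described above, in which each device's key is derived from a shared group key and the device identifier, can be illustrated with a small worked example. The code below is an added example, not part of the original text or of any product it describes; it assumes an HKDF-SHA256 derivation (RFC 5869) with a constructed group key, constructed device identifiers and a hypothetical info label of "m2m-vpn-psk". It shows both why the scheme is attractive (the concentrator stores only the group key and recomputes any device's pre-shared key on demand) and the limitation the text refers to: any party holding the group key can reproduce every device key, so the group key is a single point of compromise for the whole fleet.

```python
import hmac
import hashlib

# HKDF-SHA256 per RFC 5869, implemented with only the standard library.
HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC(salt, IKM); an empty salt means HASH_LEN zero bytes."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated to `length` bytes."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested key material too long for HKDF")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf_self_test() -> bool:
    """Check the implementation against RFC 5869 test case 1 before trusting it."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (
        prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
        and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
    )


# Hypothetical context label; binding the purpose into `info` keeps these PSKs
# separate from any other keys derived from the same group key.
INFO_LABEL = b"m2m-vpn-psk:"


def derive_device_psk(group_key: bytes, device_id: str, length: int = 32) -> bytes:
    """Per-device PSK = HKDF(group_key, info = INFO_LABEL || device_id)."""
    prk = hkdf_extract(b"", group_key)
    return hkdf_expand(prk, INFO_LABEL + device_id.encode("utf-8"), length)


def provision_fleet(group_key: bytes, device_ids: list[str]) -> dict[str, bytes]:
    """What the operator does at build time: derive one PSK per device."""
    return {dev: derive_device_psk(group_key, dev) for dev in device_ids}


def concentrator_lookup_psk(group_key: bytes, device_id: str) -> bytes:
    """What the VPN concentrator does at connect time: it holds only the group
    key and recomputes the peer's PSK from the presented device identifier."""
    return derive_device_psk(group_key, device_id)


def group_key_exposes_all_devices(group_key: bytes, fleet: dict[str, bytes]) -> bool:
    """The limitation: anyone holding the group key can regenerate every device key."""
    return all(derive_device_psk(group_key, dev) == psk for dev, psk in fleet.items())


if __name__ == "__main__":
    # Constructed sample values; a real group key would come from a CSPRNG.
    GROUP_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
    fleet = provision_fleet(GROUP_KEY, ["meter-0001", "meter-0002", "gateway-07"])
    for dev, psk in fleet.items():
        print(f"{dev:12s} {psk.hex()}")
    print("concentrator matches device:",
          concentrator_lookup_psk(GROUP_KEY, "meter-0002") == fleet["meter-0002"])
    print("group key reproduces whole fleet:", group_key_exposes_all_devices(GROUP_KEY, fleet))
```

The concentrator never needs a per-device key database, which is the operational appeal; the flip side, visible in `group_key_exposes_all_devices`, is that a single leaked group key (from any device image, build server or concentrator backup) equals a leak of every device's PSK, and rotating it means re-provisioning the entire fleet.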
One solution from Microsoft Corp. involves automatically enrolling devices into a PKI and issuing device certificates to them so that they can subsequently connect to a VPN. However, this has limitations. The system requires an enterprise PKI (a certification authority (CA) hierarchy) to be established and the enterprise to integrate with Microsoft Active Directory (to support automated certificate enrolment). Devices typically need to be joined to the domain at build time (e.g. by a domain administrator), and this joining operation needs to be carried out within company premises. Support for devices which do not run a Microsoft operating system can be problematic.
However, this system is not suitable for M2M devices as such devices do not typically have any form of Active Directory support and/or are activated in the field away from an enterprise's premises. The cost and overheads required for an enterprise to establish PKI for this purpose are also considerable.
Therefore, there is required a method and system that overcomes these problems.