CPC H04L 63/0428 (2013.01) [H04L 9/0825 (2013.01); H04L 9/0841 (2013.01); H04L 9/085 (2013.01); H04L 9/3268 (2013.01); H04L 9/3273 (2013.01); H04W 12/069 (2021.01)]. 20 Claims.

1. A method of establishing a secured communication interface between a first managed device and a second managed device, the method comprising:
initiating, by the second managed device, an authentication request of the first managed device on a wireless channel, wherein the wireless channel includes a wireless communication channel that is not natively secure, and a single user is registered with the first managed device and the second managed device;
responsive to the authentication request, starting, by the first managed device, a mutual authentication process over the wireless channel, wherein the mutual authentication process includes communication of a certificate message having a mobile signing key that includes a public key of the first managed device assigned during a passwordless authentication registration process, and wherein the public key of the first managed device is self-signed;
requesting, by the first managed device, a certificate of the second managed device;
verifying, by the second managed device, the public key of the first managed device, wherein verifying the public key of the first managed device is based on availability of the public key of the first managed device on the second managed device, which is fetched by the second managed device from a unified endpoint management (UEM) management device following the passwordless authentication registration process, and on the public key of the first managed device being self-signed;
after the public key of the first managed device is verified by the second managed device, communicating, by the second managed device, a certificate message to the first managed device, wherein the certificate message includes a public key of the second managed device and is self-signed by the second managed device;
verifying, by the first managed device, the public key of the second managed device, wherein verifying the public key of the second managed device is based on availability of the public key of the second managed device on the first managed device, which is fetched by the first managed device from the UEM management device following the passwordless authentication registration process, and on the public key of the second managed device being self-signed;
after the public key of the second managed device is verified by the first managed device, communicating, by the first managed device, a finished message to the second managed device; and
starting, by the first managed device, a key exchange during which a shared secret encryption key is agreed upon between the first managed device and the second managed device, wherein the shared secret encryption key is used to encrypt and decrypt data communication messages between the first and second managed devices.
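The claim above reads as a protocol: each device's public key is self-signed, but the self-signature alone proves nothing over an insecure wireless channel; trust comes from the key having been provisioned out of band by the UEM after passwordless registration, and the claim's verification step requires both conditions. The following Go program is an added example written for this page, not code from the patent or its assignee. It simulates the two managed devices, a minimal in-memory UEM (the `UEM`, `Register` and `Fetch` API is hypothetical), the certificate messages, the two-sided verification, and the final key exchange. The claim fixes no algorithms, so the choice of ECDSA over P-256 for the self-signed keys, ephemeral ECDH over P-256 for the key exchange, and SHA-256 for deriving the session key are assumptions of this example; the device names are constructed sample values.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// CertMessage is the claim's self-signed "certificate message": the sender's public
// key plus a signature over that key made with the matching private key.
type CertMessage struct {
	Owner string
	Pub   *ecdsa.PublicKey
	Sig   []byte // ECDSA signature over keyDigest(Pub)
}

// Device is a managed device: its signing key plus the peer keys fetched from the UEM.
type Device struct {
	Name    string
	signKey *ecdsa.PrivateKey
	trusted map[string]*ecdsa.PublicKey // peer name -> key fetched from the UEM
}

// UEM stands in for the unified endpoint management server (hypothetical, minimal API).
type UEM struct{ registry map[string]*ecdsa.PublicKey }
func NewUEM() *UEM { return &UEM{registry: map[string]*ecdsa.PublicKey{}} }

func NewDevice(name string) (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // assumption: P-256 keys
	if err != nil {
		return nil, err
	}
	return &Device{Name: name, signKey: k, trusted: map[string]*ecdsa.PublicKey{}}, nil
}

// keyDigest is what a device signs: SHA-256 over the affine coordinates of its key.
func keyDigest(pub *ecdsa.PublicKey) []byte {
	h := sha256.Sum256(append(pub.X.Bytes(), pub.Y.Bytes()...))
	return h[:]
}

// Register stores a key during passwordless registration; Fetch later copies a peer's
// key onto a device out of band, so nothing is trusted from the wireless channel.
func (u *UEM) Register(d *Device) { u.registry[d.Name] = &d.signKey.PublicKey }
func (u *UEM) Fetch(d *Device, peer string) { d.trusted[peer] = u.registry[peer] }

// Certificate builds the self-signed certificate message the device sends.
func (d *Device) Certificate() (CertMessage, error) {
	pub := &d.signKey.PublicKey
	sig, err := ecdsa.SignASN1(rand.Reader, d.signKey, keyDigest(pub))
	return CertMessage{Owner: d.Name, Pub: pub, Sig: sig}, err
}

// VerifyPeer applies both conditions of the claim: the presented key must equal the
// one fetched from the UEM for that peer, and the self-signature must verify.
func (d *Device) VerifyPeer(msg CertMessage) error {
	known, ok := d.trusted[msg.Owner]
	if !ok || msg.Pub == nil || !known.Equal(msg.Pub) {
		return fmt.Errorf("%s: key presented by %s is not the UEM-provisioned one", d.Name, msg.Owner)
	}
	if !ecdsa.VerifyASN1(msg.Pub, keyDigest(msg.Pub), msg.Sig) {
		return fmt.Errorf("%s: self-signature from %s does not verify", d.Name, msg.Owner)
	}
	return nil
}

// Handshake runs the claim's steps between the initiating (second) and responding
// (first) device and returns the session key each side derived (ECDH + SHA-256 assumed).
func Handshake(first, second *Device) ([]byte, []byte, error) {
	certFirst, err := first.Certificate() // first answers the authentication request
	if err != nil {
		return nil, nil, err
	}
	if err := second.VerifyPeer(certFirst); err != nil { // second checks first's key
		return nil, nil, err
	}
	certSecond, err := second.Certificate() // sent after first requests it
	if err != nil {
		return nil, nil, err
	}
	if err := first.VerifyPeer(certSecond); err != nil { // first checks second's key
		return nil, nil, err
	}
	e1, err1 := ecdh.P256().GenerateKey(rand.Reader) // "finished" sent; key exchange starts
	e2, err2 := ecdh.P256().GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, nil, fmt.Errorf("ephemeral key generation failed")
	}
	s1, err1 := e1.ECDH(e2.PublicKey())
	s2, err2 := e2.ECDH(e1.PublicKey())
	if err1 != nil || err2 != nil {
		return nil, nil, fmt.Errorf("ECDH failed")
	}
	k1, k2 := sha256.Sum256(s1), sha256.Sum256(s2)
	return k1[:], k2[:], nil
}
```

To use it, create the two devices with `NewDevice`, call `Register` on a `NewUEM()` for each, then `Fetch` each peer's key onto the other device before calling `Handshake(first, second)`; the two returned keys are equal and change on every run because the ECDH shares are ephemeral. The check in `VerifyPeer` is the point of the design: a device whose key was never registered with the UEM is rejected even though its certificate message is correctly self-signed, and a provisioned key with a tampered signature is rejected as well, so neither a fresh self-signed key injected on the wireless channel nor a replayed key without its private half gets through.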