1.3.2 Protocol Security

The protocol has built-in security. All messages to the server except for the auto account code configuration message are encrypted and integrity-protected to ensure the confidentiality and integrity of the message. The auto account code configuration message uses HTTPS for securing its payload content.

The account configuration messages, the key activation message, and the account creation message of the bootstrap services are what establish this security.

The key activation message uses an account configuration code and a Uniform Resource Locator (URL) that the client obtains from the server using an out-of-band means (e-mail is one possibility). The client encrypts the request with a key derived from the account configuration code. The server, upon receiving the request, identifies a member associated with the configuration code, and sends back the member's identity template along with other policy information. The identity template specifies which management domain the identity belongs to and the domain's certificate.

The auto account code configuration message allows a user to configure an account with the management server without the need for an account configuration code. The client uses HTTPS to post an auto account code configuration message to an authenticated server endpoint. The server, upon receiving the request, identifies a member associated with the login name, and sends back the member's identity template along with other policy information. The identity template specifies which management domain the identity belongs to and the domain's certificate.

Once the client has obtained the domain certificate, the client uses the create account message to establish the shared secret key between the client and the server. To do so, the client generates a 192-bit secret key, encrypts it with the domain's encryption public key and signs the message with its own signature private key. The client sends the message along with its own public key information to the server. The server verifies the signature and decrypts the message to get the shared key.
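The create account exchange described above, written out as an added example that is not taken from the specification. The message field names, the choice of RSA-OAEP for key encryption and RSA-PSS over SHA-256 for the signature, and the key sizes used for the domain and client key pairs are this example's own assumptions; the section does not name the algorithms.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// CreateAccountMessage is this example's model of the create account message;
// the field names are assumptions, not the protocol's wire format.
type CreateAccountMessage struct {
	EncryptedKey []byte         // 192-bit shared key, encrypted to the domain's encryption public key
	ClientPub    *rsa.PublicKey // client's public key information, used to verify Signature
	Signature    []byte         // client's signature over EncryptedKey
}

// ClientCreateAccount generates the 192-bit shared key, encrypts it with the
// domain certificate's encryption public key and signs the result with the
// client's signature private key (RSA-OAEP / RSA-PSS over SHA-256 assumed).
func ClientCreateAccount(domainPub *rsa.PublicKey, clientPriv *rsa.PrivateKey) (*CreateAccountMessage, []byte, error) {
	key := make([]byte, 24) // 192 bits
	if _, err := rand.Read(key); err != nil {
		return nil, nil, err
	}
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, domainPub, key, nil)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(enc)
	sig, err := rsa.SignPSS(rand.Reader, clientPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, nil, err
	}
	return &CreateAccountMessage{EncryptedKey: enc, ClientPub: &clientPriv.PublicKey, Signature: sig}, key, nil
}

// ServerCreateAccount verifies the signature before decrypting, so a message
// whose ciphertext or signature was altered in transit is rejected without the
// domain's private key ever being applied to it; it returns the shared key.
func ServerCreateAccount(domainPriv *rsa.PrivateKey, msg *CreateAccountMessage) ([]byte, error) {
	digest := sha256.Sum256(msg.EncryptedKey)
	if err := rsa.VerifyPSS(msg.ClientPub, crypto.SHA256, digest[:], msg.Signature, nil); err != nil {
		return nil, errors.New("create account: signature verification failed, message rejected")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, domainPriv, msg.EncryptedKey, nil)
}
```

Because the client's public key travels inside the message, the signature only proves that the sender holds the matching private key; binding that key to a member account is a separate step that this example does not model.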

On successful registration of the secret key, all subsequent requests are secured with this key. Responses are not always secured: simple responses that carry only a return code are not secured, while responses that carry a payload are secured unless HTTPS is used.

The auto activation message is used by a managed device that has already obtained a registry setting for the device management domain (which contains, among other things, the device domain's certificate, the device domain GUID, and the server URL). This message behaves slightly differently from the auto account code configuration message. The client first uses the create account message to create a client device account on the server and to establish a shared key between the client device and the server. The client then sends the auto activation message, encrypted with the shared device key, to an authenticated server endpoint. Upon receiving the request, the server decrypts the request, finds the matching account with the login name, and returns the account configuration code, again encrypted with the shared device key. The client then uses the key activation request to get the identity template, which contains the identity's management domain certificate. Finally, it creates a shared account key by using the create account message with the identity's domain certificate.