On Board Key Generation

What is On Board Key Generation?

On Board Key Generation in this industry means public key cryptography key pair generation, where the secret component along with its public counterpart is generated within the security module (SIM card) with the device user interactively entering supplementary information. The supplementary information contains at least the new access control sPIN (Signing PIN), which is invented by the user on the spot, and kept inside the security module.

After the key generation, the security module sends out the Public Key component of the generated key pair, which is then used in the service to prepare a certificate for the user. In Mobile Wireless PKI (WPKI) the user’s Certificate (the binding of the user’s Public Key and the certified data) is not stored in the security module, because the mobile operator services can store it without the limitation of narrow-bandwidth communication links, and without introducing a trusted third party into the cryptography.

In Methics’ recommended procedures there is also an activation code token that gates access to key pair generation. The registration service shows that token to the registration agent via the agent’s tool (a web portal or a program running on a computer), and when the device asks the user to enter the code, the agent tells it to the user being registered in front of the agent. Methics calls this on-the-spot generated and verified code “VerifyCode”, and it is a string of 4 to 8 numeric characters.

Depending on the requirements of the target environment, Methics-developed technology can give each key pair its own sPIN, or place multiple key pairs (up to all of them) under the same sPIN.

Key Pair and sPIN Lifecycle

  1. A key pair is born during the generation inside the security module. The sPIN (Signing PIN) controlling access to the key pair is created during the generation by asking the user for it, and storing it inside the security module.
  2. All accesses to the key pair require the correct entry of that sPIN.
  3. Too many successive failures on sPIN entry (usually defined as 3) cause the sPIN and all keys under its control to be irrevocably destroyed. (Or at least marked as destroyed.)

To help a blocked sPIN user to return to the WPKI service, a security module with a blocked sPIN can always be unblocked by:

  1. Recycling all key pair storages under the control of the sPIN being recycled (destroying the key material if not previously destroyed).
  2. Recycling the blocked sPIN storage.
  3. Running the key pair and sPIN initialization as described above – the destruction of previous values in those storage spaces happens at this phase, if not before.

If multiple key pairs are configured to be protected with the same sPIN, the first key pair generation under it will ask for a new sPIN value, and subsequent ones will ask the user operating the device to verify that they know the sPIN.
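The lifecycle above, modelled as a small state machine. This is an added example, not Methics code or a SIM applet: the class and method names are hypothetical, and the "key pair" is a random byte string with a hash as its public component, standing in for real on-card key generation.

```python
import hashlib, hmac, secrets

MAX_TRIES = 3  # the page's "usually defined as 3"

class SpinDomain:
    """Toy model of one sPIN and the key pair storages under its control."""

    def __init__(self, slots):
        self.slots = list(slots)
        self.recycle()

    def recycle(self):
        # Unblock path: destroy key material and sPIN, ready for re-initialization.
        self.keys = {s: None for s in self.slots}
        self.spin, self.tries_left, self.blocked = None, MAX_TRIES, False

    def _verify(self, spin):
        if self.blocked or self.spin is None:
            return False
        if hmac.compare_digest(spin.encode(), self.spin.encode()):
            self.tries_left = MAX_TRIES      # only successive failures count
            return True
        self.tries_left -= 1
        if self.tries_left == 0:             # destroy the sPIN and every key under it
            self.recycle()
            self.blocked = True
        return False

    def generate(self, slot, spin):
        """Return the public component, or None if generation is refused."""
        if self.blocked:
            return None
        if self.spin is None:
            self.spin = spin                 # first key pair: user invents the sPIN
        elif not self._verify(spin):         # later key pairs: user proves knowledge
            return None
        self.keys[slot] = secrets.token_bytes(32)            # stand-in private key
        return hashlib.sha256(self.keys[slot]).hexdigest()   # stand-in public key

    def sign(self, slot, spin, data):
        """Every key access requires the sPIN; returns a stand-in signature or None."""
        if not self._verify(spin) or self.keys[slot] is None:
            return None
        return hmac.new(self.keys[slot], data, hashlib.sha256).hexdigest()
```

Once the domain is blocked, even the previously correct sPIN is refused, and the only way back is `recycle()` followed by a fresh `generate()`, which yields a different public key and therefore requires a new certificate.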

Recommendation against sPUK

When the destruction and regeneration of previous sPIN and key material is not possible, some vendors supply a special sPUK (Signing PIN Unblocking Code) for the sPIN. The problem is that an sPUK has at least as high a security sensitivity as the original registration process: storing it in the operator database and revealing it must be done with the same rigor as the registration procedure, and it requires the same (or higher) level of audit as that procedure. Indeed, it is so much completely avoidable and unnecessary trouble that Methics strongly recommends against having any sort of sPUK.