Connecting Devices

Connect once and secure

Connecting a device to a personal profile means making that personal profile a trusted source for all configuration settings, credentials, etc. required to access information in the user's personal digital environment.

The two serious security errors a user of the Mesh could make are to allow the wrong device to connect to their profile, or to connect a device to the wrong profile.

The Mesh mitigates these risks as follows:

  • The ability to connect devices is limited to administration devices.
  • The connection protocols require strong mutual authentication.

Different devices have different user interface capabilities. In the usability field, such capabilities are known as affordances. A mechanism that requires use of a keyboard and a display is not going to be appropriate for a device that has neither.

The Mesh protocols currently support the following connection modes:

Basic Connection
The usual mechanism used to connect a device with display and keyboard capability.
PIN Code Connection
A variation of the basic connection mode suited to enterprise use in which the device being connected is authenticated by means of a PIN code generated by the administrator and provisioned out of band.
Bar Code Connection
Supports connection of devices that lack keyboard or display capabilities. The device to be connected is marked with a bar code that is read by the administration device and used as the basis for authentication.
Bootstrap Profile Connection
Supports connection of devices that are pre-populated with a generic software image that is customised during initialization. The generic software image is prepopulated with a device profile that is used to authenticate the request for a permanent profile.

In each case, the connection request must be approved by a device that is authorized as an administration device for the personal profile the new device is attempting to connect to. Since the administration device is used to approve requests, a means of input and output is required in every case. In the Bar Code Connection mode, a means of scanning the bar code is also required.

Basic Connection

The basic connection mechanism is the usual means of connecting a new device. There are four steps:

  1. Make a connection request from the new device.
  2. Fetch pending connection requests on the administration device.
  3. Approve the connection request on the administration device.
  4. Synchronize the new device.

Make a connection request from the new device:

connect start alice@cryptomesh.org
Connect Request  MBDLN-XX7CD-FWP5F-OMDF6-HLW4S-JALCN
    Device       MCBW7-LTIMR-YGL4K-UYVTR-DTSJW-F6LMZ
    Profile  MA6E4-GYIM6-PTSJ4-QGR7W-OZQFE-H5VAC

Fetch pending connection requests on the administration device:

connect pending
Connect Request  MBDLN-XX7CD-FWP5F-OMDF6-HLW4S-JALCN
    Device       MCBW7-LTIMR-YGL4K-UYVTR-DTSJW-F6LMZ
    Profile  MA6E4-GYIM6-PTSJ4-QGR7W-OZQFE-H5VAC

Approve the connection request on the administration device.

connect accept MBDLN-XX7CD-FWP5F-OMDF6-HLW4S-JALCN
Connect Request  MBDLN-XX7CD-FWP5F-OMDF6-HLW4S-JALCN
    Device       MCBW7-LTIMR-YGL4K-UYVTR-DTSJW-F6LMZ
    Profile  MA6E4-GYIM6-PTSJ4-QGR7W-OZQFE-H5VAC

Synchronize the new device.

connect complete
Accepted

PIN Code Connection

Use of a PIN code is convenient in circumstances in which the new device being connected and the administration device are being operated by different people at different times.

  1. Generate a PIN authorization code on the administration device.
  2. Provision the PIN code to the new device out of band
  3. Make the connection request from the new device.
  4. Approve the connection request on the administration device.
  5. Synchronize the new device.

Generate a PIN authorization code on the administration device.

connect generate

Provision the PIN code to the new device out of band, then make the connection request from the new device:

connect start alice@cryptomesh.org /pin=[Code]

Approve the connection request on the administration device.

connect accept /pre

Synchronize the new device.

connect complete
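The PIN mode described above, as an added illustrative model (not the meshman tool's own code or the Mesh wire protocol): the administration device issues a random PIN, the new device binds its request to that PIN with an HMAC over its fingerprint, and `accept /pre` approves only requests that verify against an unused PIN. The PIN length, alphabet and HMAC binding are assumptions for this example.

```python
import hashlib
import hmac
import secrets

# Assumed PIN format: 10 characters, alphabet without 0/O/1/I to avoid transcription errors.
PIN_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
DIGEST = hashlib.sha256


def pin_tag(pin, device_fingerprint):
    # Assumed binding: HMAC keyed by the PIN over the requesting device's fingerprint.
    return hmac.new(pin.encode(), device_fingerprint.encode(), DIGEST).hexdigest()


def connect_start(account, device_fingerprint, pin):
    """Request built by the new device ('connect start <account> /pin=<code>')."""
    return {"account": account, "device": device_fingerprint,
            "tag": pin_tag(pin, device_fingerprint)}


class AdministrationDevice:
    """Holds PINs issued by 'connect generate' and requests fetched by 'connect pending'."""

    def __init__(self):
        self.unused_pins = set()   # each PIN authorizes exactly one device
        self.pending = []

    def generate(self):
        # 'connect generate': a fresh PIN from a CSPRNG, handed to the user out of band.
        pin = "".join(secrets.choice(PIN_ALPHABET) for _ in range(10))
        self.unused_pins.add(pin)
        return pin

    def receive(self, request):
        self.pending.append(request)

    def accept_pre(self):
        """'connect accept /pre': approve requests whose tag matches an unused PIN."""
        accepted = []
        for req in list(self.pending):
            match = next((p for p in self.unused_pins
                          if hmac.compare_digest(pin_tag(p, req["device"]), req["tag"])), None)
            if match is None:
                continue            # no valid PIN: stays pending for manual review
            self.unused_pins.discard(match)   # consume the PIN so it cannot be reused
            self.pending.remove(req)
            accepted.append(req["device"])
        return accepted
```

Because the PIN is consumed on first use, a second device presenting a tag made with the same PIN is left pending rather than approved.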

Bar Code Connection

The Bar Code Connection mode requires that a device profile be pre-loaded into the device and registered with a Mesh portal. The device address of the portal and a device connection code are used to form the connection URI:

device /barcode=example.net

The connection URI is encoded as a bar code. The QR code format is preferred:

[QR code of connection URI]

The device does not know the device connection code; only the digest of the device connection code is stored on the device. This value is known as the device digest.

When connected to a network, the device attempts to establish a network connection via DHCP. It then attempts to connect to the following Mesh portal services in order:

  1. _mmm._tcp.[Default Domain]
  2. _mmm._tcp.local
  3. _mmm._tcp.[Connection URI Domain]

The device registers itself as available for connection under the device identifier which is the digest of the device digest.

To complete the connection, the user scans the barcode with an administrative device equipped with a scanner. The scanner converts the barcode back to the connection URI form, which is used to complete the connection:

connect accept [barcode]

The tool calculates the device digest and the device identifier. The device identifier is used to tell the service which device it is attempting to connect to, and the device digest is used to derive the keys that authenticate the device connection request.
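The bar code derivation chain above, as an added worked example (not the Mesh's own algorithm): the device stores only the device digest, registers under the digest of that digest, and the administration device recovers the connection code from the scanned URI to derive the request authentication key. The URI layout, SHA-256 as the digest, and the HMAC-based key derivation are assumptions for this example.

```python
import hashlib
import hmac

DIGEST = hashlib.sha256  # assumption: the page does not name the digest algorithm


def make_connection_uri(portal, connection_code):
    # Assumed layout: portal address plus the device connection code.
    return f"mmm://{portal}/connect/{connection_code}"


def parse_connection_uri(uri):
    rest = uri.split("://", 1)[1]
    portal, _, code = rest.partition("/connect/")
    return portal, code


def device_digest(connection_code):
    # The only secret the device holds; the connection code itself lives on the printed bar code.
    return DIGEST(connection_code.encode()).digest()


def device_identifier(dev_digest):
    # Public registration name: the digest of the device digest.
    return DIGEST(dev_digest).hexdigest()


def request_auth_key(dev_digest):
    # Assumed derivation: HMAC of a fixed label under the device digest.
    return hmac.new(dev_digest, b"connect-request", DIGEST).digest()


def admin_accept(uri, request_id):
    """'connect accept [barcode]': locate the device and authenticate the request."""
    _portal, code = parse_connection_uri(uri)
    dd = device_digest(code)
    tag = hmac.new(request_auth_key(dd), request_id.encode(), DIGEST).hexdigest()
    return device_identifier(dd), tag


def device_verify(stored_digest, request_id, tag):
    """Device side: only a party holding the connection code can produce a valid tag."""
    expected = hmac.new(request_auth_key(stored_digest), request_id.encode(), DIGEST).hexdigest()
    return hmac.compare_digest(expected, tag)


def discovery_order(default_domain, uri_domain):
    # The portal service names the device tries, in the order given above.
    return [f"_mmm._tcp.{default_domain}", "_mmm._tcp.local", f"_mmm._tcp.{uri_domain}"]
```

Knowing the public device identifier alone does not yield the device digest, so a party that only observed the registration cannot forge an accepted connection request.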

Bootstrap Profile Connection

The bootstrap profile connection mode is intended for use with virtual machines, containers and IoT devices running code developed locally rather than by a third party provider.

The device image is configured with a bootstrap profile. This may be generated using the meshman tool as follows:

connect bootstrap

On initialization, the bootstrap profile is used to authenticate a request for an individual device profile:

connect start alice@cryptomesh.org /reboot

This device profile is then accepted using the administration device in the normal fashion:

connect accept /pre