Purpose

The main purpose of Registration in Qeo is to ensure that only authorized Qeo identities (users and devices) get access to the information in the Qeo Realm.

Qeo identity

As a recap, the SMS manages a Realm that contains users, where each user can have one or more devices attached. A Qeo "identity" must have a certificate so that it can be authenticated and authorized; that certificate is bound to both the user and the device:

  • A multi-user device will be given a certificate for every user that uses that device.
  • If a user owns multiple devices, each device will be given another certificate.

For registration in Qeo we use 'signed' certificates. A certificate-based mechanism has some advantages: it allows fine-grained management, carries user and device information, and allows mutual authentication between Qeo identities without needing a central authority at run time or any distribution of shared credentials.

Prerequisite

While Qeo can function without an Internet connection, one is required for the registration process to complete successfully. During the process, both the User's device and the Realm Administrator must be able to reach the Security Management Server.

Registration Approaches

There are two approaches to authenticating devices:

  • Direct Registration:
    In this case you have direct access to the device you want to register. There are two ways of doing this:

    • The Easy Install feature of the Qeo Service for Android allows you to create a home Realm (QeoHome) and automatically add your device to it.

    • Advanced direct registration, where you can select the name of the Realm, generate an OTC and register devices. You will either need the assistance of the Realm Administrator or be one yourself.

  • Remote Registration:
    In this case you have no direct contact with the device to register, or it is a so-called "headless" device, which means it has no direct user interface. Typically, the device will approve or reject subscription to a certain Qeo Realm, or is programmed to do so when certain conditions occur (e.g. a registration button is pressed).

A special case of the latter is registration of headless devices. A headless device is a computer system or device that has been configured to operate without a monitor (the missing "head"), keyboard, and mouse. A headless system is typically controlled via a network connection, although some headless devices require a physical connection for administration. Typically, users do not interact with these devices directly, or do so only through proprietary software on a dedicated system. Qeo allows interaction with these devices over any platform. In this case, approval is implicit and no Qeo user interaction is needed to confirm registration.

Actors

The following actors participate in this procedure:

  • Realm Administrator: creates a Realm on the SMS, adds Users to his Realm, adds device(s) to a user and distributes One Time Codes to a User to register a device to his Realm.
  • User: registers a device using a One Time Code generated by the SMS and obtained via the Realm Administrator.
  • SMS, RA, CA: the Security Management Server (hosting a web service), the Registration Authority and the Certificate Authority.

Concepts

This process introduces the following concepts:

  • One Time Code (OTC): a code that is generated by the SMS and handed by the Realm Administrator to a User, who can use it to register a device (for that user) to that Realm. The code is single-use and is only valid for a short period of time.

  • (User) Device Certificate: a certificate that is used to verify whether a particular device for a particular user is a member of a Realm.
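The two concepts above, as an added illustration that is not part of the Qeo documentation or the Qeo code base: a toy model of the SMS/RA/CA roles that issues a One Time Code bound to a Realm and User, lets a device redeem it exactly once within a validity window, and records the resulting (User) Device Certificate so that Realm membership can later be checked. The ten-minute validity, the code length and the in-memory tables are constructed assumptions; the page gives no such parameters.

```python
import secrets
import time
from dataclasses import dataclass, field

# Assumption: the page only says an OTC is valid "for a short period of time";
# ten minutes is a constructed value, not a Qeo parameter.
OTC_TTL_SECONDS = 600


@dataclass(frozen=True)
class DeviceCertificate:
    """Stands in for the (User) Device Certificate: one per (realm, user, device)."""
    realm: str
    user: str
    device: str
    serial: str


@dataclass
class SecurityManagementServer:
    """Toy model of the SMS/RA/CA roles (hypothetical, not Qeo's own API)."""
    # pending OTCs: code -> (realm, user, expiry as a UNIX timestamp)
    _pending: dict = field(default_factory=dict)
    # issued certificates keyed by serial, consulted for membership checks
    _issued: dict = field(default_factory=dict)

    def issue_otc(self, realm, user, now=None):
        """Realm Administrator action: mint an OTC bound to (realm, user)."""
        now = time.time() if now is None else now
        code = secrets.token_hex(4).upper()  # 8 hex chars from the OS CSPRNG
        self._pending[code] = (realm, user, now + OTC_TTL_SECONDS)
        return code

    def register_device(self, code, device, now=None):
        """User/device action: redeem an OTC. Returns a certificate or None."""
        now = time.time() if now is None else now
        # pop() makes the code single-use: a second presentation finds nothing,
        # and an expired code is discarded rather than left around for a retry.
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        realm, user, expires = entry
        if now > expires:
            return None
        cert = DeviceCertificate(realm, user, device, secrets.token_hex(8))
        self._issued[cert.serial] = cert
        return cert

    def is_member(self, cert, realm):
        """True only if this exact certificate was issued here for this realm."""
        return self._issued.get(cert.serial) == cert and cert.realm == realm


if __name__ == "__main__":
    sms = SecurityManagementServer()
    otc = sms.issue_otc("QeoHome", "alice")
    phone = sms.register_device(otc, "phone-1")
    print("first use :", phone)
    print("second use:", sms.register_device(otc, "phone-2"))  # None: code consumed
    print("member of QeoHome:", sms.is_member(phone, "QeoHome"))
```

The replay and expiry checks are what make the OTC safe to hand over out of band: a code that leaks after use, or after its window, buys an attacker nothing. Membership is decided by the server's own record of what it issued, so a certificate-shaped object that was never issued (or was issued for another Realm) is rejected; in a real deployment the CA signature would carry that role instead of the in-memory table.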

Notes

Take note of the following:

  • A device needs to be registered only once for a particular User. Installing additional applications will not require any additional registration effort.
