I have earlier asked a related question here. I have come up with a scheme which I shall describe below. I request experts out there to provide feedback.
Since the target application is a consumer application, implicit assumption is that the application won't be deployed on BES. If required, a separate application would be developed that is more suitable and integrates well with BES environment.
First, the build system of the application (including source code) is tied up with the user's registration. That is, when the user register, an application is built for that user only with a link being provided as soon as the registration is complete. The following sequence of steps are executed by the server, on behalf of an user.
Installation
- (Private Key, Public Key) called "Master Keys" for that user are generated.
- (Private Key, Public Key) called "Channel Keys" for that user are generated.
- Master Public Key would be signed by Server's code signing keys.
- Channel Public Key would be signed by Server's code signing keys
- (Channel Key, Master Key) would be packaged along with the application source code.
- An unique identifier for that application is generated and bundled along with the application.
- The above source code is compiled using RIM's tools and signed by RIM signer certificate.
- Any intermediate files that are generated for the above process are deleted immediately after the build is complete.
Master Keys are used to carry out sensitive operations such as (a) Reset the user's password on device (b) Reset application's password (c) Remote wipe when the device is lost (d) Turn on remote tracking when the device is lost.
Channel Keys are used to encrypt/ sign the data when client communicates with the server.
Creating Session Keys. Session keys are used for one time communication between client and server. They are exchanged over HTTPS between device and server, encrypted (perhaps using AES-256).
When the user downloads the application on to the phone and installs it successfully, on the first launch the user selects a password for the application. This password is known only to the user.
Application sends (user id, application id) encrypted with session key to the server over HTTPS
Application generates a 128 bit UUID called "Rescue Code" and prompts the user for an E-mail id. An E-mail would be sent to this E-mail id that contains this "Rescue Code". The user is required to keep this safely and produce it when any the user loses the phone or forgets the password.
This rescue code is stored on the device.
- Once started, the application ALWAYS runs in the background and starts up as the phone boots.
Recovery
When he user forgets the password or losses the phone.
- The user proves identity by producing valid identity card (provided by Government, perhaps) to appropriate authority.
- Server requests the client to create a secure channel. The client re-connects to the server by presenting a token that is encrypted by the Master Key.
- The clients presents the server with a challenge, requesting a "Rescue Code". This can be shown on Web UI.
- The user presents the "Rescue Code" to the server
- Client matches the rescue code presented by the server against the one that is stored and then a success code is sent to server.
- Now client can perform sensitive operations on behalf of user.