I have devices which need to communicate with a server over a mutually authenticated and encrypted channel. Authenticating the server is relatively easy, since I can embed the CA certificate in the device firmware and check the signature of the server's certificate. The problem is to authenticate the device to the server.
Normally I could sign the device's certificate as well, but there is no trusted environment from production until deployment, i.e. I don't want the production facility to have access to our private key or any signature capability using our CA. Instead, we have a QR code on the device and trusted personnel in the field to work with. So, authentication will be done by the personnel by reading the QR code. However, during this operation the devices typically are not powered, so the usual TOTP, visual indicators, etc. are not applicable.
My idea is to put a random number and its encrypted form (by the AES key that is randomly generated by the device) on the QR code (or some sort of MAC is also possible, probably binding the device ID). When the personnel reads the QR code, these values are stored in the database. When the device authenticates and connects to the server, it will send its secret AES key over the encrypted channel. The server can now verify that the random number in the database is indeed encrypted by the device and it can now sign the device's certificate. The server then deletes the random value from the database and further connections can be authenticated with the signature.
I believe this is as secure as it can get with these restrictions. But I'm not comfortable with presenting the AES key to prove the identity, and I can't think of any other way. Are there any problems with this scheme, assuming the personnel is not tricked into reading a malicious QR code? Is such an offline authentication a known problem, and if so, what are the keywords for further research? Is there a better way to achieve authentication with these restrictions?
Edit: I just realized that I can just put the public key of the device in the QR code and challenge the device to prove that it also has the corresponding private key.
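The following is an added example, not code from the question; it models the MAC variant of the scheme described above (a random nonce plus a MAC over the device ID and nonce, keyed with the device-generated secret, printed in the QR code). The field personnel's scan is represented by `Server.register_qr`, the device's later connection over the already-encrypted channel by `Server.enroll`. Device IDs and the JSON layout of the QR payload are assumptions for the example. It also shows the two checks a server should enforce in this design: the MAC binds the device ID so a QR code scanned for one device cannot enrol another, and the pending record is deleted after one successful use so the revealed key cannot be replayed for a second enrolment. The public-key variant from the edit replaces the "reveal the key" step with a signature over a server-chosen challenge and is preferable; it is not shown here only because it needs a third-party library.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def mac_tag(key: bytes, device_id: str, nonce: bytes) -> bytes:
    """HMAC-SHA256 over device_id || nonce; binding the ID prevents QR swapping."""
    return hmac.new(key, device_id.encode("utf-8") + nonce, hashlib.sha256).digest()


class Device:
    """Models the device at production time: key and nonce are generated on-device,
    never seen by the production facility's tooling beyond the printed QR code."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self.key = secrets.token_bytes(32)     # random secret, stays on the device
        self.nonce = secrets.token_bytes(16)   # random value printed in the QR code

    def qr_payload(self) -> str:
        """Content of the QR code (assumed JSON layout for this example)."""
        return json.dumps({
            "id": self.device_id,
            "nonce": b64(self.nonce),
            "tag": b64(mac_tag(self.key, self.device_id, self.nonce)),
        })

    def enrollment_message(self) -> dict:
        """Sent only after the device has verified the server's certificate,
        inside the encrypted channel: the device reveals its secret once."""
        return {"id": self.device_id, "key": b64(self.key)}


class Server:
    def __init__(self):
        self.pending = {}    # device_id -> (nonce, tag), filled by field personnel
        self.enrolled = set()  # device_ids whose certificate has been signed

    def register_qr(self, payload: str) -> None:
        """Called when trusted personnel scan the (unpowered) device's QR code."""
        rec = json.loads(payload)
        self.pending[rec["id"]] = (unb64(rec["nonce"]), unb64(rec["tag"]))

    def enroll(self, msg: dict) -> bool:
        """Verify the revealed key against the scanned record, then consume it."""
        rec = self.pending.get(msg["id"])
        if rec is None:
            return False                       # never scanned, or already used
        nonce, tag = rec
        expected = mac_tag(unb64(msg["key"]), msg["id"], nonce)
        if not hmac.compare_digest(expected, tag):
            return False                       # wrong key or wrong device ID
        del self.pending[msg["id"]]            # one-shot: no replay of the key
        self.enrolled.add(msg["id"])           # here the CSR would be signed
        return True


def run_enrollment_scenario() -> dict:
    """Walk through scan, first connection, replay attempt and ID swap; returns outcomes."""
    server = Server()
    dev_a, dev_b = Device("dev-001"), Device("dev-002")
    server.register_qr(dev_a.qr_payload())
    server.register_qr(dev_b.qr_payload())

    first = server.enroll(dev_a.enrollment_message())      # genuine device, scanned
    replay = server.enroll(dev_a.enrollment_message())     # same key again: record gone
    swapped = dict(dev_b.enrollment_message(), id="dev-001")  # B's key, A's ID
    id_swap = server.enroll(swapped)                       # MAC binds ID: rejected
    unscanned = server.enroll(Device("dev-003").enrollment_message())
    return {"first": first, "replay": replay, "id_swap": id_swap,
            "unscanned": unscanned, "enrolled": sorted(server.enrolled)}


if __name__ == "__main__":
    print(run_enrollment_scenario())
```

The `pending` and `enrolled` dictionaries stand in for the database in the question; in a real deployment the delete and the certificate signing should happen in one transaction so that a crash between them cannot leave a consumed nonce without an issued certificate.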