Zero-touch provisioning of IOT devices with multi-factor authentication

US 10,447,683 B1
Filed: 11/17/2016
Issued: 10/15/2019
Est. Priority Date: 11/17/2016
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable storage medium storing instructions executable to perform an operation for provisioning identifying credentials to an Internet of Things (loT) device, based on generic credentials provided by the loT device, the operation comprising:

receiving, from the loT device of a plurality of loT devices, a request to provision the loT device with identifying credentials for registering the loT device with a first loT service, wherein the first loT service is accessible via generic credentials, wherein the request is received by the first loT service, wherein the request specifies the generic credentials, which include a provisioning certificate stored in memory of each of the plurality of loT devices, wherein the request further specifies additional credentials for the loT device;

upon validating the request, authenticating the request via multi-factor authentication based at least in part on the generic credentials and the additional credentials specified in the request;

granting, to the loT device, access to a second loT service that is accessible via the identifying credentials, by generating the identifying credentials for the loT device based at least in part on the generic credentials and the additional credentials and by operation of one or more computer processors when executing the instructions, the identifying credentials comprising device-specific credentials uniquely identifying the loT device in the plurality of loT devices;

sending the identifying credentials to the loT device, wherein the loT device installs and activates the identifying credentials; and

associating the identifying credentials with the loT device in a registry of the first loT service, whereafter the loT device accesses the second loT service based on the identifying credentials.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for provisioning device-specific credentials to an Internet of Things device that accesses a cloud-based IoT service. The IoT service receives, from the IoT device, a request for device-specific credentials. The request comprises a provisioning certificate including information identifying a group of devices associated with the IoT device. The provisioning certificate is authenticated by evaluating the information with expected information. The device-specific credentials are generated based, at least in part, on the information provided in the provisioning certificate. The device-specific credentials are sent to the IoT device, and the IoT device installs and activates the device-specific credentials. The device-specific credentials are associated with the IoT device in a registry of the IoT service.

Citations

20 Claims

1. A non-transitory computer-readable storage medium storing instructions executable to perform an operation for provisioning identifying credentials to an Internet of Things (loT) device, based on generic credentials provided by the loT device, the operation comprising:
- receiving, from the loT device of a plurality of loT devices, a request to provision the loT device with identifying credentials for registering the loT device with a first loT service, wherein the first loT service is accessible via generic credentials, wherein the request is received by the first loT service, wherein the request specifies the generic credentials, which include a provisioning certificate stored in memory of each of the plurality of loT devices, wherein the request further specifies additional credentials for the loT device;
  
  upon validating the request, authenticating the request via multi-factor authentication based at least in part on the generic credentials and the additional credentials specified in the request;
  
  granting, to the loT device, access to a second loT service that is accessible via the identifying credentials, by generating the identifying credentials for the loT device based at least in part on the generic credentials and the additional credentials and by operation of one or more computer processors when executing the instructions, the identifying credentials comprising device-specific credentials uniquely identifying the loT device in the plurality of loT devices;
  
  sending the identifying credentials to the loT device, wherein the loT device installs and activates the identifying credentials; and
  
  associating the identifying credentials with the loT device in a registry of the first loT service, whereafter the loT device accesses the second loT service based on the identifying credentials.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The non-transitory computer-readable storage medium of claim 1, wherein the provisioning certificate is registered with the first loT service by a manufacturer of the plurality of loT devices.
  - 3. The non-transitory computer-readable storage medium of claim 2, wherein the additional credentials are provided by the manufacturer.
  - 4. The non-transitory computer-readable storage medium of claim 1, wherein the device-specific credentials include at least a digital certificate.
  - 5. The non-transitory computer-readable storage medium of claim 1, wherein:
    - the device-specific credentials include at least a digital certificate;
      
      the provisioning certificate and digital certificate comprise distinct certificates;
      
      the additional credentials for the loT device include at least one of a hardware identifier, a media access control (MAC) address, geolocation information, and user account credentials;
      
      the provisioning certificate is pre-registered with the first loT service without requiring end-user intervention; and
      
      the provisioning certificate is pre-registered with the first loT service by a manufacturer of the plurality of loT devices.
  - 6. The non-transitory computer-readable storage medium of claim 5, wherein:
    - the first loT service comprises a plurality of components, the plurality of components including a rules engine component, a registry component, and an identity manager component;
      
      the registry component comprises the registry;
      
      the identity manager component includes a plurality of subcomponents including a provisioning service subcomponent, an authentication service subcomponent, a certificate authority subcomponent, and an authorization service subcomponent; and
      
      the rules engine component is configured to evaluate inbound messages published to the first loT service, transform the inbound messages, and route the transformed messages to a plurality of endpoint services of a networked computing environment, the plurality of endpoint services including an event-driven computing service, a database service, and a storage service.
  - 7. The non-transitory computer-readable storage medium of claim 6, wherein:
    - associating the identifying credentials with the loT device comprises associating the digital certificate with the loT device in the registry;
      
      the loT device accesses the second loT service based on the digital certificate;
      
      the provisioning service subcomponent is configured to receive the request to provision the loT device with the identifying credentials;
      
      the authentication service subcomponent is configured to authenticate the provisioning certificate by evaluating the information identifying the plurality of loT devices with the expected information;
      
      the certificate authority subcomponent is configured to generate the digital certificate based, at least in part, on the generic credentials; and
      
      the authorization service subcomponent is configured to associate the identifying credentials with the loT device in the registry component of the first loT service.
  - 8. The non-transitory computer-readable storage medium of claim 7, wherein:
    - the provisioning certificate is authenticated by initiating a first workflow comprising an authentication workflow;
      
      the identifying credentials are generated by initiating a second workflow comprising a provisioning workflow;
      
      the request further includes information identifying the loT device;
      
      the authentication workflow includes;
      
      validating the information identifying the plurality of loT devices; and
      
      authenticating the loT device based on the provisioning certificate and based further on the information identifying the loT device;
      
      the information identifying the loT device includes a geolocation of the loT device, a hardware device identifier, and a data source name;
      
      the authentication workflow comprises a custom authentication workflow defined by the manufacturer; and
      
      the provisioning workflow comprises a custom provisioning workflow defined by the manufacturer.
  - 9. The non-transitory computer-readable storage medium of claim 8, wherein:
    - the provisioning workflow includes;
      
      validating the digital certificate;
      
      registering the digital certificate with the loT device in the registry;
      
      generating a confirmation of the registration of the digital certificate, wherein the confirmation is output;
      
      obtaining a profile for the loT device, wherein the profile includes one or more attributes defining permissions for the loT device;
      
      generating a device policy from the one or more attributes; and
      
      associating the device policy with the device-specific credentials; and
      
      upon determining that the provisioning certificate is compromised, a plurality of digital certificates generated for the provisioning certificate is added to a certificate revocation list maintained by a certificate authority, in order to cause any subsequent authentication attempts based on any of the plurality of digital certificates to fail due to being recognized as being from an attacker spoofing information in the provisioning certificate.
  - 10. The non-transitory computer-readable storage medium of claim 9, wherein:
    - generating the identifying credentials comprises;
      
      generating a certificate signing request (CSR) based, at least in part, on the generic credentials; and
      
      generating the digital certificate based on the CSR;
      
      associating the device policy with the device-specific credentials comprises attaching the device policy to the digital certificate;
      
      the operation further comprises receiving, from the manufacturer of the loT device, an indication of the provisioning certificate;
      
      the request is validated by determining that a count of provisioning digital certificates previously claimed for the provisioning certificate is less than a count of digital certificates to be provided for the provisioning certificate; and
      
      the additional credentials for the loT device include the hardware identifier, the MAC address, the geolocation information, and the user account credentials.

11. A system to provision identifying credentials to an Internet of Things (loT) device, based on generic credentials provided by the loT device, the system comprising:
- one or more computer processors; and
  
  one or more memories storing instructions, which, when executed on the one or more computer processors, cause the one or more computer processors to perform an operation comprising;
  
  receiving, from the loT device of a plurality of loT devices, a request to provision the loT device with identifying credentials, wherein the request is received by a first loT service that is accessible via generic credentials, wherein the request specifies the generic credentials in the form of a provisioning certificate stored in memory of each of the plurality of loT devices, wherein the request further specifies additional credentials for the loT device;
  
  upon validating the request, initiating a first workflow, wherein the first workflow is configured to authenticate the loT device with the first loT service via multi-factor authentication based at least in part on the generic credentials and the additional credentials specified in the request;
  
  initiating a second workflow, wherein the second workflow is configured to grant, to the loT device, access to a second IoT service that is accessible via the identifying credentials, by generating the identifying credentials for the loT device based at least in part on the generic credentials and the additional credentials, the identifying credentials comprising device-specific credentials uniquely identifying the loT device in the plurality of loT devices; and
  
  sending the identifying credentials to the loT device, whereafter the loT device accesses the second loT service based on the identifying credentials.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The system of claim 11, wherein the request further includes information identifying the IoT device.
  - 13. The system of claim 11, wherein the second workflow comprises:
    - receiving a digital certificate from the IoT device;
      
      validating the digital certificate;
      
      registering the digital certificate with the IoT device in a registry providing device information for the first IoT service; and
      
      generating a confirmation of the registration of the digital certificate.
  - 14. The system of claim 11, wherein the second workflow comprises:
    - obtaining a profile for the loT device, wherein the profile includes one or more attributes defining permissions for the loT device;
      
      generating a device policy from the one or more attributes; and
      
      associating the device policy with the device-specific credentials.
  - 15. The system of claim 11, wherein the operation further comprises:
    - receiving, from a manufacturer of the loT device, an indication of the provisioning certificate stored in memory of each of the plurality of loT devices.
  - 16. The system of claim 15, wherein the first and second workflows are defined by the manufacturer of the IoT device.

17. A computer-implemented method for provisioning identifying credentials to an Internet of Things (loT) device, based on generic credentials provided by the loT device, the computer-implemented method comprising:
- receiving, from the loT device of a plurality of loT devices, a request to provision the loT device with identifying credentials in the form of a digital certificate, wherein the request is received by a first loT service that is accessible via generic credentials, wherein the request specifies the generic credentials, which include a provisioning certificate stored in memory of each of the plurality of loT devices, wherein the request further specifies additional credentials for the loT device;
  
  validating the request by determining that a count of digital certificates previously claimed for the provisioning certificate is less than a count of a plurality of digital certificates generated for the provisioning certificate; and
  
  upon authenticating the provisioning certificate via multi-factor authentication based at least in part on the generic credentials and the additional credentials, associating the digital certificate, comprising a first digital certificate of the plurality of generated digital certificates, by operation of one or more computer processors, with the loT device in a registry of the first loT service and issuing the digital certificate to the loT device, whereafter the loT device accesses a second loT service based on the digital certificate.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-implemented method of claim 17, further comprising:
    - incrementing the count of provisioning certificates previously claimed.
  - 19. The computer-implemented method of claim 17, wherein authenticating the provisioning certificate further comprises:
    - evaluating the provisioning certificate relative to information identifying the IoT device.
  - 20. The computer-implemented method of claim 17, further comprising:
    - receiving an indication that the provisioning certificate is compromised;
      
      identifying one or more IoT devices that are associated with digital certificates issued based on the provisioning certificate; and
      
      revoking the corresponding digital certificate associated with each of the identified IoT devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Loladia, Rameez, Bhattacharyya, Ramkishore, Thakur, Ashutosh, Beheray, Atulya S.
Primary Examiner(s)
Li, Meng

Application Number

US15/354,869
Time in Patent Office

1,062 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/082   applying multi-factor authe...

H04L 63/0823   using certificates cryptogr...

H04W 12/069   using certificates or pre-s...

H04W 12/63   Location-dependent; Proximi...

H04W 12/71   Hardware identity

H04W 12/72   Subscriber identity

H04W 4/50   Service provisioning or rec...

H04W 4/70   Services for machine-to-mac...

Zero-touch provisioning of IOT devices with multi-factor authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Zero-touch provisioning of IOT devices with multi-factor authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links