AUTOMATING INTERNET OF THINGS SECURITY PROVISIONING

US 20160248746A1
Filed: 02/24/2016
Published: 08/25/2016
Est. Priority Date: 02/25/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for establishing trust in a device when provisioning the device, the method comprising:

receiving a provisioning request associated with the device;

determining a verification item based on the provisioning request;

determining, via a processor, that one or more provisioning operations are authorized based on the verification item; and

performing the one or more provisioning operations to establish a verifiable identification for the device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a security provisioning service automatically establishes trust in a device. Upon receiving a provisioning request, a security provisioning service identifies a verification item that is associated with the provisioning request. The security provisioning service performs one or more verification operations based on the provisioning request to determine whether the provisioning request is authorized. If the provisioning request is authorized, then the provisioning service establishes a verifiable identification for the device that is assured by the secure provisioning service and then executes the provisioning request. By automatically performing the verification operations to establish trust in the device, the provisioning service eliminates manual identification assurance operations that are performed as part of a conventional security provisioning process. Reducing the time and effort required to perform security provisioning increases the number of devices likely to implement security processes that increase the overall security of interacting using the Internet.

150 Citations

20 Claims

1. A computer-implemented method for establishing trust in a device when provisioning the device, the method comprising:
- receiving a provisioning request associated with the device;
  
  determining a verification item based on the provisioning request;
  
  determining, via a processor, that one or more provisioning operations are authorized based on the verification item; and
  
  performing the one or more provisioning operations to establish a verifiable identification for the device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, wherein the verification item comprises a digital signature, and determining that one or more provisioning operations are authorized comprises:
    - identifying a public key that is associated with the digital signature; and
      
      validating the digital signature based on the public key.
  - 3. The computer-implemented method of claim 2, wherein the digital signature is generated using an Enhanced Privacy Identification (EPID) private key, and identifying the public key comprises selecting a EPID public key that is associated with the EPID private key.
  - 4. The computer-implemented method of claim 2, wherein the digital signature is generated using a private key, and identifying the public key comprises performing one or more look up operations on a device manifest based on a name of the device, wherein the device manifest includes a plurality of public keys.
  - 5. The computer-implemented method of claim 1, wherein determining that one or more provisioning operations are authorized comprises performing one or more look up operations on a device manifest based on the verification item.
  - 6. The computer-implemented method of claim 5, wherein the verification item comprises an Internet Protocol (IP) number, a domain name, or a certificate that includes a public key.
  - 7. The computer-implemented method of claim 1, wherein performing the one or more provisioning operations comprises storing the public key in a Domain Name System (DNS) based on a name of the device.
  - 8. The computer-implemented method of claim 1, wherein performing the one or more provisioning operations comprises:
    - signing a certificate that includes a public key to generate a signed certificate;
      
      storing the public key in a Domain Name System (DNS) based on a name of the device; and
      
      transmitting the signed certificate to the device.

9. A computer-readable storage medium including instructions that, when executed by a processor, cause the processor to perform the steps of:
- determining distinguishing information associated with a first device in response to a first provisioning request;
  
  selecting at least one authorization template included in a template database based on the distinguishing information; and
  
  generating a first authorization credential for the first device based on the at least one authorization template.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer-readable storage medium of claim 9, wherein the distinguishing information comprises an Internet Protocol (IP) number, a domain name, an Enhanced Privacy Identification (EPID) public key, or a device type.
  - 11. The computer-readable storage medium of claim 9, wherein the distinguishing information comprises a public key, and determining the distinguishing information comprises reading a public key infrastructure (PKI) certificate that includes the public key.
  - 12. The computer-readable storage medium of claim 9, further comprising:
    - signing the first authorization credential to generate a signed authorization credential; and
      
      transmitting the signed authorization credential to the first device.
  - 13. The computer-readable storage medium of claim 12, further comprising inserting the signed authorization credential into a Domain Name System (DNS).
  - 14. The computer-readable storage medium of claim 9, further comprising:
    - receiving a second provisioning request for a second device;
      
      performing one or more verification operations to determine whether an identification associated with the second device is reliable; and
      
      if the identification is reliable, then generating a second authorization credential for the second device based on a first template that is not included in the at least one authorization template, orif the identification is not reliable, then transmitting an error message to at least one of the first device and the second device.
  - 15. The computer-readable storage medium of claim 9, wherein selecting the at least one authorization template comprises performing one or more matching operations between the distinguishing information and a plurality of device profiles, wherein each device profile included in the plurality of device profiles is associated with one or more authorization templates included in the template database.
  - 16. The computer-readable storage medium of claim 9, wherein generating the first authorization credential comprises creating a union of all authorizations included in the at least one authorization template that are applicable to the first device.

17. A system comprising:
- a memory storing a provisioning engine; and
  
  a processor that is coupled to the memory and, when executing the provisioning engine, is configured to;
  
  receive a provisioning request associated with a device;
  
  determine a verification item based on the provisioning request;
  
  determine that one or more provisioning operations are authorized based on the verification item;
  
  perform the one or more provisioning operations to generate a provisioning item; and
  
  sign the provisioning item to generate a signed provisioning item.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the provisioning request comprises a public key infrastructure (PKI) certificate signing request or an authorization credential generation request.
  - 19. The system of claim 17, wherein the verification item comprises an Internet Protocol (IP) number, a domain name, a certificate that includes a public key, or a device type.
  - 20. The system of claim 17, wherein the device comprises a computing device, a smart phone, a wearable technology device, an appliance, or a sensor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VeriSign, Inc.
Original Assignee
VeriSign, Inc.
Inventors
JAMES, Stephen D., FREGLY, Andrew, CATHROW, Andrew

Granted Patent

US 10,083,291 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/45   Structures or tools for the...

H04L 2101/35   containing special prefixes

H04L 61/3025   Domain name generation or a...

H04L 61/4511   using domain name system [DNS]

H04L 61/5014   using dynamic host configur...

H04L 63/0823   using certificates cryptogr...

H04L 67/04   specially adapted for termi...

H04L 67/12   specially adapted for propr...

H04L 67/51   Discovery or management the...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

H04L 9/3268   using certificate validatio...

H04W 4/70   Services for machine-to-mac...

AUTOMATING INTERNET OF THINGS SECURITY PROVISIONING

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

150 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

AUTOMATING INTERNET OF THINGS SECURITY PROVISIONING

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

150 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links