SYSTEM AND METHOD FOR TRUSTED PROVISIONING AND AUTHENTICATION FOR NETWORKED DEVICES IN CLOUD-BASED IOT/M2M PLATFORMS
First Claim
1. Non-transitory computer storage medium storing computer-executable instructions that, when executed by a computing device, cause the computing device to:
- establish a network connection with the networked device;
- receive, from the networked device, a fully qualified domain name and a public key for the networked device;
- register the fully qualified domain name and the public key with a domain name server that stores records mapping fully qualified device names to public keys for respective networked devices; and
- transmit configuration data, including data corresponding to a username, to the networked device, where the username enables the networked device to establish an authorized connection with a data collection server that is accessible, via a network, to the networked device;
- in response to receiving credentials from the networked device;
- deducing, from the credentials, the username, the fully qualified domain name for the networked device, and an encrypted password, where the encrypted password was computed by the networked device using a private key of the networked device;
- query the domain name server for a public key mapped to the fully qualified domain name;
- receive, from the domain name server, the public key mapped to the fully qualified domain name;
- decrypt the encrypted password based, at least in part, on the public key;
- attempt to verify the decrypted password;
- when a public key for the device is returned by the domain name server and the decrypted password is verified, providing the username to a data collection server to authorize a network connection between the computing device and the data collection server; and
- when the domain name server does not have a record recording a public key for the fully qualified domain name or the decrypted password is not verified, refraining from providing the username to the data collection server.
Abstract
Systems and methods for trusted provisioning and authentication for networked devices in a cloud-based IoT/M2M platform are disclosed. In one embodiment, a fully qualified domain name and public key are registered in a domain name server for each networked device during device configuration. A network device establishes its trustworthiness to a data collection and processing server by providing credentials to the data collection and processing server. The data collection and processing server deduces the username, the device's fully qualified domain name, and encrypted password from the credentials. The domain name server is queried for the fully qualified domain name and the public key is returned. The encrypted password is decrypted using the public key and an attempt is made to verify the password. When the password is verified, the username is provided to the data collection and processing server to authorize a network connection between the networked device and the data collection and processing server.
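The provisioning and authentication flow described in the abstract, as an added Python sketch that is not code from the patent. It shows both sides of the exchange and the two outcomes in which the username is withheld (no key record for the fully qualified domain name, or a password that does not verify). Assumptions: toy textbook RSA on publicly known Mersenne primes stands in for the device key pair, a dict stands in for the domain name server, the server keeps the expected password per username, and the `username@fqdn` plus hex-password credential layout and all function and class names are hypothetical.

```python
# Added illustration, not code from the patent. Toy textbook RSA on publicly known
# Mersenne primes and a dict "DNS" are stand-ins; the credential layout is assumed.
import hmac
E = 65537  # public exponent for the toy keys

def make_key(p, q):
    """Return (public, private) toy RSA keys built from two known primes."""
    n = p * q
    return (E, n), (pow(E, -1, (p - 1) * (q - 1)), n)

class Platform:
    def __init__(self):
        self.dns = {}         # FQDN -> public key records
        self.passwords = {}   # username -> expected password (assumed server state)
        self.authorized = []  # usernames handed to the data collection server

    def provision(self, fqdn, public_key, username, password):
        self.dns[fqdn] = public_key          # register FQDN and public key
        self.passwords[username] = password
        return {"username": username, "password": password}  # configuration data

    def authenticate(self, cred_user, cred_pass):
        username, _, fqdn = cred_user.partition("@")  # deduce username and FQDN
        public_key = self.dns.get(fqdn)               # query the name server
        expected = self.passwords.get(username)
        if public_key is None or expected is None:
            return False      # no key record (or unknown username): refrain
        try:
            cipher = int(cred_pass, 16)
        except ValueError:
            return False      # malformed credential: refrain
        m = pow(cipher, *public_key)                  # decrypt with the public key
        decrypted = m.to_bytes((m.bit_length() + 7) // 8, "big")
        if not hmac.compare_digest(decrypted, expected):
            return False      # password not verified: refrain
        self.authorized.append(username)              # provide the username
        return True

def device_credentials(config, fqdn, private_key):
    """Device side: encrypt the password with the private key, build credentials."""
    d, n = private_key
    m = int.from_bytes(config["password"], "big")
    return f"{config['username']}@{fqdn}", format(pow(m, d, n), "x")

if __name__ == "__main__":  # constructed demo values
    pub, priv = make_key(2**127 - 1, 2**521 - 1)
    plat, fqdn = Platform(), "sensor-01.devices.example"
    cfg = plat.provision(fqdn, pub, "sensor-01", b"constructed-secret")
    print(plat.authenticate(*device_credentials(cfg, fqdn, priv)))
```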
20 Claims
14. A computing system, comprising:
- a provisioning server comprising configuration logic configured to;
  - establish a network connection with a networked device;
  - receive, from the networked device, a fully qualified domain name and a public key for the networked device;
  - register the fully qualified domain name and the public key with a domain name server that stores records mapping fully qualified device names to public keys for respective networked devices; and
  - transmit configuration data, including data corresponding to a username, to the networked device, where the username enables the networked device to establish an authorized connection with a data collection server that is accessible, via a network, to the networked device; and
- a data collection server comprising authentication and authorization logic configured to, in response to receiving credentials from the networked device;
  - deduce, from the credentials, the username, the fully qualified domain name, and an encrypted password, where the encrypted password was computed by the networked device using a private key of the networked device;
  - query the domain name server for a public key mapped to the fully qualified domain name;
  - when the domain name server does not have a record recording a public key for the fully qualified domain name, refraining from providing the username to the data collection server such that no network connection will be established between the computing device and data collection server;
  - when a public key for the device is returned by the domain name server;
  - decrypt the encrypted password, based at least in part, on the public key;
  - attempt to verify the decrypted password;
  - when the decrypted password is verified, provide the username to a data collection server to authorize a network connection between the computing device and the data collection server.
Specification