SYSTEM AND METHOD FOR TRUSTED PROVISIONING AND AUTHENTICATION FOR NETWORKED DEVICES IN CLOUD-BASED IOT/M2M PLATFORMS

US 20160285628A1
Filed: 09/22/2015
Published: 09/29/2016
Est. Priority Date: 03/26/2015
Status: Active Grant

First Claim

Patent Images

1. Non-transitory computer storage medium storing computer-executable instructions that, when executed by a computing device, cause the computing device to:

establish a network connection with the networked device;

receive, from the networked device, a fully qualified domain name and a public key for the networked device;

register the fully qualified domain name and the public key with a domain name server that stores records mapping fully qualified device names to public keys for respective networked devices; and

transmit configuration data, including data corresponding to a username, to the networked device, where the username enables the networked device to establish an authorized connection with a data collection server that is accessible, via a network, to the networked device;

in response to receiving credentials from the networked device;

deducing, from the credentials, the username, the fully qualified domain name for the networked device, and an encrypted password, where the encrypted password was computed by the networked device using a private key of the networked device;

query the domain name server for a public key mapped to the fully qualified domain name;

receive, from the domain name server, the public key mapped to the fully qualified domain name;

decrypt the encrypted password based, at least in part, on the public key;

attempt to verify the decrypted password;

when a public key for the device is returned by the domain name server and the decrypted password is verified, providing the username to a data collection server to authorize a network connection between the computing device and the data collection server; and

when the domain name server does not have a record recording a public key for the fully qualified domain name or the decrypted password is not verified, refraining from providing the username to the data collection server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for trusted provisioning and authentication for networked devices in a cloud-based IoT/M2M platform is disclosed. In one embodiment, a fully qualified domain name and public key is registered in a domain name server for each networked device during device configuration. A network device establishes its trustworthiness to a data collection and processing server by providing credentials to the data collection and processing server. The data collection and processing server deduces the username, the device'"'"'s fully qualified domain name, and encrypted password from the credentials. The domain name server is queried for the fully qualified domain name and the public key is returned. The encrypted password is decrypted using the public key and an attempt is made to verify the password. When the password is verified, the username is provided to the data collection and processing server to authorize a network connection between the networked device and the data collection and processing server.

63 Citations

View as Search Results

20 Claims

1. Non-transitory computer storage medium storing computer-executable instructions that, when executed by a computing device, cause the computing device to:
- establish a network connection with the networked device;
  
  receive, from the networked device, a fully qualified domain name and a public key for the networked device;
  
  register the fully qualified domain name and the public key with a domain name server that stores records mapping fully qualified device names to public keys for respective networked devices; and
  
  transmit configuration data, including data corresponding to a username, to the networked device, where the username enables the networked device to establish an authorized connection with a data collection server that is accessible, via a network, to the networked device;
  
  in response to receiving credentials from the networked device;
  
  deducing, from the credentials, the username, the fully qualified domain name for the networked device, and an encrypted password, where the encrypted password was computed by the networked device using a private key of the networked device;
  
  query the domain name server for a public key mapped to the fully qualified domain name;
  
  receive, from the domain name server, the public key mapped to the fully qualified domain name;
  
  decrypt the encrypted password based, at least in part, on the public key;
  
  attempt to verify the decrypted password;
  
  when a public key for the device is returned by the domain name server and the decrypted password is verified, providing the username to a data collection server to authorize a network connection between the computing device and the data collection server; and
  
  when the domain name server does not have a record recording a public key for the fully qualified domain name or the decrypted password is not verified, refraining from providing the username to the data collection server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The non-transitory computer storage medium of claim 1 storing further instructions that, when executed by the computing device, cause the computing device to:
    - generate a shared secret key; and
      
      transmit the shared secret key to i) the networked device and ii) the data collection server, where the shared secret key enables the networked device to establish an authenticated connection with the data collection server.
  - 3. The non-transitory computer storage medium of claim 1 storing further instructions that, when executed by the computing device, cause the computing device to establish an authenticated connection with the networked device by transmitting a public key for the computing device to the networked device.
  - 4. The non-transitory computer storage medium of claim 1 storing further instructions that, when executed by the computing device, cause the computing device to:
    - access data corresponding to requests for provisioning for respective computing devices, where the requests for provisioning are received from a solution provider;
      
      when there is no request for provisioning for the computing device, refrain from transmitting the configuration data to the networked device.
  - 5. The non-transitory computer storage medium of claim 1 storing further instructions that, when executed by the computing device, cause the computing device to:
    - receive, from an installation device that is different than the networked device, a request to activate the networked device; and
      
      in response to the request, establish the network connection with the networked device such that the installation device does not receive data transmitted via the network connection.
  - 6. The non-transitory computer storage medium of claim 1 storing further instructions that, when executed by the computing device, cause the computing device to generate the shared secret by generating a random number.
  - 7. The non-transitory computer storage medium of claim 1 storing further instructions that, when executed by the computing device, cause the computing device to receive the shared secret from the networked device.
  - 8. The non-transitory computer storage medium of claim 1 storing further instructions that, when executed by the computing device, cause the computing device to deduce the fully qualified device name as a predetermined portion of the credentials, where the fully qualified domain name uniquely identifies the networked device.
  - 9. The non-transitory computer storage medium of claim 1 storing further instructions that, when executed by the computing device, cause the computing device to attempt to verify the decrypted password by:
    - extracting a first secret key from the decrypted password;
      
      accessing memory storing respective secret keys mapped to respective networked devices;
      
      selecting from the memory a second secret key corresponding to a shared secret key mapped to the networked device;
      
      comparing the first secret key to the second secret key; and
      
      when the first secret key matches the second secret key, determining that the decrypted password is verified.
  - 10. The non-transitory computer storage medium of claim 9 storing further instructions that, when executed by the computing device, cause the computing device to attempt to verify the password by:
    - receiving, with the encrypted password, a signature computed by the networked device using a private key of the networked device and the password;
      
      attempt to verify the signature based on the public key; and
      
      when the signature verifies based on the public key, determining that the decrypted password is verified.
  - 11. The non-transitory computer storage medium of claim 9 where the password is one time password that is considered valid for a limited duration of time.
  - 12. The non-transitory computer storage medium of claim 1 storing further instructions that, when executed by the computing device, cause the computing device to, when the domain name server does not have a public key for the fully qualified domain name, invoke a certificate revocation policy to revoke a record associated with the fully qualified device name from the domain name server.
  - 13. The non-transitory computer storage medium of claim 1, wherein the querying of the domain name server, the registering of the fully qualified domain name and the public key, and the receiving of the public key are performed in accordance with DNSSEC protocol.

14. A computing system, comprising:
- a provisioning server comprising configuration logic configured to;
  
  establish a network connection with a networked device;
  
  receive, from the networked device, a fully qualified domain name and a public key for the networked device;
  
  register the fully qualified domain name and the public key with a domain name server that stores records mapping fully qualified device names to public keys for respective networked devices; and
  
  transmit configuration data, including data corresponding to a username, to the networked device, where the username enables the networked device to establish an authorized connection with a data collection server that is accessible, via a network, to the networked device; and
  
  a data collection server comprising authentication and authorization logic configured to, in response to receiving credentials from the networked device;
  
  deduce, from the credentials, the username, the fully qualified domain name, and an encrypted password, where the encrypted password was computed by the networked device using a private key of the networked device;
  
  query the domain name server for a public key mapped to the fully qualified domain name;
  
  when the domain name server does not have a record recording a public key for the fully qualified domain name, refraining from providing the username to the data collection server such that no network connection will be established between the computing device and data collection server;
  
  when a public key for the device is returned by the domain name server;
  
  decrypt the encrypted password, based at least in part, on the public key;
  
  attempt to verify the decrypted password;
  
  when the decrypted password is verified, provide the username to a data collection server to authorize a network connection between the computing device and the data collection server.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computing system of claim 14, where the configuration logic is further configured to:
    - generate a shared secret key; and
      
      transmit the shared secret key to i) the networked device and ii) the data collection server, where the shared secret key enables the networked device to establish an authenticated connection with the data collection server.
  - 16. The computing system of claim 14, where the configuration logic is further configured to establish an authenticated connection with the networked device by transmitting a public key for the provisioning server to the networked device.
  - 17. The computing system of claim 14, where the configuration logic is further configured to:
    - access data corresponding to requests for provisioning for respective computing devices, where the requests for provisioning are received from a solution provider;
      
      when there is no request for provisioning for the computing device, refrain from transmitting the configuration data to the networked device.
  - 18. The computing system of claim 14, where the authentication and authorization logic is further configured to attempt to verify the encrypted password by:
    - extracting a first secret key from the decrypted password;
      
      accessing memory storing respective secret keys mapped to respective networked devices;
      
      selecting from the memory a second secret key corresponding to a shared secret key mapped to the networked device;
      
      comparing the first secret key to the second secret key; and
      
      when the first secret key matches the second secret key, determining that the decrypted password is verified.
  - 19. The computing system of claim 18, where the authentication and authorization logic is further configured to attempt to verify the decrypted password by:
    - receiving, with the encrypted password, a signature computed by the networked device using a private key of the networked device and the password;
      
      attempting to verify the signature based on the public key; and
      
      when the signature verifies based on the public key, determining that the decrypted password is verified.
  - 20. The computing system of claim 14, where the password is one time password that is considered valid for a limited duration of time

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Eurotech S.p.A.
Original Assignee
Eurotech S.p.A.
Inventors
CARRER, Marco, De ALTI, Cristiano, RUGHETTI, Diego, ABRAMO, Antonio, ADAMI, Stefano

Granted Patent

US 9,762,392 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 9/321 involving a third party or ...

H04L 9/3228 One-time or temporary data,...

SYSTEM AND METHOD FOR TRUSTED PROVISIONING AND AUTHENTICATION FOR NETWORKED DEVICES IN CLOUD-BASED IOT/M2M PLATFORMS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

63 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR TRUSTED PROVISIONING AND AUTHENTICATION FOR NETWORKED DEVICES IN CLOUD-BASED IOT/M2M PLATFORMS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links