System, Apparatus And Method For Scalable Internet Of Things (IOT) Device On-Boarding With Quarantine Capabilities

US 20170346848A1
Filed: 05/31/2016
Published: 11/30/2017
Est. Priority Date: 05/31/2016
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

an access point having at least one first hardware processor, the access point comprising a first layer of a remediation network, the remediation network to prevent network access by unknown devices;

a first server coupled to the access point, the first server having at least one second hardware processor, the first server to verify that a first unknown device is trusted based at least in part on a manufacturer credential of the first unknown device, the manufacturer credential to indicate a type of device; and

a domain controller coupled to the first server, the domain controller having at least one third hardware processor, the domain controller to manage a domain, the domain controller to communicate with the first server to provision the first unknown device into the domain, wherein the domain controller comprises a second layer of the remediation network and responsive to the provisioning of the first unknown device into the domain, the first unknown device is to be released from the first layer of the remediation network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a domain controller includes: a quarantine logic to quarantine unknown devices from unrestricted network access, the quarantine logic comprising a first quarantine point at a first layer of a multi-layer communication model; a first logic to communicate with a domain name system (DNS) service to self-allocate and register a domain name with the DNS service, the domain name associated with a domain to be managed by the domain controller; a second logic to manage a group of devices of the domain; and a third logic to receive a provisioning request for a first device via an access point, wherein the access point comprises a second quarantine point at a second layer of the multi-level communication model. Other embodiments are described and claimed.

43 Citations

View as Search Results

20 Claims

1. A system comprising:
- an access point having at least one first hardware processor, the access point comprising a first layer of a remediation network, the remediation network to prevent network access by unknown devices;
  
  a first server coupled to the access point, the first server having at least one second hardware processor, the first server to verify that a first unknown device is trusted based at least in part on a manufacturer credential of the first unknown device, the manufacturer credential to indicate a type of device; and
  
  a domain controller coupled to the first server, the domain controller having at least one third hardware processor, the domain controller to manage a domain, the domain controller to communicate with the first server to provision the first unknown device into the domain, wherein the domain controller comprises a second layer of the remediation network and responsive to the provisioning of the first unknown device into the domain, the first unknown device is to be released from the first layer of the remediation network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the domain controller is further to communicate with the first server to verify a set of credentials, to enable the first unknown device to join the domain and establish the first unknown device as a known device.
  - 3. The system of claim 2, wherein the domain controller is, responsive to verification of the set of credentials, to issue a second credential to the first unknown device, the second credential comprising a group private key, wherein a message signed by the group private key is to be verified by a group public key for the domain.
  - 4. The system of claim 1, wherein responsive to establishment of an association between the first unknown device and the access point, the access point is to enable communication of a provisioning request to a domain name system (DNS) server to enable the first unknown device to obtain an identification of the domain controller.
  - 5. The system of claim 4, wherein the DNS server is to maintain a registry of active domains including the domain, and to indicate, responsive to a request from a device, whether another device is a member of an active domain.
  - 6. The system of claim 1, wherein the system further comprises a gateway device coupled to the access point, the gateway device comprising a third layer of the remediation network, wherein the gateway device is to enable the first unknown device to communicate with the access point, wherein the first unknown device comprises a non-Internet protocol device.
  - 7. The system of claim 1, wherein the domain controller is to register the first device with the DNS server, to indicate that the first device is a member of the domain and, responsive to registration of the first device with the DNS server, remove the first device from the second quarantine point.
  - 8. The system of claim 1, wherein the domain controller comprises a trusted execution environment including a provisioning logic, a quarantine logic and a management logic.

9. At least one computer readable storage medium comprising instructions that when executed enable a system to:
- receive, in a domain controller of a domain managed by the domain controller, a request from a first device to join the domain, the domain controller comprising a first quarantine point at a first layer of a multi-layer communication model;
  
  communicate with a domain name system (DNS) server to determine whether the first device is a first device type, based at least in part on a manufacturer certificate for the first device; and
  
  based on the determination, verify that the first device is authorized to be a member of the domain and communicate the verification to a second server coupled to the domain controller, wherein responsive to an authentication protocol performed between the second server and the first device, the first device is to be removed from a second quarantine point at a second layer of the multi-layer communication model, wherein the second layer is a lower layer of the multi-layer communication model than the first layer, the second quarantine point more restrictive than the first quarantine point.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The at least one computer readable medium of claim 9, further comprising instructions that when executed enable the domain controller to self-assert a name for the domain and register the domain with the DNS server based at least in part on a group public key, the name independent of an Internet protocol network naming convention.
  - 11. The at least one computer readable medium of claim 10, further comprising instructions that when executed enable the domain controller to provision a group private key for the first device responsive to removal of the first device from the second quarantine point.
  - 12. The at least one computer readable medium of claim 9, further comprising instructions that when executed enable the domain controller to register the first device with the DNS server, to indicate that the first device is a member of the domain.
  - 13. The at least one computer readable medium of claim 12, further comprising instructions that when executed enable the domain controller to, responsive to registration of the first device with the DNS server, remove the first device from the second quarantine point.
  - 14. The at least one computer readable medium of claim 9, further comprising instructions that when executed enable the domain controller to provide a public key for the domain to a block chain service, the block chain service comprising a ledger for transfer of ownership of one or more devices including the first device to the domain.

15. A domain controller comprising:
- a quarantine logic to quarantine unknown devices from unrestricted network access, the quarantine logic comprising a first quarantine point at a first layer of a multi-layer communication model;
  
  a first logic to communicate with a domain name system (DNS) service to self-allocate and register a domain name with the DNS service, the domain name associated with a domain to be managed by the domain controller;
  
  a second logic to manage a group of devices of the domain; and
  
  a third logic to receive a provisioning request for a first device via an access point, wherein the access point comprises a second quarantine point at a second layer of the multi-level communication model.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The domain controller of claim 15, wherein the third logic is to verify a device type of the first device with the DNS service.
  - 17. The domain controller of claim 16, wherein the third logic is, responsive to verification that the first device is of a first device type, to provision the first device into the domain.
  - 18. The domain controller of claim 17, wherein the third logic is to send a provisioning response to the access point to enable the first device to be removed from the second quarantine point, to enable the first device to communicate with the domain controller.
  - 19. The domain controller of claim 17, wherein the third logic is to provision a first group private key for the first device and provide the first group private key to the first device, the first group private key associated with a group public key for the domain, the group public key further provided from the domain controller to a block chain provider for storage in a block chain ledger.
  - 20. The domain controller of claim 17, further comprising a fourth logic to provide a public key for the domain to a block chain service, the block chain service comprising a ledger for transfer of ownership of one or more devices including the first device to the domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Smith, Ned M., Subramaniam, Ravi S., Grawrock, David W.

Granted Patent

US 10,856,122 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/1441   Countermeasures against mal...

H04W 12/069   using certificates or pre-s...

H04W 4/00   Services specially adapted ...

H04W 4/70   Services for machine-to-mac...

System, Apparatus And Method For Scalable Internet Of Things (IOT) Device On-Boarding With Quarantine Capabilities

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

43 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System, Apparatus And Method For Scalable Internet Of Things (IOT) Device On-Boarding With Quarantine Capabilities

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links