PROTECTION OF PRIVACY AND DATA ON SMART EDGE DEVICES

US 20200134230A1
Filed: 12/23/2019
Published: 04/30/2020
Est. Priority Date: 12/23/2019
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a sensor to produce a stream of sensor data;

an analytics mechanism; and

a trusted execution environment (TEE) including a plurality of keys for data security, wherein the apparatus is to;

exchange keys with a host server to establish one or more secure communication channels between the apparatus and a TEE of a host server,process the stream of sensor data utilizing the analytics mechanism to generate metadata,perform encryption and integrity protection of the metadata utilizing a key from the TEE for the sensor, and sign the metadata utilizing a private key for the analytics mechanism to generate a signature, andtransfer the encrypted and integrity protected metadata and the signature to the host server via the one or more secure communication channels.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to protection of privacy and data on smart edge devices. An embodiment of an apparatus includes a sensor to produce a stream of sensor data; an analytics mechanism; and a trusted execution environment (TEE) including multiple keys for data security, the apparatus to exchange keys with a host server to establish one or more secure communication channels between the apparatus and a TEE on a host server, process the stream of sensor data utilizing the analytics mechanism to generate metadata, perform encryption and integrity protection of the metadata utilizing a key from the TEE for the sensor, sign the metadata utilizing a private key for the analytics mechanism, and transfer the encrypted and integrity protected metadata and the signature to the host server via the one or more secure communication channels in a manner that prevents privileged users on the host from accessing the data.

Citations

19 Claims

1. An apparatus comprising:
- a sensor to produce a stream of sensor data;
  
  an analytics mechanism; and
  
  a trusted execution environment (TEE) including a plurality of keys for data security, wherein the apparatus is to;
  
  exchange keys with a host server to establish one or more secure communication channels between the apparatus and a TEE of a host server,process the stream of sensor data utilizing the analytics mechanism to generate metadata,perform encryption and integrity protection of the metadata utilizing a key from the TEE for the sensor, and sign the metadata utilizing a private key for the analytics mechanism to generate a signature, andtransfer the encrypted and integrity protected metadata and the signature to the host server via the one or more secure communication channels.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The apparatus of claim 1, wherein the apparatus further includes a hardware accelerator, wherein processing the stream of sensor data includes processing the stream of sensor data at least in part in the hardware accelerator.
  - 3. The apparatus of claim 1, wherein the sensor includes a camera, and the stream of sensor data includes a stream of video data generated by the camera.
  - 4. The apparatus of claim 1, further comprising a model decryption engine to decrypt an encrypted algorithm for use by the analytics mechanism.
  - 5. The apparatus of claim 4, wherein the apparatus is to receive the encrypted algorithm from the host server via the one or more secure communication channels.
  - 6. The apparatus of claim 1, further comprising an encryption engine, wherein the apparatus is further to:
    - perform encryption and integrity protection of the stream of sensor data utilizing a key from the TEE for the stream of sensor data;
      
      sign the stream of sensor data utilizing a private key for the sensor to generate a second signature; and
      
      transfer the encrypted and integrity protected sensor data and the second signature to the host server via the one or more secure communication channels.
  - 7. The apparatus of claim 1, wherein the apparatus is further to filter out or transform privacy sensitive content in the stream of sensor data.
  - 8. The apparatus of claim 1, wherein the apparatus is an edge device that is capable of providing entry to a network.

9. One or more non-transitory computer-readable storage mediums having stored thereon executable computer program instructions that, when executed by one or more processors, cause the one or more processors to perform operations comprising:
- receiving a stream of sensor data at an edge device from a sensor;
  
  processing the stream of sensor data at the edge device utilizing an analytics mechanism to generate metadata;
  
  exchanging keys with a host server to establish one or more secure communication channels between the edge device and a trusted execution environment (TEE) on the host server, the edge device including a TEE including the keys for data security;
  
  performing encryption and integrity protection of the metadata utilizing a key from the TEE for the sensor, and signing the metadata utilizing a private key for the analytics mechanism to generate a signature; and
  
  transferring the encrypted and integrity protected metadata and the signature to the host server via the one or more secure communication channels.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The one or more mediums of claim 9, wherein processing the stream of sensor data includes processing the stream of sensor data at least in part in a hardware accelerator.
  - 11. The one or more mediums of claim 9, wherein the sensor includes a camera, and the stream of sensor data includes a stream of video data generated by the camera.
  - 12. The one or more mediums of claim 9, further comprising instructions for:
    - decrypting an encrypted algorithm for use by the analytics mechanism in processing the stream of sensor data.
  - 13. The one or more mediums of claim 12, further comprising instructions for:
    - receiving the encrypted algorithm from the host server via the one or more secure communication channels.
  - 14. The one or more mediums of claim 9, further comprising instructions for:
    - performing encryption and integrity protection of the stream of sensor data utilizing a key from the TEE for the stream of sensor data;
      
      signing the stream of sensor data utilizing a private key for the sensor to generate a second signature; and
      
      transferring the encrypted and integrity protected sensor data and the second signature to the host server via the one or more secure communication channels.
  - 15. The one or more mediums of claim 9, further comprising instructions for:
    - filtering out or transforming privacy sensitive content in the stream of sensor data.

16. A system comprising:
- one or more processors including a central processing unit (CPU);
  
  a memory including host software; and
  
  s a trusted execution environment (TEE) including a secure enclave, the TEE including a second plurality of keys for data security; and
  
  wherein the system is to;
  
  exchange keys between the system and an edge device to establish one or more secure communication channels between the edge device and the TEE of the system,receive encrypted and integrity protected metadata and a signature from the edge device via the one or more secure communication channels, the metadata being generated from a stream of video data,authenticate the edge device as a source of the metadata using the signature, anddecrypt and check integrity of the metadata using a key from the TEE.
- View Dependent Claims (17, 18, 19)
- - 17. The system of claim 16, wherein the system is further to:
    - upon receiving attestation of an identify of the edge device, transfer an encrypted inference model from the host software to the edge device via the one or more secure communication channels.
  - 18. The system of claim 16, wherein the system is further to:
    - receive encrypted and integrity protected video data and a second signature from the edge device via the one or more secure communication channels;
      
      authenticate a camera of the edge device as a source of the video data using the second signature; and
      
      decrypt and check integrity of the video data using a key from the TEE.
  - 19. The system of claim 16, wherein the system is further to utilize the metadata in an operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Booth, JR., Lawrence A., Yitbarek, Salessawi Ferede, Lal, Reshma, Pappachan, Pradeep M., Thomas, Brent

Granted Patent

US 11,423,171 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/152   using file content signatur...

G06F 16/783   using metadata automaticall...

G06F 21/107   License processing; Key pro...

G06F 21/31   User authentication

G06F 21/44   Program or device authentic...

G06F 21/53   by executing in a restricte...

G06F 21/606   by securing the transmissio...

G06F 21/6245   Protecting personal data, e...

G06F 2221/2129   Authenticate client device ...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/123   received data contents, e.g...

H04L 67/12   specially adapted for propr...

H04W 12/02   Protecting privacy or anony...

H04W 12/0471   Key exchange

H04W 12/106   Packet or message integrity

H04W 4/38   for collecting sensor infor...

PROTECTION OF PRIVACY AND DATA ON SMART EDGE DEVICES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

PROTECTION OF PRIVACY AND DATA ON SMART EDGE DEVICES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links