Apparatus and method for sharing WiFi security data in an internet of things (IoT) system

US 9,843,929 B2
Filed: 08/21/2015
Issued: 12/12/2017
Est. Priority Date: 08/21/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

establishing a secure communication channel between an Internet of Things (IoT) hub and an IoT service using a first secret, the secure communication channel being established through a client device;

generating a second secret on the client device and transmitting the second secret to the IoT hub;

encrypting a wireless key using the second secret on the client device to generate a first-encrypted key, the wireless key usable to establish a secure communication channel over a local wireless network;

transmitting the first-encrypted key to the IoT service;

encrypting the first-encrypted key at the IoT service using the first secret to generate a twice-encrypted key;

transmitting the twice-encrypted key to the IoT hub over the secure communication channel;

decrypting the twice-encrypted key at the IoT hub using the first secret to generate the first-encrypted key and decrypting the first-encrypted key at the IoT hub using the second secret to generate the wireless key; and

using the wireless key to establish a secure wireless connection between the IoT hub and the local wireless network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for connecting an Internet of Things (IoT) hub to a wireless network. One embodiment of the method includes establishing a secure communication channel between an IoT hub and an IoT service through a client device using a first secret; generating a second secret on the client device and transmitting it to the IoT hub; encrypting a wireless key using the second secret to generate a first-encrypted key and transmitting it to the IoT service; encrypting the first-encrypted key using the first secret to generate a twice-encrypted key and transmitting it to the IoT hub over the secure communication channel; decrypting the twice-encrypted key at the IoT hub using the first secret to generate the first-encrypted key and decrypting it using the second secret to generate the wireless key usable to establish a secure wireless connection between the IoT hub and the local wireless network.

Citations

26 Claims

1. A method comprising:
- establishing a secure communication channel between an Internet of Things (IoT) hub and an IoT service using a first secret, the secure communication channel being established through a client device;
  
  generating a second secret on the client device and transmitting the second secret to the IoT hub;
  
  encrypting a wireless key using the second secret on the client device to generate a first-encrypted key, the wireless key usable to establish a secure communication channel over a local wireless network;
  
  transmitting the first-encrypted key to the IoT service;
  
  encrypting the first-encrypted key at the IoT service using the first secret to generate a twice-encrypted key;
  
  transmitting the twice-encrypted key to the IoT hub over the secure communication channel;
  
  decrypting the twice-encrypted key at the IoT hub using the first secret to generate the first-encrypted key and decrypting the first-encrypted key at the IoT hub using the second secret to generate the wireless key; and
  
  using the wireless key to establish a secure wireless connection between the IoT hub and the local wireless network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method as in claim 1 wherein establishing the secure communication channel between the IoT hub and the IoT service comprises:
    - generating an IoT service public key and an IoT service private key by key generation logic of a first encryption engine on the IoT service;
      
      generating an IoT hub public key and an IoT hub private key by key generation logic of a second encryption engine on the IoT hub;
      
      transmitting the IoT service public key from the first encryption engine to the second encryption engine and transmitting the IoT hub public key from the second encryption engine to the first encryption engine;
      
      generating the first secret using a device public key and the lot service private key;
      
      generating the same first secret using the IoT service public key and a device private key; and
      
      encrypting and decrypting data packets transmitted between the first encryption engine and the second encryption engine using the first secret or using data structures derived from the first secret.
  - 3. The method as in claim 2 wherein the key generation logic comprises a hardware security module (HSM).
  - 4. The method as in claim 2 wherein the data structures derived from the first secret comprise a first key stream generated by the first encryption engine and a second key stream generated by the second encryption engine.
  - 5. The method as in claim 4 wherein a first counter is associated with the first encryption engine and a second counter is associated with the second encryption engine, the first encryption engine incrementing the first counter responsive to each data packet transmitted to the second encryption engine and the second encryption engine incrementing the second counter responsive to each data packet transmitted to the first encryption engine.
  - 6. The method as in claim 5 wherein the first encryption engine generates the first key stream using a current counter value of the first counter and the first secret and the second encryption engine generates the second key stream using a current counter value of the second counter and the first secret.
  - 7. The method as in claim 6 wherein the first encryption engine comprises an elliptic curve method (ECM) module to generate the first key stream using the current counter value of the first counter and the first secret and the second encryption engine comprises an ECM module to generate the second key stream using the current counter value of the second counter and the first secret.
  - 8. The method as in claim 6 wherein the first encryption engine encrypts a first data packet using the first key stream to generate a first encrypted data packet and transmits the first encrypted data packet to the second encryption engine along with the current counter value of the first counter.
  - 9. The method as in claim 8 wherein the second encryption engine uses the current counter value of the first counter and the first secret to generate the first key stream and uses the first key stream to decrypt the encrypted data packet.
  - 10. The method as in claim 8 wherein encrypting the first data packet comprises XORing the first key stream with the first data packet to generate the first encrypted data packet.
  - 11. The method as in claim 1 wherein the IoT hub comprises a Bluetooth Low Energy (BTLE) communication interface to communicatively couple the IoT hub to the client device, the client device communicatively coupled to the IoT service over the Internet.
  - 12. The method as in claim 1 wherein the local wireless network comprises a WiFi network and wherein the wireless key comprises a WiFi security key.
  - 13. The method as in claim 12 further comprising:
    - encrypting additional data related to the WiFi network using the second secret, including an SSID of the WiFi network, to generate first-encrypted additional data;
      
      transmitting the first-encrypted additional data to the IoT service;
      
      encrypting the first-encrypted additional data at the IoT service using the first secret to generate twice-encrypted additional data;
      
      transmitting the twice-encrypted additional data to the IoT hub over the secure communication channel;
      
      decrypting the twice-encrypted additional data at the IoT hub using the first secret to generate the first-encrypted additional data and decrypting the first-encrypted additional data at the IoT hub using the second secret to generate the additional data including the SSID; and
      
      using the SSID and the WiFi key to establish a secure wireless connection between the IoT hub and the WiFi network.

14. A system comprising:
- an Internet of Things (IoT) hub to communicatively couple a plurality of IoT devices;
  
  an IoT service to establish a secure communication channel with the IoT hub using a first secret, the secure communication channel being established through a client device;
  
  the client device including a security module to generate a second secret, the client device to transmit the second secret to the IoT hub;
  
  the security module to encrypt a wireless key using the second secret on the client device to generate a first-encrypted key, the wireless key usable to establish a secure communication channel over a local wireless network;
  
  the client device to transmit the first-encrypted key to the IoT service;
  
  the IoT service to encrypt the first-encrypted key using the first secret to generate a twice-encrypted key and to transmit the twice-encrypted key to the IoT hub over the secure communication channel;
  
  the IoT hub to decrypt the twice-encrypted key using the first secret to generate the first-encrypted key and to decrypt the first-encrypted key at the IoT hub using the second secret to generate the wireless key; and
  
  the IoT hub using the wireless key to establish a secure wireless connection over the local wireless network.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The system as in claim 14 wherein establishing the secure communication channel between the IoT hub and the IoT service comprises:
    - generating an IoT service public key and an IoT service private key by key generation logic of a first encryption engine on the IoT service;
      
      generating an IoT hub public key and an IoT hub private key by key generation logic of a second encryption engine on the IoT hub;
      
      transmitting the IoT service public key from the first encryption engine to the second encryption engine and transmitting the IoT hub public key from the second encryption engine to the first encryption engine;
      
      generating the first secret using a device public key and the IoT service private key;
      
      generating the same first secret using the IoT service public key and a device private key; and
      
      encrypting and decrypting data packets transmitted between the first encryption engine and the second encryption engine using the first secret or using data structures derived from the first secret.
  - 16. The system as in claim 15 wherein the key generation logic comprises a hardware security module (HSM).
  - 17. The system as in claim 15 wherein the data structures derived from the first secret comprise a first key stream generated by the first encryption engine and a second key stream generated by the second encryption engine.
  - 18. The system as in claim 17 wherein a first counter is associated with the first encryption engine and a second counter is associated with the second encryption engine, the first encryption engine incrementing the first counter responsive to each data packet transmitted to the second encryption engine and the second encryption engine incrementing the second counter responsive to each data packet transmitted to the first encryption engine.
  - 19. The system as in claim 18 wherein the first encryption engine generates the first key stream using a current counter value of the first counter and the first secret and the second encryption engine generates the second key stream using a current counter value of the second counter and the first secret.
  - 20. The system as in claim 19 wherein the first encryption engine comprises an elliptic curve method (ECM) module to generate the first key stream using the first counter value and the first secret and the second encryption engine comprises an ECM module to generate the second key stream using the first counter value and the first secret.
  - 21. The system as in claim 19 wherein the first encryption engine encrypts a first data packet using the first key stream to generate a first encrypted data packet and transmits the first encrypted data packet to the second encryption engine along with a current counter value of the first counter.
  - 22. The system as in claim 21 wherein the second encryption engine uses the current counter value of the first counter and the first secret to generate the first key stream and uses the first key stream to decrypt the encrypted data packet.
  - 23. The system as in claim 21 wherein encrypting the first data packet comprises XORing the first key stream with the first data packet to generate the first encrypted data packet.
  - 24. The system as in claim 14 wherein the IoT hub comprises a Bluetooth Low Energy (BTLE) communication interface to communicatively couple the IoT hub to the client device, the client device communicatively coupled to the IoT service over the Internet.
  - 25. The system as in claim 14 wherein the local wireless network comprises a WiFi network and wherein the wireless key comprises a WiFi security key.
  - 26. The system as in claim 25 further comprising:
    - the security module to encrypt additional data related to the WiFi network using the second secret, including an SSID of the WiFi network, to generate first-encrypted additional data;
      
      the client device to transmit the first-encrypted additional data to the IoT service;
      
      the IoT service to encrypt the first-encrypted additional data using the first secret to generate twice-encrypted additional data;
      
      the IoT service to transmit the twice-encrypted additional data to the IoT hub over the secure communication channel;
      
      the IoT hub to decrypt the twice-encrypted additional data at the IoT hub using the first secret to generate the first-encrypted additional data and to decrypt the first-encrypted additional data at the IoT hub using the second secret to generate the additional data including the SSID; and
      
      the IoT hub to use the SSID and the WiFi key to establish a secure wireless connection between the IoT hub and the WiFi network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Afero, Inc.
Original Assignee
Afero, Inc.
Inventors
Zimmerman, Scott, Jeng, Evan, Holland, Shannon, Liu, Clif, Aiuto, Chris
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
Almamun, Abdullah

Application Number

US14/832,905
Publication Number

US 20170055148A1
Time in Patent Office

844 Days
Field of Search
US Class Current
CPC Class Codes

H04L 12/2803   Home automation networks

H04L 2209/80   Wireless

H04L 2463/062   applying encryption of the ...

H04L 63/0428   wherein the data content is...

H04L 63/0457   wherein the sending and rec...

H04L 9/065   Encryption by serially and ...

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0827   involving distinctive inter...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/0861   Generation of secret inform...

H04L 9/0877   using additional device, e....

H04L 9/3066   involving algebraic varieti...

H04W 12/041   Key generation or derivation

H04W 12/0431   Key distribution or pre-dis...

H04W 12/0433   Key management protocols

H04W 4/70   Services for machine-to-mac...

H04W 76/10   Connection setup

Apparatus and method for sharing WiFi security data in an internet of things (IoT) system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for sharing WiFi security data in an internet of things (IoT) system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links