Apparatus and method for establishing secure communication channels in an internet of things (IoT) system

US 10,375,044 B2
Filed: 08/07/2017
Issued: 08/06/2019
Est. Priority Date: 07/03/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

establishing communication between an Internet of Things (IoT) service and an IoT device through an IoT hub;

generating, by the IoT service, a first packet comprising an IoT service serial number and an IoT service public key, and signing the first packet using a factory private key of a factory public/private key pair implemented by a manufacturer of the IoT service and/or the IoT device;

transmitting the signed first packet from the IoT service to the IoT device;

verifying, by the IoT device, the signed first packet using a factory public key of the factory public/private key pair;

generating, by the IoT device, a second packet comprising an IoT device serial number and an IoT device public key, and signing the second packet using the factory private key;

transmitting the signed second packet from the IoT device to the IoT service; and

verifying, by the IoT service, the signed second packet using the factory public key.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and method are described for secure communication between IoT devices and an IoT service. For example, one embodiment of a system comprises: an Internet of Things (IoT) service to establish communication with an IoT device through an IoT hub or a mobile user device; a first encryption engine on the IoT service comprising key generation logic to generate a service public key and a service private key; a second encryption engine on the IoT device comprising key generation logic to generate a device public key and a device private key; the first encryption engine to transmit the service public key to the second encryption engine and the second encryption engine to transmit the device public key to the first encryption engine; the first encryption engine to use the device public key and the service private key to generate a secret; the second encryption engine to use the service public key and the device private key to generate the same secret; and wherein once the secret is generated, the first encryption engine and the second encryption engine encrypt and decrypt data packets transmitted between the first encryption engine and the second encryption engine using the secret or using a data structure derived from the secret.

173 Citations

10 Claims

1. A computer-implemented method comprising:
- establishing communication between an Internet of Things (IoT) service and an IoT device through an IoT hub;
  
  generating, by the IoT service, a first packet comprising an IoT service serial number and an IoT service public key, and signing the first packet using a factory private key of a factory public/private key pair implemented by a manufacturer of the IoT service and/or the IoT device;
  
  transmitting the signed first packet from the IoT service to the IoT device;
  
  verifying, by the IoT device, the signed first packet using a factory public key of the factory public/private key pair;
  
  generating, by the IoT device, a second packet comprising an IoT device serial number and an IoT device public key, and signing the second packet using the factory private key;
  
  transmitting the signed second packet from the IoT device to the IoT service; and
  
  verifying, by the IoT service, the signed second packet using the factory public key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-implemented method of claim 1, further comprising:
    - generating, by the IoT service, a third packet comprising an IoT service session public key of a IoT service session public/private key pair generated by a key generation logic of the IoT service, and signing the third packet using an IoT service private key;
      
      transmitting the signed third packet from the IoT service to the IoT device;
      
      verifying, by the IoT device, the signed third packet using the IoT service public key from the first signed packet;
      
      generating, by the IoT device, a fourth packet comprising an IoT device session public key of an IoT device session public/private key pair generated by a key generation logic of the IoT device, and signing the fourth packet using an IoT device private key;
      
      transmitting the signed fourth packet from the IoT device to the IoT service; and
      
      verifying, by the IoT service, the signed fourth packet using the IoT device public key from the second signed packet.
  - 3. The computer-implemented method of claim 2, further comprising:
    - generating, by the IoT service, a first session secret using the IoT service session private key and the IoT device session public key from the signed third packet;
      
      generating, by the IoT device, a second session secret using the IoT device session private key and the IoT service session public key from the signed fourth packet, the first session secret and the second session secret having a same value;
      
      encrypting, by the IoT service, a first random number using the first session secret to generate a first encrypted packet;
      
      transmitting the first encrypted packet from the IoT service to the IoT device; and
      
      decrypting, by the IoT device, the first encrypted packet using the second session secret to retrieve the first random number.
  - 4. The computer-implemented method of claim 3, further comprising:
    - encrypting, by the IoT device, the retrieved first random number using the second session secret to generate a second encrypted packet;
      
      transmitting the second encrypted packet from the IoT device to the IoT service;
      
      decrypting, by the IoT service, the second encrypted packet using the first session secret to retrieve a second random number;
      
      verifying, by the IoT service, that the second random number retrieved from the second encrypted packet is the same as the first random number; and
      
      wherein upon a positive verification, the IoT service is to send a successful pairing notification to the IoT device, and wherein all subsequent message between the IoT service and IoT device are encrypted using either the first session secret or the second session secret.
  - 5. The computer-implemented method of claim 1, wherein communications between the IoT service and the IoT hub are over an encrypted channel.
  - 6. The computer-implemented method of claim 1, wherein communications between the IoT device and the IoT hub are over an unencrypted channel.
  - 7. The computer-implemented method of claim 1, wherein the key generation logic comprises a hardware security module (HSM).
  - 8. The computer-implemented method of claim 1, wherein the IoT service comprises a first counter which is incremented each time a data packet is transmitted from the IoT service to the IoT device.
  - 9. The computer-implemented method of claim 8, wherein the IoT device comprises a second counter which is incremented each time a data packet is transmitted from the IoT device to the IoT service.
  - 10. The computer-implemented method of claim 5, wherein the encrypted channel between the IoT service and the IoT hub is created using elliptic curve digital signature algorithm (ECDSA) certificates.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Afero, Inc.
Original Assignee
Afero, Inc.
Inventors
Zakaria, Omar, Britt, Joe, Zimmerman, Scott
Primary Examiner(s)
Rahim, Monjur

Application Number

US15/670,306
Publication Number

US 20170339120A1
Time in Patent Office

729 Days
Field of Search

380283
US Class Current
CPC Class Codes

H04L 63/0442   wherein the sending and rec...

H04L 63/0492   by using a location-limited...

H04L 63/061   for key exchange, e.g. in p...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/0861   Generation of secret inform...

H04L 9/0877   using additional device, e....

Apparatus and method for establishing secure communication channels in an internet of things (IoT) system

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

173 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for establishing secure communication channels in an internet of things (IoT) system

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

173 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links