Patent abstract:
Method for verifying authenticity, setting network credentials and cryptographic keys for IoT devices using near field communication (NFC). A method of securely sending the cryptographic key and wireless LAN credentials to the device with an authenticity check to ensure that the device is safe to be added to the local network. These credentials are sent using an NFC-enabled device (104) to the internal EEPROM with NFC interface embedded in the connected target device. The method enforces the configuration process to prevent critical vulnerabilities in IoT devices, minimizing security and privacy issues for the end user and preventing any unauthorized devices from being added to the network. When a new IoT device (103) is added, assuming that this new device has no built-in security key and no authentication credentials stored, a secure mobile application will send this information to the device using NFC. This app has an interface to configure the device in one step.
Publication number: BR102017001504A2
Application number: R102017001504-1
Filing date: 2017-01-24
Publication date: 2018-06-19
Inventors: Henrique Minatel Pedro;Hyuk Lee Sang;Silva Pinto Breno;Caye Batalha Boeira Felipe
Applicant: Samsung Eletrônica da Amazônia Ltda.;
Main IPC number:
Patent description:

(54) Title: METHOD FOR VERIFYING AUTHENTICITY, CONFIGURING NETWORK CREDENTIALS AND CRYPTOGRAPHIC KEYS FOR DEVICES WITH INTERNET OF THINGS (IOT) USING COMMUNICATION BY PROXIMITY FIELD (NFC)
(51) Int. Cl.: H04W 8/00; H04W 28/18; H04W 76/02; H04W 12/04; H04W 4/00
(30) Unionist Priority: 11/30/2016 US 15/365,069
(73) Holder(s): SAMSUNG ELETRÔNICA DA AMAZÔNIA LTDA.
(72) Inventor(s): PEDRO HENRIQUE MINATEL; SANG HYUK LEE; BRENO SILVA PINTO; FELIPE CAYE BATALHA BOEIRA
(74) Attorney(s): DI BLASI, PARENTE & ASSOCIADOS ADVOGADOS
(57) Summary: METHOD FOR VERIFYING AUTHENTICITY, CONFIGURING NETWORK CREDENTIALS AND CRYPTOGRAPHIC KEYS FOR DEVICES WITH INTERNET OF THINGS (IoT) USING COMMUNICATION BY PROXIMITY FIELD (NFC). A method for securely sending the cryptographic key and wireless LAN credentials to the device with an authenticity check to ensure that the device is secure to be added to the local network. These credentials are sent using an NFC-enabled device (104) to the internal EEPROM with an NFC interface built into the connected target device. The method imposes the configuration process to avoid critical vulnerabilities in IoT devices, minimizing security and privacy problems for the end user and preventing any unauthorized device from being added to the network. When a new IoT device (103) is added, assuming this new device has no built-in security key and no stored authentication credentials, a secure mobile app will send that information to the device using NFC. This application has an interface for co
METHOD FOR VERIFYING AUTHENTICITY, CONFIGURING NETWORK CREDENTIALS AND CRYPTOGRAPHIC KEYS FOR DEVICES WITH INTERNET OF THINGS (IoT) USING COMMUNICATION BY NEAR FIELD (NFC)
TECHNICAL FIELD
[0001] The present invention relates to a method for sending the cryptographic key and wireless LAN credentials to a device, and also verifying its authenticity, in a secure manner, ensuring that the device is safe to be added to the local network.
[0002] Connected devices, also referred to as Internet of Things (IoT) devices, are expected to reach approximately 50 billion connected devices by 2020, according to reports from Gartner (available at http://www.gartner.com/newsroom/id/3165317) and Cisco (available at http://www.cisco.com/c/en/us/solutions/internet-of-things/overview.html). This high number of connected devices will potentially increase network attacks and put user privacy at risk.
[0003] The security risks associated with connected devices can range from just obtaining data about the user's devices, such as the user's home temperature, without the user's consent (best scenario or minimum risk) to obtain sensitive information about the user's life and habits to be used against him / her (worst case scenario or maximum risk).
[0004] Another critical scenario is devices that control other things (objects, devices), such as thermostats, lights, door locks, garage doors,
Petition 870170004993, of 01/24/2017, p. 36/69
animal feeders, alarm systems or any other actuator that could be remotely controlled by the attacker. This could be used to damage the user's property or even get easy access to the user's home.
[0005] The Open Web Application Security Project (OWASP) published the 10 biggest security vulnerabilities found in Internet of Things devices in 2014. Some critical issues were found, such as insufficient authentication/authorization, lack of transport encryption, insufficient security configuration capacity and poor physical security.
[0006] Therefore, it is clear that there is a need to prevent, minimize or prevent these security vulnerabilities. Solutions with strong security features allow users to protect themselves against attacks and ensure that their data is not analyzed or controlled by third parties, without prior authorization. This will be an important key feature for the growing IoT market, and would enable sales based on how strong security is on connected devices.
[0007] Additionally, there is an important aspect to be considered: the trade-off between security and usability. As indicated by some studies (for example, see the document Security and Usability: Analysis and Evaluation, available online at http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.162.374&rep=rep1&type=pdf), usability and security are not mutually inclusive concepts. Most of the time, the easier a system is to use, the less secure it can be. For the purposes of illustration, consider an authentication task as an example: imagine that there is no authentication procedure (login) for a user to check his email (or authenticate himself in any system). This would be extremely easy for the user (that is, a high degree of usability), but it would be extremely unsafe (little or no degree of security). On the other hand, imagine that to access his e-mail (or authenticate himself on any system) the user has to enter a password, visually decipher an encrypted code and then enter a temporary password (One-Time Password, OTP) sent by SMS to his smart phone. This would provide a very secure authentication system (that is, a high degree of security), but such a system would be very difficult to use (low degree of usability).
[0008] Therefore, there is a need to provide secure and easy to implement solutions for the IoT market. This is one of the main objectives of the present invention.
[0009] This method of the present invention is well aligned to become an international standard due to the great opportunities of the Internet of Things market and investments in the development of technologies and services. This invention will add value to IoT solutions in the short term to the market.
[0010] In the present state of the art, solutions are found that enable the connected device as a Wi-Fi access point, using the 802.11x standard, so that a smart phone or any other device or computer with Wi-Fi capability can connect directly to the device and, via an integrated web page or an installed application, configure the device with the router's credentials and many other configuration variations.
[0011] Additionally, some technologies use a specific router with pre-configured authentication credentials and security keys, in order to connect devices directly on the network or to be visible to the detection and broadcast process for new devices on the network. This router is also connected via a wired connection to the Internet router. This specific router does not connect directly to the Internet, so the user must use two routers on the network.
[0012] The main problem in broadcast detection is that the device will be using power and processing until the pairing process is performed / completed. This means that if the user does not configure the device, this broadcast will consume an amount of energy without any benefit to the user.
[0013] In the security aspect, some of the current technologies use security keys and factory passwords (standard, default or pre-configured), which are used for all devices and add a security vulnerability / risk when the user maintains factory settings or in some cases the device does not provide the ability to modify the key or password.
[0014] In this scenario, a solution is needed that can be easily used to configure all credentials and keys in a secure environment, without using factory settings, and that allows each user to have a specific security key.
[0015] Intel published a presentation on June 3, 2016 [Intel: https://www.youtube.com/watch?v=pQwhrRKDgO] showing a process using passive NFC tags/stickers and NFC adapters to provide provisioning information about the device connected to a provisioning device in order to transmit this provisioning information to the cloud service through the provisioning device. In this case, the connected device does not receive any information from the provisioning device and appears to be read-only.
[0016] In addition, a second method is presented using an NFC adapter integrated in the device that reads the information from the provisioning device. In this case, the provisioning device acts as an NFC tag to provide the provisioning information for the device and the device must be powered on, since the NFC adapter does not collect power from the provisioning device.
[0017] The Intel presentation is based on methods and protocols for provisioning the device when using an NFC tag or adapter to provide information to the cloud, and the configuration is unalterable. Anyone with an NFC reader could read that information.
[0018] In terms of functionality, the present method that uses NFC tags needs two steps of scanning the NFC to complete the configuration, when using the NFC router, or only one when using the NFC router on the board tool or using the NFC adapter integrated in the device.
[0019] The table below shows the differences between the Intel method and the present invention:

| Feature | Difference |
|---|---|
| Reading and writing of the NFC tag is protected | The Intel solution does not mention whether the tag is protected. This solution should check the authenticity of the device before writing in NFC. |
| Device can be configured even if the device is off | Intel's solution must be connected. The present solution can be configured even when off. |
| The radio transceiver of the device is turned off before it is configured | In the Intel solution, the radio is always on. This solution only turns on the radio after setup. |
| Configuration is protected in reading of the device's NFC tag | The Intel solution provides the keys and configuration on the NFC tag. This solution receives the keys and credentials configuration. |
| Configuration is encrypted | The Intel solution does not mention if the configuration is encrypted on the NFC. The present solution encrypts the configuration in the internal memory. |
| Configuration could be done offline* | The Intel solution uses a cloud-based service to perform the configuration procedure. This invention also uses the cloud to validate the device, but this could be done offline if there is at least one successful login in the cloud service. |
| The method resists an eavesdropping attack during the configuration | Both solutions can withstand an eavesdropping attack. |
| The method checks the authenticity of the device | The Intel solution mentions the ownership of the device but does not check the authenticity of the device. The present invention implements this check before sending the configuration. |

* the configuration device application needs at least a valid login to obtain credentials from the cloud
Table 1
[0020] The Intel method uses the non-standard Web NFC specification (https://w3c.github.io/web-nfc/) for exchanging layer messages. On the other hand, the method proposed by the present invention does not cover or specify the protocol layer for sending messages and is transparent to the use of any message exchange protocol, public or private.
[0021] Microsoft's provisioning at startup uses an XML file that is used during the startup process once or after a complete wipe of the device. This method uses an SD card with the provisioning file and is manually added to the root directory of the memory.
[0022] Chinese patent document CN 103916297A, published on July 9, 2014, entitled “Internet of Things Household Appliance, System, Wireless Intelligent Terminal and Data Transmission and Configuration Method”, describes a method for configuring home appliances using two NFC devices to list the available networks to which the devices can be connected. Chinese patent document CN 103916297A does not cover some security aspects that are key features in the present invention, such as configuring cryptographic credentials and keeping the wireless radio turned off until a successful configuration. This Chinese document also does not cover methods for verifying the authenticity and ownership of the device.
[0023] US patent document US 7,970,350 B2, published on June 28, 2011, entitled “Devices and Methods for Content Sharing”, describes a method for sharing content between two or more devices using NFC, including Wi-Fi. Like the Chinese document cited above, this patent also does not cover some aspects of security that are key features in the presented invention, including wireless radio control, verification of device authenticity and device ownership. US patent 7,970,350 B2 also does not reveal how sensitive data is stored on the device after transmission via NFC (which could still be an attack vector that could reduce the security of the solution).
[0024] The international application WO 2015/089318, published on June 18, 2015, entitled “Secure Communication Channel”, describes a method for a secure channel between two devices that grants an association between devices and users, for each device. The method describes the device's first communication with the server over a secure channel and then a second communication from the server with the cryptographic key associated with that specific device. According to the aforementioned international application, the device needs to connect to the server to exchange the cryptographic key; this scenario does not cover any other configuration, such as Wi-Fi or cloud service credentials.
Summary of the Invention
[0025] As mentioned above, the present invention relates to a method for securely sending the cryptographic key and wireless LAN credentials to the device with an authenticity check to ensure that the device is safe to be added to the local network. These credentials are sent through an NFC-enabled device, such as a smart phone or tablet, to the internal electrically erasable programmable read-only memory (EEPROM) with NFC interface (ISO/IEC 18092) integrated in the connected target device.
[0026] The present invention implements the configuration process to avoid some of the vulnerabilities that are critical in IoT devices, minimizing security and privacy problems for the end user and preventing any unauthorized device from being added to the network and compromising security and privacy.
[0027] When the user needs to add a new IoT device to the network, assuming that this new device has no integrated security key and no authentication credentials stored in its internal memory, the user will use a secure mobile application to send this information to the device via NFC. This application consists of an intuitive interface to easily configure the device in one step.
[0028] After the configuration is sent via NFC, the information will be available on the integrated EEPROM for the configured device to read on the next startup, using an internal communication channel to the EEPROM (i.e. Inter-Integrated Circuit, or I2C). Once the connected device reads the information stored in the EEPROM, that information is moved to another integrated memory, in order to avoid any attempt to read it using NFC.
[0029] Once the security key and authentication credentials are configured, the device will turn on the radio transceiver (for example: Wi-Fi, ZigBee, Bluetooth ...) to start communicating with the cloud-based service using the configured credentials. Because the radio transceiver is turned off until the configuration is completed, the device is protected against takeover attacks before the initial configuration (and additionally saves a little battery/energy). Some users just turn on the devices and then leave the device without configuration.
[0030] The configured security key will be used for the encryption mechanism and authentication credentials to connect to the network and then to the cloud-based solution. If the user needs to reconfigure or change the security key or authentication credentials, the process will be similar to the operation of the new device.
[0031] The use of factory (default, predefined) passwords or security keys is a common behavior when installing a new IoT device, because it is the easier way (plug and play), but it represents a critical vulnerability and an attack vector: it would be easy for an attacker to find/steal this information and misuse it, as was done in the Mirai attack (https://techcrunch.com/2016/10/25/the-mirai-botnets-internet-takedown-opens-up-a-new-market-for-attackers-and-defenders/). In this sense, the present invention goes beyond state-of-the-art solutions and adds value to existing IoT solutions (for example, SmartThings, Google Nest, Philips Hue, WeMo ...), providing a safe yet easy-to-use solution for configuring an IoT device.
[0032] The scope of use of the present invention is very large, since it is possible to apply the present method to multiple types of IoT devices, sensors, smart devices, etc. It would be easier to detect any infringements by infringing solutions (very difficult to design) by observing the method by which users are enabling and configuring IoT devices, more specifically whether a new IoT device is added to the network upon receiving the initial configuration/adjustment (security keys and network credentials) by short-range communication (via NFC, for example, touching/approaching a mobile device with the proposed application to the new IoT device).
[0033] Finally, we consider that there is a high probability of use by all companies, since the present invention provides a very simple, intuitive and secure way to configure connected devices, being more secure against some attacks and helping to maintain security and privacy on connected devices. Considering that the implementation of this method will offer an easy way to configure connected devices, it could become a standard for the entire Internet of Things industry.
[0034] The present invention brings to the market a new method for secure configuration that avoids attacks and eliminates some well-known vulnerabilities and weaknesses in connected devices. This method allows the user to configure, in a secure environment, the keys and credentials for each connected device on their network in a single step using NFC technology to send the configuration device information to the connected device.
[0035] The method of the present invention also adds the functionality of configuring the device before turning it on, using the NFC technology that is activated by the magnetic field generated by the configuration device. This means that the user can configure the connected device before installing it; for example, the user can configure a smart light switch before plugging it into the wall, making the process easier to replicate to other devices.
[0036] The present method also increases the speed of deployment of any connected device, and is not limited to Internet of Things devices and residential use.
Advantages of the Invention
[0037] Based on the above-mentioned drawbacks of the prior art solutions, we can enumerate below the advantages of the present invention.
[0038] The present invention simplifies the configuration process for any device with Internet of Things, using NFC technology for the initial configuration. The present invention eliminates the need for a detection process or any other broadcasting functionality to identify any new device on the network.
[0039] The present invention also provides the ability to easily configure and update security credentials using NFC technology in a secure manner.
[0040] The present invention also adds a security feature to the connected device in order to configure the new device with the security/encryption key in the first configuration, using a new key for each user, avoiding predefined or default keys. This method also aims to prevent replication and key leak attacks.
[0041] The present invention defines that the radio transceiver will only be turned on after all the configuration is completed, in order to avoid man-in-the-middle attacks or to lose communication during the configuration process.
[0042] If the device is not properly configured, the radio transceiver will remain disabled without any communication feature, until its final configuration. In that case, only the NFC will be enabled as a data transceiver.
[0043] This invention also eliminates the need for a web interface to configure the device, transforming the device into an access point.
[0044] This invention also prevents reverse engineering of the code to recover the security keys, since the new device does not have a key until the first configuration is completed.
[0045] The present invention verifies the authenticity of the device to prevent fake devices or tag emulation attacks. The present invention also allows the user to replicate the configuration across multiple devices in order to configure all devices in the same easy way using the mobile device.
Disadvantages of the Invention
[0046] A main limitation of the present method is that the user can only configure the connected device using NFC technology. Therefore, the user must have a device, such as a smartphone, a tablet, a notebook or a router, with NFC resources to properly set up the connected device.
Brief Description of the Drawings
[0047] The objectives and advantages of the present invention will become clearer from the following detailed description of a preferred, but not limiting, embodiment and its accompanying figures, in which:
[0048] Figure 1a is a flow chart of the present method to configure, in a safe and easy way, devices connected using NFC technology for transmission of sensitive data.
[0049] Figure 1b is a data flow chart complementary to the present method.
[0050] Figure 2a is a scenario of the present method for configuring a new connected device using a mobile phone with NFC technology.
[0051] Figure 2b shows the communication flow of the new device with the network and the cloud service.
[0052] Figure 3 is a scenario of the present method for configuring a new device connected alternatively using a router with NFC adapter.
[0053] Figure 4 is a scenario of the present method to show how to change / update the configuration of the connected device.
[0054] Figure 5 is a description of the internal EEPROM with dual interface and shows how it is connected internally to the microcontroller unit of the device.
DETAILED DESCRIPTION OF THE INVENTION
[0055] The following description is presented to allow a person versed in the art to perform and use the embodiments, and is provided in the context of a particular application and its requirements. Various modifications to the disclosed embodiments will be readily apparent to those skilled in the art and the general principles defined herein can be applied to other embodiments and applications without departing from the spirit and scope of the present description. Thus, the present invention is not limited to the illustrated embodiments, but the broadest scope compatible with the principles and characteristics disclosed herein must be granted.
[0056] Figure 1a is the flowchart that represents each step of the method described in the present invention, covering the complete configuration process: a safe method to enable and configure Internet of Things devices using near field communication.
[0057] Initially, in Figure 1a, the configuration method (1000) is initiated by a mobile application (1001). Once the mobile application has started, the user needs to authenticate to the cloud service; if the user is a new user (1002), the user will create an account (providing profile information), select a standard network access (Wi-Fi) and create a security key, which will be used for cryptographic methods (1003). This initial configuration step is performed only once, unless the user changes the network or cloud credentials (as will be detailed, the application provides a configuration panel to change them). At the next launch of the application, the user can reuse the same information. All of this data is stored in a secure area, protected from unauthorized access, and both cloud and network authentication are stored as hashes.
[0058] Once the login (or new account created) is completed, the user's security key and predefined network credentials are recovered (1004). Then, the present method continuously tries to establish a connection with the network (1005, 1006).
[0059] After retrieving the user information (security key, default network credentials) and successfully connecting to the network, the user is able to configure/add the new IoT device (to the network) by touching his mobile device on said IoT device (1007).
[0060] The mobile device's NFC reader will detect the IoT device's NFC EEPROM and will read/scan (1008) the read-only memory region to capture the IoT device information, such as the serial number, model, etc. This method will validate the serial number (or the unique ID information available) to ensure that the device is authentic (1008, 1009). This authentication can be local or use a cloud database provided by the device manufacturer. The purposes of this authentication are to prevent the tag emulation attack (when an NFC device emulates a device to intercept data content), to prevent counterfeit devices produced by unauthorized manufacturers and to block, for whatever reason, a device from being added to the network.
[0061] Authenticity is verified using the unique ID stored on the NFC device, which was collected by the smart phone (1007) and is verified against the manufacturer's database system. Once verified in the database, the system will inform the user whether this device is known.
[0062] If the device cannot be validated (1009), the configuration process will be terminated (1013), without adding the IoT device to the network.
[0063] When the authenticity check is successful (1008, 1009), the IoT device is configured / added as a new device on the network (1010).
[0064] The present method (via mobile application) will write all the necessary information (security key, network credentials, etc.) in the NFC tag memory of the IoT device using a password protected area. This password protected area is used only for data transfer and this data will be erased after the IoT device has successfully initialized and the password is stored in the mobile application.
[0065] The IoT device will read this area whenever started, in order to update the credentials in case of reconfiguration from the same defined owner.
[0066] Finally, the present method (via mobile application) will send an activation command (1011) to the IoT device, which is stored in a write-protected memory area and enables the radio hardware (Wi-Fi) of the IoT device. Note that the device's radio (for example, Wi-Fi) is disabled until the device is properly configured with credentials (steps 1010, 1011). This is an important security feature of the present invention, since it avoids a common attack vector: if the device's radio is turned on before the configuration process, an attacker could access the device without authorization, using predefined passwords, for example, to attack the devices, which becomes a serious risk if the device is a connected security camera.
[0067] Once fully configured and activated, the IoT device is properly added to the network, and the present method of configuration is completed (1012). This IoT device will only accept new NFC configuration of devices with the same security credentials. If the user wants to change the device to another network or user, using another security key, he must revoke ownership of the device before transferring to a new user or network using the original security key.
[0068] The method of the present invention (1000) improves security and avoids unauthorized reconfiguration. In addition, it is easy to use (user friendly), as most of the user's effort is made on first login (new user), when the user has to create a new account, create a new security key and select the default network (Wi-Fi) (step 1003). In subsequent times, for regular/common use of the method (1000), the user only needs to log in to the mobile application (step 1001) and then touch the mobile device on the new IoT device to be configured (step 1007); all other steps (1004-1006 and 1008-1013) are automatically performed by the present method (via mobile application), as illustrated in Figure 1b.
[0069] Figure 2a shows a preferred use of the present method (1000) to configure a new IoT device (103), using a mobile phone (100) with an application that implements the method (1000). After the session is started in step 1001, the user's security key and network credentials are retrieved in step 1004 and the connection with the network is established in steps 1005-1006; the user then activates his mobile device (100) on the new IoT device (103), using an NFC connection (104) in step 1007. The mobile application of the present method will verify the authenticity of the new device (103) in steps 1008-1009 (locally on mobile phone 100 or remotely on cloud server 101). After confirming the authenticity of the new device (103), the mobile application of the present method will communicate with the cloud server (101), using secure communication (such as SSL/TLS, properly configured to prevent man-in-the-middle attacks (102)), to retrieve and then record the security key on the new device (103) using the NFC connection (104) in step 1010. Then, the mobile application of this method will send an activation command to the new device (103) (step 1011), which enables the radio hardware (Wi-Fi) of the device (103) and makes it finally available to the network in step 1012.
[0070] After the device is added to the network, as shown in Figure 2b, the new device (103) will connect to the network router (104), using secure communication (105) protected by network credentials and the router (104) will connect to the cloud service (101) using also secure communication (106).
[0071] Another possible scenario for configuring the new connected device is shown in Figure 3, and uses a network router (200) with integrated NFC (201) as an alternative or complementary way to configure / add a new device (202). In this alternative / complementary way, the user does not need to use his mobile device (203) to configure the new device (202). Instead, the user can touch / bring the new device (202) close to the network router (200) via the NFC connection (201). In this scenario, the cloud server (204) can remotely check for authenticity. In this case, if authenticity is confirmed, the network router (202) has an NFC adapter to record / store the security key and network credentials on the new device (202), configuring it to be available on the network.
[0072] Figure 4 illustrates a scenario for updating the security and connection credentials of a connected device (300) directly from a smart phone application (301), which implements the method (1000) of the present invention. The smart phone application (301) provides a configuration panel, in which the user is able to update network credentials (302), device credentials (security credentials) (303) and cloud service credentials (304) for all devices connected to the same network (305) or select them individually (306). The change request is made by the cloud service (307) and replicated to the device (300) through an Internet connection from any location.
[0073] Figure 5 shows the NFC writing process, when a smart phone (400) is ready to send the configuration to the device using NFC. The mobile device (400) sends the data packet with the configuration to the internal EEPROM (401) through NFC technology, and the EEPROM stores the information in a protected area to prevent it from being read through NFC. This information is kept in the EEPROM until the first device boot, when the internal processor (402) reads the EEPROM using a communication channel (403) other than RF / NFC, so that the information can be encrypted using an internal cryptographic mechanism (404) and saved to the internal memory of the device (405). After the information is transferred from the EEPROM / NFC memory to the device's internal memory, it can be deleted from the EEPROM (401). Although the cryptographic mechanism (404) is optional, according to the preferred embodiment of the present invention, it can be used to prevent sensitive content from being retrieved by reverse engineering the hardware and reading memory.
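The boot-time handoff described in paragraph [0073] and in claims 2, 7 and 11, as an added C example (not code from the patent): the firmware treats the NFC-writable exchange area as untrusted input, copies the secrets to internal memory, erases the exchange area and only then enables the radio. The memory layout, the `BEACON_MAGIC` value and all function and type names are assumptions made for illustration, and the EEPROM is modelled as a struct in RAM.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define BEACON_MAGIC 0xA5u  /* assumed activation-beacon value */

/* Hypothetical layout of the NFC EEPROM exchange area (not from the patent). */
typedef struct {
    uint8_t beacon;             /* activation command, written last (step 1011) */
    uint8_t key_len, cred_len;  /* untrusted: written by whoever held the NFC writer */
    uint8_t key[32];            /* user security key */
    uint8_t cred[64];           /* WLAN credentials */
} exchange_area_t;

typedef struct {                /* stands in for the internal memory (405) */
    uint8_t key[32], cred[64];
    uint8_t key_len, cred_len;
    bool radio_enabled;
} device_state_t;

/* Zeroise through a volatile pointer so the stores are not optimised away. */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

/* Boot-time handoff; returns true only when the radio may be enabled. */
bool boot_handoff(exchange_area_t *ee, device_state_t *dev) {
    /* Require the beacon and bounds-check both lengths before any copy. */
    bool ok = ee->beacon == BEACON_MAGIC
           && ee->key_len > 0 && ee->key_len <= sizeof ee->key
           && ee->cred_len > 0 && ee->cred_len <= sizeof ee->cred;
    if (ok) {  /* a real device could encrypt here with its engine (404) */
        memcpy(dev->key, ee->key, ee->key_len);
        memcpy(dev->cred, ee->cred, ee->cred_len);
        dev->key_len = ee->key_len; dev->cred_len = ee->cred_len;
    }
    /* Choice made in this example: wipe on rejection too (fail closed). */
    secure_wipe(ee, sizeof *ee);
    dev->radio_enabled = ok;
    return ok;
}

int main(void) {
    /* Constructed sample: 4-byte key, 3-byte credential, beacon set. */
    exchange_area_t ee = { BEACON_MAGIC, 4, 3, {1, 2, 3, 4}, {'a', 'b', 'c'} };
    device_state_t dev = {0};
    return boot_handoff(&ee, &dev) ? 0 : 1;
}
```

The length checks matter because the exchange area can be written by any NFC writer within range before first boot, so an oversized length field must never reach `memcpy`.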
[0074] According to the preferred embodiment of the present invention, to prevent the device from being configured before it is purchased by the buyer, an aluminized adhesive can be placed in front of the NFC antenna, so as to cover the antenna area, to block any attempt to configure it out of the box. This solution acts as a shield, blocking any electromagnetic field from the configuration device and preventing the generation of current in the antenna loop. Before configuration, the user must remove this aluminized adhesive.
[0075] Although the present invention has been described in connection with a certain preferred embodiment, it should be understood that the invention is not intended to be limited to that particular embodiment. Instead, it is intended to cover all alternatives, modifications and equivalents possible within the spirit and scope of the invention as defined by the appended claims.
Claims:
Claims (11)
[1]
1. Method for verifying authenticity, configuring network credentials and cryptographic keys for devices with Internet of Things (IoT) using proximity field communication (NFC) characterized by the fact that it comprises:
Start (1001) a login session;
Authenticate (1004) the user, retrieving the user's security key and standard network credentials;
Continuously try to establish (1005) a connection to the network, where:
After the user turns on the IoT device using an NFC connection, check (1008) the IoT device and read its unique identification information stored in the EEPROM with NFC interface, in order to verify the authenticity of the IoT device;
If the IoT device is authentic, write (1010) all the necessary information in the IoT device's NFC EEPROM to be used to configure / add it to the network; and
Send (1011) an activation command to activate / connect the radio transceiver of the IoT device, making the IoT device available to the network.
[2]
2. Method for verifying authenticity, configuring network credentials and cryptographic keys for devices with Internet of Things (IoT) using proximity field communication (NFC), according to claim 1, characterized by the fact that the IoT device will read the NFC EEPROM during the boot process, to collect the data transferred in the NFC configuration, so that sensitive data is transferred to the internal memory of the device and afterwards deleted from the NFC EEPROM.
[3]
3. Method for verifying authenticity, configuring network credentials and cryptographic keys for devices with Internet of Things (IoT) using proximity field communication (NFC), according to claim 1, characterized by the fact that, if the IoT device is not authentic, method operations are interrupted (1013) and the IoT device is not added / configured on the network.
[4]
4. Method to verify authenticity, configure network credentials and cryptographic keys for devices with Internet of Things (IoT) using proximity field communication (NFC), according to claim 1, characterized by the fact that all the necessary information comprises security key and network credentials.
[5]
5. Method for verifying authenticity, configuring network credentials and cryptographic keys for devices with Internet of Things (IoT) using proximity field communication (NFC), according to claim 1, characterized by the fact that, after the user login (1001), if the user is a new user (1002), a new account is created, receiving profile information from the user, selecting a standard network access and creating a security key for the new user (1003).
[6]
6. Method for verifying authenticity, configuring network credentials and cryptographic keys for devices with Internet of Things (IoT) using proximity field communication (NFC), according to claim 1, characterized by the fact that the radio transceiver will be activated and available to the network only after the complete configuration (1010) of the IoT device, by the activation command.
[7]
7. Method for verifying authenticity, configuring network credentials and cryptographic keys for devices with Internet of Things (IoT) using proximity field communication (NFC), according to claim 1, characterized by the fact that the activation command is a beacon that is sent using the EEPROM exchange area for NFC, and the internal microcontroller / processor unit will read it to activate the radio transceiver.
[8]
8. Method for verifying authenticity, configuring network credentials and cryptographic keys for devices with Internet of Things (IoT) using proximity field communication (NFC), according to claim 1, characterized by the fact that it comprises a mobile application (301) with a graphical user interface that provides a registration / authentication screen and a configuration panel that allow the user to select the settings to be sent to the connected device.
[9]
9. Method for verifying authenticity, configuring network credentials and cryptographic keys for devices with Internet of Things (IoT) using proximity field communication (NFC), according to claim 1, characterized by the fact that it is preferably installed on a mobile device (100) with NFC communication / reader / writer so that the user can configure / add a new IoT device (103) by simply touching / bringing the mobile device closer to this new IoT device.
[10]
10. Method for verifying authenticity, configuring network credentials and cryptographic keys for devices with Internet of Things (IoT) using proximity field communication (NFC), according to claim 1, characterized by the fact that a network router (200) with a communication / reader / writer is used to configure / add a new IoT device (202) simply by touching / approaching the router.
[11]
11. Method for verifying authenticity, configuring network credentials and cryptographic keys for devices with Internet of Things (IoT) using proximity field communication (NFC), according to claim 1, characterized by the fact that, when the IoT device is configured correctly (1010) and the device is turned on, the internal microcontroller / processor unit will read the swap area in memory via NFC, then transfer the data to another memory and then erase the entire swap memory area in memory for NFC.
[Drawing sheets 1/6 to 6/6, not reproduced: Figures 1a, 1b, 2a, 2b, 3 and 4. Labels surviving from Figures 2a, 2b and 3: "Connected device A (IoT device)", "Connected device B (IoT device)", "Connected device C (IoT device)". Labels surviving from Figure 4: "IoT Config App", "Change network credentials", "Change device credentials", "Change cloud credentials", "Apply to everyone", "Select devices".]
Patent family:
Publication number | Publication date
US20180152443A1|2018-05-31|
US10506642B2|2019-12-10|
Legal status:
2018-06-19| B03A| Publication of a patent application or of a certificate of addition of invention [chapter 3.1 patent gazette]|
Priority:
Application number | Filing date | Patent title
US15/365,069|2016-11-30|
US15/365,069|US10506642B2|2016-11-30|2016-11-30|Method for verifying authenticity, configuring network credentials and cryptographic keys for internet of things devices using near field communication|