Security profiles for internet of things devices and trusted platforms

    Publication No.: US12028443B2

    Publication date: 2024-07-02

    Application No.: US16650439

    Filing date: 2018-09-28

    CPC classification number: H04L9/0825 G06F21/575 H04L9/0838 H04L9/0866

    Abstract: Various systems and methods for establishing security profiles for Internet of Things (IoT) devices and trusted platforms, including in OCF specification device deployments, are discussed herein. In an example, a technique for onboarding a subject device for use with a security profile, includes: receiving a request to perform an owner transfer method of a device associated with a device platform; verifying attestation evidence associated with the subject device, the attestation evidence being signed by a certificate produced using a manufacturer-embedded key, with the key provided from a trusted hardware component of the device platform; and performing device provisioning of the subject device, based on the attestation evidence, as the device provisioning causes the subject device to use a security profile tied to manufacturer-embedded keys.

    Subject matching for distributed access control scenarios

    Publication No.: US11310643B2

    Publication date: 2022-04-19

    Application No.: US16608771

    Filing date: 2017-05-09

    Abstract: Various systems and methods for implementing an access control policy that provides subject matching in distributed access control scenarios, such as Internet of Things (IoT) device interconnection settings, are described. In an example, determining an access control policy with an access evaluator includes: receiving a request from a subject to perform an operation with an object; evaluating the first type of access policy of the subject, and a second type of access policy of the object, to determine a first and second access scope for performing the requested operation; identifying an access control object that provides a mapping between the first access scope and the second access scope for performing the requested operation; and providing access from the subject to the object based on a security level determined from the mapping between the first access scope and the second access scope provided with the access control object.

    ESTABLISHING CLOUD-TO-CLOUD ACCESS FOR INTERNET OF THINGS (IOT) DEVICES

    Publication No.: US20220070267A1

    Publication date: 2022-03-03

    Application No.: US17424116

    Filing date: 2020-02-14

    Abstract: Systems and methods for device to device communications in an Internet of Things (IoT) setting, via associated cloud services, are described. In an example, a procedure performed by a first IoT device, associated with a first domain or ecosystem, to communicate with a second IoT device, associated with a second domain or ecosystem, includes: obtaining communication information to communicate with a second service associated with the second device; providing the communication information to a first service associated with the first device; obtaining service validation information, in response to the first service initiating the validation procedure with the second service; and providing the service validation information to the first service. This service validation information is used to enable a validated connection between the first service and the second service, to then communicate data or commands between the first device and the second device via the first and second remote services.

    Two-phase discovery and onboarding of internet of things (IoT) devices

    Publication No.: US11184774B2

    Publication date: 2021-11-23

    Application No.: US16608788

    Filing date: 2017-05-09

    Abstract: Various systems and methods for discovery and onboarding in an interconnected network framework of Internet of Things (IoT) devices are described. In an example, a technique for onboarding and provisioning a device onto an interconnected network framework includes operations to: receive a unique temporary device identifier from a device instance, the device instance indicating availability for onboarding onto a network; onboard the device instance onto the network; establish a secure session with the device instance via the network; receive, in the secure session, a secure device identifier; and initiate provisioning of the device instance in a secure directory based on the secure device identifier. In a further example, techniques are provided to securely identify and provision a second device instance (a doppelganger device instance) operating on a physical device that hosts both the first device instance and the second device instance.

    SECURE DEVICE ONBOARDING TECHNIQUES
    Document type: Invention application

    Publication No.: US20200275273A1

    Publication date: 2020-08-27

    Application No.: US16647403

    Filing date: 2018-09-28

    Abstract: Various systems and methods for establishing network connectivity and onboarding for Internet of Things (IoT) devices and trusted platforms, including in Open Connectivity Foundation (OCF) specification device deployments, are discussed. In an example, a zero touch owner transfer method includes operations of: receiving a first request from a new device for network access to begin an onboarding procedure with a network platform; transmitting credentials of a first network to the new device, the first network used to access a rendezvous server and obtain onboarding information associated with the network platform; receiving a second request from the new device for network access to continue the onboarding procedure; and transmitting credentials of a second network to the new device, as the new device uses the second network to access the onboarding server of the network platform and perform or complete the onboarding procedure with the network platform.

    SECURE VEHICULAR DATA MANAGEMENT WITH ENHANCED PRIVACY

    Publication No.: US20180218548A1

    Publication date: 2018-08-02

    Application No.: US15928557

    Filing date: 2018-03-22

    CPC classification number: G07C5/008 G07C5/085 H04W4/40 H04W4/60 H04W12/02

    Abstract: The present disclosure is directed to secure vehicular data management with enhanced privacy. A vehicle may comprise at least a vehicular control architecture (VCA) for controlling operation of the vehicle and a device. The VCA may record operational data identifying at least one vehicle operator and vehicular operational data recorded during operation of the vehicle by the at least one vehicle operator. The device may include at least a communication module and a trusted execution environment (TEE) including a privacy enforcement module (PEM). The PEM may receive the operational data from the VCA via the communication module, may generate filtered data by filtering the operational data based on privacy settings and may cause the filtered data to be transmitted via the communication module. The filtered data may be transmitted to at least one data consumer. The privacy settings may be configured in the PEM by the at least one operator.

    Technologies for supporting multiple digital rights management protocols on a client device

    Publication No.: US09781113B2

    Publication date: 2017-10-03

    Application No.: US14360161

    Filing date: 2013-12-19

    CPC classification number: H04L63/10 G06F21/10 G06F2221/0708 H04L67/42

    Abstract: Technologies for supporting and implementing multiple digital rights management protocols on a client device are described. In some embodiments, the technologies include a client device having an architectural enclave which may function to identify one of a plurality of digital rights management protocols for protecting digital information to be received from a content provider or a sensor. The architectural enclave selects a preexisting secure information processing environment (SIPE) to process said digital information, if a preexisting SIPE supporting the DRM protocol is present on the client. If a preexisting SIPE supporting the DRM protocol is not present on the client, the architectural enclave may generate a new SIPE that supports the DRM protocol on the client. Transmission of the digital information may then be directed to the selected preexisting SIPE or the new SIPE, as appropriate.

    System, Apparatus And Method For Safety State Management Of Internet Things (IoT) Devices

    Publication No.: US20170180340A1

    Publication date: 2017-06-22

    Application No.: US14977742

    Filing date: 2015-12-22

    Abstract: In one embodiment, a device includes: at least one processor; at least one sensor to sense an environmental condition; and a storage to store instructions that, when executed by the at least one processor, enable the device to: receive an encrypted nonce from a safety controller; decrypt the encrypted nonce using a value obtained from an entropy multiplexing seed tree generated by the device based at least in part on an initialization seed value received from the safety controller; responsive to decryption of the nonce, update a portion of a shared memory associated with the device to identify a safety state of the device; and encrypt a second nonce using the value obtained from the entropy multiplexing seed tree and send the encrypted second nonce to the safety controller. Other embodiments are described and claimed.
