US 12,438,706 B2
Method and system for onboarding an IoT device
Andreas Furch, Freising (DE); Hans Aschauer, Munich (DE); Fabrizio De Santis, Munich (DE); Rainer Falk, Poing (DE); Malek Safieh, Bayern (DE); Daniel Schneider, Munich (DE); Florian Wilde, Munich (DE); and Thomas Zeschg, Munich (DE)
Assigned to SIEMENS AKTIENGESELLSCHAFT, Munich (DE)
Filed by Siemens Aktiengesellschaft, Munich (DE)
Filed on Mar. 28, 2023, as Appl. No. 18/191,432.
Claims priority of application No. 22164764 (EP), filed on Mar. 28, 2022.
Prior Publication US 2023/0308266 A1, Sep. 28, 2023
Int. Cl. H04L 29/06 (2006.01); H04L 9/08 (2006.01); H04L 9/32 (2006.01); H04L 9/40 (2022.01)
CPC H04L 9/0852 (2013.01) [H04L 9/3215 (2013.01); H04L 9/3265 (2013.01); H04L 9/3268 (2013.01); H04L 63/0823 (2013.01)]
15 Claims
1. A method for onboarding an Internet of Things (IoT) device of a manufacturer in an infrastructure of a customer using a first server of a manufacturer domain and a second server of a customer domain, the method comprising:
a) setting up an authenticated and encrypted first communication channel between the first server and the second server, comprising deriving a session key common to the first server and the second server;
b) providing an authenticated and encrypted second communication channel between the IoT device and the second server, comprising deriving a second session key common to the second server and the IoT device;
c) setting up an authenticated and encrypted third communication channel running via the second server between the IoT device and the first server, and assigning a third key common to the IoT device and the first server;
d) forming permission information using the IoT device;
e) cryptographically protecting the formed permission information using the third key;
f) transmitting the cryptographically protected permission information from the IoT device to the second server via the second communication channel;
g) transmitting the cryptographically protected permission information from the second server to the first server via the first communication channel;
h) decrypting the cryptographically protected permission information transmitted from the second server to the first server by way of the first server using the third key;
i) encrypting the decrypted permission information using the first server and the first session key;
j) transmitting the permission information encrypted with the first session key from the first server to the second server via the first communication channel;
k) decrypting the permission information encrypted with the first session key using the second server;
l) sending a request to obtain a device certificate associated with the IoT device of the customer domain from the second server to a certificate authority;
m) transmitting the obtained device certificate and the permission information decrypted by the second server from the second server to the IoT device via the second communication channel; and
n) accepting the device certificate transmitted by the second server using the IoT device if the permission information transmitted by the second server matches the formed permission information.
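Steps d) to n) of claim 1 as a runnable simulation, added here as an example and not taken from the patent: it shows that the second server can read the permission information only after the first server has released it, and that the IoT device rejects a certificate that arrives with non-matching permission information. `seal`/`unseal` are a standard-library encrypt-then-MAC stand-in for whatever authenticated encryption the channels use; all function names, the 32-byte permission value, the keys and the certificate bytes are constructed assumptions.

```python
import hashlib, hmac, secrets

def _sub(key, label):
    # Separate encryption and MAC subkeys derived from one session key (assumption).
    return hashlib.sha256(label + key).digest()

def seal(key, msg):
    """Encrypt-then-MAC stand-in for a channel's authenticated encryption."""
    nonce = secrets.token_bytes(16)
    ks = hashlib.shake_256(_sub(key, b"enc") + nonce).digest(len(msg))
    ct = bytes(a ^ b for a, b in zip(msg, ks))
    tag = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("authentication failed")
    ks = hashlib.shake_256(_sub(key, b"enc") + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def device_form(k3):
    perm = secrets.token_bytes(32)            # d) form permission information
    return perm, seal(k3, perm)               # e) protect it with the third key

def manufacturer_release(k3, k1, protected):
    # h) decrypt with the third key, i) re-encrypt with the first session key
    return seal(k1, unseal(k3, protected))

def customer_deliver(k1, k2, released, cert):
    perm = unseal(k1, released)               # k) second server recovers the value
    return seal(k2, perm + cert)              # m) send it with the certificate

def device_accept(k2, perm, message):
    plain = unseal(k2, message)
    got, cert = plain[:32], plain[32:]
    # n) accept the certificate only if the echoed value matches the formed one
    return cert if hmac.compare_digest(got, perm) else None

def demo():
    k1, k2, k3 = (secrets.token_bytes(32) for _ in range(3))  # constructed keys
    cert = b"CONSTRUCTED-CERT"                # l) CA request stubbed out
    perm, protected = device_form(k3)
    released = manufacturer_release(k3, k1, protected)        # f), g), j) relayed
    accepted = device_accept(k2, perm, customer_deliver(k1, k2, released, cert))
    # A second server that never obtained the release can only guess the value.
    guessed = device_accept(k2, perm, seal(k2, secrets.token_bytes(32) + cert))
    return accepted, guessed
```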