Systems, devices, and methods for authentication in an analyte monitoring environment
US-2015207796-A1 · Jul 23, 2015 · US
US9832173B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9832173-B2 |
| Application number | US-201414575463-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 18, 2014 |
| Priority date | Dec 18, 2014 |
| Publication date | Nov 28, 2017 |
| Grant date | Nov 28, 2017 |
Official abstract text for this publication.
A platform, apparatus and method for Internet of Things Implementations. For example, one embodiment of a system comprises: an Internet of Things (IoT) hub comprising a network interface to couple the IoT hub to an IoT service over a wide area network (WAN), and programming logic to program an identification device with one or more encryption keys usable to establish encrypted communication with an IoT device; and at least one IoT device interfacing with the identification device following programming of the identification device by the IoT hub; wherein once the identification device is programmed and interfaced with the IoT device, the IoT device uses the one or more keys to establish a secure communication channel with the IoT hub and/or the IoT service.
Opening claim text (preview).
What is claimed is:

1. A system comprising: a hardware Internet of Things (IoT) hub comprising a network interface to couple the IoT hub to an IoT service over a wide area network (WAN), and programming logic of the IoT hub to program an identification device with one or more encryption keys usable to establish encrypted communication with an IoT device; and the IoT device interfacing with the identification device following the programming of the identification device by the IoT hub; wherein once the identification device is programmed and interfaced with the IoT device, the IoT device uses the one or more keys to establish a secure communication channel with the IoT hub and the IoT service; wherein the programming of the identification device by the IoT hub comprises generating a public/private key pair and storing at least the private key of the public/private key pair on the identification device; wherein the programming of the identification device further comprises storing at least the public key in a secure storage on the IoT hub; the IoT hub securely forwarding the public key with a corresponding signature to the IoT service over the network interface and further securely forwarding an IoT hub public key with a corresponding signature associated with the IoT hub and corresponding to an IoT hub private key; and wherein to securely transmit a command or data to the IoT device, the IoT service encrypts the command or data and generates a first signature using the public key to generate an IoT device packet and then encrypts the IoT device packet and generates a second signature using the IoT hub public key to generate an IoT hub packet.

2. The system as in claim 1 wherein the identification device comprises a subscriber identity module (SIM).

3. The system as in claim 1 wherein the identification device is attached to the IoT device.

4. The system as in claim 1 wherein the IoT hub decrypts the IoT hub packet and validates the second signature using the IoT hub private key to generate the IoT device packet and forwards the IoT device packet to the IoT device, the IoT device using the private key to validate the first signature and decrypt the IoT device packet.

5. The system as in claim 1 wherein the identification device comprises a secure key storage for storing the private key.

6. A system comprising: a hardware Internet of Things (IoT) hub comprising a network interface to couple the IoT hub to an IoT service over a wide area network (WAN), and a local interface on the IoT hub to receive one or more encryption keys usable to establish a secure communication channel with an IoT device; wherein once the IoT hub has received the one or more encryption keys, the IoT hub and the IoT service use the one or more encryption keys to establish the secure communication channel with the IoT device; and wherein a first public/private key pair is associated with the IoT device and wherein the IoT hub receives at least the public key of the first public/private key pair and forwards the public key to the IoT service; wherein a second public/private key pair is associated with the IoT hub, and wherein the IoT hub provides at least the public key of the second public/private key pair to the IoT device and the IoT service; wherein the IoT device uses the public key of the second public/private key pair to encrypt communications directed to the IoT hub and wherein the IoT hub and the IoT service use the public key of the first public/private key pair to encrypt communications directed to the IoT device; and wherein to securely transmit a command or data to the IoT device, the IoT service encrypts the command or data and generates a first signature using the public key to generate an IoT device packet and then encrypts the IoT device packet and generates a second signature using the IoT hub public key to generate an IoT hub packet.

7. The system as in claim 6 wherein the local interface comprises a barcode or QR code reader for reading a barcode or QR code identifying the one or more encryption keys.

8. The system as in claim 6 wherein the IoT hub securely forwards the public keys of the first and second public/private key pairs to the IoT service.

9. The system as in claim 6 wherein the IoT service generates a signature to be transmitted with each command or data using the public key of the first public/private key pair and wherein the IoT device verifies the signature using the private key of the first public/private key pair.

10. The system as in claim 6 wherein the IoT service includes a sequence number or nonce with each command or data transmitted to the IoT device, the IoT device to verify the sequence number or nonce.

11. The system as in claim 6 wherein the IoT hub decrypts the IoT hub packet using the private key of the second public/private key pair to generate the IoT device packet and forwards the IoT device packet to the IoT device, wherein the IoT device uses the private key of the first public/private key pair to decrypt the IoT device packet.

12. The system as in claim 6 wherein the local interface comprises a BLUETOOTH Low Energy (LE) communication channel or a WIFI communication channel.

13. A method comprising: providing an Internet of Things (IoT) hub comprising a network interface to couple the IoT hub to an IoT service over a wide area network (WAN), and programming an identification device by the IoT hub to include one or more encryption keys usable to establish encrypted communication with an IoT device; and interfacing the IoT device with the identification device following the programming of the identification device by the IoT hub; wherein once the identification device is programmed and interfaced with the IoT device, the IoT device uses the one or more keys to establish a secure communication channel with the IoT hub and the IoT service; wherein the programming of the identification device by the IoT hub comprises generating a public/private key pair and storing at least the private key of the public/private key pair on the identification device; wherein the programming of the identification device further comprises storing at least the public key in a secure storage on the IoT hub; the IoT hub securely forwarding the public key with a corresponding signature to the IoT service over the network interface and further securely forwarding an IoT hub public key with a corresponding signature associated with the IoT hub and corresponding to an IoT hub private key; and wherein to securely transmit a command or data to the IoT device, the IoT service encrypts the command or data and generates a first signature using the public key to generate an IoT device packet and then encrypts the IoT device packet and generates a second signature using the IoT hub public key to generate an IoT hub packet.

14. The method as in claim 13 wherein the identification device comprises a subscriber identity module (SIM).

15. The method as in claim 13 wherein the identification device is attached to the IoT device.
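Claims 4, 10 and 11 describe a receive path in which the hub validates and strips the outer IoT hub packet, and the device then validates the inner IoT device packet and checks its sequence number. The following is an added sketch of that control flow, not code from the patent: HMAC-SHA256 under two shared keys stands in for the claimed public-key signatures, per-layer encryption is omitted, and every function, class and field name is hypothetical.

```python
import hashlib
import hmac
import json

TAG_LEN = 32  # HMAC-SHA256 tag size (stand-in for a claimed signature)


def seal(key, body):
    """Append an authentication tag to body."""
    return body + hmac.new(key, body, hashlib.sha256).digest()


def open_sealed(key, packet):
    """Check the tag in constant time; return the body or raise ValueError."""
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if len(packet) < TAG_LEN or not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return body


def service_send(device_key, hub_key, seq, command):
    """IoT service: build the device packet, then wrap it as a hub packet."""
    inner = seal(device_key, json.dumps({"seq": seq, "cmd": command}).encode())
    return seal(hub_key, inner)


def hub_forward(hub_key, hub_packet):
    """IoT hub: validate and strip the outer layer only.

    The hub never holds device_key, so it cannot alter the inner packet
    without the device noticing.
    """
    return open_sealed(hub_key, hub_packet)


class Device:
    def __init__(self, device_key):
        self.key = device_key
        self.last_seq = 0  # highest sequence number accepted so far

    def receive(self, device_packet):
        """Validate the inner layer first, then reject replayed numbers."""
        msg = json.loads(open_sealed(self.key, device_packet))
        if msg["seq"] <= self.last_seq:
            raise ValueError("replayed or stale sequence number")
        self.last_seq = msg["seq"]
        return msg["cmd"]
```

The sequence number is only read after the inner tag has verified, so an unauthenticated packet can never advance `last_seq`.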
indicating that an appliance service is present in a home automation network (monitoring functionality H04L43/0817; discovery or management thereof, e.g. service location protocol [SLP] or web services, H04L67/51) · CPC title
Transfer to or from user equipment or user record carrier · CPC title
using different networks or channels, e.g. using out of band channels (cryptographic mechanisms or cryptographic arrangements for key distribution involving distinctive intermediate devices or communication paths H04L9/0827; cryptographic mechanisms or cryptographic arrangements for authentication using a plurality of channels H04L9/3215) · CPC title
Card based account, e.g. smart card, SIM card or USIM · CPC title
Switching of information between an external network and a home network (access arrangements H04L12/2856) · CPC title