公开(公告)号：US20190312851A1

公开(公告)日：2019-10-10

申请号：US16450801

申请日：2019-06-24

Applicant: Amazon Technologies, Inc.

Inventor： Matthew John Campagna ,  Derek Del Miller ,  Nachiketh Rao Potlapally ,  Gregory Branchek Roth

IPC: H04L29/06 ,  H04L12/46

Abstract: A device is provisioned and authorized for use on a network. The device may generate a cryptographic key and provide a digital certificate the cryptographic key, a hardware identifier, and attribute information and provide such information to an authorization host as part of the provisioning process. The authorization host may use attribute information to determine whether to authorize the device for use on the network, and whether the generated cryptographic key should be trusted for use on the network.

公开(公告)号：US09930051B1

公开(公告)日：2018-03-27

申请号：US14935314

申请日：2015-11-06

Applicant: Amazon Technologies, Inc.

Inventor： Nachiketh Rao Potlapally ,  Jason Alexander Harland ,  Derek Del Miller ,  Christopher James BeSerra

IPC: H04L29/06 ,  G06F13/42 ,  H04L9/32

CPC classification number: H04L63/126 ,  G06F13/4282 ,  H04L9/3242 ,  H04L2209/24

Abstract: In a cloud environment, each host computer can have its own security service processor with an independent network interface for communicating with a remote server over a network. The security service processor can provide remote management and security functionalities for various devices connected using different buses on a platform in each host computer. The security service processor can provide a centralized mechanism to verify and authenticate firmware updates for various devices using different buses. A hardware interface can allow the security service processor to provide remote debugging and diagnostic capabilities. The security service processor can also provide some of the typical functionalities of a baseboard management controller or can be used in addition to the baseboard management controller.

公开(公告)号：US09893885B1

公开(公告)日：2018-02-13

申请号：US14658136

申请日：2015-03-13

Applicant: Amazon Technologies, Inc.

Inventor： Derek Del Miller ,  Nachiketh Rao Potlapally

IPC: H04L9/32 ,  H04L9/08 ,  H04L9/30

CPC classification number: H04L9/3066 ,  H04L9/0825 ,  H04L9/0891 ,  H04L9/0897 ,  H04L9/302

Abstract: A computing device has a processor and a persistent memory, e.g., a fuse-based memory, storing two or more reduced sets of information. The processor is configured to derive a first cryptographic key using a first reduced set of information, e.g., prime numbers, and to use the first cryptographic key for performing cryptographic operations. The processor is also configured to detect a trigger event and, in response to the detected trigger event, derive a second cryptographic key using a second reduced set of information. The processor can then use the second cryptographic key for performing cryptographic operations.

公开(公告)号：US10154013B1

公开(公告)日：2018-12-11

申请号：US15610509

申请日：2017-05-31

Applicant: Amazon Technologies, Inc.

Inventor： Derek Del Miller ,  Nachiketh Rao Potlapally

IPC: G06F21/00 ,  H04L29/06 ,  G06F12/14

Abstract: A computing device has a processor and a first memory, e.g., a fuse-based memory, storing a first cryptographic key. The processor is configured to receive information related to a second cryptographic key from a cryptographic key provisioning system. The processor derives the second cryptographic key from the information related to a second cryptographic key. The first cryptographic key has fewer bits than the second cryptographic key. The processor is also configured to encrypt the second cryptographic key using the first cryptographic key, and store the encrypted second cryptographic key in a second memory, e.g., a flash memory.

公开(公告)号：US10303879B1

公开(公告)日：2019-05-28

申请号：US14535056

申请日：2014-11-06

Applicant: Amazon Technologies, Inc.

Inventor： Nachiketh Rao Potlapally ,  Uwe Dannowski ,  Derek Del Miller ,  David James Borland ,  Rahul Gautam Patel ,  William John Earl

IPC: G06F9/44 ,  G06F9/445 ,  G06F21/57 ,  G06F9/455 ,  G06F8/65

Abstract: A multi-tenant trusted platform module (MTTPM) is attached to a communication bus of a virtualization host. The MTTPM includes a plurality of per-guest-virtual-machine (per-GVM) memory location sets. In response to an indication of a first trusted computing request (TCR) associated with a first GVM of a plurality of GVMs instantiated at the virtualization host, a first memory location of a first per-GVM memory location set is accessed to generate a first response indicative of a configuration of the first GVM. In response to an indication of a second TCR associated with a second GVM, a second memory location of a second-per-GVM memory location set is accessed to generate a second response, wherein the second response is indicative of a different configuration of the second GVM.

公开(公告)号：US10003467B1

公开(公告)日：2018-06-19

申请号：US14673570

申请日：2015-03-30

Applicant: Amazon Technologies, Inc.

Inventor： Derek Del Miller ,  Nachiketh Rao Potlapally ,  Rahul Gautam Patel

IPC: H04L29/06 ,  H04L9/32 ,  G06F21/57 ,  H04L9/30

CPC classification number: H04L9/3268 ,  G06F21/57 ,  G06F21/575 ,  H04L9/0877 ,  H04L9/0891

Abstract: A computing device includes a processor and a persistent memory for storing information about a first public key associated with a first asymmetric key pair for authenticating the source of a digital certificate. The computing device also includes a second memory for storing one or more current certificate version indicators, each associated with a corresponding digital certificate, and the version indicator is used by the processor to determine the trust of the corresponding digital certificate.

公开(公告)号：US09674162B1

公开(公告)日：2017-06-06

申请号：US14658137

申请日：2015-03-13

Applicant: Amazon Technologies, Inc.

Inventor： Derek Del Miller ,  Nachiketh Rao Potlapally

IPC: H04L29/00 ,  H04L29/06 ,  G06F12/14

CPC classification number: H04L63/0435 ,  G06F12/1408 ,  G06F2212/1052 ,  H04L63/0442 ,  H04L63/06 ,  H04L2463/061 ,  H04L2463/062

Abstract: A computing device has a processor and a first memory, e.g., a fuse-based memory, storing a first cryptographic key. The processor is configured to receive information related to a second cryptographic key from a cryptographic key provisioning system. The processor derives the second cryptographic key from the information related to a second cryptographic key. The first cryptographic key has fewer bits than the second cryptographic key. The processor is also configured to encrypt the second cryptographic key using the first cryptographic key, and store the encrypted second cryptographic key in a second memory, e.g., a flash memory.

公开(公告)号：US09479340B1

公开(公告)日：2016-10-25

申请号：US14673585

申请日：2015-03-30

Applicant: Amazon Technologies, Inc.

Inventor： Derek Del Miller ,  Nachiketh Rao Potlapally ,  Rahul Gautam Patel

IPC: H04L29/06 ,  H04L9/32 ,  H04L9/30 ,  G06F21/57

CPC classification number: H04L9/3268 ,  G06F21/33 ,  G06F21/44 ,  G06F2221/034 ,  G06F2221/0771 ,  G09C1/00

Abstract: A computing device includes a processor and a persistent memory for storing information about a first public key associated with a first asymmetric key pair for authenticating the source of a digital certificate. The computing device also includes a second memory for storing one or more current key version indicators. Each of the current key version indicators is associated with a corresponding secondary public key, and the one or more current key version indicators are used by the processor to determine the trust of the corresponding secondary public key.

Abstract translation: 计算设备包括处理器和持久存储器，用于存储关于与用于认证数字证书的来源的第一非对称密钥对相关联的第一公共密钥的信息。 计算设备还包括用于存储一个或多个当前密钥版本指示符的第二存储器。 当前密钥版本指示符中的每一个与相应的次级公钥相关联，并且处理器使用一个或多个当前密钥版本指示符来确定对应的次级公钥的信任。

公开(公告)号：US11258769B2

公开(公告)日：2022-02-22

申请号：US16450801

申请日：2019-06-24

Applicant: Amazon Technologies, Inc.

Inventor： Matthew John Campagna ,  Derek Del Miller ,  Nachiketh Rao Potlapally ,  Gregory Branchek Roth

IPC: H04L29/06 ,  H04L12/46

Abstract: A device is provisioned and authorized for use on a network. The device may generate a cryptographic key and provide a digital certificate the cryptographic key, a hardware identifier, and attribute information and provide such information to an authorization host as part of the provisioning process. The authorization host may use attribute information to determine whether to authorize the device for use on the network, and whether the generated cryptographic key should be trusted for use on the network.

公开(公告)号：US10333903B1

公开(公告)日：2019-06-25

申请号：US14741375

申请日：2015-06-16

Applicant: Amazon Technologies, Inc.

Inventor： Matthew John Campagna ,  Derek Del Miller ,  Nachiketh Rao Potlapally ,  Gregory Branchek Roth

IPC: H04L29/06 ,  H04L12/46

Abstract: A device is provisioned and authorized for use on a network. The device may be required to generate a cryptographic key and provide a digital certificate the cryptographic key, a hardware identifier, and attribute information to an authorization host as part of the provisioning process. The authorization host may use attribute information to determine whether to authorize the device for use on the network, and whether the generated cryptographic key should be trusted for use on the network.