公开(公告)号：US20230291556A1

公开(公告)日：2023-09-14

申请号：US18196750

申请日：2023-05-12

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Eric Jason Brandwine ,  Brian Irl Pratt

IPC: H04L9/08 ,  H04L9/32 ,  H04L9/06 ,  H04L9/14 ,  H04L9/30

CPC classification number: H04L9/088 ,  H04L9/0891 ,  H04L9/321 ,  H04L9/3247 ,  H04L9/0618 ,  H04L9/0643 ,  H04L9/14 ,  H04L9/30

Abstract: A system uses information submitted in connection with a request to determine if and how to process the request. The information may be electronically signed by a requestor using a key such that the system processing the request can verify that the requestor has the key and that the information is authentic. The information may include information that identifies a holder of a key needed for processing the request, where the holder of the key can be the system or another, possibly third party, system. Requests to decrypt data may be processed to ensure that a certain amount of time passes before access to the decrypted data is provided, thereby providing an opportunity to cancel such requests and/or otherwise mitigate potential security breaches.

公开(公告)号：US10474829B2

公开(公告)日：2019-11-12

申请号：US15712043

申请日：2017-09-21

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Eric Jason Brandwine ,  Matthew James Wren

IPC: G06F21/60 ,  G06F21/62

Abstract: A service proxy services as an application programming interface proxy to a service, which may involve data storage. When a request to store data is received by the service proxy, the service proxy encrypts the data and stores the data in encrypted form at the service. Similarly, when a request to retrieve data is received by the service proxy, the service proxy obtains encrypted data from the service and decrypts the data. The data may be encrypted using a key that is kept inaccessible to the service.

公开(公告)号：US09912696B2

公开(公告)日：2018-03-06

申请号：US13932872

申请日：2013-07-01

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Eric Jason Brandwine ,  Matthew James Wren

IPC: H04L29/06 ,  H04L9/32

Abstract: Data received through a proxy for a service is analyzed for compliance with one or more data policies, such as one or more data loss prevention policies. When data satisfies the criteria of one or more data policies, the data is manipulated at the proxy prior to transmission of the data to the service. In some examples, the manipulation of the data includes encryption.

公开(公告)号：US09832171B1

公开(公告)日：2017-11-28

申请号：US13916964

申请日：2013-06-13

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Eric Jason Brandwine ,  Brian Irl Pratt

IPC: H04L29/06 ,  H04L9/32

CPC classification number: H04L63/0428 ,  H04L9/0822 ,  H04L9/0825 ,  H04L9/083 ,  H04L9/0891 ,  H04L9/0894 ,  H04L9/14 ,  H04L9/16 ,  H04L9/3213 ,  H04L9/3234 ,  H04L9/3247 ,  H04L63/0435 ,  H04L63/0807

Abstract: A plurality of devices are each operable to provide information that is usable for to prove authorization with any of the other devices. The devices may have common access to a cryptographic key. A device may use the cryptographic key to encrypt a session key and provide both the session key and the encrypted session key. Requests to any of the devices can include the encrypted session key and a digital signature generated using the session key. In this manner, a device that receives the request can decrypt the session key and use the decrypted session key to verify the digital signature.

公开(公告)号：US09608813B1

公开(公告)日：2017-03-28

申请号：US13916999

申请日：2013-06-13

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Eric Jason Brandwine ,  Brian Irl Pratt

IPC: H04L9/08

CPC classification number: H04L63/0428 ,  H04L9/0822 ,  H04L9/0825 ,  H04L9/083 ,  H04L9/0891 ,  H04L9/0894 ,  H04L9/14 ,  H04L9/16 ,  H04L9/3213 ,  H04L9/3234 ,  H04L9/3247 ,  H04L63/0435 ,  H04L63/0807

Abstract: A plurality of devices have common access to a cryptographic key. The cryptographic key is rotated by providing the devices simultaneous access to both the cryptographic key and a new cryptographic key and then revoking access to the cryptographic key. Keys stored externally and encrypted under the cryptographic key can be reencrypted under the new cryptographic key. Keys intended for electronic shredding can be left encrypted under the old cryptographic key.

公开(公告)号：US09590959B2

公开(公告)日：2017-03-07

申请号：US13764963

申请日：2013-02-12

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Eric Jason Brandwine ,  Brian Irl Pratt

IPC: H04L29/06 ,  G06F21/60 ,  G06F21/62 ,  H04L9/08 ,  H04L9/32 ,  H04L29/08

CPC classification number: H04L63/0471 ,  G06F21/602 ,  G06F21/6218 ,  G06F2221/2101 ,  H04L9/0894 ,  H04L9/3242 ,  H04L9/3247 ,  H04L63/045 ,  H04L63/08 ,  H04L67/1097 ,  H04L2209/76

Abstract: A distributed computing environment utilizes a cryptography service. The cryptography service manages keys securely on behalf of one or more entities. The cryptography service is configured to receive and respond to requests to perform cryptographic operations, such as encryption and decryption. The requests may originate from entities using the distributed computing environment and/or subsystems of the distributed computing environment.

Abstract translation: 分布式计算环境利用加密服务。 密码服务代表一个或多个实体安全地管理密钥。 密码服务被配置为接收和响应执行密码操作（例如加密和解密）的请求。 请求可以来自使用分布式计算环境和/或分布式计算环境的子系统的实体。

公开(公告)号：US20160283723A1

公开(公告)日：2016-09-29

申请号：US15173523

申请日：2016-06-03

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Eric Jason Brandwine ,  Brian Irl Pratt

IPC: G06F21/60 ,  H04L29/06

CPC classification number: G06F21/602 ,  H04L9/0897 ,  H04L63/1416 ,  H04L2209/76

Abstract: A security module securely manages keys. The security module is usable to implement a cryptography service that includes a request processing component. The request processing component responds to requests by causing the security module to perform cryptographic operations that the request processing component cannot perform due to a lack of access to appropriate keys. The security module may be a member of a group of security modules that securely manage keys. Techniques for passing secret information from one security module to the other prevent unauthorized access to secret information.

Abstract translation: 一个安全模块可以安全地管理密钥。 安全模块可用于实现包括请求处理组件的加密服务。 请求处理组件通过使安全模块执行密码操作来响应请求，请求处理组件由于缺乏对适当的密钥的访问而无法执行。 安全模块可以是安全管理密钥的一组安全模块的成员。 将秘密信息从一个安全模块传递到另一个安全模块的技术防止未经授权的访问秘密信息。

公开(公告)号：US09367697B1

公开(公告)日：2016-06-14

申请号：US13765020

申请日：2013-02-12

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Eric Jason Brandwine ,  Brian Irl Pratt

IPC: G06F21/00 ,  G06F21/60

CPC classification number: G06F21/602 ,  H04L9/0897 ,  H04L63/1416 ,  H04L2209/76

Abstract: A security module securely manages keys. The security module is usable to implement a cryptography service that includes a request processing component. The request processing component responds to requests by causing the security module to perform cryptographic operations that the request processing component cannot perform due to a lack of access to appropriate keys. The security module may be a member of a group of security modules that securely manage keys. Techniques for passing secret information from one security module to the other prevent unauthorized access to secret information.

Abstract translation: 一个安全模块可以安全地管理密钥。 安全模块可用于实现包括请求处理组件的加密服务。 请求处理组件通过使安全模块执行密码操作来响应请求，请求处理组件由于缺乏对适当的密钥的访问而无法执行。 安全模块可以是安全管理密钥的一组安全模块的成员。 将秘密信息从一个安全模块传递到另一个安全模块的技术防止未经授权的访问秘密信息。

公开(公告)号：US09071429B1

公开(公告)日：2015-06-30

申请号：US13873083

申请日：2013-04-29

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Eric Jason Brandwine

IPC: H04L9/08 ,  H04L29/06 ,  H04L9/32

CPC classification number: H04L63/0823 ,  H04L9/0822 ,  H04L9/0891 ,  H04L9/0894 ,  H04L63/06 ,  H04L63/061 ,  H04L2463/062

Abstract: Customers accessing resources and/or data in a multi-tenant environment can obtain assurance that a provider of that environment will honor only requests associated with the customer. A multi-tenant cryptographic service can be used to manage cryptographic key material and/or other security resources in the multi-tenant environment. The cryptographic service can provide a mechanism in which the service can receive requests to use the cryptographic key material to access encrypted customer data, export key material out of the cryptographic service, destroy key material managed by the cryptographic service, among others. Such an approach can enable a customer to manage key material without exposing the key material outside a secure environment.

Abstract translation: 在多租户环境中访问资源和/或数据的客户可以确保该环境的提供商只会履行与客户相关的请求。 可以使用多租户加密服务来管理多租户环境中的加密密钥资料和/或其他安全资源。 加密服务可以提供一种机制，其中服务可以接收使用加密密钥材料的访问加密客户数据的请求，从密码服务导出密钥材料，销毁密码服务管理的密钥材料等。 这种方法可以使客户能够管理关键材料，而不会将密钥材料暴露在安全环境之外。

公开(公告)号：US20140380054A1

公开(公告)日：2014-12-25

申请号：US13922875

申请日：2013-06-20

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren

IPC: H04L9/32

CPC classification number: H04L9/083 ,  G06F21/6209 ,  H04L9/0822 ,  H04L9/0825 ,  H04L9/0894 ,  H04L9/14 ,  H04L63/0435 ,  H04L63/06

Abstract: Data is encrypted such that multiple keys are needed to decrypt the data. The keys are accessible to different entities so that no single entity has access to all the keys. At least one key is managed by a service provider. A customer computer system of the service provider may be configured with executable instructions directing the orchestration of communications between the various entities having access to the keys. As a result, security compromise in connection with a key does not, by itself, render the data decryptable.

Abstract translation: 数据被加密，使得需要多个密钥来解密数据。 密钥可以访问不同的实体，以便没有一个实体可以访问所有的密钥。 至少一个密钥由服务提供商管理。 服务提供商的客户计算机系统可以配置有指导在具有访问密钥的各种实体之间的通信协调的可执行指令。 因此，与密钥相关的安全性妥协本身不会使数据可解密。