-
Publication number: US20180262530A1
Publication date: 2018-09-13
Application number: US15925470
Application date: 2018-03-19
Applicant: Amazon Technologies, Inc.
Inventor: Nima Sharifi Mehr , Darren Ernest Canavor , Jesper Mikael Johansson , Jon Arron McClintock , Gregory Branchek Roth
Abstract: A plurality of cipher suites is negotiated as part of a handshake process to establish a cryptographically protected communications session. The handshake process is completed to establish the cryptographically protected communications session. A message is communicated over the established cryptographically protected communications session using at least two cipher suites of the plurality of cipher suites.
-
Publication number: US10075471B2
Publication date: 2018-09-11
Application number: US13932872
Application date: 2013-07-01
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Eric Jason Brandwine , Matthew James Wren
CPC classification number: H04L63/20 , H04L63/0471 , H04L63/06
Abstract: Data received through a proxy for a service is analyzed for compliance with one or more data policies, such as one or more data loss prevention policies. When data satisfies the criteria of one or more data policies, the data is manipulated at the proxy prior to transmission of the data to the service. In some examples, the manipulation of the data includes encryption.
-
Publication number: US10075469B1
Publication date: 2018-09-11
Application number: US14841463
Application date: 2015-08-31
Applicant: Amazon Technologies, Inc.
Inventor: Nicholas Howard Brown , Gregory Branchek Roth
CPC classification number: H04L51/30 , H04L9/3263 , H04L63/0428 , H04L63/0823 , H04L63/168 , H04L63/20
Abstract: Information can be added to the headers of email messages to ensure the messages are delivered using encryption, without the user having to manage keys or perform the encryption. A user can select an option in an email program that causes a flag to be added to the message header. Each mail server along the delivery path can provide (or expose) information about the type(s) of encryption supported, and if the encryption is not sufficient then the message will not be delivered to that server. This ensures the transport will remain encrypted before delivering the message to the next hop along the path. If the message cannot be delivered encrypted then the message will not be transmitted past that point. An end user then only needs to click a button or perform another such action to ensure encrypted message delivery.
-
Publication number: US10075295B2
Publication date: 2018-09-11
Application number: US15060487
Application date: 2016-03-03
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth
IPC: H04L9/08
CPC classification number: H04L9/0891
Abstract: Information, such as a cryptographic key, is used repeatedly in the performance of operations, such as certain cryptographic operations. To prevent repeated use of the information from enabling security breaches, the information is rotated (replaced with other information). To avoid the resource costs of maintaining a counter on the number of operations performed, decisions of when to rotate the information are performed based at least in part on the output of stochastic processes.
-
Publication number: US20180227124A1
Publication date: 2018-08-09
Application number: US15947690
Application date: 2018-04-06
Applicant: Amazon Technologies, Inc.
CPC classification number: H04L9/0891 , H04L9/088 , H04L9/14 , H04L63/065
Abstract: A request to perform a cryptographic operation is received, the request including a first identifier assigned to a key group, the key group comprising a plurality of second identifiers, with the plurality of second identifiers corresponding to a plurality of cryptographic keys. A second identifier is determined, according to a distribution scheme, from the plurality of second identifiers, and the cryptographic operation is performed using a cryptographic key of the plurality of cryptographic keys that corresponds to the second identifier that was determined.
-
Publication number: US20180183837A1
Publication date: 2018-06-28
Application number: US15900465
Application date: 2018-02-20
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Matthew James Wren , Brian Irl Pratt
Abstract: A first service submits a request to a second service on behalf of a customer of a service provider. The request may have been triggered by a request of the customer to the first service. To process the request, the second service evaluates one or more policies to determine whether fulfillment of the request is allowed by policy associated with the customer. The one or more policies may state one or more conditions on one or more services that played a role in submission of the request. If determined that the policy allows fulfillment of the request, the second service fulfills the request.
-
Publication number: US09992027B1
Publication date: 2018-06-05
Application number: US14853605
Application date: 2015-09-14
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Alan Rubin , Gregory Branchek Roth
CPC classification number: H04L9/3247 , G06F21/64 , H04L9/0819 , H04L2209/24 , H04L2209/72
Abstract: Cryptographic keys can include logging properties that enable those keys to be used only if the properties can be enforced by the cryptographic system requested to perform one or more actions using the keys. The logging property can specify how to log use of a respective key. A key can also include a mutability property for specifying whether the logging property can be changed, and if so under what circumstances or in which way(s). The ability to specify and automatically enforce logging can be important for environments where audit logs are essential. These can include, for example, public certificate authorities that must provide accurate and complete audit trails. In cases where the data is not to be provided outside a determined secure environment, the key can be generated with a property indicating not to log any of the usage.
-
Publication number: US09961055B1
Publication date: 2018-05-01
Application number: US14576126
Application date: 2014-12-18
Applicant: Amazon Technologies, Inc.
Inventor: Jesper Mikael Johansson , Darren Ernest Canavor , Jon Arron McClintock , Gregory Branchek Roth , Gregory Alan Rubin , Nima Sharifi Mehr
CPC classification number: H04L63/061 , H04L9/0827 , H04L63/0823 , H04L2463/062
Abstract: A client negotiates multiple cryptographic keys with a server. One of the cryptographic keys is used to encrypt communications that the server can decrypt. Another of the cryptographic keys is used to encrypt communications that, while sent to the server, are not decryptable to the server. The server is configured to forward communications that it is unable to decrypt to another computer system having an ability to decrypt the communications.
-
Publication number: US09935940B1
Publication date: 2018-04-03
Application number: US14481798
Application date: 2014-09-09
Applicant: Amazon Technologies, Inc.
Inventor: Matthew Daniel DeMoss , Gregory Branchek Roth , Andrew Paul Mikulski
CPC classification number: H04L63/083 , G06F17/30864 , H04L63/20
Abstract: Techniques are disclosed for increasing the security of a database. A database is coupled with an access manager to limit certain applications that use the database to store user password information to queries that return at most one row. Additionally, returning a record may be limited to a case where the query includes the hash of the user name and password that is stored in the database. Other techniques may be implemented for other user account operations, such as password resets.
-
Publication number: US09934399B2
Publication date: 2018-04-03
Application number: US15138028
Application date: 2016-04-25
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Daniel Stephen Popick , Jonathan Weiss
IPC: G06F17/00 , H04L29/06 , G06F21/62 , H04L12/24 , G06F21/60 , G06F3/0482 , G06F3/0484 , G06F21/10
CPC classification number: G06F21/6218 , G06F3/0482 , G06F3/04842 , G06F21/10 , G06F21/604 , G06F21/629 , H04L41/0893 , H04L63/0263 , H04L63/20
Abstract: A user interface is described, such as a graphical user interface (GUI), operable to receive a representation of a security policy expressed in a first policy language, where that security policy will be supported by policy evaluation engines (or other such components) that are configured to operate using security policies expressed using a second (different) policy language. The representation of the security policy is persisted in a data store in accordance with the first policy language. Subsequently, in response to receiving a request to access a resource, a second representation of the security policy is generated by translating the content of the security policy into a second policy language that is associated with the policy evaluation engine. The second representation of the security policy is then evaluated by the policy evaluation engine to grant or deny access to the resource.
-