-
Publication No.: US11159554B2
Publication Date: 2021-10-26
Application No.: US16449280
Filing Date: 2019-06-21
Applicant: Amazon Technologies, Inc.
IPC: H04L29/06
Abstract: Customers of a computing resource service provider may operate computing resources provided by the computing resource service provider. Operational information from customer operated computing resources may be correlated with operational information from computing resources operated by the computing resource service provider or other entities, and correlated threat information may be generated.
-
Publication No.: US11146541B2
Publication Date: 2021-10-12
Application No.: US16512207
Filing Date: 2019-07-15
Applicant: Amazon Technologies, Inc.
Inventor: Gregory B. Roth , Marc R. Barbour , Bradley Jeffery Behm , Cristian M. Ilac , Eric Jason Brandwine
Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.
-
Publication No.: US11064017B2
Publication Date: 2021-07-13
Application No.: US16581646
Filing Date: 2019-09-24
Applicant: Amazon Technologies, Inc.
Inventor: Anthony Nicholas Liguori , Eric Jason Brandwine
Abstract: A peripheral device includes one or more processors and a memory storing program instructions that when executed implement an extension manager of a virtualized computing service. The extension manager establishes a secure network channel for communications between the peripheral device, which is located at a premise external to a provider network, and a data center of the provider network. The extension manager assigns a network address of the substrate network of the service to a hardware server at the external premise. The substrate address is also assigned to an extension traffic intermediary at the data center. In response to a command directed to the virtualized computing service, one or more compute instance configuration operations are performed at the hardware server.
-
Publication No.: US11050844B2
Publication Date: 2021-06-29
Application No.: US16518455
Filing Date: 2019-07-22
Applicant: Amazon Technologies, Inc.
Abstract: A trusted co-processor can provide a hardware-based observation point into the operation of a host machine owned by a resource provider or other such entity. The co-processor can be installed via a peripheral card on a fast bus, such as a PCI bus, on the host machine. The provider can provide the customer with expected information that the customer can verify through a request to an application programming interface (API) of the card, and after the customer verifies the information the customer can take logical ownership of the card and lock out the provider. The card can then function as a trusted but limited environment that is programmable by the customer. The customer can subsequently submit verification requests to the API to ensure that the host has not been unexpectedly modified or is otherwise operating as expected.
-
Publication No.: US11036861B2
Publication Date: 2021-06-15
Application No.: US16298867
Filing Date: 2019-03-11
Applicant: Amazon Technologies, Inc.
Inventor: Matthew John Campagna , Gregory Alan Rubin , Eric Jason Brandwine
Abstract: A service provider provides virtual computing services using a fleet of one or more host computer systems. Each of the host computer systems may be equipped with a trusted platform module (“TPM”). The service provider, the host computer systems, and the virtual computing environments generate attestations that prove the integrity of the system. The attestations are signed with a one-time-use cryptographic key that is verifiable against the public keys of the service provider, a host computer system, and a virtual computing environment. The public key of the host computer system is integrated into a hash tree that links the public key of the host computer system to the public key of the service provider. The public key of the virtual computing environment is signed using a one-time-use cryptographic key issued to the host computer system that hosts the virtual computing environment.
-
Publication No.: US10887348B1
Publication Date: 2021-01-05
Application No.: US15669812
Filing Date: 2017-08-04
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine , Peter Zachary Bowen
IPC: H04L29/06
Abstract: A network security service is provided to detect various intermediaries to a network connection between a client and a destination service, such as a man-in-the-middle (MITM). The network security service may obtain session feature information indicating attributes of the network connection. Based at least in part on the session feature information the network security service may detect an intermediary and perform a security measure.
-
Publication No.: US10834139B2
Publication Date: 2020-11-10
Application No.: US16140393
Filing Date: 2018-09-24
Applicant: Amazon Technologies, Inc.
Inventor: Gregory B. Roth , Graeme D. Baer , Eric Jason Brandwine
IPC: H04L29/06 , G06F15/173
Abstract: Techniques for processing data according to customer-defined rules are disclosed. In particular, methods and systems for implementing a data alteration service using one or more resources of a distributed computing system are described. The data alteration service is flexibly configurable by entities using the distributed computing system, and may be used to augment, compress, filter or otherwise modify data crossing a customer boundary.
-
Publication No.: US20200296108A1
Publication Date: 2020-09-17
Application No.: US16892197
Filing Date: 2020-06-03
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Eric Jason Brandwine , Nathan R. Fitch , Cristian M. Ilac , Eric D. Crahen
Abstract: A delegation request is submitted to a session-based authentication service, fulfillment of which involves granting an entity an access privilege to a computing resource. A session key is received from the session-based authentication service. The session key has been generated based at least in part on a restriction and a secret credential shared with the session-based authentication service, and is usable at least in part to prove possession of the access privilege to the computing resource. The session key is provided to the entity without providing the shared secret credential.
-
Publication No.: US10740466B1
Publication Date: 2020-08-11
Application No.: US15280897
Filing Date: 2016-09-29
Applicant: Amazon Technologies, Inc.
Inventor: Nafea Bshara , Matthew Shawn Wilson , Eric Jason Brandwine , Anthony Nicholas Liguori , Yaniv Shapira , Mark Bradley Davis , Adi Habusha
IPC: G06F15/177 , G06F21/57 , G06F9/4401 , G06F21/72 , H04L9/06
Abstract: Interfaces of a compute node on a printed circuit board can be secured by obfuscating the information communicated over the interfaces. Data to be communicated between the compute node and a device on the printed circuit board using an interface can be encrypted, and an address corresponding to the data to be communicated can be scrambled. In addition, the compute node can be the root of trust which can provide secure boot of different components using an on-chip mechanism, and without relying on external devices.
-
Publication No.: US10728089B2
Publication Date: 2020-07-28
Application No.: US13829721
Filing Date: 2013-03-14
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine , Clarissa Loree Cook Brandwine , Daniel T. Cohn , Andrew J. Doane , Carl J. Moses , Stephen E. Schmidt
IPC: H04L12/24 , H04L12/46 , H04L12/713 , H04L29/06
Abstract: Techniques are described for providing users with access to computer networks, such as to enable users to interact with a remote configurable network service in order to create and configure computer networks that are provided by the configurable network service for use by the users. Computer networks provided by the configurable network service may be configured to be private computer networks that are accessible only by the users who create them, and may each be created and configured by a client of the configurable network service to be an extension to an existing computer network of the client, such as a private computer network extension to an existing private computer network of the client. If so, secure private access between an existing computer network and the new computer network extension that is being provided may be enabled using one or more VPN connections or other private access mechanisms.