-
Publication (Announcement) No.: US09923923B1
Publication (Announcement) Date: 2018-03-20
Application No.: US14720625
Filing Date: 2015-05-22
Applicant: Amazon Technologies, Inc.
Inventor: Nima Sharifi Mehr , Darren Ernest Canavor , Jesper Mikael Johansson , Jon Arron McClintock , Gregory Branchek Roth
CPC classification number: H04L63/166 , H04L9/32 , H04L63/04 , H04L63/0428 , H04L63/205
Abstract: Cipher suites and/or other parameters for cryptographic protection of communications are dynamically selected to more closely match the intended uses of the sessions. A server selects and/or determines, for a cryptographically protected communications session, a plurality of supported cipher suites that may be used for communications with the server over an established protected communications session. A selected cipher suite may be one chosen from a plurality of acceptable cipher suites provided to the server, either implicitly or explicitly. The selection of a cipher suite may further require that the cipher suite be mutually acceptable to the server and one or more parties participating in the cryptographically protected communications session, such as a client.
-
Publication (Announcement) No.: US09904788B2
Publication (Announcement) Date: 2018-02-27
Application No.: US15004592
Filing Date: 2016-01-22
Applicant: Amazon Technologies, Inc.
Inventor: Sandeep Kumar , Gregory Branchek Roth , Gregory Alan Rubin , Mark Christopher Seigle , Kamran Tirdad
CPC classification number: G06F21/602 , G06F11/1076 , G06F11/1464 , G06F11/1469 , G06F12/1408 , G06F21/6209 , H04L9/0822 , H04L9/0825 , H04L9/14 , H04L2209/24
Abstract: A data storage service redundantly stores data and keys used to encrypt the data. Data objects are encrypted with first cryptographic keys. The first cryptographic keys are encrypted by second cryptographic keys. The first cryptographic keys and second cryptographic keys are redundantly stored in a data storage system to enable access of the data objects, such as to respond to requests to retrieve the data objects. The second cryptographic keys may be encrypted by third keys and redundantly stored in the event access to a second cryptographic key is lost.
-
Publication (Announcement) No.: US09882956B1
Publication (Announcement) Date: 2018-01-30
Application No.: US13793054
Filing Date: 2013-03-11
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Benjamin Elias Seidenberg
CPC classification number: H04L67/02
Abstract: Techniques are disclosed for a device that presents a mass storage device to a computing environment, and which stores data written to the device by the computer in a network storage service. The device also presents files stored in the network storage service to the computer as though those files were stored on a mass storage device.
-
Publication (Announcement) No.: US09882900B2
Publication (Announcement) Date: 2018-01-30
Application No.: US15003707
Filing Date: 2016-01-21
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Gregory Alan Rubin
CPC classification number: H04L63/0869 , H04L9/0861 , H04L9/14 , H04L9/32 , H04L9/321 , H04L9/3247 , H04L9/3273 , H04L63/061 , H04L63/123 , H04L63/166
Abstract: A client and server negotiate a secure communication channel using a pre-shared key where the server, at the time the negotiation initiates, lacks access to the pre-shared key. The server obtains the pre-shared key from another server that shares a secret with the client. A digital signature or other authentication information generated by the client may be used to enable the other server to determine whether to provide the pre-shared key.
-
Publication (Announcement) No.: US20180025168A1
Publication (Announcement) Date: 2018-01-25
Application No.: US15712043
Filing Date: 2017-09-21
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Eric Jason Brandwine , Matthew James Wren
Abstract: A service proxy serves as an application programming interface proxy to a service, which may involve data storage. When a request to store data is received by the service proxy, the service proxy encrypts the data and stores the data in encrypted form at the service. Similarly, when a request to retrieve data is received by the service proxy, the service proxy obtains encrypted data from the service and decrypts the data. The data may be encrypted using a key that is kept inaccessible to the service.
-
Publication (Announcement) No.: US09819654B2
Publication (Announcement) Date: 2017-11-14
Application No.: US14992599
Filing Date: 2016-01-11
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Eric Jason Brandwine
CPC classification number: H04L63/0428 , H04L9/321 , H04L9/3247 , H04L63/10 , H04L63/102 , H04L63/123 , H04L63/168 , H04L67/02
Abstract: Requests are pre-generated to include a cryptographic key to be used in fulfilling the requests. The requests may be encoded in uniform resource locators and may include authentication information to enable a service provider to whom the requests are submitted to determine whether the requests are authorized. The requests may be passed to various entities who can then submit the requests to the service provider. The service provider, upon receipt of a request, can verify the authentication information and fulfill the request using a cryptographic key encoded in the request.
-
Publication (Announcement) No.: US09805190B1
Publication (Announcement) Date: 2017-10-31
Application No.: US15461136
Filing Date: 2017-03-16
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Peter Zachary Bowen
CPC classification number: G06F21/53 , G06F9/45533 , G06F9/45558 , G06F21/55 , G06F21/554 , G06F21/604 , G06F2009/45575 , G06F2009/45587 , G06F2009/45591 , G06F2221/034
Abstract: Functionality is disclosed herein for monitoring an execution environment to determine if the execution environment is in an approved configuration. Memory used by the execution environment may be scanned from outside of the execution environment to determine whether the execution environment is in an unapproved configuration. The scanning may include examining the memory for abnormalities or other irregular or unapproved data. When the execution environment is in the unapproved configuration, actions may be performed that change how the execution environment accesses resources or that perform other types of functionality.
-
Publication (Announcement) No.: US20170279855A1
Publication (Announcement) Date: 2017-09-28
Application No.: US15619979
Filing Date: 2017-06-12
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Eric Jason Brandwine
Abstract: Custom policies are definable for use in a system that enforces policies. A user, for example, may author a policy using a policy language and transmit the policy to the system through an application programming interface call. The custom policies may specify conditions for computing environment attestations that are provided with requests to the system. When a custom policy applies to a request, the system may determine whether information in the attestation is sufficient for the request to be fulfilled.
-
Publication (Announcement) No.: US09712329B2
Publication (Announcement) Date: 2017-07-18
Application No.: US15068814
Filing Date: 2016-03-14
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Graeme David Baer
IPC: G06F21/00 , H04L9/32 , H04L29/06 , H04L9/08 , G06F21/33 , G06F21/31 , G06F9/455 , H04L9/14 , H04L9/30 , H04L29/08
CPC classification number: H04L9/3271 , G06F9/45533 , G06F21/31 , G06F21/335 , H04L9/08 , H04L9/0816 , H04L9/0894 , H04L9/14 , H04L9/302 , H04L9/3242 , H04L9/3247 , H04L9/3249 , H04L63/0807 , H04L63/0876 , H04L63/0884 , H04L63/126 , H04L63/20 , H04L67/02 , H04L2209/56 , H04L2209/76
Abstract: An escrow platform is described that can be used to enable access to devices. The escrow platform can be used to sign cryptographic network protocol challenges on behalf of clients so that the secrets used to sign cryptographic network protocol challenges do not have to be exposed to the clients. The escrow platform can store or control access to private keys, and the corresponding public keys can be stored on respective target platforms. A client can attempt to access a target platform and in response the target platform can issue a challenge. The client platform can send the challenge to the escrow platform, which can use the corresponding private key to sign the challenge. The signed challenge can be sent back to the client, which can forward it to the target platform. The target platform can verify the expected private key and grant access.
-
Publication (Announcement) No.: US09705674B2
Publication (Announcement) Date: 2017-07-11
Application No.: US13765209
Filing Date: 2013-02-12
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Matthew James Wren , Eric Jason Brandwine , Brian Irl Pratt
CPC classification number: H04L9/088 , H04L9/0618 , H04L9/0643 , H04L9/0891 , H04L9/14 , H04L9/30 , H04L9/321 , H04L9/3247
Abstract: A system uses information submitted in connection with a request to determine if and how to process the request. The information may be electronically signed by a requestor using a key such that the system processing the request can verify that the requestor has the key and that the information is authentic. The information may include information that identifies a holder of a key needed for processing the request, where the holder of the key can be the system or another, possibly third party, system. Requests to decrypt data may be processed to ensure that a certain amount of time passes before access to the decrypted data is provided, thereby providing an opportunity to cancel such requests and/or otherwise mitigate potential security breaches.