-
Publication (Announcement) No.: US11146541B2
Publication (Announcement) Date: 2021-10-12
Application No.: US16512207
Application Date: 2019-07-15
Applicant: Amazon Technologies, Inc.
Inventor: Gregory B. Roth , Marc R. Barbour , Bradley Jeffery Behm , Cristian M. Ilac , Eric Jason Brandwine
Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.
-
Publication (Announcement) No.: US20200329041A1
Publication (Announcement) Date: 2020-10-15
Application No.: US16912490
Application Date: 2020-06-25
Applicant: Amazon Technologies, Inc.
Inventor: Srikanth Mandadi , Khaled Salah Sedky , Slavka Praus , Marc R. Barbour
Abstract: A request is obtained for accessing a resource in a different region from a region indicated by a session token included with the request. The session token is re-encrypted using secret information of the second region. The request to access the resource in the different region can be fulfilled using the re-encrypted session token.
-
Publication (Announcement) No.: US10701071B2
Publication (Announcement) Date: 2020-06-30
Application No.: US15890978
Application Date: 2018-02-07
Applicant: Amazon Technologies, Inc.
Inventor: Srikanth Mandadi , Khaled Salah Sedky , Slavka Praus , Marc R. Barbour
Abstract: A request is received from a user in a second region. The request, which is digitally signed with a credential associated with the user in the second region, causes the generation of a session credential that includes a session key. The user in the second region can use the session credential to access the resources in the first region.
-
Publication (Announcement) No.: US20180270051A1
Publication (Announcement) Date: 2018-09-20
Application No.: US15984198
Application Date: 2018-05-18
Applicant: Amazon Technologies, Inc.
Inventor: Gregory B. Roth , Marc R. Barbour , Bradley Jeffrey Behm , Cristian M. Ilac , Eric Jason Brandwine
Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.
-
Publication (Announcement) No.: US20180183793A1
Publication (Announcement) Date: 2018-06-28
Application No.: US15890978
Application Date: 2018-02-07
Applicant: Amazon Technologies, Inc.
Inventor: Srikanth Mandadi , Khaled Salah Sedky , Slavka Praus , Marc R. Barbour
CPC classification number: H04L63/0876 , H04L9/3247 , H04L63/0435 , H04L63/061 , H04L63/0807 , H04L63/20
Abstract: A request is received from a user in a second region. The request, which is digitally signed with a credential associated with the user in the second region, causes the generation of a session credential that includes a session key. The user in the second region can use the session credential to access the resources in the first region.
-
Publication (Announcement) No.: US09900160B1
Publication (Announcement) Date: 2018-02-20
Application No.: US14958872
Application Date: 2015-12-03
Applicant: Amazon Technologies, Inc.
Inventor: Marc R. Barbour , Khaled Salah Sedky , Srikanth Mandadi , Slavka Praus
CPC classification number: H04L9/3247 , H04L9/0861 , H04L63/0442 , H04L63/045 , H04L63/062 , H04L63/068 , H04L63/126
Abstract: Techniques for using short-term credentials using asymmetric session keys are described herein. A request for a short-term credential is received that is digitally signed with a different credential. In response to the request, short-term credential data is generated and populated with a public session key corresponding to a private session key. The short-term credential data is then encrypted with a session encryption key to produce the short-term credential token, which can then be used by the requester as a short-term credential for subsequent requests.
-
Publication (Announcement) No.: US09894067B1
Publication (Announcement) Date: 2018-02-13
Application No.: US14958887
Application Date: 2015-12-03
Applicant: Amazon Technologies, Inc.
Inventor: Srikanth Mandadi , Khaled Salah Sedky , Slavka Praus , Marc R. Barbour
CPC classification number: H04L63/0876 , H04L9/3247 , H04L63/0435 , H04L63/061 , H04L63/0807 , H04L63/20
Abstract: Techniques for using short-term credentials with access roles across regions are described herein. A request to assume a role associated with resources in a first region is received from a user in a second region. The request, which is digitally signed with a credential associated with the user in the second region, causes the generation of a short-term session credential that includes a session key and that can be used to assume the role. The user in the second region then assumes the role and, accordingly, can use the short-term session credential to access the resources in the first region.
-
Publication (Announcement) No.: US11671425B2
Publication (Announcement) Date: 2023-06-06
Application No.: US16912490
Application Date: 2020-06-25
Applicant: Amazon Technologies, Inc.
Inventor: Srikanth Mandadi , Khaled Salah Sedky , Slavka Praus , Marc R. Barbour
CPC classification number: H04L63/0876 , H04L9/3247 , H04L63/0435 , H04L63/061 , H04L63/0807 , H04L63/20
Abstract: A request is obtained for accessing a resource in a different region from a region indicated by a session token included with the request. The session token is re-encrypted using secret information of the second region. The request to access the resource in the different region can be fulfilled using the re-encrypted session token.
-
Publication (Announcement) No.: US10567381B1
Publication (Announcement) Date: 2020-02-18
Application No.: US14972676
Application Date: 2015-12-17
Applicant: Amazon Technologies, Inc.
Inventor: Graeme David Baer , Dmitry Frenkel , Marc R. Barbour
IPC: H04L29/06
Abstract: Security credentials issued by an entity, such as an identity broker, can have a limited lifetime. Access to resources or content under those credentials can then only be obtained for a limited period of time, which limits the ability of an unauthorized entity that obtains the credentials to use them for access. Along with the credentials, a refresh token can be issued to a requesting client that enables the limited lifetime of the credentials to be renewed up to a maximum lifetime of the credentials and/or the token. A service providing access can determine that the client has a valid copy of the refresh token when the credentials are about to expire, and if so can cause the lifetime of the credentials to be extended by another credential lifetime. This renewal can be done transparently to the user and without again contacting the identity broker.
-
Publication (Announcement) No.: US10536436B1
Publication (Announcement) Date: 2020-01-14
Application No.: US15192744
Application Date: 2016-06-24
Applicant: Amazon Technologies, Inc.
Inventor: Marc R. Barbour , Ruchith Udayanga Fernando
Abstract: A computer-implemented service uses information associated with a client device to generate a first shared secret. The service receives, from the client, a claim of access to a second shared secret and determines whether the first shared secret and the second shared secret match. If the shared secrets match, the service uses the first shared secret to encrypt a one-time password. The service provides the encrypted one-time password to the client device. The client device transmits a claim of access to the one-time password, which the service uses to determine whether the claim of access to the one-time password indicates access to the one-time password. If the claim of access to the one-time password indicates that the client device has access to the one-time password, the service allows the client device to access the service.
-