公开(公告)号：US09692757B1

公开(公告)日：2017-06-27

申请号：US14717937

申请日：2015-05-20

Applicant: Amazon Technologies, Inc.

Inventor： Andrew Paul Mikulski ,  Nicholas Alexander Allen ,  Gregory Branchek Roth

IPC: H04L29/06 ,  H04L9/32 ,  G06F7/04 ,  G06F15/16 ,  G06F17/30

CPC classification number: H04L63/0876 ,  H04L9/3234 ,  H04L9/3242 ,  H04L9/3247 ,  H04L9/3271 ,  H04L9/3297 ,  H04L63/061 ,  H04L63/0884 ,  H04L63/123 ,  H04L63/166 ,  H04L2463/121

Abstract: A server obtains a challenge from another computer system during a negotiation with a client according to a protocol. The server injects the challenge into a message of the protocol to the client. The client uses the challenge in an authentication request. The server submits the authentication request to the other computer system for verification. The other computer system verifies the authentication request using a key registered to the client. The server operates further dependent at least in part on whether verification of the authentication request was successful.

公开(公告)号：US09652604B1

公开(公告)日：2017-05-16

申请号：US14225331

申请日：2014-03-25

Applicant: Amazon Technologies, Inc.

Inventor： Jesper Mikael Johansson ,  Gregory Branchek Roth ,  David Matthew Platz ,  Rajendra Kumar Vippagunta

IPC: H04L29/06 ,  G06F21/36 ,  G06F3/0484

CPC classification number: G06F21/36 ,  G06F3/04842 ,  G06F3/0486 ,  G06F3/04886 ,  H04L63/0823 ,  H04W4/021 ,  H04W12/06

Abstract: Authentication objects are usable to generate other authentication objects. A user associated with a first authentication object has access to a system. The first authentication object is usable to generate a second authentication object that is usable by a second user for access to the system in accordance with access granted to the second user via the second authentication object. The second authentication object may have various restrictions so that the second user does not obtain all access available to the first user.

公开(公告)号：US09608813B1

公开(公告)日：2017-03-28

申请号：US13916999

申请日：2013-06-13

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Eric Jason Brandwine ,  Brian Irl Pratt

IPC: H04L9/08

CPC classification number: H04L63/0428 ,  H04L9/0822 ,  H04L9/0825 ,  H04L9/083 ,  H04L9/0891 ,  H04L9/0894 ,  H04L9/14 ,  H04L9/16 ,  H04L9/3213 ,  H04L9/3234 ,  H04L9/3247 ,  H04L63/0435 ,  H04L63/0807

Abstract: A plurality of devices have common access to a cryptographic key. The cryptographic key is rotated by providing the devices simultaneous access to both the cryptographic key and a new cryptographic key and then revoking access to the cryptographic key. Keys stored externally and encrypted under the cryptographic key can be reencrypted under the new cryptographic key. Keys intended for electronic shredding can be left encrypted under the old cryptographic key.

公开(公告)号：US09590959B2

公开(公告)日：2017-03-07

申请号：US13764963

申请日：2013-02-12

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Eric Jason Brandwine ,  Brian Irl Pratt

IPC: H04L29/06 ,  G06F21/60 ,  G06F21/62 ,  H04L9/08 ,  H04L9/32 ,  H04L29/08

CPC classification number: H04L63/0471 ,  G06F21/602 ,  G06F21/6218 ,  G06F2221/2101 ,  H04L9/0894 ,  H04L9/3242 ,  H04L9/3247 ,  H04L63/045 ,  H04L63/08 ,  H04L67/1097 ,  H04L2209/76

Abstract: A distributed computing environment utilizes a cryptography service. The cryptography service manages keys securely on behalf of one or more entities. The cryptography service is configured to receive and respond to requests to perform cryptographic operations, such as encryption and decryption. The requests may originate from entities using the distributed computing environment and/or subsystems of the distributed computing environment.

Abstract translation: 分布式计算环境利用加密服务。 密码服务代表一个或多个实体安全地管理密钥。 密码服务被配置为接收和响应执行密码操作（例如加密和解密）的请求。 请求可以来自使用分布式计算环境和/或分布式计算环境的子系统的实体。

公开(公告)号：US09577829B1

公开(公告)日：2017-02-21

申请号：US14476635

申请日：2014-09-03

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Aaron Douglas Dokey

IPC: G06F21/00 ,  H04L9/32 ,  G06F21/60 ,  G06F21/53 ,  G06F21/57 ,  G06F21/62

CPC classification number: G06F21/60 ,  G06F21/53 ,  G06F21/57 ,  G06F21/602 ,  G06F21/6218 ,  H04L9/3236 ,  H04L2209/46

Abstract: A system and method of performing a multi-party computation by determining a function for use in the multi-party computation, receiving a plurality of input values for the function, evaluating the function based at least in part on the plurality of input values to generate a result wherein the result is not usable to determine an input of the plurality of input values, and providing an output based at least in part on the result.

Abstract translation: 一种通过确定在多方计算中使用的功能来执行多方计算的系统和方法，接收所述功能的多个输入值，至少部分地基于所述多个输入值来评估所述功能以产生 其结果是其结果不能用于确定多个输入值的输入，并且至少部分地基于结果提供输出。

公开(公告)号：US09544292B2

公开(公告)日：2017-01-10

申请号：US14963760

申请日：2015-12-09

Applicant: Amazon Technologies, Inc.

Inventor： James Leon Irving, Jr. ,  Andrew Paul Mikulski ,  Gregory Branchek Roth ,  William Frederick Kruse

IPC: H04L29/00 ,  H04L29/06

CPC classification number: H04L63/08 ,  H04L63/10 ,  H04L63/102 ,  H04L63/108 ,  H04L63/12

Abstract: A credential management system is described that provides a way to disable and/or rotate credentials, such as when a credential is suspected to have been compromised, while minimizing potential impact to various systems that may depend on such credentials. The credentials may be disabled temporarily at first and the availability of various resources is monitored for changes. If no significant drop of availability in the resources has occurred, the credential may be disabled for a longer period of time. In this manner, the credentials may be disabled and re-enabled for increasingly longer time intervals until it is determined with sufficient confidence/certainty that disabling the credential will not adversely impact critical systems, at which point the credential can be rotated and/or permanently disabled. This process also enables the system to determine which systems are affected by a credential in cases where such information is not known.

Abstract translation: 描述了一种凭证管理系统，其提供了一种方法来禁用和/或转动凭证，例如当证书被怀疑已经被泄露时，同时最小化可能依赖于这些证书的各种系统的潜在影响。 首先可以临时禁用凭据，并监控各种资源的可用性以进行更改。 如果资源中的可用性没有明显下降，则该凭证可能会被禁用较长时间。 以这种方式，凭证可以被禁用并被重新启用，以便越来越长的时间间隔，直到以足够的置信/确定性确定，禁用证书将不会对关键系统产生不利影响，在该时刻可以转移和/或永久地证明证书 残疾人士 该过程还使系统能够确定在不知道这些信息的情况下哪些系统受到凭证的影响。

公开(公告)号：US20170006018A1

公开(公告)日：2017-01-05

申请号：US14675614

申请日：2015-03-31

Applicant: Amazon Technologies, Inc.

Inventor： Matthew John Campagna ,  Gregory Branchek Roth

IPC: H04L29/06

Abstract: A computer system performs cryptographic operations as a service. The computer system is configured to allow users of the service to maintain control of their respective cryptographic material. The computer system uses inaccessible cryptographic material to encrypt a user's cryptographic material in a token that is then provided to the user. The user is unable to access a plaintext copy of the cryptographic material in the token, but can provide the token back to the service to cause the service to decrypt and use the cryptographic material.

Abstract translation: 计算机系统作为服务执行加密操作。 计算机系统被配置为允许服务的用户保持对它们各自的密码材料的控制。 计算机系统使用不可访问的加密材料来加密随后提供给用户的令牌中的用户的加密材料。 用户无法访问令牌中的加密材料的明文副本，但可以将令牌提供给服务以使服务解密并使用加密材料。

公开(公告)号：US09524389B1

公开(公告)日：2016-12-20

申请号：US14733748

申请日：2015-06-08

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth

IPC: G06F9/46 ,  G06F21/55 ,  G06F9/455 ,  G06F9/48

CPC classification number: G06F21/554 ,  G06F9/45533 ,  G06F9/45558 ,  G06F9/4843 ,  G06F21/53 ,  G06F2009/45575 ,  G06F2009/45587 ,  G06F2221/034

Abstract: A system and method for capturing forensic snapshots of virtual machines prior to terminating the virtual machine, the system and method including obtaining a configuration that specifies an event and running a virtual machine in accordance with the configuration. Upon detection of an occurrence of the specified event, the system and method further includes determining a state of the virtual machine, storing information based at least in part on the determined state of the virtual machine, the information usable at least in part to recreate the state of the virtual machine, terminating the virtual machine, and running another virtual machine in accordance with the configuration.

Abstract translation: 一种用于在终止虚拟机之前捕获虚拟机的取证快照的系统和方法，所述系统和方法包括根据配置获得指定事件和运行虚拟机的配置。 在检测到指定事件的发生时，系统和方法还包括确定虚拟机的状态，至少部分地基于所确定的虚拟机的状态来存储信息，所述信息至少部分地可用于重新创建 虚拟机的状态，终止虚拟机，并根据配置运行另一个虚拟机。

公开(公告)号：US09479492B1

公开(公告)日：2016-10-25

申请号：US14145654

申请日：2013-12-31

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Kevin Ross O'Neill

IPC: H04L29/06 ,  G06F21/10 ,  G06F21/31

CPC classification number: H04L63/08 ,  G06F21/10 ,  G06F21/31 ,  H04L63/0807 ,  H04L63/10 ,  H04L63/20

Abstract: Techniques are described for enabling principals to inject context information into a credential (e.g. session credential). Once the credential has been issued, any arbitrary principal is allowed to inject context information into the existing credential. The injected context is scoped to the principal that made the injection. Subsequently, at authentication time, when the credential is used to request access to a particular resource, the system can verify whether the principal that made the injection is trusted and if the principal is deemed trusted, the context information can be applied to a policy that controls access to one or more resources, or can alternatively be translated into some context residing in a different namespace which can then be applied to the policy. In addition, the system enables arbitrary users to insert additional deny statements into an existing credential, which further restrict the scope of permissions granted by the credential.

Abstract translation: 描述了使主体能够将上下文信息注入凭证（例如会话凭证）中的技术。 证书颁发后，允许任意任意的主体将上下文信息注入到现有证书中。 注入的上下文作用于进行注射的主体。 随后，在验证时，当凭证被用于请求对特定资源的访问时，系统可以验证进行注入的主体是否被信任，并且如果主体被认为是可信的，则该上下文信息可以应用于 控制对一个或多个资源的访问，或者可以将其转换为驻留在不同命名空间中的某些上下文，然后可以将其应用于该策略。 此外，系统允许任意用户将额外的拒绝语句插入到现有凭证中，这进一步限制了凭据授予的权限范围。

公开(公告)号：US20160283723A1

公开(公告)日：2016-09-29

申请号：US15173523

申请日：2016-06-03

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Eric Jason Brandwine ,  Brian Irl Pratt

IPC: G06F21/60 ,  H04L29/06

CPC classification number: G06F21/602 ,  H04L9/0897 ,  H04L63/1416 ,  H04L2209/76

Abstract: A security module securely manages keys. The security module is usable to implement a cryptography service that includes a request processing component. The request processing component responds to requests by causing the security module to perform cryptographic operations that the request processing component cannot perform due to a lack of access to appropriate keys. The security module may be a member of a group of security modules that securely manage keys. Techniques for passing secret information from one security module to the other prevent unauthorized access to secret information.

Abstract translation: 一个安全模块可以安全地管理密钥。 安全模块可用于实现包括请求处理组件的加密服务。 请求处理组件通过使安全模块执行密码操作来响应请求，请求处理组件由于缺乏对适当的密钥的访问而无法执行。 安全模块可以是安全管理密钥的一组安全模块的成员。 将秘密信息从一个安全模块传递到另一个安全模块的技术防止未经授权的访问秘密信息。