公开(公告)号：US20180332110A1

公开(公告)日：2018-11-15

申请号：US16035473

申请日：2018-07-13

Applicant: Amazon Technologies, Inc.

Inventor： Eric Jason Brandwine ,  Swaminathan Sivasubramanian ,  Bradley Eugene Marshall ,  Tate Andrew Certain

IPC: H04L29/08 ,  H04L12/911 ,  H04L12/24 ,  H04L12/26

CPC classification number: H04L67/1095 ,  H04L41/0846 ,  H04L41/145 ,  H04L43/50 ,  H04L47/70

Abstract: A request to copy at least a portion of a first network that includes a first set of devices is received, the request including one or more filtering criteria, with at least one of the one or more filtering criteria specifying a tag assigned to a device of the first set of devices. At least the portion of the first network is copied by causing the system to create, according to the one or more filtering criteria, a second network by causing a second set of devices to be configured to be duplicative of devices of the first set of devices that are assigned the tag specified by the filtering criteria.

公开(公告)号：US10127389B1

公开(公告)日：2018-11-13

申请号：US14673350

申请日：2015-03-30

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Eric Jason Brandwine

IPC: G06F21/60

Abstract: A storage device can include processing and cryptographic capability enabling the device to function as a hardware security module (HSM). This includes the ability to encrypt and decrypt data using a cryptographic key, as well as to perform processing using such a key, independent of whether that processing involves data stored on the device. An internal key can be provided to the drive, whether provided before customer software access or received wrapped in another key, etc. That key enables the device to perform secure processing on behalf of a user or entity, where that key is not exposed to other components in the network or environment. A key may have specified tasks that can be performed using that key, and can be discarded after use. In some embodiments, firmware is provided that can cause a storage device to function as an HSM and/or processing device with cryptographic capability.

公开(公告)号：US20180300489A1

公开(公告)日：2018-10-18

申请号：US15989493

申请日：2018-05-25

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Eric Jason Brandwine

IPC: G06F21/60 ,  H04L29/08

CPC classification number: G06F21/602 ,  H04L63/0428 ,  H04L67/1097 ,  H04L67/2842

Abstract: A storage device can include processing and cryptographic capability enabling the device to function as a hardware security module (HSM). This includes the ability to encrypt and decrypt data using a cryptographic key, as well as to perform processing using such a key, independent of whether that processing involves data stored on the device. An internal key can be provided to the drive, whether provided before customer software access or received wrapped in another key, etc. That key enables the device to perform secure processing on behalf of a user or entity, where that key is not exposed to other components in the network or environment. A key may have specified tasks that can be performed using that key, and can be discarded after use. In some embodiments, firmware is provided that can cause a storage device to function as an HSM and/or processing device with cryptographic capability.

公开(公告)号：US10084851B1

公开(公告)日：2018-09-25

申请号：US14254780

申请日：2014-04-16

Applicant: Amazon Technologies, Inc.

Inventor： Eric Jason Brandwine ,  Kevin Christopher Miller

IPC: G06F15/177 ,  H04L29/08

CPC classification number: H04L67/10 ,  H04L41/0893 ,  H04L41/12 ,  H04L41/5096 ,  H04L67/34 ,  H04L67/38

Abstract: Techniques are described for providing a managed computer network, such as for a managed virtual computer network overlaid on another substrate computer network, and including managing communications for computing nodes of the managed computer network by using one or more particular hardware devices connected to the substrate computer network to operate as a logical network node of the managed computer network that acts as an intermediate destination to provide one or more types of functionality for at least some communications that are sent by and/or directed to one or more computing nodes of the managed computer network. For example, a communication manager module associated with a source computing node for the managed computer network may determine to direct a communication from the source computing node over the substrate network to one or more substrate hardware devices that represent a particular intermediate destination network node of the managed computer network.

公开(公告)号：US10079842B1

公开(公告)日：2018-09-18

申请号：US15085708

申请日：2016-03-30

Applicant: Amazon Technologies, Inc.

Inventor： Eric Jason Brandwine ,  Robert Eric Fitzgerald ,  Alexander Robin Gordon Lucas

IPC: H04L29/06

CPC classification number: H04L63/1416 ,  G06F21/552 ,  G06F21/80 ,  H04L63/1425 ,  H04L63/1441

Abstract: A computing resource service provider may provide customers with a block-level forensics service. Logical volumes associated a customer may be used to instantiate computing resources provided by a computing resource service provide for use by the customer. The block-level forensics service or component thereof may monitor the logical volume based at least in part on a log generated as a result of the logical volume being implemented as a log-structured storage system. Operations to the log may be collected by the block-level forensics service and malicious activity may be detected based at least in part on operations to the log.

公开(公告)号：US10075305B2

公开(公告)日：2018-09-11

申请号：US15489529

申请日：2017-04-17

Applicant: Amazon Technologies, Inc.

Inventor： Eric Jason Brandwine ,  Andrew Bruce Dickinson

IPC: H04L12/46 ,  H04L29/06 ,  H04W80/06 ,  H04L12/70

CPC classification number: H04L12/4641 ,  H04L12/4633 ,  H04L29/06095 ,  H04L61/2514 ,  H04L61/2592 ,  H04L63/0272 ,  H04L69/16 ,  H04L69/161 ,  H04L69/166 ,  H04L69/167 ,  H04L69/168 ,  H04L69/169 ,  H04L2012/5667 ,  H04W80/06

Abstract: Methods and apparatus for remapping IP addresses of a network to endpoints within a different network. A provider network may allocate IP addresses and resources to a customer. The provider network may allow the customer to remap an IP address to an endpoint on the customer's network. When a packet is received from a client addressed to the IP address, the provider network may determine that the IP address has been remapped to the endpoint. The provider network may translate the source and destination addresses of the packet and encode the packet for transmission over a private communications channel. The encoded packet may be sent to the endpoint via the private communications channel over an intermediate network. Response traffic may be routed to the client through the provider network, or may be directly routed to the client by the customer network.

公开(公告)号：US10063380B2

公开(公告)日：2018-08-28

申请号：US13746737

申请日：2013-01-22

Applicant: Amazon Technologies, Inc.

Inventor： Eric Jason Brandwine ,  Matthew Shawn Wilson

IPC: G06F21/00 ,  H04L9/32 ,  G06F21/60 ,  G06F21/33 ,  G06F21/51 ,  G06F21/53 ,  G06F21/62 ,  G06F9/455 ,  H04L29/06

CPC classification number: H04L9/3263 ,  G06F9/45558 ,  G06F21/335 ,  G06F21/51 ,  G06F21/53 ,  G06F21/602 ,  G06F21/629 ,  G06F2009/45587 ,  G06F2221/033 ,  G06F2221/2107 ,  G06F2221/2115 ,  G06F2221/2141 ,  G06F2221/2149 ,  H04L63/0823

Abstract: A formalized set of interfaces (e.g., application programming interfaces (APIs)) is described, that uses a security scheme, such as asymmetric (or symmetric) cryptography, in order authorize and authenticate requests sent to a virtualization later. The interfaces can be invoked to perform security monitoring, forensic capture, and/or patch software systems at runtime. In addition to the foregoing, other aspects are described in the claims, detailed description, and figures.

公开(公告)号：US10038558B2

公开(公告)日：2018-07-31

申请号：US15046349

申请日：2016-02-17

Applicant: Amazon Technologies, Inc.

Inventor： Nachiketh Rao Potlapally ,  Eric Jason Brandwine ,  Deepak Singh

IPC: H04L29/06 ,  H04L9/32 ,  G06F21/64

CPC classification number: H04L9/3242 ,  G06F21/64 ,  H04L9/3234 ,  H04L9/3236 ,  H04L9/3247

Abstract: A virtualized system that is capable of executing a computation that has been identified as a repeatable computation and recording various representations of the state of the computing environment throughout the execution of the repeatable computation, where the state of the computing environment can be cryptographically signed and/or verified using a trusted platform module (TPM), or other cryptographic module. For example, a TPM embedded in the host computing device may generate a hash measurement that captures the state of the repeatable computation at the time of the computation. This measurement can be digitally signed using one or more cryptographic keys of the TPM and recorded for future use. The recorded state can subsequently be used to repeat the computation and/or determine whether the computation was repeated successfully according to certain defined criteria.

公开(公告)号：US20180183774A1

公开(公告)日：2018-06-28

申请号：US15390214

申请日：2016-12-23

Applicant: Amazon Technologies, Inc.

Inventor： Matthew John Campagna ,  Gregory Alan Rubin ,  Nicholas Alexander Allen ,  Andrew Kyle Driggs ,  Eric Jason Brandwine

IPC: H04L29/06 ,  H04L9/32 ,  H04L9/08

CPC classification number: H04L63/067 ,  H04L9/0819 ,  H04L9/0869 ,  H04L9/0891 ,  H04L9/3236 ,  H04L9/3247 ,  H04L63/0884

Abstract: A key distribution service operated by a signature authority distributes one-time-use cryptographic keys to one or more delegates that generate digital signatures on behalf of the signature authority. The key distribution service uses a root seed value to generate subordinate seeds. The subordinate seeds are used to generate a set of cryptographic keys. Hashes are generated for each key, and the hashes are arranged into a Merkle tree with a root hash controlled by the signature authority. In response to a request from a delegate, the signature authority provides a subordinate seed to the delegate. The delegate uses the subordinate seed to generate one or more cryptographic keys. The cryptographic keys are used to generate digital signatures which are verifiable up to the root hash of the Merkle tree. Additional subordinate seeds may be distributed to entities by the signature authority when appropriate.

公开(公告)号：US20180183771A1

公开(公告)日：2018-06-28

申请号：US15390205

申请日：2016-12-23

Applicant: Amazon Technologies, Inc.

Inventor： Matthew John Campagna ,  Gregory Alan Rubin ,  Nicholas Alexander Allen ,  Andrew Kyle Driggs ,  Eric Jason Brandwine

IPC: H04L29/06 ,  H04L9/32

CPC classification number: H04L63/0442 ,  H04L9/3239 ,  H04L9/3247 ,  H04L9/3268 ,  H04L63/062 ,  H04L2209/38

Abstract: A signature authority generates revocable one-time-use keys that are able to generate digital signatures. The signature authority generates a set of one-time-use keys, where each one-time-use key has a secret key and a public key derived from a hash of the secret key. The signature authority generates one or more revocation values that, when published, proves that the signature authority has the authority to revoke corresponding cryptographic keys. The signature authority hashes the public keys and the revocation values and arranges the hashes in a hash tree where the root of the hash tree acts as a public key of the signature authority. In some implementations, the one-time-use cryptographic keys are generated from a tree of seed values, and a particular revocation value is linked to a particular seed value, allowing for the revocation of a block of one-time-use cryptographic keys associated with the particular seed.