-
Publication No.: US20200296108A1
Publication Date: 2020-09-17
Application No.: US16892197
Application Date: 2020-06-03
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Eric Jason Brandwine, Nathan R. Fitch, Cristian M. Ilac, Eric D. Crahen
Abstract: A delegation request is submitted to a session-based authentication service, fulfillment of which involves granting an entity an access privilege to a computing resource. A session key is received from the session-based authentication service. The session key having been generated based at least in part on a restriction and a secret credential shared with the session-based authentication service and usable at least in part to prove possession of the access privilege to the computing resource. The session key is provided to the entity without providing the shared secret credential.
-
Publication No.: US20200213283A1
Publication Date: 2020-07-02
Application No.: US16811932
Application Date: 2020-03-06
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
Abstract: A key rotation that results in a first key version associated with a key being replaced by a second key version associated with the same key, wherein the first key version remains associated with the key for decrypting a previously generated ciphertext but not for future encryption requests. The first key version may be associated with a first cryptographic key material and the second key version may be associated with a second cryptographic key material different from the first cryptographic key material.
-
Publication No.: US10516667B1
Publication Date: 2019-12-24
Application No.: US14295108
Application Date: 2014-06-03
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Anders Samuelsson, Bradley Jeffery Behm
Abstract: A service of a service provider can cause a compartment to be created in an account of a customer of the service provider. Computing resources are provisioned in the compartment and the service has administrative authority over the computing resources. The customer may have administrative authority over the compartment, but may lack authority over the computing resources inside of the compartment.
-
Publication No.: US10469477B2
Publication Date: 2019-11-05
Application No.: US14675614
Application Date: 2015-03-31
Applicant: Amazon Technologies, Inc.
Inventor: Matthew John Campagna, Gregory Branchek Roth
Abstract: A computer system performs cryptographic operations as a service. The computer system is configured to allow users of the service to maintain control of their respective cryptographic material. The computer system uses inaccessible cryptographic material to encrypt a user's cryptographic material in a token that is then provided to the user. The user is unable to access a plaintext copy of the cryptographic material in the token, but can provide the token back to the service to cause the service to decrypt and use the cryptographic material.
-
Publication No.: US20190312851A1
Publication Date: 2019-10-10
Application No.: US16450801
Application Date: 2019-06-24
Applicant: Amazon Technologies, Inc.
Inventor: Matthew John Campagna, Derek Del Miller, Nachiketh Rao Potlapally, Gregory Branchek Roth
Abstract: A device is provisioned and authorized for use on a network. The device may generate a cryptographic key and provide a digital certificate the cryptographic key, a hardware identifier, and attribute information and provide such information to an authorization host as part of the provisioning process. The authorization host may use attribute information to determine whether to authorize the device for use on the network, and whether the generated cryptographic key should be trusted for use on the network.
-
Publication No.: US20190286852A1
Publication Date: 2019-09-19
Application No.: US16372256
Application Date: 2019-04-01
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Alan Rubin, Gregory Branchek Roth
Abstract: A computer system encodes a plurality of components of a data set into a probabilistic data structure and digitally signs the probabilistic data structure. The computer system provides the digital signature for the probabilistic data structure and the probabilistic data structure to various entities. An entity can verify an individual component of the data set within the probabilistic data structure by verifying the individual component against the probabilistic data structure and the digital signature of the probabilistic data structure.
-
Publication No.: US10412059B2
Publication Date: 2019-09-10
Application No.: US15786322
Application Date: 2017-10-17
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Eric Jason Brandwine
Abstract: Requests are pre-generated to include a cryptographic key to be used in fulfilling the requests. The requests may be encoded in uniform resource locators and may include authentication information to enable a service provider to whom the requests are submitted to determine whether the requests are authorized. The requests may be passed to various entities who can then submit the requests to the service provider. The service provider, upon receipt of a request, can verify the authentication information and fulfill the request using a cryptographic key encoded in the request.
-
Publication No.: US10404670B2
Publication Date: 2019-09-03
Application No.: US15410450
Application Date: 2017-01-19
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
Abstract: A distributed computing environment utilizes a cryptography service. The cryptography service manages keys securely on behalf of one or more entities. The cryptography service is configured to receive and respond to requests to perform cryptographic operations, such as encryption and decryption. The requests may originate from entities using the distributed computing environment and/or subsystems of the distributed computing environment.
-
Publication No.: US20190268245A1
Publication Date: 2019-08-29
Application No.: US16406758
Application Date: 2019-05-08
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Daniel Stephen Popick, Derek Avery Lyon, John Michael Morkel, Graeme David Baer, Ajith Harshana Ranabahu, Khaled Salah Sedky
Abstract: A method and apparatus for testing and simulating an access control policy are disclosed. Evaluating an access control policy may be performed by utilizing a deny statement that causes the access request to be rejected despite actions indicated in the access request being authorized. Further, an independent simulation environment may be utilized for testing access control policy evaluation.
-
Publication No.: US10382200B2
Publication Date: 2019-08-13
Application No.: US16126735
Application Date: 2018-09-10
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth
IPC: H04L9/08
Abstract: Information, such as a cryptographic key, is used repeatedly in the performance of operations, such as certain cryptographic operations. To prevent repeated use of the information from enabling security breaches, the information is rotated (replaced with other information). To avoid the resource costs of maintaining a counter on the number of operations performed, decisions of when to rotate the information are performed based at least in part on the output of stochastic processes.