-
Publication No.: US20190028511A1
Publication date: 2019-01-24
Application No.: US16126093
Filing date: 2018-09-10
Applicant: Amazon Technologies, Inc.
Inventor: Nicholas Howard Brown , Gregory Branchek Roth
CPC classification number: H04L51/30 , H04L9/3263 , H04L63/0428 , H04L63/0823 , H04L63/168 , H04L63/20
Abstract: Information can be added to the headers of email messages to ensure the messages are delivered using encryption, without the user having to manage keys or perform the encryption. A user can select an option in an email program that causes a flag to be added to the message header. Each mail server along the delivery path can provide (or expose) information about the type(s) of encryption supported, and if the encryption is not sufficient then the message will not be delivered to that server. This ensures the transport will remain encrypted before delivering the message to the next hop along the path. If the message cannot be delivered encrypted then the message will not be transmitted past that point. An end user then only needs to click a button or perform another such action to ensure encrypted message delivery.
-
Publication No.: US10142111B2
Publication date: 2018-11-27
Application No.: US15723003
Filing date: 2017-10-02
Applicant: Amazon Technologies, Inc.
Inventor: Bradley Jeffery Behm , Gregory Branchek Roth , Gregory Alan Rubin
Abstract: A client establishes a cryptographically protected communications session and determines information usable to distinguish the session from other sessions. The client digitally signs the information using a cryptographic key that is independent of the session to enable a server to check whether the information matches the session that it established and whether the digital signature is correct. The server may perform mitigating operations if either or both of the information or the digital signature is/are invalid.
-
Publication No.: US10121017B2
Publication date: 2018-11-06
Application No.: US13765239
Filing date: 2013-02-12
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Matthew James Wren , Eric Jason Brandwine , Brian Irl Pratt
Abstract: A system uses information submitted in connection with a request to determine if and how to process the request. The information may be electronically signed by a requestor using a key such that the system processing the request can verify that the requestor has the key and that the information is authentic. The information may include information that identifies a holder of a key needed for processing the request, where the holder of the key can be the system or another, possibly third party, system. Requests to decrypt data may be processed to ensure that a certain amount of time passes before access to the decrypted data is provided, thereby providing an opportunity to cancel such requests and/or otherwise mitigate potential security breaches.
-
Publication No.: US10097558B2
Publication date: 2018-10-09
Application No.: US15237352
Filing date: 2016-08-15
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Daniel Stephen Popick , Bradley Jeffery Behm
Abstract: Permissions can be delegated to enable access to resources associated with one or more different accounts, which might be associated with one or more different entities. Delegation profiles are established that are associated with at least one secured account of at least one customer. Each delegation profile includes information such as a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once a delegation profile is created, the profile can be available for external principals or services that provide a user credential delegated access under the account, where that credential is provided by a trusted identity service. Access can be provided across accounts using the user credential.
-
Publication No.: US10079681B1
Publication date: 2018-09-18
Application No.: US14476533
Filing date: 2014-09-03
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Aaron Douglas Dokey , Eric Jason Brandwine , Nathan Bartholomew Thomas
IPC: H04L9/32 , H04L29/08 , H04L12/911 , H04L29/06
Abstract: Techniques for securely instantiating applications associated with computing resource service provider services on hardware that is controlled by third parties and/or customers of the computing resource service provider are described herein. A request to instantiate an application is received and fulfilled by selecting a computer system from computer systems that are controlled by a third party and/or a customer of the computing resource service provider. The computer system is selected based at least in part on the hardware capabilities of the computer system associated with instantiating a secure execution environment. The application is then instantiated within a secure execution environment operating on the computer system.
-
Publication No.: US20180262485A1
Publication date: 2018-09-13
Application No.: US15977069
Filing date: 2018-05-11
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Eric Jason Brandwine , Bradley Jeffrey Behm
IPC: H04L29/06
CPC classification number: H04L63/0807 , H04L63/083
Abstract: Techniques are described for enabling a Kerberos-based authentication system to provide a client with access to a plurality of unmodifiable components that require plain text passwords. Such an approach enables a user to sign into a distributed computer system using a single password, and access multiple components that require different passwords without the need to enter a second password. By using Kerberos-based authentication, passwords are not unnecessarily sent throughout the distributed computing system where they may be vulnerable. A proxy key distribution center can be used to manage passwords or other credentials on behalf of various clients, which can be used with various processes discussed herein.
-
Publication No.: US10038718B2
Publication date: 2018-07-31
Application No.: US13932872
Filing date: 2013-07-01
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Eric Jason Brandwine , Matthew James Wren
Abstract: Data received through a proxy for a service is analyzed for compliance with one or more data policies, such as one or more data loss prevention policies. When data satisfies the criteria of one or more data policies, the data is manipulated at the proxy prior to transmission of the data to the service. In some examples, the manipulation of the data includes encryption.
-
Publication No.: US20180205738A1
Publication date: 2018-07-19
Application No.: US15924038
Filing date: 2018-03-16
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Eric Jason Brandwine , Nathan R. Fitch , Cristian M. Ilac , Eric D. Crahen
CPC classification number: H04L63/102 , G06F21/335 , G06F2221/2137 , H04L9/083 , H04L9/0861 , H04L9/088 , H04L9/32 , H04L9/3242 , H04L9/3247 , H04L63/06 , H04L63/08 , H04L2209/38
Abstract: A delegation request is submitted to a session-based authentication service, fulfilment of which involves granting an entity an access privilege to a computing resource. A session key is received from the session-based authentication service. The session key has been generated based at least in part on a restriction and a secret credential shared with the session-based authentication service, and is usable at least in part to prove possession of the access privilege to the computing resource. The session key is provided to the entity without providing the shared secret credential.
-
Publication No.: US20180198823A1
Publication date: 2018-07-12
Application No.: US15917471
Filing date: 2018-03-09
Applicant: Amazon Technologies, Inc.
Inventor: Jesper Mikael Johansson , Darren Ernest Canavor , Jon Arron McClintock , Gregory Branchek Roth , Gregory Alan Rubin , Nima Sharifi Mehr
IPC: H04L29/06
Abstract: A client establishes a network session with a server. The network session is used to establish an encrypted communications session. The client establishes another network session with another server, such as after terminating the first network session. The client resumes the encrypted communications session over the network session with the other server. The other server is configured to receive encrypted communications from the client and forward them to the appropriate server.
-
Publication No.: US20180167220A1
Publication date: 2018-06-14
Application No.: US15881550
Filing date: 2018-01-26
Applicant: Amazon Technologies, Inc.
Inventor: Marcel Andrew Levy , Darren Ernest Canavor , Zachary Ganwise Fewtrell , Andrew Alphus Kimbrough , Jonathan Kozolchyk , Darin Keith McAdams , Pradeep Ramarao , Gregory Branchek Roth
IPC: H04L9/32
CPC classification number: H04L9/3247 , H04L2209/72
Abstract: In a distributed system, a computer system responsible, at least in part, for complying with a cryptographic key usage limit for a cryptographic key, obtains results of cryptographic operations generated based at least in part on the cryptographic key and transmits the obtained results over a network. The computer system digitally signs the results and provides the results with digital signatures of the results. Another device intercepts the results and allows the results to proceed to their destination contingent on successful validation of the digital signature.