公开(公告)号：US20180167219A1

公开(公告)日：2018-06-14

申请号：US15865016

申请日：2018-01-08

Applicant: Amazon Technologies, Inc.

Inventor： Matthew John Campagna ,  Gregory Branchek Roth

IPC: H04L9/32 ,  H04L9/14

CPC classification number: H04L9/3247 ,  H04L9/0822 ,  H04L9/0825 ,  H04L9/0891 ,  H04L9/14 ,  H04L9/3234 ,  H04L9/3265 ,  H04L2209/38

Abstract: A web of trust in a distributed system is established. A root of trust for at least two components in the distributed system validates information for the distributed system. The validated information is then used to create additional information for the distributed system. Versions of the information are usable to validate subsequent versions of the information such that validation of a version of the information can be performed by using one or more previous versions to verify that the version is a valid successor of a previously validated previous version.

公开(公告)号：US20180157853A1

公开(公告)日：2018-06-07

申请号：US15889053

申请日：2018-02-05

Applicant: Amazon Technologies, Inc.

Inventor： Sandeep Kumar ,  Gregory Branchek Roth ,  Gregory Alan Rubin ,  Mark Christopher Seigle ,  Kamran Tirdad

IPC: G06F21/60 ,  G06F21/62 ,  H04L9/14 ,  H04L9/08 ,  G06F11/10 ,  G06F12/14 ,  G06F11/14

Abstract: A data storage service redundantly stores data and keys used to encrypt the data. Data objects are encrypted with first cryptographic keys. The first cryptographic keys are encrypted by second cryptographic keys. The first cryptographic keys and second cryptographic keys are redundantly stored in a data storage system to enable access of the data objects, such as to respond to requests to retrieve the data objects. The second cryptographic keys may be encrypted by third keys and redundantly stored in the event access to a second cryptographic key is lost.

公开(公告)号：US09984238B1

公开(公告)日：2018-05-29

申请号：US14673311

申请日：2015-03-30

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Eric Jason Brandwine

IPC: G06F21/00 ,  G06F21/60 ,  H04L29/08 ,  H04L29/06

CPC classification number: G06F21/602 ,  H04L63/0428 ,  H04L67/1097 ,  H04L67/2842

Abstract: A storage device can include processing and cryptographic capability enabling the device to function as a hardware security module (HSM). This includes the ability to encrypt and decrypt data using a cryptographic key, as well as to perform processing using such a key, independent of whether that processing involves data stored on the device. An internal key can be provided to the drive, whether provided before customer software access or received wrapped in another key, etc. That key enables the device to perform secure processing on behalf of a user or entity, where that key is not exposed to other components in the network or environment. A key may have specified tasks that can be performed using that key, and can be discarded after use. In some embodiments, firmware is provided that can cause a storage device to function as an HSM and/or processing device with cryptographic capability.

公开(公告)号：US20180124056A1

公开(公告)日：2018-05-03

申请号：US15851564

申请日：2017-12-21

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren

IPC: H04L29/06

CPC classification number: H04L63/10 ,  H04L63/0428 ,  H04L63/08 ,  H04L63/108 ,  H04L63/20

Abstract: Policy changes are propagated to access control devices of a distributed system. The policy changes are given immediate effect without having to wait for the changes to propagate through the system. A token encodes the policy change and can be provided in connection with access requests. Before an access control device has received a propagated policy change, the access control device can evaluate a token provided in connection with a request to determine, consistent with the policy change, whether to fulfill the request.

公开(公告)号：US09946869B1

公开(公告)日：2018-04-17

申请号：US14476593

申请日：2014-09-03

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Aaron Douglas Dokey ,  Eric Jason Brandwine ,  Nathan Bartholomew Thomas

IPC: G06F21/00 ,  G06F21/50 ,  H04L29/08 ,  H04L29/06 ,  G06F9/455

CPC classification number: G06F21/50 ,  G06F9/4401 ,  G06F9/45558 ,  G06F2009/45591 ,  H04L63/10 ,  H04L63/12 ,  H04L67/10

Abstract: Systems and methods for providing computer system monitoring as a service of a computing resource service provider, monitoring capacity computer system of a customer of the computing resource service provider, and based on the request, launching a monitoring agent in a protected execution environment in which the monitoring agent is configured to generate an assessment of the computer system and provide the assessment of the computer system.

公开(公告)号：US09946863B1

公开(公告)日：2018-04-17

申请号：US14225320

申请日：2014-03-25

Applicant: Amazon Technologies, Inc.

Inventor： Jesper Mikael Johansson ,  Gregory Branchek Roth ,  David Matthew Platz ,  Rajendra Kumar Vippagunta

IPC: H04L29/06 ,  G06F21/36 ,  G06F3/0484

CPC classification number: G06F21/36 ,  G06F3/04842

Abstract: Representations of authentication objects are provided for selection via an interface. An authentication object may be generated to include information proving possession of a user of an item, such as a one-time password token or a physical trait. A selected authentication object may contain information sufficient for authentication with a corresponding system. The interface may provide multiple representations of authentication objects that are usable with different service providers.

公开(公告)号：US09942041B1

公开(公告)日：2018-04-10

申请号：US14476533

申请日：2014-09-03

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Aaron Douglas Dokey ,  Eric Jason Brandwine ,  Nathan Bartholomew Thomas

IPC: H04L9/32 ,  H04L29/08 ,  H04L12/911 ,  H04L29/06

CPC classification number: H04L9/32 ,  H04L9/3263 ,  H04L47/70 ,  H04L63/061 ,  H04L67/10

Abstract: Techniques for securely instantiating applications associated with computing resource service provider services on hardware that is controlled by third parties and/or customers of the computing resource service provider are described herein. A request to instantiate an application is received and fulfilled by selecting a computer system from computer systems that are controlled by a third party and/or a customer of the computing resource service provider. The computer system is selected based at least in part on the hardware capabilities of the computer system associated with instantiating a secure execution environment. The application is then instantiated within a secure execution environment operating on the computer system.

公开(公告)号：US09930067B1

公开(公告)日：2018-03-27

申请号：US14576146

申请日：2014-12-18

Applicant: Amazon Technologies, Inc.

Inventor： Jesper Mikael Johansson ,  Darren Ernest Canavor ,  Jon Arron McClintock ,  Gregory Branchek Roth ,  Gregory Alan Rubin ,  Nima Sharifi Mehr

IPC: H04L29/00 ,  H04L29/06

CPC classification number: H04L63/166 ,  H04L63/0281 ,  H04L63/0428 ,  H04L63/0478 ,  H04L63/06 ,  H04L63/123 ,  H04L2463/061

Abstract: A client establishes a network session with a server. The network session is used to establish an encrypted communications session. The client establishes another network session with another server, such as after terminating the first network session. The client resumes the encrypted communications session over the network session with the other server. The other server is configured to receive encrypted communications from the client and forward them to the appropriate server.

公开(公告)号：US09906564B2

公开(公告)日：2018-02-27

申请号：US15638227

申请日：2017-06-29

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Brian Irl Pratt

IPC: H04L29/06 ,  G06F21/60 ,  H04L9/32

CPC classification number: H04L63/205 ,  G06F21/60 ,  G06F21/602 ,  H04L9/3247 ,  H04L63/126 ,  H04L63/18 ,  H04L63/20 ,  H04L2463/062

Abstract: A first service submits a request to a second service on behalf of a customer of a service provider. The request may have been triggered by a request of the customer to the first service. To process the request, the second service evaluates one or more policies to determine whether fulfillment of the request is allowed by policy associated with the customer. The one or more policies may state one or more conditions on one or more services that played a role in submission of the request. If determined that the policy allows fulfillment of the request, the second service fulfills the request.

公开(公告)号：US20180041480A1

公开(公告)日：2018-02-08

申请号：US15786322

申请日：2017-10-17

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Eric Jason Brandwine

IPC: H04L29/06 ,  H04L9/32 ,  H04L29/08

CPC classification number: H04L63/0428 ,  H04L9/321 ,  H04L9/3247 ,  H04L63/10 ,  H04L63/102 ,  H04L63/108 ,  H04L63/123 ,  H04L63/168 ,  H04L67/02

Abstract: Requests are pre-generated to include a cryptographic key to be used in fulfilling the requests. The requests may be encoded in uniform resource locators and may include authentication information to enable a service provider to whom the requests are submitted to determine whether the requests are authorized. The requests may be passed to various entities who can then submit the requests to the service provider. The service provider, upon receipt of a request, can verify the authentication information and fulfill the request using a cryptographic key encoded in the request.