-
Publication number: US09888041B2
Publication date: 2018-02-06
Application number: US15261069
Filing date: 2016-09-09
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Graeme David Baer , Eric Jason Brandwine
IPC: H04L29/06
CPC classification number: H04L63/205 , G06F21/6218 , H04L63/0218 , H04L63/0272 , H04L63/08 , H04L63/083 , H04L63/0861 , H04L63/10 , H04L63/123 , H04L63/1458 , H04L63/168 , H04L67/10 , H04L67/1002
Abstract: Customers can utilize resources of a multi-tenant environment to provide one or more services available to various users. In order to simplify the process for these customers, the multi-tenant environment can include an infrastructure wherein a portion of the resources provide an authentication and/or authorization service that can be leveraged by the customer services. These resources can logically sit in front of the resources used to provide the customer services, such that a user request must pass through the authorization and authentication service before being directed to the customer service. Such resources can provide other functionality as well, such as load balancing and metering.
-
Publication number: US09882888B2
Publication date: 2018-01-30
Application number: US14754321
Filing date: 2015-06-29
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Matthew James Wren , Eric Jason Brandwine
CPC classification number: H04L63/0823 , H04L9/0822 , H04L9/0891 , H04L9/0894 , H04L63/06 , H04L63/061 , H04L2463/062
Abstract: Customers accessing resources and/or data in a multi-tenant environment can obtain assurance that a provider of that environment will honor only requests associated with the customer. A multi-tenant cryptographic service can be used to manage cryptographic key material and/or other security resources in the multi-tenant environment. The cryptographic service can provide a mechanism in which the service can receive requests to use the cryptographic key material to access encrypted customer data, export key material out of the cryptographic service, destroy key material managed by the cryptographic service, among others. Such an approach can enable a customer to manage key material without exposing the key material outside a secure environment.
-
Publication number: US09882720B1
Publication date: 2018-01-30
Application number: US14318422
Filing date: 2014-06-27
Applicant: Amazon Technologies, Inc.
Inventor: Marcel Andrew Levy , Darren Ernest Canavor , Zachary Ganwise Fewtrell , Andrew Alphus Kimbrough , Jonathan Kozolchyk , Darin Keith McAdams , Pradeep Ramarao , Gregory Branchek Roth
IPC: H04L9/32
CPC classification number: H04L9/3247 , H04L2209/72
Abstract: In a distributed system, a computer system responsible, at least in part, for complying with a cryptographic key usage limit for a cryptographic key, obtains results of cryptographic operations generated based at least in part on the cryptographic key and transmits the obtained results over a network. The computer system digitally signs the results and provides the results with digital signatures of the results. Another device intercepts the results and allows the results to proceed to their destination contingent on successful validation of the digital signature.
-
Publication number: US20180026797A1
Publication date: 2018-01-25
Application number: US15723003
Filing date: 2017-10-02
Applicant: Amazon Technologies, Inc.
Inventor: Bradley Jeffery Behm , Gregory Branchek Roth , Gregory Alan Rubin
CPC classification number: H04L9/3247 , H04L9/0841 , H04L9/3263 , H04L63/08 , H04L63/0823 , H04L63/1466 , H04L63/166
Abstract: A client establishes a cryptographically protected communications session and determines information usable to distinguish the session from other sessions. The client digitally signs the information using a cryptographic key that is independent of the session to enable a server to check whether the information matches the session that it established and whether the digital signature is correct. The server may perform mitigating operations if either or both of the information or the digital signature is/are invalid.
-
Publication number: US09853811B1
Publication date: 2017-12-26
Application number: US14318411
Filing date: 2014-06-27
Applicant: Amazon Technologies, Inc.
Inventor: Marcel Andrew Levy , Darren Ernest Canavor , Zachary Ganwise Fewtrell , Andrew Alphus Kimbrough , Jonathan Kozolchyk , Darin Keith McAdams , Pradeep Ramarao , Gregory Branchek Roth
IPC: H04L9/08
CPC classification number: H04L9/088 , H04L9/0891
Abstract: Nodes in a distributed system utilize the same cryptographic key, where the cryptographic key is subject to a usage limit. The usage limit is allowed to be temporarily exceeded. When the usage limit is exceeded, results of exceeding the usage limit are corrected to mitigate the effects of exceeding the usage limit.
-
Publication number: US20170331822A1
Publication date: 2017-11-16
Application number: US15632787
Filing date: 2017-06-26
Applicant: Amazon Technologies, Inc.
CPC classification number: H04L63/0876 , H04L9/3234 , H04L9/3242 , H04L9/3247 , H04L9/3271 , H04L9/3297 , H04L63/061 , H04L63/0884 , H04L63/123 , H04L63/166 , H04L2463/121
Abstract: A server obtains a challenge from another computer system during a negotiation with a client according to a protocol. The server injects the challenge into a message of the protocol to the client. The client uses the challenge in an authentication request. The server submits the authentication request to the other computer system for verification. The other computer system verifies the authentication request using a key registered to the client. The server operates further dependent at least in part on whether verification of the authentication request was successful.
-
Publication number: US20170324568A1
Publication date: 2017-11-09
Application number: US15652161
Filing date: 2017-07-17
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Graeme David Baer
IPC: H04L9/32 , G06F21/31 , G06F21/33 , H04L9/08 , H04L29/08 , H04L29/06 , G06F9/455 , H04L9/30 , H04L9/14
CPC classification number: H04L9/3271 , G06F9/45533 , G06F21/31 , G06F21/335 , G06F21/602 , G06F2221/2115 , H04L9/08 , H04L9/0816 , H04L9/0894 , H04L9/14 , H04L9/302 , H04L9/3242 , H04L9/3247 , H04L9/3249 , H04L63/0807 , H04L63/0876 , H04L63/0884 , H04L63/126 , H04L63/20 , H04L67/02 , H04L2209/56 , H04L2209/76
Abstract: An escrow platform is described that can be used to enable access to devices. The escrow platform can be used to sign cryptographic network protocol challenges on behalf of clients so that the secrets used to sign cryptographic network protocol challenges do not have to be exposed to the clients. The escrow platform can store or control access to private keys, and the corresponding public keys can be stored on respective target platforms. A client can attempt to access a target platform and in response the target platform can issue a challenge. The client platform can send the challenge to the escrow platform, which can use the corresponding private key to sign the challenge. The signed challenge can be sent back to the client, which can forward it to the target platform. The target platform can verify the expected private key and grant access.
-
Publication number: US09762577B2
Publication date: 2017-09-12
Application number: US15003707
Filing date: 2016-01-21
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Gregory Alan Rubin
Abstract: A client and server negotiate a secure communication channel using a pre-shared key where the server, at the time the negotiation initiates, lacks access to the pre-shared key. The server obtains the pre-shared key from another server that shares a secret with the client. A digital signature or other authentication information generated by the client may be used to enable the other server to determine whether to provide the pre-shared key.
-
Publication number: US09679274B1
Publication date: 2017-06-13
Application number: US13655355
Filing date: 2012-10-18
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth
IPC: G06Q10/10
CPC classification number: G06Q10/109 , G06Q10/1095
Abstract: Access to calendar data indicating the state of time blocks is varied according to visibility conditions associated with at least some of the time blocks. Parameters for a meeting are used to determine a state in which to indicate a block of time, which may conflict with the meeting. The state may be either an occupied or unoccupied state.
-
Publication number: US09674170B2
Publication date: 2017-06-06
Application number: US14292404
Filing date: 2014-05-30
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Cristian M. Ilac
CPC classification number: H04L63/08 , H04L9/0872 , H04L9/0891 , H04L63/061 , H04L63/0838 , H04W12/04 , H04W12/06
Abstract: Secret information, such as seeds, codes, and keys, can be automatically renegotiated between at least one sender and at least one recipient. Various mechanisms, such as counters, events, or challenges, can be used to trigger automatic renegotiations through various requests or communications. These changes can cause the current secret information to diverge from older copies of the secret information that might have been obtained by unintended third parties. In some embodiments, a secret can be configured to “decay” over time, or have small changes periodically introduced that can be determined to be valid by an authorized party, but can reduce the effectiveness of prior versions of the secret information.