公开(公告)号：US20180083929A1

公开(公告)日：2018-03-22

申请号：US15823450

申请日：2017-11-27

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Eric Jason Brandwine ,  Brian Irl Pratt

IPC: H04L29/06 ,  H04L9/32

Abstract: A plurality of devices are each operable to provide information that is usable for to prove authorization with any of the other devices. The devices may have common access to a cryptographic key. A device may use the cryptographic key to encrypt a session key and provide both the session key and the encrypted session key. Requests to any of the devices can include the encrypted session key and a digital signature generated using the session key. In this manner, a device that receives the request can decrypt the session key and use the decrypted session key to verify the digital signature.

公开(公告)号：US09667421B2

公开(公告)日：2017-05-30

申请号：US13765209

申请日：2013-02-12

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Eric Jason Brandwine ,  Brian Irl Pratt

IPC: H04L29/06 ,  H04L9/08 ,  H04L9/32

Abstract: A system uses information submitted in connection with a request to determine if and how to process the request. The information may be electronically signed by a requestor using a key such that the system processing the request can verify that the requestor has the key and that the information is authentic. The information may include information that identifies a holder of a key needed for processing the request, where the holder of the key can be the system or another, possibly third party, system. Requests to decrypt data may be processed to ensure that a certain amount of time passes before access to the decrypted data is provided, thereby providing an opportunity to cancel such requests and/or otherwise mitigate potential security breaches.

公开(公告)号：US09547771B2

公开(公告)日：2017-01-17

申请号：US13764995

申请日：2013-02-12

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Eric Jason Brandwine ,  Brian Irl Pratt

IPC: G06F17/00 ,  H04L29/06 ,  G06F21/62 ,  G06F21/60 ,  H04L9/08

CPC classification number: G06F21/6209 ,  G06F21/602 ,  H04L9/088 ,  H04L9/0891 ,  H04L9/3242 ,  H04L63/0428 ,  H04L63/20

Abstract: Requests submitted to a computer system are evaluated for compliance with policy to ensure data security. Plaintext and associated data are used as inputs into a cipher to produce ciphertext. Whether a result of decrypting the ciphertext can be provided in response to a request is determined based at least in part on evaluation of a policy that itself is based at least in part on the associated data. Other policies include automatic rotation of keys to prevent keys from being used in enough operations to enable cryptographic attacks intended to determine the keys.

Abstract translation: 对提交给计算机系统的请求进行评估，以符合政策以确保数据安全。 明文和相关数据用作密码的输入以产生密文。 至少部分地基于本身至少部分地基于相关数据的策略的评估来确定响应于请求而提供解密密文的结果。 其他策略包括自动旋转密钥，以防止在足够的操作中使用密钥来启用旨在确定密钥的加密攻击。

公开(公告)号：US20140230007A1

公开(公告)日：2014-08-14

申请号：US13764995

申请日：2013-02-12

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Eric Jason Brandwine ,  Brian Irl Pratt

IPC: G06F21/62

CPC classification number: G06F21/6209 ,  G06F21/602 ,  H04L9/088 ,  H04L9/0891 ,  H04L9/3242 ,  H04L63/0428 ,  H04L63/20

Abstract: Requests submitted to a computer system are evaluated for compliance with policy to ensure data security. Plaintext and associated data are used as inputs into a cipher to produce ciphertext. Whether a result of decrypting the ciphertext can be provided in response to a request is determined based at least in part on evaluation of a policy that itself is based at least in part on the associated data. Other policies include automatic rotation of keys to prevent keys from being used in enough operations to enable cryptographic attacks intended to determine the keys.

Abstract translation: 对提交给计算机系统的请求进行评估，以符合政策以确保数据安全。 明文和相关数据用作密码的输入以产生密文。 至少部分地基于本身至少部分地基于相关数据的策略的评估来确定响应于请求而提供解密密文的结果。 其他策略包括自动旋转密钥，以防止在足够的操作中使用密钥来启用旨在确定密钥的加密攻击。

公开(公告)号：US11621954B2

公开(公告)日：2023-04-04

申请号：US16921172

申请日：2020-07-06

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Graeme David Baer ,  Brian Irl Pratt

IPC: H04L9/40 ,  G06F21/34

Abstract: A one-time password (OTP) based security scheme is described, where a provider pre-generates a number of verification codes (e.g., OTP codes) which will be valid for a predetermined interval. The provider then encodes the verification codes (e.g., by hashing each code with a time value), and stores the verification codes into a data structure. The data structure can be provided to a verification system that can use the set of pre-generated OTP codes to authenticate requests received from users having personal security tokens.

公开(公告)号：US11470054B2

公开(公告)日：2022-10-11

申请号：US16811932

申请日：2020-03-06

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Eric Jason Brandwine ,  Brian Irl Pratt

IPC: H04L9/40 ,  H04L9/08 ,  H04L9/14 ,  H04L9/32 ,  H04L9/16

Abstract: A key rotation that results in a first key version associated with a key being replaced by a second key version associated with the same key, wherein the first key version remains associated with the key for decrypting a previously generated ciphertext but not for future encryption requests. The first key version may be associated with a first cryptographic key material and the second key version may be associated with a second cryptographic key material different from the first cryptographic key material.

公开(公告)号：US20200336479A1

公开(公告)日：2020-10-22

申请号：US16921172

申请日：2020-07-06

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Graeme David Baer ,  Brian Irl Pratt

IPC: H04L29/06 ,  G06F21/34

Abstract: A one-time password (OTP) based security scheme is described, where a provider pre-generates a number of verification codes (e.g., OTP codes) which will be valid for a predetermined interval. The provider then encodes the verification codes (e.g., by hashing each code with a time value), and stores the verification codes into a data structure. The data structure can be provided to a verification system that can use the set of pre-generated OTP codes to authenticate requests received from users having personal security tokens.

公开(公告)号：US20200213283A1

公开(公告)日：2020-07-02

申请号：US16811932

申请日：2020-03-06

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Eric Jason Brandwine ,  Brian Irl Pratt

IPC: H04L29/06 ,  H04L9/32 ,  H04L9/16 ,  H04L9/08 ,  H04L9/14

Abstract: A key rotation that results in a first key version associated with a key being replaced by a second key version associated with the same key, wherein the first key version remains associated with the key for decrypting a previously generated ciphertext but not for future encryption requests. The first key version may be associated with a first cryptographic key material and the second key version may be associated with a second cryptographic key material different from the first cryptographic key material.

公开(公告)号：US10404670B2

公开(公告)日：2019-09-03

申请号：US15410450

申请日：2017-01-19

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Eric Jason Brandwine ,  Brian Irl Pratt

IPC: H04L29/06 ,  G06F21/60 ,  G06F21/62 ,  H04L29/08 ,  H04L9/08 ,  H04L9/32

Abstract: A distributed computing environment utilizes a cryptography service. The cryptography service manages keys securely on behalf of one or more entities. The cryptography service is configured to receive and respond to requests to perform cryptographic operations, such as encryption and decryption. The requests may originate from entities using the distributed computing environment and/or subsystems of the distributed computing environment.

公开(公告)号：US10313312B2

公开(公告)日：2019-06-04

申请号：US15462604

申请日：2017-03-17

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Eric Jason Brandwine ,  Brian Irl Pratt

IPC: H04L29/06 ,  H04L9/08 ,  H04L9/14 ,  H04L9/32 ,  H04L9/16

Abstract: A plurality of devices, having common access to a first key under which a set of data objects used by the plurality of devices are encrypted, is caused to replace the first key with a second key by at least causing a device of the plurality of devices to encrypt a subset of the set of data objects that are not selected for electronic shredding, allow access to a data object of the subset regardless of whether the data object is encrypted using the first key or the second key. At a time after the data object becomes accessible by using the second key, each of the plurality of devices is verified have common access to the second key, and the plurality of devices is caused to lose access to the first key.