-
Publication number: US20190319963A1
Publication date: 2019-10-17
Application number: US16453929
Filing date: 2019-06-26
Applicant: Amazon Technologies, Inc.
Inventor: Jonathan Kozolchyk, Darin Keith McAdams, Jeffrey J. Fielding, Vaibhav Mallya, Darren E. Canavor
IPC: H04L29/06
Abstract: A security service enables service providers to register available services. Prospective service consumers may register with the security service to access a particular registered service, and may specify conditions for access that are subject to approval by the corresponding service provider. Based on the registrations of the service provider and the service consumer, the security service can define access policies that may be enforced to control the conditions under which a service consumer accesses or utilizes the particular service. Additionally, changes to the access policies may be propagated to running services in near real time. Some implementations enable masking of information provided to particular service consumers based on determined needs of each service consumer for access to particular information. In some instances, the service providers may provide log information to the security service, which may be monitored to identify anomalies, security breaches or the like.
-
Publication number: US20180316501A1
Publication date: 2018-11-01
Application number: US16029358
Filing date: 2018-07-06
Applicant: Amazon Technologies, Inc.
Inventor: Jonathan Kozolchyk, Darren E. Canavor, Jeffrey J. Fielding, Vaibhav Mallya, Darin Keith McAdams
CPC classification number: H04L9/3213, H04L9/3239, H04L29/06, H04L63/0428, H04L63/102, H04L67/1097
Abstract: In some implementations, tokens that are representative of sensitive data may be used in place of the sensitive data to maintain the security of the sensitive data. For example, data may be separated into sensitive data and nonsensitive data, and at least the sensitive data is securely delivered to a data storage service. The data storage service generates a token that is representative of the sensitive data and stores the sensitive data as secure data. The data storage service may deliver the token to an entity that also receives the nonsensitive data, and the entity may use the token in place of the sensitive data. In some implementations, different tokens are generated each time the same piece of sensitive data is submitted for storage as secure data. Further, in some implementations, an expiration time may be assigned to sensitive data, and expired data and associated tokens may be deleted.
-
Publication number: US20180167220A1
Publication date: 2018-06-14
Application number: US15881550
Filing date: 2018-01-26
Applicant: Amazon Technologies, Inc.
Inventor: Marcel Andrew Levy, Darren Ernest Canavor, Zachary Ganwise Fewtrell, Andrew Alphus Kimbrough, Jonathan Kozolchyk, Darin Keith McAdams, Pradeep Ramarao, Gregory Branchek Roth
IPC: H04L9/32
CPC classification number: H04L9/3247, H04L2209/72
Abstract: In a distributed system, a computer system responsible, at least in part, for complying with a cryptographic key usage limit for a cryptographic key, obtains results of cryptographic operations generated based at least in part on the cryptographic key and transmits the obtained results over a network. The computer system digitally signs the results and provides the results with digital signatures of the results. Another device intercepts the results and allows the results to proceed to their destination contingent on successful validation of the digital signature.
-
Publication number: US09882720B1
Publication date: 2018-01-30
Application number: US14318422
Filing date: 2014-06-27
Applicant: Amazon Technologies, Inc.
Inventor: Marcel Andrew Levy, Darren Ernest Canavor, Zachary Ganwise Fewtrell, Andrew Alphus Kimbrough, Jonathan Kozolchyk, Darin Keith McAdams, Pradeep Ramarao, Gregory Branchek Roth
IPC: H04L9/32
CPC classification number: H04L9/3247, H04L2209/72
Abstract: In a distributed system, a computer system responsible, at least in part, for complying with a cryptographic key usage limit for a cryptographic key, obtains results of cryptographic operations generated based at least in part on the cryptographic key and transmits the obtained results over a network. The computer system digitally signs the results and provides the results with digital signatures of the results. Another device intercepts the results and allows the results to proceed to their destination contingent on successful validation of the digital signature.
-
Publication number: US09853811B1
Publication date: 2017-12-26
Application number: US14318411
Filing date: 2014-06-27
Applicant: Amazon Technologies, Inc.
Inventor: Marcel Andrew Levy, Darren Ernest Canavor, Zachary Ganwise Fewtrell, Andrew Alphus Kimbrough, Jonathan Kozolchyk, Darin Keith McAdams, Pradeep Ramarao, Gregory Branchek Roth
IPC: H04L9/08
CPC classification number: H04L9/088, H04L9/0891
Abstract: Nodes in a distributed system utilize the same cryptographic key, where the cryptographic key is subject to a usage limit. The usage limit is allowed to be temporarily exceeded. When the usage limit is exceeded, results of exceeding the usage limit are corrected to mitigate the effects of exceeding the usage limit.
-
Publication number: US09129118B1
Publication date: 2015-09-08
Application number: US13887143
Filing date: 2013-05-03
Applicant: Amazon Technologies, Inc.
Inventor: Jesper Mikael Johansson, Dominique Imjya Brezinski, Darren Ernest Canavor, Darin Keith McAdams, Jon Arron McClintock, Brandon William Porter
CPC classification number: G06F21/6245, G06F21/6227, H04L67/42
Abstract: A technology is described for making a decision based on identifying without disclosing the identifying information. The method may include receiving a mapping value that represents identifying information that has been converted into a mapping value. A request for data associated with the identifying information may be made by providing the mapping value as a proxy for the identifying information whereby the data associated with the identifying information may be located using the mapping value and returned to a requesting client or service.