-
Publication number: US10243939B2
Publication date: 2019-03-26
Application number: US15390214
Filing date: 2016-12-23
Applicant: Amazon Technologies, Inc.
Inventor: Matthew John Campagna, Gregory Alan Rubin, Nicholas Alexander Allen, Andrew Kyle Driggs, Eric Jason Brandwine
Abstract: A key distribution service operated by a signature authority distributes one-time-use cryptographic keys to one or more delegates that generate digital signatures on behalf of the signature authority. The key distribution service uses a root seed value to generate subordinate seeds. The subordinate seeds are used to generate a set of cryptographic keys. Hashes are generated for each key, and the hashes are arranged into a Merkle tree with a root hash controlled by the signature authority. In response to a request from a delegate, the signature authority provides a subordinate seed to the delegate. The delegate uses the subordinate seed to generate one or more cryptographic keys. The cryptographic keys are used to generate digital signatures which are verifiable up to the root hash of the Merkle tree. Additional subordinate seeds may be distributed to entities by the signature authority when appropriate.
-
Publication number: US10237249B2
Publication date: 2019-03-19
Application number: US15390205
Filing date: 2016-12-23
Applicant: Amazon Technologies, Inc.
Inventor: Matthew John Campagna, Gregory Alan Rubin, Nicholas Alexander Allen, Andrew Kyle Driggs, Eric Jason Brandwine
Abstract: A signature authority generates revocable one-time-use keys that are able to generate digital signatures. The signature authority generates a set of one-time-use keys, where each one-time-use key has a secret key and a public key derived from a hash of the secret key. The signature authority generates one or more revocation values that, when published, prove that the signature authority has the authority to revoke corresponding cryptographic keys. The signature authority hashes the public keys and the revocation values and arranges the hashes in a hash tree where the root of the hash tree acts as a public key of the signature authority. In some implementations, the one-time-use cryptographic keys are generated from a tree of seed values, and a particular revocation value is linked to a particular seed value, allowing for the revocation of a block of one-time-use cryptographic keys associated with the particular seed.
-
Publication number: US10229270B2
Publication date: 2019-03-12
Application number: US15389771
Filing date: 2016-12-23
Applicant: Amazon Technologies, Inc.
Inventor: Matthew John Campagna, Gregory Alan Rubin, Eric Jason Brandwine
Abstract: A service provider provides virtual computing services using a fleet of one or more host computer systems. Each of the host computer systems may be equipped with a trusted platform module ("TPM"). The service provider, the host computer systems, and the virtual computing environments generate attestations that prove the integrity of the system. The attestations are signed with a one-time-use cryptographic key that is verifiable against the public keys of the service provider, a host computer system, and a virtual computing environment. The public key of the host computer system is integrated into a hash tree that links the public key of the host computer system to the public key of the service provider. The public key of the virtual computing environment is signed using a one-time-use cryptographic key issued to the host computer system that hosts the virtual computing environment.
-
Publication number: US20190068560A1
Publication date: 2019-02-28
Application number: US16171227
Filing date: 2018-10-25
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Eric Jason Brandwine
Abstract: Requests are pre-generated to include a cryptographic key to be used in fulfilling the requests. The requests may be encoded in uniform resource locators and may include authentication information to enable a service provider to whom the requests are submitted to determine whether the requests are authorized. The requests may be passed to various entities who can then submit the requests to the service provider. The service provider, upon receipt of a request, can verify the authentication information and fulfill the request using a cryptographic key encoded in the request.
-
Publication number: US10216921B1
Publication date: 2019-02-26
Application number: US15258980
Filing date: 2016-09-07
Applicant: Amazon Technologies, Inc.
Inventor: Cornelle Christiaan Pretorius Janse Van Rensburg, Mark Joseph Cavage, Marc John Brooker, David Everard Brown, Abhinav Agrawal, Matthew S. Garman, Kevin Ross O'Neill, Eric Jason Brandwine, Christopher Richard Jacques de Kadt
Abstract: Systems and methods for attesting to information about a computing resource involve electronically signed documents. For a computing resource, a document containing information about the resource is generated and electronically signed. The document may be provided to one or more entities as an attestation to at least some of the information contained in the document. Attestation to information in the document may be a prerequisite for performance of one or more actions that may be taken in connection with the computing resource.
-
Publication number: US20190044979A1
Publication date: 2019-02-07
Application number: US15888722
Filing date: 2018-02-05
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Graeme David Baer, Eric Jason Brandwine
CPC classification number: H04L63/205, G06F21/6218, H04L63/0218, H04L63/0272, H04L63/08, H04L63/083, H04L63/0861, H04L63/10, H04L63/123, H04L63/1458, H04L63/168, H04L67/10, H04L67/1002
Abstract: Customers can utilize resources of a multi-tenant environment to provide one or more services available to various users. In order to simplify the process for these customers, the multi-tenant environment can include an infrastructure wherein a portion of the resources provide an authentication and/or authorization service that can be leveraged by the customer services. These resources can logically sit in front of the resources used to provide the customer services, such that a user request must pass through the authorization and authentication service before being directed to the customer service. Such resources can provide other functionality as well, such as load balancing and metering.
-
Publication number: US10198297B1
Publication date: 2019-02-05
Application number: US15256125
Filing date: 2016-09-02
Applicant: Amazon Technologies, Inc.
Inventor: Marvin Michael Theimer, Eric Jason Brandwine
Abstract: Virtual resource provisioning may be enhanced by coloring virtual resource instances and/or underlying implementation resources. Particular resource colors may be associated with particular treatments during allocation of implementation resources to virtual resources. There may be different types of colors corresponding to different types of allocation treatment. Exclusory colors may be utilized to reduce clustering of virtual resources with respect to implementation resources. Assignment of exclusory colors to virtual resources can help strike a balance between lower costs through efficient implementation resource utilization and higher fault tolerance through spreading across an available implementation resource pool. Inclusive colors may be utilized to require and/or prefer allocation of virtual resources to implementation resources painted with the inclusive color. Proximity colors may be utilized to enhance the computational performance of a set of virtual resources. Proximity colors may be associated with proximity specifications that define proximity in implementation resource networks.
-
Publication number: US20190036973A1
Publication date: 2019-01-31
Application number: US16140393
Filing date: 2018-09-24
Applicant: Amazon Technologies, Inc.
Inventor: Gregory B. Roth, Graeme D. Baer, Eric Jason Brandwine
IPC: H04L29/06, G06F15/173
Abstract: Techniques for processing data according to customer-defined rules are disclosed. In particular, methods and systems for implementing a data alteration service using one or more resources of a distributed computing system are described. The data alteration service is flexibly configurable by entities using the distributed computing system, and may be used to augment, compress, filter or otherwise modify data crossing a customer boundary.
-
Publication number: US20190034644A1
Publication date: 2019-01-31
Application number: US16048126
Filing date: 2018-07-27
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Eric Jason Brandwine
Abstract: An encoding of a cryptographic key is obtained in the form of an encrypted key. A request is provided to a service provider, the fulfillment of which involves performing a cryptographic operation on data. Upon fulfillment of the request, a response is received which indicates the fulfillment of the request.
-
Publication number: US10142290B1
Publication date: 2018-11-27
Application number: US15085608
Filing date: 2016-03-30
Applicant: Amazon Technologies, Inc.
Abstract: Customers of a computing resource service provider may utilize computing resources of the computing resource service provider to implement one or more computer systems. Furthermore, the customer may cause a host-based firewall to be executed by the one or more computer systems. The host-based firewall may collect network traffic information. The customer may then be provided with the network traffic information and be prompted to provide decisions associated with the network traffic information. The decisions may be used to generate a set of rules which may be enforced by the host-based firewall.
-