-
Publication No.: US10050787B1
Publication date: 2018-08-14
Application No.: US14225302
Filing date: 2014-03-25
Applicant: Amazon Technologies, Inc.
Inventor: Jesper Mikael Johansson , Gregory Branchek Roth , David Matthew Platz , Rajendra Kumar Vippagunta
Abstract: Representations of authentication objects are selectable through a user interface, such as through a drag and drop operation. When an authentication object is selected by a user, a corresponding authentication object (e.g., in the form of an authentication claim) is transmitted to a system for authentication. The authentication object may contain information that is sufficient for authentication with the system, and the information may include an attestation to the state of the computing environment from which the authentication object is transmitted.
-
Publication No.: US10049202B1
Publication date: 2018-08-14
Application No.: US14225320
Filing date: 2014-03-25
Applicant: Amazon Technologies, Inc.
Inventor: Jesper Mikael Johansson , Gregory Branchek Roth , David Matthew Platz , Rajendra Kumar Vippagunta
IPC: H04L29/06 , G06F21/36 , G06F3/0484
Abstract: Representations of authentication objects are provided for selection via an interface. An authentication object may be generated to include information proving a user's possession of an item, such as a one-time password token or a physical trait. A selected authentication object may contain information sufficient for authentication with a corresponding system. The interface may provide multiple representations of authentication objects that are usable with different service providers.
-
Publication No.: US10037428B2
Publication date: 2018-07-31
Application No.: US15090315
Filing date: 2016-04-04
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Eric Jason Brandwine
Abstract: Requests are submitted to a request processing entity, where the requests include a cryptographic key to be used in fulfilling the request. The request processing entity, upon receipt of the request, extracts the key from the request and uses the key to perform one or more cryptographic operations to fulfill the request. The one or more cryptographic operations may include encryption or decryption of data that is to be stored, or is already stored, in encrypted form by a subsystem of the request processing entity. Upon fulfillment of the request, the request processing entity may perform one or more operations to lose access to the key in the request, thereby losing the ability to use the key.
-
Publication No.: US20180167381A1
Publication date: 2018-06-14
Application No.: US15878957
Filing date: 2018-01-24
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Matthew James Wren , Eric Jason Brandwine
CPC classification number: H04L63/0823 , H04L9/0822 , H04L9/0891 , H04L9/0894 , H04L63/06 , H04L63/061 , H04L2463/062
Abstract: Customers accessing resources and/or data in a multi-tenant environment can obtain assurance that a provider of that environment will honor only requests associated with the customer. A multi-tenant cryptographic service can be used to manage cryptographic key material and/or other security resources in the multi-tenant environment. The cryptographic service can provide a mechanism in which the service can receive requests to use the cryptographic key material to access encrypted customer data, export key material out of the cryptographic service, destroy key material managed by the cryptographic service, among others. Such an approach can enable a customer to manage key material without exposing the key material outside a secure environment.
-
Publication No.: US20180159891A1
Publication date: 2018-06-07
Application No.: US15874771
Filing date: 2018-01-18
Applicant: Amazon Technologies, Inc.
Inventor: Hassan Sultan , John Schweitzer , Donald Lee Bailey, Jr. , Gregory Branchek Roth , Nachiketh Rao Potlapally
CPC classification number: H04L63/1433 , G06F21/53 , G06F21/554 , H04L63/1441 , H04L63/20
Abstract: A graph of a plurality of resources in a computing environment is generated, with the graph associating a first resource of the plurality with a second resource of the plurality. Based at least in part on measurements obtained at a point in a test computing environment that corresponds to a point in the computing environment, a graph representing the relationship between the first resource and the second resource is generated. A threat model identifying potential risks to the computing environment is created from the graph.
-
Publication No.: US20180159684A1
Publication date: 2018-06-07
Application No.: US15888765
Filing date: 2018-02-05
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth
IPC: H04L9/08
CPC classification number: H04L9/0822 , H04L9/0861 , H04L9/088 , H04L9/0897 , H04L2209/24
Abstract: A cryptography service allows for management of cryptographic keys in multiple environments. The service allows for specification of policies applicable to cryptographic keys, such as what cryptographic algorithms should be used in which contexts. The cryptography service, upon receiving a request for a key, may provide a referral to another system to obtain the key.
-
Publication No.: US09985975B2
Publication date: 2018-05-29
Application No.: US15068446
Filing date: 2016-03-11
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Gregory Alan Rubin
CPC classification number: H04L63/108 , G06F12/1408 , G06F21/31 , G06F21/34 , G06F21/71 , G06F2212/1052 , H04L63/0838 , H04L63/0853 , H04L63/0876
Abstract: A hardware secret is securely maintained in a computing device. The device operates in accordance with a usage limit corresponding to a limited number of operations using the hardware secret that the device is able to perform. Once the device reaches a usage limit, the device becomes temporarily or permanently unable to perform additional operations using the hardware secret.
-
Publication No.: US09954856B2
Publication date: 2018-04-24
Application No.: US14976398
Filing date: 2015-12-21
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Graeme David Baer , Brian Irl Pratt
CPC classification number: H04L63/0838 , G06F21/34
Abstract: A one-time password (OTP) based security scheme is described, where a provider pre-generates a number of verification codes (e.g., OTP codes) which will be valid for a predetermined interval. The provider then encodes the verification codes (e.g., by hashing each code with a time value), and stores the verification codes into a data structure. The data structure can be provided to a verification system that can use the set of pre-generated OTP codes to authenticate requests received from users having personal security tokens.
-
Publication No.: US20180083929A1
Publication date: 2018-03-22
Application No.: US15823450
Filing date: 2017-11-27
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Matthew James Wren , Eric Jason Brandwine , Brian Irl Pratt
Abstract: A plurality of devices are each operable to provide information that is usable to prove authorization with any of the other devices. The devices may have common access to a cryptographic key. A device may use the cryptographic key to encrypt a session key and provide both the session key and the encrypted session key. Requests to any of the devices can include the encrypted session key and a digital signature generated using the session key. In this manner, a device that receives the request can decrypt the session key and use the decrypted session key to verify the digital signature.
-
Publication No.: US09864874B1
Publication date: 2018-01-09
Application No.: US14622752
Filing date: 2015-02-13
Applicant: Amazon Technologies, Inc.
Inventor: Gautam Shanbhag , Gregory Branchek Roth , Gregory Alan Rubin , Christopher H. Fant
CPC classification number: G06F21/6218 , G06F9/45558 , G06F21/53 , G06F21/602 , G06F2009/45579 , G06F2009/45587 , H04L9/088 , H04L9/0891 , H04L9/0894 , H04L63/10 , H04L63/20
Abstract: A data storage management process is directed to aspects of managing encrypted data via data storage volumes in conjunction with a service provider computer network that hosts virtual machine instances. A volume can be created and configured for managing encrypted data with an encrypted version of a volume key. The volume can be attached to a virtual machine instance such that the virtual machine instance accesses the volume in a transparent fashion based on the volume key. Encrypted data specific to the volume can be copied across multiple regions of data storage each associated with distinct encrypted versions of a volume key corresponding to the volume.