-
Publication number: US09888041B2
Publication date: 2018-02-06
Application number: US15261069
Filing date: 2016-09-09
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Graeme David Baer, Eric Jason Brandwine
IPC: H04L29/06
CPC classification number: H04L63/205, G06F21/6218, H04L63/0218, H04L63/0272, H04L63/08, H04L63/083, H04L63/0861, H04L63/10, H04L63/123, H04L63/1458, H04L63/168, H04L67/10, H04L67/1002
Abstract: Customers can utilize resources of a multi-tenant environment to provide one or more services available to various users. In order to simplify the process for these customers, the multi-tenant environment can include an infrastructure wherein a portion of the resources provide an authentication and/or authorization service that can be leveraged by the customer services. These resources can logically sit in front of the resources used to provide the customer services, such that a user request must pass through the authorization and authentication service before being directed to the customer service. Such resources can provide other functionality as well, such as load balancing and metering.
-
Publication number: US20170324568A1
Publication date: 2017-11-09
Application number: US15652161
Filing date: 2017-07-17
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Graeme David Baer
IPC: H04L9/32, G06F21/31, G06F21/33, H04L9/08, H04L29/08, H04L29/06, G06F9/455, H04L9/30, H04L9/14
CPC classification number: H04L9/3271, G06F9/45533, G06F21/31, G06F21/335, G06F21/602, G06F2221/2115, H04L9/08, H04L9/0816, H04L9/0894, H04L9/14, H04L9/302, H04L9/3242, H04L9/3247, H04L9/3249, H04L63/0807, H04L63/0876, H04L63/0884, H04L63/126, H04L63/20, H04L67/02, H04L2209/56, H04L2209/76
Abstract: An escrow platform is described that can be used to enable access to devices. The escrow platform can be used to sign cryptographic network protocol challenges on behalf of clients so that the secrets used to sign cryptographic network protocol challenges do not have to be exposed to the clients. The escrow platform can store or control access to private keys, and the corresponding public keys can be stored on respective target platforms. A client can attempt to access a target platform and in response the target platform can issue a challenge. The client platform can send the challenge to the escrow platform, which can use the corresponding private key to sign the challenge. The signed challenge can be sent back to the client, which can forward it to the target platform. The target platform can verify the expected private key and grant access.
-
Publication number: US09521000B1
Publication date: 2016-12-13
Application number: US13944579
Filing date: 2013-07-17
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Graeme David Baer
IPC: H04L9/32
CPC classification number: H04L9/3247, H04L9/14, H04L9/3213, H04L63/0807, H04L2463/062
Abstract: A service provider manages access control to multiple services through an authentication system. One or more services are able to fulfill requests at least in part by submitting requests to other services of the service provider. Such a service is able to obtain, from the authentication system, information that can be passed on to one or more other services to enable the one or more other services to determine request validity without having to contact the authentication system. The information may include, for example, one or more responses that the one or more other services would have received had the one or more services contacted the authentication system themselves.
-
Publication number: US20160261415A1
Publication date: 2016-09-08
Application number: US15068814
Filing date: 2016-03-14
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Graeme David Baer
CPC classification number: H04L9/3271, G06F9/45533, G06F21/31, G06F21/335, H04L9/08, H04L9/0816, H04L9/0894, H04L9/14, H04L9/302, H04L9/3242, H04L9/3247, H04L9/3249, H04L63/0807, H04L63/0876, H04L63/0884, H04L63/126, H04L63/20, H04L67/02, H04L2209/56, H04L2209/76
Abstract: An escrow platform is described that can be used to enable access to devices. The escrow platform can be used to sign cryptographic network protocol challenges on behalf of clients so that the secrets used to sign cryptographic network protocol challenges do not have to be exposed to the clients. The escrow platform can store or control access to private keys, and the corresponding public keys can be stored on respective target platforms. A client can attempt to access a target platform and in response the target platform can issue a challenge. The client platform can send the challenge to the escrow platform, which can use the corresponding private key to sign the challenge. The signed challenge can be sent back to the client, which can forward it to the target platform. The target platform can verify the expected private key and grant access.
-
Publication number: US09231930B1
Publication date: 2016-01-05
Application number: US13682318
Filing date: 2012-11-20
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Graeme David Baer, Eric Jason Brandwine
CPC classification number: H04L63/08, H04L63/126
Abstract: Customers can utilize resources of a multi-tenant environment to provide one or more services available to various users. In order to simplify the process for these customers, the multi-tenant environment can include an infrastructure wherein a portion of the resources provide an authentication and/or authorization service that can be leveraged by the customer services. These resources can logically sit in front of the resources used to provide the customer services, such that a user request must pass through the authorization and authentication service before being directed to the customer service. Such resources can provide other functionality as well, such as load balancing and metering.
-
Publication number: US12160519B2
Publication date: 2024-12-03
Application number: US17465481
Filing date: 2021-09-02
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Graeme David Baer
Abstract: A service provider manages access control to multiple services through an authentication system. One or more services are able to fulfill requests at least in part by submitting requests to other services of the service provider. Such a service is able to obtain, from the authentication system, information that can be passed on to one or more other services to enable the one or more other services to determine request validity without having to contact the authentication system. The information may include, for example, one or more responses that the one or more other services would have received had the one or more services contacted the authentication system themselves.
-
Publication number: US20220166631A1
Publication date: 2022-05-26
Application number: US17465481
Filing date: 2021-09-02
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Graeme David Baer
Abstract: A service provider manages access control to multiple services through an authentication system. One or more services are able to fulfill requests at least in part by submitting requests to other services of the service provider. Such a service is able to obtain, from the authentication system, information that can be passed on to one or more other services to enable the one or more other services to determine request validity without having to contact the authentication system. The information may include, for example, one or more responses that the one or more other services would have received had the one or more services contacted the authentication system themselves.
-
Publication number: US11108777B1
Publication date: 2021-08-31
Application number: US16431609
Filing date: 2019-06-04
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Graeme David Baer, Jacques Daniel Thomas, Nicholas Andrew Gochenaur
Abstract: Functionality is disclosed herein for providing temporary access to a resource. A software product that is executing in response to a request from a customer may access one or more resources of a software provider. The resources that may be accessed by a software product may be identified within an access policy. The customer is prevented from accessing the resource when the software product is not executing.
-
Publication number: US10951618B2
Publication date: 2021-03-16
Application number: US16704985
Filing date: 2019-12-05
Applicant: Amazon Technologies, Inc.
Inventor: Graeme David Baer, Dmitry Frenkel, Marc R. Barbour
IPC: H04L29/06
Abstract: Security credentials issued by an entity, such as an identity broker, can have a limited lifetime. Access to resources or content under those credentials then can only be obtained for a limited period of time, limiting the ability of an unauthorized entity obtaining the credentials to utilize those credentials for access. Along with the credentials, a refresh token can be issued to a requesting client that can enable the limited lifetime of the credentials to be renewed up to a maximum lifetime of the credentials and/or the token. A service providing access can determine that the client has a valid copy of the refresh token when the credentials are about to expire, and if so can cause the lifetime of the credentials to be extended another credential lifetime. This renewal can be done transparent to a user and without again contacting the identity broker.
-
Publication number: US10771456B2
Publication date: 2020-09-08
Application number: US15958655
Filing date: 2018-04-20
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Graeme David Baer, Brian Irl Pratt
Abstract: A one-time password (OTP) based security scheme is described, where a provider pre-generates a number of verification codes (e.g., OTP codes) which will be valid for a predetermined interval. The provider then encodes the verification codes (e.g., by hashing each code with a time value), and stores the verification codes into a data structure. The data structure can be provided to a verification system that can use the set of pre-generated OTP codes to authenticate requests received from users having personal security tokens.