公开(公告)号：US20170063811A1

公开(公告)日：2017-03-02

申请号：US14831341

申请日：2015-08-20

Applicant: Amazon Technologies, Inc.

Inventor： Daniel W. Hitchcock ,  Darren Ernest Canavor ,  Tushaar Sethi

IPC: H04L29/06 ,  H04L9/32

CPC classification number: H04L63/0435 ,  G06F21/10 ,  G06F21/62 ,  H04L9/0825 ,  H04L9/0877 ,  H04L9/0891 ,  H04L9/0897 ,  H04L9/14 ,  H04L9/3234 ,  H04L9/3268 ,  H04L63/0823

Abstract: Aspects related to the secure transfer and use of secret material are described. In one embodiment, public vendor and provider keys are provided to a customer and encrypted secret material is received in return. The encrypted secret material may include a customer secret material encrypted by the public vendor and provider keys. The encrypted secret material is imported into a trusted execution environment and decrypted with private provider and vendor keys. In this manner, a provider of cryptographic processes is not exposed to the secret material of the customer, as the customer secret material is decrypted and stored within the trusted execution environment but is not accessed by the provider in an unencrypted form. In turn, the provider may receive various instructions to perform cryptographic operations on behalf of the customer, and those instructions may be performed by the trusted execution environment.

Abstract translation: 描述与秘密材料的安全转移和使用相关的方面。 在一个实施例中，公共供应商和供应商密钥被提供给客户，并且收到加密的秘密材料。 加密的秘密材料可以包括由公共供应商加密的客户秘密材料和提供商密钥。 加密的秘密资料被导入到受信任的执行环境中，并用专用提供商和供应商密钥进行解密。 以这种方式，密码处理提供者不会暴露给客户的秘密资料，因为客户秘密资料被解密并存储在受信任的执行环境中，但未被提供者以未加密形式访问。 反过来，提供商可以接收代表客户执行密码操作的各种指令，并且这些指令可以由可信执行环境执行。