-
Publication number: US09847983B1
Publication date: 2017-12-19
Application number: US14264897
Application date: 2014-04-29
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Benjamin Tillman Farley, Graeme David Baer
IPC: H04L29/06
CPC classification number: H04L63/08, H04L63/0428, H04L63/068
Abstract: Technologies are disclosed herein for epoch-based expiration of temporary security credentials. A temporary security credential is issued that identifies one or more epochs and that specifies one or more versions of the identified epochs during which the temporary security credential is valid. The temporary security credential may then be utilized to request access to another system, service or component. In order to determine whether such a request may be granted, current epoch versions for the epochs identified in the temporary security credential are obtained. The current epoch versions for the identified epochs are then compared to epoch versions specified in the temporary security credential to determine if the request can be granted. The current epoch versions may be periodically modified in order to expire previously issued temporary security credentials. A temporary security credential might also specify an expiration time after which the temporary security credential is no longer valid.
-
Publication number: US20170359320A1
Publication date: 2017-12-14
Application number: US15665120
Application date: 2017-07-31
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine, Gregory Branchek Roth
CPC classification number: H04L63/0457, H04L9/0894, H04L9/3247, H04L63/126
Abstract: Data storage operation commands are digitally signed to enhance data security in a distributed system. A data storage client and a compute-enabled data storage device may share access to a cryptographic key. The data storage client uses the cryptographic key to digitally sign commands transmitted to the data storage device, which can use its copy to verify a digital signature of a command before fulfilling the command. The storage device can also determine whether to perform a transformation, such that requests authenticated to a first identity might receive cleartext while a request authenticated to a second identity might receive ciphertext. The compute-enabled storage device can also receive unauthenticated calls and attempt to retrieve the appropriate key from a key management service or other such source.
-
Publication number: US20170346819A1
Publication date: 2017-11-30
Application number: US15675605
Application date: 2017-08-11
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Gregory Alan Rubin
CPC classification number: H04L63/0869, H04L9/0861, H04L9/14, H04L9/32, H04L9/321, H04L9/3247, H04L9/3273, H04L63/061, H04L63/123, H04L63/166
Abstract: A client and server negotiate a secure communication channel using a pre-shared key where the server, at the time the negotiation initiates, lacks access to the pre-shared key. The server obtains the pre-shared key from another server that shares a secret with the client. A digital signature or other authentication information generated by the client may be used to enable the other server to determine whether to provide the pre-shared key.
-
Publication number: US09800559B2
Publication date: 2017-10-24
Application number: US15344391
Application date: 2016-11-04
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Aaron Douglas Dokey, Eric Jason Brandwine, Nathan Bartholomew Thomas
CPC classification number: H04L63/0428, G06F21/53, G06F21/6281, G06F21/645, H04L41/50, H04L41/5054, H04L47/70, H04L63/083, H04L67/02
Abstract: Techniques for hosting components of provider services within secure execution environments are described herein. Information associated with a request received at a control plane of a service is received at a secure execution environment and, based at least in part on that information, one or more tasks is determined that may be performed to respond to the request. A task of the one or more tasks is performed within the secure execution environment to generate a response to the request, the response is encrypted within the secure execution environment using a key stored within the secure execution environment and available to a component of a computer system, and the encrypted response is made available.
-
Publication number: US20170242725A1
Publication date: 2017-08-24
Application number: US15589277
Application date: 2017-05-08
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth
CPC classification number: G06F9/45558, G06F9/45533, G06F9/461, G06F9/4868, G06F9/505, G06F9/52, G06F2009/45575
Abstract: A plurality of virtual machines are each restored to a previous state, by, for each virtual machine of the plurality, obtaining a first snapshot of an exemplary virtual machine, obtaining a set of local changes of a virtual machine, deriving a snapshot of the virtual machine based at least in part on the first snapshot and the set of local changes, and restoring the virtual machine to a previous state based on the snapshot.
-
Publication number: US09729524B1
Publication date: 2017-08-08
Application number: US14569038
Application date: 2014-12-12
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine, Gregory Branchek Roth
CPC classification number: H04L63/0457, H04L9/0894, H04L9/3247, H04L63/126
Abstract: Data storage operation commands are digitally signed to enhance data security in a distributed system. A data storage client and a compute-enabled data storage device may share access to a cryptographic key. The data storage client uses the cryptographic key to digitally sign commands transmitted to the data storage device, which can use its copy to verify a digital signature of a command before fulfilling the command. The storage device can also determine whether to perform a transformation, such that requests authenticated to a first identity might receive cleartext while a request authenticated to a second identity might receive ciphertext. The compute-enabled storage device can also receive unauthenticated calls and attempt to retrieve the appropriate key from a key management service or other such source.
-
Publication number: US09667421B2
Publication date: 2017-05-30
Application number: US13765209
Application date: 2013-02-12
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
Abstract: A system uses information submitted in connection with a request to determine if and how to process the request. The information may be electronically signed by a requestor using a key such that the system processing the request can verify that the requestor has the key and that the information is authentic. The information may include information that identifies a holder of a key needed for processing the request, where the holder of the key can be the system or another, possibly third party, system. Requests to decrypt data may be processed to ensure that a certain amount of time passes before access to the decrypted data is provided, thereby providing an opportunity to cancel such requests and/or otherwise mitigate potential security breaches.
-
Publication number: US20170126746A1
Publication date: 2017-05-04
Application number: US15261069
Application date: 2016-09-09
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Graeme David Baer, Eric Jason Brandwine
IPC: H04L29/06
CPC classification number: H04L63/205, G06F21/6218, H04L63/0218, H04L63/0272, H04L63/08, H04L63/083, H04L63/0861, H04L63/10, H04L63/123, H04L63/1458, H04L63/168, H04L67/10, H04L67/1002
Abstract: Customers can utilize resources of a multi-tenant environment to provide one or more services available to various users. In order to simplify the process for these customers, the multi-tenant environment can include an infrastructure wherein a portion of the resources provide an authentication and/or authorization service that can be leveraged by the customer services. These resources can logically sit in front of the resources used to provide the customer services, such that a user request must pass through the authorization and authentication service before being directed to the customer service. Such resources can provide other functionality as well, such as load balancing and metering.
-
Publication number: US09602482B1
Publication date: 2017-03-21
Application number: US14104986
Application date: 2013-12-12
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, William Frederick Kruse
CPC classification number: H04L63/08, H04L63/0807, H04L63/107
Abstract: Technology for managing an API request is described. In an example implementation, an authentication service may receive a request to access a service. The authentication service may be configured to determine a proximity of a client device from which the request originated to the service. The authentication service may be further configured to grant the request based in part on the determined proximity of the client device to the service with respect to a policy.
-
Publication number: US09547771B2
Publication date: 2017-01-17
Application number: US13764995
Application date: 2013-02-12
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
CPC classification number: G06F21/6209, G06F21/602, H04L9/088, H04L9/0891, H04L9/3242, H04L63/0428, H04L63/20
Abstract: Requests submitted to a computer system are evaluated for compliance with policy to ensure data security. Plaintext and associated data are used as inputs into a cipher to produce ciphertext. Whether a result of decrypting the ciphertext can be provided in response to a request is determined based at least in part on evaluation of a policy that itself is based at least in part on the associated data. Other policies include automatic rotation of keys to prevent keys from being used in enough operations to enable cryptographic attacks intended to determine the keys.