Dynamic security policy generation
    61.
    Granted invention patent
    Dynamic security policy generation (in force)

    Publication number: US09325739B1

    Publication date: 2016-04-26

    Application number: US13873055

    Filing date: 2013-04-29

    Abstract: A user interface is described, such as a graphical user interface (GUI), operable to receive a representation of a security policy expressed in a first policy language, where that security policy will be supported by policy evaluation engines (or other such components) that are configured to operate using security policies expressed using a second (different) policy language. The representation of the security policy is persisted in a data store in accordance with the first policy language. Subsequently, in response to receiving a request to access a resource, a second representation of the security policy is generated by translating the content of the security policy into a second policy language that is associated with the policy evaluation engine. The second representation of the security policy is then evaluated by the policy evaluation engine to grant or deny access to the resource.

    Adaptive client-aware session security as a service
    62.
    Granted invention patent
    Adaptive client-aware session security as a service (in force)

    Publication number: US09262642B1

    Publication date: 2016-02-16

    Application number: US14154048

    Filing date: 2014-01-13

    Abstract: Source information for requests submitted to a system is classified to enable differential handling of requests over a session whose source information changes over the session. For source information (e.g., an IP address) classified as fixed, stronger authentication may be required to fulfill requests when the source information changes during the session. Similarly, for source information classified as dynamic, source information may be allowed to change without requiring the stronger authentication.

    Redundant key management
    63.
    Granted invention patent
    Redundant key management (in force)

    Publication number: US09251097B1

    Publication date: 2016-02-02

    Application number: US13919701

    Filing date: 2013-06-17

    Abstract: A data storage service redundantly stores data and keys used to encrypt the data. Data objects are encrypted with first cryptographic keys. The first cryptographic keys are encrypted by second cryptographic keys. The first cryptographic keys and second cryptographic keys are redundantly stored in a data storage system to enable access of the data objects, such as to respond to requests to retrieve the data objects. The second cryptographic keys may be encrypted by third keys and redundantly stored in the event access to a second cryptographic key is lost.

    Secure execution environment services
    64.
    Granted invention patent
    Secure execution environment services (in force)

    Publication number: US09246690B1

    Publication date: 2016-01-26

    Application number: US14476569

    Filing date: 2014-09-03

    Abstract: Techniques for managing secure execution environments provided as a service to computing resource service provider customers are described herein. A request to launch a secure execution environment is received from a customer and fulfilled by launching a secure execution environment on a selected computer system. The secure execution environment is then validated and upon a successful validation, one or more applications are provided to the secure execution environment to be executed within the secure execution environment. As additional requests relating to managing the secure execution environment are received, operations are performed based on the requests.

    Enhanced biometric security measures
    65.
    Granted invention patent
    Enhanced biometric security measures (in force)

    Publication number: US09218474B1

    Publication date: 2015-12-22

    Application number: US14154001

    Filing date: 2014-01-13

    CPC classification number: G06F21/32 G06F2221/2111 G06F2221/2137

    Abstract: Functionality is disclosed for enhancing the security of a computing device equipped with a fingerprint input device. A pre-unlock operation is performed when a duress fingerprint is used to access a locked device. The pre-unlock operation may include one or more computer-implemented mechanisms to secure, hide, remove, move, encrypt, disassociate, communicate or modify data stored on the device and/or remote locations. In some embodiments, the pre-unlock operation may direct a device to capture information and communicate such information to remote computers contemporaneously with the receipt of a duress fingerprint.

    DATA SECURITY USING REQUEST-SUPPLIED KEYS
    66.
    Invention patent application
    DATA SECURITY USING REQUEST-SUPPLIED KEYS (in force)

    Publication number: US20150089244A1

    Publication date: 2015-03-26

    Application number: US14037292

    Filing date: 2013-09-25

    Abstract: Requests are submitted to a request processing entity where the requests include a cryptographic key to be used in fulfilling the request. The request processing entity, upon receipt of the request, extracts the key from the request and uses the key to perform one or more cryptographic operations to fulfill the request. The one or more cryptographic operations may include encryption/decryption of data that is to be/is stored, in encrypted form, by a subsystem of the request processing entity. Upon fulfillment of the request, the request processing entity may perform one or more operations to lose access to the key in the request, thereby losing the ability to use the key.

    POLICY ENFORCEMENT WITH ASSOCIATED DATA
    67.
    Invention patent application
    POLICY ENFORCEMENT WITH ASSOCIATED DATA (in force)

    Publication number: US20140230007A1

    Publication date: 2014-08-14

    Application number: US13764995

    Filing date: 2013-02-12

    Abstract: Requests submitted to a computer system are evaluated for compliance with policy to ensure data security. Plaintext and associated data are used as inputs into a cipher to produce ciphertext. Whether a result of decrypting the ciphertext can be provided in response to a request is determined based at least in part on evaluation of a policy that itself is based at least in part on the associated data. Other policies include automatic rotation of keys to prevent keys from being used in enough operations to enable cryptographic attacks intended to determine the keys.

    Automatic key rotation
    70.
    Granted invention patent

    Publication number: US11372993B2

    Publication date: 2022-06-28

    Application number: US16673753

    Filing date: 2019-11-04

    Abstract: Requests submitted to a computer system are evaluated for compliance with policy to ensure data security. Plaintext and associated data are used as inputs into a cipher to produce ciphertext. Whether a result of decrypting the ciphertext can be provided in response to a request is determined based at least in part on evaluation of a policy that itself is based at least in part on the associated data. Other policies include automatic rotation of keys to prevent keys from being used in enough operations to enable cryptographic attacks intended to determine the keys.
