-
Publication (announcement) number: US11805109B1
Publication (announcement) date: 2023-10-31
Application number: US16285086
Application date: 2019-02-25
Applicant: Amazon Technologies, Inc.
Inventor: Atul Khare , Ravi Akundi Murty , Hassan Sultan
CPC classification number: H04L63/0485 , H04L63/0435 , H04L63/0471 , H04L63/166
Abstract: A computing device includes one or more processors, a memory and an encryption accelerator. The memory includes instructions that when executed on the processors cause a first networking session to be established between a pair of communication peers. Encryption of messages of the first session is enabled by a parameter of a security protocol of the session. The encryption accelerator obtains a key determined in the first session, and uses the key to encrypt messages of a second networking session established between the peers.
-
Publication (announcement) number: US11374745B1
Publication (announcement) date: 2022-06-28
Application number: US15826491
Application date: 2017-11-29
Applicant: Amazon Technologies, Inc.
Inventor: Atul Khare
Abstract: Disclosed systems and methods implement a tracking system that tracks accesses to a TPM-secured key. In embodiments, the key may be encrypted using an encryption key, which is sealed using the TPM. A first value indicating an initial access state of the key is stored in a PCR of the TPM, and the encryption key is sealed against the PCR, so that it can be unsealed when the contents of the PCR match a next value derived from the first value. When the key is accessed, the contents of the PCR are verified against an expected access state. If successfully verified, the PCR is extended to hold the next value, the encryption key is unsealed, and the key is decrypted. With each access, the encryption key is repeatedly resealed against the successive states stored in the PCR. In this manner, the PCR may be used to track accesses and detect unauthorized accesses to the key.
-
Publication (announcement) number: US11924336B1
Publication (announcement) date: 2024-03-05
Application number: US17359240
Application date: 2021-06-25
Applicant: Amazon Technologies, Inc.
Inventor: Atul Khare , Deepak Gupta , Petre Eftime , Madalin Razvan Nastase
CPC classification number: H04L9/0861 , G06F9/45558 , G06F2009/45587
Abstract: A pair of virtualized security device initialization data sets are received at a first virtualization server from respective sources prior to a launch of a compute instance at the server. A first virtualized security device is initialized using the data sets, and used to generate cryptographic artifacts used by the compute instance. A data item which was included in one of the data sets is modified after the cryptographic artifacts are generated. Additional cryptographic artifacts are generated by a second virtualized security device at a second virtualization server to which the compute instance has been migrated. The second virtualized security device is initialized using at least the modified data item.
-
Publication (announcement) number: US10735190B1
Publication (announcement) date: 2020-08-04
Application number: US15815665
Application date: 2017-11-16
Applicant: Amazon Technologies, Inc.
Inventor: Atul Khare
Abstract: Systems and methods are disclosed to generate a persistent identifier for a device using a trusted platform module (TPM) of the device, so that the identifier is persistent during the lifetime of the TPM. In embodiments, during an initialization of the TPM, the system obtains an entropy value from the TPM that is used to generate the device's persistent identifier. The identifier is written to a non-volatile storage of the TPM so that it cannot be erased during the lifetime of the TPM. In embodiments, a persistent key pair is generated based on the identifier, and also permanently written to the non-volatile storage. In embodiments, the persistent identifier may be measured and verified via TPM quotes. In embodiments, the persistent private key may be used to sign a nonce to prove the identity of the device.