-
Publication number: US11924247B1
Publication date: 2024-03-05
Application number: US17839289
Application date: 2022-06-13
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Daniel Stephen Popick , Derek Avery Lyon , John Michael Morkel , Graeme David Baer , Ajith Harshana Ranabahu , Khaled Salah Sedky
IPC: H04L9/40 , G06F16/93 , G06F21/33 , G06F21/60 , G06F21/62 , H04L43/55 , G06F3/06 , G06F21/12 , G06F21/31 , G06F21/52 , G06F21/57
CPC classification number: H04L63/164 , G06F16/93 , G06F21/33 , G06F21/604 , G06F21/6218 , H04L43/55 , H04L63/102 , G06F3/0601 , G06F21/125 , G06F21/31 , G06F21/316 , G06F21/52 , G06F21/577 , H04L63/08 , H04L63/1441
Abstract: A method and apparatus for testing and simulating an access control policy are disclosed. Evaluating an access control policy may be performed by utilizing a deny statement that causes the access request to be rejected despite actions indicated in the access request being authorized. Further, an independent simulation environment may be utilized for testing access control policy evaluation.
-
Publication number: US11115220B2
Publication date: 2021-09-07
Application number: US15146836
Application date: 2016-05-04
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Graeme David Baer
Abstract: A system and method wherein an authentication request to verify authentication information submitted to a first system in connection with a first request submitted to the first system is received from the first system. A response to the authentication request is generated that includes information usable by a second system to make, without communicating with the authentication system, based at least in part on the information and one or more cryptographic processes, a determination whether fulfillment of a second request from the first system is allowable under authority of the authentication system, with the determination being based at least in part on policy information included in the information that specifies one or more policies applicable to an identity that is associated with the first request. The response generated is provided to the first system.
-
Publication number: US20200153831A1
Publication date: 2020-05-14
Application number: US16704985
Application date: 2019-12-05
Applicant: Amazon Technologies, Inc.
Inventor: Graeme David Baer , Dmitry Frenkel , Marc R. Barbour
IPC: H04L29/06
Abstract: Security credentials issued by an entity, such as an identity broker, can have a limited lifetime. Access to resources or content under those credentials then can only be obtained for a limited period of time, limiting the ability of an unauthorized entity obtaining the credentials to utilize those credentials for access. Along with the credentials, a refresh token can be issued to a requesting client that can enable the limited lifetime of the credentials to be renewed up to a maximum lifetime of the credentials and/or the token. A service providing access can determine that the client has a valid copy of the refresh token when the credentials are about to expire, and if so can cause the lifetime of the credentials to be extended another credential lifetime. This renewal can be done transparent to a user and without again contacting the identity broker.
-
Publication number: US10484433B2
Publication date: 2019-11-19
Application number: US15888722
Application date: 2018-02-05
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Graeme David Baer , Eric Jason Brandwine
Abstract: Customers can utilize resources of a multi-tenant environment to provide one or more services available to various users. In order to simplify the process for these customers, the multi-tenant environment can include an infrastructure wherein a portion of the resources provide an authentication and/or authorization service that can be leveraged by the customer services. These resources can logically sit in front of the resources used to provide the customer services, such that a user request must pass through the authorization and authentication service before being directed to the customer service. Such resources can provide other functionality as well, such as load balancing and metering.
-
Publication number: US10110578B1
Publication date: 2018-10-23
Application number: US13797886
Application date: 2013-03-12
Applicant: Amazon Technologies, Inc.
Inventor: Graeme David Baer , Gregory Branchek Roth
Abstract: Access to resources or data can be managed based at least in part upon a validation of credentials. A customer can have customer credentials, such as a username and password pair, that can be used to obtain access according to terms of a customer account. A computing device used to gain the access can also have device credentials, which can be based upon identifying information from the device or provided to the device upon a successful login. The customer account might be locked for a period of time if a number of unsuccessful login attempts are received over a designated period of time. If, however, a request is received with device credentials for a trusted and/or recognized device, at least one additional login attempt might be granted in order to prevent a customer from being locked out of the account due to actions of other persons and/or devices.
-
Publication number: US09218476B1
Publication date: 2015-12-22
Application number: US13671304
Application date: 2012-11-07
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Graeme David Baer , Brian Irl Pratt
IPC: G06F21/34
CPC classification number: H04L63/0838 , G06F21/34
Abstract: A one-time password (OTP) based security scheme is described, where a provider pre-generates a number of verification codes (e.g., OTP codes) which will be valid for a predetermined interval. The provider then encodes the verification codes (e.g., by hashing each code with a time value), and stores the verification codes into a data structure. The data structure can be provided to a verification system that can use the set of pre-generated OTP codes to authenticate requests received from users having personal security tokens.
-
Publication number: US12101417B1
Publication date: 2024-09-24
Application number: US16827563
Application date: 2020-03-23
Applicant: Amazon Technologies, Inc.
Inventor: Michael S Slaughter , Marcel Andrew Levy , Trevoli Ponds-White , Derek Bronson , Jonathan Kozolchyk , Georgy Sebastian , Brandonn Gorman , Graeme David Baer , Israel Galvez , Kenneth Lawler
IPC: H04L29/06 , H04L9/32 , H04L9/40 , H04L61/4511
CPC classification number: H04L9/3268 , H04L9/321 , H04L9/3247 , H04L9/3265 , H04L61/4511 , H04L63/105
Abstract: An interface of a certificate management system acts as a target for management of digital authentication certificates from a group of candidate certificate authorities. Entities make certificate signing requests on behalf of subjects. The requests are received at an interface that appears to the requesting entities as a sole source of the signed certificates. But a certificate management component that processes the requests received by the interface applies a selection technique to select a particular certificate authority from a group of candidate certificate authorities available to sign the certificates. The certificate management component forwards the request to the particular certificate authority, receives back the signed certificate, and responds to the certificate signing request with the signed certificate. Although the certificate signing requests were all made via a same interface, the signed certificates can have different chains of trust. Various criteria may be used for the selection.
-
Publication number: US20220029993A1
Publication date: 2022-01-27
Application number: US17173584
Application date: 2021-02-11
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Eric Jason Brandwine , Graeme David Baer
IPC: H04L29/06
Abstract: A computing resource service provides flexible configuration of authorization rules. A set of authorization rules defines whether requests may be fulfilled. The set of authorization rules is applied to a request of a first type, which is mapped to a request of a second type. The request of the second type is used for fulfillment of the request of the first type when the authorization rules so allow.
-
Publication number: US10567381B1
Publication date: 2020-02-18
Application number: US14972676
Application date: 2015-12-17
Applicant: Amazon Technologies, Inc.
Inventor: Graeme David Baer , Dmitry Frenkel , Marc R. Barbour
IPC: H04L29/06
Abstract: Security credentials issued by an entity, such as an identity broker, can have a limited lifetime. Access to resources or content under those credentials then can only be obtained for a limited period of time, limiting the ability of an unauthorized entity obtaining the credentials to utilize those credentials for access. Along with the credentials, a refresh token can be issued to a requesting client that can enable the limited lifetime of the credentials to be renewed up to a maximum lifetime of the credentials and/or the token. A service providing access can determine that the client has a valid copy of the refresh token when the credentials are about to expire, and if so can cause the lifetime of the credentials to be extended another credential lifetime. This renewal can be done transparent to a user and without again contacting the identity broker.
-
Publication number: US09712329B2
Publication date: 2017-07-18
Application number: US15068814
Application date: 2016-03-14
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Graeme David Baer
IPC: G06F21/00 , H04L9/32 , H04L29/06 , H04L9/08 , G06F21/33 , G06F21/31 , G06F9/455 , H04L9/14 , H04L9/30 , H04L29/08
CPC classification number: H04L9/3271 , G06F9/45533 , G06F21/31 , G06F21/335 , H04L9/08 , H04L9/0816 , H04L9/0894 , H04L9/14 , H04L9/302 , H04L9/3242 , H04L9/3247 , H04L9/3249 , H04L63/0807 , H04L63/0876 , H04L63/0884 , H04L63/126 , H04L63/20 , H04L67/02 , H04L2209/56 , H04L2209/76
Abstract: An escrow platform is described that can be used to enable access to devices. The escrow platform can be used to sign cryptographic network protocol challenges on behalf of clients so that the secrets used to sign cryptographic network protocol challenges do not have to be exposed to the clients. The escrow platform can store or control access to private keys, and the corresponding public keys can be stored on respective target platforms. A client can attempt to access a target platform and in response the target platform can issue a challenge. The client platform can send the challenge to the escrow platform, which can use the corresponding private key to sign the challenge. The signed challenge can be sent back to the client, which can forward it to the target platform. The target platform can verify the expected private key and grant access.
-