REFRESH TOKEN FOR CREDENTIAL RENEWAL
    1.
    Invention application

    Publication (announcement) number: US20200153831A1

    Publication (announcement) date: 2020-05-14

    Application number: US16704985

    Application date: 2019-12-05

    Abstract: Security credentials issued by an entity, such as an identity broker, can have a limited lifetime. Access to resources or content under those credentials then can only be obtained for a limited period of time, limiting the ability of an unauthorized entity obtaining the credentials to utilize those credentials for access. Along with the credentials, a refresh token can be issued to a requesting client that can enable the limited lifetime of the credentials to be renewed up to a maximum lifetime of the credentials and/or the token. A service providing access can determine that the client has a valid copy of the refresh token when the credentials are about to expire, and if so can cause the lifetime of the credentials to be extended another credential lifetime. This renewal can be done transparent to a user and without again contacting the identity broker.

    Refresh token for credential renewal

    Publication (announcement) number: US10951618B2

    Publication (announcement) date: 2021-03-16

    Application number: US16704985

    Application date: 2019-12-05

    Abstract: Security credentials issued by an entity, such as an identity broker, can have a limited lifetime. Access to resources or content under those credentials then can only be obtained for a limited period of time, limiting the ability of an unauthorized entity obtaining the credentials to utilize those credentials for access. Along with the credentials, a refresh token can be issued to a requesting client that can enable the limited lifetime of the credentials to be renewed up to a maximum lifetime of the credentials and/or the token. A service providing access can determine that the client has a valid copy of the refresh token when the credentials are about to expire, and if so can cause the lifetime of the credentials to be extended another credential lifetime. This renewal can be done transparent to a user and without again contacting the identity broker.

    Asymmetric session credentials
    4.
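    Granted invention patent

    Publication (announcement) number: US10680827B2

    Publication (announcement) date: 2020-06-09

    Application number: US15875995

    Application date: 2018-01-19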

    Abstract: Techniques for using short-term credentials using asymmetric session keys are described herein. A request for a short-term credential is received that is digitally signed with a different credential. In response to the request, short-term credential data is generated and populated with a public session key corresponding to a private session key. The short-term credential data is then encrypted with a session encryption key to produce the short-term credential token, which can then be used by the requester as a short-term credential for subsequent requests.

    Personalizing global session identifiers

    Publication (announcement) number: US10182044B1

    Publication (announcement) date: 2019-01-15

    Application number: US14958892

    Application date: 2015-12-03

    Abstract: Techniques for personalizing short-term session credentials are described herein. A global session key is provided to a plurality of regions of a computing resource service provider and an account key is also provided to one or more of the plurality of regions based at least in part on those regions being trusted by a customer of the computing resource service provider. When a request for short-term session credentials is received at the trusted region by that customer, a session token is generated and encrypted with a combination of the global session key and the account key, thereby creating a session token that can be uniquely associated with the customer and that may only be used in regions that that customer has designated as trusted regions.

    Multiple authority key derivation

    Publication (announcement) number: US10425223B2

    Publication (announcement) date: 2019-09-24

    Application number: US15984198

    Application date: 2018-05-18

    Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.

    ASYMMETRIC SESSION CREDENTIALS
    8.
    Invention application

    Publication (announcement) number: US20180145835A1

    Publication (announcement) date: 2018-05-24

    Application number: US15875995

    Application date: 2018-01-19

    Abstract: Techniques for using short-term credentials using asymmetric session keys are described herein. A request for a short-term credential is received that is digitally signed with a different credential. In response to the request, short-term credential data is generated and populated with a public session key corresponding to a private session key. The short-term credential data is then encrypted with a session encryption key to produce the short-term credential token, which can then be used by the requester as a short-term credential for subsequent requests.

    HIERARCHICAL DATA ACCESS TECHNIQUES
    9.
    Invention application
    Status: Under examination - published

    Publication (announcement) number: US20160065549A1

    Publication (announcement) date: 2016-03-03

    Application number: US14938403

    Application date: 2015-11-11

    Abstract: A plurality of keys is obtained, with each obtained key of the plurality of keys being based at least in part on an information set for the plurality of keys and at least one other key distinct from the plurality of keys. A signing key is calculated by inputting a combination of the plurality of keys into a function with the information set for the plurality of keys, and the signing key is used to evaluate whether access to one or more computing resources is to be granted, with the information set preventing access from being granted when a request for the access is submitted out of compliance with the information set for the plurality of keys.


    SOURCE IDENTIFICATION FOR UNAUTHORIZED COPIES OF CONTENT
    10.
    Invention application
    Status: In force

    Publication (announcement) number: US20140258732A1

    Publication (announcement) date: 2014-09-11

    Application number: US14282386

    Application date: 2014-05-20

    Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.
