Multipart authenticated encryption
    11.
    Granted patent
    Multipart authenticated encryption (in force)

    Publication number: US09537657B1

    Publication date: 2017-01-03

    Application number: US14290699

    Filing date: 2014-05-29

    CPC classification number: H04L9/3226 H04L9/0637 H04L9/3242

    Abstract: Incremented authenticated encryption involves dividing a data stream to be encrypted into multiple data segments and encrypting each of the data segments. For each encrypted data segment, an authorization tag is generated. Each segment's authorization tag may be based on the corresponding segment's position in the sequence of data segments within the data stream. A segment authorization tag may be generated based on a segment initialization vector that may be incremented with each segment authorization tag. Each data segment may be encrypted independently of the others. Similarly, each encrypted data segment may be decrypted and authenticated independently of the others. Additionally, a final authentication tag may be generated. The final authentication tag may be used to authenticate all the data segments of the data stream as a whole.


    Data integrity verification
    12.
    Granted patent
    Data integrity verification (in force)

    Publication number: US09405920B1

    Publication date: 2016-08-02

    Application number: US14284266

    Filing date: 2014-05-21

    Abstract: A system performs cryptographic operations utilizing information usable to verify validity of plaintext. To prevent providing information about a plaintext by providing the information usable to verify the validity of the plaintext, the system provides the information usable to verify validity of the plaintext to an entity on a condition that the entity is authorized to access the plaintext. The information usable to verify validity of the plaintext may be persisted in ciphertext along with the plaintext to enable the plaintext to be verified when decrypted.


    HARDWARE SECRET USAGE LIMITS
    13.
    Patent application
    HARDWARE SECRET USAGE LIMITS (in force)

    Publication number: US20160197937A1

    Publication date: 2016-07-07

    Application number: US15068446

    Filing date: 2016-03-11

    Abstract: A hardware secret is securely maintained in a computing device. The device operates in accordance with a usage limit corresponding to a limited number of operations using the hardware secret that the device is able to perform. Once the device reaches a usage limit, the device becomes temporarily or permanently unable to perform additional operations using the hardware secret.


    Distributed passcode verification system
    14.
    Granted patent
    Distributed passcode verification system (in force)

    Publication number: US09374368B1

    Publication date: 2016-06-21

    Application number: US14149721

    Filing date: 2014-01-07

    CPC classification number: H04L63/083 H04L63/0846 H04L63/10 H04L63/123

    Abstract: A distributed passcode verification system includes devices that each have a hardware secret and that are each able to perform a limited number of verifications using their hardware secrets. Passcode verifiers receive passcode information from a passcode information manager. The passcode information provides information usable, with a hardware secret, to verify passcodes provided to a verifier.


    Passcode verification using hardware secrets
    15.
    Granted patent
    Passcode verification using hardware secrets (in force)

    Publication number: US09369461B1

    Publication date: 2016-06-14

    Application number: US14149698

    Filing date: 2014-01-07

    CPC classification number: H04L63/0838

    Abstract: A hardware secret is securely maintained in a computing device. The hardware secret is used to generate a hash of a passcode that is persistently stored for later use in verification. When a passcode is received as part of an authentication attempt, the hardware secret is used to generate a reference hash of the received passcode that is then compared with the persistently stored hash to determine whether there is a match.


    Redundant key management
    16.
    Granted patent
    Redundant key management (in force)

    Publication number: US09251097B1

    Publication date: 2016-02-02

    Application number: US13919701

    Filing date: 2013-06-17

    Abstract: A data storage service redundantly stores data and keys used to encrypt the data. Data objects are encrypted with first cryptographic keys. The first cryptographic keys are encrypted by second cryptographic keys. The first cryptographic keys and second cryptographic keys are redundantly stored in a data storage system to enable access of the data objects, such as to respond to requests to retrieve the data objects. The second cryptographic keys may be encrypted by third keys and redundantly stored in the event access to a second cryptographic key is lost.


    Key management for expiring ciphertexts

    Publication number: US11240023B1

    Publication date: 2022-02-01

    Application number: US16446500

    Filing date: 2019-06-19

    Abstract: Techniques described herein enhance information security in contexts that utilize key management systems and cryptographic keys. A cryptographic structure is utilized to maintain cryptographic keys with associated expiration times such that after an expiration time associated with a cryptographic key has passed, the cryptographic key is no longer accessible.

    Cryptographic key management for imported cryptographic keys

    Publication number: US11184155B2

    Publication date: 2021-11-23

    Application number: US16174033

    Filing date: 2018-10-29

    Abstract: A cryptographic key management service receives a request to import a first cryptographic key. In response to the request, the service creates a public cryptographic key and a private cryptographic key. The private cryptographic key is encrypted using a second cryptographic key to create an import key token. The import key token and the public cryptographic key are provided in response to the request. The service receives an encrypted first cryptographic key, which the service decrypts using the private cryptographic key to obtain the first cryptographic key. The service stores the first cryptographic key and enables its use for the performance of cryptographic operations.

    HOST ATTESTATION
    19.
    Patent application

    Publication number: US20210326442A1

    Publication date: 2021-10-21

    Application number: US17321356

    Filing date: 2021-05-14

    Abstract: A service provider provides virtual computing services using a fleet of one or more host computer systems. Each of the host computer systems may be equipped with a trusted platform module (“TPM”). The service provider, the host computer systems, and the virtual computing environments generate attestations that prove the integrity of the system. The attestations are signed with a one-time-use cryptographic key that is verifiable against the public keys of the service provider, a host computer system, and a virtual computing environment. The public key of the host computer system is integrated into a hash tree that links the public key of the host computer system to the public key of the service provider. The public key of the virtual computing environment is signed using a one-time-use cryptographic key issued to the host computer system that hosts the virtual computing environment.
