-
公开(公告)号:US10685119B2
公开(公告)日:2020-06-16
申请号:US16195125
申请日:2018-11-19
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine , Matthew John Campagna , Gregory Alan Rubin
Abstract: A trusted co-processor can provide a hardware-based observation point into the operation of a host machine owned by a resource provider or other such entity. The co-processor can be installed via a peripheral card on a fast bus, such as a PCI bus, on the host machine. The co-processor can execute malware detection software, and can use this software to analyze data and/or code obtained from the relevant resources of the host machine. The trusted co-processor can notify the customer or another appropriate entity of the results of the scan, such that an appropriate action can be taken if malware is detected. The results of the scan can be trusted, as malware will be unable to falsify such a notification or modify the operation of the trusted co-processor.
-
公开(公告)号:US10412191B1
公开(公告)日:2019-09-10
申请号:US15085787
申请日:2016-03-30
Applicant: Amazon Technologies, Inc.
Abstract: A trusted co-processor can provide a hardware-based observation point into the operation of a host machine owned by a resource provider or other such entity. The co-processor can be installed via a peripheral card on a fast bus, such as a PCI bus, on the host machine. The provider can provide the customer with expected information that the customer can verify through a request to an application programming interface (API) of the card, and after the customer verifies the information the customer can take logical ownership of the card and lock out the provider. The card can then function as a trusted but limited environment that is programmable by the customer. The customer can subsequently submit verification requests to the API to ensure that the host has not been unexpectedly modified or is otherwise operating as expected.
-
公开(公告)号:US10169591B2
公开(公告)日:2019-01-01
申请号:US14960553
申请日:2015-12-07
Applicant: Amazon Technologies, Inc.
Inventor: Matthew John Campagna , Gregory Alan Rubin , Eric Jason Brandwine , Matthew Shawn Wilson , Cristian M. Ilac
Abstract: A tiered credentialing approach provides assurance to customers having virtual machines running in a remote environment that the virtual images for these machines are in a pristine state and running in a trusted execution environment. The environment can be divided into multiple subsystems, each having its own cryptographic boundary, secure storage, and trusted computing capabilities. A trusted, limited subsystem can handle the administrative tasks for virtual machines running on the main system of a host computing device. The limited system can receive a certificate from a certificate authority, and can act as a certificate authority to provide credentials to the main system. Upon an attestation request, the subsystems can provide attestation information using the respective credentials as well as the certificate chain. An entity having the appropriate credentials can determine the state of the system from the response and verify the state is as expected.
-
公开(公告)号:US10142301B1
公开(公告)日:2018-11-27
申请号:US14489161
申请日:2014-09-17
Applicant: Amazon Technologies, Inc.
Inventor: Nima Sharifi Mehr , Darren Ernest Canavor , Jesper Mikael Johansson , Jon Arron McClintock , Gregory Branchek Roth , Gregory Alan Rubin
Abstract: Multiple communications that encode data are encrypted for transit from one entity to the other. An entity receiving the communications decrypts at least some of the communications to determine how to process the communications. As part of processing the communications, the entity receiving the communications provides at least some of the encrypted communications to a data storage system without reencrypting those communications.
-
公开(公告)号:US10110382B1
公开(公告)日:2018-10-23
申请号:US14475468
申请日:2014-09-02
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Gregory Alan Rubin
Abstract: Cryptographic keys are durably stored for an amount of time. A cryptographic key is encrypted so as to be decryptable using another cryptographic key that has a limited lifetime. The other cryptographic key can be used to decrypt the encrypted cryptographic key to restore the cryptographic key during the lifetime of the other cryptographic key. After the lifetime of the other cryptographic key, if a copy of the cryptographic key is lost (e.g., inadvertently and unrecoverably deleted from memory), the cryptographic key becomes irrecoverable.
-
Patent Agency Ranking
公开(公告)号:US10078687B2
公开(公告)日:2018-09-18
申请号:US14849481
申请日:2015-09-09
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Alan Rubin , Gregory Branchek Roth
IPC: G06F17/30
CPC classification number: G06F16/2255
Abstract: A computer system receives a request to remove an entry from a probabilistic data structure. In response to the request, the computer system queries the probabilistic data structure to determine a current iteration value for the entry within the probabilistic data structure. The current iteration value indicates a state of the entry such that a first state corresponds to the entry being a member of a set and a second state corresponds to the absence of the entry from the set. As a result of the current iteration value denoting that the entry is a member of the set, the computer system increments the current iteration value to generate a new iteration value that corresponds to the absence of the entry from the set. The computer system uses the new iteration value and the entry to generate a new output value that is then added to the probabilistic data structure.
-
公开(公告)号:US20180227129A1
公开(公告)日:2018-08-09
申请号:US15946614
申请日:2018-04-05
Applicant: Amazon Technologies, Inc.
Inventor: Matthew John Campagna , Gregory Alan Rubin , Nicholas Alexander Allen , Andrew Kyle Driggs , Eric Jason Brandwine
CPC classification number: H04L9/3247 , H04L9/0643 , H04L9/0861 , H04L9/14 , H04L9/30
Abstract: A signature authority generates a master seed value that is used to generate a seed tree of subordinate nodes. Each subordinate node of the seed tree is generated from the value of its parent node using a cryptographic hash or one-way function. The signature authority selects subordinate seed values from the seed tree which are distributed to one or more subordinates, each of which generates a set of one-time-use cryptographic keys from the provided seed. Each subordinate generates a hash tree from its set of one-time-use cryptographic keys, and returns the root of its hash tree to the signature authority. The signature authority integrates the hashes provided by the key generators into a comprehensive hash tree, and the root of the hash tree acts as a public key for the signature authority.
-
公开(公告)号:US20180183601A1
公开(公告)日:2018-06-28
申请号:US15389991
申请日:2016-12-23
Applicant: Amazon Technologies, Inc.
Inventor: Matthew John Campagna , Nicholas Alexander Allen , Gregory Alan Rubin
CPC classification number: H04L9/3247 , G06F21/602 , G06F2221/2103 , H04L9/3239 , H04L63/1441
Abstract: A proof-of-work system where a first party (e.g., a client computer system) may request access to a computing resource. A second party (e.g., a service provider) may determine a challenge that may be provided to the first party. A valid solution to the challenge may be generated and provided for the request to be fulfilled. The challenge may include a message and a seed, such that the seed may be used at least in part to cryptographically derive information that may be used to generate a solution to the challenge. A hash tree may be generated as of generating the solution.
-
公开(公告)号:US20180181756A1
公开(公告)日:2018-06-28
申请号:US15389771
申请日:2016-12-23
Applicant: Amazon Technologies, Inc.
Inventor: Matthew John Campagna , Gregory Alan Rubin , Eric Jason Brandwine
CPC classification number: G06F21/57 , G06F21/64 , H04L9/0877 , H04L9/088 , H04L9/3247 , H04L63/067 , H04L63/0823 , H04L2209/30
Abstract: A service provider provides virtual computing services using a fleet of one or more host computer systems. Each of the host computer systems may be equipped with a trusted platform module (“TPM”). The service provider, the host computer systems, and the virtual computing environments generate attestations that prove the integrity of the system. The attestations are signed with a one-time-use cryptographic key that is verifiable against the public keys of the service provider, a host computer system, and a virtual computing environment. The public key of the host computer system is integrated into a hash tree that links the public key of the host computer system to the public key of the service provider. The public key of the virtual computing environment is signed using a one-time-use graphic key issued to the host computer system that hosts the virtual computing environment.
-
公开(公告)号:US09992027B1
公开(公告)日:2018-06-05
申请号:US14853605
申请日:2015-09-14
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Alan Rubin , Gregory Branchek Roth
CPC classification number: H04L9/3247 , G06F21/64 , H04L9/0819 , H04L2209/24 , H04L2209/72
Abstract: Cryptographic keys can include logging properties that enable those keys to be used only if the properties can be enforced by the cryptographic system requested to perform one or more actions using the keys. The logging property can specify how to log use of a respective key. A key can also include a mutability property for specifying whether the logging property can be changed, and if so under what circumstances or in which way(s). The ability to specify and automatically enforce logging can be important for environments where audit logs are essential. These can include, for example, public certificate authorities that must provide accurate and complete audit trails. In cases where the data is not to be provided outside a determined secure environment, the key can be generated with a property indicating not to log any of the usage.
-
-
-
-
-
-
-
-
-
Search Results
102
records
(took 0.045 seconds)
