-
Publication No.: US09961055B1
Publication date: 2018-05-01
Application No.: US14576126
Application date: 2014-12-18
Applicant: Amazon Technologies, Inc.
Inventor: Jesper Mikael Johansson, Darren Ernest Canavor, Jon Arron McClintock, Gregory Branchek Roth, Gregory Alan Rubin, Nima Sharifi Mehr
CPC classification number: H04L63/061, H04L9/0827, H04L63/0823, H04L2463/062
Abstract: A client negotiates multiple cryptographic keys with a server. One of the cryptographic keys is used to encrypt communications that the server can decrypt. Another of the cryptographic keys is used to encrypt communications that, while sent to the server, are not decryptable to the server. The server is configured to forward communications that it is unable to decrypt to another computer system having an ability to decrypt the communications.
-
Publication No.: US09904788B2
Publication date: 2018-02-27
Application No.: US15004592
Application date: 2016-01-22
Applicant: Amazon Technologies, Inc.
Inventor: Sandeep Kumar, Gregory Branchek Roth, Gregory Alan Rubin, Mark Christopher Seigle, Kamran Tirdad
CPC classification number: G06F21/602, G06F11/1076, G06F11/1464, G06F11/1469, G06F12/1408, G06F21/6209, H04L9/0822, H04L9/0825, H04L9/14, H04L2209/24
Abstract: A data storage service redundantly stores data and keys used to encrypt the data. Data objects are encrypted with first cryptographic keys. The first cryptographic keys are encrypted by second cryptographic keys. The first cryptographic keys and second cryptographic keys are redundantly stored in a data storage system to enable access of the data objects, such as to respond to requests to retrieve the data objects. The second cryptographic keys may be encrypted by third keys and redundantly stored in the event access to a second cryptographic key is lost.
-
Publication No.: US09882900B2
Publication date: 2018-01-30
Application No.: US15003707
Application date: 2016-01-21
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Gregory Alan Rubin
CPC classification number: H04L63/0869, H04L9/0861, H04L9/14, H04L9/32, H04L9/321, H04L9/3247, H04L9/3273, H04L63/061, H04L63/123, H04L63/166
Abstract: A client and server negotiate a secure communication channel using a pre-shared key where the server, at the time the negotiation initiates, lacks access to the pre-shared key. The server obtains the pre-shared key from another server that shares a secret with the client. A digital signature or other authentication information generated by the client may be used to enable the other server to determine whether to provide the pre-shared key.
-
Publication No.: US11620387B2
Publication date: 2023-04-04
Application No.: US17321356
Application date: 2021-05-14
Applicant: Amazon Technologies, Inc.
Inventor: Matthew John Campagna, Gregory Alan Rubin, Eric Jason Brandwine, Nicholas Alexander Allen, Andrew Kyle Driggs
Abstract: A service provider provides virtual computing services using a fleet of one or more host computer systems. Each of the host computer systems may be equipped with a trusted platform module (“TPM”). The service provider, the host computer systems, and the virtual computing environments generate attestations that prove the integrity of the system. The attestations are signed with a one-time-use cryptographic key that is verifiable against the public keys of the service provider, a host computer system, and a virtual computing environment. The public key of the host computer system is integrated into a hash tree that links the public key of the host computer system to the public key of the service provider. The public key of the virtual computing environment is signed using a one-time-use cryptographic key issued to the host computer system that hosts the virtual computing environment.
-
Publication No.: US10924286B2
Publication date: 2021-02-16
Application No.: US15942039
Application date: 2018-03-30
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Alan Rubin, Gregory Branchek Roth
Abstract: Cryptographic keys can include logging properties that enable those keys to be used only if the properties can be enforced by the cryptographic system requested to perform one or more actions using the keys. The logging property can specify how to log use of a respective key. A key can also include a mutability property for specifying whether the logging property can be changed, and if so under what circumstances or in which way(s). The ability to specify and automatically enforce logging can be important for environments where audit logs are essential. These can include, for example, public certificate authorities that must provide accurate and complete audit trails. In cases where the data is not to be provided outside a determined secure environment, the key can be generated with a property indicating not to log any of the usage.
-
Publication No.: US10855690B2
Publication date: 2020-12-01
Application No.: US15987308
Application date: 2018-05-23
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Gregory Alan Rubin
Abstract: A secret is stored in a computing device. The device generates a value determined based at least in part on a substantially random process. As a result of the value satisfying a condition, the device causes the secret to be unusable to perform cryptographic operations such that the device is unable to cause the secret to be restored. The secret may be programmatically unexportable from the device.
-
Publication No.: US10728041B2
Publication date: 2020-07-28
Application No.: US16410859
Application date: 2019-05-13
Applicant: Amazon Technologies, Inc.
Inventor: Matthew John Campagna, Nicholas Alexander Allen, Gregory Alan Rubin
Abstract: A proof-of-work system where a first party (e.g., a client computer system) may request access to a computing resource. A second party (e.g., a service provider) may determine a challenge that may be provided to the first party. A valid solution to the challenge may be generated and provided for the request to be fulfilled. The challenge may include a message and a seed, such that the seed may be used at least in part to cryptographically derive information that may be used to generate a solution to the challenge. A hash tree may be generated as of generating the solution.
-
Publication No.: US10560441B2
Publication date: 2020-02-11
Application No.: US14574337
Application date: 2014-12-17
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Alan Rubin, Gregory Branchek Roth
IPC: H04L29/06
Abstract: A cryptography service allows for management of cryptographic keys and for the evaluation of security expectations when processing incoming requests. In some contexts, the cryptography service, upon receiving a request to perform a cryptographic operation, evaluates a set of security expectations to determine whether the cryptographic key or keys usable to perform the cryptographic operation should be trusted. A response to the request is dependent on evaluation of the security expectations.
-
Publication No.: US10298404B1
Publication date: 2019-05-21
Application No.: US14569608
Application date: 2014-12-12
Applicant: Amazon Technologies, Inc.
Inventor: Bradley Jeffery Behm, Gregory Branchek Roth, Gregory Alan Rubin
IPC: H04L9/32
Abstract: A client establishes a cryptographically protected communications session with a server. To detect a man-in-the-middle, the client echoes information about a certificate purportedly received from the server. The information echoed by the client is digitally signed so as to be verifiable by the server without any cryptographic key used in the cryptographically protected communications session or its establishment, thereby rendering the echoed information unmodifiable by a man-in-the-middle without invalidating the signature. The server can therefore verify both the echoed information and the digital signature to determine whether it has established a cryptographically protected communications session with the client or with a man-in-the-middle purporting to be the client.
-
Publication No.: US10263997B2
Publication date: 2019-04-16
Application No.: US15217624
Application date: 2016-07-22
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Gregory Alan Rubin, Matthew John Campagna, Petr Praus
Abstract: A system performs cryptographic operations utilizing information usable to verify validity of plaintext. To prevent providing information about a plaintext by providing the information usable to verify the validity of the plaintext, the system provides the information usable to verify validity of the plaintext to an entity on a condition that the entity is authorized to access the plaintext. The information usable to verify validity of the plaintext may be persisted in ciphertext along with the plaintext to enable the plaintext to be verified when decrypted.