Data security using request-supplied keys

US 10,037,428 B2
Filed: 04/04/2016
Issued: 07/31/2018
Est. Priority Date: 09/25/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving a request over a network, the request specifying data and including an encrypted cryptographic key, wherein the data is not included in the request;

causing the encrypted cryptographic key to be decrypted by at least transmitting the encrypted cryptographic key to another entity for decryption, thereby resulting in a decrypted cryptographic key;

performing one or more cryptographic operations on the specified data using the decrypted cryptographic key to encrypt the specified data to fulfill the request; and

providing a result of performing the one or more cryptographic operations.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Requests are submitted to a request processing entity where the requests include a cryptographic key to be used in fulfilling the request. The request processing entity, upon receipt of the request, extracts the key from the request and uses the key to perform one or more cryptographic operations to fulfill the request. The one or more cryptographic operations may include encryption/decryption of data that to be/is stored, in encrypted form, by a subsystem of the request processing entity. Upon fulfillment of the request, the request processing entity may perform one or more operations to lose access to the key in the request, thereby losing the ability to use the key.

217 Citations

19 Claims

1. A computer-implemented method, comprising:
- receiving a request over a network, the request specifying data and including an encrypted cryptographic key, wherein the data is not included in the request;
  
  causing the encrypted cryptographic key to be decrypted by at least transmitting the encrypted cryptographic key to another entity for decryption, thereby resulting in a decrypted cryptographic key;
  
  performing one or more cryptographic operations on the specified data using the decrypted cryptographic key to encrypt the specified data to fulfill the request; and
  
  providing a result of performing the one or more cryptographic operations.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, wherein the request includes information usable to authenticate the request using the decrypted cryptographic key.
  - 3. The computer-implemented method of claim 1, wherein:
    - the decrypted cryptographic key is a symmetric cryptographic key.
  - 4. The computer-implemented method of claim 1, wherein:
    - the request is a request to store the specified data in encrypted form in a data storage system;
      
      the one or more cryptographic operations include encryption of the specified data using the decrypted cryptographic key; and
      
      providing the result of performing the one or more cryptographic operations includes transmitting the specified data in encrypted form to the data storage system for persistent storage.
  - 5. The computer-implemented method of claim 1, further comprising, at a time after performing the one or more cryptographic operations, performing one or more operations that cause a loss of access to the decrypted cryptographic key.
  - 6. The computer-implemented method of claim 1, wherein receipt of the decrypted cryptographic key from the other entity results in access to the decrypted cryptographic key that was lacked prior to the receipt.

7. A system, comprising:
- one or more processors; and
  
  memory including instructions that, as a result of execution by the one or more processors, cause the system to;
  
  receive, from a requestor over a network, a request whose fulfillment involves performance of one or more cryptographic operations on data specified in the request using information that comprises an encrypted cryptographic key supplied in the request, wherein the data is not included in the request;
  
  perform the one or more cryptographic operations on the specified data using the encrypted cryptographic key supplied in the request, including causing the encrypted cryptographic key supplied in the request to be decrypted by at least transmitting the encrypted cryptographic key to another entity for decryption, thereby resulting in a decrypted cryptographic key, and using the decrypted cryptographic key to encrypt the specified data; and
  
  provide a result of performing the one or more cryptographic operations.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The system of claim 7, wherein:
    - performing the one or more cryptographic operations on the specified data includes decrypting the specified data from a data storage system using the decrypted cryptographic key.
  - 9. The system of claim 7, wherein the information is usable to authenticate the request by including an electronic signature generated based at least in part on a second cryptographic key different from the encrypted cryptographic key.
  - 10. The system of claim 7, wherein:
    - the request is a request to store the specified data in encrypted form in a data storage system;
      
      the one or more cryptographic operations include encryption of the specified data; and
      
      providing the result of performing the one or more cryptographic operations includes transmitting the specified data in encrypted form to the data storage system for persistent storage.
  - 11. The system of claim 7, wherein the information further includes instructions that cause the system to perform one or more operations to lose access to the decrypted cryptographic key at a time after performing the one or more cryptographic operations.
  - 12. The system of claim 7, wherein the system lacks access to the decrypted cryptographic key for an amount of time until the request is received.
  - 13. The system of claim 7, wherein the request comprises the encrypted cryptographic key in a uniform resource locator.

14. A non-transitory computer-readable storage medium having stored thereon instructions that, if executed by one or more processors of a computer system, cause the computer system to:
- receive, from a requestor over a network, a request whose fulfillment involves performance of one or more cryptographic operations on data specified in the request using information that comprises an encrypted cryptographic key supplied in the request, wherein the data is not included in the request;
  
  perform the one or more cryptographic operations on the specified data, using the encrypted cryptographic key supplied in the request, including causing the encrypted cryptographic key supplied in the request to be decrypted by at least transmitting the encrypted cryptographic key to another entity for decryption, thereby resulting in a decrypted cryptographic key, and using the decrypted cryptographic key to encrypt the specified data; and
  
  provide a result of performing the one or more cryptographic operations.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The non-transitory computer-readable storage medium of claim 14, wherein:
    - performing the one or more cryptographic operations on the specified data includes decrypting the specified data from a data storage system using the decrypted cryptographic key.
  - 16. The non-transitory computer-readable storage medium of claim 14, wherein the information is usable to authenticate the request by using the decrypted cryptographic key to authenticate the request.
  - 17. The non-transitory computer-readable storage medium of claim 14, wherein:
    - the request is a request to store the specified data in encrypted form in a data storage system;
      
      the one or more cryptographic operations include encryption of the specified data; and
      
      providing the result of performing the one or more cryptographic operations includes transmitting the specified data in encrypted form to the data storage system for persistent storage.
  - 18. The non-transitory computer-readable storage medium of claim 14, wherein the decrypted cryptographic key is a symmetric cryptographic key.
  - 19. The non-transitory computer-readable storage medium of claim 14, wherein the encrypted cryptographic key is obtained from a uniform resource locator included in the request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Brandwine, Eric Jason
Primary Examiner(s)
Dinh, Minh

Application Number

US15/090,315
Publication Number

US 20160217290A1
Time in Patent Office

848 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6209   to a single file or object,...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 9/0819   Key transport or distributi...

H04L 9/0822   using key encryption key

H04L 9/3226   using a predetermined code,...

H04L 9/3242   involving keyed hash functi...

H04L 9/3247   involving digital signatures

Data security using request-supplied keys

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

217 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Data security using request-supplied keys

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

217 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links