Multiple authority data security and access

US 10,090,998 B2
Filed: 06/10/2016
Issued: 10/02/2018
Est. Priority Date: 06/20/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

under the control of one or more computer systems that execute instructions,receiving, from a customer of a computing resource service provider, a request to perform one or more operations using a managed key that is inaccessible to the customer, the request including information that enables the computing resource service provider to select the managed key from other keys managed on behalf of customers of the computing resource service provider;

providing to the customer;

a data key; and

in addition to the data key, an encrypted data key;

receiving, from the customer, data encrypted under the data key; and

storing, in persistent storage, the encrypted data key and the data encrypted under the data key, wherein a customer key and the managed key that is inaccessible to the customer are collectively sufficient, but individually insufficient, to access the data in plaintext form from the persistent storage.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A request to perform one or more operations using a second key that is inaccessible to a customer of a computing resource service provider is received from the customer, with the request including information that enables the computing resource service provider to select the second key from other keys managed on behalf of customers of the computing resource service provider. A first key, and in addition to the first key, an encrypted first key, is provided to the customer. Data encrypted under the first key is received from the customer. The encrypted first key and the data encrypted under the first key is caused to be stored in persistent storage, such that accessing the data, in plaintext form, from the persistent storage requires use of both a third key and the second key that is inaccessible to the customer.

214 Citations

20 Claims

1. A computer-implemented method, comprising:
- under the control of one or more computer systems that execute instructions,receiving, from a customer of a computing resource service provider, a request to perform one or more operations using a managed key that is inaccessible to the customer, the request including information that enables the computing resource service provider to select the managed key from other keys managed on behalf of customers of the computing resource service provider;
  
  providing to the customer;
  
  a data key; and
  
  in addition to the data key, an encrypted data key;
  
  receiving, from the customer, data encrypted under the data key; and
  
  storing, in persistent storage, the encrypted data key and the data encrypted under the data key, wherein a customer key and the managed key that is inaccessible to the customer are collectively sufficient, but individually insufficient, to access the data in plaintext form from the persistent storage.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein:
    - the customer key is inaccessible to the one or more computer systems; and
      
      the encrypted data key is encrypted at least in part under the managed key.
  - 3. The computer-implemented method of claim 1, storing the encrypted data key and the data encrypted under the data key is performed as a result of receiving an instruction via a file system interface to perform a storage operation.
  - 4. The computer-implemented method of claim 1, wherein:
    - the one or more operations include utilizing a cryptographic algorithm that supports additional authenticated data; and
      
      the request includes metadata usable by the computing resource service provider as the additional authenticated data, wherein the computing resource service provider enforces one or more policies based at least in part on the metadata.
  - 5. The computer-implemented method of claim 1, wherein storing the encrypted data key and the data encrypted under the data key includes transmitting, to a data storage service operated by the computing resource service provider, the encrypted data key and the data encrypted under the data key.
  - 6. The computer-implemented method of claim 1, further comprising:
    - encrypting the data encrypted under the data key a second time to form doubly encrypted data, the data encrypted the second time under a second managed key;
      
      providing, to the customer, the doubly encrypted data; and
      
      storing the encrypted data key and the data encrypted under the data key includes storing the encrypted data key in association with the doubly encrypted data.
  - 7. The computer-implemented method of claim 1, wherein:
    - the data key is based at least in part on a first data key component and a second data key component;
      
      the request received from the customer includes the first data key component;
      
      the encrypted data key is a first encrypted data key component; and
      
      the method further comprises;
      
      encrypting the first data key component under the managed key to form the encrypted data key component;
      
      receiving, from the customer, a second encrypted data key component, the second encrypted data key component encrypted under the customer key; and
      
      storing, in persistent storage, the second encrypted data key component in association with the data encrypted under the data key.

8. A system, comprising:
- a first service that includes one or more first processors and first memory including first instructions that, as a result of execution by the one or more first processors, cause the first service to;
  
  receive a first request, from a customer of a computing resource service provider, to perform one or more operations using first information that is inaccessible to the customer, the request including information that enables the computing resource service provider to select the first information from other keys managed on behalf of customers of the computing resource service provider;
  
  provide to the customer;
  
  a first cryptographic key; and
  
  in addition to the first cryptographic key, an encrypted first cryptographic key; and
  
  a second service that includes one or more second processors and second memory including second instructions that, as a result of execution by the one or more second processors, cause the second service to;
  
  receive a second request, from the customer, to store data encrypted under the first cryptographic key; and
  
  store, in persistent storage, the encrypted first cryptographic key and the data encrypted under the first cryptographic key wherein second information and the first information that is inaccessible to the customer are individually insufficient for accessing the data in plaintext form from the persistent storage.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The system of claim 8, wherein:
    - the first request is received via a first application programming interface provided by the first service; and
      
      the second request is received via a second application programming interface provided by the second service.
  - 10. The system of claim 8, wherein:
    - the first cryptographic key is determinable from a plurality of key components that include;
      
      a first key component; and
      
      a second key component; and
      
      the encrypted first cryptographic key includes;
      
      the first key component encrypted using the second information; and
      
      the second key component encrypted using the first information.
  - 11. The system of claim 8, wherein the second information is:
    - accessible to the customer; and
      
      inaccessible to the system.
  - 12. The system of claim 8, wherein:
    - the first information includes a second cryptographic key; and
      
      the second information includes a third cryptographic key.
  - 13. The system of claim 8, wherein:
    - the first cryptographic key is based at least in part on a first key component and a second key component;
      
      the first request includes the first key component;
      
      the first instructions include instructions that cause the first service to encrypt the first key component using the first information to form a first encrypted key component;
      
      the first instructions that cause the service to provide the encrypted first cryptographic key to the customer include instructions that cause the service to provide the first encrypted key component;
      
      the second request includes the second key component encrypted using the second information to form a second encrypted key component; and
      
      the second instructions that cause the second service to store the encrypted first cryptographic key include instructions that cause the second service to store, in association with the data encrypted under the first cryptographic key, both the first encrypted key component and the second key component.
  - 14. The system of claim 8, wherein:
    - a third service that includes one or more third processors and third memory including third instructions that, as a result of execution by the one or more third processors, cause the third service to;
      
      receive a third request, from the customer, to perform one or more second operations on the data encrypted under the first cryptographic key;
      
      encrypt the data encrypted under the first cryptographic key a second time to form doubly encrypted data, the data encrypted the second time using fourth information; and
      
      provide to the customer, the doubly encrypted data; and
      
      the second instructions that cause the second service to store the encrypted first cryptographic key and the data encrypted under the first cryptographic key include instructions that cause the second service to store the encrypted first cryptographic key in association with the doubly encrypted data.
  - 15. The system of claim 14, wherein:
    - the first information includes a first managed key that is accessible to the first service and inaccessible to the second service; and
      
      the fourth information includes a second managed key is accessible to the second service and inaccessible to the first service.

16. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
- receive, from a customer of a computing resource service provider, a request to perform one or more operations using a second key that is inaccessible to the customer, the request including information that enables the computing resource service provider to select the second key from other keys managed on behalf of customers of the computing resource service provider;
  
  provide to the customer;
  
  a first key; and
  
  in addition to the first key, an encrypted first key;
  
  receive, from the customer, data encrypted under the first key; and
  
  cause the encrypted first key and the data encrypted under the first key to be stored in persistent storage, wherein accessing the data in plaintext form from the persistent storage involves a collective use of both;
  
  the second key that is inaccessible to the customer; and
  
  a third key.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer-readable storage medium of claim 16, wherein the executable instructions that cause the computer system to provide the encrypted first key include executable instructions that cause the computer system to encrypt the first key under the second key to form the encrypted first key.
  - 18. The non-transitory computer-readable storage medium of claim 16, wherein the request is received through a web service interface of a service of the computing resource service provider.
  - 19. The non-transitory computer-readable storage medium of claim 16, wherein the executable instructions that cause the encrypted first key and the data encrypted under the first key to be stored include executable instructions that cause a second computer system to store the encrypted first key and the data encrypted under the first key.
  - 20. The non-transitory computer-readable storage medium of claim 16, wherein the third key is inaccessible to the computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Wren, Matthew James
Primary Examiner(s)
Rahman, Shawnchoy

Application Number

US15/179,827
Publication Number

US 20160285625A1
Time in Patent Office

844 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6209   to a single file or object,...

H04L 63/0435   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/083   involving central third par...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

Multiple authority data security and access

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

214 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Multiple authority data security and access

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

214 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others