Cryptographic key management for imported cryptographic keys

US 10,116,440 B1
Filed: 08/17/2016
Issued: 10/30/2018
Est. Priority Date: 08/09/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

under the control of one or more computer systems of a cryptographic key management service provided by a computing resource service provider, the one or more computer systems configured with executable instructions;

receiving, from a client device, a request to import a customer cryptographic key from the client device;

generating a cryptographic key pair, the cryptographic key pair comprising a public cryptographic key and a private cryptographic key;

utilizing a domain cryptographic key to encrypt the private cryptographic key, resulting in an import key token;

providing the import key token and the public cryptographic key to the client device;

receiving, from the client device, the import key token and an encrypted customer cryptographic key, the encrypted customer cryptographic key being the customer cryptographic key encrypted using the public cryptographic key;

using the domain cryptographic key to decrypt the import key token to obtain the private cryptographic key;

decrypting, using the private cryptographic key, the encrypted customer cryptographic key to obtain the customer cryptographic key;

encrypting, using the domain cryptographic key, the customer cryptographic key to generate an encrypted key token; and

causing one or more cryptographic operations to be performed using the encrypted key token.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cryptographic key management service receives a request to import a first cryptographic key. In response to the request, the service creates a public cryptographic key and a private cryptographic key. The private cryptographic key is encrypted using a second cryptographic key to create an import key token. The import key token and the public cryptographic key are provided in response to the request. The service receives an encrypted first cryptographic key, which the service decrypts using the private cryptographic key to obtain the first cryptographic key. The service stores the first cryptographic key and enables its use for the performance of cryptographic operations.

243 Citations

20 Claims

1. A computer-implemented method, comprising:
- under the control of one or more computer systems of a cryptographic key management service provided by a computing resource service provider, the one or more computer systems configured with executable instructions;
  
  receiving, from a client device, a request to import a customer cryptographic key from the client device;
  
  generating a cryptographic key pair, the cryptographic key pair comprising a public cryptographic key and a private cryptographic key;
  
  utilizing a domain cryptographic key to encrypt the private cryptographic key, resulting in an import key token;
  
  providing the import key token and the public cryptographic key to the client device;
  
  receiving, from the client device, the import key token and an encrypted customer cryptographic key, the encrypted customer cryptographic key being the customer cryptographic key encrypted using the public cryptographic key;
  
  using the domain cryptographic key to decrypt the import key token to obtain the private cryptographic key;
  
  decrypting, using the private cryptographic key, the encrypted customer cryptographic key to obtain the customer cryptographic key;
  
  encrypting, using the domain cryptographic key, the customer cryptographic key to generate an encrypted key token; and
  
  causing one or more cryptographic operations to be performed using the encrypted key token.
- View Dependent Claims (2, 3, 4, 20)
- - 2. The computer-implemented method of claim 1, wherein the method further comprises:
    - receiving, from the client device, a second request to import a second customer cryptographic key from the client device;
      
      providing the import key token and the public cryptographic key to the client device;
      
      receiving, from the client device, the import key token and a second encrypted customer cryptographic key, the second encrypted customer cryptographic key being the second customer cryptographic key encrypted using the public cryptographic key;
      
      determining that the import key token has expired; and
      
      denying the second request.
  - 3. The computer-implemented method of claim 1, wherein:
    - the request to import the customer cryptographic key from the client device specifies an expiration date for the customer cryptographic key; and
      
      the method further comprises removing the encrypted key token as a result of the expiration date for the customer cryptographic key having passed.
  - 4. The computer-implemented method of claim 1, wherein:
    - the method further comprises;
      
      receiving, from the client device, a request to create a customer master key for establishing access controls to the customer cryptographic key, the request specifying at least one or more access control policies defining the access controls to the customer cryptographic key; and
      
      associating the encrypted key token with the customer master key; and
      
      causing the one or more cryptographic operations to be performed occurs as a result of a request to use the customer master key for performance of the one or more cryptographic operations.
  - 20. The method of claim 1, wherein the domain cryptographic key is under control of the computing resource service provider.

5. A system, comprising:
- one or more processors of a cryptographic key management service; and
  
  memory including instructions that, as a result of being executed by the one or more processors of the cryptographic key management service, cause the system to;
  
  receive, from a client device, a request to import a first cryptographic key from the client device;
  
  create a cryptographic key pair comprising a public cryptographic key and a private cryptographic key;
  
  utilize a domain cryptographic key to encrypt the private cryptographic key to generate an import key token;
  
  provide the import key token and the public cryptographic key to the client device;
  
  receive, from the client device, the import key token and an encrypted first cryptographic key, the encrypted first cryptographic key being the first cryptographic key encrypted using the public cryptographic key;
  
  utilize the domain cryptographic key to decrypt the import key token and utilize the import key token to derive information for decrypting the encrypted first cryptographic key, the information for decrypting the encrypted first cryptographic key comprising the private cryptographic key;
  
  decrypt, using the private cryptographic key, the encrypted first cryptographic key to obtain the first cryptographic key;
  
  encrypt, using the domain cryptographic key, the first cryptographic key to generate an encrypted key token; and
  
  cause one or more cryptographic operations to be performed using the first cryptographic key.
- View Dependent Claims (6, 7, 8, 9, 10, 11)
- - 6. The system of claim 5, wherein:
    - the request to import the first cryptographic key specifies a public cryptographic key cryptosystem utilized by the client device that is providing the first cryptographic key; and
      
      the instructions further cause the system to use the public cryptographic key cryptosystem specified in the request to generate the cryptographic key pair.
  - 7. The system of claim 5, wherein the instructions further cause the system to:
    - determine that the import key token has expired; and
      
      reject the encrypted first cryptographic key.
  - 8. The system of claim 5, wherein:
    - the request to import the first cryptographic key specifies an expiration date for the first cryptographic key; and
      
      the instructions further cause the system to delete the first cryptographic key if the expiration date has passed.
  - 9. The system of claim 5, wherein the instructions further cause the system to:
    - associate the first cryptographic key with a customer master key, the customer master key specifying one or more access control policies for controlling access to the first cryptographic key;
      
      receive a request to perform a cryptographic operation, the request specifying an identifier of the customer master key; and
      
      use the first cryptographic key to perform the cryptographic operation.
  - 10. The system of claim 9, wherein the instructions further cause the system to:
    - determine that the first cryptographic key has expired;
      
      disassociate the first cryptographic key from the customer master key; and
      
      delete the first cryptographic key.
  - 11. The system of claim 5, wherein the instructions further cause the system to obtain, by decrypting the import key token using the domain cryptographic key, the private cryptographic key usable to decrypt the encrypted first cryptographic key.

12. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system of a cryptographic key management service, cause the computer system to at least:
- generate, in response to a request from a client device to import a customer key from the client device, first cryptographic information and second cryptographic information, the first cryptographic information comprising a private cryptographic key and the second cryptographic information comprising a public cryptographic key;
  
  generate, based at least in part on the first cryptographic information and a domain cryptographic key, an import key token by utilizing the domain cryptographic key to encrypt the first cryptographic information;
  
  provide the import key token and the second cryptographic information to the client device in response to the request;
  
  obtain, from the client device, an encrypted customer key and the import key token, the encrypted customer key being the customer key encrypted using the second cryptographic information;
  
  derive, from the import key token, the first cryptographic information to obtain at least the private cryptographic key by using the domain cryptographic key to decrypt the import key token;
  
  use the first cryptographic information to decrypt the encrypted customer key to obtain the customer key;
  
  use the domain cryptographic key to obtain an encrypted key token by encrypting the customer key with the domain cryptographic key; and
  
  store the encrypted key token for performance of cryptographic operations using the customer key.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The non-transitory computer-readable storage medium of claim 12, wherein the instructions further cause the computer system to:
    - receive a request to utilize the customer key to perform one or more cryptographic operations;
      
      deny the request on a condition that the customer key has expired; and
      
      perform the one or more cryptographic operations on a condition that the customer key has not expired.
  - 14. The non-transitory computer-readable storage medium of claim 12, wherein the instructions further cause the computer system to use a Rivest-Shamir-Adleman algorithm to generate the first cryptographic information and the second cryptographic information.
  - 15. The non-transitory computer-readable storage medium of claim 12, wherein the instructions further cause the computer system to, based at least in part on a determination that the import key token has expired, reject the encrypted customer key.
  - 16. The non-transitory computer-readable storage medium of claim 12, wherein the instructions that cause the system to store the encrypted key token further cause the system to:
    - obtain the domain cryptographic key; and
      
      use the domain cryptographic key to encrypt the customer key to generate the encrypted key token.
  - 17. The non-transitory computer-readable storage medium of claim 12, wherein:
    - the request to import the customer key specifies an expiration date for the customer key; and
      
      the instructions further cause the computer system to delete the customer key as a result of the expiration date having passed.
  - 18. The non-transitory computer-readable storage medium of claim 12, wherein the instructions further cause the computer system to:
    - associate the customer key with a customer master key;
      
      receive a request to perform a cryptographic operation, the request specifying an identifier of the customer master key;
      
      determine, depending at least in part on one or more policies of the customer master key, that the request can be fulfilled; and
      
      use the customer key to fulfill the request based at least in part on the one or more policies.
  - 19. The non-transitory computer-readable storage medium of claim 18, wherein the instructions further cause the computer system to disassociate the customer key from the customer master key if the customer key has expired.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Rudzitis, Aleksandrs J., Carlough, Alexis Lynn, Rubin, Gregory Alan, Campagna, Matthew John
Primary Examiner(s)
Giddins, Nelson

Application Number

US15/239,725
Time in Patent Office

804 Days
Field of Search
US Class Current
CPC Class Codes

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/083   involving central third par...

H04L 9/0891   Revocation or update of sec...

Cryptographic key management for imported cryptographic keys

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

243 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Cryptographic key management for imported cryptographic keys

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

243 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links