Personalizing global session identifiers

US 10,182,044 B1
Filed: 12/03/2015
Issued: 01/15/2019
Est. Priority Date: 12/03/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

generating a session token that includes a first key;

encrypting the session token with an encryption key, the encryption key generated from a combination of a second key and a third key, the second key associated with and available to a set of servers, the third key associated with a customer account, and the third key available to a proper subset of the set of servers, the proper subset specified by a policy service that identifies the proper subset of servers where the session token is allowed to be used;

providing the encrypted token and the first key to a device associated with the customer account; and

in response to receiving a request to establish a session, the request including the token, and the request signed with the first key;

recovering the first key from the token using the encryption key to acquire a recovered first key;

verifying that the request is validly signed using the recovered first key; and

as a result of verifying that the request is validly signed using the recovered first key, fulfilling the request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for personalizing short-term session credentials are described herein. A global session key is provided to a plurality of regions of a computing resource service provider and an account key is also provided to one or more of the plurality of regions based at least in part on those regions being trusted by a customer of the computing resource service provider. When a request for short-term session credentials is received at the trusted region by that customer, a session token is generated and encrypted with a combination of the global session key and the account key, thereby creating a session token that can be uniquely associated with the customer and that may only be used in regions that that customer has designated as trusted regions.

Citations

20 Claims

1. A computer-implemented method, comprising:
- generating a session token that includes a first key;
  
  encrypting the session token with an encryption key, the encryption key generated from a combination of a second key and a third key, the second key associated with and available to a set of servers, the third key associated with a customer account, and the third key available to a proper subset of the set of servers, the proper subset specified by a policy service that identifies the proper subset of servers where the session token is allowed to be used;
  
  providing the encrypted token and the first key to a device associated with the customer account; and
  
  in response to receiving a request to establish a session, the request including the token, and the request signed with the first key;
  
  recovering the first key from the token using the encryption key to acquire a recovered first key;
  
  verifying that the request is validly signed using the recovered first key; and
  
  as a result of verifying that the request is validly signed using the recovered first key, fulfilling the request.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, wherein the set of servers is a group of trusted servers in a region of a computing resource service provider.
  - 3. The computer-implemented method of claim 1, wherein recovering the first key from the token is accomplished by at least:
    - decrypting the encrypted token using the encryption key to acquire a decrypted token; and
      
      extracting the first key from the decrypted token.
  - 4. The computer-implemented method of claim 1, further comprising:
    - invalidating the second key; and
      
      causing the session token to become unusable to fulfill resource requests as a result of the second key being invalid.

5. A system, comprising at least one computing device that includes a processor and memory, the memory storing instructions that, as a result of being executed by the processor cause the system to:
- generate a session token that includes a first key;
  
  encrypt the session token with a second key and a third key, the second key available to a set of servers, the third key associated with an account of a customer, the third key available to a proper subset of the set of servers, the proper subset specified by a service different from the system, the service identifying the proper subset of servers where the session token is allowed to be used;
  
  receive a request that is signed using a credential of the customer; and
  
  in response to the request, provide the encrypted token and the first key to a device associated with the account.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The system of claim 5, wherein the credential is at least one of:
    - a long-term key associated with the requester, a password associated with the requester, a certificate generated by the requester, a short-term credential associated with the requester, or a private long-term key associated with the requester, the private long-term key corresponding to a public long-term key obtainable from the requester.
  - 7. The system of claim 5, wherein:
    - the second key is generated as a consequence of a key rotation event generated by a service of a computing resource service provider, the key rotation event causing the one or more services to at least;
      
      invalidate the second key; and
      
      generate a new second key.
  - 8. The system of claim 7, wherein the one or more services are further configured to, at least:
    - receive a new request for a session at the proper subset of the set of servers, the request digitally signed using the credential;
      
      validate the credential;
      
      perform an operation to encrypt a set of session data to generate a new session token, the new session token encrypted using the new second key and the third key; and
      
      provide the new session token and the first key to the device associated with the customer.
  - 9. The system of claim 5, wherein the second key is one of a plurality of global session keys, the plurality of global session keys maintained in a session keychain, the session keychain configured to delete each global session key of the plurality of global session keys upon expiration of a corresponding time interval.
  - 10. The system of claim 9, wherein the plurality of global session keys includes a global session key designated as an encryption key, the encryption key being used to encrypt a set of session data to generate the session token.
  - 11. The system of claim 10, wherein the second key is generated as a result of a keychain update event generated by a service of a computing resource service provider, the keychain update event causing the one or more services to at least:
    - generate a new global session key;
      
      designate the new global session key as the encryption key; and
      
      invalidate an old global session key of the session keychain, the old global session key selected based at least in part on a corresponding creation time associated with the old global session key.
  - 12. The system of claim 9, wherein a key invalidation event causes the system to at least:
    - select a global session key of the session keychain for invalidation, the global session key selected based at least in part on a corresponding creation time associated with the second key, the creation time corresponding to a time interval designated by a computing resource service provider; and
      
      invalidate the global session key.

13. A set of one or more non-transitory computer-readable storage media having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
- generate a session token that includes a first key;
  
  obtain an indication of a proper subset of a set of servers from a policy service based at least in part on a policy associated with a customer;
  
  encrypt the session token with a second key and a third key, the second key available to the set of servers, the third key associated with an account of the customer, the third key available to the proper subset of the set of servers;
  
  receive a request that is signed using a credential of the customer; and
  
  in response to the request, provide the encrypted token and the first key to a device associated with the account.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The set of one or more non-transitory computer-readable storage media of claim 13, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to invalidate the third key in response to an application programming interface request from the device associated with the customer.
  - 15. The set of one or more non-transitory computer-readable storage media of claim 13, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to invalidate the third key in response to a security event generated by a computing resource service provider.
  - 16. The set of one or more non-transitory computer-readable storage media of claim 13, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to receive a key rotation event generated by a computing resource service provider, the key rotation event causing the one or more services to invalidate the third key.
  - 17. The set of one or more non-transitory computer-readable storage media of claim 13, wherein the proper subset of the set of servers is selected based at least in part on the account associated with the customer being authorized by one or more customer policies.
  - 18. The set of one or more non-transitory computer-readable storage media of claim 13, wherein the proper subset of the set of servers is based at least in part on one or more regions of a plurality of regions that are designated as trusted regions by the customer.
  - 19. The set of one or more non-transitory computer-readable storage media of claim 13, wherein the instructions that cause the computer system to provide the second key to the set of servers further include instructions that cause the computer system to provide the second key to one or more regions designated as trusted regions by a computing resource service provider.
  - 20. The set of one or more non-transitory computer-readable storage media of claim 13, wherein the first key is a public key of a public key cryptography key pair, the public key cryptography key pair including a private key corresponding to the first key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Praus, Slavka, Sedky, Khaled Salah, Mandadi, Srikanth, Barbour, Marc R.
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Chao, Michael W

Application Number

US14/958,892
Time in Patent Office

1,139 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/33   using certificates

G06F 21/335   for accessing specific reso...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 9/0833   involving conference or gro...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3247   involving digital signatures

H04L 9/50   using hash chains, e.g. blo...

Personalizing global session identifiers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Personalizing global session identifiers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links