Personalizing global session identifiers
Abstract
Techniques for personalizing short-term session credentials are described herein. A global session key is provided to a plurality of regions of a computing resource service provider and an account key is also provided to one or more of the plurality of regions based at least in part on those regions being trusted by a customer of the computing resource service provider. When a request for short-term session credentials is received at the trusted region by that customer, a session token is generated and encrypted with a combination of the global session key and the account key, thereby creating a session token that can be uniquely associated with the customer and that may only be used in regions that that customer has designated as trusted regions.
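The scheme in the abstract and in claim 1, sketched as an added Go example that is not taken from the patent. AES-256-GCM as the cipher, HMAC-SHA256 both as the way the two keys are combined and as the request signature, and all key and request values are assumptions of this example; the claims name no algorithms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// mac is HMAC-SHA256, assumed here for combining keys and for signing requests.
func mac(key, msg []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(msg)
	return h.Sum(nil)
}
// aead keys AES-256-GCM (assumed) with mac(global "second" key, account "third" key).
func aead(global, account []byte) cipher.AEAD {
	block, _ := aes.NewCipher(mac(global, account)) // 32-byte key: cannot fail
	g, _ := cipher.NewGCM(block)
	return g
}
// IssueToken returns the token (nonce||ciphertext) and the random first key sealed in it.
func IssueToken(global, account []byte) ([]byte, []byte, error) {
	buf := make([]byte, 44) // 32-byte first key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, nil, err
	}
	return aead(global, account).Seal(buf[32:], buf[32:], buf[:32], nil), buf[:32], nil
}
// VerifyRequest recovers the first key; without the account key, Open fails.
func VerifyRequest(global, account, token, body, sig []byte) bool {
	if len(token) < 12 {
		return false
	}
	firstKey, err := aead(global, account).Open(nil, token[:12], token[12:], nil)
	return err == nil && hmac.Equal(mac(firstKey, body), sig)
}
// main verifies one request on a trusted server and on one lacking the account key.
func main() {
	global, account := []byte("constructed global key"), []byte("constructed account key")
	token, firstKey, _ := IssueToken(global, account)
	body := []byte("GET /resource")
	sig := mac(firstKey, body) // the device signs with the first key
	fmt.Println("trusted server:", VerifyRequest(global, account, token, body, sig))
	fmt.Println("no account key:", VerifyRequest(global, nil, token, body, sig))
}
```

A server holding only the global key cannot open the token, so the same token and signature are rejected there even though the request itself is unchanged.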
20 Claims
1. A computer-implemented method, comprising:
- generating a session token that includes a first key;
- encrypting the session token with an encryption key, the encryption key generated from a combination of a second key and a third key, the second key associated with and available to a set of servers, the third key associated with a customer account, and the third key available to a proper subset of the set of servers, the proper subset specified by a policy service that identifies the proper subset of servers where the session token is allowed to be used;
- providing the encrypted token and the first key to a device associated with the customer account; and
- in response to receiving a request to establish a session, the request including the token, and the request signed with the first key;
- recovering the first key from the token using the encryption key to acquire a recovered first key;
- verifying that the request is validly signed using the recovered first key; and
- as a result of verifying that the request is validly signed using the recovered first key, fulfilling the request.
Dependent claims: 2, 3, 4
5. A system, comprising at least one computing device that includes a processor and memory, the memory storing instructions that, as a result of being executed by the processor cause the system to:
- generate a session token that includes a first key;
- encrypt the session token with a second key and a third key, the second key available to a set of servers, the third key associated with an account of a customer, the third key available to a proper subset of the set of servers, the proper subset specified by a service different from the system, the service identifying the proper subset of servers where the session token is allowed to be used;
- receive a request that is signed using a credential of the customer; and
- in response to the request, provide the encrypted token and the first key to a device associated with the account.
Dependent claims: 6, 7, 8, 9, 10, 11, 12
13. A set of one or more non-transitory computer-readable storage media having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
- generate a session token that includes a first key;
- obtain an indication of a proper subset of a set of servers from a policy service based at least in part on a policy associated with a customer;
- encrypt the session token with a second key and a third key, the second key available to the set of servers, the third key associated with an account of the customer, the third key available to the proper subset of the set of servers;
- receive a request that is signed using a credential of the customer; and
- in response to the request, provide the encrypted token and the first key to a device associated with the account.
Dependent claims: 14, 15, 16, 17, 18, 19, 20
Specification