Dynamically updating authentication schemes

US 10,284,519 B1
Filed: 01/23/2012
Issued: 05/07/2019
Est. Priority Date: 01/23/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

under control of one or more processors configured with executable instructions, performing actions including;

generating, by an application, a service request to a network services provider that includes one or more request parameters;

composing a string-to-sign based at least in part on the one or more request parameters and in accordance with a predefined digital signature generation scheme defined, at least in part, by the network services provider;

signing the string-to-sign in accordance with the predefined digital signature generation scheme to generate an authenticating digital signature;

submitting, through the application, the service request and the authenticating digital signature;

receiving, from the network services provider, a notification regarding an updated digital signature generation scheme, the notification indicating at least one of an expiration of the predefined digital signature generation scheme or that the predefined digital signature generation scheme is invalid;

receiving, from the network services provider, instructions for creating an authentication signature by implementing the updated digital signature generation scheme; and

in response to receiving the instructions, implementing the updated digital signature generation scheme when subsequently composing and signing the string-to-sign, wherein receiving the instructions for creating the authentication signature and implementing the updated digital signature generation scheme occurs while the application is executing.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

When requesting network services, clients often supply authentication information such as digital signatures. A network provider may from time to time change its authentication scheme. Clients are notified of the change and are provided with an updated authentication specification. Upon receiving the updated authentication specification, a client updates its authentication logic accordingly, and subsequently prepares and provides authentication information in accordance with the new authentication scheme.

7 Citations

32 Claims

1. A method, comprising:
- under control of one or more processors configured with executable instructions, performing actions including;
  
  generating, by an application, a service request to a network services provider that includes one or more request parameters;
  
  composing a string-to-sign based at least in part on the one or more request parameters and in accordance with a predefined digital signature generation scheme defined, at least in part, by the network services provider;
  
  signing the string-to-sign in accordance with the predefined digital signature generation scheme to generate an authenticating digital signature;
  
  submitting, through the application, the service request and the authenticating digital signature;
  
  receiving, from the network services provider, a notification regarding an updated digital signature generation scheme, the notification indicating at least one of an expiration of the predefined digital signature generation scheme or that the predefined digital signature generation scheme is invalid;
  
  receiving, from the network services provider, instructions for creating an authentication signature by implementing the updated digital signature generation scheme; and
  
  in response to receiving the instructions, implementing the updated digital signature generation scheme when subsequently composing and signing the string-to-sign, wherein receiving the instructions for creating the authentication signature and implementing the updated digital signature generation scheme occurs while the application is executing.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein:
    - the actions are performed by the application during its execution; and
      
      the receiving is performed at least upon initiating the application.
  - 3. The method of claim 1, wherein:
    - the actions are performed by the application during its execution; and
      
      the receiving is performed at least upon an initial use of the application.
  - 4. The method of claim 1, wherein the updated digital signature generation scheme indicates at least one or more of the following:
    - a digital signing protocol;
      
      a cryptographic algorithm;
      
      ora canonicalization routine.
  - 5. The method of claim 1, wherein the updated digital signature generation scheme comprises executable code.
  - 6. The method of claim 1, wherein the updated digital signature generation scheme is defined procedurally.
  - 7. The method of claim 1, wherein the updated digital signature generation scheme is defined declaratively.
  - 8. The method of claim 1, further comprising periodically checking with the network services provider for the updated digital signature generation scheme.
  - 9. The method of claim 1, further comprising receiving an error indication in response to submitting the service request, wherein receiving the instructions for creating the authentication signature to result in the updated digital signature generation scheme is performed in response to receiving the error indication.
  - 10. The method of claim 1, wherein receiving the instructions for creating the authentication signature to result in the updated digital signature generation scheme is performed in response to the expiration of the predefined digital signature generation scheme.
  - 11. The method of claim 1, wherein the service request and the authenticating digital signature are submitted to the network services provider.

12. One or more non-transitory computer-readable media including instructions that are executable by one or more processors to perform actions comprising:
- generating a digital signature scheme based at least in part on client authentication logic that is predetermined, at least in part, by a network service;
  
  generating a string-to-sign based at least in part on the digital signature scheme and a service request that includes one or more request parameters;
  
  determining a signed string-to-sign based at least in part on the string-to-sign;
  
  generating an authenticating digital signature based at least in part on the signed string-to-sign and the digital signature scheme;
  
  calling the network service from a client application;
  
  submitting, through the client application, the authenticating digital signature;
  
  receiving, from the network service, a notification indicating at least one of an expiration of the digital signature scheme or that the digital signature scheme is no longer valid;
  
  receiving, from the network service, an updated digital signature generation scheme designated by the network service to authorize the client application to call the network service; and
  
  in response to receiving the updated digital signature generation scheme, updating the client authentication logic in accordance with the updated digital signature generation scheme when subsequently generating the string-to-sign and the authenticating digital signature without restarting the client application.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 13. The one or more non-transitory computer-readable media of claim 12, wherein receiving the updated digital signature generation scheme and updating the client authentication logic are performed during execution of the client application.
  - 14. The one or more non-transitory computer-readable media of claim 12, wherein receiving the updated digital signature generation scheme and updating the client authentication logic are performed at least upon an application initialization.
  - 15. The one or more non-transitory computer-readable media of claim 12, wherein receiving the updated digital signature generation scheme and updating the client authentication logic are performed, at least in part, in response to a time expiration.
  - 16. The one or more non-transitory computer-readable media of claim 12, wherein the client authentication logic comprises software designated by the network service.
  - 17. The one or more non-transitory computer-readable media of claim 12, wherein the updated digital signature generation scheme is specified declaratively.
  - 18. The one or more non-transitory computer-readable media of claim 12, wherein the updated digital signature generation scheme is specified procedurally.
  - 19. The one or more non-transitory computer-readable media of claim 12, the actions further comprising repeatedly checking with the network service for the updated digital signature generation scheme.
  - 20. The one or more non-transitory computer-readable media of claim 12, the actions further comprising receiving an alert from the network service indicating availability of the updated digital signature generation scheme.
  - 21. The one or more non-transitory computer-readable media of claim 12, the actions further comprising receiving an alert from the network service indicating availability of the updated digital signature generation scheme, the alert being received in conjunction with the calling.
  - 22. The one or more non-transitory computer-readable media of claim 12, the actions further comprising receiving an error in response to submitting the authenticating digital signature, wherein receiving the notification is in response to receiving the error.
  - 23. The one or more non-transitory computer-readable media of claim 12, wherein the updated digital signature generation scheme indicates at least one or more of the following:
    - a digital signing protocol;
      
      a cryptographic algorithm;
      
      ora canonicalization routine.
  - 24. The one or more non-transitory computer-readable media of claim 12, wherein:
    - determining the signed string-to-sign comprises cryptographically signing the string-to-sign; and
      
      the updated digital signature generation scheme indicates how to compose the string-to-sign.

25. A network-based service, comprising:
- one or more processors;
  
  computer-readable memory storing instructions that are executable by the one or more processors to perform actions comprising;
  
  receiving one or more service requests from a client, the one or more service requests being generated by a client application associated with the client and including one or more request parameters;
  
  receiving authenticating information from the client in conjunction with the one or more service requests, the authenticating information comprising a signed string-to-sign based at least in part on a digital signature generation scheme, wherein the signed string-to-sign is generated based at least in part on the one or more request parameters, and wherein the digital signature generation scheme is at least one of expired or invalid;
  
  authenticating the one or more service requests based at least in part on the authenticating information;
  
  notifying the client that the digital signature generation scheme is at least one of expired or invalid; and
  
  indicating an updated digital signature generation scheme to the client, wherein the updated digital signature generation scheme is to be implemented by the client in order to generate the authenticating information.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32)
- - 26. The network-based service of claim 25, wherein indicating the updated digital signature generation scheme comprises providing executable code to the client.
  - 27. The network-based service of claim 25, wherein indicating the updated digital signature generation scheme comprises providing a declarative specification to the client.
  - 28. The network-based service of claim 25, the actions further comprising associating an expiration time with the updated digital signature generation scheme.
  - 29. The network-based service of claim 25, wherein notifying the client is based at least in part on determining that the digital signature scheme is at least one of expired or invalid.
  - 30. The network-based service of claim 25, the actions further comprising alerting the client to availability of the updated digital signature generation scheme.
  - 31. The network-based service of claim 25, the actions further comprising alerting the client to availability of the updated digital signature generation scheme in response to receiving the one or more service requests.
  - 32. The network-based service of claim 25, wherein the updated digital signature generation scheme indicates at least one or more of the following:
    - a digital signing protocol;
      
      a cryptographic algorithm;
      
      ora canonicalization routine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Brandwine, Eric J., DeSantis, Peter N.
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Truvan, Leynna T

Application Number

US13/356,470
Time in Patent Office

2,661 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 8/65   Updates security arrangemen...

H04L 63/00   Network architectures or ne...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 9/16   the keys or algorithms bein...

H04L 9/3247   involving digital signatures

Dynamically updating authentication schemes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

7 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamically updating authentication schemes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

7 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links