Dynamic response signing capability in a distributed system

US 10,326,597 B1
Filed: 06/27/2014
Issued: 06/18/2019
Est. Priority Date: 06/27/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

obtaining, at a first computer system and from a requestor, an application programming interface request to perform one or more operations, the application programming interface request including a digital signature;

forwarding the application programming interface request and the digital signature to an authentication server configured with cryptographic material shared with the requestor but inaccessible to the first computer system;

obtaining, by the first computer system from the authentication server, an indication that the digital signature matches the application programming interface request and, as a result of the digital signature matching the application programming interface request, a cryptographic key cryptographically derived, by the authentication server, from the cryptographic material and by performing a plurality of cryptographic operations where, for a subset of the cryptographic operations, output of each cryptographic operation of the subset is based at least in part on output of a previous cryptographic operation of the plurality of cryptographic operations and a key derivation parameter using an ordered plurality of key derivation parameters in accordance with the ordering;

generating, based at least in part on the indication, a response to the application programming interface request;

generating a digital signature of the generated response based at least in part on the obtained cryptographic key; and

providing the generated response and the generated digital signature to the requestor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system that provides responses to requests obtains a key that is used to digitally sign the request. The key is derived from information that is shared with a requestor to which the response is sent. The requestor derives, using the shared information, derives a key usable to verify the digital signature of the response, thereby enabling the requestor to operate in accordance with whether the digital signature of the response matches the response.

Citations

24 Claims

1. A computer-implemented method, comprising:
- obtaining, at a first computer system and from a requestor, an application programming interface request to perform one or more operations, the application programming interface request including a digital signature;
  
  forwarding the application programming interface request and the digital signature to an authentication server configured with cryptographic material shared with the requestor but inaccessible to the first computer system;
  
  obtaining, by the first computer system from the authentication server, an indication that the digital signature matches the application programming interface request and, as a result of the digital signature matching the application programming interface request, a cryptographic key cryptographically derived, by the authentication server, from the cryptographic material and by performing a plurality of cryptographic operations where, for a subset of the cryptographic operations, output of each cryptographic operation of the subset is based at least in part on output of a previous cryptographic operation of the plurality of cryptographic operations and a key derivation parameter using an ordered plurality of key derivation parameters in accordance with the ordering;
  
  generating, based at least in part on the indication, a response to the application programming interface request;
  
  generating a digital signature of the generated response based at least in part on the obtained cryptographic key; and
  
  providing the generated response and the generated digital signature to the requestor.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, wherein:
    - obtaining the cryptographic key includes obtaining a second cryptographic key, the cryptographic key and the second cryptographic key being different and derived from the cryptographic material; and
      
      the method further comprises using the second cryptographic key to verify a digital signature of at least one additional request obtained from the requestor.
  - 3. The computer-implemented method of claim 1, wherein:
    - obtaining the cryptographic key includes obtaining information usable to cryptographically prove, to a second computer system, authority to cause the second computer system to fulfill a request submitted on behalf of the requestor; and
      
      the method further comprises using the information to submit at least one request to the second computer system.
  - 4. The computer-implemented method of claim 1, wherein:
    - obtaining the cryptographic key includes obtaining a set of policies; and
      
      the method further comprises using the obtained set of policies to determine whether to fulfill at least one future request received obtained from the requestor.

5. A system, comprising:
- at least one computing device implementing a server, the server operating to;
  
  obtain, via a different system, a request and a first digital signature, the request generated by a requestor;
  
  determine whether the first digital signature matches the obtained request;
  
  generate information usable to generate response signatures that are verifiable using information available to the requestor, the information usable to generate response signatures comprising a cryptographic key derived by;
  
  obtaining an ordered plurality of key derivation parameters, andperforming a plurality of cryptographic operations where, for a subset of the cryptographic operations, output of each cryptographic operation of the subset is based at least in part on output of a previous cryptographic operation of the plurality of cryptographic operations and a key derivation parameter from the ordered plurality of key derivation parameters in accordance with the ordering; and
  
  as a result of the first digital signature matching the received obtained request, provide the generated information to the different system.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 6. The system of claim 5, wherein:
    - the system determines whether the digital signature matches the request using a request signing key that is different from the response signing key;
      
      the information available to the requestor comprises cryptographic material available to the requestor; and
      
      the response signing key is derived from the cryptographic material available to the requestor.
  - 7. The system of claim 5, wherein the request is a web service application programming interface request.
  - 8. The system of claim 5, wherein the information usable to generate response signatures comprises the cryptographic key that is derived based at least in part on cryptographic material used by the requestor to generate the first digital signature.
  - 9. The system of claim 5, wherein the system further implements a second server, the second server configured to:
    - obtain the information usable to sign requests from the server;
      
      generate a response to the request;
      
      determine a response signing key based at least in part on the information usable to sign responses;
      
      use the response signing key to generate a digital signature of the response; and
      
      provide the response and the generated digital signature to the requestor.
  - 10. The system of claim 9, wherein:
    - the server is further configured to determine a request verification key based at least in part on the request and provide the request verification key with the response signing key; and
      
      the second server is further configured to cache the request verification key and use the request verification key to verify a digital signature on at least one future request obtained from the requestor.
  - 11. The system of claim 10, wherein the response signing key and the request verification key are each derived from cryptographic material available to the requestor by obtaining an ordered plurality of key derivation parameters including an ordering and performing a plurality of cryptographic operations where, for a subset of the cryptographic operations, output of each cryptographic operation of the subset is based at least in part on output of a previous cryptographic operation of the plurality of cryptographic operations and a key derivation parameter from the ordered plurality of key derivation parameters in accordance with the ordering.
  - 12. The system of claim 5, wherein:
    - the information available to the requestor comprises cryptographic material available to the requestor; and
      
      the server is further configured to select, based at least in part on an association of the request with an entity, the cryptographic material from multiple instances of cryptographic material uniquely corresponding to different entities.
  - 13. The system of claim 5, wherein generating the information comprises deriving a cryptographic key based at least in part on cryptographic material available to the requestor.
  - 14. The system of claim 5, wherein:
    - the request corresponds to a customer of a plurality of customers of a service provider; and
      
      the information is generated to be, for other customers of the plurality of customers, insufficient for generating response signatures.
  - 15. The system of claim 5, wherein the system is operated by a service provider and the other system is operated by a customer of the service provider.

16. A non-transitory computer-readable storage medium comprising executable instructions that, if executed by one or more processors of a computer system, cause the computer system to at least:
- obtain a request and a digital signature of the request from a requestor;
  
  provide the request and the digital signature to another system, different from the requestor, to obtain, from the other system, information usable to generate digital signatures of responses such that the digital signatures of the responses are verifiable using information available to the requestor, the obtained information including an ordered plurality of derivation parameters, the digital signatures generated by performing a plurality of cryptographic operations where, for a subset of the cryptographic operations, output of each cryptographic operation of the subset is based at least in part on output of a previous cryptographic operation of the plurality of cryptographic operations and a key derivation parameter including a portion of the obtained information including an ordered plurality of derivation parameters in accordance with the ordering;
  
  generate, based at least in part on a generated response to the request and the ordered plurality of derivation parameters of the obtained information, a digital signature of the generated response; and
  
  make the generated response and the generated digital signature available to the requestor.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24)
- - 17. The non-transitory computer-readable storage medium of claim 16, wherein, when the request is obtained, the information is unavailable to the computer system.
  - 18. The non-transitory computer-readable storage medium of claim 16, wherein:
    - the information comprises a cryptographic key operable to sign responses and a second cryptographic key derived from cryptographic material available to the requestor; and
      
      the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to use the second cryptographic key to perform at least one operation as a result of receipt of a future request from the requestor.
  - 19. The non-transitory computer-readable storage medium of claim 16, wherein:
    - the information comprises a cryptographic key operable to sign responses and a second cryptographic key derived from cryptographic material available to the requestor; and
      
      the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to store the cryptographic key and use the stored cryptographic key to digitally sign a response to a future request obtained from the requestor.
  - 20. The non-transitory computer-readable storage medium of claim 16, wherein the instructions that cause the computer system to make the generated response and the generated digital signature available to the requestor, when executed by the one or more processors, cause the computer system to fragment a message comprising the response and the digital signature, thereby producing a plurality of fragments, and transmitting the fragments to the requestor over a network.
  - 21. The non-transitory computer-readable storage medium of claim 16, wherein:
    - the information usable to generate digital signatures of responses comprises cryptographic material available to the requestor; and
      
      the cryptographic material is unavailable to the computer system when the request is obtained.
  - 22. The non-transitory computer-readable storage medium of claim 16, wherein the request is a web service application programming interface request.
  - 23. The non-transitory computer-readable storage medium of claim 16, wherein the instructions that cause the computer system to generate the digital signature, when executed by the one or more processors, cause the computer system to use a symmetric cryptographic algorithm to generate the digital signature.
  - 24. The non-transitory computer-readable storage medium of claim 16, wherein:
    - the digital signature was generated using a first cryptographic key including a first lifetime; and
      
      the information comprises a second cryptographic key including a second lifetime based at least in part on the first lifetime.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Brandwine, Eric Jason
Primary Examiner(s)
Truong, Thanhnga B
Assistant Examiner(s)
An, Wayne

Application Number

US14/318,457
Time in Patent Office

1,817 Days
Field of Search
US Class Current
CPC Class Codes

H04L 9/0836   using tree structure or hie...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/3247   involving digital signatures

Dynamic response signing capability in a distributed system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic response signing capability in a distributed system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links