Dynamic response signing capability in a distributed system
First Claim
Patent Images
1. A computer-implemented method, comprising:
- obtaining, at a first computer system and from a requestor, an application programming interface request to perform one or more operations, the application programming interface request including a digital signature;
forwarding the application programming interface request and the digital signature to an authentication server configured with cryptographic material shared with the requestor but inaccessible to the first computer system;
obtaining, by the first computer system from the authentication server, an indication that the digital signature matches the application programming interface request and, as a result of the digital signature matching the application programming interface request, a cryptographic key cryptographically derived, by the authentication server, from the cryptographic material and by performing a plurality of cryptographic operations where, for a subset of the cryptographic operations, output of each cryptographic operation of the subset is based at least in part on output of a previous cryptographic operation of the plurality of cryptographic operations and a key derivation parameter using an ordered plurality of key derivation parameters in accordance with the ordering;
generating, based at least in part on the indication, a response to the application programming interface request;
generating a digital signature of the generated response based at least in part on the obtained cryptographic key; and
providing the generated response and the generated digital signature to the requestor.
1 Assignment
0 Petitions
Accused Products
Abstract
A system that provides responses to requests obtains a key that is used to digitally sign the request. The key is derived from information that is shared with a requestor to which the response is sent. The requestor derives, using the shared information, derives a key usable to verify the digital signature of the response, thereby enabling the requestor to operate in accordance with whether the digital signature of the response matches the response.
-
Citations
24 Claims
-
1. A computer-implemented method, comprising:
-
obtaining, at a first computer system and from a requestor, an application programming interface request to perform one or more operations, the application programming interface request including a digital signature; forwarding the application programming interface request and the digital signature to an authentication server configured with cryptographic material shared with the requestor but inaccessible to the first computer system; obtaining, by the first computer system from the authentication server, an indication that the digital signature matches the application programming interface request and, as a result of the digital signature matching the application programming interface request, a cryptographic key cryptographically derived, by the authentication server, from the cryptographic material and by performing a plurality of cryptographic operations where, for a subset of the cryptographic operations, output of each cryptographic operation of the subset is based at least in part on output of a previous cryptographic operation of the plurality of cryptographic operations and a key derivation parameter using an ordered plurality of key derivation parameters in accordance with the ordering; generating, based at least in part on the indication, a response to the application programming interface request; generating a digital signature of the generated response based at least in part on the obtained cryptographic key; and providing the generated response and the generated digital signature to the requestor. - View Dependent Claims (2, 3, 4)
-
-
5. A system, comprising:
-
at least one computing device implementing a server, the server operating to; obtain, via a different system, a request and a first digital signature, the request generated by a requestor; determine whether the first digital signature matches the obtained request; generate information usable to generate response signatures that are verifiable using information available to the requestor, the information usable to generate response signatures comprising a cryptographic key derived by; obtaining an ordered plurality of key derivation parameters, and performing a plurality of cryptographic operations where, for a subset of the cryptographic operations, output of each cryptographic operation of the subset is based at least in part on output of a previous cryptographic operation of the plurality of cryptographic operations and a key derivation parameter from the ordered plurality of key derivation parameters in accordance with the ordering; and as a result of the first digital signature matching the received obtained request, provide the generated information to the different system. - View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
-
-
16. A non-transitory computer-readable storage medium comprising executable instructions that, if executed by one or more processors of a computer system, cause the computer system to at least:
-
obtain a request and a digital signature of the request from a requestor; provide the request and the digital signature to another system, different from the requestor, to obtain, from the other system, information usable to generate digital signatures of responses such that the digital signatures of the responses are verifiable using information available to the requestor, the obtained information including an ordered plurality of derivation parameters, the digital signatures generated by performing a plurality of cryptographic operations where, for a subset of the cryptographic operations, output of each cryptographic operation of the subset is based at least in part on output of a previous cryptographic operation of the plurality of cryptographic operations and a key derivation parameter including a portion of the obtained information including an ordered plurality of derivation parameters in accordance with the ordering; generate, based at least in part on a generated response to the request and the ordered plurality of derivation parameters of the obtained information, a digital signature of the generated response; and make the generated response and the generated digital signature available to the requestor. - View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24)
-
Specification