Mutual authentication with symmetric secrets and signatures

US 10,375,067 B2
Filed: 08/11/2017
Issued: 08/06/2019
Est. Priority Date: 06/26/2014
Status: Expired due to Fees

First Claim

Patent Images

1. A non-transitory computer-readable storage medium storing thereon instructions that, as a result of execution by one or more processors of a computer system, cause the computer system to:

access a cryptographic key usable to derive a signing key, the signing key accessible to a second computer system and usable to generate a digital signature of a request to cause the second computer system to fulfill the request;

derive, from the cryptographic key, a session key by at least deriving a pre-shared key from the cryptographic key and generating the session key from the pre-shared key; and

use the session key to encrypt at least a portion of one or more communications to the second computer system, the one or more communications comprising a first request that is digitally signed using the signing key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A client and server negotiate a secure communication channel using a pre-shared key where the server, at the time the negotiation initiates, lacks access to the pre-shared key. The server obtains the pre-shared key from another server that shares a secret with the client. A digital signature or other authentication information generated by the client may be used to enable the other server to determine whether to provide the pre-shared key.

Citations

21 Claims

1. A non-transitory computer-readable storage medium storing thereon instructions that, as a result of execution by one or more processors of a computer system, cause the computer system to:
- access a cryptographic key usable to derive a signing key, the signing key accessible to a second computer system and usable to generate a digital signature of a request to cause the second computer system to fulfill the request;
  
  derive, from the cryptographic key, a session key by at least deriving a pre-shared key from the cryptographic key and generating the session key from the pre-shared key; and
  
  use the session key to encrypt at least a portion of one or more communications to the second computer system, the one or more communications comprising a first request that is digitally signed using the signing key.
- View Dependent Claims (2, 3)
- - 2. The non-transitory computer-readable storage medium of claim 1, wherein the signing key is different from the session key.
  - 3. The non-transitory computer-readable storage medium of claim 1, wherein the instructions further comprise instructions that, as a result of execution by the one or more processors, cause the computer system to complete a handshake process in accordance with a protocol to cause the second computer system to utilize the session key.

4. A system, comprising:
- one or more processors; and
  
  memory storing instructions that, if executed by the one or more processors, cause the system to;
  
  access a secret usable to derive a signing key, the signing key accessible to a second computer system and usable to generate a digital signature of a request to cause the second computer system to fulfill the request;
  
  derive a session key based at least in part on the secret;
  
  use the signing key to digitally sign information that is based at least in part on multiple messages transmitted between the system and the second computer system; and
  
  use the session key to cryptographically protect at least a portion of one or more communications to the second computer system, the one or more communications comprising a first request that is digitally signed using the signing key.
- View Dependent Claims (5, 6, 7, 8, 9, 10)
- - 5. The system of claim 4, wherein the signing key and session key are different.
  - 6. The system of claim 4, wherein use of the session key to encrypt at least a portion of one or more communications to the second computer system is according to a protocol for cryptographically protected communications that utilizes a pre-shared key.
  - 7. The system of claim 4, wherein use the session key to encrypt at least a portion of one or more communications to the second computer system comprises encrypting the one or more communications.
  - 8. The system of claim 4, wherein the instructions further include instructions that, if executed by the one or more processors, cause the system to transmit a set of parameters to derive the session key.
  - 9. The system of claim 4, wherein the instructions further comprise instructions that, if executed by the one or more processors, cause the computer system to use the signing key to digitally sign information that is based at least in part on multiple messages transmitted between the computer system and the second computer system.
  - 10. The system of claim 4, wherein the instructions that cause the computer system to derive the session key, as a result of execution by the one or more processors, cause the computer system to perform a plurality of iterations to derive the session key, each iteration of the plurality of iterations involving a different derivation parameter input into a function.

11. A computer-implemented method, comprising:
- deriving a session key based at least in part on a secret, the secret usable to derive a signing key, the signing key accessible to a second computer system and usable to generate a digital signature of a request to cause the second computer system to fulfill the request; and
  
  using the session key to cryptographically protect at least a portion of one or more communications to the second computer system, the one or more communications comprising a first request that is digitally signed using the signing key.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The computer-implemented method of claim 11, wherein the signing key and session key are different.
  - 13. The computer-implemented method of claim 11, wherein cryptographically protecting the at least the portion of the one or more communications comprises encrypting the one or more communications.
  - 14. The computer-implemented method of claim 11, wherein deriving the session key based at least in part on the secret comprises performing a plurality of iterations, wherein the plurality of iterations comprises a first iteration utilizing a first derivation parameter and a second iteration utilizing a second derivation parameter different from the first derivation parameter.
  - 15. The computer-implemented method of claim 14, wherein at least one of the plurality of iterations uses the secret as input into a derivation function.
  - 16. The computer-implemented method of claim 14, wherein the first derivation parameter and second derivation parameter are non-secret values.

17. A non-transitory computer-readable storage medium storing thereon instructions that, as a result of execution by one or more processors of a computer system, cause the computer system to:
- derive a session key based at least in part on a secret, the secret usable to derive a signing key, the signing key accessible to a second computer system and usable to generate a digital signature of a request to cause the second computer system to fulfill the request, the session key being iteratively derived using a plurality of iterations, each iteration of the plurality of iterations involving a different derivation parameter input into a function;
  
  use the session key to cryptographically protect at least a portion of one or more communications to the second computer system, the one or more communications comprising a first request that is digitally signed using the signing key.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The non-transitory computer-readable storage medium of claim 17, wherein the instructions that cause the computer system to derive the session key, comprise instructions that, as a result of execution by the one or more processors, cause the computer system to derive a pre-shared key from the secret and generate the session key from the pre-shared key.
  - 19. The non-transitory computer-readable storage medium of claim 17, wherein the instructions further comprise instructions that, as a result of execution by the one or more processors, cause the computer system to use the signing key to digitally sign information that is based at least in part on multiple messages transmitted between the computer system and the second computer system.
  - 20. The non-transitory computer-readable storage medium of claim 17, wherein the instructions further comprise instructions that, as a result of execution by the one or more processors, cause the computer system to provide parameters for deriving the session key to enable the second computer system to derive the session key.
  - 21. The non-transitory computer-readable storage medium of claim 17, wherein:
    - the secret is a symmetric cryptographic key;
      
      the function is a one-way function; and
      
      cryptographically protecting the at least the portion of the one or more communications comprises encrypting the at least the portion of the one or more communications.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Rubin, Gregory Alan
Primary Examiner(s)
Shayanfar, Ali

Application Number

US15/675,605
Publication Number

US 20170346819A1
Time in Patent Office

725 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0869   for achieving mutual authen...

H04L 63/123   received data contents, e.g...

H04L 63/166   at the transport layer

H04L 9/0861   Generation of secret inform...

H04L 9/14   using a plurality of keys o...

H04L 9/32   including means for verifyi...

H04L 9/321   involving a third party or ...

H04L 9/3247   involving digital signatures

H04L 9/3273   for mutual authentication n...

Mutual authentication with symmetric secrets and signatures

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Mutual authentication with symmetric secrets and signatures

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links