Signed envelope encryption
Abstract
Clients within a computing environment may establish a secure communication session. Sometimes, a client may trust another client to read, but not modify, a message. Clients may utilize a cryptography service to generate a message protected against improper modification. Clients may utilize a cryptography service to verify whether a protected message has been improperly modified.
20 Claims
1. A system, comprising memory to store instructions that, as a result of execution by the one or more processors, cause the system to:
- obtain, from a cryptography service and via a web API request, a first set of information comprising:
  - an encrypted cryptographic key usable to obtain a cryptographic key; and
  - an authentication tag, validity of the authentication tag cryptographically derivable from at least the cryptographic key and a public key;
- generate a second set of information by at least:
  - encrypting data using the cryptographic key, thereby generating a second ciphertext; and
  - using a private key corresponding to the public key to generate a digital signature based at least in part on the data, wherein validity of the digital signature is verifiable using the public key; and
- provide the first set of information and the second set of information to another computer system.
Dependent claims: 2, 3, 4

5. A computer-implemented method, comprising:
- obtaining, from a cryptography service, a first set of information comprising:
  - an encrypted cryptographic key usable to obtain a cryptographic key; and
  - an authentication tag, validity of the authentication tag cryptographically derivable from at least the cryptographic key and a public key;
- generating a second set of information by at least:
  - encrypting data using the cryptographic key to generate a second ciphertext of the data; and
  - generating a digital signature of at least the data using a private key corresponding to the public key; and
- providing the first set of information and the second set of information to another computer system.
Dependent claims: 6, 7, 8, 9, 10, 11, 12

13. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
- receive a first set of information comprising:
  - an encrypted cryptographic key usable to obtain a cryptographic key; and
  - an authentication tag, validity of the authenticity tag cryptographically derivable from at least the cryptographic key and a public key;
- receive a second set of information comprising:
  - a ciphertext; and
  - a digital signature, authenticity of the digital signature verifiable using at least in part on the public key;
- provide, to a cryptography service and via a web API request, the encrypted cryptographic key, the public key, and the authentication tag;
- receive, as a response, at least the cryptographic key and a key identifier;
- verify that the key identifier matches an expected key identifier associated with an expected client and that the digital signature is valid; and
- decrypt the ciphertext using the cryptographic key to obtain a plaintext, wherein the cryptography service lacks sufficient cryptographic material to generate the digital signature from the plaintext.
Dependent claims: 14, 15, 16, 17, 18, 19, 20
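
The sender flow of claim 1 and the recipient flow of claim 13, as an added Node.js example that is not taken from the patent. Assumptions made for the illustration: two in-process functions stand in for the cryptography service, the data key is wrapped with AES-256-GCM using the public key as associated data, signatures are Ed25519 over the plaintext, and the `MASTER` record and all function names are hypothetical.

```javascript
const nodeCrypto = require("node:crypto");

// AES-256-GCM helpers. Returning iv, ct and tag as separate fields is a layout chosen for this example.
function gcmSeal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  if (aad) c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function gcmOpen(key, { iv, ct, tag }, aad) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, iv);
  d.setAuthTag(tag);
  if (aad) d.setAAD(aad);
  return Buffer.concat([d.update(ct), d.final()]); // throws if key, iv, ct, tag or aad differ
}

// Stand-in for the cryptography service (assumption): it alone holds the master key.
const MASTER = { keyId: "sender-master-key", key: nodeCrypto.randomBytes(32) }; // constructed
function generateDataKey(publicKeyDer) {
  const dataKey = nodeCrypto.randomBytes(32);
  // The public key is associated data, so the tag depends on both the data key and the public key.
  const { tag, ...encryptedKey } = gcmSeal(MASTER.key, dataKey, publicKeyDer);
  return { dataKey, encryptedKey, authTag: tag };
}
function decryptDataKey(encryptedKey, publicKeyDer, authTag) {
  const dataKey = gcmOpen(MASTER.key, { ...encryptedKey, tag: authTag }, publicKeyDer);
  return { dataKey, keyId: MASTER.keyId };
}

// Sender: encrypt under the data key and sign with a private key the service never sees.
function sealEnvelope(plaintext) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
  const publicKeyDer = publicKey.export({ type: "spki", format: "der" });
  const { dataKey, encryptedKey, authTag } = generateDataKey(publicKeyDer);
  return { encryptedKey, authTag, publicKeyDer, ciphertext: gcmSeal(dataKey, plaintext),
           signature: nodeCrypto.sign(null, plaintext, privateKey) };
}

// Recipient: unwrap via the service, check the key identifier, decrypt, then verify the signature.
function openEnvelope(msg, expectedKeyId) {
  const { dataKey, keyId } = decryptDataKey(msg.encryptedKey, msg.publicKeyDer, msg.authTag);
  if (keyId !== expectedKeyId) throw new Error("unexpected key identifier");
  const plaintext = gcmOpen(dataKey, msg.ciphertext);
  const pub = nodeCrypto.createPublicKey({ key: msg.publicKeyDer, format: "der", type: "spki" });
  if (!nodeCrypto.verify(null, plaintext, pub, msg.signature)) throw new Error("bad signature");
  return plaintext;
}
```

A recipient who has unwrapped the data key can read the message, but content re-encrypted under that key fails the signature check, and replacing the public key invalidates the authentication tag at the service.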
Specification