Key export techniques

US 10,469,477 B2
Filed: 03/31/2015
Issued: 11/05/2019
Est. Priority Date: 03/31/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

selecting a first cryptographic key with an expiration that matches a lifetime specified in a request;

providing, in response to the request, an encrypted second cryptographic key generated by encrypting a second cryptographic key using the first cryptographic key; and

after providing the encrypted second cryptographic key, performing one or more operations to lose information to prevent an ability to obtain the second cryptographic key until another request that includes the encrypted second cryptographic key is later obtained.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system performs cryptographic operations as a service. The computer system is configured to allow users of the service to maintain control of their respective cryptographic material. The computer system uses inaccessible cryptographic material to encrypt a user'"'"'s cryptographic material in a token that is then provided to the user. The user is unable to access a plaintext copy of the cryptographic material in the token, but can provide the token back to the service to cause the service to decrypt and use the cryptographic material.

138 Citations

20 Claims

1. A computer-implemented method, comprising:
- selecting a first cryptographic key with an expiration that matches a lifetime specified in a request;
  
  providing, in response to the request, an encrypted second cryptographic key generated by encrypting a second cryptographic key using the first cryptographic key; and
  
  after providing the encrypted second cryptographic key, performing one or more operations to lose information to prevent an ability to obtain the second cryptographic key until another request that includes the encrypted second cryptographic key is later obtained.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, further comprising associating a policy with an identifier of the second cryptographic key such that a cryptography service uses the policy to control fulfillment of requests to perform cryptographic operations using the second cryptographic key.
  - 3. The computer-implemented method of claim 1, further comprising:
    - receiving, at a web server of a cryptography service, a second request for a hosted cryptographic key;
      
      generating, in a device that provides hardware protection of cryptographic material, the hosted cryptographic key;
      
      encrypting, using a third cryptographic key stored in the device, the hosted cryptographic key; and
      
      storing the encrypted hosted cryptographic key in a location accessible to the cryptography service.
  - 4. The computer-implemented method of claim 3, wherein:
    - the first cryptographic key is selected from a first subset of a set of first cryptographic keys within the device; and
      
      the third cryptographic key is from a second subset of the set of first cryptographic keys provisioned for hosted cryptographic keys.

5. A system, comprising memory to store instructions that, as a result of execution by one or more processors, cause the system to:
- encrypt a cryptographic key using cryptographic material inaccessible outside of a set of hardware devices that each provide hardware protection of the cryptographic material, the cryptographic material including an expiration corresponding to a time after which the cryptographic material becomes inaccessible, the expiration matching a lifetime specified in a request;
  
  provide the encrypted cryptographic key; and
  
  lose access to information to cause the system to be unable to obtain copies of the cryptographic key until another request that includes the encrypted cryptographic key is later obtained.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The system of claim 5, wherein:
    - the instructions, as a result of execution by the one or more processors, further cause the system to generate a token that comprises an identifier of the cryptographic key; and
      
      provide the encrypted cryptographic key includes providing the generated token.
  - 7. The system of claim 5, wherein the instructions, as a result of execution by the one or more processors, further cause the system to:
    - receive a second request to perform a cryptographic operation using the cryptographic key, the second request comprising the encrypted cryptographic key; and
      
      fulfill the second request by, contingent on the cryptographic material still being available, decrypting the encrypted cryptographic key and performing the cryptographic operation using the cryptographic key.
  - 8. The system of claim 7, wherein the instructions, as a result of execution by the one or more processors, further cause the system to:
    - receive a third request to perform the cryptographic operation, the third request specifying an identifier of a second cryptographic key;
      
      obtain, from a data storage location, an encrypted copy of the second cryptographic key;
      
      decrypt the encrypted copy of the second cryptographic key; and
      
      use the second cryptographic key to perform the cryptographic operation.
  - 9. The system of claim 5, wherein the instructions, as a result of execution by the one or more processors, further cause the system to:
    - associate a policy with the cryptographic key, the policy specifying a set of permissions for the cryptographic key; and
      
      control fulfillment of requests to use the cryptographic key in accordance with the policy.
  - 10. The system of claim 5, wherein the instructions, as a result of execution by the one or more processors, further cause the system to select the cryptographic material based at least in part on an expiration of the cryptographic material, the expiration indicating a time after which the system will lose access to the cryptographic material.
  - 11. The system of claim 5, wherein the hardware devices are hardware security modules.
  - 12. The system of claim 5, wherein the instructions, as a result of execution by the one or more processors, further cause the system to:
    - retrieve an encrypted copy of the cryptographic key from a data storage system; and
      
      decrypt the encrypted copy of the cryptographic key using other cryptographic material different from the cryptographic material.

13. A non-transitory computer-readable storage medium comprising executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
- obtain a key token comprising an encrypted copy of a first cryptographic key and information usable to identify a second cryptographic key including an expiration that matches a lifetime specified in a request;
  
  cause access to information usable to determine the first cryptographic key to be lost after the key token is generated until another request that includes the key token is later obtained; and
  
  if the second cryptographic key has not expired, derive the first cryptographic key from the key token and use the derived first cryptographic key to perform one or more cryptographic operations.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The non-transitory computer-readable storage medium of claim 13, wherein the executable instructions to obtain the key token, as a result of being executed by the one or more processors, cause the computer system to obtain the key token as a result of receipt of the request.
  - 15. The non-transitory computer-readable storage medium of claim 13, wherein the executable instructions to obtain the key token, as a result of being executed by the one or more processors, cause the computer system to issue a command to a device of a set of devices to cause generation of the key token.
  - 16. The non-transitory computer-readable storage medium of claim 13, wherein the executable instructions that, as a result of being executed by the one or more processors, further cause the computer system to:
    - determine, based at least in part on an identifier of the first cryptographic key, a set of policies defining a set of permissions for using the first cryptographic key;
      
      determine whether fulfillment of a second request complies with the determined set of policies; and
      
      derive the first cryptographic key from the key token and use the derived first cryptographic key to perform the one or more cryptographic operations is contingent on determining that fulfillment of the second request complies with the determined set of policies.
  - 17. The non-transitory computer-readable storage medium of claim 13, wherein the expiration of the second cryptographic key indicates a time after which the second cryptographic key becomes inaccessible to a set of hardware devices that manages the second cryptographic key.
  - 18. The non-transitory computer-readable storage medium of claim 13, wherein the executable instructions that cause the computer system to derive the first cryptographic key from the key token, as a result of being executed by the one or more processors, cause the computer system to determine the key token from a second request.
  - 19. The non-transitory computer-readable storage medium of claim 13, wherein the information usable to determine the first cryptographic key is the first cryptographic key.
  - 20. The non-transitory computer-readable storage medium of claim 13, wherein the executable instructions that, as a result of being executed by the one or more processors, further cause the computer system to provide a response to a second request that is based at least in part on a result of the one or more cryptographic operations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Campagna, Matthew John, Roth, Gregory Branchek
Primary Examiner(s)
Tsang, Henry

Application Number

US14/675,614
Publication Number

US 20170006018A1
Time in Patent Office

1,680 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

H04L 63/0435   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 9/088   Usage controlling of secret...

Key export techniques

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

138 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Key export techniques

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

138 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links