Data storage key rotation

US 10,523,434 B1
Filed: 03/04/2016
Issued: 12/31/2019
Est. Priority Date: 03/04/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

storing encrypted data on a data storage system, the data storage system accessible to a client computer system via a network, and the encrypted data encrypted with a first cryptographic key;

generating a second cryptographic key to replace the first cryptographic key;

providing the second cryptographic key to the data storage system;

obtaining executable code that is compatible with an execution environment on the data storage system, wherein the execution environment is sandboxed to prevent the executable code from interfering with other components of the data storage system;

uploading the executable code to the execution environment; and

initiating execution of the executable code within the execution environment, the execution of the executable code causing the data storage system to;

read the encrypted data from the data storage system into the execution environment;

decrypt the encrypted data, according to a cryptographic algorithm determined by the client computer system, using the first cryptographic key to produce plaintext data;

encrypt the plaintext data, according to a cryptographic algorithm determined by the client computer system, with a second cryptographic key to produce re-encrypted data; and

store the re-encrypted data to the data storage system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present document describes a data storage system that includes a sandboxed execution environment. The execution environment is made available to clients of the data storage system. Clients are able to upload executable instructions to the execution environment, which can be used to manipulate data stored on the data storage system. In various examples, clients use the execution environment to perform key rotation operations on encrypted data stored on the data storage system. Clients transfer executable instructions and cryptographic keys to the execution environment, where the encrypted data stored on the data storage system can be read into the execution environment, decrypted with an old key, re-encrypted with a new key, and returned to the data storage system.

27 Citations

View as Search Results

20 Claims

1. A computer-implemented method, comprising:
- storing encrypted data on a data storage system, the data storage system accessible to a client computer system via a network, and the encrypted data encrypted with a first cryptographic key;
  
  generating a second cryptographic key to replace the first cryptographic key;
  
  providing the second cryptographic key to the data storage system;
  
  obtaining executable code that is compatible with an execution environment on the data storage system, wherein the execution environment is sandboxed to prevent the executable code from interfering with other components of the data storage system;
  
  uploading the executable code to the execution environment; and
  
  initiating execution of the executable code within the execution environment, the execution of the executable code causing the data storage system to;
  
  read the encrypted data from the data storage system into the execution environment;
  
  decrypt the encrypted data, according to a cryptographic algorithm determined by the client computer system, using the first cryptographic key to produce plaintext data;
  
  encrypt the plaintext data, according to a cryptographic algorithm determined by the client computer system, with a second cryptographic key to produce re-encrypted data; and
  
  store the re-encrypted data to the data storage system.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, wherein:
    - the execution environment includes a JavaScript interpreter;
      
      the executable code is JavaScript code; and
      
      the executable code is uploaded to the execution environment via a network connection.
  - 3. The computer-implemented method of claim 1, further comprising:
    - obtaining, from the data storage system, information that describes a characteristic of the execution environment; and
      
      modifying the executable code based at least in part on the characteristic of the execution environment.
  - 4. The computer-implemented method of claim 1, further comprising:
    - reading the re-encrypted data from the data storage system; and
      
      decrypting the re-encrypted data using the second cryptographic key.

5. A system, comprising a computing device that implements a data storage service to:
- obtain, from a client computer system, encoded data that is encoded in accordance with a first encoding;
  
  store, on a data storage device connected to the computing device, the encoded data;
  
  obtain, from the client computer system, a second encoding and executable instructions that are compatible with an execution environment on the computing device, wherein the execution environment is sandboxed to prevent interference with other execution environments; and
  
  decrypt the encoded data and re-encrypt the encoded data so that the encoded data is in accordance with the second encoding by at least in part executing the executable instructions, the executable instructions determining an algorithm for cryptographic operations, within the execution environment.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The system of claim 5, wherein:
    - the first encoding is a first encryption algorithm using a first cryptographic key; and
      
      the second encoding is a second encryption algorithm using a second cryptographic key.
  - 7. The system of claim 6, wherein:
    - the first cryptographic key is a public-private key pair having a first public key and a first private key;
      
      the second cryptographic key is a public-private key pair having a second public key and a second private key; and
      
      modifying the encoded data is accomplished in part by decrypting the encoded data with the first private key to produce decrypted data, and encrypting the decrypted data with the second public key to produce re-encrypted data.
  - 8. The system of claim 6, wherein the first encryption algorithm is different than the second encryption algorithm.
  - 9. The system of claim 6, wherein the data storage service:
    - retrieves the first cryptographic key from a key management service;
      
      causes the second cryptographic key to be generated by the key management service; and
      
      retrieves the second cryptographic key from the key management service.
  - 10. The system of claim 6, wherein the data storage service further:
    - obtains the first cryptographic key from the client computer system;
      
      generates the second cryptographic key; and
      
      provides the second cryptographic key to the client computer system.
  - 11. The system of claim 6, wherein the encoded data includes a third cryptographic key, and the data storage service further:
    - obtains, from a client computer system, encrypted data that is encrypted with the third cryptographic key; and
      
      stores, on the data storage device, the encrypted data.
  - 12. The system of claim 5, wherein:
    - the first encoding is an H.264 video encoding; and
      
      the second encoding is an MPEG-4 video encoding.

13. A non-transitory computer-readable storage medium comprising executable instructions that, as a result of being executed by one or more processors of a storage controller, cause the storage controller to at least:
- obtain, from a client computer system, encrypted data that is encrypted with a first cryptographic key;
  
  store the encrypted data on a data storage device associated with the storage controller;
  
  obtain, from a client computer system, the first cryptographic key and a second cryptographic key;
  
  obtain, from the client computer system, information describing operations that are able to be performed within an execution environment on the storage controller, wherein the execution environment is sandboxed to prevent interference with other components of the storage controller; and
  
  perform, within the execution environment, a sequence of operations, the sequence of operations causing the storage controller to;
  
  decrypt the encrypted data, according to a cryptographic algorithm determined by the client computer system, using the first cryptographic key to produce plaintext data; and
  
  encrypt the plaintext data, according to a cryptographic algorithm determined by the client computer system, using the second cryptographic key.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The non-transitory computer-readable storage medium of claim 13, wherein:
    - the encrypted data includes an envelope key;
      
      the envelope key is encrypted with the first cryptographic key; and
      
      the non-transitory computer-readable storage medium further comprises instructions that, as a result of being executed by the one or more processors, cause the storage controller to;
      
      obtain, from the client computer system, second encrypted data that is encrypted with the envelope key; and
      
      store the second encrypted data on the data storage device.
  - 15. The non-transitory computer-readable storage medium of claim 13, wherein:
    - the encrypted data includes a first envelope key;
      
      the first envelope key is encrypted with the first cryptographic key;
      
      the non-transitory computer-readable storage medium further comprises instructions that, as a result of being executed by the one or more processors, cause the storage controller to;
      
      obtain, from the client computer system, second encrypted data that is encrypted with the first envelope key;
      
      store the second encrypted data on the data storage device; and
      
      obtain, from the client computer system, a second envelope key to replace the first envelope key; and
      
      the sequence of operations further causes the storage controller to;
      
      decrypt the second encrypted data using the first envelope key to produce second plaintext data; and
      
      encrypt the second plaintext data using the second envelope key.
  - 16. The non-transitory computer-readable storage medium of claim 13, wherein:
    - the encrypted data includes a plurality of envelope keys;
      
      the envelope keys are encrypted with the first cryptographic key; and
      
      the non-transitory computer-readable storage medium further comprises instructions that, as a result of being executed by the one or more processors, cause the storage controller to;
      
      receive, from the client computer system, second encrypted data that is encrypted with a particular envelope key;
      
      store the second encrypted data on the data storage device; and
      
      add the particular envelope key to the plurality of envelope keys.
  - 17. The non-transitory computer-readable storage medium of claim 16, wherein the particular envelope key is stored in association with the second encrypted data on the data storage device.
  - 18. The non-transitory computer-readable storage medium of claim 13, further comprising instructions that, as a result of being executed by the one or more processors, cause the storage controller to:
    - delete the plaintext data from the execution environment;
      
      delete the first cryptographic key from the execution environment; and
      
      delete the second cryptographic key from the execution environment.
  - 19. The non-transitory computer-readable storage medium of claim 13, wherein:
    - the second cryptographic key is a public key of a second public-private key pair; and
      
      a private key of the second public-private key pair is not accessible to the computer system.
  - 20. The non-transitory computer-readable storage medium of claim 13, wherein:
    - data within the execution environment is protected from being accessed from outside the execution environment; and
      
      the execution environment is limited to accessing data accessible to the client computer system as a result of performing, within the execution environment, the sequence of operations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Sharifi Mehr, Nima
Primary Examiner(s)
Chang, Kenneth W

Application Number

US15/061,937
Time in Patent Office

1,397 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 9/445   Program loading or initiati...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

Data storage key rotation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

27 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Data storage key rotation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links