Data security operations with expectations

US 10,560,441 B2
Filed: 12/17/2014
Issued: 02/11/2020
Est. Priority Date: 12/17/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, from a requestor associated with a customer of a service provider, a web service request whose fulfillment includes performance of a cryptographic operation;

selecting, based at least in part on information in the web service request, a cryptographic key from a plurality of cryptographic keys managed by the service provider for a plurality of customers of the service provider;

determining a set of security expectations applicable to the web service request, the set of security expectations defining a set of conditions applicable to the selected cryptographic key that, when fulfilled and regardless of whether the selected cryptographic key is usable to perform the cryptographic operation, indicate that a result of the cryptographic operation is trusted;

evaluating the set of security expectations against the selected cryptographic key;

generating a response to the web service requests based at least in part on evaluation of the set of security expectations; and

providing the generated response.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cryptography service allows for management of cryptographic keys and for the evaluation of security expectations when processing incoming requests. In some contexts, the cryptography service, upon receiving a request to perform a cryptographic operation, evaluates a set of security expectations to determine whether the cryptographic key or keys usable to perform the cryptographic operation should be trusted. A response to the request is dependent on evaluation of the security expectations.

Citations

22 Claims

1. A computer-implemented method, comprising:
- receiving, from a requestor associated with a customer of a service provider, a web service request whose fulfillment includes performance of a cryptographic operation;
  
  selecting, based at least in part on information in the web service request, a cryptographic key from a plurality of cryptographic keys managed by the service provider for a plurality of customers of the service provider;
  
  determining a set of security expectations applicable to the web service request, the set of security expectations defining a set of conditions applicable to the selected cryptographic key that, when fulfilled and regardless of whether the selected cryptographic key is usable to perform the cryptographic operation, indicate that a result of the cryptographic operation is trusted;
  
  evaluating the set of security expectations against the selected cryptographic key;
  
  generating a response to the web service requests based at least in part on evaluation of the set of security expectations; and
  
  providing the generated response.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer-implemented method of claim 1, wherein the set of security expectations are specified in the request.
  - 3. The computer-implemented method of claim 1, wherein:
    - the method further comprises;
      
      determining, a set of policies applicable to the request, the set of policies from a stored plurality of policy documents; and
      
      determining that the set of policies allows fulfillment of the request; and
      
      determining the set of security expectations includes determining at least one security expectation from the determined set of policies.
  - 4. The computer-implemented method of claim 3, wherein the method further comprises:
    - receiving, from an entity authorized by the customer to modify policies, a web service request to enforce the set of security expectations to a set of policies associated with the customer; and
      
      fulfilling the request by modifying the set of policies to include the set of security expectations.
  - 5. The computer-implemented method of claim 3, wherein the cryptographic operations is decryption or digital signature verification.

6. A system, comprising at least one computing device configured to implement one or more services, the one or more services configured to:
- receive, from a client, a request to perform a cryptographic operation;
  
  determine a cryptographic key for performance of the cryptographic operation, the cryptographic key being from a set of cryptographic keys managed by the system;
  
  determine, based at least in part on information contained in the request, a set of conditions under which a result of performance of the cryptographic operation should be trusted by the client;
  
  generate, based at least in part on the cryptographic key and the determined set of conditions, a response to the request; and
  
  provide the generated response to the client.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14)
- - 7. The system of claim 6, wherein the one or more services are further configured to determine at least one condition of the set of conditions as a result of the at least one condition being specified in the request.
  - 8. The system of claim 6, wherein:
    - the client is authenticated as an identity; and
      
      the one or more services are configured to determine the set of conditions by at least;
      
      selecting a subset of a set policies as applicable to the identity; and
      
      determining at least one condition of the set of conditions as a result of the at least one condition being specified in the subset of the set of policies.
  - 9. The system of claim 8, wherein:
    - the system is operated by a service provider; and
      
      the set of policies is programmatically modifiable by a customer of the service provider associated with the identity.
  - 10. The system of claim 6, wherein the system is a device with hardware-based protection of the set of cryptographic keys and from which the cryptographic keys are programmatically unexportable from the device in plaintext form.
  - 11. The system of claim 6, wherein:
    - the cryptographic key is managed by the system on behalf of a first customer of a service provider; and
      
      the set of cryptographic keys comprises a second cryptographic key that is managed by the system on behalf of a second customer of the service provider.
  - 12. The system of claim 11, wherein the client is operated by a third customer of the service provider.
  - 13. The system of claim 6, wherein the generated response includes information indicating a result of evaluation of the set of conditions.
  - 14. The system of claim 6, wherein the set of conditions require that the cryptographic key be from a set of cryptographic keys specified as trusted.

15. A non-transitory computer-readable storage medium having stored thereon executable instructions that, when executed by one or more processors of a computer system, cause the computer system to provide a service that is configured to:
- determine, based at least in part on information included in a request, from a requestor, whose fulfillment involves a cryptographic operation involving a cryptographic key, a set of conditions applicable to the cryptographic key for determining whether the requestor should trust a result of the cryptographic operation, the cryptographic key being from a set of cryptographic keys managed by the computer system for a plurality of entities, each with a corresponding subset of the set of cryptographic keys;
  
  evaluate the determined set of conditions to determine a manner of fulfilling the request; and
  
  as a result of evaluation of the determined set of conditions indicating the cryptographic key can be trusted, causing the cryptographic operation to be performed and the result of the cryptographic operation to be provided in response to the request.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. The non-transitory computer-readable storage medium of claim 15, wherein the entities are customers of a service provider that operates the computer system.
  - 17. The non-transitory computer-readable storage medium of claim 15, wherein the instructions that cause the computer system to determine the set of conditions, when executed by the one or more processors, cause the system to obtain at least one condition of the set of conditions from a policy associated with an identity that submitted the request.
  - 18. The non-transitory computer-readable storage medium of claim 15, wherein the request is a web service request.
  - 19. The non-transitory computer-readable storage medium of claim 15, wherein the the set of conditions are based at least in part on an inherent property of the cryptographic key.
  - 20. The non-transitory computer-readable storage medium of claim 15, wherein at least one condition from the determined set of conditions is specified by the request.
  - 21. The non-transitory computer-readable storage medium of claim 20, wherein the set of conditions includes multiple conditions connected with Boolean operators.
  - 22. The non-transitory computer-readable storage medium of claim 15, wherein the instructions further include instructions that, when executed by the one or more processors, cause the computer system to evaluate a set of policies applicable to the request as a prerequisite to evaluation of the determined set of conditions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Rubin, Gregory Alan, Roth, Gregory Branchek
Primary Examiner(s)
Siddiqi, Mohammad A

Application Number

US14/574,337
Publication Number

US 20160182470A1
Time in Patent Office

1,882 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/06   for supporting key manageme...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Data security operations with expectations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Data security operations with expectations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links