Secured communication in network environments

US 10,574,443 B2
Filed: 02/16/2016
Issued: 02/25/2020
Est. Priority Date: 01/17/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

performing a handshake between a client device and a first computing device to generate;

a session key for encrypting data that is communicated between the client device and the first computing device; and

an access controlled compartment, the access controlled compartment associated with access rights preventing the first computing device from performing cryptographic operations using the session key;

receiving, within the access controlled compartment and from the client device, a request for data, wherein the request for data is encrypted using the session key;

sending, from the first computing device to a second computing device, a copy of the session key and the request for data;

receiving, at the first computing device, from the second computing device, the data encrypted with the session key, access rights for the first computing device preventing decryption of the data; and

making the encrypted data available to the client device in response to the request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing device can obtain a session key for encrypting data that is communicated between a client device and the computing device. The computing device can receive, from the client device, an encrypted request for data. The encrypted request can be encrypted by the client device using the session key. The data requested can be stored on a second computing device. The computing device can send, to the second computing device, a copy of the session key and the encrypted request for data. The second computing device can decrypt the data using the session key and can also encrypt data responsive to the request using the session key.

Citations

20 Claims

1. A computer-implemented method comprising:
- performing a handshake between a client device and a first computing device to generate;
  
  a session key for encrypting data that is communicated between the client device and the first computing device; and
  
  an access controlled compartment, the access controlled compartment associated with access rights preventing the first computing device from performing cryptographic operations using the session key;
  
  receiving, within the access controlled compartment and from the client device, a request for data, wherein the request for data is encrypted using the session key;
  
  sending, from the first computing device to a second computing device, a copy of the session key and the request for data;
  
  receiving, at the first computing device, from the second computing device, the data encrypted with the session key, access rights for the first computing device preventing decryption of the data; and
  
  making the encrypted data available to the client device in response to the request.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer-implemented method of claim 1, wherein obtaining the session key at the first computing device further comprises:
    - performing, with the client device, a cryptographic protocol handshake; and
      
      generating, in response to performing the cryptographic protocol handshake, the session key.
  - 3. The computer-implemented method of claim 1, further comprising:
    - receiving, from the client device, a different encrypted request for different data, the different encrypted request encrypted with the session key, and wherein the different data is stored on a third computing device that is accessible to the first computing device;
      
      sending, to the third computing device, a copy of the session key and the different encrypted request;
      
      receiving, from the third computing device, the different data, the different data encrypted by the third computing device using the session key; and
      
      sending, to the client device, the different data that is responsive to the different request,wherein the client device is able to decrypt, using the session key, the different data.
  - 4. The computer-implemented method of claim 1, wherein sending, from the first computing device to the second computing device, a copy of the session key and the information that identifies data responsive to the request further comprises:
    - obtaining a public key associated with the second computing device;
      
      encrypting the session key using the public key associated with the second computing device; and
      
      sending, to the second computing device, the session key encrypted using the public key associated with the second computing device,wherein the second computing device is able to decrypt the session key using a private key associated with the second computing device.
  - 5. The computer-implemented method of claim 1, wherein:
    - the first computing device is limited to providing the session key to the second computing device; and
      
      the first computing device does not decrypt the data responsive to the request.

6. A system comprising:
- one or more processors; and
  
  memory storing instructions that, upon execution by the one or more processors, cause the system;
  
  perform a handshake between a client device and a first computing device to generate;
  
  a session key associated with a communication session between the client device and the first computing device; and
  
  an access controlled compartment, the access controlled compartment associated with access rights preventing the first computing device from performing cryptographic operations using the session key;
  
  send a request from the client device, to the access controlled compartment, wherein the request is encrypted using the session key;
  
  provide, from the access controlled compartment to a second computing device, the session key and the request;
  
  receive, in response to the request, by the access controlled compartment, from the second computing device, using a different encryption handshake between the first computing device and the second computing device, encrypted data encrypted with the session key, access rights on the first computing device prohibiting the encrypted data to be decrypted using the session key; and
  
  provide the encrypted data to the client device, from the access controlled compartment.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 7. The system of claim 6, wherein the session key and the request are provided to the second computing device by at least sending the session key and the request to the second computing device via a secure communication channel, the secure communication channel using a different session key.
  - 8. The system of claim 6, wherein the operations further comprise:
    - receiving, from the client device, a different request for different data, the different request encrypted with the session key, a fourth computing device able to send data to the computing device via a third computing device; and
      
      sending, to the fourth computing device, a copy of the session key and the different request for data.
  - 9. The system of claim 8, wherein:
    - the session key and the request for data are not sent to the fourth computing device via the third computing device; and
      
      the different request is encrypted with the session key.
  - 10. The system of claim 8, wherein the operations further comprise:
    - receiving, from the third computing device, in response to the different request, different encrypted data provided by the fourth computing device, the different encrypted data encrypted with the session key; and
      
      sending, to the client device, the different encrypted data,wherein the third computing device does not have access to the session key.
  - 11. The system of claim 6, wherein the first computing device does not decrypt the data responsive to the request.
  - 12. The system of claim 6, wherein obtaining the session key associated with the communication session between the client device and the first computing device further comprises:
    - performing, with the client device, a handshake associated with establishment of the communication session; and
      
      generating, as a result of performing the handshake, the session key.
  - 13. The system of claim 12, wherein the first computing device includes:
    - a first module that performs the handshake, and negotiates the session key in coordination with the client device;
      
      a second module that encrypts and decrypts data using the session key; and
      
      a third module that causes the session key to be available to another computing device.
  - 14. The system of claim 13, wherein the first module, the second module, and the third module are able to have different permissions to access the session key.
  - 15. The system of claim 13, wherein the second computing device is able to encrypt and decrypt data using the session key.
  - 16. The system of claim 6, wherein providing, to the second computing device, the session key and the request further comprises:
    - obtaining a public key associated with the second computing device;
      
      encrypting the session key using the public key associated with the second computing device to produce an encrypted session key; and
      
      sending, to the second computing device, the encrypted session key,wherein a private key associated with the second computing device is accessible to the second computing device.

17. A non-transitory computer-readable storage medium comprising executable instructions that, upon execution by one or more processors of a computing system, cause the computing system to at least:
- receive, from a first computing device, a session key and a request, the request encrypted with the session key, the session key established as a result of a negotiation between a client device and the first computing device, the request stored on the first computing device within an access controlled compartment, the access controlled compartment associated with access rights preventing the first computing device from performing cryptographic operations using the session key;
  
  decrypt the request using the session key;
  
  process the request to obtain data that is responsive to the request;
  
  encrypt, using the session key, the data to produce encrypted data; and
  
  relay, through the first computing device, the encrypted data to the client device, wherein access rights for the first computing device prevent decryption of the encrypted data on the first computing device.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer-readable storage medium of claim 17, wherein:
    - the session key is encrypted using a public key associated with the computing device; and
      
      the executable instructions, as a result of being executed by the one or more processors of the computing device, further cause the computing device to decrypt the session key using a private key associated with the computing device.
  - 19. The non-transitory computer-readable storage medium of claim 17, wherein the session key is established between the client device and the first computing device as a result of a key exchange algorithm performed by the client device and the first computing device.
  - 20. The non-transitory computer-readable storage medium of claim 17, wherein the executable instructions, as a result of being executed by the one or more processors of the computing device, further cause the computing device to:
    - receive, from the first computing device, a different request;
      
      send, to a second computing device and over a different communication channel between the computing device and a second computing device, a copy of the session key and the different request;
      
      receive, from the second computing device and over the different communication channel, different encrypted data that is responsive to the different request, the different encrypted data encrypted using the session key; and
      
      send, to the first computing device and over the communication channel, the different encrypted data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Tribble, Alexander Julian, Barry, Robert Michael, Boynes, Jeremy, Davis, Melissa Elaine, Spac, Igor
Primary Examiner(s)
Herzog, Madhuri R

Application Number

US15/045,113
Publication Number

US 20160173280A1
Time in Patent Office

1,470 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/60   Protecting data

G06F 21/606   by securing the transmissio...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/0435   wherein the sending and rec...

H04L 63/067   using one-time keys cryptog...

H04L 9/0827   involving distinctive inter...

H04L 9/0838   Key agreement, i.e. key est...

Secured communication in network environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secured communication in network environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links