Session negotiations

US 10,601,789 B2
Filed: 11/27/2017
Issued: 03/24/2020
Est. Priority Date: 06/13/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

at a first security module of a plurality of security modules;

obtaining, from an operator device, a first request for a session key;

in response to the first request, using a domain key to encrypt one or more session keys and information usable to identify the operator device, the domain key accessible to each of the plurality of security modules; and

providing the one or more session keys and encrypted one or more session keys to the operator device; and

at a second security module, different from the first security module, of the plurality of security modules;

obtaining, from the operator device, a second request to perform a cryptographic operation, the second request including data, an encrypted session key from the encrypted one or more session keys, and a digital signature generated based at least in part on the session key;

using the domain key to decrypt the encrypted session key and the information usable to identify the operator device;

verifying that the operator device matches the information usable to identify the operator device;

using the session key to verify the digital signature;

as a result of verifying the digital signature and verifying that the operator device matches the information usable to identify the operator device, performing the requested cryptographic operation using at least the data;

using the session key to encrypt a result of performing the requested cryptographic operation; and

providing the encrypted result to the operator device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A plurality of devices are each operable to provide information that is usable for to prove authorization with any of the other devices. The devices may have common access to a cryptographic key. A device may use the cryptographic key to encrypt a session key and provide both the session key and the encrypted session key. Requests to any of the devices can include the encrypted session key and a digital signature generated using the session key. In this manner, a device that receives the request can decrypt the session key and use the decrypted session key to verify the digital signature.

211 Citations

21 Claims

1. A computer-implemented method, comprising:
- at a first security module of a plurality of security modules;
  
  obtaining, from an operator device, a first request for a session key;
  
  in response to the first request, using a domain key to encrypt one or more session keys and information usable to identify the operator device, the domain key accessible to each of the plurality of security modules; and
  
  providing the one or more session keys and encrypted one or more session keys to the operator device; and
  
  at a second security module, different from the first security module, of the plurality of security modules;
  
  obtaining, from the operator device, a second request to perform a cryptographic operation, the second request including data, an encrypted session key from the encrypted one or more session keys, and a digital signature generated based at least in part on the session key;
  
  using the domain key to decrypt the encrypted session key and the information usable to identify the operator device;
  
  verifying that the operator device matches the information usable to identify the operator device;
  
  using the session key to verify the digital signature;
  
  as a result of verifying the digital signature and verifying that the operator device matches the information usable to identify the operator device, performing the requested cryptographic operation using at least the data;
  
  using the session key to encrypt a result of performing the requested cryptographic operation; and
  
  providing the encrypted result to the operator device.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, wherein:
    - the second request includes another key encrypted under the domain key; and
      
      performing the requested cryptographic operation includes decrypting the encrypted other key and using the decrypted other key to perform the requested cryptographic operation.
  - 3. The computer-implemented method of claim 1, wherein:
    - the one or more session keys are encrypted with an expiration for the one or more session keys; and
      
      verifying the digital signature includes confirming, based at least in part on the expiration, that the session key is unexpired.
  - 4. The computer-implemented method of claim 1, wherein:
    - the second request is encrypted under the session key; and
      
      the method further comprises using the session key to decrypt the second request.
  - 5. The computer-implemented method of claim 1, wherein:
    - decrypting the encrypted session key uses a symmetric-key cryptographic algorithm; and
      
      providing the session key includes using an asymmetric-key cryptographic algorithm to transfer the session key to the operator device.
  - 6. The computer-implemented method of claim 1, wherein:
    - the second request is obtained as a result of obtaining a customer request of a customer of a computing resource service provider that hosts the plurality of security modules.

7. A computer-implemented method, comprising:
- obtaining a request, from a requestor, to perform a cryptographic operation, the request including data, a ciphertext of a first key and information usable to identify the requestor, and authentication information generated based at least in part on the first key;
  
  decrypting the ciphertext using a second key accessible to a plurality of security devices to obtain the first key and the information usable to identify the requestor;
  
  verifying that the requestor matches the information usable to identify the requestor;
  
  verifying authenticity of the request based at least in part on the authentication information and the first key;
  
  as a result of verifying the authenticity of the request and verifying that the requestor matches the information usable to identify the requestor, performing the cryptographic operation using at least the data;
  
  using the first key to encrypt a result of performing the cryptographic operation; and
  
  providing the encrypted result to the requestor.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The computer-implemented method of claim 7, wherein the ciphertext of the first key is obtained from a device that lacks access to the second key.
  - 9. The computer-implemented method of claim 7, wherein:
    - the first key is encrypted by a second device, from the plurality of security devices, that provided the encrypted first key to a third device; and
      
      the request is from the third device.
  - 10. The computer-implemented method of claim 7, wherein:
    - the request further includes an expiration for the first key; and
      
      verifying the authenticity of the request based at least in part on the authentication information and the first key is dependent on the decrypted first key being unexpired according to the expiration.
  - 11. The computer-implemented method of claim 7, wherein the plurality of security devices are security modules.
  - 12. The computer-implemented method of claim 7, wherein:
    - the request includes data and a cryptographic key encrypted under the second key;
      
      the method further includes decrypting the encrypted cryptographic key; and
      
      performing the cryptographic operation is based at least in part on the data and the decrypted cryptographic key.
  - 13. The computer-implemented method of claim 7, wherein the authentication information comprises a digital signature.

14. A system, comprising memory to store instructions that, as a result of execution by one or more processors, cause the system to:
- generate, based at least in part on a first key accessible to each of a plurality of devices, information that is usable, by another device of the plurality of devices lacking access to the first key, for causing any device of the plurality of devices to provide a result of performance of one or more requested cryptographic operations, wherein the information comprises;
  
  authentication information to authenticate a request to perform the one or more requested cryptographic operations; and
  
  an encrypted second key in encrypted data that is separate from the authentication information, the second key being usable to verify the authentication information; and
  
  provide the generated information.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The system of claim 14, wherein:
    - the information includes a second key and is based at least in part on the first key without including the first key; and
      
      the instructions, as a result of execution by the one or more processors, further provide the system the ability to use the first key to verify that use of the second key is authorized.
  - 16. The system of claim 14, wherein accessing any device of the plurality of devices includes causing a selected device from the plurality of devices to perform a cryptographic operation using a cryptographic key in response to a request, specifying the cryptographic key, to perform the cryptographic operation.
  - 17. The system of claim 14, wherein the devices are security modules.
  - 18. The system of claim 14, wherein the information includes an expiration for the information that limits an amount of time for which the information is usable for access to any device of the plurality of devices.
  - 19. The system of claim 14, wherein generating the information is in response to an authenticated request for the information.
  - 20. The system of claim 14, wherein the system comprises the other device, the other device including other memory to store other instructions that, as a result of execution by another one or more processors, causes the other device to:
    - obtain a request to perform the one or more requested cryptographic operations, the request including the generated information;
      
      verify the authentication information;
      
      perform the one or more requested cryptographic operations as a result of verifying the authentication information; and
      
      provide a result of the one or more requested cryptographic operations.
  - 21. The system of claim 20, wherein:
    - the other instructions further include instructions that, as a result of execution by the other one or more processors, cause the other device to;
      
      decrypt the encrypted second key based at least in part on the first key to generate a decrypted second key;
      
      use the decrypted second key to perform the one or more requested cryptographic operations; and
      
      wherein the result is encrypted using the decrypted second key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Wren, Matthew James, Brandwine, Eric Jason, Pratt, Brian Irl
Primary Examiner(s)
Tsang, Henry

Application Number

US15/823,450
Publication Number

US 20180083929A1
Time in Patent Office

848 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/083   involving central third par...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

H04L 9/16   the keys or algorithms bein...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

Session negotiations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

211 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Session negotiations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

211 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others