Virtual requests

US 10,623,399 B1
Filed: 09/16/2016
Issued: 04/14/2020
Est. Priority Date: 03/12/2012
Status: Active Grant

First Claim

Patent Images

1. A request service of a distributed computing system, comprising:

one or more memories; and

one or more processors executing instructions from the one or more memories, the request service configured to;

identify that an authentication service computer stores a client digital identity certificate of a client computer;

initiate a certificate exchange session with the client computer;

prior to computing a certificate exchange receipt and during the certificate exchange session,construct a session identifier based at least in part on an action-dependent request component, the action-dependent request component comprising an association between a request of the certificate exchange session and an action that the client computer requests to perform as part of completing a handshake procedure; and

transmit the session identifier to the client computer as part of the handshake procedure;

compute the certificate exchange receipt based at least in part on the certificate exchange session;

sign the certificate exchange receipt using a private key for a service digital identity certificate of the request service;

provide the signed certificate exchange receipt to the authentication service computer;

receive an issued credential for calling an independent service; and

communicate with the independent service using the issued credential.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A first request from a client using a first protocol is translated into one or more second requests by a servicer using a second protocol through a virtual request using the first protocol. A client may use parameters of the first protocol to pass virtual request components to the servicer. A format agreement between the client, servicer and/or authentication service may allow the servicer and/or authentication service to translate the virtual request components over the first protocol to one or more second requests using the second protocol. Virtual request components may also prove the authenticity of the virtual request received by the servicer to an authentication service. Once satisfied the virtual request is valid, the authentication service may issue a credential to the servicer to send the one or more second requests to an independent service. Virtual requests may be included in various protocols, including credential-based protocols and certificate exchange-based protocols.

25 Citations

18 Claims

1. A request service of a distributed computing system, comprising:
- one or more memories; and
  
  one or more processors executing instructions from the one or more memories, the request service configured to;
  
  identify that an authentication service computer stores a client digital identity certificate of a client computer;
  
  initiate a certificate exchange session with the client computer;
  
  prior to computing a certificate exchange receipt and during the certificate exchange session,construct a session identifier based at least in part on an action-dependent request component, the action-dependent request component comprising an association between a request of the certificate exchange session and an action that the client computer requests to perform as part of completing a handshake procedure; and
  
  transmit the session identifier to the client computer as part of the handshake procedure;
  
  compute the certificate exchange receipt based at least in part on the certificate exchange session;
  
  sign the certificate exchange receipt using a private key for a service digital identity certificate of the request service;
  
  provide the signed certificate exchange receipt to the authentication service computer;
  
  receive an issued credential for calling an independent service; and
  
  communicate with the independent service using the issued credential.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The request service of claim 1, wherein the request service is further configured to import one or more virtual request components to the certificate exchange session.
  - 3. The request service of claim 2, wherein the one or more virtual request components comprise a time-dependent request component, a service-dependent request component, and the action-dependent request component.
  - 4. The request service of claim 1, wherein the issued credential is received from the authentication service computer by the request service of the distributed computing system.
  - 5. The request service of claim 1, wherein the client computer provides the client digital identity certificate to the authentication service computer, and wherein the client digital identity certificate corresponds with a second private key associated with the client computer.
  - 6. The request service of claim 1, wherein the client digital identity certificate is an X.509 public key certificate.
  - 7. The request service of claim 1, wherein the certificate exchange session includes the handshake procedure.

8. A computer-implemented method performed by a request service of a distributed computing system, comprising:
- identifying, by the request service, that an authentication service computer stores a digital identity certificate of a client computer;
  
  initiating, by the request service, a certificate exchange session with the client computer;
  
  prior to computing a certificate exchange receipt and during the certificate exchange session,constructing a session identifier based at least in part on an action-dependent request component, the action-dependent request component comprising an association between a request of the certificate exchange session and an action that the client computer requests to perform as part of completing a handshake procedure; and
  
  transmitting the session identifier to the client computer as part of the handshake procedure;
  
  computing, by the request service, the certificate exchange receipt based at least in part on the certificate exchange session;
  
  signing, by the request service, the certificate exchange receipt using a private key for a service digital identity certificate of the request service;
  
  providing, by the request service, the signed certificate exchange receipt to the authentication service computer, the signed certificate exchange receipt being associated with the certificate exchange session;
  
  receiving, by the request service, an issued credential for calling an independent service; and
  
  communicating, by the request service, with the independent service using the issued credential.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The computer-implemented method of claim 8, wherein a second certificate exchange receipt is computed by the client computer based at least in part on the certificate exchange session.
  - 10. The computer-implemented method of claim 8, wherein the issued credential is received from the authentication service computer by the request service of the distributed computing system.
  - 11. The computer-implemented method of claim 8, wherein the request service communicates with the independent service to provide one or more requests on behalf of the client computer.
  - 12. The computer-implemented method of claim 11, wherein the request service communicates with the independent service through an application program interface (API).
  - 13. The computer-implemented method of claim 11, wherein the request service communicates with the independent service to sign the one or more requests on behalf of the client computer.

14. An authentication service computer of a distributed computing system, comprising:
- one or more memories; and
  
  one or more processors executing instructions from the one or more memories, the authentication service computer configured to;
  
  receive a client digital identity certificate from a client computer;
  
  identify that the client computer and a request service of the distributed computing system initiate a certificate exchange session;
  
  prior to computing a certificate exchange receipt and during the certificate exchange session,enable construction of a session identifier based at least in part on an action-dependent request component, the action-dependent request component comprising an association between a request of the certificate exchange session and an action that the client computer requests to perform as part of completing a handshake procedure; and
  
  enable transmission of the session identifier to the client computer as part of the handshake procedure;
  
  receive, from the request service, the certificate exchange receipt that was signed by the request service using a private key for a service digital identity certificate of the request service, the signed certificate exchange receipt associated with the certificate exchange session, the request service, and the client computer;
  
  compare the signed certificate exchange receipt with the service digital identity certificate signed by the request service; and
  
  based at least in part on the comparison, provide an issued credential associated with the client computer to the request service.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The authentication service computer of claim 14, wherein the authentication service computer is further configured to map the service digital identity certificate to a principal identity in a certificate store.
  - 16. The authentication service computer of claim 14, wherein the authentication service computer is further configured to validate a signature associated with the certificate exchange session before providing the issued credential to the request service.
  - 17. The authentication service computer of claim 14, wherein the service digital identity certificate is an X.509 public key certificate that corresponds with the private key of the request service.
  - 18. The authentication service computer of claim 14, wherein the signed certificate exchange receipt is received from the request service, and wherein the comparison between the signed certificate exchange receipt and the service digital identity certificate validates involvement of the client computer and the request service with the certificate exchange session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Allen, Nicholas Alexander, Roth, Gregory B., Dykhno, Elena
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Nguy, Chi D

Application Number

US15/268,168
Time in Patent Office

1,306 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 9/321   involving a third party or ...

H04L 9/3268   using certificate validatio...

H04L 9/3297   involving time stamps, e.g....

Virtual requests

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

25 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual requests

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links