Key rotation with external workflows

US 10,630,662 B1
Filed: 02/24/2016
Issued: 04/21/2020
Est. Priority Date: 05/17/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

generating, by a computing system for a client, a keypair for distribution to a computing resource of the computing system over an internal network to the computing system, the computing resource accessible to the client over an external network to the computing system, the keypair unavailable to the client for use on the computing resource until activation of the keypair based at least in part on a workflow;

the keypair generated based at least in part on a security policy specifying a time-based rotation of keypairs within the computing system;

selecting, by the computing system, a workflow template for the workflow based at least in part on a class of the keypair, the workflow template defined for the class of the keypair based at least in part on input of an administrator of the computing system, the workflow template specifying actions within the computing system to complete the activation of the keypair based at least in part on the class of the keypair;

performing, by the computing system, the actions within the computing system to complete the workflow;

associating, by the computing system, the keypair with an active status based at least in part on completion of the workflow;

distributing, by the computing system based at least in part on the active status, the keypair to the computing resource over the internal network without sending the keypair to the client, the keypair distributed to the computing resource as a non-preferred keypair, the distributing comprising replacing, for the client, an existing keypair with the keypair based at least in part on the time-based rotation;

receiving, by the computing system from the computing resource, an acknowledgement about receipt of the keypair by the computing resource; and

providing, by the computing system to the computing resource and based at least in part on the acknowledgment, instructions about using the keypair for the client as a preferred keypair, the keypair becoming available to the client on the computing resource over the external network based at least in part on the keypair being the preferred keypair.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A material set, such as an asymmetric keypair, is processed using an associated workflow to prepare the material set for activation and/or use. In one embodiment, a material set is generated and information about the material set is communicated to a workflow manager. Based at least on the information, the workflow manager generates a workflow that when accomplished will allow the material set to be activated and/or used. In another embodiment, a service provider provides a key manager, workflow manager and destination for the key, such as a load balancer that terminates SSL connections. A key can be generated by the key manager, sent through the workflow manager for processing (potentially communicated to third parties such as a certificate authority, if needed) and installed at a destination.

Citations

18 Claims

1. A computer-implemented method, comprising:
- generating, by a computing system for a client, a keypair for distribution to a computing resource of the computing system over an internal network to the computing system, the computing resource accessible to the client over an external network to the computing system, the keypair unavailable to the client for use on the computing resource until activation of the keypair based at least in part on a workflow;
  
  the keypair generated based at least in part on a security policy specifying a time-based rotation of keypairs within the computing system;
  
  selecting, by the computing system, a workflow template for the workflow based at least in part on a class of the keypair, the workflow template defined for the class of the keypair based at least in part on input of an administrator of the computing system, the workflow template specifying actions within the computing system to complete the activation of the keypair based at least in part on the class of the keypair;
  
  performing, by the computing system, the actions within the computing system to complete the workflow;
  
  associating, by the computing system, the keypair with an active status based at least in part on completion of the workflow;
  
  distributing, by the computing system based at least in part on the active status, the keypair to the computing resource over the internal network without sending the keypair to the client, the keypair distributed to the computing resource as a non-preferred keypair, the distributing comprising replacing, for the client, an existing keypair with the keypair based at least in part on the time-based rotation;
  
  receiving, by the computing system from the computing resource, an acknowledgement about receipt of the keypair by the computing resource; and
  
  providing, by the computing system to the computing resource and based at least in part on the acknowledgment, instructions about using the keypair for the client as a preferred keypair, the keypair becoming available to the client on the computing resource over the external network based at least in part on the keypair being the preferred keypair.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein the workflow template is further selected based at least in part on an identifier of a certificate authority, wherein the identifier is received from the client, and wherein the actions specified in the workflow template comprises requesting a secure sockets layer (SSL) certificate from the certificate authority.
  - 3. The computer-implemented method of claim 1, wherein the keypair comprises an asymmetric keypair for SSL communications, wherein the actions specified in the workflow template comprise obtaining an SSL certificate based at least in part on a public key of the asymmetric keypair, and wherein activating the keypair comprises distributing a private key of the asymmetric keypair and the SSL certificate to the computing resource.
  - 4. The computer-implemented method of claim 1, wherein the keypair comprises a public key and a private key for secure communications of the client, wherein the actions specified in the workflow template comprise:
    - generating a certificate signing request based at least in part on the public key;
      
      sending the certificate signing request to a certificate authority;
      
      marking a certificate from the certificate authority as active, the certificate based at least in part on the certificate signing request;
      
      distributing the certificate and the private key to the computing resource,wherein the computing resource utilizes the certificate and the private key for the secure communications.
  - 5. The computer-implemented method of claim 1, wherein the computing resource comprises a storage resource, wherein the keypair comprises an encryption key, wherein the actions specified in the workflow template for the encryption key comprise:
    - sending the encryption key to the storage resource as a non-preferred key; and
      
      instructing the storage resource to start utilizing the encryption key as a preferred key based at least in part on the acknowledgement from the storage resource about receipt of the encryption key, andwherein data of the client stored in the storage resource is encrypted with the encryption key based at least in part on the encryption key being the preferred key.
  - 6. The computer-implemented method of claim 1, wherein the keypair is generated based at least in part on a request of the client, wherein the request identifies the class of the keypair, and wherein the class of the keypair comprises at least one of:
    - a characteristic of the keypair or a description of the use of the keypair on the computing resource.
  - 7. The computer-implemented method of claim 1, wherein associating the keypair with the active status comprises marking the keypair as active.

8. A computing system, comprising:
- one or more processors;
  
  one or more non-transitory computer-readable storage media bearing instructions that, upon execution with the one or more processors, cause the computing system to at least;
  
  generate, for a client, a secret for distribution within the computing system over an internal network to the computing system, the computing system accessible to the client over an external network to the computing system, the secret unavailable to the client for use until activation of the secret based at least in part on a workflow, the secret generated based at least in part on a security policy, the security policy defining a time-based rotation of secrets based at least in part on input of an administrator of the computing system;
  
  select a workflow template for the workflow based at least in part on a class of the secret, the workflow template defined for the class of the secret based at least in part on the input of the administrator, the workflow template specifying actions within the computing system to complete the activation of the secret based at least in part on the class of the secret;
  
  perform the actions within the computing system to complete the workflow;
  
  associate the secret with an active status based at least in part on completion of the workflow template;
  
  distribute, based at least in part on the status state, the secret within the computing system over the internal network without sending the secret to the client, the secret distributed as a non-preferred secret; and
  
  enable the secret to be used in response to an acknowledgement about the secret from a computing resource of the computing system by at least providing instructions to the computing resource about using the secret as a preferred secret, the secret becoming available to the client at the computing system over the external network based at least in part on the secret being the preferred secret.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computing system of claim 8, wherein the secret comprises a key, and wherein the key is generated by a key manager of the computing system, wherein the workflow template is selected by a workflow manager of the computing system based at least in part on receipt of an identifier of the class of the secret from the key manager over the internal network, wherein the actions of the workflow template are performed by a workflow manager of the computing system, and wherein the key is distributed by the key manager to a computing resource of the computing system over the internal network.
  - 10. The computing system of claim 9, the input of the administrator defines interactions between the key manager, the workflow manager, and the computing resource over the internal network to complete the workflow.
  - 11. The computing system of claim 8, wherein the secret is generated based at least on a request of the client for a key, wherein the request identifies the workflow template, and wherein the instructions, upon execution with the one or more processors, further cause the computing system to at least:
    - provide a set of workflow templates to the client, the workflow templates associated with respective classes of secrets; and
      
      receiving the request of the client based at least in part on the set of workflow templates.
  - 12. The computing system of claim 8, wherein the secret is generated based at least in part on a trigger event.
  - 13. The computing system of claim 12, wherein the secret comprises a private key, wherein the trigger event comprises a request of the client associated with secure communications, and wherein the instructions, upon execution with the one or more processors, further cause the computing system to at least:
    - send the private key and a certificate of the client to a load balancer of the computing system, wherein the load balancer is configured to terminate the secure communications based at least in part on the private key and the certificate.
  - 14. The computing system of claim 8, wherein the instructions, upon execution with the one or more processors, further cause the computing system to at least:
    - generate a new secret based at least in part on the class of the secret, the new secret unavailable to the client for use within the computing system until processed through a replacement workflow, the replacement workflow replacing the secret with the new secret based at least in part on the class of the secret;
      
      perform the replacement workflow to replace the secret with the new secret;
      
      activate the new secret based at least in part on replacement of the secret with the new secret; and
      
      deactivate the secret based at least in part on the new secret being activated.

15. One or more non-transitory computer-readable storage media having collectively stored thereon executable instructions that, upon execution with one or more processors of a computing system, cause the computing system to at least:
- generate, for a client, a key for distribution within the computing system over an internal network to the computing system, the computing system accessible to the client over an external network to the computing system, the key unavailable to the client for use until activation of the key, the key generated based at least in part on a security policy specifying a time-based rotation of keys within the computing system;
  
  select a workflow template to activate the key based at least in part on a class of the key, the workflow template defined for the class of the key based at least in part on input of an administrator of the computing system, the workflow template specifying actions within the computing system to complete the activation of the key based at least in part on the class of the key;
  
  perform the actions within the computing system based at least in part on the workflow template;
  
  associate the key with an active status based at least in part on the actions of the workflow template being performed;
  
  distribute, based at least in part on the active status, the key within the computing system over the internal network without sending the key to the client, the key distributed as a non-preferred key, the distributing comprising replacing, for the client, an existing key with the key based at least in part on the time-based rotation; and
  
  enable the key to be used in response to an acknowledgement about the key from a resource of the computing system by at least providing instructions to the resource about using the key as a preferred key, the key becoming available to the client at the computing system over the external network based at least in part on the key being the preferred key.
- View Dependent Claims (16, 17, 18)
- - 16. The one or more non-transitory computer-readable storage media of claim 15, wherein the key is distributed to resources of the computing system, and wherein the actions comprise:
    - removing the resource from a list of resources based at least in part on the acknowledgment from the resource of receipt of the key;
      
      redistributing the key to another resource on the list based at least in part of a lack of acknowledgment from the other resource of receipt of the key; and
      
      generating an alarm based at least in part on the lack of presented at a portal of the administrator.
  - 17. The one or more non-transitory computer-readable storage media of claim 15, wherein distributing the key comprises replacing an existing key on the resource of the computing system with the key based at least in part on a rotation of keys, and wherein the actions comprise:
    - determining whether the acknowledgment from the resource of receipt of the key exists;
      
      instructing the resource to activate the key and deactivate the existing key based at least in part on the acknowledgement; and
      
      redistributing the key to the resource based at least in part of a lack of the acknowledgment and generating an alarm based at least in part on the lack of acknowledgement, the alarm presented at a portal of the administrator.
  - 18. The one or more non-transitory computer-readable storage media of claim 15, wherein performing the actions comprises:
    - performing a webservice call using credentials, the webservice call comprising a public key portion of the key; and
      
      receiving an acknowledgement of receipt of the public key portion of the key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Baer, Graeme D., Hulme, David M., Seidenberg, Benjamin E.
Primary Examiner(s)
Gelagay, Shewaye
Assistant Examiner(s)
Fields, Courtney D

Application Number

US15/052,764
Time in Patent Office

1,518 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6209   to a single file or object,...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 2209/64   Self-signed certificates

H04L 63/062   for key distribution, e.g. ...

H04L 63/068   using time-dependent keys, ...

H04L 9/0816   Key establishment, i.e. cry...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/083   involving central third par...

H04L 9/0891   Revocation or update of sec...

H04L 9/3263   involving certificates, e.g...

H04L 9/3268   using certificate validatio...

Key rotation with external workflows

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Key rotation with external workflows

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links