Unified management of cryptographic keys using virtual keys and referrals

US 10,644,881 B2
Filed: 04/01/2019
Issued: 05/05/2020
Est. Priority Date: 09/26/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

obtaining a request from a computing entity to perform an operation, the request specifying a key identifier;

selecting, based at least in part on the key identifier, a key from a set of keys managed on behalf of the computing entity, the set of keys including a subset of virtual keys, the subset of virtual keys being associated with a set of cryptographic keys that is stored in a computing device;

as a result of the key being a member of the subset of virtual keys, determining configuration information usable to access a cryptographic key of the set of cryptographic keys stored in the computing device, wherein the cryptographic key is associated with the member of the subset of virtual keys;

obtaining the cryptographic key from the computing device according to the configuration information; and

performing, using the cryptographic key, the operation to fulfill the request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cryptography service allows for management of cryptographic keys in multiple environments. The service allows for specification of policies applicable to cryptographic keys, such as what cryptographic algorithms should be used in which contexts. The cryptography service, upon receiving a request for a key, may provide a referral to another system to obtain the key.

4 Citations

20 Claims

1. A computer-implemented method, comprising:
- obtaining a request from a computing entity to perform an operation, the request specifying a key identifier;
  
  selecting, based at least in part on the key identifier, a key from a set of keys managed on behalf of the computing entity, the set of keys including a subset of virtual keys, the subset of virtual keys being associated with a set of cryptographic keys that is stored in a computing device;
  
  as a result of the key being a member of the subset of virtual keys, determining configuration information usable to access a cryptographic key of the set of cryptographic keys stored in the computing device, wherein the cryptographic key is associated with the member of the subset of virtual keys;
  
  obtaining the cryptographic key from the computing device according to the configuration information; and
  
  performing, using the cryptographic key, the operation to fulfill the request.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer-implemented method of claim 1, wherein the request is an application programming interface request.
  - 3. The computer-implemented method of claim 1, wherein:
    - the request indicates one or more capabilities of the computing entity; and
      
      the operation is performed based at least in part on the one or more capabilities.
  - 4. The computer-implemented method of claim 1, wherein:
    - the configuration information comprises a cryptographic configuration and a reference to the computing device; and
      
      obtaining the cryptographic key from the computing device according to the configuration information comprises;
      
      determining, based at least in part on the cryptographic configuration and the reference, credentials to obtain the cryptographic key from the computing device;
      
      submitting a first request to the computing device for the cryptographic key, the first request comprising the credentials; and
      
      obtaining, in response to the first request, the cryptographic key from the computing device.
  - 5. The computer-implemented method of claim 1, wherein the operation comprises performing one or more cryptographic operations using the cryptographic key.

6. A system comprising memory storing executable instructions that, as a result of execution by one or more processors, cause the system to:
- obtain, from an entity, a first request to perform an operation, the first request indicating a key identifier;
  
  determine the key identifier is associated with a key of a set of cryptographic keys that is stored in a computing device;
  
  determine configuration information usable to access a cryptographic key of the set of cryptographic keys;
  
  submit a second request to obtain, using the configuration information, the cryptographic key from the computing device; and
  
  execute, using the cryptographic key, the operation to fulfill the first request.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13)
- - 7. The system of claim 6, wherein the first request comprises:
    - a network location of the computing device; and
      
      information indicating a format for a fulfillment of the first request.
  - 8. The system of claim 6, wherein the key identifier is associated with the cryptographic key.
  - 9. The system of claim 6, wherein:
    - the first request comprises an encryption context; and
      
      the executable instructions to execute the operation comprise instructions that, as a result of execution by the one or more processors, cause the system to utilize the encryption context to fulfill the first request.
  - 10. The system of claim 9, wherein the encryption context indicates a set of supported encryption algorithms.
  - 11. The system of claim 6, wherein the computing device is a security module.
  - 12. The system of claim 6, wherein:
    - the configuration information comprises a cryptographic configuration and a reference to the computing device; and
      
      the second request comprises credentials to obtain the cryptographic key from the computing device, the credentials determined based at least in part on the configuration information.
  - 13. The system of claim 6, wherein the configuration information is determined based at least in part on the key identifier.

14. A non-transitory computer-readable storage medium to store executable instructions that, if executed by one or more processors of a computer system, cause the computer system to:
- obtain, from a first computing device, a first request, the first request indicating a key identifier;
  
  determine that the first request indicates a referral to a second computing device;
  
  obtain, from the second computing device, a key associated with the key identifier; and
  
  execute, in association with the key, an operation as part of fulfillment of the first request.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The non-transitory computer-readable storage medium of claim 14, wherein the first request indicates the operation.
  - 16. The non-transitory computer-readable storage medium of claim 14, wherein the first request is obtained through one or more cryptographically protected networks.
  - 17. The non-transitory computer-readable storage medium of claim 14, wherein the second computing device is accessible over a private network that includes the computer system.
  - 18. The non-transitory computer-readable storage medium of claim 14, wherein the second computing device is a hardware security module.
  - 19. The non-transitory computer-readable storage medium of claim 14, wherein the executable instructions to execute the operation comprise instructions that, as a result of execution by the one or more processors, cause the computer system to:
    - determine, based at least in part on the first request, a cryptographic algorithm; and
      
      perform one or more cryptographic operations using the key and the cryptographic algorithm.
  - 20. The non-transitory computer-readable storage medium of claim 14, wherein the executable instructions to obtain the key comprise instructions that, as a result of execution by the one or more processors, cause the computer system to:
    - determine, based at least in part on the first request, credentials to obtain the key from the second computing device;
      
      submit a second request to the second computing device based at least in part on the credentials, the second request requesting access to the key; and
      
      obtain, in response to the second request, the key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek
Primary Examiner(s)
Getachew, Abiy

Application Number

US16/372,029
Publication Number

US 20190229899A1
Time in Patent Office

400 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2209/24   Key scheduling, i.e. genera...

H04L 9/0822   using key encryption key

H04L 9/0861   Generation of secret inform...

H04L 9/088   Usage controlling of secret...

H04L 9/0897   involving additional device...

Unified management of cryptographic keys using virtual keys and referrals

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

4 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Unified management of cryptographic keys using virtual keys and referrals

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

4 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links