Asymmetric session credentials

US 10,680,827 B2
Filed: 01/19/2018
Issued: 06/09/2020
Est. Priority Date: 12/03/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

obtaining a first request to establish a session, the first request cryptographically protected by a first key;

generating, at least in part as a result of cryptographically verifying the first request using the first key, credential data comprising a second key usable to authenticate messages within the session, wherein the second key is associated with a shorter duration than duration of the first key;

encrypting the credential data with a first asymmetric key of a key pair to generate encrypted credential data;

providing, in response to the first request, the encrypted credential dataand the second key, wherein decryption of the encrypted credential data using a second asymmetric key of the key pair produces an extracted second key from the encrypted credential data;

authenticating a second request using the extracted second key, wherein the second request, which includes the encrypted credential data, is signed using the second key; and

fulfilling the second request by providing access to a computer resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for using short-term credentials using asymmetric session keys are described herein. A request for a short-term credential is received that is digitally signed with a different credential. In response to the request, short-term credential data is generated and populated with a public session key corresponding to a private session key. The short-term credential data is then encrypted with a session encryption key to produce the short-term credential token, which can then be used by the requester as a short-term credential for subsequent requests.

Citations

21 Claims

1. A computer-implemented method, comprising:
- obtaining a first request to establish a session, the first request cryptographically protected by a first key;
  
  generating, at least in part as a result of cryptographically verifying the first request using the first key, credential data comprising a second key usable to authenticate messages within the session, wherein the second key is associated with a shorter duration than duration of the first key;
  
  encrypting the credential data with a first asymmetric key of a key pair to generate encrypted credential data;
  
  providing, in response to the first request, the encrypted credential dataand the second key, wherein decryption of the encrypted credential data using a second asymmetric key of the key pair produces an extracted second key from the encrypted credential data;
  
  authenticating a second request using the extracted second key, wherein the second request, which includes the encrypted credential data, is signed using the second key; and
  
  fulfilling the second request by providing access to a computer resource.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, wherein the credential data is valid for a predetermined amount of time.
  - 3. The computer-implemented method of claim 1, further comprising:
    - generating additional requests, while the credential data is valid, to authenticate additional messages.
  - 4. The computer-implemented method of claim 1, further comprising:
    - in response to determining that the credential data has been comprised, invalidating the credential data; and
      
      sending a request for new credential data.

5. A system, comprising:
- memory to store instructions that, as a result of execution by one or more processors of the system, cause the system to;
  
  decrypt a token associated with a first request from a device to establish a session, the token of the first request encrypted with a first key;
  
  as a result of decrypting the token of the first request to establish a session, generate credential data comprising a second key that is associated with a shorter duration of availability than duration of availability of the first key, the second key usable to authenticate messages within the session;
  
  encrypt the credential data to generate an encrypted credential data with a session encryption key of a set of session encryption keys;
  
  provide, in response to the first request, the encrypted credential data and the second key, whereindecryption of the encrypted credential data using the session encryption key or an additional session encryption key of the set of session encryption keys produces an extracted second key, the additional session encryption key corresponds to the session encryption key;
  
  authenticate a second request using the extracted second key, wherein the second request, which includes the encrypted credential data, is signed using the second key; and
  
  satisfy the second request by providing access to a computer resource.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13)
- - 6. The system of claim 5, wherein the credential data is valid for a predetermined amount of time.
  - 7. The system of claim 5, wherein the instructions that, if executed by one or more processors of the system, further cause the system to:
    - generate additional requests, while the credential data is valid, to authenticate additional messages.
  - 8. The system of claim 5, wherein the instructions that, as a result of execution by one or more processors of the system, further cause the system to:
    - in response to determining that the credential data has been comprised, invalidate the credential data; and
      
      send a request for new credential data.
  - 9. The system of claim 5, wherein the first request to establish the session is digitally signed using the first key associated with an account of a requestor wherein the first key is a long-term key.
  - 10. The system of claim 9, wherein the instructions that, as a result of execution by one or more processors of the system, further cause the system to:
    - verify, at a security service, a digital signature associated with the first request to establish the session.
  - 11. The system of claim 10, wherein in response to the security service verifying the request, the security service generates the credential data.
  - 12. The system of claim 11, wherein the session encryption key and the additional session encryption key are two keys of an asymmetric session encryption key pair.
  - 13. The system of claim 11, wherein in response to the security service generating the credential data, the security service encrypts the generated credential data using a session encryption key.

14. A non-transitory computer-readable storage medium comprising executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
- validate a first request to establish a session, the first request cryptographically protected with a first key associated with a first duration;
  
  as a result of validating the first request to establish a session, generate credential data comprising a second key associated with a second duration that is shorter than the first duration usable to digitally sign and authenticate messages within the session;
  
  encrypt the credential data with a third key to generate an encrypted credential data;
  
  provide, in response to the first request, the encrypted credential dataand the second key, wherein decryption of the encrypted credential data using the third key produces an extracted second key from the encrypted credential data;
  
  authenticate a second request using the extracted second key, wherein the second request, which includes the encrypted credential data, is signed using the second key; and
  
  fulfil the second request by providing access to a computing system resource.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The non-transitory computer-readable storage medium of claim 14, wherein the credential data is valid for a predetermined amount of time.
  - 16. The non-transitory computer-readable storage medium of claim 14, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to:
    - generate additional requests, while the credential data is valid, to authenticate additional messages.
  - 17. The non-transitory computer-readable storage medium of claim 14, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to:
    - in response to determining that the credential data has been comprised, invalidate the credential data; and
      
      send a request for new credential data.
  - 18. The non-transitory computer-readable storage medium of claim 14, wherein the first key is a long-term key associated with an account of a requestor, the first key usable to generate a digital signature of the request.
  - 19. The non-transitory computer-readable storage medium of claim 18, wherein the instructions that, as a result of execution by one or more processors of the system, further cause the system to:
    - verify, at a security service, the digital signature associated with the first request to establish the session.
  - 20. The non-transitory computer-readable storage medium of claim 19, wherein in response to the security service verifying the first request, the security service generates the credential data.
  - 21. The non-transitory computer-readable storage medium of claim 20, wherein in response to the security service generating the credential data, the security service encrypts the generated credential data using a session encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Barbour, Marc R., Sedky, Khaled Salah, Mandadi, Srikanth, Praus, Slavka
Primary Examiner(s)
Vaughan, Michael R

Application Number

US15/875,995
Publication Number

US 20180145835A1
Time in Patent Office

872 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0442   wherein the sending and rec...

H04L 63/045   wherein the sending and rec...

H04L 63/062   for key distribution, e.g. ...

H04L 63/068   using time-dependent keys, ...

H04L 63/126   the source of the received ...

H04L 9/0822   using key encryption key

H04L 9/0866   involving user or device id...

H04L 9/0891   Revocation or update of sec...

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

H04L 9/50   using hash chains, e.g. blo...

Asymmetric session credentials

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Asymmetric session credentials

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links