Asymmetric session credentials
Abstract
Techniques for issuing short-term credentials based on asymmetric session keys are described herein. A request for a short-term credential is received that is digitally signed with a different credential. In response to the request, short-term credential data is generated and populated with a public session key corresponding to a private session key. The short-term credential data is then encrypted with a session encryption key to produce the short-term credential token, which the requester can then use as a short-term credential for subsequent requests.
21 Claims
1. A computer-implemented method, comprising:
- obtaining a first request to establish a session, the first request cryptographically protected by a first key;
- generating, at least in part as a result of cryptographically verifying the first request using the first key, credential data comprising a second key usable to authenticate messages within the session, wherein the second key is associated with a shorter duration than the duration of the first key;
- encrypting the credential data with a first asymmetric key of a key pair to generate encrypted credential data;
- providing, in response to the first request, the encrypted credential data and the second key, wherein decryption of the encrypted credential data using a second asymmetric key of the key pair produces an extracted second key from the encrypted credential data;
- authenticating a second request using the extracted second key, wherein the second request, which includes the encrypted credential data, is signed using the second key; and
- fulfilling the second request by providing access to a computer resource.
Dependent claims: 2, 3, 4.

5. A system, comprising:
- memory to store instructions that, as a result of execution by one or more processors of the system, cause the system to:
- decrypt a token associated with a first request from a device to establish a session, the token of the first request encrypted with a first key;
- as a result of decrypting the token of the first request to establish a session, generate credential data comprising a second key that is associated with a shorter duration of availability than the duration of availability of the first key, the second key usable to authenticate messages within the session;
- encrypt the credential data with a session encryption key of a set of session encryption keys to generate encrypted credential data;
- provide, in response to the first request, the encrypted credential data and the second key, wherein decryption of the encrypted credential data using the session encryption key or an additional session encryption key of the set of session encryption keys produces an extracted second key, the additional session encryption key corresponding to the session encryption key;
- authenticate a second request using the extracted second key, wherein the second request, which includes the encrypted credential data, is signed using the second key; and
- satisfy the second request by providing access to a computer resource.
Dependent claims: 6, 7, 8, 9, 10, 11, 12, 13.

14. A non-transitory computer-readable storage medium comprising executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
- validate a first request to establish a session, the first request cryptographically protected with a first key associated with a first duration;
- as a result of validating the first request to establish a session, generate credential data comprising a second key, associated with a second duration that is shorter than the first duration, usable to digitally sign and authenticate messages within the session;
- encrypt the credential data with a third key to generate encrypted credential data;
- provide, in response to the first request, the encrypted credential data and the second key, wherein decryption of the encrypted credential data using the third key produces an extracted second key from the encrypted credential data;
- authenticate a second request using the extracted second key, wherein the second request, which includes the encrypted credential data, is signed using the second key; and
- fulfil the second request by providing access to a computing system resource.
Dependent claims: 15, 16, 17, 18, 19, 20, 21.