Parameter based key derivation
First Claim
1. A computer-implemented method, comprising:
- obtaining a first cryptographic key;
- using the first cryptographic key and a plurality of restriction identifiers to derive a second cryptographic key;
- using the second cryptographic key and a request for access to a set of resources to generate a digital signature of the request;
- providing the request with the digital signature as a digitally signed request to access the set of resources; and
- receiving a response to the digitally signed request, the response granting access to the set of resources based on verifying that an expected signature, which is based on the first cryptographic key and the plurality of restriction identifiers, matches the digital signature.
Abstract
A delegation request is submitted to a session-based authentication service; fulfilling it grants an entity an access privilege to a computing resource. A session key is received from the session-based authentication service. The session key was generated based at least in part on a restriction and on a secret credential shared with the session-based authentication service, and is usable at least in part to prove possession of the access privilege to the computing resource. The session key is provided to the entity without providing the shared secret credential.
23 Claims
9. A system, comprising:
- memory to store instructions executable by one or more processors to cause the system to:
- obtain a first cryptographic key;
- use the first cryptographic key and a set of restriction identifiers to derive a plurality of cryptographic keys; and
- distribute the plurality of cryptographic keys among a plurality of services, wherein at least one service of the plurality of services uses at least one cryptographic key of the plurality of cryptographic keys to generate a request signature to enable signing an access request to a computing resource with the request signature, the request signature based on the access request and on at least one restriction identifier of the set of restriction identifiers.
Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17, 18, 19
20. A non-transitory computer-readable storage medium storing executable instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
- obtain a first cryptographic key;
- use the first cryptographic key and a set of restriction identifiers to derive a plurality of cryptographic keys; and
- distribute the plurality of cryptographic keys among a plurality of services, wherein at least one service of the plurality of services uses at least one cryptographic key of the plurality of cryptographic keys, the at least one cryptographic key based on at least one restriction identifier of the set of restriction identifiers, to enable signing an access request, to a computing resource, with a request signature, the request signature based on the access request and the at least one cryptographic key, the access request subject to a restriction corresponding to the at least one restriction identifier.
Dependent claims: 21, 22, 23
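The derivation, distribution and verification flow recited in claims 1, 9 and 20 can be illustrated with a short Python script. This is an added example, not code from the patent or from its assignee. The claims do not fix a particular key derivation function, so the choice of HMAC-SHA256 chained over the restriction identifiers, the identifiers themselves (a date, a region and a service name), the sample request and the long-term key are all constructed assumptions made for this illustration.

```python
import hmac
import hashlib
from typing import Sequence, Tuple

# Constructed sample values for the illustration (not taken from the patent).
FIRST_KEY = b"constructed-long-term-secret-key"       # the "first cryptographic key"
RESTRICTIONS = ("20240101", "us-east-1", "storage")   # date, region, service (constructed)
REQUEST = b"GET /bucket/object HTTP/1.1\nhost: storage.example\n"


def derive_key(first_key: bytes, restriction_ids: Sequence[str]) -> bytes:
    """Derive a key by chaining HMAC-SHA256 over the restriction identifiers in order.

    Each step keys HMAC with the previous output and uses the next identifier as
    the message, so the result is bound to the whole ordered tuple of restrictions,
    and the first key cannot be recovered from any derived key.
    """
    key = first_key
    for rid in restriction_ids:
        key = hmac.new(key, rid.encode("utf-8"), hashlib.sha256).digest()
    return key


def sign_request(derived_key: bytes, request: bytes) -> str:
    """Signer side: MAC the request with the derived (second) key."""
    return hmac.new(derived_key, request, hashlib.sha256).hexdigest()


def verify_request(first_key: bytes, claimed_restrictions: Sequence[str],
                   request: bytes, signature: str) -> bool:
    """Verifier side: recompute the expected signature from the first key and the
    restriction identifiers presented with the request; compare in constant time."""
    expected = sign_request(derive_key(first_key, claimed_restrictions), request)
    return hmac.compare_digest(expected, signature)


def run_scenario() -> Tuple[bool, bool, bool, bool]:
    """Walk through the claims and return four checks:
    (valid request accepted, wrong restriction rejected, tampered request rejected,
     key derived in stages equals key derived in one step)."""
    # Claims 9/20: a date-scoped key can be handed to a regional service, which
    # derives the fully restricted signing key itself without ever seeing FIRST_KEY.
    date_key = derive_key(FIRST_KEY, RESTRICTIONS[:1])
    service_key = derive_key(date_key, RESTRICTIONS[1:])
    staged_matches = service_key == derive_key(FIRST_KEY, RESTRICTIONS)

    # Claim 1: the service signs the request with the derived key ...
    signature = sign_request(service_key, REQUEST)
    # ... and the verifier, holding FIRST_KEY plus the identifiers, accepts it.
    accepted = verify_request(FIRST_KEY, RESTRICTIONS, REQUEST, signature)

    # A request presented under a different region identifier yields a different
    # expected key, so the same signature no longer matches.
    wrong_region = ("20240101", "eu-west-1", "storage")
    wrong_rejected = not verify_request(FIRST_KEY, wrong_region, REQUEST, signature)

    # A modified request also fails, because the MAC covers the request bytes.
    tampered = REQUEST.replace(b"/object", b"/other-object")
    tampered_rejected = not verify_request(FIRST_KEY, RESTRICTIONS, tampered, signature)

    return accepted, wrong_rejected, tampered_rejected, staged_matches


if __name__ == "__main__":
    print(run_scenario())
```

Two properties of the chained derivation carry the claims' security argument: a service that holds only a derived key can sign nothing outside the restrictions baked into that key, and the verifier never needs to trust the service's key material, since it recomputes the expected key from the first key and the identifiers the request itself presents. Because the chain is ordered, an intermediate key (for example one scoped only to the date) can be distributed and further restricted by its holder, which is the distribution step of claims 9 and 20.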
Specification