Parameter based key derivation

US 10,721,238 B2
Filed: 03/16/2018
Issued: 07/21/2020
Est. Priority Date: 09/29/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

obtaining a first cryptographic key;

using the first cryptographic key and a plurality of restriction identifiers to derive a second cryptographic key;

using the second cryptographic key and a request for access to a set of resources to generate a digital signature of the request;

providing the request with the digital signature as a digitally signed request to access the set of resources; and

receiving a response to the digitally signed request, the response granting access to the set of resources based on verifying that an expected signature, which is based on the first cryptographic key and the plurality of restriction identifiers, matches the digital signature.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A delegation request is submitted to a session-based authentication service, fulfillment of which involves granting an entity an access privilege to a computing resource. A session key is received from the session-based authentication service. The session key having been generated based at least in part on a restriction and a secret credential shared with the session-based authentication service and usable at least in part to prove possession of the access privilege to the computing resource. The session key is provided to the entity without providing the shared secret credential.

229 Citations

23 Claims

1. A computer-implemented method, comprising:
- obtaining a first cryptographic key;
  
  using the first cryptographic key and a plurality of restriction identifiers to derive a second cryptographic key;
  
  using the second cryptographic key and a request for access to a set of resources to generate a digital signature of the request;
  
  providing the request with the digital signature as a digitally signed request to access the set of resources; and
  
  receiving a response to the digitally signed request, the response granting access to the set of resources based on verifying that an expected signature, which is based on the first cryptographic key and the plurality of restriction identifiers, matches the digital signature.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, wherein a restriction identifier of the plurality of restriction identifiers corresponds to an identity of a key zone of a plurality of key zones.
  - 3. The computer-implemented method of claim 1, wherein a restriction identifier of the plurality of restriction identifiers corresponds to an identity of an entity for which the second cryptographic key is to be derived.
  - 4. The computer-implemented method of claim 1, wherein a restriction identifier of the plurality of restriction identifiers corresponds to a restriction on a permitted action.
  - 5. The computer-implemented method of claim 1, wherein the request includes information indicating a restriction identifier of the plurality of restriction identifiers.
  - 6. The computer-implemented method of claim 1, wherein a restriction identifier of the plurality of restriction identifiers corresponds to a limit on an amount of time the second cryptographic key is valid.
  - 7. The computer-implemented method of claim 1, wherein the first cryptographic key is a shared secret credential that is shared with a system that receives the response.
  - 8. The computer-implemented method of claim 1, wherein the digital signature of the request is generated by applying a cryptographic hash algorithm to the second cryptographic key and the request, wherein the second cryptographic key functions as a shared secret credential.

9. A system, comprising:
- memory to store instructions executable by one or more processors to cause the system to;
  
  obtain a first cryptographic key;
  
  use the first cryptographic key and a set of restriction identifiers to derive a plurality of cryptographic keys; and
  
  distribute the plurality of cryptographic keys among a plurality of services, wherein at least one service of the plurality of services uses at least one cryptographic key of the plurality of cryptographic keys to generate a request signature to enable signing an access request to a computing resource with the request signature, the request signature based on the access request and on at least one restriction identifier of the set of restriction identifiers.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 10. The system of claim 9, wherein the at least one service uses the at least one cryptographic key to validate whether the access request complies with a session restriction corresponding to the at least one restriction identifier.
  - 11. The system of claim 10, wherein the instructions further include instructions that cause the system to:
    - receive the access request from an entity to access the computing resource, the access request signed with the request signature based on the at least one cryptographic key; and
      
      in response to receipt of the access request;
      
      compute a verifying signature based on the at least one cryptographic key and the at least one restriction identifier;
      
      validate the access request by comparing the verifying signature to the request signature; and
      
      grant, to the entity, access to the computing resource.
  - 12. The system of claim 11, wherein the instructions that validate the access request further include instructions that cause the system to validate the access request based at least in part on a session restriction corresponding to the at least one restriction identifier.
  - 13. The system of claim 11, wherein the at least one cryptographic key is computed using a cryptographic hash algorithm.
  - 14. The system of claim 13, wherein the instructions that cause the system to validate the access request, include instructions that cause the system to:
    - apply the cryptographic hash algorithm to the at least one cryptographic key and the at least one restriction identifier to obtain a hash result; and
      
      compute the verifying signature based on the hash result.
  - 15. The system of claim 9, wherein a restriction identifier of the set of restriction identifiers corresponds to an identity of a key zone of a plurality of key zones.
  - 16. The system of claim 9, wherein the instructions further include instructions that cause a service of the plurality of services to receive the access request containing the request signature and validate the request signature based on the at least one cryptographic key.
  - 17. The system of claim 16, wherein the access request includes an encoding of a restriction corresponding to the at least one restriction identifier.
  - 18. The system of claim 17, wherein the instructions that cause the system to validate the access request include instructions that cause the system to validate whether the access request complies with the restriction.
  - 19. The system of claim 11, wherein the request signature is generated by applying a cryptographic hash algorithm to the at least one cryptographic key and the access request, wherein the at least one cryptographic key functions as a shared secret credential.

20. A non-transitory computer-readable storage medium storing executable instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
- obtain a first cryptographic key;
  
  use the first cryptographic key and a set of restriction identifiers to derive a plurality of cryptographic keys; and
  
  distribute the plurality of cryptographic keys among a plurality of services, wherein at least one service of the plurality of services uses at least one cryptographic key of the plurality of cryptographic keys, the at least one cryptographic key based on at least one restriction identifier of the set of restriction identifiers, to enable signing an access request, to a computing resource, with a request signature, the request signature based on the access request and the at least one cryptographic key, the access request subject to a restriction corresponding to the at least one restriction identifier.
- View Dependent Claims (21, 22, 23)
- - 21. The non-transitory computer-readable storage medium of claim 20, wherein the executable instructions include executable instructions that cause the computer system to:
    - provide the at least one cryptographic key to a first entity;
      
      receive a request containing information based at least in part on the at least one cryptographic key;
      
      compute a verifying signature based at least in part on the at least one restriction identifier; and
      
      verify the first entity has possession of an access privilege to a computing resource based on the verifying signature and the request signature.
  - 22. The non-transitory computer-readable storage medium of claim 21, wherein the executable instructions further include executable instructions that cause the computer system to:
    - fulfill the request by providing access to the computing resource depending at least in part on the verifying signature matching the request signature.
  - 23. The non-transitory computer-readable storage medium of claim 22, wherein:
    - the request further contains information indicating the at least one restriction identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Brandwine, Eric Jason, Fitch, Nathan R., Ilac, Cristian M., Crahen, Eric D.
Primary Examiner(s)
Tran, Ellen

Application Number

US15/924,038
Publication Number

US 20180205738A1
Time in Patent Office

858 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 2221/2137   Time limited access, e.g. t...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 9/083   involving central third par...

H04L 9/0861   Generation of secret inform...

H04L 9/088   Usage controlling of secret...

H04L 9/32   including means for verifyi...

H04L 9/3242   involving keyed hash functi...

H04L 9/3247   involving digital signatures

H04L 9/50   using hash chains, e.g. blo...

Parameter based key derivation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

229 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Parameter based key derivation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

229 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links