PARAMETER BASED KEY DERIVATION
First Claim
1. A computer-implemented method for providing services, comprising:
- under the control of one or more computer systems configured with executable instructions,receiving, from an authenticating party, electronic information encoding a message, a signature for the message, and a set of one or more restrictions on keys derived from a secret credential shared with the authenticating party, the signature being determinable by applying a hash-based message authentication code function to the message, the secret credential, and the set of one or more restrictions, but also being undeterminable having only the hash-based message authentication code function but without having the set of one or more restrictions;
obtaining a key generated at least in part using at least a subset of the set of one or more restrictions;
calculating, by the one or more computer systems, a value of a hash-based message authentication code function by at least inputting into the hash-based message authentication code function;
first input based at least in part on the obtained key; and
second input based at least in part on the set of one or more restrictions;
determining, by the one or more computer systems and based at least in part on the calculated value, whether the signature is valid; and
providing access to one or more computing resources when determined that the signature is valid.
1 Assignment
0 Petitions
Accused Products
Abstract
Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information that, as a result of being used to generate the keys, renders the generated keys usable for a smaller scope of uses than the secret credential. Further, key generation may involve multiple invocations of a function where each of at least a subset of the invocations of the function results in a key that has a smaller scope of permissible use than a key produced from a previous invocation of the function. Generated keys may be used as signing keys to sign messages. One or more actions may be taken depending on whether a message and/or the manner in which the message was submitted complies with restrictions of the a key'"'"'s use.
73 Citations
29 Claims
-
1. A computer-implemented method for providing services, comprising:
under the control of one or more computer systems configured with executable instructions, receiving, from an authenticating party, electronic information encoding a message, a signature for the message, and a set of one or more restrictions on keys derived from a secret credential shared with the authenticating party, the signature being determinable by applying a hash-based message authentication code function to the message, the secret credential, and the set of one or more restrictions, but also being undeterminable having only the hash-based message authentication code function but without having the set of one or more restrictions; obtaining a key generated at least in part using at least a subset of the set of one or more restrictions; calculating, by the one or more computer systems, a value of a hash-based message authentication code function by at least inputting into the hash-based message authentication code function; first input based at least in part on the obtained key; and second input based at least in part on the set of one or more restrictions; determining, by the one or more computer systems and based at least in part on the calculated value, whether the signature is valid; and providing access to one or more computing resources when determined that the signature is valid. - View Dependent Claims (2, 3, 4, 5, 6)
-
7. A computer-implemented method for providing services, comprising:
under the control of one or more computer systems configured with executable instructions, obtaining electronic information encoding (i) a message, (ii) a first signature for the message, and (iii) a set of one or more parameters, the first signature having been generated based at least in part on (i) the message, (ii) a secret credential, and (iii) the set of one or more parameters, the first signature further being undeterminable having only the message and the secret credential but without the set of one or more parameters; deriving a second credential based at least in part on the secret credential and at least a subset of the set of one or more parameters; generating, based at least in part on the derived second credential, a second signature; determining whether the first signature matches the second signature; and providing access to one or more computing resources when the generated second signature matches the first signature. - View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
-
16. A non-transitory computer-readable storage medium having stored thereon instructions that, when executed by a computer system, cause the computer system to at least:
-
obtain an intermediate key that is derived from at least a secret credential and one or more parameters for use of the intermediate key; apply, based at least in part on the obtained intermediate key, at least a portion of a signature generation process that results in a signature for a message, the signature generation process configured such that the signature is undeterminable, by the signature generation process, to a computing device having the message, the secret credential, and the signature but lacking the one or more restrictions; and provide the message, the signature, and the one or more parameters to another computer system that is configured to analyze, based at least in part on the one or more parameters and the message, the signature to determine whether the signature is valid. - View Dependent Claims (17, 18, 19, 20, 21)
-
-
22. A computer system, comprising:
-
one or more processors; and memory including instructions that, when executed by one or more processors of a computer system, cause the computer system to at least; receive one or more electronic communications that collectively encode a message, a signature for the message, and one or more parameters, the signature being generated based at least in part on the secret credential and the one or more parameters; analyze, based at least in part on the one or more parameters, an intermediate credential derived from at least a portion of the one or more parameters and the secret credential, but without the secret credential, the message and signature to determine whether the signature is valid; and take one or more actions contingent on determining that the signature is valid. - View Dependent Claims (23, 24, 25, 26, 27, 28, 29)
-
Specification