FEDERATED KEY MANAGEMENT

US 20140229737A1
Filed: 02/12/2013
Published: 08/14/2014
Est. Priority Date: 02/12/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

under the control of one or more computer systems configured with executable instructions,receiving, from a requestor, a request to perform a cryptographic operation, the request including information and an electronic signature generated based at least in part on a portion of the information, the electronic signature verifiable with a first key of a set of one or more keys corresponding to a second key;

detecting whether the request specifies a key holder of a plurality of key holders;

as a result of detecting that the request specifies a particular key holder of the plurality of key holders, causing the particular key holder to at least;

determine, based at least in part on the information and the first key, whether the electronic signature is valid;

determine, based at least in part on the information, whether the information satisfies one or more conditions for fulfilling the request;

as a result of the particular key holder determining that the electronic signature is valid and that the information satisfies the one or more conditions, obtaining, from the particular key holder, response information necessary for fulfilling the request, the response information having been generated based at least in part on one or more cryptographic operations performed using the second key; and

using the obtained response information to provide, to the requestor, a response to the request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system uses information submitted in connection with a request to determine if and how to process the request. The information may be electronically signed by a requestor using a key such that the system processing the request can verify that the requestor has the key and that the information is authentic. The information may include information that identifies a holder of a key needed for processing the request, where the holder of the key can be the system or another, possibly third party, system. Requests to decrypt data may be processed to ensure that a certain amount of time passes before access to the decrypted data is provided, thereby providing an opportunity to cancel such requests and/or otherwise mitigate potential security breaches.

68 Citations

View as Search Results

25 Claims

1. A computer-implemented method, comprising:
- under the control of one or more computer systems configured with executable instructions,receiving, from a requestor, a request to perform a cryptographic operation, the request including information and an electronic signature generated based at least in part on a portion of the information, the electronic signature verifiable with a first key of a set of one or more keys corresponding to a second key;
  
  detecting whether the request specifies a key holder of a plurality of key holders;
  
  as a result of detecting that the request specifies a particular key holder of the plurality of key holders, causing the particular key holder to at least;
  
  determine, based at least in part on the information and the first key, whether the electronic signature is valid;
  
  determine, based at least in part on the information, whether the information satisfies one or more conditions for fulfilling the request;
  
  as a result of the particular key holder determining that the electronic signature is valid and that the information satisfies the one or more conditions, obtaining, from the particular key holder, response information necessary for fulfilling the request, the response information having been generated based at least in part on one or more cryptographic operations performed using the second key; and
  
  using the obtained response information to provide, to the requestor, a response to the request.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, wherein the particular key holder is a computer system hosted by a third party.
  - 3. The computer-implemented method of claim 1, wherein the set of one or more keys corresponding to the second key comprises a plurality of keys, each key of the plurality of keys being usable to verify satisfaction of a condition required for fulfillment of requests.
  - 4. The computer-implemented method of claim 1, further comprising:
    - receiving a second request to perform a cryptographic operation, the second request including second information and a second electronic signature based at least in part on a portion of the second information, the electronic signature verifiable with a third key of a second set of one or more keys corresponding to a fourth key;
      
      determining, based at least in part on the second information and the third key, whether the second electronic signature is valid;
      
      determining, based at least in part on the second information, whether the information satisfies one or more second conditions for fulfilling the second request;
      
      as a result of determining that the second electronic signature is valid and that the second information satisfies the one or more second conditions, using the fourth key to perform one or more cryptographic operations to fulfill the second request.
  - 5. The computer-implemented method of claim 1, wherein the one or more conditions for fulfilling the request are defined by one or more policies corresponding to the second key.
  - 6. The computer-implemented method of claim 1, wherein the second key is inaccessible in plaintext form to the one or more computer systems.

7. A computer-implemented method, comprising:
- under the control of one or more computer systems configured with executable instructions,receiving, in connection with a request, information and an electronic signature based at least in part on at least a portion of the information;
  
  detecting a holder of the second key, from a plurality of key holders, being specified in the information;
  
  as a result of detecting the holder of the second key, causing the holder of the second key to;
  
  determine, based at least in part on the portion of the information and a first key that is associated with a second key, whether the electronic signature is valid; and
  
  as a result of determining that the signature is valid, perform one or more cryptographic operations using the second key;
  
  using one or more results of the one or more cryptographic obtained from the holder of the second key to fulfill the request.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer-implemented method of claim 7, wherein the first key is a member of a set of one or more keys corresponding to the second key, each key of the set of one or more keys usable to verify electronic signatures that are required to be valid for corresponding requests to be fulfilled.
  - 9. The computer-implemented method of claim 7, wherein the holder of the second key is a third party.
  - 10. The computer-implemented method of claim 7, wherein the one or more computer systems lack access to the second key in plaintext form.
  - 11. The computer-implemented method of claim 7, wherein:
    - the information includes one or more values;
      
      the method further comprises determining whether the one of more values satisfy one or more conditions; and
      
      fulfilling the request is dependent on determining that the one or more values satisfy the one or more conditions.
  - 12. The computer-implemented method of claim 7, wherein the holder of the second key is the one or more computer systems.

13. A system, comprising:
- one or more processors; and
  
  memory including instructions that, when executed by the one or more processors, cause the computer system to;
  
  store a set of one or more keys in association with a first key;
  
  receive a request that requires use of the first key for fulfillment; and
  
  as a result of the first key being held by a third party, cause the third party to;
  
  use a second key from the set of one or more keys to determine whether the request should be fulfilled; and
  
  as a result of determining that the request should be fulfilled, use the first key to perform one or more cryptographic operations.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, wherein the holder of the first key is a third party system.
  - 15. The system of claim 13, wherein the set of one or more keys includes a subset of administrative keys, each usable for electronic signature verification required for changing the set of one or more keys.
  - 16. The system of claim 13, wherein the system is hosted by an entity and the entity lacks access to the first key in plaintext form.
  - 17. The system of claim 13, wherein the request specifies the first key.
  - 18. The system of claim 13, wherein using the second key from the set of one or more keys to determine whether the request should be fulfilled includes using the second key to verify an electronic signature submitted in connection with the request.

19. One or more computer-readable storage media, having stored thereon instructions that, when executed by one or more processors of a computer system, cause the computer system to:
- associate a set of one or more keys with a first key; and
  
  use a second key from the set of one or more keys to determine whether to enable fulfillment of a request by at least causing a holder of the first key to use the first key in one or more cryptographic operations.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The one or more computer-readable storage media of claim 19, wherein the holder of the first key is a third party.
  - 21. The one or more computer-readable storage media of claim 19, wherein:
    - the request is submitted in connection with request information;
      
      the instructions further cause the computer system to verify that one or more conditions on the request information are satisfied; and
      
      satisfaction of the one or more conditions are required for enabling fulfillment of the request.
  - 22. The one or more computer-readable storage media of claim 19, wherein:
    - the set of one or more keys includes a subset of administrative keys; and
      
      each administrative key in the subset of administrative keys is usable to determine whether to fulfill a request to change the set of one or more keys.
  - 23. The one or more computer-readable storage media of claim 22, wherein changing the set of one or more keys includes adding or removing a key from the set of one or more keys.
  - 24. The one or more computer-readable storage media of claim 19, wherein the request is submitted in connection with information identifying the holder of the first key.
  - 25. The one or more computer-readable storage media of claim 19, wherein the holder of the first key is the computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Wren, Matthew James, Brandwine, Eric Jason, Pratt, Brian Irl

Granted Patent

US 9,705,674 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/176
CPC Class Codes

H04L 9/0618   Block ciphers, i.e. encrypt...

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/088   Usage controlling of secret...

H04L 9/0891   Revocation or update of sec...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/321   involving a third party or ...

H04L 9/3247   involving digital signatures

FEDERATED KEY MANAGEMENT

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

68 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

FEDERATED KEY MANAGEMENT

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links