FEDERATED KEY MANAGEMENT
First Claim
1. A computer-implemented method, comprising:
- under the control of one or more computer systems configured with executable instructions,receiving, from a requestor, a request to perform a cryptographic operation, the request including information and an electronic signature generated based at least in part on a portion of the information, the electronic signature verifiable with a first key of a set of one or more keys corresponding to a second key;
detecting whether the request specifies a key holder of a plurality of key holders;
as a result of detecting that the request specifies a particular key holder of the plurality of key holders, causing the particular key holder to at least;
determine, based at least in part on the information and the first key, whether the electronic signature is valid;
determine, based at least in part on the information, whether the information satisfies one or more conditions for fulfilling the request;
as a result of the particular key holder determining that the electronic signature is valid and that the information satisfies the one or more conditions, obtaining, from the particular key holder, response information necessary for fulfilling the request, the response information having been generated based at least in part on one or more cryptographic operations performed using the second key; and
using the obtained response information to provide, to the requestor, a response to the request.
1 Assignment
0 Petitions
Accused Products
Abstract
A system uses information submitted in connection with a request to determine if and how to process the request. The information may be electronically signed by a requestor using a key such that the system processing the request can verify that the requestor has the key and that the information is authentic. The information may include information that identifies a holder of a key needed for processing the request, where the holder of the key can be the system or another, possibly third party, system. Requests to decrypt data may be processed to ensure that a certain amount of time passes before access to the decrypted data is provided, thereby providing an opportunity to cancel such requests and/or otherwise mitigate potential security breaches.
68 Citations
25 Claims
-
1. A computer-implemented method, comprising:
under the control of one or more computer systems configured with executable instructions, receiving, from a requestor, a request to perform a cryptographic operation, the request including information and an electronic signature generated based at least in part on a portion of the information, the electronic signature verifiable with a first key of a set of one or more keys corresponding to a second key; detecting whether the request specifies a key holder of a plurality of key holders; as a result of detecting that the request specifies a particular key holder of the plurality of key holders, causing the particular key holder to at least; determine, based at least in part on the information and the first key, whether the electronic signature is valid; determine, based at least in part on the information, whether the information satisfies one or more conditions for fulfilling the request; as a result of the particular key holder determining that the electronic signature is valid and that the information satisfies the one or more conditions, obtaining, from the particular key holder, response information necessary for fulfilling the request, the response information having been generated based at least in part on one or more cryptographic operations performed using the second key; and using the obtained response information to provide, to the requestor, a response to the request. - View Dependent Claims (2, 3, 4, 5, 6)
-
7. A computer-implemented method, comprising:
under the control of one or more computer systems configured with executable instructions, receiving, in connection with a request, information and an electronic signature based at least in part on at least a portion of the information; detecting a holder of the second key, from a plurality of key holders, being specified in the information; as a result of detecting the holder of the second key, causing the holder of the second key to; determine, based at least in part on the portion of the information and a first key that is associated with a second key, whether the electronic signature is valid; and as a result of determining that the signature is valid, perform one or more cryptographic operations using the second key; using one or more results of the one or more cryptographic obtained from the holder of the second key to fulfill the request. - View Dependent Claims (8, 9, 10, 11, 12)
-
13. A system, comprising:
-
one or more processors; and memory including instructions that, when executed by the one or more processors, cause the computer system to; store a set of one or more keys in association with a first key; receive a request that requires use of the first key for fulfillment; and as a result of the first key being held by a third party, cause the third party to; use a second key from the set of one or more keys to determine whether the request should be fulfilled; and as a result of determining that the request should be fulfilled, use the first key to perform one or more cryptographic operations. - View Dependent Claims (14, 15, 16, 17, 18)
-
-
19. One or more computer-readable storage media, having stored thereon instructions that, when executed by one or more processors of a computer system, cause the computer system to:
-
associate a set of one or more keys with a first key; and use a second key from the set of one or more keys to determine whether to enable fulfillment of a request by at least causing a holder of the first key to use the first key in one or more cryptographic operations. - View Dependent Claims (20, 21, 22, 23, 24, 25)
-
Specification