DELAYED DATA ACCESS

US 20140229739A1
Filed: 02/12/2013
Published: 08/14/2014
Est. Priority Date: 02/12/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

under the control of one or more computer systems configured with executable instructions,receiving, to a service of a computing resource provider, a request to decrypt ciphertext using a key specified by the request, the request satisfying a set of one or more conditions sufficient for the request to be fulfilled;

at a time during which the request is pending, transmitting one or more notifications of the request to one or more computer systems of a customer corresponding to the key;

enabling the request to be aborted during pendency of the request;

decrypting the ciphertext to obtain plaintext; and

providing the plaintext as a result of at least a predetermined amount of time having passed and the request not having been aborted.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system uses information submitted in connection with a request to determine if and how to process the request. The information may be electronically signed by a requestor using a key such that the system processing the request can verify that the requestor has the key and that the information is authentic. The information may include information that identifies a holder of a key needed for processing the request, where the holder of the key can be the system or another, possibly third party, system. Requests to decrypt data may be processed to ensure that a certain amount of time passes before access to the decrypted data is provided, thereby providing an opportunity to cancel such requests and/or otherwise mitigate potential security breaches.

247 Citations

31 Claims

1. A computer-implemented method, comprising:
- under the control of one or more computer systems configured with executable instructions,receiving, to a service of a computing resource provider, a request to decrypt ciphertext using a key specified by the request, the request satisfying a set of one or more conditions sufficient for the request to be fulfilled;
  
  at a time during which the request is pending, transmitting one or more notifications of the request to one or more computer systems of a customer corresponding to the key;
  
  enabling the request to be aborted during pendency of the request;
  
  decrypting the ciphertext to obtain plaintext; and
  
  providing the plaintext as a result of at least a predetermined amount of time having passed and the request not having been aborted.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, wherein the predetermined time is configurable by the customer.
  - 3. The computer-implemented method of claim 1, wherein transmitting the one or more notifications includes sending an electronic message to one or more individuals designated to receive notifications.
  - 4. The computer-implemented method of claim 1, wherein satisfaction of one or more conditions sufficient for aborting the request are insufficient for the request to be fulfilled.
  - 5. The computer-implemented method of claim 1, further comprising, as a result of the request, performing additional audit functions in connection with the ciphertext.
  - 6. The computer-implemented method of claim 1, wherein:
    - providing the plaintext includes enforcing a delay in providing the plaintext; and
      
      transmitting the one or more notifications and enforcing the delay is performed as a result of a configuration of a policy corresponding to the key.

7. A computer-implemented method, comprising:
- under the control of one or more computer systems configured with executable instructions,receiving an authenticated request to access plaintext, the fulfillment of which requiring one or more cryptographic operations;
  
  processing the request such that a preprogrammed delay is required before a response to the request corresponding to fulfillment of the request is provided; and
  
  providing a response to the request after the delay.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The computer-implemented method of claim 7, wherein the one or more cryptographic operations include decryption of ciphertext.
  - 9. The computer-implemented method of claim 7, wherein the one or more cryptographic operations include generating an electronic signature.
  - 10. The computer-implemented method of claim 7, wherein the predetermined delay is required as a result of a policy corresponding to a key for decrypting ciphertext.
  - 11. The computer-implemented method of claim 7, further comprising sending one or more notifications of the request to one or more entities with authority to abort the request.
  - 12. The computer-implemented method of claim 11, further comprising enabling an ability to abort the request during the delay.
  - 13. The computer-implemented method of claim 7, wherein the request being authenticated is sufficient to cause the response to be provided unless the request is aborted.
  - 14. The computer-implemented method of claim 7, further comprising causing increased auditing as a result of the request.

15. A computer system, comprising:
- one or more processors; and
  
  memory including instructions that, when executed by the one or more processors, cause the computer system to;
  
  detect a trigger in connection with an authenticated request, from a requestor, to access data, where accessing the data requires the performance of one or more cryptographic operations; and
  
  as a result of detecting the trigger, cause a preprogrammed amount of time to pass before the data is accessible to the requestor, the request being abortable by an entity different from the requestor during passage of the amount of time.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-system of claim 15, wherein:
    - the system further comprises a messaging subsystem; and
      
      the instructions further cause the computer system to cause the messaging subsystem to transmit a notification of the request.
  - 17. The computer-system of claim 15, wherein the trigger is a policy on a key required for the one or more cryptographic operations.
  - 18. The computer-system of claim 15, wherein:
    - the computer system is hosted by a computing resource provider; and
      
      the request is received by the computing resource provider from a customer of the computing resource provider.
  - 19. The computer-system of claim 18, wherein the predetermined amount of time is configurable by the customer.
  - 20. The computer-system of claim 15, wherein the instructions further cause the computer system to perform the one or more cryptographic operations.

21. One or more computer-readable media having collectively stored thereon instructions that, when executed by one or more processors of a computer system, cause the computer system to:
- detect a trigger in connection with an authenticated request, from a requestor, to access data, where accessing the data requires the performance of one or more cryptographic operations; and
  
  as a result of detecting the trigger, cause the request to be abortable by an entity different from the requestor, for an amount of time.
- View Dependent Claims (22, 23, 24, 25, 26, 27)
- - 22. The one or more computer-readable storage media of claim 21, wherein the amount of time is a predetermined amount of time.
  - 23. The one or more computer-readable storage media of claim 21, wherein the instructions further cause the computer system to cause transmission of one or more notifications of the request to another computer system.
  - 24. The one or more computer-readable storage media of claim 21, wherein:
    - the one or more cryptographic operations use a key; and
      
      the trigger is a policy for the key requiring the request to be cancellable for the amount of time.
  - 25. The one or more computer-readable storage media of claim 21, wherein:
    - validity of the request requires satisfaction of one or more conditions; and
      
      cancellation of the request is possible with at least one of the one or more conditions unsatisfied.
  - 26. The one or more computer-readable storage media of claim 21, wherein the instructions further cause the system to notify one or more individuals specified for receiving notifications of requests to access the data.
  - 27. The one or more computer-readable storage media of claim 21, wherein the request to access the data is a request to decrypt ciphertext using a key specified by the request.

28. A system, comprising:
- one or more processors; and
  
  memory including instructions that, when executed by the one or more processors, cause the system to;
  
  receive a request for a policy to be effective at a time indicated by the request;
  
  determine, based at least in part on the indicated time, whether fulfillment of the request complies with a currently effective policy;
  
  at a time between receipt of the request and the indicated time, enable another request to be received to abort the request.
- View Dependent Claims (29, 30, 31)
- - 29. The system of claim 28, wherein the request is to change one or more conditions required to be satisfied for access to data.
  - 30. The system of claim 28, wherein the policy corresponds to a key managed by a cryptography service and indicates one or more conditions required to be satisfied for the cryptography service to perform one or more cryptographic operations.
  - 31. The system of claim 28, wherein the instructions further cause the system to, as a result of receiving the request, transmit one or more notifications to one or more entities each with authority to abort the request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Wren, Matthew James, Brandwine, Eric Jason, Pratt, Brian Irl

Granted Patent

US 10,210,341 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/189
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2137   Time limited access, e.g. t...

H04L 63/0442   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 9/088   Usage controlling of secret...

DELAYED DATA ACCESS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

247 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

DELAYED DATA ACCESS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

247 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links