MULTIPLE AUTHORITY DATA SECURITY AND ACCESS

US 20140380054A1
Filed: 06/20/2013
Published: 12/25/2014
Est. Priority Date: 06/20/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-readable storage medium having stored thereon instructions that, when executed by one or more processors of a computer system of a customer of a computing resource service provider, cause the computer system to:

cause data to be encrypted under a first key;

obtain the first key encrypted based at least in part on a second key and a third key, the customer lacking access to the second key and the computing resource service provider lacking access to the third key, obtaining the first key encrypted based at least in part on the second key and the third key including;

submitting to the computing resource service provider a request to perform one or more cryptographic operations using the second key, the request including information that enables the computing resource provider to select the second key from a plurality of keys managed on behalf of customers of the computing resource service provider; and

causing the data encrypted under the first key to be stored in association with the first key encrypted based at least in part on the second key and the third key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data is encrypted such that multiple keys are needed to decrypt the data. The keys are accessible to different entities so that no single entity has access to all the keys. At least one key is managed by a service provider. A customer computer system of the service provider may be configured with executable instructions directing the orchestration of communications between the various entities having access to the keys. As a result, security compromise in connection with a key does not, by itself, render the data decryptable.

Citations

26 Claims

1. A computer-readable storage medium having stored thereon instructions that, when executed by one or more processors of a computer system of a customer of a computing resource service provider, cause the computer system to:
- cause data to be encrypted under a first key;
  
  obtain the first key encrypted based at least in part on a second key and a third key, the customer lacking access to the second key and the computing resource service provider lacking access to the third key, obtaining the first key encrypted based at least in part on the second key and the third key including;
  
  submitting to the computing resource service provider a request to perform one or more cryptographic operations using the second key, the request including information that enables the computing resource provider to select the second key from a plurality of keys managed on behalf of customers of the computing resource service provider; and
  
  causing the data encrypted under the first key to be stored in association with the first key encrypted based at least in part on the second key and the third key.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, wherein obtaining the first key encrypted based at least in part on the second key and the third key includes:
    - receiving, from the computing resource service provider, the first key encrypted under the second key; and
      
      encrypting the received first key encrypted under the second key.
  - 3. The computer-implemented method of claim 1, wherein obtaining the first key encrypted based at least in part on the second key and the third key includes:
    - receiving, from the computing resource service provider, the first key encrypted under the second key; and
      
      causing a second computing resource service provider to use the third key to encrypt the received first key encrypted under the second key.
  - 4. The computer-implemented method of claim 1, wherein obtaining the first key encrypted based at least in part on the second key and the third key includes:
    - using the third key to encrypt the first key; and
      
      the request provides the encrypted first key.
  - 5. The computer-implemented method of claim 1, wherein:
    - the first key is based at least in part on a first key component and a second key component;
      
      the request provides the first key component for encryption by the computing resource service provider using the second key;
      
      obtaining the first key encrypted based at least in part on a second key includes causing the second key component to be encrypted under the third key.
  - 6. The computer-implemented method of claim 1, wherein causing the data encrypted under the first key to be stored includes transmitting, to a data storage service operated by the computing resource service provider, the data encrypted under the first key and the first key encrypted based at least in part on the second key and the third key.

7. A computer-implemented method, comprising:
- under the control of one or more computer systems configured with executable instructions,obtaining, based at least in part on first information inaccessible to a computing resource service provider and second information inaccessible to a customer of the computing resource service provider, an encrypted first key and data encrypted under the first key by at least;
  
  submitting, to the computing resource service provider a request to perform one or more operations using the second information, the request including information enabling the computing resource service provider to select the second information from other information managed on behalf of other customers of the computing resource service provider; and
  
  causing the data encrypted under the first key and encrypted first key to be persisted so that authorized decryption of the data encrypted under the first key requires use of the first information and second information.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein the first information comprises a second key and the second information comprises a third key.
  - 9. The method of claim 7, wherein:
    - the method further comprises;
      
      transmitting the data encrypted under the first key to a second computing resource service provider that has access to the first information; and
      
      obtaining, from the second computing resource service provider, third information comprising the data encrypted under the first key also encrypted using the first information; and
      
      causing the data encrypted under the first key and encrypted first key to be persisted includes causing the third information and encrypted first key to be stored in a data storage system that lacks access to both the first information and the second information.
  - 10. The method of claim 7, wherein the computing resource service provider lacks access to the first key.
  - 11. The method of claim 7, wherein:
    - the first key is determinable from a plurality of key components comprising a first key component and a second key component; and
      
      the encrypted first key comprises;
      
      the first key component to be encrypted using the first information; and
      
      the second key component to be encrypted using the second information.
  - 12. The method of claim 7, wherein the first information is accessible to the customer.

13. A system, comprising:
- a collection of computing resources collectively configured to;
  
  operate a first service configured to manage, on behalf of a plurality of entities, a plurality of keys;
  
  operate a second service configured to store data without access to the plurality of keys; and
  
  provide, to a client computing device corresponding to an entity of the plurality of entities, executable instructions that cause the client computing device to at least;
  
  submit a request to perform one or more cryptographic operations using a first key, from the plurality of keys, specified by the request;
  
  receive, in response to the request, a result of performance of the one or more cryptographic operations;
  
  generate, based at least in part on the result and a second key inaccessible to the system, information that includes encrypted data, the information configured such that use of at least both the first key and second key is required to decrypt the data; and
  
  transmit the generated information to the storage service.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, wherein:
    - the encrypted data is encrypted with a third key; and
      
      the information includes the third key encrypted based at least in part on the first key and second key.
  - 15. The system of claim 14, wherein the client computing device has access to the third key.
  - 16. The system of claim 13, wherein:
    - the first service and the second service each provide a corresponding web service application programming interface;
      
      the request is received through a web service interface of the first service; and
      
      transmitting the generated information includes submitting a web service call to a web service interface of the second service.
  - 17. The system of claim 13, wherein the system lacks access to the second key.
  - 18. The system of claim 13, wherein the executable instructions are in the form of a scripting language.

19. A computer-readable storage medium having stored thereon instructions that, when executed by one or more processors of a computer system, cause the computer system to:
- obtain, based at least in part on first information inaccessible to a computing resource service provider and second information, an encrypted first key and data encrypted under the first key by at least;
  
  submitting, to the computing resource service provider a request to perform one or more operations using the second information, the request including information enabling the computing resource service provider to select the second information from other information managed on behalf of customers of the computing resource service provider; and
  
  cause the data encrypted under the first key and the encrypted first key to be persistently stored so that authorized access to the data in plaintext form requires use of the first information and second information.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The computer-readable storage medium of claim 19, wherein causing the data encrypted under the first key and the encrypted first key to be persistently stored includes utilizing a data storage service of the computing resource service provider to store at least one of the data encrypted under the first key and the encrypted first key.
  - 21. The computer-readable storage medium of claim 19, wherein the computing resource service provider lacks access to the first key.
  - 22. The computer-readable storage medium of claim 19, wherein obtaining the data encrypted under the first key includes causing a second computing resource service provider to perform one or more operations using the first information.
  - 23. The computer-readable storage medium of claim 19, wherein:
    - the first information is a second key to which the computer system has access; and
      
      obtaining the data encrypted under the first key includes performing one or more operations using the second key.
  - 24. The computer-readable storage medium of claim 19, wherein:
    - the first information is a second key and the second information is a third key; and
      
      both the second key and the third key are used to obtain the data encrypted under the first key.
  - 25. The computer-readable storage medium of claim 19, wherein the executable instructions are configured such that obtaining the encrypted first key and data encrypted under the first key and causing the data encrypted under the first key and the encrypted first key to be persistently stored are performed as a result of an instruction to a file system interface to perform a storage operation.
  - 26. The computer-readable storage medium of claim 19, wherein:
    - the one or more operations include use of a cryptographic algorithm supporting additional authenticated data;
      
      the request includes metadata usable by the computing resource service provider as additional authenticated data, the computing resource service provider being configured to enforce one or more policies based at least in part on the metadata.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Wren, Matthew James

Granted Patent

US 9,407,440 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

G06F 21/6209   to a single file or object,...

H04L 63/0435   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/083   involving central third par...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

MULTIPLE AUTHORITY DATA SECURITY AND ACCESS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

MULTIPLE AUTHORITY DATA SECURITY AND ACCESS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links