DATA SECURITY WITH A SECURITY MODULE

US 20160283723A1
Filed: 06/03/2016
Published: 09/29/2016
Est. Priority Date: 02/12/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for key management, comprising:

under control of a computer system configured with executable instructions,storing secret information in memory of the computer system;

detecting an event that triggers a transition into an administrative mode in which one or more administrative operations are permitted as a result of transitioning into the administrative mode; and

as a result of detecting the triggering event, rendering inaccessible information necessary to access the secret information in plaintext form.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security module securely manages keys. The security module is usable to implement a cryptography service that includes a request processing component. The request processing component responds to requests by causing the security module to perform cryptographic operations that the request processing component cannot perform due to a lack of access to appropriate keys. The security module may be a member of a group of security modules that securely manage keys. Techniques for passing secret information from one security module to the other prevent unauthorized access to secret information.

Citations

20 Claims

1. A computer-implemented method for key management, comprising:
- under control of a computer system configured with executable instructions,storing secret information in memory of the computer system;
  
  detecting an event that triggers a transition into an administrative mode in which one or more administrative operations are permitted as a result of transitioning into the administrative mode; and
  
  as a result of detecting the triggering event, rendering inaccessible information necessary to access the secret information in plaintext form.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein rendering the information inaccessible includes deleting the information at least in part by executing a confirmable erase operation.
  - 3. The computer-implemented method of claim 1, wherein rendering the information inaccessible is accomplished at least in part by deleting information necessary for obtaining the secret information from volatile memory storage.
  - 4. The computer-implemented method of claim 3, wherein:
    - the information necessary for obtaining the secret information in plaintext form includes a key with which the secret information is encrypted; and
      
      the secret information is persistently stored in a data storage device of the computer system in encrypted form.
  - 5. The computer-implemented method of claim 1, wherein the method further comprises restoring the information necessary to obtain the secret information in plaintext form at a time after leaving the administrative mode.
  - 6. The computer-implemented method of claim 5, wherein the method further comprises:
    - detecting a tamper event indicating intrusion into the computer system; and
      
      as a result of detecting the tamper event, deleting the information needed to obtain the secret information in plaintext form.
  - 7. The computer-implemented method of claim 1, wherein deleting the information needed to obtain the secret information in plaintext form includes deleting the secret information from the memory of the computer system.

8. A computer system, comprising:
- memory comprising;
  
  volatile memory; and
  
  non-volatile memory; and
  
  one or more processors collectively configured with executable instructions that, as a result of being executed by the processor, cause the processor to;
  
  manage secret information stored in the memory such that the secret information is unable to be stored in the non-volatile memory in plaintext form; and
  
  upon detection of a security event, configure the memory such that the secret information is unavailable in plaintext form to the computer system.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The computer system of claim 8, wherein configuring the memory includes removing power to the volatile memory.
  - 10. The computer system of claim 8, wherein configuring the memory includes destroying access to a key used to encrypt the secret information.
  - 11. The computer system of claim 8, wherein:
    - the computer system is hosted by a computing resource provider;
      
      the secret information comprises a plurality of customer keys, each customer key of the plurality of customer keys managed by the computer system on behalf of a corresponding customer of the computing resource provider; and
      
      the executable instructions further cause the processor to use at least some customer keys from the plurality of customer keys to perform one or more cryptographic operations as part of fulfilling requests submitted to another computer system.
  - 12. The computer system of claim 8, wherein the security event is selected from the group consisting of:
    - a reboot event;
      
      a physical-intrusion event;
      
      a physical-movement-of-the-computer-system event;
      
      a request to enter an administrative mode; and
      
      a power-disruption event.
  - 13. The computer system of claim 8, wherein:
    - the one or more processors include;
      
      a first processor connected by a bus to a memory device having at least a portion of the non-volatile memory;
      
      a second processor of a data storage subsystem is configured with an ability to transmit an erase command over the bus; and
      
      configuring the memory includes transmitting the erase command over the bus.

14. A computer system, comprising:
- a plurality of security modules, each security module of the plurality of security modules configured to;
  
  store a set of keys; and
  
  detect a security event and, as a result of detecting the security event, deny itself access to the set of keys; and
  
  a management subsystem configured to;
  
  use a selected security module from the plurality of security modules to respond to requests for performance of cryptographic operations; and
  
  for a particular security module that has denied itself access to the set of keys, obtain and provide, to the particular security module, encrypted information from one or more other security modules that enables the particular security module to regain access to the set of keys.
- View Dependent Claims (15, 16, 17)
- - 15. The computer system of claim 14, wherein:
    - the encrypted information is an encrypted key; and
      
      the particular security module is configured to decrypt the encrypted key and use the decrypted encrypted key to decrypt the set of keys to regain access to the set of keys.
  - 16. The computer system of claim 15, wherein:
    - each security module of the plurality of security modules share a common key that is inaccessible to the management subsystem; and
      
      the management subsystem is further configured to obtain, from a first security module of the plurality of security modules, information encrypted under the common key and provide, to a second security module of the plurality of security modules, the information encrypted under the common key.
  - 17. The computer system of claim 14, wherein the security event is selected from the group consisting of:
    - a reboot-event;
      
      a physical-intrusion event;
      
      a physical-movement-of-the-computer-system-event;
      
      a request to enter an administrative mode; and
      
      a power-disruption event.

18. A non-transitory computer-readable storage medium having stored thereon instructions that, as a result of being executed by a processor of a computer system, cause the computer system to at least:
- store secret information in a memory of the computer system;
  
  detect a transition of the computer system into an administrative mode in which an operator is allowed to access contents of the memory; and
  
  as a result of detecting the transition, cause information necessary to access the secret information in plaintext form to be inaccessible to the computer system.
- View Dependent Claims (19, 20)
- - 19. The non-transitory computer-readable storage medium of claim 18, wherein the computer-readable storage medium encodes the instructions such that they are executable by at least two different processors each having a different internal architecture that implements a compatible instruction set architecture.
  - 20. The non-transitory computer-readable storage medium of claim 18, wherein the information necessary to access the secret information in plaintext form includes a key used to encrypt the secret information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Wren, Matthew James, Brandwine, Eric Jason, Pratt, Brian Irl

Granted Patent

US 11,036,869 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/1416   Event detection, e.g. attac...

H04L 9/0897   involving additional device...

DATA SECURITY WITH A SECURITY MODULE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DATA SECURITY WITH A SECURITY MODULE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links