BINDING DIGITALLY SIGNED REQUESTS TO SESSIONS

US 20180026797A1
Filed: 10/02/2017
Published: 01/25/2018
Est. Priority Date: 12/12/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, over an established cryptographically protected communications session, a message and a digital signature;

verifying, based at least in part on the message, a cryptographic key obtained outside of the established cryptographically protected communications session, and the digital signature, whether the message was transmitted over the established cryptographically protected communications session; and

indicating whether the message was transmitted over the established cryptographically protected communications session.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A client establishes an cryptographically protected communications session and determines information usable to distinguish the session from other sessions. The client digitally signs the information using a cryptographic key that is independent of the session to enable a server to check whether the information matches the session that it established and whether the digital signature is correct. The server may perform mitigating operations if either or both of the information or the digital signature is/are invalid.

19 Citations

View as Search Results

20 Claims

1. A computer-implemented method, comprising:
- receiving, over an established cryptographically protected communications session, a message and a digital signature;
  
  verifying, based at least in part on the message, a cryptographic key obtained outside of the established cryptographically protected communications session, and the digital signature, whether the message was transmitted over the established cryptographically protected communications session; and
  
  indicating whether the message was transmitted over the established cryptographically protected communications session.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, wherein the cryptographic key corresponds to a secret negotiated as part of a handshake process to establish the cryptographically protected communications session.
  - 3. The computer-implemented method of claim 1, further comprising performing one or more mitigating actions as a result of failing to verify that the message was transmitted over the established cryptographically protected communications session.
  - 4. The computer-implemented method of claim 1, wherein the cryptographic key is obtained outside of a process for establishing the established cryptographically protected communications session.

5. A system, comprising:
- one or more machine-readable mediums having stored thereon a set of instructions, which if performed by one or more processors, cause the system to at least;
  
  receive, over an established cryptographically protected communications session, a message and a digital signature;
  
  verify, based at least in part on the message, a cryptographic key obtained outside of the established cryptographically protected communications session, and the digital signature, whether the message was transmitted over the established cryptographically protected communications session; and
  
  indicate whether the message was transmitted over the established cryptographically protected communications session.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13)
- - 6. The system of claim 5, wherein verifying the message includes determining whether a digital signature generated using the cryptographic key matches the digital signature.
  - 7. The system of claim 5, wherein the set of instructions further cause the system to determine information specific to the cryptographically protected communications session, the verification being based at least in part on the information specific to the cryptographically protected communications session.
  - 8. The system of claim 7, wherein generating the information specific to the cryptographically protected communications session includes applying the cryptographic key to a parameter used to establish the cryptographically protected communications session.
  - 9. The system of claim 5, the set of instructions further cause the system to generate a value specific to the cryptographically protected communications session, wherein the verification includes comparing a second value, received in association with the message, with the value specific to the cryptographically protected communications session.
  - 10. The system of claim 9, wherein the value specific to the cryptographically protected communications session is generated based at least in part on a secret used to establish the cryptographically protected communications session.
  - 11. The system of claim 5, the set of instructions further cause the system to:
    - based at least in part on verifying that the message was transmitted over the cryptographically protected communications session, generate a response to the message, the response including a digital signature generated using the cryptographic key.
  - 12. The system of claim 5, wherein the verification includes determining whether information resulting from a process for establishing the cryptographically protected communications session matches a parameter associated with the message.
  - 13. The system of claim 5, wherein processing the message is dependent upon successful verification that the message was transmitted over the cryptographically protected communications session.

14. A non-transitory computer-readable storage medium having stored thereon executable instructions that, if executed by one or more processors of a computer system, cause the computer system to at least:
- receive, over an established cryptographically protected communications session, a message and a digital signature;
  
  verify, based at least in part on the message, a cryptographic key obtained outside of the established cryptographically protected communications session, and the digital signature, whether the message was transmitted over the established cryptographically protected communications session; and
  
  indicate whether the message was transmitted over the established cryptographically protected communications session.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The non-transitory computer-readable storage medium of claim 14, wherein establishment of the cryptographically protected communications session includes using a handshake protocol for a cryptographic protocol.
  - 16. The non-transitory computer-readable storage medium of claim 15, wherein the cryptographic key is obtained outside of a handshake process establishing the cryptographically protected communications session.
  - 17. The non-transitory computer-readable storage medium of claim 15, wherein the instructions further comprise instructions that, if executed by the one or more processors, cause the computer system to perform one or more mitigating actions performed based on an indication that the message was received over a different cryptographically protected communications session.
  - 18. The non-transitory computer-readable storage medium of claim 14, wherein the instructions further comprise instructions that, if executed by the one or more processors, cause the computer system to determine information usable to distinguish the established cryptographically protected communications session from a different cryptographically protected communications session.
  - 19. The non-transitory computer-readable storage medium of claim 18, wherein the information usable to distinguish the established cryptographically protected communications session is determined based at least in part on a digital certificate used to establish the cryptographically protected communications session.
  - 20. The non-transitory computer-readable storage medium of claim 18, wherein the verification includes determining whether the information usable to distinguish the established cryptographically protected communications session matches a parameter associated with the message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Behm, Bradley Jeffery, Roth, Gregory Branchek, Rubin, Gregory Alan

Granted Patent

US 10,142,111 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/1466   Active attacks involving in...

H04L 63/166   at the transport layer

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

BINDING DIGITALLY SIGNED REQUESTS TO SESSIONS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

19 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

BINDING DIGITALLY SIGNED REQUESTS TO SESSIONS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links