Encryption key management

US 8,539,231 B1
Filed: 08/14/2012
Issued: 09/17/2013
Est. Priority Date: 02/17/2009
Status: Active Grant

First Claim

Patent Images

1. A method of performing secure operations, comprising:

receiving, at a computing device, a request to perform a secure operation, the request identifying a secure identifier; and

selecting, based at least in part on the secure identifier and whether the request includes a version number, a secure object to be used in performing the secure operation, the secure object being identified by the secure identifier, being configured to be associated with a particular version number, and being selected such that;

as a result of the request including the particular version number, selecting the secure object is further based at least in part on the particular version number; and

as a result of the request not including any version number, selecting the secure object includes selecting a default secure object based at least in part on the secure identifier identifying the secure object.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure information is managed for each host or machine in an electronic environment using a series of key identifiers that each represent one or more secure keys, passwords, or other secure information. Applications and services needing access to the secure information can specify the key identifier, for example, and the secure information currently associated with that identifier can be determined without any change to the code or manual input or exposure of the secure information on the respective device. Functionality such as encryption key management and rotation are inaccessible and transparent to the user. In a networked or distributed environment, the key identifiers can be associated with host classes such that at startup any host in a class can obtain the necessary secure information. Updates and key rotation can be performed in a similar fashion by pushing updates to host classes transparent to a user, application, or service.

10 Citations

View as Search Results

24 Claims

1. A method of performing secure operations, comprising:
- receiving, at a computing device, a request to perform a secure operation, the request identifying a secure identifier; and
  
  selecting, based at least in part on the secure identifier and whether the request includes a version number, a secure object to be used in performing the secure operation, the secure object being identified by the secure identifier, being configured to be associated with a particular version number, and being selected such that;
  
  as a result of the request including the particular version number, selecting the secure object is further based at least in part on the particular version number; and
  
  as a result of the request not including any version number, selecting the secure object includes selecting a default secure object based at least in part on the secure identifier identifying the secure object.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising performing the secure operation using at least the selected secure object.
  - 3. The method of claim 1, wherein the one or more secure objects are usable for performing at least two different secure operations.
  - 4. The method of claim 1, wherein the association between the one or more secure objects and the one or more secure identifiers and the association between the one or more secure objects and the one or more version numbers, if any, are changeable.
  - 5. The method of claim 1, wherein an entity sending the request to perform the secure operation is unaware of a change, if any, to the secure object used in performing the secure operation.
  - 6. The method of claim 1, wherein the secure operation is at least one of encoding, decoding, securely storing, digitally signing, or providing secure access to at least one of a resource or content.

7. A computer system for performing secure operations, comprising:
- one or more processors; and
  
  memory, including executable instructions that, when executed by the one or more processors, cause the one or more processors to collectively at least;
  
  receive a request to perform a secure operation, the request specifying a first identifier; and
  
  select, based at least in part on the first identifier and whether the request includes a second identifier, a secure object from one or more secure objects to be used in performing the secure operation, the secure object being identified by the first identifier, being configured to be associated with a particular second identifier, and being selected such that;
  
  as a result of the request including the particular second identifier, selecting the secure object is further based at least in part on the particular second identifier; and
  
  as a result of the request not including any second identifier, selecting the secure object includes selecting a default secure object based at least in part on the first identifier identifying the secure object.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The computer system of claim 7, wherein access to at least some of the one or more secure objects is restricted.
  - 9. The computer system of claim 7, wherein the instructions further cause the one or more processors to collectively at least perform the secure operation using at least the selected secure object.
  - 10. The computer system of claim 7, wherein the secure operation includes encoding content and the instructions further cause the one or more processors to collectively at least:
    - encode the content using at least the selected secure object; and
      
      store information usable for decoding the content as a part of the encoded content.
  - 11. The computer system of claim 10, wherein the information usable for decoding the content identifies at least an encoding or decoding algorithm and the selected secure object.
  - 12. The computer system of claim 10, wherein the instructions further cause the one or more processors to collectively at least automatically re-encode the content using a different secure object.
  - 13. The computer system of claim 12, wherein the different secure object is selected from the one or more secure objects.

14. A method for decoding data, comprising:
- receiving, at a computing device, a request to decode data, the data including information usable for decoding the data, the information including at least a secure identifier;
  
  selecting, based at least in part on the secure identifier and whether the request includes a version number, a secure object to be used in decoding the data, the secure object being associated with the secure identifier, being configured to be associated with a particular version number, and being selected such that;
  
  as a result of the request including the particular version number, selecting the secure object is further based at least in part on the particular version number;
  
  as a result of the request not including any version number, selecting the secure object includes selecting a default secure object based at least in part on the secure identifier being associated with the secure object; and
  
  decoding the data using at least the selected secure object and the information usable for decoding the data.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The method of claim 14, wherein the information usable for decoding the data includes at least an indication of a data encoding algorithm.
  - 16. The method of claim 14, wherein the information usable for decoding the data includes at least an indication of a data decoding algorithm.
  - 17. The method of claim 14, wherein the information usable for decoding the data is stored as metadata of the data.
  - 18. The method of claim 14, wherein the selected secure object includes a cryptographic key or a password.

19. One or more non-transient computer-readable storage media having collectively stored thereon instructions executable by one or more processors of a computer system that, when executed by the one or more processors, cause the computer system to at least:
- receive a request to perform a secure operation, the request specifying a secure identifier;
  
  select, based at least in part on the secure identifier and whether the request includes a version number, a secure object from a plurality of secure objects to be used in performing the secure operation, the secure object being associated with the secure identifier, being configured to be associated with a particular version number, and being selected such that;
  
  as a result of the request including the particular version number, selecting the secure object is further based at least in part on the particular version number; and
  
  as a result of the request not including any version number, selecting the secure object includes selecting a default secure object based at least in part on the secure identifier being associated with the secure object.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The one or more computer-readable storage media of claim 19, wherein the instructions further cause the computer system to cause performance of the secure operation using at least the selected secure object.
  - 21. The one or more computer-readable storage media of claim 19, wherein the instructions further cause the computer system to update a secure object associated with a secure identifier and/or a version number one or more times in a period of time.
  - 22. The one or more computer-readable storage media of claim 21, wherein the instructions further cause the computer system to perform the secure operation using an updated secure object.
  - 23. The one or more computer-readable storage media of claim 21, wherein the updating of the secure object is performed automatically and transparently to a user of the computer system.
  - 24. The one or more computer-readable storage media of claim 19, wherein the instructions further cause the computer system to provide an application programming interface (API) that enables an entity to send the request, the request including the secure identifier, independent of a user of the entity having knowledge of the secure identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Durgin, Cyrus J., Dave, Pratik S., Martin, Eric J.
Primary Examiner(s)
Zee, Edward

Application Number

US13/585,728
Time in Patent Office

399 Days
Field of Search

726/5, 726/6, 726/19, 713/164, 713/167, 713/189, 713/193, 380/286
US Class Current

713/167
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/604   Tools and structures for ma...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

Encryption key management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

10 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Encryption key management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links