Distributed encryption key management

US 8,848,922 B1
Filed: 11/26/2012
Issued: 09/30/2014
Est. Priority Date: 02/17/2009
Status: Active Grant

First Claim

Patent Images

1. A system for managing secure objects for a host computer of a plurality of host computers, comprising:

a processor; and

a memory including instructions that, when executed by the processor, cause the processor to;

assign the host computer to a host class, the host class associated with a secure function;

obtain a secure identifier for the host class, the secure identifier being associated with at least one secure object for use in performing the secure function; and

provide information regarding an update to the host computer at least in response to the update, the update identifying a change to the at least one secure object associated with the secure identifier, wherein the secure identifier has a default secure object specified to be used to perform the secure function.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure information is managed for each host or machine in an electronic environment using a series of key identifiers that each represent one or more secure keys, passwords, or other secure information. Applications and services needing access to the secure information can specify the key identifier, for example, and the secure information currently associated with that identifier can be determined without any change to the code or manual input or exposure of the secure information on the respective device. Functionality such as encryption key management and rotation are inaccessible and transparent to the user. In a networked or distributed environment, the key identifiers can be associated with host classes such that at startup any host in a class can obtain the necessary secure information. Updates and key rotation can be performed in a similar fashion by pushing updates to host classes transparent to a user, application, or service.

Citations

25 Claims

1. A system for managing secure objects for a host computer of a plurality of host computers, comprising:
- a processor; and
  
  a memory including instructions that, when executed by the processor, cause the processor to;
  
  assign the host computer to a host class, the host class associated with a secure function;
  
  obtain a secure identifier for the host class, the secure identifier being associated with at least one secure object for use in performing the secure function; and
  
  provide information regarding an update to the host computer at least in response to the update, the update identifying a change to the at least one secure object associated with the secure identifier, wherein the secure identifier has a default secure object specified to be used to perform the secure function.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein the secure function is able to be performed by the host computer assigned to the host class by specifying the secure identifier.
  - 3. The system of claim 2, wherein the secure function is able to be performed independent of a change in the at least one secure object associated with the secure identifier.
  - 4. The system of claim 1, wherein the host computer is able to determine a correct secure object to use to perform the secure function using the secure identifier based at least in part on the default secure object.
  - 5. The system of claim 1, wherein information for the secure identifier associated with the host class is stored to a host class access control list.
  - 6. The system of claim 1, wherein the secure function includes at least one of encrypting, decrypting, re-encrypting, securely storing, or providing secure access to at least one of a resource or content.

7. A non-transitory computer-readable medium storing computer-executable instructions for managing secure objects for a host computer of a plurality of host computers that, when executed by one or more computer systems, configure the one or more computer systems to perform operations comprising:
- receiving a request from the host computer that is assigned to a host class, the host class being associated with a secure function, wherein the secure function includes encrypting or decrypting content or a resource;
  
  obtaining a secure identifier associated with the host class assigned to the host computer from which the request was received, the secure identifier associated with a secure object to be used to perform a secure function;
  
  providing the secure identifier and the secure object to the host computer in response to the request; and
  
  distributing an algorithm to individual members of the host class, wherein individual host computers have access to the algorithm and the respective secure object is configured to encrypt or decrypt the content or the resource.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The non-transitory computer-readable medium of claim 7, wherein the host computer is configured to receive the secure object to perform the secure function based at least in part on the host class to which the host computer belongs.
  - 9. The non-transitory computer-readable medium of claim 7, further comprising updating the secure object with the host computer based at least in part on a change made to the secure object.
  - 10. The non-transitory computer-readable medium of claim 9, wherein updating the secure object includes at least one of addition of a new secure object, deletion of the secure object, a change in a version number of the secure object to be used to perform the secure function, or a change in a current default secure object.
  - 11. The non-transitory computer-readable medium of claim 9, wherein updating the secure object includes at least providing a new secure object for the secure identifier to the host computer of associated with the host class, and further comprising:
    - receiving confirmation from the host computer of the associated host class when the host computer receives the new secure object; and
      
      at a time after receiving the confirmation, providing an activation message indicating that the new secure object is to be used to perform the secure function when a corresponding secure identifier is specified.

12. A system for managing secure objects for a host computer of a plurality of host computers, comprising:
- a processor; and
  
  a memory including instructions that, when executed by the processor, cause the processor to;
  
  assign the host computer to a host class, the host class associated with a secure function;
  
  obtain a secure identifier for the host class, the secure identifier being associated with at least one secure object for use in performing the secure function; and
  
  provide information regarding an update to the host computer at least in response to the update, the update identifying a change to the at least one secure object associated with the secure identifier, wherein the secure identifier has a default secure object specified to be used to perform the secure function.
- View Dependent Claims (13, 14)
- - 13. The system of claim 12, wherein the instructions further cause the processor to assign a secure identifier associated with the host class to the host computer from which a service request was received.
  - 14. The system of claim 13, wherein the secure identifier is assigned at least in response to receiving the service request from the host computer.

15. A computer-implemented method, comprising:
- receiving a request from the host computer that is assigned to a host class, the host class being associated with a secure function;
  
  obtaining a secure identifier associated with the host class assigned to the host computer from which the request was received, the secure identifier associated with a secure object to be used to perform a secure function;
  
  providing the secure identifier and the secure object to the host computer in response to the request; and
  
  updating the secure object with the host computer based at least in part on a change made to the secure object, wherein updating the secure object includes at least one of addition of a new secure object, deletion of the secure object, a change in a version number of the secure object to be used to perform the secure function, or a change in a current default secure object.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer-implemented method of claim 15, further comprising enabling the host computer to perform the secure function based at least in part on the secure identifier associated with the secure function.
  - 17. The computer-implemented method of claim 16, wherein the host computer is capable of performing the secure function independent of the update to the secure object associated with the secure identifier.
  - 18. The computer implemented method of claim 15, wherein information regarding the secure object update is provided to the host computer at least in response to a request for updated information from the host computer.
  - 19. The computer implemented method of claim 15, wherein information regarding the secure object update is provided to the host computer based at least in part on an instruction to automatically push updates to the host computer, the instruction generated at least in response to the update in the secure object associated with the secure identifier.

20. A system for managing secure objects for a host computer of a plurality of host computers, comprising:
- a processor;
  
  a non-transitory computer-readable medium having processor-executable instructions;
  
  means for assigning the host computer to a host class, the host class associated with a secure function;
  
  means for obtaining a secure identifier for the host class, the secure identifier being associated with at least one secure object for use in performing the secure function; and
  
  means for providing information regarding an update to the host computer at least in response to the update, the update identifying a change to the at least one secure object associated with the secure identifier, wherein the secure identifier has a default secure object specified to be used to perform the secure function.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. The system of claim 20, wherein the secure function is able to be performed by the host computer assigned to the host class by specifying the secure identifier.
  - 22. The system of claim 21, wherein the secure function is able to be performed independent of a change in the at least one secure object associated with the secure identifier.
  - 23. The system of claim 20, wherein the host computer is able to determine a correct secure object to use to perform the secure function using the secure identifier based at least in part on the default secure object.
  - 24. The system of claim 20, wherein information for the secure identifier associated with the host class is stored to a host class access control list.
  - 25. The system of claim 20, wherein the secure function includes at least one of encrypting, decrypting, re-encrypting, securely storing, or providing secure access to at least one of a resource or content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Durgin, Cyrus J., Dave, Pratik S., Martin, Eric J.
Primary Examiner(s)
Perungavoor, Venkat

Application Number

US13/685,643
Time in Patent Office

673 Days
Field of Search

None
US Class Current

380/280
CPC Class Codes

G06F 21/6209 to a single file or object,...

G06F 21/6218 to a system of files or obj...

Distributed encryption key management

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed encryption key management

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links