Automating key rotation in a distributed system

US 8,964,990 B1
Filed: 05/17/2012
Issued: 02/24/2015
Est. Priority Date: 05/17/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for key management, comprising:

generating a key for a plurality of computing resources;

determining a subset of computing resources from the plurality of computing resources to each receive the key, the subset of computing resources using an other key as a preferred key in performance of encryption operations;

electronically transmitting the key to the subset of computing resources as a non-preferred key;

receiving one or more messages from the subset of computing resources confirming receipt of the key, the one or more messages signed with the key; and

at a time after receiving the one or more messages, electronically transmitting to the subset of computing resources a request that the key be marked as preferred allowing the set of computing resources to replace the other key with the key marked as preferred.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A material set, such as an asymmetric keypair, is processed using an associated workflow to prepare the material set for activation and/or use. In one embodiment, a material set is generated and information about the material set is communicated to a workflow manager. Based at least on the information, the workflow manager generates a workflow that when accomplished will allow the material set to be activated and/or used. In another embodiment, a service provider provides a key manager, workflow manager and destination for the key, such as a load balancer that terminates SSL connections. A key can be generated by the key manager, sent through the workflow manager for processing (potentially communicated to third parties such as a certificate authority, if needed) and installed at a destination.

96 Citations

View as Search Results

24 Claims

1. A computer-implemented method for key management, comprising:
- generating a key for a plurality of computing resources;
  
  determining a subset of computing resources from the plurality of computing resources to each receive the key, the subset of computing resources using an other key as a preferred key in performance of encryption operations;
  
  electronically transmitting the key to the subset of computing resources as a non-preferred key;
  
  receiving one or more messages from the subset of computing resources confirming receipt of the key, the one or more messages signed with the key; and
  
  at a time after receiving the one or more messages, electronically transmitting to the subset of computing resources a request that the key be marked as preferred allowing the set of computing resources to replace the other key with the key marked as preferred.
- View Dependent Claims (4, 5, 6, 7)
- - 4. The computer-implemented method of claim 1, wherein the operations of claim 1 are repeated approximately at a regular interval.
  - 5. The computer-implemented method of claim 1, wherein the method further comprises:
    - setting a deadline upon which a workflow should be completed;
      
      sending a warning when a threshold time before the deadline is exceeded and the workflow is not completed; and
      
      providing an interface to configure exceptions to the workflow.
  - 6. The computer-implemented method of claim 5, wherein the method further comprises removing a server from the subset of servers based at least in part on an exception to the workflow and a lack of acknowledgement received from the server.
  - 7. The computer-implemented method of claim 1, further comprising:
    - receiving a selection for a class of the first key;
      
      determining a workflow based on the class of the first key; and
      
      determining a deadline to replace the second key with the first key based at least in part on the workflow, andwherein communicating to the subset of servers that the generated first key be marked as preferred is based at least in part on the deadline.

2. A key management system comprising:
- one or more processors and memory including executable instructions that, when executed by the one or more processors, cause the one or more processors to implement at least;
  
  a key manager that generates and associates a key with a plurality of computing resources and determines that the key is to be distributed to a subset of computing resources from the plurality of computing resources, the subset of computing resources using a second key as a preferred key in performance of encryption operations; and
  
  a key distribution manager that generates a workflow in response to a notification to distribute the key from the key manager, distributes the key to the subset of computing resources as a non-preferred key, receives one or more acknowledgements of receipt of the key from the subset of computing resources, the one or more acknowledgments signed with the key, and requests the subset of computing resources to mark the key as preferred allowing the subset of computing resources to replace the second key with the key marked as preferred.

3. One or more non-transitory computer-readable storage media having collectively stored thereon executable instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
- process a workflow based at least in part on a policy for key rotation, the workflow comprising;
  
  generating a key for a plurality of computing resources;
  
  determining a subset of computing resources from the plurality of computing resources to each receive the key, the subset of computing resources using another key as a preferred key in performance of encryption operations;
  
  communicating the key to the subset of computing resources as a non-preferred key;
  
  receiving an acknowledgement of receipt of the key from the subset of computing resources, the acknowledgement signed with the key; and
  
  communicating to the subset of computing resources that the key be marked as preferred allowing the subset of computing resources to replace uses of the non-preferred key with uses of the key marked as preferred.

8. A computer-implemented method for key management, comprising:
- generating a key for a plurality of computing resources;
  
  determining a subset of computing resources from the plurality of computing resources to each receive the key, the subset of computing resources using an other key as a preferred key in performance of encryption operations;
  
  electronically transmitting the key to the subset of computing resources as a non-preferred key;
  
  receiving one or more messages from the subset of computing resources confirming receipt of the key, the one or more messages signed with the key; and
  
  at a time after receiving the one or more messages, electronically transmitting to the subset of computing resources a request that the key be marked as preferred allowing the set of computing resources to replace the other key with the key marked as preferred.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The computer-implemented method of claim 8, wherein the computing resources are configured to use the key in cryptographic operations in response to the key having been marked as preferred.
  - 10. The computer-implemented method of claim 9, wherein the method further comprises:
    - receiving a request to generate a key from a client, the request causing the key to be generated; and
      
      selecting a set of computing resources associated with a client, the set of computing resources selected from a plurality of resources, at least some of the plurality of resources associated with other clients.
  - 11. The computer-implemented method of claim 8, wherein the method further comprises:
    - triggering a workflow to be created and executed upon a generating of a key; and
      
      wherein at least the electronically transmitting the key, the receiving the one or more messages from the set of computing resources confirming receipt of the key and the electronically transmitting to the set of computing resources a request are components of the workflow.
  - 12. The computer-implemented method of claim 11, wherein the method further comprises updating an access control policy that denies client access to the key.
  - 13. The computer-implemented method of claim 8, wherein the method further comprises:
    - setting a key rotation deadline upon which a new key should become preferred; and
      
      sending a warning when a threshold time before the deadline is exceeded and the new key has yet to be set as preferred by the set of computing resources.

14. A key management system comprising:
- one or more processors and memory including executable instructions that, when executed by the one or more processors, cause the one or more processors to implement at least;
  
  a key manager that generates and associates a key with a plurality of computing resources and determines that the key is to be distributed to a subset of computing resources from the plurality of computing resources, the subset of computing resources using a second key as a preferred key in performance of encryption operations; and
  
  a key distribution manager that generates a workflow in response to a notification to distribute the key from the key manager, distributes the key to the subset of computing resources as a non-preferred key, receives one or more acknowledgements of receipt of the key from the subset of computing resources, the one or more acknowledgments signed with the key, and requests the subset of computing resources to mark the key as preferred allowing the subset of computing resources to replace the second key with the key marked as preferred.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The key management system of claim 14, wherein the key management system further comprises a key generator, the key generator creating the key for use with the workflow.
  - 16. The key management system of claim 15, wherein the key generator triggers generation of the workflow by the key distribution manager upon creating the key.
  - 17. The key management system of claim 14, wherein the key management system further comprises an auditing system, the auditing system providing an audit history of actions performed by the key manager and the key distribution manager.
  - 18. The key management system of claim 14, wherein the key management system further comprises an administrative interface, the administrative interface providing an interface to allow exceptions to the workflow to be received.

19. One or more non-transitory computer-readable storage media having collectively stored thereon executable instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
- process a workflow based at least in part on a policy for key rotation, the workflow comprising;
  
  generating a key for a plurality of computing resources;
  
  determining a subset of computing resources from the plurality of computing resources to each receive the key, the subset of computing resources using another key as a preferred key in performance of encryption operations;
  
  communicating the key to the subset of computing resources as a non-preferred key;
  
  receiving an acknowledgement of receipt of the key from the subset of computing resources, the acknowledgement signed with the key; and
  
  communicating to the subset of computing resources that the key be marked as preferred allowing the subset of computing resources to replace uses of the non-preferred key with uses of the key marked as preferred.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The non-transitory computer-readable storage media of claim 19, wherein processing the workflow further comprises processing the workflow once a period, the period specified in the policy for key rotation.
  - 21. The non-transitory computer-readable storage media of claim 19, wherein the receiving an acknowledgement further comprises verifying the acknowledgement is based at least in part on the key.
  - 22. The non-transitory computer-readable storage media of claim 21, wherein the verifying the acknowledgement is based at least in part on the key further comprises verifying the acknowledgement contains a signature based at least in part on the key.
  - 23. The non-transitory computer-readable storage media of claim 19, wherein the workflow further comprises:
    - setting a deadline upon which the workflow should be completed; and
      
      sending a warning when a threshold time before the deadline is exceeded and the workflow is not completed.
  - 24. The non-transitory computer-readable storage media of claim 23, wherein the workflow further comprises processing an exception to the workflow, the exception allowing the workflow to be processed without an acknowledgement from a computing resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Baer, Graeme D., Hulme, David M., Seidenberg, Benjamin E.
Primary Examiner(s)
Nalven, Andrew
Assistant Examiner(s)
MALINOWSKI, WALTER J

Application Number

US13/474,536
Time in Patent Office

1,013 Days
Field of Search
US Class Current

380/279
CPC Class Codes

H04L 63/06 for supporting key manageme...

H04L 63/062 for key distribution, e.g. ...

Automating key rotation in a distributed system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

96 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Automating key rotation in a distributed system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

96 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links