Revocable shredding of security credentials

US 9,071,429 B1
Filed: 04/29/2013
Issued: 06/30/2015
Est. Priority Date: 04/29/2013
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for managing a cryptographic key, comprising:

storing, in a data store managed by a key management service, a cryptographic key for use in encrypting data for a customer of a service provider associated with the cryptographic key, the key management service being operated in a service provider environment of the service provider;

receiving a suspend request to suspend storage of the cryptographic key by the key management service;

generating a restore key to be associated with the customer;

encrypting the cryptographic key with the restore key;

encrypting at least a portion of metadata associated with the cryptographic key under the restore key to generate encrypted metadata, the at least a portion of metadata being associated with the restore key;

updating the at least a portion of metadata with audit information and retaining a copy of the encrypted metadata at the key management service;

sending, to the customer, the cryptographic key as encrypted under the restore key;

destroying any copy of the cryptographic key stored by the key management service;

receiving a restore request to cause to the key management service to store a copy of the cryptographic key, the restore request including a copy of the cryptographic key as encrypted under the restore key;

comparing at least a copy of metadata received with the restore request with the copy of the encrypted metadata at the key management service;

authorizing the restore request based at least in part on the comparing; and

decrypting the copy of the cryptographic key as encrypted under the restore key using the restore key and storing the copy of the cryptographic key and a copy of the encrypted metadata in the key management service on behalf of the customer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Customers accessing resources and/or data in a multi-tenant environment can obtain assurance that a provider of that environment will honor only requests associated with the customer. A multi-tenant cryptographic service can be used to manage cryptographic key material and/or other security resources in the multi-tenant environment. The cryptographic service can provide a mechanism in which the service can receive requests to use the cryptographic key material to access encrypted customer data, export key material out of the cryptographic service, destroy key material managed by the cryptographic service, among others. Such an approach can enable a customer to manage key material without exposing the key material outside a secure environment.

83 Citations

View as Search Results

22 Claims

1. A computer implemented method for managing a cryptographic key, comprising:
- storing, in a data store managed by a key management service, a cryptographic key for use in encrypting data for a customer of a service provider associated with the cryptographic key, the key management service being operated in a service provider environment of the service provider;
  
  receiving a suspend request to suspend storage of the cryptographic key by the key management service;
  
  generating a restore key to be associated with the customer;
  
  encrypting the cryptographic key with the restore key;
  
  encrypting at least a portion of metadata associated with the cryptographic key under the restore key to generate encrypted metadata, the at least a portion of metadata being associated with the restore key;
  
  updating the at least a portion of metadata with audit information and retaining a copy of the encrypted metadata at the key management service;
  
  sending, to the customer, the cryptographic key as encrypted under the restore key;
  
  destroying any copy of the cryptographic key stored by the key management service;
  
  receiving a restore request to cause to the key management service to store a copy of the cryptographic key, the restore request including a copy of the cryptographic key as encrypted under the restore key;
  
  comparing at least a copy of metadata received with the restore request with the copy of the encrypted metadata at the key management service;
  
  authorizing the restore request based at least in part on the comparing; and
  
  decrypting the copy of the cryptographic key as encrypted under the restore key using the restore key and storing the copy of the cryptographic key and a copy of the encrypted metadata in the key management service on behalf of the customer.
- View Dependent Claims (2)
- - 2. The computer implemented method of claim 1, wherein the audit information indicates at least one of a customer initiating the suspend request or a time of initiating the suspend request.

3. A computer implemented method, comprising:
- storing, on behalf of a customer, a local copy of a secret usable to perform operations in a service provider environment;
  
  receiving a request at a key management service in a service provider environment to suspend storage of the local copy of the secret;
  
  generating a restore key;
  
  encrypting the local copy of the secret with the restore key to generate the secret encrypted under the restore key;
  
  encrypting at least a portion of metadata associated with the secret under the restore key to generate encrypted metadata, the at least a portion of metadata being associated with the restore key;
  
  updating the at least a portion of metadata with audit information and retaining a copy of the encrypted metadata at the key management service;
  
  providing the customer the secret encrypted under the restore key;
  
  retaining the restore key and destroying the local copy of the secret;
  
  in response to a request to store a copy of the secret, the restore request including a copy of the secret encrypted under the restore key, comparing a copy of metadata received with the restore request with the copy of the encrypted metadata;
  
  authorizing the restore request based at least in part on the comparing; and
  
  decrypting the copy of the secret as encrypted under the restore key using the restore key.
- View Dependent Claims (4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 4. The computer implemented method of claim 3, further comprising:
    - making available the local copy of the secret to the customer to perform one or more operations using the local copy of the secret.
  - 5. The computer implemented method of claim 4, wherein the secret is associated with at least one of one or more policies associated with the at least a portion of metadata, an identifier of an account in which the secret is associated with, a name of the secret, history information regarding use of the secret, or audit information associated with the secret.
  - 6. The computer implemented method of claim 3, wherein the secret and the restore key are each cryptographic keys.
  - 7. The computer implemented method of claim 6, wherein each of the cryptographic keys is associated with usage information operable to support one or more cryptographic operations, the one or more cryptographic operations including at least one of an export operation or an import operation.
  - 8. The computer implemented method of claim 3, further comprising:
    - in response to providing the customer a copy of the secret encrypted under the restore key, flagging the local copy of the secret as pending deletion;
      
      destroying any copy of the secret when an acknowledgment of receipt of the secret encrypted under the restore key is received;
      
      orproviding the customer a copy of the secret encrypted under the restore key when a determined amount of time passes before the acknowledgment of receipt is received.
  - 9. The computer implemented method of claim 3, further comprising rotating the restore key, wherein rotating the restore key includes:
    - encrypting the restore key using a second restore key at an expiration of a determined interval of time and providing the customer a copy of the restore key encrypted under the second restore key;
      
      orin response to receiving a copy of the secret encrypted under the restore key, decrypting the secret encrypted under the restore key and encrypting the secret using a second restore key, wherein a copy of the secret encrypted under the second restore key is provided to the customer.
  - 10. The computer implemented method of claim 3, further comprising:
    - encrypting the restore key under a second restore key;
      
      providing a copy of the restore key encrypted under a second key to a second authorized customer, wherein the customer and the second authorized customer are authorized customers of the secret;
      
      receiving a restore request, the restore request including a copy of the secret encrypted under the restore key and a copy of the restore key encrypted under the second key;
      
      restoring the restore key encrypted under the second key using the second key; and
      
      restoring the secret encrypted under the restore key using the restore key.
  - 11. The computer implemented method of claim 4, further comprising:
    - causing a notification to be sent to at least one of each authorized customer of the secret or at least one authorized customer of the secret in response to receiving the restore request.
  - 12. The computer implemented method of claim 11, further comprising:
    - in response to causing the notification to be sent, decrypting the copy of the secret encrypted under the restore key using the restore key at an expiration of a predetermined period of time.
  - 13. The computer implemented method of claim 3, further comprising:
    - splitting the local copy of the secret into at least first information and second information using an information splitting algorithm; and
      
      providing the first information to a first customer and the second information to a second customer,wherein restoring the local copy of the secret includes receiving at least the first information and the second information.

14. A computing system, comprising:
- at least one processor; and
  
  memory including instructions that, when executed by the at least one processor, cause the computing system to;
  
  store, on behalf of a customer, a local copy of a secret usable by a key management service;
  
  receive a request at the key management service to suspend storage of the local copy of the secret;
  
  encrypt the local copy of the secret with information usable to obtain the local copy of the secret;
  
  encrypt at least a portion of metadata associated with the secret under the information to generate encrypted metadata, the at least a portion of metadata being associated with the information;
  
  update the at least a portion of metadata with audit information and retain a copy of the encrypted metadata at the key management service;
  
  provide the customer with one of the encrypted secret or the information usable to reconstruct the local copy of the secret;
  
  destroy at least one copy of the local copy of the secret;
  
  in response to store a copy of the secret, the restore request including a copy of the secret encrypted under the information, comparing a copy of metadata received with the restore request with the copy of the encrypted metadata;
  
  authorizing the restore request based at least in part on the comparing; and
  
  decrypting the copy of the secret key as encrypted under the secret using the restore key.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The computing system of claim 14, wherein the instructions, when executed, further cause the computing system to:
    - make available the local copy of the secret to the customer to perform one or more operations.
  - 16. The computing system of claim 14, wherein the secret includes at least one of one or more policies associated with the at least a portion of metadata, an identifier of an account in which the secret is associated with, a name of the secret, history information regarding usage of the secret, or audit information associated with the secret;
    - andin response to receiving a restore request to store a copy of the secret, the restore request including a copy of the encrypted secret and the encrypted metadata, decrypt the copy of the encrypted secret and the encrypted metadata.
  - 17. The computing system of claim 14, wherein the secret and the information configured to reconstruct the local copy of the secret are cryptographic keys generated by a provider environment, and wherein the information configured to reconstruct the local copy of the secret is configured to perform one of a suspend operation or a restore operation.
  - 18. The computing system of claim 14, further comprising:
    - a key management service within a multi-tenant environment operable to at least store, receive, encrypt, provide, and destroy the secret, anda trusted platform module (TPM) configured to store the secret, wherein the key management service is further operable to obtain exclusive access to the TPM and manage access to the secret stored on the TPM.

19. A non-transitory computer readable storage medium storing one or more sequences of instructions executable by one or more processors to perform a set of operations comprising:
- storing, on behalf of a customer, a local copy of a secret;
  
  receiving a request at a key management service to suspend storage of the local copy of the secret;
  
  encrypting the local copy of the secret with a restore key;
  
  encrypting at least a portion of metadata associated with the secret under the restore key to generate encrypted metadata, the at least a portion of metadata being associated with the restore key;
  
  updating the at least a portion of metadata with audit information and retaining a copy of the encrypted metadata at the key management service;
  
  providing the customer with the restore key;
  
  destroying at least one copy of the local copy of the secret;
  
  in response to a request to store a copy of the secret, the restore request including a copy of the secret encrypted under the restore key, comparing a copy of metadata received with the restore request with the copy of the encrypted metadata;
  
  authorizing the restore request based at least in part on the comparing; and
  
  decrypting the copy of the secret key as encrypted under the secret using the restore key.
- View Dependent Claims (20, 21, 22)
- - 20. The non-transitory computer readable storage medium of claim 19, further comprising instructions executed by the one or more processors to perform the operations of:
    - making available the local copy of the secret to the customer to perform one or more operations.
  - 21. The non-transitory computer readable storage medium of claim 19, further comprising instructions executed by the one or more processors to perform the operations of:
    - in response to providing the customer a copy of the restore key, flagging the local copy of the secret as pending deletion;
      
      destroying at least one copy of the secret when an acknowledgment of receipt of the restore key is received;
      
      orproviding the customer a copy of the restore key when a determined amount of time passes before the acknowledgment of receipt is received.
  - 22. The non-transitory computer readable storage medium of claim 19, wherein storing, receiving, encrypting, providing, and destroying are performed by a key management service within a multi-tenant environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Wren, Matthew James, Brandwine, Eric Jason
Primary Examiner(s)
Revak, Christopher
Assistant Examiner(s)
Savenkov, Vadim

Application Number

US13/873,083
Time in Patent Office

792 Days
Field of Search

713/150, 713/158, 380/286, 726/6, 726/18
US Class Current

1/1
CPC Class Codes

H04L 2463/062   applying encryption of the ...

H04L 63/06   for supporting key manageme...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 9/0822   using key encryption key

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

Revocable shredding of security credentials

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

83 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

Revocable shredding of security credentials

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

83 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others