Parameter based key derivation

US 9,178,701 B2
Filed: 09/29/2011
Issued: 11/03/2015
Est. Priority Date: 09/29/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for providing access to one or more computing resources of a computing resource provider, the one or more computing resources of the computing resource provider being part of a logical grouping of computing resources in a key zone of a plurality of key zones, the method comprising:

under the control of one or more computer systems configured with executable instructions,receiving, from an authenticating party, electronic information encoding a message, a signature for the message, and a set of one or more restrictions on keys derived from a secret credential shared with the authenticating party, the signature being determinable by applying a hash-based message authentication code function to the message, the secret credential, and the set of one or more restrictions, but also being undeterminable having only the hash-based message authentication code function but without having the set of one or more restrictions;

obtaining, from a central key authority, a key corresponding to the key zone, the key being generated at least in part using at least a subset of the set of one or more restrictions;

calculating, by the one or more computer systems, a value of a hash-based message authentication code function by at least inputting into the hash-based message authentication code function;

first input based at least in part on the obtained key; and

second input based at least in part on the set of one or more restrictions;

determining, by the one or more computer systems and based at least in part on the calculated value, whether the signature is valid; and

providing access to the one or more computing resources when determined that the signature is valid.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information that, as a result of being used to generate the keys, renders the generated keys usable for a smaller scope of uses than the secret credential. Further, key generation may involve multiple invocations of a function where each of at least a subset of the invocations of the function results in a key that has a smaller scope of permissible use than a key produced from a previous invocation of the function. Generated keys may be used as signing keys to sign messages. One or more actions may be taken depending on whether a message and/or the manner in which the message was submitted complies with restrictions of the a key'"'"'s use.

219 Citations

29 Claims

1. A computer-implemented method for providing access to one or more computing resources of a computing resource provider, the one or more computing resources of the computing resource provider being part of a logical grouping of computing resources in a key zone of a plurality of key zones, the method comprising:
- under the control of one or more computer systems configured with executable instructions,receiving, from an authenticating party, electronic information encoding a message, a signature for the message, and a set of one or more restrictions on keys derived from a secret credential shared with the authenticating party, the signature being determinable by applying a hash-based message authentication code function to the message, the secret credential, and the set of one or more restrictions, but also being undeterminable having only the hash-based message authentication code function but without having the set of one or more restrictions;
  
  obtaining, from a central key authority, a key corresponding to the key zone, the key being generated at least in part using at least a subset of the set of one or more restrictions;
  
  calculating, by the one or more computer systems, a value of a hash-based message authentication code function by at least inputting into the hash-based message authentication code function;
  
  first input based at least in part on the obtained key; and
  
  second input based at least in part on the set of one or more restrictions;
  
  determining, by the one or more computer systems and based at least in part on the calculated value, whether the signature is valid; and
  
  providing access to the one or more computing resources when determined that the signature is valid.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, wherein:
    - the message comprises a request for access to the one or more computing resources;
      
      the method further comprises determining whether the set of one or more restrictions indicate that the request should be fulfilled; and
      
      providing access to the one or more computing resources is contingent on determining that providing access is consistent with the set of one or more restrictions.
  - 3. The computer-implemented method of claim 2, wherein the information encoding the set of one or more restrictions is encoded by a document and wherein determining whether the set of restrictions indicate that the request should be fulfilled includes evaluating the document against a context in which the request was received.
  - 4. The computer-implemented method of claim 1, wherein:
    - the message comprises a request to access a computing resource of the one or more computing resources;
      
      the information encoding the set of one or more restrictions includes information specifying the computing resource; and
      
      providing access to the one or more computing resources includes providing access to the computing resource when the computing resource matches the specified computing resource.
  - 5. The computer-implemented method of claim 1, wherein:
    - the information encoding the set of one or more restrictions corresponds to a time period for which the message is valid; and
      
      determining whether the signature is valid is based at least in part on whether the time period corresponds to the key zone of the one or more computing resources.
  - 6. The computer-implemented method of claim 1, wherein:
    - the information encoding the set of one or more restrictions corresponds to a restriction based at least in part on a location; and
      
      determining whether the signature is valid is based at least in part on whether the location corresponds to the key zone of the one or more computing resources.

7. A computer-implemented method for providing access to one or more computing resources of a computing resource provider, the one or more computing resources of the computing resource provider being part of a logical grouping of computing resources in a key zone of a plurality of key zones, the method comprising:
- under the control of one or more computer systems configured with executable instructions,obtaining electronic information encoding (i) a message, (ii) a first signature for the message, and (iii) a set of one or more parameters, the first signature having been generated based at least in part on (i) the message, (ii) a secret credential, and (iii) the set of one or more parameters, the first signature further being undeterminable having only the message and the secret credential but without the set of one or more parameters;
  
  deriving a second credential based at least in part on the secret credential and at least a subset of the set of one or more parameters, the second credential being obtained from a central key authority and being associated with the key zone;
  
  generating, based at least in part on the derived second credential, a second signature;
  
  determining whether the first signature matches the second signature; and
  
  providing access to the one or more computing resources when the generated second signature matches the first signature.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. The computer-implemented method of claim 7, wherein deriving the second credential includes inputting, into a function, the secret credential and the at least a subset of the set of one or more parameters.
  - 9. The computer-implemented method of claim 8, wherein the function is a symmetric message authentication function.
  - 10. The computer-implemented method of claim 9, wherein the symmetric message authentication function is a hash function.
  - 11. The computer-implemented method of claim 9, wherein inputting, into the function, the secret credential and the at least a subset of the one or more parameters is performed as part of Hash-Based Message Authentication Code (HMAC).
  - 12. The computer-implemented method of claim 8, wherein generating the second signature includes inputting to the function both an output of the function and a parameter from the set of one or more parameters.
  - 13. The computer-implemented method of claim 7, wherein the information encoding the one or more parameters comprises an electronic document encoding the set of one or more parameters.
  - 14. The computer-implemented me hod of claim 8, wherein:
    - generating the second signature is based at least in part on a key;
      
      the set of one or more parameters include one or more restrictions on use of the key; and
      
      providing access to the one or more computing resources is performed in accordance with the one or more restrictions.
  - 15. The computer-implemented method of claim 14, wherein the key is based at least in part on a result of inputting the secret credential into a function.

16. A non-transitory computer-readable storage medium having stored thereon instructions that, when executed by a computer system, cause the computer system to at least:
- obtain an intermediate key that is derived from at least a secret credential and one or more parameters for use of the intermediate key, the secret credential being obtained from a central key authority and corresponding to a grouping of computing resources in a key zone of a plurality of key zones;
  
  apply, based at least in part on the obtained intermediate key, at least a portion of a signature generation process that results in a signature for a message, the signature generation process configured such that the signature is undeterminable, by the signature generation process, to a computing device having the message, the secret credential, and the signature but lacking the one or more restrictions; and
  
  provide the message, the signature, and the one or more parameters to another computer system for access to at least a portion of the computing resources, the providing enabling analysis, based at least in part on the one or more parameters and the message, of the signature to determine whether the signature is valid.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The non-transitory computer-readable storage medium of claim 16, wherein the one or more parameters encode one or more restrictions on use of the intermediate key that are enforced, at least in part, by said another computer system.
  - 18. The non-transitory computer-readable storage medium of claim 16, wherein the one or more restrictions correspond to at least one of a time period within which the intermediate key is usable, a location in which the intermediate key is usable, and one or more services for which the intermediate key is usable to gain access.
  - 19. The non-transitory computer-readable storage medium of claim 16, wherein the instructions, when executed by the computer system, enable the computer system to generate the signature without the computer system having access to the secret credential.
  - 20. The non-transitory computer-readable storage medium of claim 19, wherein, having the set of one or more parameters, the signature is determinable by the signature generation process using either the shared secret credential or the intermediate key.
  - 21. The non-transitory computer-readable storage medium of claim 19, wherein obtaining the intermediate key includes performing an algorithm wherein at least one output of a hash function is input, with at least one of the parameters, into the hash function.

22. A computer system, comprising:
- one or more processors; and
  
  memory including instructions that, when executed by the one or more processors of the computer system, cause the computer system to at least;
  
  receive one or more electronic communications that collectively encode a message, a signature for the message, and one or more parameters, the signature being generated based at least in part on a secret credential and the one or more parameters;
  
  analyze, based at least in part on the one or more parameters, an intermediate credential derived from at least a portion of the one or more parameters and the secret credential, the message and signature to determine whether the signature is valid, the secret credential being obtained from a central key authority and corresponding to one or more computing resources of a key zone of a plurality of key zones; and
  
  take one or more actions contingent on determining that the signature is valid.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29)
- - 23. The computer system of claim 22, wherein:
    - the memory and one or more processors are part of a first server system in a first geographic location;
      
      the computer system comprises a second server system in a second geographic location, the second server system being configured to generate, based at least in part on the secret credential, a different signature;
      
      the first server system and second server system both lack the secret credential;
      
      analyzing the message and signature includes inputting into a function the at least a portion of the one or more parameters and the intermediate credential; and
      
      the first server system and second server system each lack information from which a same signature could be generated, using the function, from the message.
  - 24. The computer system of claim 22, wherein:
    - the computer system corresponds to a service; and
      
      the one or more actions include providing access to the service.
  - 25. The computer system of claim 24, wherein the one or more parameters limit use of the intermediate credential to use in accessing the service.
  - 26. The computer system of claim 22, wherein:
    - analyzing the message and signature includes applying a hash function to the intermediate credential;
      
      the one or more parameters include multiple restrictions on use of the intermediate credential; and
      
      wherein the computer system is configured to enforce the restrictions.
  - 27. The computer system of claim 22, wherein:
    - analyzing the message and signature includes applying a hash function to a key that is derived from the secret credential; and
      
      the instructions, when executed by the one or more processors of the computer system, cause the computer system to further receive the derived key from a key authority computer system.
  - 28. The computer system of claim 27, wherein the instructions that cause the computer system to further receive the derived key from the key authority computer system cause the computer system to receive the derived key from the key authority computer system prior to receipt of the message.
  - 29. The computer system of claim 22, wherein the intermediate credential is determined by another computer system different from the computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory B., Behm, Bradley Jeffery, Crahen, Eric D., Ilac, Cristian M., Fitch, Nathan R., Brandwine, Eric Jason, O'Neill, Kevin Ross
Primary Examiner(s)
TRAN, ELLEN C

Application Number

US13/248,962
Publication Number

US 20130086662A1
Time in Patent Office

1,496 Days
Field of Search

726/7, 713/155, 713/159, 713/168
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2115   Third party

H04L 2463/061   applying further key deriva...

H04L 63/08   for authentication of entit...

H04L 9/083   involving central third par...

H04L 9/088   Usage controlling of secret...

H04L 9/0891   Revocation or update of sec...

H04L 9/3247   involving digital signatures

H04L 9/50   using hash chains, e.g. blo...

Parameter based key derivation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

219 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Parameter based key derivation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

219 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links