Key derivation techniques
Abstract
Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information that, as a result of being used to generate the keys, renders the generated keys usable for a smaller scope of uses than the secret credential. Further, key generation may involve multiple invocations of a function where each of at least a subset of the invocations of the function results in a key that has a smaller scope of permissible use than a key produced from a previous invocation of the function. Generated keys may be used as signing keys to sign messages. One or more actions may be taken depending on whether a message and/or the manner in which the message was submitted complies with restrictions of a key's use.
29 Claims
1. A computer-implemented method of authentication for providing access to one or more computing resources of a computing resource provider, the one or more computing resources of the computing resource provider being part of a logical grouping of computing resources in a key zone of a plurality of key zones, the method comprising:
   under the control of one or more computer systems configured with executable instructions,
   receiving, by the one or more computer systems, a message and a signature of the message from an authenticating party;
   generating, by the one or more computer systems and based at least in part on the received message, an expected signature by at least invoking a hash-based message authentication code function multiple times such that:
      at least one invocation of the hash-based message authentication code function involves an input to the hash-based message authentication code function that is based at least in part on a secret credential shared with the authenticating party, the secret credential being received from a central key authority and corresponding to the key zone; and
      at least another invocation of the hash-based message authentication code function involves a result from a previous invocation of the hash-based message authentication code function as an input to the hash-based message authentication code function;
   determining, by the one or more computer systems, whether the received signature matches the expected signature; and
   taking, by the one or more computer systems, when determined that the received signature matches the expected signature, one or more actions for which authentication of the received message is required.
   Dependent claims: 2, 3, 4, 5, 6, 7.
8. A computer-implemented method of authenticating access to one or more computing resources of a computing resource provider, the one or more computing resources of the computing resource provider being part of a logical grouping of computing resources in a key zone of a plurality of key zones, comprising:
   under the control of one or more computer systems configured with executable instructions,
   generating, by the one or more computer systems and based at least in part on a received message, an expected signature by at least performing multiple invocations of a set of one or more functions such that at least one invocation involves a result from a first function from the set of one or more functions as an input to a second function of the set of one or more functions, the result being based at least in part on a secret credential shared with the authenticating party, the second credential being obtained from a central key authority and being associated with the key zone;
   determining, by the one or more computer systems, whether a signature received in connection with the message matches the expected signature; and
   taking, by the one or more computer systems, when determined that the received signature matches the expected signature, one or more actions for which authentication of the received message is required.
   Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16, 17.
18. A computer system for authentication, comprising:
   one or more processors; and
   memory including instructions executable by the one or more processors to cause the computer system to at least:
      obtain a result of an algorithm used to process at least a first input based at least in part on a credential shared with an authenticating party, the secret credential corresponding to a grouping of computing resources in a key zone of a plurality of key zones;
      apply the algorithm to input based at least in part on the obtained result and input based at least in part on information from an authenticating party to generate a second result;
      determine whether the second result matches a received signature from the authenticating party; and
      take one or more actions as a result of determining that the second result matches the received signature.
   Dependent claims: 19, 20, 21, 22, 23.
24. A non-transitory computer-readable storage medium having stored thereon instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
   obtain a signing key that is based at least in part on multiple inputs for a process involving one or more invocations of a function, at least one input of the multiple inputs being based at least in part on a secret credential shared with an authenticator computing device, the secret credential corresponding to one or more computing resources of a key zone of a plurality of key zones;
   generate a signature for a message by at least inputting the obtained signing key into the function; and
   submit the generated signature to the authenticator computing device in connection with the message to enable the authenticator computing device to determine, based at least in part on the shared credential, whether the signature is authentic and take one or more actions when the signature is determined to be authentic.
   Dependent claims: 25, 26, 27, 28, 29.
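The scheme the abstract and the independent claims describe, as an added example that is not the patent's own code: a shared secret credential feeds the first HMAC invocation, each later invocation keys on the previous result, and the authenticator recomputes the expected signature from the per-zone secret it holds. The scope labels (date, key zone, service), their order, and the zone secrets are assumptions constructed for the example; the page only states that each invocation narrows the key's permissible use.

```python
import hmac
import hashlib

# Constructed example (not the patent's own code) of the chained-HMAC scheme
# described in the abstract and claims. The scope labels and their order are
# assumptions; the page only says each invocation narrows permissible use.

def derive_signing_key(secret: bytes, date: str, key_zone: str, service: str) -> bytes:
    """First invocation keys on the shared secret credential; each later
    invocation keys on the previous result, mixing in one more scope label."""
    k_date = hmac.new(secret, date.encode(), hashlib.sha256).digest()
    k_zone = hmac.new(k_date, key_zone.encode(), hashlib.sha256).digest()
    k_service = hmac.new(k_zone, service.encode(), hashlib.sha256).digest()
    return k_service

def sign_message(signing_key: bytes, message: bytes) -> str:
    """Authenticating party: one more HMAC invocation with the scoped key.
    A delegate holding only signing_key cannot sign outside that scope."""
    return hmac.new(signing_key, message, hashlib.sha256).hexdigest()

def verify_signature(zone_secrets: dict, key_zone: str, date: str,
                     service: str, message: bytes, received_sig: str) -> bool:
    """Authenticator: recompute the expected signature from the zone's secret
    (as received from the central key authority) and compare in constant time."""
    secret = zone_secrets.get(key_zone)
    if secret is None:
        return False  # no credential for this key zone: nothing to verify against
    signing_key = derive_signing_key(secret, date, key_zone, service)
    expected = sign_message(signing_key, message)
    return hmac.compare_digest(expected, received_sig)

# Constructed per-zone secrets, standing in for what a central key authority distributes.
ZONE_SECRETS = {"zone-a": b"constructed-secret-for-zone-a",
                "zone-b": b"constructed-secret-for-zone-b"}

def demo() -> dict:
    """Sign once for zone-a/storage, then show which checks accept the signature."""
    msg = b"GET /resource HTTP/1.1"  # constructed message
    key = derive_signing_key(ZONE_SECRETS["zone-a"], "20240101", "zone-a", "storage")
    sig = sign_message(key, msg)
    return {
        "valid": verify_signature(ZONE_SECRETS, "zone-a", "20240101", "storage", msg, sig),
        "wrong_zone": verify_signature(ZONE_SECRETS, "zone-b", "20240101", "storage", msg, sig),
        "wrong_service": verify_signature(ZONE_SECRETS, "zone-a", "20240101", "compute", msg, sig),
        "tampered": verify_signature(ZONE_SECRETS, "zone-a", "20240101", "storage", msg + b"!", sig),
    }
```

Only the "valid" check succeeds: a key derived for one zone and service is useless for any other, which is the narrowing of scope the abstract refers to.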