Techniques for client constructed sessions

US 9,203,613 B2
Filed: 09/29/2011
Issued: 12/01/2015
Est. Priority Date: 09/29/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for managing access to one or more computing resources of a computing resource provider, the one or more computing resources of the computing resource provider being part of a logical grouping of computing resources in a key zone of a plurality of key zones, the method comprising:

under the control of one or more computer systems configured with executable instructions,obtaining, from a central key authority, a session key corresponding to the key zone, the session key having been generated by at least applying a hash-based message authentication code function to a secret credential and a first set of one or more session parameters;

receiving an electronic request to access one or more computing resources and a signature for the electronic request that was generated based at least in part on the secret credential and a second set of one or more session parameters;

generating, by the one or more computer systems, a reference signature by at least applying the hash-based message authentication code function to at least the electronic request, and the obtained session key; and

providing access to the one or more computing resources, in response to the request, when the generated reference signature is equivalent to the received signature.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information that, as a result of being used to generate the keys, renders the generated keys usable for a smaller scope of uses than the secret credential. Further, key generation may involve multiple invocations of a function where each of at least a subset of the invocations of the function results in a key that has a smaller scope of permissible use than a key produced from a previous invocation of the function. Generated keys may be used as signing keys to sign messages. One or more actions may be taken depending on whether a message and/or the manner in which the message was submitted complies with restrictions of the a key'"'"'s use.

Citations

27 Claims

1. A computer-implemented method for managing access to one or more computing resources of a computing resource provider, the one or more computing resources of the computing resource provider being part of a logical grouping of computing resources in a key zone of a plurality of key zones, the method comprising:
- under the control of one or more computer systems configured with executable instructions,obtaining, from a central key authority, a session key corresponding to the key zone, the session key having been generated by at least applying a hash-based message authentication code function to a secret credential and a first set of one or more session parameters;
  
  receiving an electronic request to access one or more computing resources and a signature for the electronic request that was generated based at least in part on the secret credential and a second set of one or more session parameters;
  
  generating, by the one or more computer systems, a reference signature by at least applying the hash-based message authentication code function to at least the electronic request, and the obtained session key; and
  
  providing access to the one or more computing resources, in response to the request, when the generated reference signature is equivalent to the received signature.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein obtaining the session key includes deriving, based at least in part on the electronic request, the first set of one or more session parameters.
  - 3. The computer-implemented method of claim 1, further comprising determining, by the one or more computer systems, whether the request complies with the first set of one or more parameters and wherein providing the electronically requested access is contingent on determining that the request complies with the first set of one or more parameters.
  - 4. The computer-implemented method of claim 3, wherein at least one of the parameters corresponds to a limit on an amount of time the session key is valid.
  - 5. The computer-implemented method of claim 3, wherein at least one of the parameters corresponds to one or more location-based limits on use of the session key.
  - 6. The computer-implemented method of claim 3, wherein at least one of the parameters corresponds to one or more computing resources with which the session key is usable.
  - 7. The computer-implemented method of claim 1, wherein:
    - the message is received from a message signor computer system that generated the signature from a session key that is based at least in part on the secret credential and that was generated by a computer system different from the one or more computer systems and the message signor computer system.

8. A computer-implemented method for managing access to one or more computing resources of a computing resource provider, the one or more computing resources of the computing resource provider being part of a logical grouping of computing resources in a key zone of a plurality of key zones, comprising:
- under the control of one or more computer systems configured with executable instructions,obtaining a session key, the session key having been generated by at least applying a function to at least a secret credential and a first set of one or more session parameters, the session key being associated with the key zone;
  
  receiving an electronic request to access the one or more computing resources and a signature for the electronic request generated based at least in part on a second set of one or more parameters;
  
  determining, by the one or more computer systems, whether the received signature is valid for the request by at least applying the function to at least the electronic request and the obtained session key, the received signature being determined valid as a result of at least the first set of one or more parameters being equivalent to the second set of one or more parameters; and
  
  providing the electronically requested access when the generated reference signature is equivalent to the received signature.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-implemented method of claim 8, wherein the function is a hash function.
  - 10. The computer-implemented method of claim 9, wherein applying the function includes performing Hash-Based Message Authentication Code (HMAC).
  - 11. The computer-implemented method of claim 8, wherein the signature is determinable by applying the function to both of a first set of inputs comprising the secret credential, the request, and the first set of one or more parameters and a second set of inputs comprising the session key and the first set of one or more parameters.
  - 12. The computer-implemented method of claim 8, further comprising determining, by the one or more computer systems, whether the request complies with the first set of one or more parameters and wherein providing the electronically requested access is contingent on determining that the request complies with the first set of one or more parameters.
  - 13. The computer-implemented method of claim 8, wherein the first set of one or more parameters limit an amount of time the session key is usable for a session.
  - 14. The computer-implemented method of claim 8, wherein the first set of one or more parameters correspond to a set of one or more identities that are allowed to use the session key.

15. A non-transitory computer-readable storage medium having stored thereon instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
- obtain a session key generated at least in part by application of a function to at least a secret credential and a set of one or more session parameters to generate a session key, the session key corresponding to a grouping of one or more computing resources in a key zone of a plurality of key zones;
  
  sign, based at least in part on the obtained session key, electronic requests for access to the one or more computing resources, thereby generating signatures for the request; and
  
  submit at least the signatures and the requests for verification by a verifier computing device configured to determine whether the submitted signatures match corresponding submitted requests and take one or more actions that cause the requests for access to be fulfilled when the submitted signatures match the corresponding submitted requests.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The non-transitory computer-readable storage medium of claim 15, wherein:
    - the verifier lacks the session key, but has the secret credential; and
      
      electronically submitting the signatures and the requests includes submitting the set of one or more parameters.
  - 17. The non-transitory computer-readable storage medium of claim 15, wherein the instructions, when executed by the one or more processors of the computer system, further cause the computer system to:
    - provide the obtained session key and the set of one or more parameters to another computer system to enable the other computer system to sign session requests.
  - 18. The non-transitory computer-readable storage medium of claim 15, wherein obtaining the session key does not require access to the secret credential by the computer system.
  - 19. The non-transitory computer-readable storage medium of claim 15, wherein the set of one or more parameters characterize a time period outside of which the verifier will not accept requests electronically signed with the session key.
  - 20. The non-transitory computer-readable storage medium of claim 15, wherein the function is a hash function.
  - 21. The non-transitory computer-readable storage medium of claim 15, wherein application of the function is performed as part of Hash-Based Message Authentication Code (HMAC).

22. A computer system for providing access to computing resources, comprising:
- one or more processors; and
  
  memory including instructions that, when executed by the one or more processors, cause the computer system to at least;
  
  obtain a key;
  
  apply a function to the key and to a set of one or more parameters to generate a session key, the one or more parameters corresponding to one or more restrictions on the session key, the session key corresponding to one or more computing resources of a key zone of a plurality of key zones; and
  
  provide the generated session key to another computing device to enable the other computing device to sign requests using the session key in accordance with the set of one or more parameters.
- View Dependent Claims (23, 24, 25, 26, 27)
- - 23. The computer system of claim 22, wherein the one or more parameters limit the amount of time the generated session key is usable to sign requests.
  - 24. The computer system of claim 22, wherein the one or more parameters limit a set of computing resources to which the session key can be used to access to the one or more computing resources.
  - 25. The computer system of claim 22, wherein the set of one or more parameters are encoded by a document and wherein applying the function to the key and to the set of one or more parameters includes applying the function to the document.
  - 26. The computer system of claim 22, wherein applying the hash function to the key and to the set of one or more parameters includes calculating a result of applying the hash function to at least a first parameter of the set of one or more parameters and inputting the calculated result into the hash function.
  - 27. The computer system of claim 22, wherein the one or more parameters limit use of the session key to a corresponding location.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory B., Brandwine, Eric Jason, Fitch, Nathan R., Ilac, Cristian M., Crahen, Eric D.
Primary Examiner(s)
TRAN, ELLEN C

Application Number

US13/248,953
Publication Number

US 20130086661A1
Time in Patent Office

1,524 Days
Field of Search

726/7, 713/155, 713/159, 713/168
US Class Current

1/1
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 2221/2137   Time limited access, e.g. t...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 9/083   involving central third par...

H04L 9/0861   Generation of secret inform...

H04L 9/088   Usage controlling of secret...

H04L 9/32   including means for verifyi...

H04L 9/3242   involving keyed hash functi...

H04L 9/3247   involving digital signatures

H04L 9/50   using hash chains, e.g. blo...

Techniques for client constructed sessions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for client constructed sessions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links