Data security using request-supplied keys
Abstract
Requests are submitted to a request processing entity where the requests include a cryptographic key to be used in fulfilling the request. The request processing entity, upon receipt of the request, extracts the key from the request and uses the key to perform one or more cryptographic operations to fulfill the request. The one or more cryptographic operations may include encryption/decryption of data that is to be/is stored, in encrypted form, by a subsystem of the request processing entity. Upon fulfillment of the request, the request processing entity may perform one or more operations to lose access to the key in the request, thereby losing the ability to use the key.
211 Citations
10 Claims
1. A computer-implemented method, comprising:
under the control of one or more computer systems of a service provider, the one or more computer systems configured with executable instructions,
receiving, from a requestor corresponding to a customer of the service provider, a request whose fulfillment involves performance of one or more cryptographic operations on data provided with the request and use of a cryptographic key that is encrypted by another key and supplied in the request, the service provider lacking access to the cryptographic key for an amount of time until receipt of the request, wherein the cryptographic key is a public key of a public-private key pair for which the service provider lacks access;
causing the request to be fulfilled by using the supplied cryptographic key as part of performing the one or more cryptographic operations on the specified data, wherein:
performing the one or more cryptographic operations includes causing the cryptographic key supplied in the request to be decrypted, thereby resulting in a decrypted supplied cryptographic key, and the one or more cryptographic operations include performance of an asymmetric algorithm using the public key; and
using the decrypted supplied cryptographic key to perform the one or more cryptographic operations;
providing a result of performing the one or more cryptographic operations to a data storage system; and
at a time after performing the one or more cryptographic operations, performing one or more operations that cause the service provider to lose access to the cryptographic key.
2. A computer-implemented method, comprising:
under the control of one or more computer systems of a service provider, the one or more computer systems configured with executable instructions,
receiving, from a requestor corresponding to a customer of the service provider, a request whose fulfillment involves performance of one or more cryptographic operations on data provided with the request and use of a cryptographic key that is encrypted by another key and supplied in the request, the service provider lacking access to the cryptographic key for an amount of time until receipt of the request;
causing the request to be fulfilled by using the supplied cryptographic key as part of performing the one or more cryptographic operations on the specified data, wherein:
performing the one or more cryptographic operations includes causing the cryptographic key supplied in the request to be decrypted, thereby resulting in a decrypted supplied cryptographic key, wherein causing the cryptographic key supplied in the request to be decrypted includes transmitting the cryptographic key to another entity for decryption; and
using the decrypted supplied cryptographic key to perform the one or more cryptographic operations;
providing a result of performing the one or more cryptographic operations to a data storage system; and
at a time after performing the one or more cryptographic operations, performing one or more operations that cause the service provider to lose access to the cryptographic key.
3. A system, comprising:
one or more processors; and
memory including instructions that, when executed by the one or more processors, cause the system to:
receive, from a requestor over a network, a request whose fulfillment involves performance of one or more cryptographic operations on data specified in the request using information that comprises a cryptographic key supplied in the request, wherein the information is usable to authenticate the request, wherein the cryptographic key supplied in the request is a public key, in encrypted form, of a public-private key pair;
as a result of receipt and authenticity of the request, perform the one or more cryptographic operations on the specified data, wherein:
performing the one or more cryptographic operations on the specified data includes decrypting the encrypted public key and encrypting the specified data with a symmetric key; and
using the public key to encrypt the symmetric key; and
provide a result of performing the one or more cryptographic operations.
Dependent claims: 4, 5, 6, 7, 8, 9, 10
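The flow recited in claim 3, sketched in Node.js as an added example (not code from the patent or its assignee): the service decrypts the request-supplied public key, encrypts the data under a fresh symmetric key, wraps that key with the public key, and retains neither. The function names, the choice of AES-256-GCM and RSA-OAEP, and a 32-byte `wrappingKey` available to both requestor and service are assumptions made for illustration.

```javascript
const { generateKeyPairSync, randomBytes, createCipheriv, createDecipheriv,
  createPublicKey, publicEncrypt, privateDecrypt } = require('node:crypto');

// AES-256-GCM helpers; blob layout is nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const nonce = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}
function open(key, blob) {
  const d = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on tamper
}

// Requestor side: the public key travels in the request, encrypted under
// wrappingKey (assumption: a key the service can also use to decrypt it).
function buildRequest(publicKey, wrappingKey, data) {
  const der = publicKey.export({ format: 'der', type: 'spki' });
  return { encryptedPublicKey: seal(wrappingKey, der), data };
}

// Service side: decrypt the supplied public key, encrypt the data with a fresh
// symmetric key, wrap that key with the public key, keep nothing afterwards.
function handlePut(request, wrappingKey) {
  const der = open(wrappingKey, request.encryptedPublicKey);
  const pub = createPublicKey({ key: der, format: 'der', type: 'spki' });
  const dataKey = randomBytes(32);
  try {
    return { // this object is the result handed to storage
      ciphertext: seal(dataKey, request.data),
      wrappedDataKey: publicEncrypt({ key: pub, oaepHash: 'sha256' }, dataKey),
    };
  } finally {
    dataKey.fill(0); // best-effort erase; pub is never persisted
  }
}

// Only the private-key holder can unwrap the data key and read the record.
function recover(stored, privateKey) {
  const dataKey = privateDecrypt({ key: privateKey, oaepHash: 'sha256' }, stored.wrappedDataKey);
  return open(dataKey, stored.ciphertext);
}
function demo() { // constructed sample input
  const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
  const wrappingKey = randomBytes(32);
  const req = buildRequest(publicKey, wrappingKey, Buffer.from('constructed sample record'));
  return recover(handlePut(req, wrappingKey), privateKey).toString();
}
```

Because the data key is wrapped with a public key whose private half the service never sees, the stored object is unreadable to the service once `handlePut` returns; zeroing a `Buffer` does not cover copies the runtime may have made.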
Specification