Supporting a fixed transaction rate with a variably-backed logical cryptographic key

US 9,438,421 B1
Filed: 06/27/2014
Issued: 09/06/2016
Est. Priority Date: 06/27/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

under the control of one or more computer systems that execute instructions,providing an application programming interface through which requests may be submitted to cause performance of cryptographic operations using a cryptographic key associated with a key identifier;

determining an individual cryptographic key usage rate limit;

receiving an application pro ramming interface request specifying a key identifier usage rate associated with the key identifier;

determining, based at least in part on the individual cryptographic key usage rate limit and the key identifier usage rate, a minimum number of cryptographic keys for a set of cryptographic keys associated with the key identifier such that, as the cryptographic operations are distributed among individual cryptographic keys of the set as part of processing requests associated with the key identifier, usage rates corresponding to each individual cryptographic key of the set are at or below the individual cryptographic key usage rate limit; and

causing the set of cryptographic keys to have at least the minimum number of keys determined.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for receiving requests for performing cryptographic operations with a virtual key having a plurality of actual keys associated with the virtual key, determining which actual key of the plurality of actual keys to use for the cryptographic operation, performing the cryptographic operation using the actual key, and providing the result of performing the cryptographic operation.

Citations

27 Claims

1. A computer-implemented method, comprising:
- under the control of one or more computer systems that execute instructions,providing an application programming interface through which requests may be submitted to cause performance of cryptographic operations using a cryptographic key associated with a key identifier;
  
  determining an individual cryptographic key usage rate limit;
  
  receiving an application pro ramming interface request specifying a key identifier usage rate associated with the key identifier;
  
  determining, based at least in part on the individual cryptographic key usage rate limit and the key identifier usage rate, a minimum number of cryptographic keys for a set of cryptographic keys associated with the key identifier such that, as the cryptographic operations are distributed among individual cryptographic keys of the set as part of processing requests associated with the key identifier, usage rates corresponding to each individual cryptographic key of the set are at or below the individual cryptographic key usage rate limit; and
  
  causing the set of cryptographic keys to have at least the minimum number of keys determined.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer-implemented method of claim 1, further comprising:
    - receiving one or more requests for performing cryptographic operations, wherein the one or more requests received specify the key identifier; and
      
      determining the minimum number of cryptographic keys for the set of cryptographic keys associated with the key identifier and causing the set of cryptographic keys to have at least the minimum number are performed as a result of receiving the one or more requests.
  - 3. The computer-implemented method of claim 1, wherein:
    - the individual cryptographic key usage rate limit indicates a maximum rate of cryptographic operations that may be performed by the individual cryptographic keys;
      
      at least a first subset of the cryptographic operations distributed among the individual cryptographic keys are counted against the maximum rate; and
      
      at least a second subset of the cryptographic operations distributed among the individual cryptographic keys are not counted against the maximum rate.
  - 4. The computer-implemented method of claim 3, wherein the first subset of the cryptographic operations comprises encryption operations and the second subset of the cryptographic operations comprises decryption operations.
  - 5. The computer-implemented method of claim 1, wherein the key identifier usage rate is determined at least in part from a rate of performing past cryptographic operations associated with the key identifier.

6. A system, comprising:
- one or more processors;
  
  memory including instructions that, when executed by the one or more processors, cause the system to;
  
  determine a key identifier usage rate corresponding to a key identifier;
  
  determine a plurality of keys such that each key of the plurality of keys has a corresponding individual key usage rate limit, and an aggregate usage rate of the plurality of keys is able to meet the key identifier usage rate without any key from the plurality of keys exceeding its corresponding individual key usage rate limit; and
  
  associate the plurality of keys with the key identifier such that, when a request to perform a cryptographic operation associated with the key identifier is received, a key is selected from the plurality of keys for performing the cryptographic operation.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 7. The system of claim 6, wherein the corresponding individual key usage limit of each key of the plurality of keys includes a usage limit buffer to compensate for uneven distribution of requests to perform cryptographic operations associated with the key identifier among the plurality of keys.
  - 8. The system of claim 6, wherein the memory further includes instructions that cause the system to:
    - determine whether the key selected from the plurality of keys has reached an exhaustion threshold; and
      
      based at least in part on the determination,deprovision the key selected from the plurality of keys such that the key selected from the plurality of keys is prevented from being used for a first subset of cryptographic operations; and
      
      provision a replacement key within the plurality of keys associated with the key identifier such that the replacement key is created and caused to be used for a second subset of cryptographic operations.
  - 9. The system of claim 6, wherein:
    - the system further comprises a set of security modules; and
      
      each key of the set corresponds to a subset of the set of security modules.
  - 10. The system of claim 6, wherein the key identifier usage rate is determined at least in part from a measured rate of performing past cryptographic operations associated with the key identifier.
  - 11. The system of claim 6, wherein:
    - the memory further includes instructions that cause the system to track the usage of the key selected from the plurality of keys; and
      
      the usage tracked is usable to determine whether the key selected from the plurality of keys has reached an exhaustion threshold.
  - 12. The system of claim 6, wherein:
    - the key identifier usage rate represents a group usage rate for key groups of the plurality of keys;
      
      the key groups are associated with respective fault isolation zones of a plurality of fault isolation zones;
      
      the key identifier is associated with the plurality of fault isolation zones; and
      
      the plurality of keys is determined such that the key groups do not share keys.
  - 13. The system of claim 6, wherein the key identifier usage rate is determined based at least in part on a requested frequency associated with the key identifier.
  - 14. The system of claim 13, wherein the requested frequency is received from a customer of a computing resource service provider and the system is a system hosted by the computing resource service provider.
  - 15. The system of claim 14, wherein the frequency is requested by a request to an application programming interface provided by the computing resource service provider.
  - 16. The system of claim 14, wherein the memory further includes instructions that cause the system to:
    - determine whether the requested frequency exceeds the key identifier usage rate; and
      
      based at least in part on a determination that the requested frequency exceeds the key identifier usage rate, reject the requested frequency or cause the key identifier usage rate to be increased.
  - 17. The system of claim 6, wherein the memory further includes instructions that cause the system to, over an amount of time:
    - receive multiple requests in association with the key identifier to perform cryptographic operations; and
      
      fulfill at least some of the multiple requests such that a first key from the plurality of keys is used to fulfill a first request of the multiple requests and a second key from the plurality of keys is used to fulfill a second request of the multiple requests.
  - 18. The system of claim 17, wherein the memory further includes instructions that cause the system to determine the first key from the plurality of keys used to fulfill the first request and determine the second key from the plurality of keys used to fulfill the second request based at least in part on one of a round-robin scheme, a weighted round robin scheme, a stochastic selection scheme, or whether the key selected from the plurality of keys is located in a cache memory of the system.
  - 19. The system of claim 17, wherein the memory further includes instructions that cause the system to determine the first key from the plurality of keys used to fulfill the first request and determine the second key from the plurality of keys used to fulfill the second request based at least in part on the first request corresponding to a first fault isolation overlay and the second request corresponding to a second fault isolation overlay, such that cryptographic operations corresponding to the first fault isolation overlay are unaffected by a loss of the second key and cryptographic operations corresponding to the second fault isolation overlay are unaffected by a loss of the first key.

20. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of execution by one or more processors of a computer system, causes the computer system to at least:
- determine a usage rate corresponding to a key identifier;
  
  determine a plurality of keys, wherein each key in the plurality of keys has an individual key usage rate limit such that an aggregate usage rate of the plurality of keys is able to meet the usage rate without any key from the plurality of keys exceeding its corresponding individual key usage rate limit; and
  
  associate the plurality of keys with the key identifier such that, if a request to perform a cryptographic operation is received in association with the key identifier, a key is selected from the plurality of keys to perform the cryptographic operation.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27)
- - 21. The non-transitory computer-readable storage medium of claim 20, wherein the executable instructions that cause the computer system to associate the plurality of keys with the key identifier further cause the computer system to, if fulfillment of a request to perform a cryptographic operation associated with the key identifier would exceed the usage rate, modify a number of keys in the plurality of keys to ensure that an aggregate usage rate of the plurality of keys meets the usage rate without any key from the plurality of keys exceeding its corresponding individual key usage rate limit.
  - 22. The non-transitory computer-readable storage medium of claim 20, wherein each individual usage key rate limit in the plurality of keys is equal to each other individual usage key rate limit in the plurality of keys.
  - 23. The non-transitory computer-readable storage medium of claim 20, wherein the instructions that cause the computer system to select the key from the plurality of keys further include instructions that cause the computer system to select the key from the plurality of keys to perform the cryptographic operation based at least in part on one of a stochastic scheme, an attribute of the request to perform the cryptographic operation, or a type of operation to be performed.
  - 24. The non-transitory computer-readable storage medium of claim 20, wherein:
    - the executable instructions further cause the computer system to at least;
      
      perform the cryptographic operation using the key selected from the plurality of keys; and
      
      provide a result of performing the cryptographic operation; and
      
      the result comprises information including ciphertext and an identification of the key selected from the plurality of keys.
  - 25. The non-transitory computer-readable storage medium of claim 24, wherein:
    - the executable instructions further cause the computer system to at leastdetermine whether performing the cryptographic operation using the key selected from the plurality of keys causes the key selected from the plurality of keys to reach an exhaustion threshold;
      
      at least a first subset of cryptographic operations distributed among the plurality of keys are counted against the exhaustion threshold; and
      
      at least a second subset of the cryptographic operations distributed among the plurality of keys are not counted against the exhaustion threshold.
  - 26. The non-transitory computer-readable storage medium of claim 25, wherein the first subset of the cryptographic operations comprises encryption operations and the second subset of the cryptographic operations comprises decryption operations.
  - 27. The non-transitory computer-readable storage medium of claim 20, wherein the usage rate is determined based at least in part on a rate at which cryptographic operations associated with the key identifier were performed in the past.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Seidenberg, Benjamin Elias, Roth, Gregory Branchek, Campagna, Matthew John
Primary Examiner(s)
Bayou, Yonas

Application Number

US14/318,375
Time in Patent Office

802 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/065   for group communications cr...

H04L 9/088   Usage controlling of secret...

H04L 9/0891   Revocation or update of sec...

H04L 9/14   using a plurality of keys o...

Supporting a fixed transaction rate with a variably-backed logical cryptographic key

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Supporting a fixed transaction rate with a variably-backed logical cryptographic key

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links