Virtual requests

US 9,450,758 B1
Filed: 03/12/2012
Issued: 09/20/2016
Est. Priority Date: 03/12/2012
Status: Active Grant

First Claim

Patent Images

1. A system, comprising a servicer computer configured to:

cause an authentication service computer to store a digital identity certificate of a client computer, the client computer configured to generate the digital identity certificate based at least in part on a private key associated with the client computer;

cause the authentication service computer to determine a validity of the digital identity certificate based at least in part on a public key associated with the digital identity certificate;

initiate a certificate exchange session utilizing a transport layer security (TLS) protocol with the client computer, the certificate exchange session comprising a handshake portion that includes a time-dependent request component, a service-dependent request component, and an action-dependent request component, the action-dependent request component comprising an association between a request of the certificate exchange session and an action the client computer is requested to perform;

enable the client computer to transmit the digital identity certificate to the servicer computer;

compute a servicer certificate exchange receipt based at least in part on the certificate exchange session; and

cause the client computer to compute a client certificate exchange receipt based at least in part on the certificate exchange session.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A first request from a client using a first protocol is translated into one or more second requests by a servicer using a second protocol through a virtual request using the first protocol. A client may use parameters of the first protocol to pass virtual request components to the servicer. A format agreement between the client, servicer and/or authentication service may allow the servicer and/or authentication service to translate the virtual request components over the first protocol to one or more second requests using the second protocol. Virtual request components may prove the authenticity of the virtual request received by the servicer to an authentication service. Once satisfied the virtual request is valid, the authentication service may issue a credential to the servicer to send the one or more second requests to an independent service. Virtual requests may be included in various protocols, including credential-based protocols and certificate exchange-based protocols.

40 Citations

View as Search Results

19 Claims

1. A system, comprising a servicer computer configured to:
- cause an authentication service computer to store a digital identity certificate of a client computer, the client computer configured to generate the digital identity certificate based at least in part on a private key associated with the client computer;
  
  cause the authentication service computer to determine a validity of the digital identity certificate based at least in part on a public key associated with the digital identity certificate;
  
  initiate a certificate exchange session utilizing a transport layer security (TLS) protocol with the client computer, the certificate exchange session comprising a handshake portion that includes a time-dependent request component, a service-dependent request component, and an action-dependent request component, the action-dependent request component comprising an association between a request of the certificate exchange session and an action the client computer is requested to perform;
  
  enable the client computer to transmit the digital identity certificate to the servicer computer;
  
  compute a servicer certificate exchange receipt based at least in part on the certificate exchange session; and
  
  cause the client computer to compute a client certificate exchange receipt based at least in part on the certificate exchange session.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein the servicer computer is further configured to:
    - transmit the servicer certificate exchange receipt or the client certificate exchange receipt to the authentication service computer; and
      
      when at least one of the client certificate exchange receipt or the servicer certificate exchange receipt is validated, cause the authentication service computer to transmit an issued credential to the servicer computer, the issued credential used to communicate with an independent service on behalf of the client computer.
  - 3. The system of claim 2, wherein the servicer computer is further configured to:
    - cause the authentication service computer to validate a signature of the servicer certificate exchange receipt by retrieving a principal identity for the servicer computer using a public key associated with the servicer computer; and
      
      cause the authentication service computer to verify the public key associated with the servicer computer.
  - 4. The system of claim 3, wherein the servicer computer is further configured to:
    - cause the authentication service computer to verify the public key associated with the servicer computer by comparing the time-dependent request component with a current time.
  - 5. The system of claim 3, wherein the servicer computer is further configured to:
    - cause the authentication service computer to verify the public key associated with the servicer computer by matching the service-dependent request component with the digital identity certificate of the client computer.
  - 6. The system of claim 1, wherein the authentication service computer is configured to store the digital identity certificate of the client computer in a certificate store.

7. A system, comprising a client computer configured to:
- generate a digital identity certificate based at least in part on a private key associated with the client computer;
  
  cause an authentication service computer to store the digital identity certificate of the client computer;
  
  cause the authentication service computer to determine a validity of the digital identity certificate based at least in part on a public key associated with the digital identity certificate;
  
  cause a servicer computer to initiate a certificate exchange session utilizing a transport layer security (TLS) protocol with the servicer computer, the certificate exchange session comprising a handshake portion that includes a time-dependent request component, a service-dependent request component, and an action-dependent request component, the action-dependent request component comprising an association between a request of the certificate exchange session and an action the client computer is requested to perform;
  
  transmit the digital identity certificate to the servicer computer;
  
  compute a client certificate exchange receipt based at least in part on the certificate exchange session; and
  
  cause the servicer computer to compute a servicer certificate exchange receipt based at least in part on the certificate exchange session.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The system of claim 7, wherein the client computer is further configured to:
    - transmit to the servicer computer, from the client computer, the digital identity certificate in the handshake portion; and
      
      transmit to the servicer computer, from the client computer, a handshake verification associated with the handshake portion.
  - 9. The system of claim 8, wherein the handshake verification is calculated using a secure cryptographic hash function using the private key associated with the client computer as a hash-based message authentication code (HMAC) key.
  - 10. The system of claim 7, wherein the client computer is further configured to:
    - receive a format agreement from the servicer computer at the client computer, the format agreement including instructions to convert a first request using a first protocol to a second request using a second protocol, wherein the first request is directed to an independent service on behalf of the client computer.
  - 11. The system of claim 10, wherein the client computer is further configured to:
    - sign the format agreement, wherein the format agreement includes at least one of the time-dependent request component, the service-dependent request component, or the action-dependent request component.

12. A system, comprising an authentication service computer configured to:
- receive a digital identity certificate of a client computer, the client computer configured to generate the digital identity certificate based at least in part on a private key associated with the client computer;
  
  store the digital identity certificate of a client computer;
  
  determine a validity of the digital identity certificate based at least in part on a public key associated with the digital identity certificate;
  
  cause a servicer computer to initiate a certificate exchange session utilizing a transport layer security (TLS) protocol with the client computer, the certificate exchange session comprising a handshake portion that includes a time-dependent request component, a service-dependent request component, and an action-dependent request component, the action-dependent request component comprising an association between a request of the certificate exchange session and an action the client computer is requested to perform;
  
  cause the servicer computer to enable the client computer to transmit the digital identity certificate to the servicer computer;
  
  cause the client computer to compute a client certificate exchange receipt based at least in part on the certificate exchange session; and
  
  cause the servicer computer to compute a servicer certificate exchange receipt based at least in part on the certificate exchange session.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The system of claim 12, wherein the authentication service computer is further configured to:
    - store a mapping to a principal identity with the digital identity certificate of the client computer.
  - 14. The system of claim 12, wherein the authentication service computer is further configured to:
    - verify the public key associated with the servicer computer by comparing the time-dependent request component with a current time.
  - 15. The system of claim 12, wherein the authentication service computer is further configured to:
    - verify the public key associated with the servicer computer by matching the service-dependent request component with the digital identity certificate of the client computer.
  - 16. The system of claim 12, wherein the time-dependent request component includes a time stamp, a date stamp, or a sequence number.
  - 17. The system of claim 12, wherein the service-dependent request component includes a service identifier, a moniker, or a hostname.
  - 18. The system of claim 12, wherein the action-dependent request component includes a request path, a request parameter, an action string, or a query string.
  - 19. The system of claim 12, wherein the digital identity certificate is an X.509 public key certificate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Allen, Nicholas Alexander, Roth, Gregory B., Dykhno, Elena
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Nguy, Chi

Application Number

US13/418,270
Time in Patent Office

1,653 Days
Field of Search

713155-157
US Class Current

1/1
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 9/321   involving a third party or ...

H04L 9/3268   using certificate validatio...

H04L 9/3297   involving time stamps, e.g....

Virtual requests

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

40 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual requests

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links