Service-to-service digital path tracing

US 9,559,849 B1
Filed: 09/18/2014
Issued: 01/31/2017
Est. Priority Date: 09/18/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

under control of one or more computer systems configured with executable instructions,receiving, from a service, a digital message, and a trace, the trace including an ordered set of a plurality of digital signatures of, and respectively added to the digital message by, a plurality of services of a service set, that participated in causing the digital message to be communicated and received and specifying an ordering of the plurality of services, the ordering according to an order of participation of the plurality of services in causing the digital message to be communicated and received and the digital message being of a particular type, the communication of the digital message specifying at least a first service and a second service;

determining, based at least in part on the trace, that the-plurality of services of the service set corresponds to a message communication path that has been recorded for the type of the digital message;

utilizing one or more digital certificates corresponding to the ordered set of digital signatures to verify that the ordered set of digital signatures are valid; and

as a result of the ordered set of digital signatures being valid, processing the digital message.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A service receives from a sender service a digital message and a corresponding trace, which includes an ordered set of digital signatures of one or more services that participated in causing the service to receive the digital message. The trace may further specify an ordering of the one or more services, which may be generated according to the order of participation of these one or more services. The service may compare the received trace to recorded message paths to determine whether the ordering specified within the trace is valid. If the ordering is valid, the service may use one or more digital certificates to further verify the digital signatures included within the trace. If the service determines that these digital signatures are also valid, the service may process the message.

16 Citations

View as Search Results

12 Claims

1. A computer-implemented method, comprising:
- under control of one or more computer systems configured with executable instructions,receiving, from a service, a digital message, and a trace, the trace including an ordered set of a plurality of digital signatures of, and respectively added to the digital message by, a plurality of services of a service set, that participated in causing the digital message to be communicated and received and specifying an ordering of the plurality of services, the ordering according to an order of participation of the plurality of services in causing the digital message to be communicated and received and the digital message being of a particular type, the communication of the digital message specifying at least a first service and a second service;
  
  determining, based at least in part on the trace, that the-plurality of services of the service set corresponds to a message communication path that has been recorded for the type of the digital message;
  
  utilizing one or more digital certificates corresponding to the ordered set of digital signatures to verify that the ordered set of digital signatures are valid; and
  
  as a result of the ordered set of digital signatures being valid, processing the digital message.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, wherein the one or more digital certificates are received from the service along with the digital message and the trace.
  - 3. The computer-implemented method of claim 1, further comprising obtaining, from a certificate service, the one or more digital certificates in order to enable utilization of the one or more digital certificates to verify the ordered set of digital signatures are valid.
  - 4. The computer-implemented method of claim 1, wherein processing the digital message includes appending, to the trace, a digital signature and transmitting the digital message and the appended trace to another service.

5. A non-transitory computer-readable storage medium having stored thereon executable instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
- determine, in response to receiving a digital message of a particular type and a trace from a service, whether a message path specified within the trace corresponds to a recorded message path, wherein the trace including an ordered set of a plurality of digital signatures of, and respectively added to the digital message by, a plurality of services of a service set;
  
  identify from the recorded message an ordering of a plurality of services that participated in causing the digital message to be received and that respectively added a digital signature of the service to the digital message,wherein the ordering is according to an order of participation of the plurality of services in causing the digital message to be communicated and received; and
  
  wherein the communication of the digital message specifies at least a first service and a second service;
  
  utilize one or more digital certificates corresponding to the ordered set of the plurality of digital signatures to verify that the ordered set of digital signatures are valid; and
  
  process the digital message based on the ordered set of digital signatures being valid.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The non-transitory computer-readable storage medium of claim 5, wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to:
    - obtain, from the digital message and trace from the service, one or more digital signatures of the plurality of services specified within the trace; and
      
      utilize one or more digital certificates corresponding to the obtained one or more digital signatures to verify the one or more digital signatures.
  - 7. The non-transitory computer-readable storage medium of claim 6, wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to obtain, from a certificate service, the one or more digital certificates in order to enable utilization of the one or more digital certificates to verify the one or more digital signatures.
  - 8. The non-transitory computer-readable storage medium of claim 6, wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to remove a digital signature of the one or more digital signatures from the trace as a result of the trace exceeding a maximum length limit.
  - 9. The non-transitory computer-readable storage medium of claim 5, wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to add, to the trace, a digital signature and transmit the digital message and the appended trace to another service upon processing the digital message.
  - 10. The non-transitory computer-readable storage medium of claim 5, wherein:
    - the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to verify that the recorded message path specified within the trace corresponds to a recorded message path of a set of recorded message paths corresponding to the particular type to determine if the recorded message path specified within the trace corresponds to the recorded message path.
  - 11. The non-transitory computer-readable storage medium of claim 5, wherein the trace specifies an ordering of a set of services, the ordering according to an order of participation in causing the digital message to be received.
  - 12. The non-transitory computer-readable storage medium of claim 5, wherein the trace comprises a plurality of components, individual components of the plurality of components digitally signed by a respective service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Wasiq, Muhammad, Sharifi Mehr, Nima
Primary Examiner(s)
Zhao, Don

Application Number

US14/490,465
Time in Patent Office

866 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/123   received data contents, e.g...

H04L 63/1483   service impersonation, e.g....

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

Service-to-service digital path tracing

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

12 Claims

Specification

Use Cases

Quick Links

Others

Service-to-service digital path tracing

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

12 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others