Data security service

US 9,590,959 B2
Filed: 02/12/2013
Issued: 03/07/2017
Est. Priority Date: 02/12/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for providing data storage services, comprising:

under the control of one or more computer systems of a computing resource service provider, the one or more computer systems configured with executable instructions,receiving, at a data service front end, from a customer of the computing resource service provider, a request to utilize a data storage service of the computing resource service provider to store a data object; and

as a result of having received the request to utilize the data storage service, at least;

obtaining, by the data service front end, proof information usable to cryptographically verify authenticity of the request;

analyzing the request to determine a cryptographic signature of the request; and

if the cryptographic signature matches the proof information, at least;

causing a cryptography service of the computing resource service provider to provide, to the data storage service, information encrypted by the cryptography service using a key that is inaccessible to the data storage service, the encrypted information usable to obtain the data object in unencrypted form and the key from a plurality of keys managed by the cryptography service on behalf of a plurality of customers of the computing resource service provider; and

using the data storage service to store the encrypted information and the data object in encrypted form.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A distributed computing environment utilizes a cryptography service. The cryptography service manages keys securely on behalf of one or more entities. The cryptography service is configured to receive and respond to requests to perform cryptographic operations, such as encryption and decryption. The requests may originate from entities using the distributed computing environment and/or subsystems of the distributed computing environment.

Citations

29 Claims

1. A computer-implemented method for providing data storage services, comprising:
- under the control of one or more computer systems of a computing resource service provider, the one or more computer systems configured with executable instructions,receiving, at a data service front end, from a customer of the computing resource service provider, a request to utilize a data storage service of the computing resource service provider to store a data object; and
  
  as a result of having received the request to utilize the data storage service, at least;
  
  obtaining, by the data service front end, proof information usable to cryptographically verify authenticity of the request;
  
  analyzing the request to determine a cryptographic signature of the request; and
  
  if the cryptographic signature matches the proof information, at least;
  
  causing a cryptography service of the computing resource service provider to provide, to the data storage service, information encrypted by the cryptography service using a key that is inaccessible to the data storage service, the encrypted information usable to obtain the data object in unencrypted form and the key from a plurality of keys managed by the cryptography service on behalf of a plurality of customers of the computing resource service provider; and
  
  using the data storage service to store the encrypted information and the data object in encrypted form.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, wherein:
    - causing the cryptography service to provide the encrypted information includes providing a digitally signed request, from the data storage service, that the received request to utilize the data storage service has been made by the customer; and
      
      including the signed request in the proof information is necessary for the cryptography service to provide the encrypted information.
  - 3. The computer-implemented method of claim 1, wherein:
    - the request to utilize the data storage service includes a request to store, in encrypted form, a data object using the data storage service;
      
      the information includes a second key used to encrypt the data object; and
      
      using the data storage service to store the encrypted information includes using the data storage service to store, in encrypted form, the data object.
  - 4. The computer-implemented method of claim 1, wherein the method further comprises:
    - receiving a request to retrieve the data object from the data storage service;
      
      obtaining the encrypted information from the data storage service;
      
      causing the cryptography service to decrypt the encrypted information; and
      
      using the information to provide the data object in response to the received request to retrieve the data object.
  - 5. The computer-implemented method of claim 4, wherein using the information to provide the data object in response to the received request to retrieve the data object includes using the key to decrypt the encrypted data object.
  - 6. The computer-implemented method of claim 1, wherein the method further comprises:
    - providing to the cryptography service the encrypted information for decryption; and
      
      causing the cryptography service to check whether a policy on the key allows the key to be used to decrypt the encrypted information and, when allowed by the policy, decrypt the encrypted information, where the policy is maintained by the cryptography service.
  - 7. The computer-implemented method of claim 1, wherein:
    - the method further comprises receiving, from the customer, information representing a policy on the key; and
      
      causing the cryptography service to operate in accordance with the represented policy.
  - 8. The computer-implemented method of claim 1, wherein:
    - the method further comprises;
      
      receiving, from the cryptography service, a policy on the key;
      
      checking whether the received policy allows fulfilling the request; and
      
      causing the cryptography service to provide the encrypted information is dependent on the policy allows fulfilling the request; and
      
      causing the cryptography service to operate in accordance with the represented policy.

9. A computer-implemented method for providing cryptographic services, comprising:
- under the control of one or more computer systems configured with executable instructions,as a result of a service receiving a first request to utilize the service to store a data object, receiving a second request to perform one or more cryptographic operations, at a second service, that are necessary for fulfilling the first request;
  
  receiving, by the service, authentication information for the first request;
  
  analyzing, by a third service, the first request to determine a cryptographic signature for the first request;
  
  if the authentication information and the cryptographic signature match, provide, by the first service, proof information to the second service, the proof information configured to enable performance of the requested one or more cryptographic operations;
  
  performing, by the second service, the requested one or more cryptographic operations based at least in part on receiving the proof information; and
  
  providing one or more results of performing the requested one or more cryptographic operations to the service, the one or more results necessary for at least storing the data object and at least one result of the one or more results of performing the requested one or more cryptographic operations.
- View Dependent Claims (10, 11, 12, 13, 14, 28, 29)
- - 10. The computer-implemented method of claim 9, wherein the one or more cryptographic operations include decryption of a key needed to fulfill the received first request to utilize the service.
  - 11. The computer-implemented method of claim 9, wherein:
    - the method further comprises further comprising receiving signed information verifying that the received first request to utilize the service is authentic; and
      
      performing the one or more cryptographic operations by at least including the signed information verifying that the received first request to utilize the service is authentic in the proof information.
  - 12. The computer-implemented method of claim 9, further comprising selecting, from a plurality of keys that comprises at least two keys each managed by the cryptography service on behalf of a different entity, at least one key for performing the one or more cryptographic operations.
  - 13. The computer-implemented method of claim 9, wherein:
    - the one or more cryptographic operations require use of a key;
      
      the method further comprises receiving, for the key, a policy for the key; and
      
      performing the one or more cryptographic operations requires performance of the one or more cryptographic operations to be in compliance with the received policy.
  - 14. The computer-implemented method of claim 9, further comprising:
    - receiving a policy for a key usable to perform the one or more cryptographic operations;
      
      checking whether an existing policy allows implementation of the policy; and
      
      rejecting the received policy as a result of the existing policy disallowing implementation of the policy.
  - 28. The computer-implemented method of claim 9, wherein:
    - the method further comprises further comprising as a result of a service receiving a third request to utilize the service to obtain the data object from the service, receiving a fourth request to perform one or more additional cryptographic operations, at the second service, that are necessary for fulfilling the third request;
      
      performing the requested one or more additional cryptographic operations based at least in part on proof information configured to enable performance of the requested one or more additional cryptographic operations; and
      
      providing a result of performing the requested one or more additional cryptographic operations to the service, the result configured to enable a data service front end to provide in response to the third request the data object in unencrypted form.
  - 29. The computer-implemented method of claim 28, wherein the one or more additional cryptographic operations include decryption of a key needed to fulfill the received third request to utilize the service based at least in part on additional proof information configured to enable performance of the requested one or more additional cryptographic operations, where the additional proof information is provided by the service.

15. A computer system, comprising:
- one or more processors; and
  
  memory storing instructions executable by the one or more processors to cause the computer system to implement at least;
  
  a cryptography service configured to at least;
  
  store a plurality of keys such that the plurality of keys are inaccessible to a service different from the cryptography service and associated with a customer of a plurality of customers of a computing resource provider; and
  
  upon detecting a request pending at the service;
  
  determining whether proof information obtained from the service is authentic by at least analyzing authenticity of the request independently of the proof information provided by the service;
  
  as a result of determining that proof information obtained from the service is authentic, selecting a key from the plurality of keys and using the selected key to perform one or more cryptographic operations needed to fulfill the pending request;
  
  perform one or more cryptographic operations to verify pendency of the request; and
  
  provide to a front end server of the service a result of performing the one or more cryptographic operations.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer system of claim 15, wherein detecting the request pending at the service includes receiving, from the service, notification and proof information associated with the request pending at the service, where the proof information is configured to enable the cryptography service to verify the pending request.
  - 17. The computer system of claim 15, wherein:
    - the computer system is operated by a computing resource service provider;
      
      the request is generated by the customer of the plurality of customers of the computing resource provider; and
      
      each key of the plurality of keys has a corresponding customer of the computing resource provider.
  - 18. The computer system of claim 15, wherein the cryptography service is further configured to verify that the pending request is authorized based at least in part on an electronic signature included in the request.
  - 19. The computer system of claim 15, further comprising a metering service configured to receive output of the cryptography service and generate accounting records based at least in part on the received output.
  - 20. The computer system of claim 15, wherein the cryptography service is further configured to:
    - store policy information that defines one or more policies for each of at least a subset of the plurality of keys; and
      
      enforce the one or more policies.
  - 21. The computer system of claim 20, wherein:
    - the computer system is operated by a computing resource service provider;
      
      each key of the plurality of keys corresponds to a customer of the computing resource provider; and
      
      the cryptography service is configured to;
      
      receive, from customers of the computing resource provider, policy updates; and
      
      update the stored policy information according to the received policy updates.

22. A non-transitory computer-readable storage medium having stored thereon instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
- receive a request to utilize a service; and
  
  as a result of having received the request to utilize the service;
  
  provide to a cryptography service proof, based at least in part on the request, that the request was received, wherein the proof is provided by the service;
  
  cause the cryptography service to verify authenticity of the request by at least comparing the proof to a result of a cryptographic verification of the request independent of the proof;
  
  if the cryptography service verifies that the request is authentic, cause the cryptography service to use a key to perform one or more cryptographic operations on information that, after the one or more cryptographic operations have been performed, is usable to fulfill the request to utilize the service; and
  
  as a result of receiving, by the service, a result of performing the one or more cryptographic operations, fulfilling, by the service, the request to utilize the service using at least the information on which the one or more cryptographic operations were performed and the result.
- View Dependent Claims (23, 24, 25, 26, 27)
- - 23. The non-transitory computer-readable storage medium of claim 22, wherein the proof comprises authentication information that enables the cryptography service to verify that the request to utilize the service is authentic.
  - 24. The non-transitory computer-readable storage medium of claim 22, wherein:
    - the request to utilize the service includes a request to perform an operation in connection with a data object; and
      
      the information is a key used to encrypt the data object.
  - 25. The non-transitory computer-readable storage medium of claim 22, wherein the instructions, when executed by the one or more processors, cause the cryptography service to enforce one or more policies on the key, the one or more policies being determinative of whether the one or more cryptographic operations are performable using the key.
  - 26. The non-transitory computer-readable storage medium of claim 22, wherein the request to utilize the service is a request to perform a storage operation in connection with a data object.
  - 27. The non-transitory computer-readable storage medium of claim 22, wherein causing the cryptography service to use the key to perform one or more cryptographic operations includes providing an identifier of the key to enable the cryptography service to select the key from a plurality of keys stored by the cryptography service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Wren, Matthew James, Brandwine, Eric Jason, Pratt, Brian Irl
Primary Examiner(s)
BROWN, ANTHONY D

Application Number

US13/764,963
Publication Number

US 20140229729A1
Time in Patent Office

1,484 Days
Field of Search

713/153, 726/2
US Class Current

1/1
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/045   wherein the sending and rec...

H04L 63/0471   applying encryption by an i...

H04L 63/08   for authentication of entit...

H04L 67/1097   for distributed storage of ...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3242   involving keyed hash functi...

H04L 9/3247   involving digital signatures

Data security service

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Data security service

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links