Data security service
Abstract
A distributed computing environment utilizes a cryptography service. The cryptography service manages keys securely on behalf of one or more entities. The cryptography service is configured to receive and respond to requests to perform cryptographic operations, such as encryption and decryption. The requests may originate from entities using the distributed computing environment and/or subsystems of the distributed computing environment.
29 Claims
1. A computer-implemented method for providing data storage services, comprising:
under the control of one or more computer systems of a computing resource service provider, the one or more computer systems configured with executable instructions, receiving, at a data service front end, from a customer of the computing resource service provider, a request to utilize a data storage service of the computing resource service provider to store a data object; and
as a result of having received the request to utilize the data storage service, at least:
obtaining, by the data service front end, proof information usable to cryptographically verify authenticity of the request;
analyzing the request to determine a cryptographic signature of the request; and
if the cryptographic signature matches the proof information, at least:
causing a cryptography service of the computing resource service provider to provide, to the data storage service, information encrypted by the cryptography service using a key that is inaccessible to the data storage service, the encrypted information usable to obtain the data object in unencrypted form and the key from a plurality of keys managed by the cryptography service on behalf of a plurality of customers of the computing resource service provider; and
using the data storage service to store the encrypted information and the data object in encrypted form.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A computer-implemented method for providing cryptographic services, comprising:
under the control of one or more computer systems configured with executable instructions, as a result of a service receiving a first request to utilize the service to store a data object, receiving a second request to perform one or more cryptographic operations, at a second service, that are necessary for fulfilling the first request;
receiving, by the service, authentication information for the first request;
analyzing, by a third service, the first request to determine a cryptographic signature for the first request;
if the authentication information and the cryptographic signature match, provide, by the first service, proof information to the second service, the proof information configured to enable performance of the requested one or more cryptographic operations;
performing, by the second service, the requested one or more cryptographic operations based at least in part on receiving the proof information; and
providing one or more results of performing the requested one or more cryptographic operations to the service, the one or more results necessary for at least storing the data object and at least one result of the one or more results of performing the requested one or more cryptographic operations.
Dependent claims: 10, 11, 12, 13, 14, 28, 29
15. A computer system, comprising:
one or more processors; and
memory storing instructions executable by the one or more processors to cause the computer system to implement at least:
a cryptography service configured to at least:
store a plurality of keys such that the plurality of keys are inaccessible to a service different from the cryptography service and associated with a customer of a plurality of customers of a computing resource provider; and
upon detecting a request pending at the service:
determining whether proof information obtained from the service is authentic by at least analyzing authenticity of the request independently of the proof information provided by the service;
as a result of determining that proof information obtained from the service is authentic, selecting a key from the plurality of keys and using the selected key to perform one or more cryptographic operations needed to fulfill the pending request;
perform one or more cryptographic operations to verify pendency of the request; and
provide to a front end server of the service a result of performing the one or more cryptographic operations.
Dependent claims: 16, 17, 18, 19, 20, 21
22. A non-transitory computer-readable storage medium having stored thereon instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
receive a request to utilize a service; and
as a result of having received the request to utilize the service:
provide to a cryptography service proof, based at least in part on the request, that the request was received, wherein the proof is provided by the service;
cause the cryptography service to verify authenticity of the request by at least comparing the proof to a result of a cryptographic verification of the request independent of the proof;
if the cryptography service verifies that the request is authentic, cause the cryptography service to use a key to perform one or more cryptographic operations on information that, after the one or more cryptographic operations have been performed, is usable to fulfill the request to utilize the service; and
as a result of receiving, by the service, a result of performing the one or more cryptographic operations, fulfilling, by the service, the request to utilize the service using at least the information on which the one or more cryptographic operations were performed and the result.
Dependent claims: 23, 24, 25, 26, 27
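The flow recited in claim 1 (verify the request signature, then store the object under a data key that the cryptography service wraps with a key the storage side never sees), sketched as an added example that is not part of the patent text. The class names, the HMAC request-signing scheme and the HMAC-SHA256 keystream used as a stand-in cipher are assumptions made so the sketch runs on the Python standard library.

```python
import hashlib
import hmac
import secrets

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode, no integrity tag.
    # A real service would use an AEAD such as AES-GCM here.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class CryptographyService:
    """Manages one master key per customer; master keys never leave this object."""
    def __init__(self):
        self._master = {}
    def create_key(self, customer: str) -> None:
        self._master[customer] = secrets.token_bytes(32)
    def generate_data_key(self, customer: str):
        data_key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        wrapped = nonce + _xor_stream(self._master[customer], nonce, data_key)
        return data_key, wrapped          # plaintext key for one use, plus wrapped copy
    def unwrap(self, customer: str, wrapped: bytes) -> bytes:
        return _xor_stream(self._master[customer], wrapped[:16], wrapped[16:])

def sign(key: bytes, name: str, body: bytes) -> str:
    # Hypothetical request-signing scheme: HMAC over object name and body.
    return hmac.new(key, name.encode() + b"\n" + body, hashlib.sha256).hexdigest()

class FrontEnd:
    """Data service front end plus its backing store (a dict in this sketch)."""
    def __init__(self, kms: CryptographyService, signing_keys: dict):
        self.kms, self.signing_keys, self.store = kms, signing_keys, {}
    def put(self, customer: str, name: str, body: bytes, signature: str) -> bool:
        expected = sign(self.signing_keys[customer], name, body)
        if not hmac.compare_digest(expected, signature):
            return False                  # unauthenticated: no key is ever requested
        data_key, wrapped = self.kms.generate_data_key(customer)
        nonce = secrets.token_bytes(16)
        ciphertext = nonce + _xor_stream(data_key, nonce, body)
        # Only the wrapped key and the ciphertext are persisted.
        self.store[(customer, name)] = (wrapped, ciphertext)
        return True
    def get(self, customer: str, name: str) -> bytes:
        wrapped, blob = self.store[(customer, name)]
        data_key = self.kms.unwrap(customer, wrapped)
        return _xor_stream(data_key, blob[:16], blob[16:])
```
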
Specification