Protection from data security threats

US 9,660,972 B1
Filed: 06/25/2012
Issued: 05/23/2017
Est. Priority Date: 06/25/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for authentication, comprising:

under the control of one or more computer systems configured with executable instructions,obtaining an electronic claim of access to a password, the claim comprising;

a first component comprising first information based at least in part on an electronic signature, the electronic signature based at least in part on a first key and a time-dependent value, the first key derived based at least in part on the password; and

a second component comprising second information based at least in part on a second key, the second key being at least;

different from the first key;

derived based at least in part on a derivation function utilizing the password and a second salt value as inputs, where the second salt value is stored by a computing resource service provider; and

the second key being unavailable to the one or more computer systems until at least obtaining the electronic claim of access to the password;

computing, based at least in part on the first key, a first reference component;

computing, based at least in part on the second key from the electronic claim, a second reference component; and

enabling access to at least one computing resource as a result of both the first reference component matching the first component and the second component matching the second reference component.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A credential, such as a password, for an entity is used to generate multiple keys. The generated keys are distributed to credential verification systems to enable the credential verification systems to perform authentication operations. The keys are generated such that access to a generated key allows for authentication with a proper subset of the credential verification systems. Thus, unauthorized access to information used by one authentication system does not, by itself, allow for successful authentication with other authentication systems.

216 Citations

30 Claims

1. A computer-implemented method for authentication, comprising:
- under the control of one or more computer systems configured with executable instructions,obtaining an electronic claim of access to a password, the claim comprising;
  
  a first component comprising first information based at least in part on an electronic signature, the electronic signature based at least in part on a first key and a time-dependent value, the first key derived based at least in part on the password; and
  
  a second component comprising second information based at least in part on a second key, the second key being at least;
  
  different from the first key;
  
  derived based at least in part on a derivation function utilizing the password and a second salt value as inputs, where the second salt value is stored by a computing resource service provider; and
  
  the second key being unavailable to the one or more computer systems until at least obtaining the electronic claim of access to the password;
  
  computing, based at least in part on the first key, a first reference component;
  
  computing, based at least in part on the second key from the electronic claim, a second reference component; and
  
  enabling access to at least one computing resource as a result of both the first reference component matching the first component and the second component matching the second reference component.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, wherein:
    - computing the second reference component further comprises computing a result of a derivation function utilizing the second salt value and the password; and
      
      enabling access to at least one computing resource further comprises comparing the second reference component with the stored second reference component accessed from memory of the one or more computer systems.
  - 3. The computer-implemented method of claim 1, wherein the method further comprises:
    - comparing the second reference component with the stored second reference component accessed from memory of the one or more computer systems; and
      
      updating automatically the stored second reference component multiple times over a time period.
  - 4. The computer-implemented method of claim 3, wherein each update of at least a subset of the updates of the stored second reference component is based at least in part on information provided from a key distribution system, the information being based at least in part on the password and information specific to a key-use zone containing the one or more computer systems, where the information specific to the key-use zone results in a corresponding restriction of use of the first key or the second key to the at least one computing resource.
  - 5. The non-transitory computer computer-implemented method of claim 1, wherein the time-dependent value further comprises current time information.
  - 6. The non-transitory computer computer-implemented method of claim 1, wherein the second salt value is maintained by the computing resource service provider further comprises maintaining the second salt value in a record of a database associated with the password.

7. A computer-implemented method for authentication, comprising:
- under the control of one or more computer systems configured with executable instructions,obtaining information from a computing device attempting authentication;
  
  determining whether the obtained information is valid based at least in part on;
  
  first information accessed from data storage accessible to the one or more computer systems and based at least in part on a first key, the first key based at least in part on a derivation function including a first salt value and a password, where the password is provided by the computing device attempting authentication; and
  
  second information based at least in part on at least a second key different from the first key and a second salt value, where the second salt value is stored in the data storage accessible to the one or more computer systems, and the second key is unavailable to the one or more computer systems until at least obtaining the information from the computing device attempting authentication;
  
  wherein neither the first information nor the second information is alone sufficient for authentication; and
  
  taking one or more actions that are dependent on a determination that the obtained information is valid.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 8. The computer-implemented method of claim 7, wherein the first information is based at least in part on a result of a cryptographic operation performed on the first salt value and the password.
  - 9. The computer-implemented method of claim 8, wherein the cryptographic operation involves at least one of a hash function, hash-based message authentication code, an asymmetric signature, a symmetric signature or an encryption.
  - 10. The computer-implemented method of claim 7, wherein:
    - obtaining the information includes receiving the information in connection with an electronic request; and
      
      the obtained information includes information dependent on the electronic request and information independent from the request.
  - 11. The computer-implemented method of claim 10, wherein the information independent from the request is a password-derived key or hash maintained by the one or more computer systems and the second information is based at least in part on a result of applying at least a hash function to the information independent from the request and obtained from memory of at least one of the one or more computer systems.
  - 12. The computer-implemented method of claim 7, wherein:
    - the first information further includes an electronic signature based at least in part on the first key and time information associated with the obtained information;
      
      the second key is derived based at least in part on the password and the second salt value, where the second salt value is obtained for a database maintained by the one or more computer systems; and
      
      the one or more computer systems lack access to the second key prior to receiving the obtained information.
  - 13. The computer-implemented method of claim 12, wherein the first key and the second key are derived based at least in part on secret information.
  - 14. The computer-implemented method of claim 7, wherein the second information comprises information that is valid for authentication by the one or more computer systems for a limited time.
  - 15. The computer-implemented method of claim 7, wherein:
    - determining whether the obtained information is valid comprises;
      
      computing, based at least in part on the first information, an electronic signature;
      
      computing, based at least in part on the second information, a hash value; and
      
      determining whether the computed electronic signature matches a provided electronic signature of the obtained information and whether the computed hash value matches hash information in data storage accessible to the one or more computer systems.
  - 16. The computer-implemented method of claim 15, wherein:
    - computing the electronic signature is further based at least in part on a time-dependent parameter; and
      
      determining that the obtained information is valid requires the obtained information to have been generated in accordance with the time-dependent parameter.

17. A computer system, comprising:
- one or more processors; and
  
  memory including instructions that, when executed by the one or more processors, cause the computer system to at least;
  
  obtain information from computing devices attempting authentication;
  
  for each party of a plurality of parties, access information specific to the party from a data store to determine whether the party is authentic, where determining whether the party is authentic requires at least that;
  
  first reference information, computed based at least in part on an electronic signature, the electronic signature based at least in part on a first key and a time-dependent value, the first key computed based at least in part on a first result of a derivation function utilizing a password and a first salt value, matches the obtained information; and
  
  second reference information, different from the first reference information and computed based at least in part on a second result of the derivation function utilizing the password and a second salt value, where the second salt value is stored in the data store, matches the information specific to the party, maintained by a computing resource service provider, and the second reference information is unavailable until obtained from the party; and
  
  take one or more actions that are dependent on a determination that the party is authentic.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The computer system of claim 17, wherein:
    - the first reference information is based at least in part on the first key which includes information specific to the party;
      
      the second reference information is based at least in part on a second key of the obtained information, where the second key is different from the first key; and
      
      the first key and the second key are derived from a password.
  - 19. The computer system of claim 17, wherein the second reference information is based at least in part on an electronic signature generated based at least in part on the information specific to the party and maintained by the computing resource service provider.
  - 20. The computer system of claim 17, wherein the first reference information is computed further based at least in part on a value, the value depends on a time at which the value was obtained.
  - 21. The computer system of claim 17, wherein the first reference information and second reference information are based at least in part on a common key to which the computer system lacks access.
  - 22. The computer system of claim 17, wherein the instructions further cause the computer system to automatically update the information specific to the party multiple times over a time period.

23. A non-transitory computer-readable storage medium having stored thereon instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
- in connection with an electronic request involving access to one or more computing resources, generate a secret information claim comprising at least;
  
  a first component based at least in part on a cryptographic operation involving a first key, the first key determined based at least in part on a result of providing secret information and a first salt value as inputs to a derivation function, and information about the electronic request; and
  
  an encoding of a second key that is different from the first key, the second key being derived based at least in part on secret information and a second salt value, the second key being unavailable to an authentication computer system until receiving the secret information claim; and
  
  transmit the generated secret information claim to the authentication computer system to obtain access to the one or more computing resources for which successful authentication is required.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30)
- - 24. The non-transitory computer computer-readable storage medium of claim 23, wherein the information about the electronic request is based at least in part on a current time.
  - 25. The non-transitory computer computer-readable storage medium of claim 23, wherein the information about the electronic request is publicly determinable.
  - 26. The non-transitory computer computer-readable storage medium of claim 23, wherein the first component comprises an electronic signature generated based at least in part on the first key.
  - 27. The non-transitory computer computer-readable storage medium of claim 23, wherein the generated secret information further includes the first component and a second component based at least in part on the second key.
  - 28. The non-transitory computer computer-readable storage medium of claim 23, wherein:
    - the instructions, when executed by the one or more processors, further cause the computer system to select a key-use zone from a plurality of key-use zones; and
      
      the first component is generated further based at least in part on information specific to the selected key-use zone.
  - 29. The non-transitory computer computer-readable storage medium of claim 28, wherein:
    - the instructions, when executed by the one or more processors, further cause the computer system to select a sub-key-use zone for the selected key-use zone; and
      
      the first component is generated further based at least in part on information specific to the selected sub-key-use zone.
  - 30. The non-transitory computer computer-readable storage medium of claim 23, wherein the second salt value is not included in the electronic request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory B., Baer, Graeme D.
Primary Examiner(s)
Kim, Tae

Application Number

US13/532,753
Time in Patent Office

1,793 Days
Field of Search

726 2- 8, 726 21, 726 26- 30, 713182-185
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/45   Structures or tools for the...

G06F 21/6218   to a system of files or obj...

H04L 2463/061   applying further key deriva...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 9/0861   Generation of secret inform...

H04L 9/0863   involving passwords or one-...

H04L 9/3228   One-time or temporary data,...

Protection from data security threats

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

216 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Protection from data security threats

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

216 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links