Establishing entropy on a system

US 9,749,127 B1
Filed: 06/03/2014
Issued: 08/29/2017
Est. Priority Date: 06/03/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for providing a secure random number code, comprising:

receiving, at a computer system with a hardware random number generator, a request over a secure communications connection, the secure communications connection being established based at least in part on a first random code generated by a client transmitting the request, and the request being for a second random code; and

as a result of receiving the request;

generating the second random code using the hardware random number generator, the second random code being cryptographically-stronger than the first random code; and

providing, to the client, the generated second random code.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Servers in datacenters, mobile devices and virtualized servers without human interaction may experience difficulties in establishing entropy in a virtualized computing environment. Entropy is an important foundation for cryptography and a lack of entropy has led to weaknesses that can be used to break cryptographic systems in the past.

8 Citations

View as Search Results

19 Claims

1. A computer-implemented method for providing a secure random number code, comprising:
- receiving, at a computer system with a hardware random number generator, a request over a secure communications connection, the secure communications connection being established based at least in part on a first random code generated by a client transmitting the request, and the request being for a second random code; and
  
  as a result of receiving the request;
  
  generating the second random code using the hardware random number generator, the second random code being cryptographically-stronger than the first random code; and
  
  providing, to the client, the generated second random code.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, wherein the secure communications connection established by the client is a temporary connection, the temporary connection terminating when the client receives the secure random code.
  - 3. The computer-implemented method of claim 1, wherein the client and the computer system with the hardware random number generator are co-located, the co-location enabling the client and the hardware random number generator to communicate over a local and/or trusted network.
  - 4. The computer-implemented method of claim 1, further comprising updating one or more accounting records to indicate usage, by an entity associated with a computer system that submitted the request, of an entropy service that provides random number seeds in exchange for value.

5. A system, comprising:
- at least one computing device configured to implement one or more services, wherein the one or more services;
  
  receive a request over a secure network connection, the secure network connection being established based at least in part on an initial code generated by a requestor, the request being for a first code;
  
  utilize a random number generator to generate the first code; and
  
  provide the generated first code via the secure network connection in response to the request.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13)
- - 6. The system of claim 5, wherein:
    - the system provides the generated first code to a process in a privileged domain of a hypervisor that hosts a virtual machine; and
      
      the virtual machine obtains the first code from the process in the privileged domain and uses the first code to establish a secure communication channel.
  - 7. The system of claim 5, wherein the random number generator is a hardware random number generator.
  - 8. The system of claim 5, wherein the first code is to be utilized for all future communications over the network connection or a different network connection.
  - 9. The system of claim 5, wherein:
    - the system includes a client;
      
      the request is received from the client;
      
      the network connection is a Secure Sockets Layer (SSL) protocol connection or a Transport Layer Security (TLS) protocol connection with the client; and
      
      the first code is provided to a random bit generator to generate a numerical stream to use with the SSL or TLS protocol connection.
  - 10. The system of claim 9, wherein the random bit generator is a cryptographically secure pseudorandom number generator or a pseudorandom number generator.
  - 11. The system of claim 5, wherein the request received via a web service interface.
  - 12. The system of claim 5, wherein the random number generator generates the random number as a result of receipt of the request.
  - 13. The system of claim 5, wherein:
    - the system further comprises a proxy server connected with an entropy service over the network connection;
      
      the request is received as a result of the proxy server relaying the request from a client over the network connection; and
      
      the generated first code is provided to the client over a second network connection.

14. A non-transitory computer-readable storage medium having stored thereon executable instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
- generate, at the computer system, a first random number code;
  
  provide the generated first random number code to a first random number generator at the computer system;
  
  initiate a cryptographic protocol for a first secure communications connection with another computer system using an output from the first random number generator; and
  
  utilize the secure communications connection to obtain a second random number code from a second random number generator, wherein the second random number generator has higher entropy than the first random number generator.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The non-transitory computer-readable storage medium of claim 14, wherein the computer system is a virtual computer system and wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the virtual computer system to utilize a state of the virtual computer system to generate the first random number code.
  - 16. The non-transitory computer-readable storage medium of claim 14, wherein the instructions that cause the computer system to obtain the second random number code further include instructions that cause the computer system to reinitiate a network connection utilizing the obtained second random number code to obtain a third random number code to replace the second random number code.
  - 17. The non-transitory computer-readable storage medium of claim 14, wherein the instructions that cause the computer system to obtain the second random number code cause the computer system to transmit a web service request to the other computer system over a network and receive, in a response to the request, the second random number code.
  - 18. The non-transitory computer-readable storage medium of claim 17, wherein the instructions that cause the computer system to obtain the second random number code further include instructions that cause the computer system to obtain the second random number code produced by a hardware security module (HSM).
  - 19. The non-transitory computer-readable storage medium of claim 14, wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to connect a proxy server and the computer system over a first trusted connection, the proxy server being configured to relay at least a request message from the computer system to an entropy service via an untrusted network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Doane, Andrew Jeffrey, Cignetti, Todd Lawrence
Primary Examiner(s)
Hoffman, Brandon

Application Number

US14/294,997
Time in Patent Office

1,183 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 7/582   Pseudo-random number genera...

H04L 63/164   at the network layer

H04L 67/10   in which an application is ...

H04L 9/002   Countermeasures against att...

H04L 9/0662   with particular pseudorando...

H04L 9/0877   using additional device, e....

Establishing entropy on a system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

8 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Establishing entropy on a system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others