Binding digitally signed requests to sessions

US 9,780,952 B1
Filed: 12/12/2014
Issued: 10/03/2017
Est. Priority Date: 12/12/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

establishing a cryptographically protected communications session;

after the cryptographically protected communications session is established,receiving, from a client over the cryptographically protected communications session, a request and a digital signature, the request including a parameter specific to a cryptographically protected communications session over which the request was submitted;

determining whether the cryptographically protected communications session is the same as the cryptographically protected communications session over which the request was submitted by at least;

determining information specific to the cryptographically protected communications session;

determining whether the information specific to the cryptographically protected communications session matches the parameter specific to the cryptographically protected communications session over which the request was submitted;

accessing a cryptographic key registered prior to establishment of the cryptographically protected communications session and in association with the client; and

determining, based at least in part on the request and the cryptographic key, whether the digital signature is valid; and

as a result of both the digital signature being valid and the information specific to the cryptographically protected communications session matching the parameter specific to the cryptographically protected communications session over which the request was submitted;

generating a response to the request;

using the cryptographic key to generate a digital signature of the response; and

transmitting the generated response and the generated digital signature to the client over the cryptographically protected communications session.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A client establishes an cryptographically protected communications session and determines information usable to distinguish the session from other sessions. The client digitally signs the information using a cryptographic key that is independent of the session to enable a server to check whether the information matches the session that it established and whether the digital signature is correct. The server may perform mitigating operations if either or both of the information or the digital signature is/are invalid.

33 Citations

View as Search Results

21 Claims

1. A computer-implemented method, comprising:
- establishing a cryptographically protected communications session;
  
  after the cryptographically protected communications session is established,receiving, from a client over the cryptographically protected communications session, a request and a digital signature, the request including a parameter specific to a cryptographically protected communications session over which the request was submitted;
  
  determining whether the cryptographically protected communications session is the same as the cryptographically protected communications session over which the request was submitted by at least;
  
  determining information specific to the cryptographically protected communications session;
  
  determining whether the information specific to the cryptographically protected communications session matches the parameter specific to the cryptographically protected communications session over which the request was submitted;
  
  accessing a cryptographic key registered prior to establishment of the cryptographically protected communications session and in association with the client; and
  
  determining, based at least in part on the request and the cryptographic key, whether the digital signature is valid; and
  
  as a result of both the digital signature being valid and the information specific to the cryptographically protected communications session matching the parameter specific to the cryptographically protected communications session over which the request was submitted;
  
  generating a response to the request;
  
  using the cryptographic key to generate a digital signature of the response; and
  
  transmitting the generated response and the generated digital signature to the client over the cryptographically protected communications session.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, wherein the information specific to the cryptographically protected communications session is based at least in part on a secret negotiated as part of a handshake process to establish the cryptographically protected communications session.
  - 3. The computer-implemented method of claim 2, wherein determining whether the information specific to the cryptographically protected communications session matches the parameter specific to the cryptographically protected communications session over which the request was submitted comprises deriving a reference parameter specific to the cryptographically protected communications session from the secret.
  - 4. The computer-implemented method of claim 1, wherein the cryptographically protected communications session is a transport layer security session.

5. A system, comprising at least one computing device configured to implement one or more services, the one or more services configured to:
- receive, over an established cryptographically protected communications session, a digital signature and a request associated with a client;
  
  obtain, prior to establishment of the established cryptographically protected communications session, a cryptographic key associated with the client;
  
  perform, based at least in part on the request, the cryptographic key, and the digital signature, a verification of whether the request was transmitted from the client to the system over the established cryptographically protected communications session; and
  
  perform one or more mitigating actions if the verification results in the request being transmitted from the client to the system over the established cryptographically protected communications session being unverified.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13)
- - 6. The system of claim 5, wherein:
    - the one or more services are further configured to determine information specific to the established cryptographically protected communications session; and
      
      the verification includes determining whether the determined information specific to the established cryptographically protected communications session matches a parameter in the request.
  - 7. The system of claim 6, wherein the verification further comprises determining, based at least in part on the cryptographic key and the request, whether the digital signature is valid.
  - 8. The system of claim 5, wherein the cryptographic key is shared as a secret between the client and the system prior to establishment of the established cryptographically protected communications session.
  - 9. The system of claim 5, wherein the verification includes determining whether information resulting from a handshake process for establishing the established cryptographically protected communications session matches a parameter in the request.
  - 10. The system of claim 5, wherein the one or more services are further configured such that successful verification that the request was transmitted from the client to the system over the established cryptographically protected communications session and successful verification of the digital signature are prerequisites for fulfilling the request.
  - 11. The system of claim 5, wherein the one or more services are further configured to:
    - if determined that the digital signature is valid and that the request was transmitted from the client to the system over the established cryptographically protected communications session;
      
      determine a response to the request; and
      
      digitally sign the response to the request using a cryptographic key that is independent of the established cryptographically protected communications session.
  - 12. The system of claim 11, wherein:
    - the cryptographic key that is associated with the client and the cryptographic key that is registered to the client independent of the established cryptographically protected communications session are a same symmetric cryptographic key.
  - 13. The system of claim 5, wherein the one or more mitigating actions include digitally signing a denial of the request using a cryptographic key that is independent of the established cryptographically protected communications session.

14. A non-transitory computer-readable storage medium having stored thereon executable instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
- establish a cryptographically protected communications session;
  
  after establishment of the cryptographically protected communications session,determine information usable to distinguish the established cryptographically protected communications session from other cryptographically protected communications session;
  
  digitally sign a request that includes the determined information using a cryptographic key obtained prior to establishment of the cryptographically protected communications session, thereby generating a digital signature; and
  
  transmit the request and the digital signature over the cryptographically protected communications session.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The non-transitory computer-readable storage medium of claim 14, wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to:
    - receive a response to the request and a digital signature;
      
      verify the digital signature using the cryptographic key; and
      
      process the received response dependent on whether the digital signature is verified as valid.
  - 16. The non-transitory computer-readable storage medium of claim 14, wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to:
    - determine information specific to the request;
      
      generate the request to include the determined information specific to the request; and
      
      verify, based at least in part on the determined information specific to the request, whether a received response matches the request.
  - 17. The non-transitory computer-readable storage medium of claim 14, wherein the information usable to distinguish the established cryptographically protected communications session is based at least in part on a secret negotiated as part of a handshake process for establishing the cryptographically protected communications session.
  - 18. The non-transitory computer-readable storage medium of claim 14, wherein:
    - the cryptographically protected communications session is in accordance with a protocol that includes a record protocol and a handshake protocol;
      
      the instructions that cause the computer system to establish the cryptographically protected communications session, when executed by the one or more processors, cause the computer system to perform a handshake process in accordance with the handshake protocol; and
      
      the instructions that cause the computer system to transmit the request and the digital signature over the cryptographically protected communications session, when executed by the one or more processors, cause the computer system to transmit the request and the digital signature in accordance with the record protocol.
  - 19. The non-transitory computer-readable storage medium of claim 14, wherein the information usable to distinguish the established cryptographically protected communications session is determined based at least in part on a digital certificate used to establish the cryptographically protected communications session.
  - 20. The non-transitory computer-readable storage medium of claim 19, wherein the digital certificate is a server digital certificate presented to the computer system during establishment of the cryptographically protected communications session.
  - 21. The non-transitory computer-readable storage medium of claim 19, wherein:
    - the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to;
      
      receive a response to the request and a digital signature;
      
      verify the digital signature using the cryptographic key;
      
      verify whether a parameter of the response matches the information usable to distinguish the established cryptographically protected communications session from other cryptographically protected communications sessions; and
      
      process the received response dependent on whether the digital signature is verified as valid and whether the parameter of the response matches the information usable to distinguish the established cryptographically protected communications session from other cryptographically protected communications sessions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Behm, Bradley Jeffery, Roth, Gregory Branchek, Rubin, Gregory Alan
Primary Examiner(s)
Avery, Jeremiah

Application Number

US14/569,596
Time in Patent Office

1,026 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/1466   Active attacks involving in...

H04L 63/166   at the transport layer

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

Binding digitally signed requests to sessions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

33 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Binding digitally signed requests to sessions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links