Epoch-based management of security credentials

US 9,847,983 B1
Filed: 04/29/2014
Issued: 12/19/2017
Est. Priority Date: 04/29/2014
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable storage medium having computer-executable instructions stored thereupon which, when executed by a credential system, cause the credential system to:

generate a temporary security credential, the temporary security credential specifying an epoch identifier and a version of the epoch identifier, the temporary security credentials valid while the version of the epoch identifier matches a current version for the epoch identifier;

send the temporary security credential to an electronic device; and

after sending the temporary security credential to the electronic device, send, to an epoch system, a request to change a previous version for the epoch identifier that is stored by the epoch system to the current version for the epoch identifier.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technologies are disclosed herein for epoch-based expiration of temporary security credentials. A temporary security credential is issued that identifies one or more epochs and that specifies one or more versions of the identified epochs during which the temporary security credential is valid. The temporary security credential may then be utilized to request access to another system, service or component. In order to determine whether such a request may be granted, current epoch versions for the epochs identified in the temporary security credential are obtained. The current epoch versions for the identified epochs are then compared to epoch versions specified in the temporary security credential to determine if the request can be granted. The current epoch versions may be periodically modified in order to expire previously issued temporary security credentials. A temporary security credential might also specify an expiration time after which the temporary security credential is no longer valid.

Citations

20 Claims

1. A non-transitory computer-readable storage medium having computer-executable instructions stored thereupon which, when executed by a credential system, cause the credential system to:
- generate a temporary security credential, the temporary security credential specifying an epoch identifier and a version of the epoch identifier, the temporary security credentials valid while the version of the epoch identifier matches a current version for the epoch identifier;
  
  send the temporary security credential to an electronic device; and
  
  after sending the temporary security credential to the electronic device, send, to an epoch system, a request to change a previous version for the epoch identifier that is stored by the epoch system to the current version for the epoch identifier.
- View Dependent Claims (2, 3, 4, 5, 19)
- - 2. The non-transitory computer-readable storage medium of claim 1, wherein the temporary security credential is validated based, at least in part, on the current version of the epoch identifier specified in the temporary security credential and the current version for the epoch as stored by the epoch system.
  - 3. The non-transitory computer-readable storage medium of claim 1, wherein the current version for the epoch is made available by way of one or more of a network service, a database, or a broadcast.
  - 4. The non-transitory computer-readable storage medium of claim 1, wherein the epoch identifier is associated with a geographic region, an availability zone, a role, an identity corresponding to the temporary security credential, the credential system, a virtual machine instance, or a customer account.
  - 5. The non-transitory computer-readable storage medium of claim 1, wherein the temporary security credential further specifies an expiration time after which the temporary security credential is invalid.
  - 19. The non-transitory computer-readable storage medium of claim 1, further storing instructions which, when executed by the credential system, cause the credential system to:
    - generate a new temporary security credential, the new temporary security credential specifying the epoch identifier and a new version of the epoch identifier;
      
      send the new temporary security credential to the electronic device; and
      
      after sending the new temporary security credential to the electronic device, send, to the epoch system, an additional request to change the current epoch identifier that is stored by the ebock system to the new version of the epoch identifier.

6. A system for managing a lifetime of a temporary security credential, the system comprising:
- at least one computer system executing a credential service configured to generate a temporary security credential, the temporary security credential identifying an epoch and a version of the epoch; and
  
  at least one computer system executing a called service configured to;
  
  receive, from a host computer system, information based, at least in part, on a service request that includes the temporary security credential;
  
  send, to at least one computer system executing an epoch service, a request for a current version for the epoch;
  
  receive, from the at least one computer system executing the epoch service, an indication of the current version for the epoch; and
  
  determine to grant the service request based, at least in part, on the version of the epoch identified in the temporary security credential and the current version for the epoch.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 20)
- - 7. The system of claim 6, further comprising the at least one computer system executing the epoch service configured to send the indication of the current version for the epoch to the at least one computer system executing the called service.
  - 8. The system of claim 6, wherein the at least one computer system executing the credential service is further configured to generate a new temporary security credential, the new temporary security credential identifying the epoch and a new version of the epoch during which the new temporary security credential is valid.
  - 9. The system of claim 6, wherein the host computer system is configured to obtain the temporary security credential and to generate the service request using the temporary security credential, and wherein the at least one computer system executing the credential service is further configured to:
    - provide a new temporary security credential to the host computer; and
      
      modify the current version for the epoch to include a new version once the new temporary security credential has been distributed to the host computer.
  - 10. The system of claim 9, wherein the host computer is operating in a service provider environment.
  - 11. The system of claim 6, wherein the epoch is associated with a geographic region, an identity corresponding to the temporary security credential, availability zone, a role, the credential service, the host computer system, or a customer account.
  - 12. The system of claim 6, wherein the at least one computer system executing the credential service is further configured send a request to the at least one computer system executing the epoch service, and wherein the at least one computer system executing the epoch service is further configured to modify the current version for the epoch to include the new version of the epoch in response to receiving the request from the at least one computer system executing the credential service.
  - 13. The system of claim 12, wherein the at least one computer system executing the epoch service is further configured to expose an application programming interface for modifying an epoch version.
  - 20. The system of claim 6, further comprising the at least one computer system executing the epoch service configured to:
    - store a previous version for the epoch identifier;
      
      receive, from the at least one computer system executing the credential service, a request to modify the previous version for the epoch identifier to the current version for the epoch identifier; and
      
      modify the previous version for the epoch identifier to the current version for the epoch identifier.

14. A computer-implemented method for managing a lifetime of a temporary security credential, the method comprising:
- receiving, at a computing system, and from a host computing system, a first request that includes the temporary security credential, the temporary security credential associated with at least an epoch identifier and at least an epoch version of the epoch identifier;
  
  sending, by the computing system, and to an epoch system, a second request for a current version for the epoch identifier;
  
  receiving, at the computing system, and from the epoch system, a message indicating the current version for the epoch identifier;
  
  determining, at the computing system, that the epoch version of the epoch identifier corresponds to the current version for the epoch identifier; and
  
  determining, at the computing system, to grant the first request based, at least in part, on the epoch version of the epoch identifier corresponding to the current version for the epoch identifier.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The computer-implemented method of claim 14, wherein the temporary security credential further defines an expiration time after which the temporary security credential is invalid, and wherein the method further comprises determining to grant the first request based, at least in part, on the expiration time specified in the temporary security credential.
  - 16. The computer-implemented method of claim 14, wherein the epoch version of the epoch identifier associated with the temporary security credential is modified in order to invalidate the temporary security credential.
  - 17. The computer-implemented method of claim 14, wherein the epoch identifier associated with the temporary security credential is associated with a geographic region, an availability zone, a role, a service configured to generate the temporary security credential, a virtual machine instance, or a customer account.
  - 18. The computer-implemented method of claim 14, further comprising operating the computing system within a service provider environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Farley, Benjamin Tillman, Baer, Graeme David
Primary Examiner(s)
Brown, Anthony
Assistant Examiner(s)
Corum, Jr., William

Application Number

US14/264,897
Time in Patent Office

1,330 Days
Field of Search

726 6
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/068   using time-dependent keys, ...

H04L 63/08   for authentication of entit...

H04W 12/63   Location-dependent; Proximi...

Epoch-based management of security credentials

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Epoch-based management of security credentials

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links