Unified management of cryptographic keys using virtual keys and referrals

US 9,887,836 B1
Filed: 09/26/2014
Issued: 02/06/2018
Est. Priority Date: 09/26/2014
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

memory to store executable instructions that, if executed by one or more hardware processors, cause at least one computing device to;

receive, from a client, a request for a data key, the request specifying a key identifier;

select, based at least in part on the key identifier, a key from a set of keys managed for an entity associated with the client, the set of keys includinga subset of virtual keys, the subset of virtual keys being associated with a set of cryptographic keys that is inaccessible to the at least one computing device and managed by different computing device; and

provide, based at least in part on the key being a member of the subset of virtual keys, a cryptographic configuration and a reference to the different computing device, the reference includinginformation usable to cause the different computing device to provide the data key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cryptography service allows for management of cryptographic keys in multiple environments. The service allows for specification of policies applicable to cryptographic keys, such as what cryptographic algorithms should be used in which contexts. In some contexts, the cryptography service, upon receiving a request for a key, provides a referral to another system to obtain the key.

Citations

21 Claims

1. A system, comprising:
- memory to store executable instructions that, if executed by one or more hardware processors, cause at least one computing device to;
  
  receive, from a client, a request for a data key, the request specifying a key identifier;
  
  select, based at least in part on the key identifier, a key from a set of keys managed for an entity associated with the client, the set of keys includinga subset of virtual keys, the subset of virtual keys being associated with a set of cryptographic keys that is inaccessible to the at least one computing device and managed by different computing device; and
  
  provide, based at least in part on the key being a member of the subset of virtual keys, a cryptographic configuration and a reference to the different computing device, the reference includinginformation usable to cause the different computing device to provide the data key.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, wherein the executable instructions further cause the at least one computing device to:
    - receive an application programming interface request to add a second key to the subset of virtual keys; and
      
      fulfill the application programming interface request by at least associating an identifier for the second key with a second reference to the different computing device.
  - 3. The system of claim 1, wherein:
    - the request for the data key specifies one or more capabilities of the client; and
      
      the executable instructions further cause the at least one computing device to select the cryptographic configuration to match the one or more capabilities of the client.
  - 4. The system of claim 1, wherein the reference comprises information usable by the client to determine credentials usable to cause the different computing device to provide the data key.
  - 5. The system of claim 1, wherein:
    - the executable instructions further cause the computer system to determine, based at least in part on the key identifier, a cryptographic configuration that specifies a cryptographic algorithm to be used; and
      
      the system further comprises the client, wherein the client is configured to;
      
      generate the request;
      
      receive the cryptographic configuration;
      
      obtain, using the cryptographic configuration, the data key from the different computing device; and
      
      use the data key to perform the cryptographic algorithm.

6. A computer-implemented method, comprising:
- receiving, at computer system, a request for a key, the request indicating a set of cryptographic algorithms and a key identifier of a key stored by the computer system;
  
  selecting, based at least in part on the key identifier and the set of cryptographic algorithms, a cryptographic algorithm; and
  
  providing a response to the request that comprises the key and indicates the cryptographic algorithm.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14)
- - 7. The computer-implemented method of claim 6, further comprising:
    - receiving a second request for a second key, the second request specifying a second key identifier different from the key identifier; and
      
      providing a response to the request that includes a referral to a computing device, different from the computer system, operable to provide the second key.
  - 8. The computer-implemented method of claim 6, wherein:
    - the method further comprises encrypting the key using a cryptographic key identified by the key identifier, to generate an encrypted data key; and
      
      the response further comprises the encrypted data key.
  - 9. The computer-implemented method of claim 6, further comprising selecting the key identified by the key identifier from a set of cryptographic keys that comprises a subset of cryptographic keys inaccessible to the computer systems.
  - 10. The computer-implemented method of claim 6, wherein:
    - the request for the key comprises an encryption context;
      
      the method further comprises obtaining an encrypted data key by at least causing the key to be encrypted using a cryptographic key identified by the key identifier and an authenticated mode of an encryption algorithm, with additional authenticated data for the authenticated mode of the encryption algorithm being based at least in part on the encryption context; and
      
      the response further comprises the encrypted data key.
  - 11. The computer-implemented method of claim 10, further comprising selecting the cryptographic algorithm further based at least in part on the encryption context.
  - 12. The computer-implemented method of claim 10, wherein the encryption context specifies information about data to be encrypted using the key.
  - 13. The computer-implemented method of claim 6, wherein:
    - the request is received from a requestor and specifies one or more capabilities of the requestor; and
      
      the method further comprises selecting the cryptographic algorithm further based at least in part on the one or more capabilities.
  - 14. The computer-implemented method of claim 13, further comprising selecting the cryptographic algorithm further based at least in part on a ranking of cryptographic algorithms that is associated with the key identifier.

15. A non-transitory computer-readable storage medium to store executable instructions that, if executed by one or more processors of a computer system, cause the computer system to at least:
- receive, from a first computing device, a response to a first request, the first request specifying a key identifier;
  
  determine that the response indicates a referral to a second computing device; and
  
  transmit a second request to the second computing device to obtain a key.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The non-transitory computer-readable storage medium of claim 15, wherein the executable instructions further include instructions that cause the computer system to:
    - receive, from the first computing device, another response to a third request specifying another key identifier;
      
      determine that the other response includes another key; and
      
      use the other key to encrypt data.
  - 17. The non-transitory computer-readable storage medium of claim 15, wherein executable instructions further include instructions that cause the computer system to:
    - receive, from the first computing device, another response to a third request specifying another key identifier;
      
      determine that the other response includes another key and an encrypted data key encrypted under a cryptographic key identified by the other key identifier;
      
      encrypt data to produce encrypted data; and
      
      associate the encrypted data with the encrypted data key.
  - 18. The non-transitory computer-readable storage medium of claim 15, wherein the second computing device is accessible over a private network that includes the computer system.
  - 19. The non-transitory computer-readable storage medium of claim 15, wherein the second computing device is a hardware security module.
  - 20. The non-transitory computer-readable storage medium of claim 15, wherein:
    - the response specifies a cryptographic algorithm; and
      
      as a result of the response specifying the cryptographic algorithm, the executable instructions further include executable instructions that cause the computer system to encrypt data using the key and the cryptographic algorithm.
  - 21. The non-transitory computer-readable storage medium of claim 15, wherein:
    - the response further includes information sufficient to determine credentials for obtaining the key from the second computing device; and
      
      the executable instructions further include instructions that cause the computer system to;
      
      determine the credentials based at least in part on the information; and
      
      obtain, based at least in part on the credentials, the key from the second computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Getachew, Abiy

Application Number

US14/498,732
Time in Patent Office

1,229 Days
Field of Search

380 44
US Class Current
CPC Class Codes

H04L 2209/24   Key scheduling, i.e. genera...

H04L 9/0822   using key encryption key

H04L 9/0861   Generation of secret inform...

H04L 9/088   Usage controlling of secret...

H04L 9/0897   involving additional device...

Unified management of cryptographic keys using virtual keys and referrals

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Unified management of cryptographic keys using virtual keys and referrals

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links