Asymmetric session credentials
First Claim
1. A computer-implemented method for authenticating resource requests, comprising:
under the control of one or more computer systems configured with executable instructions,
receiving, from a device associated with a customer, a first request for a session, the request for the session digitally signed using a long-term key associated with an account of the customer;
validating the first request;
generating a set of session data, the set of session data at least including a public session key corresponding to a private session key, the public session key and the private session key forming a public key cryptography key pair;
encrypting the set of session data to generate a session token, the session token encrypted by a security service using a session encryption key, the session encryption key maintained as a secret by the security service;
providing the session token and the private session key to the device associated with the customer; and
as a result of receiving a request for resources from the device associated with the customer, the request for resources including the session token, the request for resources digitally signed using a digital signature generated from the private session key, at least:
extracting the public session key from the session token using the session encryption key to produce an extracted public session key;
validating the digital signature using the extracted public session key; and
satisfying the request for resources by providing access to one or more resources associated with the request for resources.
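The two halves of claim 1 (issuing the session credential, then authorizing a request that carries it) are easier to follow as running code. The Go program below is an added illustration, not code from the patent or its assignee. It assumes Ed25519 for both the customer's long-term key and the session key pair, and AES-256-GCM for the session encryption key; the claims name no algorithms. Two details are this example's own choices: the sealed session data carries an expiry, and the client's signature covers the session token together with the request body, so that a signature cannot be lifted onto a different token. The session key pair is generated at random here, whereas claim 5 derives the private key from a global session key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// sessionData is what the security service seals into a session token.
// It carries the public session key only; the private key never enters it.
type sessionData struct {
	Account   string `json:"account"`
	PublicKey []byte `json:"pub"`
	Expires   int64  `json:"exp"` // unix seconds; a lifetime added by this example, not recited in the claims
}

// SecurityService holds the session encryption key (as a ready AES-GCM AEAD)
// and the long-term public keys of the accounts it knows. Neither leaves it.
type SecurityService struct {
	aead     cipher.AEAD
	accounts map[string]ed25519.PublicKey
}

// NewSecurityService draws a random 32-byte session encryption key (assumed AES-256-GCM).
func NewSecurityService(accounts map[string]ed25519.PublicKey) (*SecurityService, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SecurityService{aead: aead, accounts: accounts}, nil
}

// RequestSession is the first half of claim 1: check the session request's
// signature under the account's long-term key, generate a session key pair,
// seal the public half into a token (nonce || ciphertext || tag) and return
// the token together with the private session key.
func (s *SecurityService) RequestSession(account string, request, sig []byte, ttl time.Duration) ([]byte, ed25519.PrivateKey, error) {
	ltPub, ok := s.accounts[account]
	if !ok || !ed25519.Verify(ltPub, request, sig) {
		return nil, nil, errors.New("session request: invalid long-term signature")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // random pair; claim 5 derives it from a global session key
	if err != nil {
		return nil, nil, err
	}
	plain, _ := json.Marshal(sessionData{Account: account, PublicKey: pub, Expires: time.Now().Add(ttl).Unix()})
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return s.aead.Seal(nonce, nonce, plain, nil), priv, nil
}

// SignResourceRequest is the client side: the signature binds token and body together.
func SignResourceRequest(priv ed25519.PrivateKey, token, body []byte) []byte {
	return ed25519.Sign(priv, append(append([]byte{}, token...), body...))
}

// AuthorizeRequest is the second half of claim 1: open the token with the
// session encryption key (a tampered token fails the GCM tag check), extract
// the public session key, and validate the request signature with it.
func (s *SecurityService) AuthorizeRequest(token, body, sig []byte, now time.Time) (string, error) {
	n := s.aead.NonceSize()
	if len(token) < n {
		return "", errors.New("session token: too short")
	}
	plain, err := s.aead.Open(nil, token[:n], token[n:], nil)
	if err != nil {
		return "", errors.New("session token: decryption failed")
	}
	var sd sessionData
	if err := json.Unmarshal(plain, &sd); err != nil {
		return "", err
	}
	if now.Unix() > sd.Expires {
		return "", errors.New("session token: expired")
	}
	msg := append(append([]byte{}, token...), body...)
	if len(sd.PublicKey) != ed25519.PublicKeySize || !ed25519.Verify(ed25519.PublicKey(sd.PublicKey), msg, sig) {
		return "", errors.New("resource request: invalid session signature")
	}
	return sd.Account, nil
}

func main() {
	ltPub, ltPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed customer long-term key
	svc, _ := NewSecurityService(map[string]ed25519.PublicKey{"alice": ltPub})
	req := []byte("CreateSession")
	token, sessPriv, err := svc.RequestSession("alice", req, ed25519.Sign(ltPriv, req), time.Hour)
	if err != nil {
		panic(err)
	}
	body := []byte("GET /resource/42")
	acct, err := svc.AuthorizeRequest(token, body, SignResourceRequest(sessPriv, token, body), time.Now())
	fmt.Println("account:", acct, "err:", err)
}
```

The point of the design is visible in AuthorizeRequest: the resource service needs only the session encryption key to recover the public session key, so it never stores per-session state, and because the token holds the public half only, a leaked token cannot be used to sign anything; the private session key is held solely by the customer's device.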
Abstract
Techniques for using short-term credentials using asymmetric session keys are described herein. A request for a short-term credential is received that is digitally signed with a different credential. In response to the request, short-term credential data is generated and populated with a public session key corresponding to a private session key. The short-term credential data is then encrypted with a session encryption key to produce the short-term credential token, which can then be used by the requester as a short-term credential for subsequent requests.
21 Claims
1. (Independent method claim, set out in full above under First Claim.) Dependent claims: 2, 3, 4.
5. A system, comprising:
memory to store instructions that, if executed by one or more processors of the system, cause the system to:
receive a request for a short-term credential, the request for the short-term credential corresponding to a requester associated with the request, the request for the short-term credential digitally signed by the requester;
generate short-term credential data, the short-term credential data at least specifying a public key that corresponds to a private key, the private key generated based at least in part on a global session key and the public key generated from the private key;
encrypt, using a security service, the short-term credential data to produce the short-term credential, the encryption performed using a session encryption key stored within the security service of the one or more services, the session encryption key maintained as a secret by the security service; and
provide the short-term credential to enable the requester to process a different request, based at least in part on the short-term credential and the private key.
Dependent claims: 6, 7, 8, 9, 10, 11, 12, 13.
14. A set of one or more non-transitory computer-readable storage media having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
generate a signed request for a session, the signed request digitally signed using a long-term key associated with an account of a customer of the computer system;
receive, in response to the signed request, at least:
a private session key, the private session key associated with a public session key, the public session key being a first key of a public key cryptography key pair and the private session key being a second key of the public key cryptography key pair; and
a session token, the session token including the public session key, the session token encrypted using a session encryption key, the session encryption key maintained as a secret by a security service; and
generate one or more requests using the session token, each request of the one or more requests signed using the private session key.
Dependent claims: 15, 16, 17, 18, 19, 20, 21.