Asymmetric session credentials

US 9,900,160 B1
Filed: 12/03/2015
Issued: 02/20/2018
Est. Priority Date: 12/03/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for authenticating resource requests, comprising:

under the control of one or more computer systems configured with executable instructions,receiving, from a device associated with a customer, a first request for a session, the request for the session digitally signed using a long-term key associated with an account of the customer;

validating the first request;

generating a set of session data, the set of session data at least including a public session key corresponding to a private session key, the public session key and the private session key forming a public key cryptography key pair;

encrypting the set of session data to generate a session token, the session token encrypted by a security service using a session encryption key, the session encryption key maintained as a secret by the security service;

providing the session token and the private session key to the device associated with the customer; and

as a result of receiving a request for resources from the device associated with the customer, the request for resources including the session token, the request for resources digitally signed using a digital signature generated from the private session key, at least;

extracting the public session key from the session token using the session encryption key to produce an extracted public session key;

validating the digital signature using the extracted public session key; and

satisfying the request for resources by providing access to one or more resources associated with the request for resources.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for using short-term credentials using asymmetric session keys are described herein. A request for a short-term credential is received that is digitally signed with a different credential. In response to the request, short-term credential data is generated and populated with a public session key corresponding to a private session key. The short-term credential data is then encrypted with a session encryption key to produce the short-term credential token, which can then be used by the requester as a short-term credential for subsequent requests.

Citations

21 Claims

1. A computer-implemented method for authenticating resource requests, comprising:
- under the control of one or more computer systems configured with executable instructions,receiving, from a device associated with a customer, a first request for a session, the request for the session digitally signed using a long-term key associated with an account of the customer;
  
  validating the first request;
  
  generating a set of session data, the set of session data at least including a public session key corresponding to a private session key, the public session key and the private session key forming a public key cryptography key pair;
  
  encrypting the set of session data to generate a session token, the session token encrypted by a security service using a session encryption key, the session encryption key maintained as a secret by the security service;
  
  providing the session token and the private session key to the device associated with the customer; and
  
  as a result of receiving a request for resources from the device associated with the customer, the request for resources including the session token, the request for resources digitally signed using a digital signature generated from the private session key, at least;
  
  extracting the public session key from the session token using the session encryption key to produce an extracted public session key;
  
  validating the digital signature using the extracted public session key; and
  
  satisfying the request for resources by providing access to one or more resources associated with the request for resources.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, wherein the session encryption key is generated by cryptographically combining a global session key with an account key associated with the account of the customer, the global session key provided by the security service.
  - 3. The computer-implemented method of claim 2, wherein the global session key is one of a plurality of global session keys, the plurality of global session keys maintained in a global session keychain, the global session keychain configured to delete each global session key of the plurality of global session keys upon expiration of a corresponding time interval associated with each global session key.
  - 4. The computer-implemented method of claim 1, wherein validating the first request includes determining, based at least in part on an allowed users policy, whether the account of the customer is authorized to receive the session token.

5. A system, comprising:
- memory to store instructions that, if executed by one or more processors of the system, cause the system to;
  
  receive a request for a short-term credential, the request for the short-term credential corresponding to a requester associated with the request, the request for the short-term credential digitally signed by the requester;
  
  generate short-term credential data, the short-term credential data at least specifying a public key that corresponds to a private key, the private key generated based at least in part on a global session key and the public key generated from the private key;
  
  encrypt, using a security service, the short-term credential data to produce the short-term credential, the encryption performed using a session encryption key stored within the security service of the one or more services, the session encryption key maintained as a secret by the security service; and
  
  provide the short-term credential to enable the requester to process a different request, based at least in part on the short-term credential and the private key.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13)
- - 6. The system of claim 5, wherein:
    - the public key is provided by the requester with the request; and
      
      the private key is maintained as a secret by the requester.
  - 7. The system of claim 5, wherein the private key is provided to the requester with the short-term credential.
  - 8. The system of claim 5, wherein the request for the credential is digitally signed using at least one of:
    - a long-term key associated with the requester, a password associated with the requester, a certificate generated by the requester, a short-term credential associated with the requester, or a private key associated with the requester, the private key corresponding to a public key obtainable from the requester.
  - 9. The system of claim 5, wherein the global session key is provided by the security service.
  - 10. The system of claim 5, wherein the private key is generated based at least in part on a long-term key associated with the requester.
  - 11. The system of claim 5, wherein the instructions that, if executed by one or more processors of the system, further cause the system to:
    - receive the different request for access to one or more of the one or more services, the different request for access including the credential;
      
      extract the public key from the credential using the session encryption key to produce an extracted public key;
      
      validate the different request for resources using the extracted public key and the credential; and
      
      satisfy the different request by at least providing access to the one or more of the one or more services.
  - 12. The system of claim 5, wherein the instructions that, if executed by one or more processors of the system, further cause the system to verify that the different request is digitally signed using the private key.
  - 13. The system of claim 5, wherein the instructions that, if executed by one or more processors of the system, further cause the system to:
    - receive the request encrypted using a private key associated with the requester;
      
      obtain a public key corresponding to the private key; and
      
      decrypt the request encrypted using the private key by performing a cryptographic operation using the public key.

14. A set of one or more non-transitory computer-readable storage media having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
- generate a signed request for a session, the signed request digitally signed using a long-term key associated with an account of a customer of the computer system;
  
  receive, in response to the signed request, at least;
  
  a private session key, the private session key associated with a public session key, the public session key being a first key of a public key cryptography key pair and the private session key being a second key of the public key cryptography key pair; and
  
  a session token, the session token including the public session key, the session token encrypted using a session encryption key, the session encryption key maintained as a secret by a security service; and
  
  generate one or more requests using the session token, each request of the one or more requests signed using the private session key.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The set of one or more non-transitory computer-readable storage media of claim 14, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to verify that the one or more requests are digitally signed with the private session key.
  - 16. The set of one or more non-transitory computer-readable storage media of claim 14, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to encrypt the one or more requests using the private session key.
  - 17. The set of one or more non-transitory computer-readable storage media of claim 16, wherein the instructions further comprise instruction that, as a result of being executed by the one or more processors, cause the computer system to decrypt the one or more requests using the public session key.
  - 18. The set of one or more non-transitory computer-readable storage media of claim 14, wherein the session encryption key is generated using elliptic curve cryptography.
  - 19. The set of one or more non-transitory computer-readable storage media of claim 14, wherein the session encryption key is generated by cryptographically combining a global session key and an account key associated with the account of the customer, the global session key provided by the security service.
  - 20. The set of one or more non-transitory computer-readable storage media of claim 19, wherein the instructions further comprise instruction that, as a result of being executed by the one or more processors, cause the computer system to invalidate the session encryption key upon detection of unauthorized access by deleting the global session key.
  - 21. The set of one or more non-transitory computer-readable storage media of claim 19, wherein the instructions further comprise instruction that, as a result of being executed by the one or more processors, cause the computer system to invalidate the session encryption key upon detection of unauthorized access by deleting the account key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Barbour, Marc R., Sedky, Khaled Salah, Mandadi, Srikanth, Praus, Slavka
Primary Examiner(s)
Vaughan, Michael R

Application Number

US14/958,872
Time in Patent Office

810 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0442   wherein the sending and rec...

H04L 63/045   wherein the sending and rec...

H04L 63/062   for key distribution, e.g. ...

H04L 63/068   using time-dependent keys, ...

H04L 63/126   the source of the received ...

H04L 9/0822   using key encryption key

H04L 9/0866   involving user or device id...

H04L 9/0891   Revocation or update of sec...

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

H04L 9/50   using hash chains, e.g. blo...

Asymmetric session credentials

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Asymmetric session credentials

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links