Parameter based key derivation

US 9,954,866 B2
Filed: 09/25/2015
Issued: 04/24/2018
Est. Priority Date: 09/29/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving a delegation request from a first entity, fulfilment of which involves granting a second entity an access privilege to a computing resource;

generating a session key based at least in part on;

(a) an encoding of a restriction that indicates a limitation on access to be granted to the second entity; and

(b) a secret credential shared with the first entity;

providing the session key to the first entity;

receiving, from the second entity, an access request to access the computing resource, the access request including information that indicates access to the session key;

validating the access request based at least in part on the session key; and

granting, to the second entity, access to the computing resource subject to the restriction.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A delegation request is submitted to a session-based authentication service, fulfilment of which involves granting an entity an access privilege to a computing resource. A session key is received from the session-based authentication service. The session key having been generated based at least in part on a restriction and a secret credential shared with the session-based authentication service and usable at least in part to prove possession of the access privilege to the computing resource. The session key is provided to the entity without providing the shared secret credential.

Citations

20 Claims

1. A computer-implemented method, comprising:
- receiving a delegation request from a first entity, fulfilment of which involves granting a second entity an access privilege to a computing resource;
  
  generating a session key based at least in part on;
  
  (a) an encoding of a restriction that indicates a limitation on access to be granted to the second entity; and
  
  (b) a secret credential shared with the first entity;
  
  providing the session key to the first entity;
  
  receiving, from the second entity, an access request to access the computing resource, the access request including information that indicates access to the session key;
  
  validating the access request based at least in part on the session key; and
  
  granting, to the second entity, access to the computing resource subject to the restriction.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, wherein the restriction corresponds to an identity of a key zone of a plurality of key zones.
  - 3. The computer-implemented method of claim 1, wherein:
    - the delegation request includes an identity of the entity for which the session key is to be generated; and
      
      the restriction is based at least in part on the identity of the entity.
  - 4. The computer-implemented method of claim 1, wherein the restriction corresponds to a restriction on a permitted action.
  - 5. The computer-implemented method of claim 1, wherein:
    - the access request further includes the encoding of the restriction provided by the first entity; and
      
      validating the access request includes validating that the session key was generated based at least in part on the encoding of the restriction included in the access request.
  - 6. The computer-implemented method of claim 1, wherein the restriction corresponds to a limit on an amount of time the session key is valid.

7. A system, comprising:
- one or more processors; and
  
  memory including instructions that, when executed by the one or more processors, cause the system to;
  
  receive a delegation request from a first entity, fulfilment of which involves granting a second entity an access privilege to a computing resource;
  
  in response to receipt of the delegation request;
  
  generate a session key, based at least in part on a secret credential, shared between the first entity and the one or more computer systems, and an encoding of a session restriction through a cryptographic hash algorithm, the session restriction indicating a limitation on access to be granted to the second entity; and
  
  provide the session key to the first entity;
  
  receive an access request from the second entity to access the computing resource, the access request associated with the session key; and
  
  in response to receipt of the access request;
  
  validate the access request based at least in part on the encoding of the session key; and
  
  grant, to the second entity, access to the computing resource subject to the session restriction.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 8. The system of claim 7, wherein the instructions that validate the access request include instructions that cause the system to validate whether the request complies with the session restriction.
  - 9. The system of claim 7, wherein the access request is a first access request and the instructions include further instructions that cause the system to:
    - receive a second access request from a third entity to access the computing resource, the second access request associated with the session key; and
      
      in response to receipt of the second access request;
      
      validate the second access request based at least in part on the encoding of the session key; and
      
      grant, to the third entity, access to the computing resource subject to the session restriction.
  - 10. The system of claim 7, further comprising the first entity, wherein the first entity comprises one or more computer systems configured with first instructions that, when executed by the one or more computer systems, causes the one or more computer systems to, as a result of receiving the session key, provide the session key to the second entity without providing the secret credential to the second entity.
  - 11. The system of claim 10, wherein the first instructions that provide the session key to the second entity include instructions that cause the one or more computer systems to provide information, usable by the second entity to obtain the session key, to an electronic destination accessible to the second entity.
  - 12. The system of claim 11, wherein the electronic destination is an e-mail address.
  - 13. The system of claim 7, wherein the instructions that cause the system to validate the access request, include instructions that cause the system to apply the cryptographic hash algorithm both to a first set of inputs and a second set of inputs, wherein:
    - the first set of inputs include the secret credential, the access request, and the encoding of the session restriction; and
      
      the second set of inputs include the session key and the access request.
  - 14. The system of claim 13, wherein the cryptographic hash algorithm is a hash-based message authentication code function.
  - 15. The system of claim 7, wherein the access request is associated with the session key by providing a digital signature with the access request generated using the session key.
  - 16. The system of claim 15, wherein the instructions that cause the system to validate the access request, include instructions that cause the system to:
    - apply the cryptographic hash algorithm to the secret credential, the access request, and the encoding of the session restriction to obtain a hash result; and
      
      compare the hash result to the digital signature.

17. A non-transitory computer-readable storage medium having stored thereon executable instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
- receive a first request from a first entity, fulfilment of which involving granting a second entity an access privilege to a computing resource;
  
  generate a session key based at least in part on an encoding of a restriction and a secret credential shared between the first entity and the computer system, the restriction indicating a limitation on access to be granted to the second entity;
  
  provide the session key, usable at least in part to prove possession of an access privilege to a computing resource, to the first entity;
  
  receive a second request to access the computing resource, fulfilment of which involves providing a second entity access to the computing resource, the second request associated with the session key;
  
  validate the second request based at least in part on the session key; and
  
  fulfill the second request by providing access, subject to the restriction, to the computing resource depending at least in part on validation of the session key.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer-readable storage medium of claim 17, wherein the executable instructions that cause the computer system to fulfill the second request include executable instructions that cause the computer system to fulfill the second request without providing the second entity access to the secret credential.
  - 19. The non-transitory computer-readable storage medium of claim 17, wherein the executable instructions further include executable instructions that cause the computer system to:
    - receive a third request to access the computing resource, fulfilment of which involves providing a third entity access to the computing resource, the third request associated with the session key;
      
      validate the third request based at least in part on the session key; and
      
      fulfill the third request by providing access to the computing resource depending at least in part on validation of the session key.
  - 20. The non-transitory computer-readable storage medium of claim 17, wherein:
    - the second request includes a digital signature generated using the session key; and
      
      validating the second request further includes validating authenticity of the digital signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Brandwine, Eric Jason, Fitch, Nathan R., Ilac, Cristian M., Crahen, Eric D.
Primary Examiner(s)
Tran, Ellen

Application Number

US14/866,673
Publication Number

US 20160021118A1
Time in Patent Office

942 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 2221/2137   Time limited access, e.g. t...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 9/083   involving central third par...

H04L 9/0861   Generation of secret inform...

H04L 9/088   Usage controlling of secret...

H04L 9/32   including means for verifyi...

H04L 9/3242   involving keyed hash functi...

H04L 9/3247   involving digital signatures

H04L 9/50   using hash chains, e.g. blo...

Parameter based key derivation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Parameter based key derivation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links