Envelope-based encryption method

US 9,973,481 B1
Filed: 06/16/2015
Issued: 05/15/2018
Est. Priority Date: 06/16/2015
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

one or more processors; and

memory that stores computer-executable instructions that, as a result of being executed, cause the system to;

receive, in a request, an envelope from a client, the envelope including;

a data encryption key reference; and

data encrypted with a data encryption key;

provide the data encryption key reference to a server;

receive, from the server, in accordance with a set of access controls maintained by the server, an encrypted data encryption key that is associated with the data encryption key reference;

decrypt the encrypted data encryption key with a key encrypting key to produce the data encryption key;

on a condition that a trust score for the client is of an amount relative to a threshold value that indicates to trust the client, provide the data to the client in response to the request in unencrypted form decrypted using the data encryption key; and

on a condition that the trust score for the client is of an amount relative to the threshold value that indicates a lack of trust in the client provide the data to the client in encrypted form.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present document describes systems and methods that, in some situations, improve data security. In one embodiment, communications between a client and a server are encrypted using an envelope-based encryption scheme. The envelope includes: a data encryption key reference; and data encrypted with a corresponding data encryption key. A data encryption key server maintains a collection of data encryption keys that are accessible using corresponding data encryption key references. In another embodiment, a storage server maintains stored data using the envelope-based encryption scheme. The stored data is made available to particular clients in encrypted or plaintext form based at least in part on a trust score determined for each client'"'"'s request. In yet another embodiment, as a result of a secure transport handshake, a client is provided with a pluggable cipher suite.

38 Citations

View as Search Results

20 Claims

1. A system, comprising:
- one or more processors; and
  
  memory that stores computer-executable instructions that, as a result of being executed, cause the system to;
  
  receive, in a request, an envelope from a client, the envelope including;
  
  a data encryption key reference; and
  
  data encrypted with a data encryption key;
  
  provide the data encryption key reference to a server;
  
  receive, from the server, in accordance with a set of access controls maintained by the server, an encrypted data encryption key that is associated with the data encryption key reference;
  
  decrypt the encrypted data encryption key with a key encrypting key to produce the data encryption key;
  
  on a condition that a trust score for the client is of an amount relative to a threshold value that indicates to trust the client, provide the data to the client in response to the request in unencrypted form decrypted using the data encryption key; and
  
  on a condition that the trust score for the client is of an amount relative to the threshold value that indicates a lack of trust in the client provide the data to the client in encrypted form.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein:
    - the data encryption key reference is encrypted; and
      
      the computer-executable instructions include instructions that further cause the system to decrypt the data encryption key reference with the key encrypting key.
  - 3. The system of claim 1, wherein the computer-executable instructions include instructions that further cause the system to:
    - receive a second envelope from the client, the second envelope including a second instance of the data encryption key reference and a second data encrypted with the data encryption key;
      
      determine that the second instance of the data encryption key reference references the data encryption key; and
      
      decrypt the second data with the data encryption key.
  - 4. The system of claim 1, wherein the key encrypting key is a public key of a public-private key pair.
  - 5. The system of claim 1, wherein the computer-executable instructions that cause the system to provide the data include instructions that cause the system to determine the trust score for the client.
  - 6. The system of claim 5, wherein:
    - the computer-executable instructions further include instructions that cause the system to receive credentials from the client; and
      
      the computer-executable instructions that cause the system to determine the trust score include instructions that cause the system to determine the trust score based at least in part on the credentials received.
  - 7. The system of claim 5, wherein the trust score is based at least in part on a network address of the client and a set of trusted network addresses.

8. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of execution by one or more processors of a computer system, cause the computer system to at least:
- receive a request from a client, the request including a data encryption key reference and data encrypted with a data encryption key;
  
  provide the data encryption key reference to a server;
  
  receive, from the server, in accordance with a set of access controls maintained by the server, a data encryption key that is associated with the data encryption key reference; and
  
  on a condition that a trust score is of an amount relative to a threshold value that indicates to trust the client, provide the data to the client in response to the request in unencrypted form decrypted using the data encryption key; and
  
  on a condition that the trust score is of an amount relative to the threshold value that indicates a lack of trust in the client, provide the data to the client in encrypted form.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The non-transitory computer-readable storage medium of claim 8, wherein the data encryption key reference is a pre-signed URI that expires after an amount of time.
  - 10. The non-transitory computer-readable storage medium of claim 8, wherein the data encryption key reference is an index to a key management system.
  - 11. The non-transitory computer-readable storage medium of claim 8, wherein:
    - the data encryption key is encrypted; and
      
      the executable instructions further comprise instructions that cause the computer system to decrypt the data encryption key with a key encrypting key.
  - 12. The non-transitory computer-readable storage medium of claim 11, wherein the key encrypting key is a shared-secret cryptographic key.
  - 13. The non-transitory computer-readable storage medium of claim 11, wherein the executable instructions further comprise instructions that cause the computer system to:
    - indicate, to the server, that the key encrypting key is potentially compromised; and
      
      receive a new key encrypting key from the server.
  - 14. The non-transitory computer-readable storage medium of claim 8, wherein the executable instructions that cause the computer system to provide the data comprise instructions that cause the computer system to determine the trust score for the client.
  - 15. The non-transitory computer-readable storage medium of claim 14, wherein the executable instructions that provide the response to the client in encrypted form include instructions that cause the computer system to:
    - generate a response data encryption key;
      
      encrypt the response with the response data encryption key to produce an encrypted response message;
      
      provide the response data encryption key to the server;
      
      receive a response data encryption key reference from the server; and
      
      provide the response data encryption key reference and the encrypted response message to the client.

16. A computer-implemented method, comprising:
- receiving, in a request, an envelope from a client, the envelope including;
  
  a data encryption key reference; and
  
  data encrypted with a data encryption key;
  
  providing the data encryption key reference to a server;
  
  receiving, from the server, in accordance with a set of access controls maintained by the server, an encrypted data encryption key that is associated with the data encryption key reference;
  
  decrypting the encrypted data encryption key with a key encrypting key to produce the data encryption key; and
  
  providing the data in accordance with a trust score by;
  
  on a condition that a trust score for the client is of an amount relative to a threshold value that indicates to trust the client, provide the data to the client in response to the request in unencrypted form decrypted using the data encryption key; and
  
  on a condition that the trust score for the client is of an amount relative to the threshold value that indicates a lack of trust in the client, provide the data to the client in encrypted form.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer-implemented method of claim 16, wherein the data encryption key reference is a pre-signed Uniform Resource Identifier that includes security credentials usable to gain access to the data encryption key stored on the server for a limited amount of time.
  - 18. The computer-implemented method of claim 16, further comprising, prior to receiving the envelope from the client:
    - generating the data encryption key;
      
      encrypting a message with the data encryption key;
      
      encrypting the data encryption key with a key encrypting key;
      
      storing the encrypted data encryption key to be accessible via the server;
      
      determining, as a result of storing the encrypted data encryption key, the data encryption key reference usable to retrieve the data encryption key from the server;
      
      creating the envelope that includes the message encrypted and the data encryption key reference; and
      
      transmitting the envelope to a recipient.
  - 19. The computer-implemented method of claim 18, wherein generating a data encryption key is accomplished at least in part by receiving the data encryption key from the server.
  - 20. The computer-implemented method of claim 18, wherein:
    - the method further comprises encrypting the data encryption key reference with the key encrypting key; and
      
      the data encryption key reference that is included in the envelope is encrypted with the key encrypting key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Sharifi Mehr, Nima
Primary Examiner(s)
Parsons, Theodore C
Assistant Examiner(s)
De Jesus Lassala, Carlos M

Application Number

US14/741,374
Time in Patent Office

1,064 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/062   applying encryption of the ...

H04L 63/045   wherein the sending and rec...

H04L 63/062   for key distribution, e.g. ...

H04L 63/10   for controlling access to d...

H04L 63/168   above the transport layer

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

Envelope-based encryption method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

38 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Envelope-based encryption method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links