Trusted data verification

US 10,181,953 B1
Filed: 09/16/2013
Issued: 01/15/2019
Est. Priority Date: 09/16/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

reading, by one or more computer systems from persistent data storage, data and an electronic signature, the electronic signature having been generated based at least in part on;

the data; and

first secret information shared between a first entity and a verification system, the first secret information being;

derived from second secret information that indicates a scope of use of the first secret information, the scope of use comprising one or more computing operations allowed to be taken using the first secret information; and

inaccessible to the one or more computer systems;

submitting, over a network to the verification system, a request to verify the electronic signature, the request including the data and the electronic signature;

obtaining, from the verification system, a response to the request that includes an indication whether the verification system attests to validity of the electronic signature, the indication being dependent at least in part on whether the electronic signature is verifiable as being within the scope of use indicated by the second secret information; and

performing the one or more computing operations using the first secret information dependent on the indication.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Electronically signed data is persistently stored in data storage. After the passage of time, the data may be accessed and presented to a trusted entity for verification of the data. The trusted entity may have access to secret information used to sign the data. The trusted entity may use the secret information to verify an electronic signature of the data. One or more actions may be taken based at least in part on a response provided by the verification system.

237 Citations

29 Claims

1. A computer-implemented method, comprising:
- reading, by one or more computer systems from persistent data storage, data and an electronic signature, the electronic signature having been generated based at least in part on;
  
  the data; and
  
  first secret information shared between a first entity and a verification system, the first secret information being;
  
  derived from second secret information that indicates a scope of use of the first secret information, the scope of use comprising one or more computing operations allowed to be taken using the first secret information; and
  
  inaccessible to the one or more computer systems;
  
  submitting, over a network to the verification system, a request to verify the electronic signature, the request including the data and the electronic signature;
  
  obtaining, from the verification system, a response to the request that includes an indication whether the verification system attests to validity of the electronic signature, the indication being dependent at least in part on whether the electronic signature is verifiable as being within the scope of use indicated by the second secret information; and
  
  performing the one or more computing operations using the first secret information dependent on the indication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-implemented method of claim 1, wherein reading the data and the electronic signature includes obtaining the data and the electronic signature from another computer system different from the one or more computer systems.
  - 3. The computer-implemented method of claim 2, wherein the electronic signature was generated by the other computer system.
  - 4. The computer-implemented method of claim 1, wherein the electronic signature was generated using one or more symmetric cryptographic primitives.
  - 5. The computer-implemented method of claim 1, wherein:
    - the persistent data storage is a component of a database; and
      
      reading the data includes querying the database.
  - 6. The computer-implemented method of claim 1, wherein:
    - the data and electronic signature includes metadata with information associated with at least one of the data or an entity requesting to verify the electronic signature; and
      
      the verification system is configured to determine, based at least in part on the metadata, how to construct the response.
  - 7. The computer-implemented method of claim 1, wherein the request is a first request:
    - the response to the first request indicates that the verification system attests to validity of the electronic signature; and
      
      the method further comprises;
      
      transmitting, over the network, a second request to verify the electronic signature;
      
      obtaining, from the verification system, a response to the second request that lacks an attestation of validity of the electronic signature; and
      
      performing one or more second computing operations, different from the one or more computing operations, as a result of the response to the second request lacking the attestation.
  - 8. The computer-implemented method of claim 1, wherein the response obtained includes information usable to determine at least one of:
    - an identity of a signor that generated the electronic signature, orone or more restraints on use of the data.
  - 9. The computer-implemented method of claim 1, wherein:
    - the response to the request includes information about a context of generation of the electronic signature; and
      
      the one or more computing operations are dependent on the information about the context.
  - 10. The computer-implemented method of claim 1, wherein:
    - the network is a virtual network implemented by a hypervisor; and
      
      the verification system is implemented in a virtual machine running on said hypervisor.

11. A system, comprising:
- memory to store executable instructions that, as a result of being executed by one or more processors, cause the system to;
  
  obtain secret information and one or more conditions comprising one or more actions that are allowed to be taken using the secret information;
  
  obtain, from a first requestor, a first request to verify an electronic signature that was generated based at least in part on the secret information;
  
  provide a first response to the first request with a first attestation about whether the electronic signature indicates authenticity of data, the first request including information indicative of satisfying the one or more conditions;
  
  obtain, from a second requestor, a second request to verify the electronic signature; and
  
  provide a second response to the second request with a second attestation about whether the electronic signature indicates authenticity of the data, the second attestation providing a different indication of authenticity of the data than the first attestation.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 12. The system of claim 11, wherein the first response and the second response have different amounts of information about the electronic signature as a result of one or more policies.
  - 13. The system of claim 11, wherein the executable instructions further cause the system to make the secret information publicly available after an amount of time.
  - 14. The system of claim 13, wherein:
    - the executable instructions further cause the system to implement a hypervisor and a client domain of the hypervisor; and
      
      at least one of the first request or second request originates from the client domain of the hypervisor.
  - 15. The system of claim 11, wherein the electronic signature was generated by the first requestor or second requestor.
  - 16. The system of claim 11, wherein the executable instructions are configured such that an occurrence of one or more specified events between generation of the electronic signature and receipt of the first request causes the first response to lack an indication that the electronic signature is valid.
  - 17. The system of claim 11, wherein:
    - the first request includes an identifier of the secret information; and
      
      the executable instructions further cause the system to select the secret information from other secret information based at least in part on the identifier.
  - 18. The system of claim 11, wherein at least one of the first response and second response indicates that the electronic signature is valid and another of the first response and second response indicates that the electronic signature is invalid.
  - 19. The system of claim 11, wherein:
    - other secret information, inaccessible to the system, is usable for a set of uses; and
      
      the secret information obtained is cryptographically derived from the other secret information such that the secret information is unusable for a first proper subset of the set of uses but usable for a second proper subset of the set of uses.
  - 20. The system of claim 11, wherein:
    - the executable instructions further cause the system to provide an application programming interface configured to obtain application programming interface requests to configure parameters for responding to requests to verify electronic signatures; and
      
      the second attestation being different from the first attestation is a result of information obtained through the application programming interface.
  - 21. The system of claim 11, wherein:
    - the system is operated by a service provider; and
      
      the first requestor and second requestor correspond to different customers of the service provider.

22. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of execution by one or more processors of a computer system, cause the computer system to:
- obtain, from persistent storage, data and an electronic signature generated based at least in part on;
  
  data and first secret information, the first secret information being;
  
  accessible to a verification system;
  
  inaccessible to the computer system; and
  
  derived from second secret information that indicates a scope of use of the first secret information, the scope of use comprising a set of computing resources that are allowed to be accessed using the first secret information;
  
  transmit, over a network to the verification system, a request to verify the electronic signature, the request including the data and the electronic signature; and
  
  take one or more actions in dependence on a response obtained from the verification system, the response including an indication whether the verification system attests to validity of the electronic signature in accordance with the scope of use indicated by the second secret information, the one or more actions including providing access to the set of computing resources.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29)
- - 23. The non-transitory computer-readable storage medium of claim 22, wherein the first secret information is accessible to an entity that generated the electronic signature, the entity being different from the verification system.
  - 24. The non-transitory computer-readable storage medium of claim 23, wherein the entity that generated the electronic signature and computer system are different entities.
  - 25. The non-transitory computer-readable storage medium of claim 24, wherein:
    - the executable instructions further cause the computer system to implement a hypervisor; and
      
      the verification system is implemented as part of a process of the hypervisor.
  - 26. The non-transitory computer-readable storage medium of claim 22, wherein the data is an electronic mail message.
  - 27. The non-transitory computer-readable storage medium of claim 22, wherein:
    - the verification system is configured to publish the first secret information; and
      
      the response is further dependent on whether the verification system has published the secret information.
  - 28. The non-transitory computer-readable storage medium of claim 22, wherein the executable instructions that cause the computer system to obtain the persistently stored data include instructions that cause the computer system to read the persistently stored data from a database that persistently stores the data.
  - 29. The non-transitory computer-readable storage medium of claim 22, wherein the executable instructions that cause the computer system to obtain the persistently stored data include instructions that cause the computer system to obtain the persistently stored data from a third party that persistently stores the data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Seidenberg, Benjamin Elias, Roth, Gregory Branchek, Farley, Benjamin Tillman
Primary Examiner(s)
Pyzocha, Michael

Application Number

US14/027,843
Time in Patent Office

1,947 Days
Field of Search

713168
US Class Current
CPC Class Codes

H04L 9/0861   Generation of secret inform...

H04L 9/088   Usage controlling of secret...

H04L 9/3242   involving keyed hash functi...

H04L 9/3247   involving digital signatures

Trusted data verification

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

237 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Trusted data verification

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

237 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links