Signed envelope encryption

US 10,412,098 B2
Filed: 12/11/2015
Issued: 09/10/2019
Est. Priority Date: 12/11/2015
Status: Active Grant

First Claim

Patent Images

1. A system, comprising memory to store instructions that, as a result of execution by the one or more processors, cause the system to:

obtain, from a cryptography service and via a web API request, a first set of information comprising;

an encrypted cryptographic key usable to obtain a cryptographic key; and

an authentication tag, validity of the authentication tag cryptographically derivable from at least the cryptographic key and a public key;

generate a second set of information by at least;

encrypting data using the cryptographic key, thereby generating a second ciphertext; and

using a private key corresponding to the public key to generate a digital signature based at least in part on the data, wherein validity of the digital signature is verifiable using the public key; and

provide the first set of information and the second set of information to another computer system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Clients within a computing environment may establish a secure communication session. Sometimes, a client may trust another client to read, but not modify, a message. Clients may utilize a cryptography service to generate a message protected against improper modification. Clients may utilize a cryptography service to verify whether a protected message has been improperly modified.

27 Citations

View as Search Results

20 Claims

1. A system, comprising memory to store instructions that, as a result of execution by the one or more processors, cause the system to:
- obtain, from a cryptography service and via a web API request, a first set of information comprising;
  
  an encrypted cryptographic key usable to obtain a cryptographic key; and
  
  an authentication tag, validity of the authentication tag cryptographically derivable from at least the cryptographic key and a public key;
  
  generate a second set of information by at least;
  
  encrypting data using the cryptographic key, thereby generating a second ciphertext; and
  
  using a private key corresponding to the public key to generate a digital signature based at least in part on the data, wherein validity of the digital signature is verifiable using the public key; and
  
  provide the first set of information and the second set of information to another computer system.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, wherein:
    - the second ciphertext is further generated using at least additional authenticated data;
      
      the first set of information further comprises additional authenticated data; and
      
      obtaining the cryptographic key and a key identifier based on the additional authenticated data.
  - 3. The system of claim 1, wherein:
    - the system further comprises the other system, the other system comprising a second memory to store instructions that, as a result of execution by a second one or more processors, causes the other system to;
      
      receive the first set of information and the second set of information;
      
      obtain the cryptographic key and a key identifier based at least in part on the first ciphertext, the public key, and the authentication tag;
      
      verify that the key identifier matches an expected key identifier and that the digital signature is valid; and
      
      obtain the data by decrypting the second ciphertext using the cryptographic key.
  - 4. The system of claim 1, wherein the private key is an elliptic curve private key, and the public key is an elliptic curve public key.

5. A computer-implemented method, comprising:
- obtaining, from a cryptography service, a first set of information comprising;
  
  an encrypted cryptographic key usable to obtain a cryptographic key; and
  
  an authentication tag, validity of the authentication tag cryptographically derivable from at least the cryptographic key and a public key;
  
  generating a second set of information by at least;
  
  encrypting data using the cryptographic key to generate a second ciphertext of the data; and
  
  generating a digital signature of at least the data using a private key corresponding to the public key; and
  
  providing the first set of information and the second set of information to another computer system.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The computer-implemented method of claim 5, wherein:
    - the first set of information further comprises additional authenticated data; and
      
      obtaining the first set of information comprises;
      
      requesting, to the cryptography service, an authenticated encryption by providing at least the cryptographic key, the public key, the additional authenticated data, and an indication to encrypt the cryptographic key using the public key; and
      
      receiving the encrypted cryptographic key and the authentication tag in response to the request.
  - 7. The computer-implemented method of claim 6, further comprising providing the additional authenticated data to the other computer system.
  - 8. The computer-implemented method of claim 6, wherein requesting the authenticated encryption further includes providing a nonce.
  - 9. The computer-implemented method of claim 8, wherein the authenticated encryption is AES-CCM or AES-GCM encryption.
  - 10. The computer-implemented method of claim 5, wherein the private key is an elliptic curve private key, and the public key is an elliptic curve public key.
  - 11. The computer-implemented method of claim 5, providing the first set of information and the second set of information comprises transmitting, in one or more TCP packets, the first set of information and the second set of information.
  - 12. The computer-implemented method of claim 5, further comprising using a second web API request to obtain the cryptographic data key.

13. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
- receive a first set of information comprising;
  
  an encrypted cryptographic key usable to obtain a cryptographic key; and
  
  an authentication tag, validity of the authenticity tag cryptographically derivable from at least the cryptographic key and a public key;
  
  receive a second set of information comprising;
  
  a ciphertext; and
  
  a digital signature, authenticity of the digital signature verifiable using at least in part on the public key;
  
  provide, to a cryptography service and via a web API request, the encrypted cryptographic key, the public key, and the authentication tag;
  
  receive, as a response, at least the cryptographic key and a key identifier;
  
  verify that the key identifier matches an expected key identifier associated with an expected client and that the digital signature is valid; and
  
  decrypt the ciphertext using the cryptographic key to obtain a plaintext, wherein the cryptography service lacks sufficient cryptographic material to generate the digital signature from the plaintext.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The non-transitory computer-readable storage medium of claim 13, wherein the public key is an elliptic curve public key.
  - 15. The non-transitory computer-readable storage medium of claim 13, wherein the second set of information further comprises the public key.
  - 16. The non-transitory computer-readable storage medium of claim 13, wherein the instructions to provide, to the cryptography service and via the web API request, the encrypted cryptographic key, the public key, and the authentication tag comprise instructions that, as a result of being executed by the one or more processors of the computer system, cause the computer system to request an authenticated decryption of the encrypted cryptographic key.
  - 17. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to:
    - receive, as the response, at least the cryptographic data key, the public key, and the key identifier.
  - 18. The non-transitory computer-readable storage medium of claim 13, wherein the cryptographic key is a symmetric cryptographic key.
  - 19. The non-transitory computer-readable storage medium of claim 13, wherein:
    - the message is obtained after the digital signature is verified;
      
      the digital signature is verified after receiving at least the cryptographic key and the key identifier; and
      
      the digital signature is verified after verifying the key identifier matches the expected key identifier associated with an expected client.
  - 20. The non-transitory computer-readable storage medium of claim 13, wherein the first set of information or the second set of information is received as part of one or more TCP packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Campagna, Matthew John
Primary Examiner(s)
Shehni, Ghazal B

Application Number

US14/967,142
Publication Number

US 20170171219A1
Time in Patent Office

1,369 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/045   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 63/123   received data contents, e.g...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/321   involving a third party or ...

H04L 9/3234   involving additional secure...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3247   involving digital signatures

Signed envelope encryption

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

27 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Signed envelope encryption

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links