HIERARCHICAL DATA ACCESS TECHNIQUES

US 20160065549A1
Filed: 11/11/2015
Published: 03/03/2016
Est. Priority Date: 03/27/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

under the control of one or more computer systems that execute instructions,obtaining a plurality of keys, each obtained key of the plurality of keys being based at least in part on an information set for the plurality of keys and at least one other key distinct from the plurality of keys;

calculating, by inputting a combination of the plurality of keys into a function with the information set for the plurality of keys, a signing key; and

using the signing key to evaluate whether access to one or more computing resources is to be granted, the information set preventing the access from being granted when a request for the access is submitted out of compliance with the information set for the plurality of keys.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A plurality of keys is obtained, with each obtained key of the plurality of keys being based at least in part on an information set for the plurality of keys and at least one other key distinct from the plurality of keys. A signing key is calculated by inputting a combination of the plurality of keys into a function with the information set for the plurality of keys, and the signing key is used to evaluate whether access to one or more computing resources is to be granted, with the information set preventing access from being granted when a request for the access is submitted out of compliance with the information set for the plurality of keys.

Citations

21 Claims

1. A computer-implemented method, comprising:
- under the control of one or more computer systems that execute instructions,obtaining a plurality of keys, each obtained key of the plurality of keys being based at least in part on an information set for the plurality of keys and at least one other key distinct from the plurality of keys;
  
  calculating, by inputting a combination of the plurality of keys into a function with the information set for the plurality of keys, a signing key; and
  
  using the signing key to evaluate whether access to one or more computing resources is to be granted, the information set preventing the access from being granted when a request for the access is submitted out of compliance with the information set for the plurality of keys.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, wherein the function is a cryptographic function.
  - 3. The computer-implemented method of claim 1, wherein using the signing key further includes generating, based at least in part on the signing key, a reference signature for a message submitted in connection with a message signature.
  - 4. The computer-implemented method of claim 3, wherein the information set includes a set of key-use restrictions comprising one or more restrictions for each of the plurality of keys.
  - 5. The computer-implemented method of claim 3, wherein the information set corresponds to at least one of time, date, region, zone, service, protocol, device, device model, or device manufacturer.
  - 6. The computer-implemented method of claim 3, wherein the combination of the plurality of keys comprises an output of a commutative function having an operand corresponding to each of the plurality of keys.
  - 7. The computer-implemented method of claim 3, wherein:
    - the information set includes, for each key of the plurality of keys, an encoding of at least one restriction on the key; and
      
      generating the reference signature is performed in a manner that ensures that the reference signature will match the message signature when the message and signature are in compliance with the at least one restriction of the information set.
  - 8. The computer-implemented method of claim 3, wherein the reference signature matches the message signature as a result of the plurality of keys and a set of one or more keys used to generate the message signature being derived using a cryptographic hash function of a same set of one or more keys.

9. A system, comprising:
- one or more processors; and
  
  memory including instructions that, as a result of execution by one or more processors of a computer system, cause the computer system to at least, for an electronic signature submitted for verification in connection with a message;
  
  obtain a plurality of keys, each obtained key of the plurality of keys being based at least in part on an information set for the plurality of keys and at least one other key distinct from the plurality of keys, the information set corresponding to at least one of time, date, region, zone, service, protocol, device, device model, or device manufacturer;
  
  compute, based at least in part on information derived based at least in part on the plurality of keys, whether the electronic signature is valid; and
  
  cause one or more actions to be taken based at least in part on whether the electronic signature is valid, the one or more actions including evaluating whether access to one or more computing resources is permitted, with the information set preventing use of a key of the plurality of keys that is noncompliant with the information set.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9, wherein:
    - each key of the plurality of keys is derived based at least in part on a corresponding set of one or more specialization parameters; and
      
      the instructions that cause the computer system to compute whether the electronic signature is valid include instructions that cause the computer system to;
      
      calculate, based at least in part on the plurality of keys and the corresponding sets of one or more specialization parameters, a reference signature; and
      
      determine whether the reference signature matches the electronic signature.
  - 11. The system of claim 10, wherein:
    - the instructions that cause the computer system to compute whether the electronic signature is valid include instructions that cause the computer system to determine whether the message complies with the sets of one or more specialization parameters; and
      
      the one or more actions are caused to be taken based at least in part on whether the message complies with the sets of one or more specialization parameters.
  - 12. The system of claim 10, wherein the instructions that cause the computer system to calculate the reference signature includes instructions that cause the computer system to input a combination of the plurality of keys and an encoding of the corresponding sets of specialization parameters into a function based at least in part on a cryptographic hash function.
  - 13. The system of claim 12, wherein the instructions further cause the computer system to calculate the combination of the plurality of keys in a manner in which ordering the keys within the plurality of keys is unnecessary.
  - 14. The system of claim 9, wherein the one or more actions include causing fulfilment of a request encoded by the message.
  - 15. The system of claim 9, wherein the instructions that cause the computer system to obtain the plurality of keys include instructions that cause the computer system to obtain at least one of the plurality of keys from a computer system that lacks access to at least one other of the plurality of keys.

16. A non-transitory computer-readable storage medium having stored thereon instructions that, when executed by a computer system, cause the computer system to at least:
- obtain a plurality of keys, each obtained key of the plurality of keys being based at least in part on an information set for the plurality of keys and at least one other key distinct from the plurality of keys, the information set corresponding to at least one of time, date, region, zone, service, protocol, device, device model, or device manufacturer;
  
  calculate, based at least in part on the plurality of keys, a signing key;
  
  generate, based at least in part on the signing key and a message, a signature for the message; and
  
  cause the message and the signature to be transmitted to another computer system for use in evaluating whether access to one or more computing resources is permitted, the information set preventing use of the signing key that is noncompliant with the information set.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The non-transitory computer-readable storage medium of claim 16, wherein the information set includes a set of key-use restrictions comprising one or more restrictions for each of the plurality of keys.
  - 18. The non-transitory computer-readable storage medium of claim 16, wherein:
    - the other computer system verifies validity of the signature; and
      
      the instructions that cause the computer system to obtain the plurality of keys include instructions that cause the computer system to derive, based at least in part on a key shared with the other computer system, at least one of the plurality of keys.
  - 19. The non-transitory computer-readable storage medium of claim 18, wherein the instructions that cause the computer system to derive the at least one of the plurality of keys include instructions that cause the computer system to compute a value for a function based at least in part on the key shared with the other computer system.
  - 20. The non-transitory computer-readable storage medium of claim 16, wherein the instructions that cause the computer system to obtain the plurality of keys include instructions that cause the computer system to obtain at least one of the plurality of keys from a computer system that lacks access to another of the plurality of keys.
  - 21. The non-transitory computer-readable storage medium of claim 16, wherein the instructions that cause the computer system to calculate the signing key include instructions that cause the computer system to input a combination of the plurality of keys into a function with the information set for the plurality of keys, the combination being based at least in part on a commutative operation on the plurality of keys

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory B., Barbour, Marc R., Behm, Bradley Jeffrey, Ilac, Cristian M., Brandwine, Eric Jason

Granted Patent

US 10,356,062 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/64   Protecting data integrity, ...

H04L 2209/60   Digital content management,...

H04L 2463/061   applying further key deriva...

H04L 63/06   for supporting key manageme...

H04L 63/062   for key distribution, e.g. ...

H04L 63/08   for authentication of entit...

H04L 9/0836   using tree structure or hie...

H04L 9/321   involving a third party or ...

H04L 9/3242   involving keyed hash functi...

H04L 9/3247   involving digital signatures

H04L 9/50   using hash chains, e.g. blo...

HIERARCHICAL DATA ACCESS TECHNIQUES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

HIERARCHICAL DATA ACCESS TECHNIQUES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links