SIGNED ENVELOPE ENCRYPTION
First Claim
1. A system, comprising:
a first computer system comprising:
a first one or more processors; and
first memory that stores executable instructions that, as a result of being executed by the first one or more processors, causes the first computer system to:
generate a first ciphertext based at least in part on a message by obtaining a cryptographic data key and encrypting at least the message using the data key;
generate a digitally signed payload that includes the first ciphertext and a digital signature generated using at least the first ciphertext and a private key; and
obtain an authenticated payload that includes a second ciphertext based at least in part on the data key, a public key that corresponds to the private key, and an authentication tag verifiable using data that includes at least the data key and the public key; and
a second computer system comprising:
a second one or more processors; and
second memory that stores executable instructions that, as a result of being executed by the second one or more processors, causes the second computer system to:
receive the digitally signed payload and the authenticated payload;
obtain the data key and a key identifier based on at least the second ciphertext, the public key, and the authentication tag;
verify that the key identifier matches an expected key identifier associated with the first computer system and that the digital signature is valid; and
obtain the message by decrypting the first ciphertext using the data key.
Abstract
Clients within a computing environment may establish a secure communication session. Sometimes, a client may trust another client to read, but not modify, a message. Clients may utilize a cryptography service to generate a message protected against improper modification. Clients may utilize a cryptography service to verify whether a protected message has been improperly modified.
21 Claims
1. A system, comprising: (independent claim; full text given under First Claim above)
Dependent claims: 2, 3, 4.
5. A computer-implemented method, comprising:
under the control of one or more computer systems configured with executable instructions,
generating a first ciphertext based at least in part on a message by obtaining a cryptographic data key and encrypting at least the message using the data key;
generating, using an asymmetric private key, a digital signature based at least in part on the first ciphertext;
generating a digitally signed payload including at least the first ciphertext and the digital signature;
requesting, to a cryptography service, an authenticated encryption by providing at least the cryptographic data key and an asymmetric public key that corresponds to the asymmetric private key, wherein at least the cryptographic data key is indicated to be encrypted;
receiving, in response to the request for the authenticated encryption, a second ciphertext and an authentication tag;
generating an authenticated payload including at least the second ciphertext, the asymmetric public key, and the authentication tag; and
making available, to another computer system, at least the digitally signed payload and the authenticated payload.
Dependent claims: 6, 7, 8, 9, 10, 11, 12, 13.
14. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
receive a protected message comprising:
a digitally signed payload further comprising a first ciphertext and a digital signature over the first ciphertext; and
an authenticated payload further comprising a second ciphertext, an asymmetric public key, and an authentication tag;
request, to a cryptography service, an authenticated decryption of the second ciphertext by providing at least the second ciphertext, the asymmetric public key, and the authentication tag;
receive, in response to the request for the authenticated decryption, at least a cryptographic data key and a key identifier;
verify that the key identifier matches an expected key identifier associated with an expected client and that the digital signature of the digitally signed payload is valid; and
obtain a message by decrypting, using the cryptographic data key, the first ciphertext of the digitally signed payload.
Dependent claims: 15, 16, 17, 18, 19, 20, 21.
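Both halves of the claimed protocol (the sender of claims 1 and 5, the receiver of claim 14), as an added example in Go that is not part of the patent or of any product it describes. The KMS type is a hypothetical stand-in for the cryptography service: it holds a master key the clients never see and the key identifier of the client that owns it; AES-256-GCM provides both encryptions, Ed25519 the signature, and the sender's public key is bound into the data-key wrap as associated data so that a replaced key fails authenticated decryption. It assumes sender and receiver are both authorised to call the same KMS object.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)
func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
// AES-256-GCM helpers; seal/open carry the nonce in front of the ciphertext.
func gcm(key []byte) cipher.AEAD { blk, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(blk); return g }
func seal(a cipher.AEAD, pt, aad []byte) []byte {
	nonce := randBytes(a.NonceSize())
	return a.Seal(nonce, nonce, pt, aad)
}
func open(a cipher.AEAD, ct, aad []byte) ([]byte, error) {
	n := a.NonceSize()
	if len(ct) < n { return nil, errors.New("ciphertext too short") }
	return a.Open(nil, ct[:n], ct[n:], aad)
}
// KMS stands in for the cryptography service (hypothetical, not the patent's API): a master key the clients never see, plus the identifier of the client that owns it.
type KMS struct{ keyID string; master cipher.AEAD }
func NewKMS(keyID string) *KMS { return &KMS{keyID, gcm(randBytes(32))} }
// AuthEncrypt wraps the data key with the sender's public key as associated data (claim 5).
func (k *KMS) AuthEncrypt(dataKey, pub []byte) (c2, tag []byte) {
	out, t := seal(k.master, dataKey, pub), k.master.Overhead()
	return out[:len(out)-t], out[len(out)-t:]
}
// AuthDecrypt unwraps the data key and names the key that did it (claim 14); a swapped public key fails here because the associated data no longer matches.
func (k *KMS) AuthDecrypt(c2, tag, pub []byte) ([]byte, string, error) {
	dk, err := open(k.master, append(append([]byte{}, c2...), tag...), pub)
	return dk, k.keyID, err
}
type Protected struct{ C1, Sig, C2, Pub, Tag []byte }
// Protect is the sender of claim 1: encrypt, sign the ciphertext, wrap the data key; the result is the signed payload (C1, Sig) plus the authenticated payload (C2, Pub, Tag).
func Protect(kms *KMS, priv ed25519.PrivateKey, msg []byte) Protected {
	dk := randBytes(32)
	c1 := seal(gcm(dk), msg, nil)
	pub := []byte(priv.Public().(ed25519.PublicKey))
	c2, tag := kms.AuthEncrypt(dk, pub)
	return Protected{c1, ed25519.Sign(priv, c1), c2, pub, tag}
}
// Unprotect is the receiver: the key identifier and the signature must check out before anything is decrypted.
func Unprotect(kms *KMS, p Protected, expectedKeyID string) ([]byte, error) {
	dk, keyID, err := kms.AuthDecrypt(p.C2, p.Tag, p.Pub)
	if err != nil || keyID != expectedKeyID || !ed25519.Verify(ed25519.PublicKey(p.Pub), p.C1, p.Sig) {
		return nil, errors.New("authenticated payload, key identifier or signature check failed")
	}
	return open(gcm(dk), p.C1, nil)
}
```

Drive it from a test or a small main: Unprotect refuses the message when the key identifier is not the expected sender's, when the public key in the authenticated payload has been swapped, or when the first ciphertext or its signature has been altered.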