SIGNED ENVELOPE ENCRYPTION

US 20170171219A1
Filed: 12/11/2015
Published: 06/15/2017
Est. Priority Date: 12/11/2015
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a first computer system comprising;

a first one or more processors; and

first memory that stores executable instructions that, as a result of being executed by the first one or more processors, causes the first computer system to;

generate a first ciphertext based at least in part on a message by obtaining a cryptographic data key and encrypting at least the message using the data key;

generate a digitally signed payload that includes the first ciphertext and a digital signature generated using at least the first ciphertext and a private key; and

obtain an authenticated payload that includes a second ciphertext based at least in part on the data key, a public key that corresponds to the private key, and an authentication tag verifiable using data that includes at least the data key and the public key; and

a second computer system comprising;

a second one or more processors; and

second memory that stores executable instructions that, as a result of being executed by the second one or more processors, causes the second computer system to;

receive the digitally signed payload and the authenticated payload;

obtain the data key and a key identifier based on at least the second ciphertext, the public key, and the authentication tag;

verify that the key identifier matches an expected key identifier associated with the first computer system and that the digital signature is valid; and

obtain the message by decrypting the first ciphertext using the data key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Clients within a computing environment may establish a secure communication session. Sometimes, a client may trust another client to read, but not modify, a message. Clients may utilize a cryptography service to generate a message protected against improper modification. Clients may utilize a cryptography service to verify whether a protected message has been improperly modified.

30 Citations

View as Search Results

21 Claims

1. A system, comprising:
- a first computer system comprising;
  
  a first one or more processors; and
  
  first memory that stores executable instructions that, as a result of being executed by the first one or more processors, causes the first computer system to;
  
  generate a first ciphertext based at least in part on a message by obtaining a cryptographic data key and encrypting at least the message using the data key;
  
  generate a digitally signed payload that includes the first ciphertext and a digital signature generated using at least the first ciphertext and a private key; and
  
  obtain an authenticated payload that includes a second ciphertext based at least in part on the data key, a public key that corresponds to the private key, and an authentication tag verifiable using data that includes at least the data key and the public key; and
  
  a second computer system comprising;
  
  a second one or more processors; and
  
  second memory that stores executable instructions that, as a result of being executed by the second one or more processors, causes the second computer system to;
  
  receive the digitally signed payload and the authenticated payload;
  
  obtain the data key and a key identifier based on at least the second ciphertext, the public key, and the authentication tag;
  
  verify that the key identifier matches an expected key identifier associated with the first computer system and that the digital signature is valid; and
  
  obtain the message by decrypting the first ciphertext using the data key.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, wherein:
    - obtaining the second ciphertext is further based on additional authenticated data;
      
      the generated authenticated payload further includes the additional authenticated data; and
      
      obtaining the data key and the key identifier is further based on the additional authenticated data.
  - 3. The system of claim 1, wherein:
    - generating the first ciphertext is based on encrypting at least the message and the public key; and
      
      the second memory further stores executable instructions that causes the second computer system to obtain the public key based on at least the second ciphertext and the authentication tag.
  - 4. The system of claim 1, wherein the private key is an elliptic curve private key, and the public key is an elliptic curve public key.

5. A computer-implemented method, comprising:
- under the control of one or more computer systems configured with executable instructions,generating a first ciphertext based at least in part on a message by obtaining a cryptographic data key and encrypting at least the message using the data key;
  
  generating, using an asymmetric private key, a digital signature based at least in part on the first ciphertext;
  
  generating a digitally signed payload including at least the first ciphertext and the digital signature;
  
  requesting, to a cryptography service, an authenticated encryption by providing at least the cryptographic data key and an asymmetric public key that corresponds to the asymmetric private key, wherein at least the cryptographic data key is indicated to be encrypted;
  
  receiving, in response to the request for the authenticated encryption, a second ciphertext and an authentication tag;
  
  generating an authenticated payload including at least the second ciphertext, the asymmetric public key, and the authentication tag; and
  
  making available, to another computer system, at least the digitally signed payload and the authenticated payload.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13)
- - 6. The computer-implemented method of claim 5, wherein:
    - requesting the authenticated encryption further includes providing additional authenticated data; and
      
      the authenticated payload further includes the additional authenticated data.
  - 7. The computer-implemented method of claim 5, wherein the asymmetric private key is an elliptic curve private key, and the asymmetric public key is an elliptic curve public key.
  - 8. The computer-implemented method of claim 5, wherein a web API request is used to request the authenticated encryption.
  - 9. The computer-implemented method of claim 5, wherein requesting the cryptography service perform the authenticated encryption further includes indicating the asymmetric public key is to be encrypted.
  - 10. The computer-implemented method of claim 6, wherein requesting the authenticated encryption further includes providing a nonce.
  - 11. The computer-implemented method of claim 10, wherein the authenticated encryption is AES-CCM or AES-GCM encryption.
  - 12. The computer-implemented method of claim 5, wherein at least the digitally signed payload and the authenticated payload are made available by transmitting, in one or more TCP packets, the digitally signed payload and the authenticated payload.
  - 13. The computer-implemented method of claim 5, wherein a web API request is used to obtain, from the cryptography service, the cryptographic data key.

14. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
- receive a protected message comprising;
  
  a digitally signed payload further comprising a first ciphertext and a digital signature over the first ciphertext; and
  
  an authenticated payload further comprising a second ciphertext, an asymmetric public key, and an authentication tag;
  
  request, to a cryptography service, an authenticated decryption of the second ciphertext by providing at least the second ciphertext, the asymmetric public key, and the authentication tag;
  
  receive, in response to the request for the authenticated decryption, at least a cryptographic data key and a key identifier;
  
  verify that the key identifier matches an expected key identifier associated with an expected client and that the digital signature of the digitally signed payload is valid; and
  
  obtain a message by decrypting, using the cryptographic data key, the first ciphertext of the digitally signed payload.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The non-transitory computer-readable storage medium of claim 14, wherein the asymmetric public key is an elliptic curve public key.
  - 16. The non-transitory computer-readable storage medium of claim 14, wherein the protected message further comprises the asymmetric public key.
  - 17. The non-transitory computer-readable storage medium of claim 14, wherein a web API request is used to request the authenticated decryption.
  - 18. The non-transitory computer-readable storage medium of claim 14, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to:
    - receive, in response to the request for the authenticated decryption, at least the cryptographic data key, the asymmetric public key, and the key identifier.
  - 19. The non-transitory computer-readable storage medium of claim 14, wherein the cryptographic data key is a symmetric cryptographic key.
  - 20. The non-transitory computer-readable storage medium of claim 14, wherein:
    - the message is obtained after the digital signature is verified;
      
      the digital signature is verified after receiving at least the cryptographic data key and the key identifier; and
      
      the digital signature is verified after verifying the key identifier matches the expected key identifier associated with an expected client.
  - 21. The non-transitory computer-readable storage medium of claim 14, wherein the protected message is received as part of one or more TCP packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Campagna, Matthew John

Granted Patent

US 10,412,098 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/045   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 63/123   received data contents, e.g...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/321   involving a third party or ...

H04L 9/3234   involving additional secure...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3247   involving digital signatures

SIGNED ENVELOPE ENCRYPTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

30 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

SIGNED ENVELOPE ENCRYPTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links