Encryption key management

US 8,245,037 B1
Filed: 02/17/2009
Issued: 08/14/2012
Est. Priority Date: 02/17/2009
Status: Active Grant

First Claim

Patent Images

1. A method of managing secure objects in a computing device, comprising:

storing, at the computing device, one or more secure objects for performing a secure operation;

associating one or more secure identifiers with the one or more secure objects;

associating one of the one or more version numbers with a particular one of the one or more secure objects associated with one of the one or more secure identifiers, the one or more secure objects being associated with at least one of the one or more version numbers;

receiving, at the computing device, a request to perform the secure operation, the request identifying a particular one of the one or more secure identifiers to be used in performing the secure operation;

as a result of the request including a particular one of the one or more version numbers for identifying a version of the one or more secure objects to be used in performing the secure operation, selecting a particular one of the one or more secure objects corresponding to the particular one of the one or more secure identifiers and associated with the particular one of the one or more version numbers;

as a result of the request not including a version number for identifying the version of the one or more secure objects to be used in performing the secure operation, selecting a current default secure object corresponding to the particular one of the one or more secure identifiers; and

performing the secure operation at the computing device using the selected secure object.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure information is managed for each host or machine in an electronic environment using a series of key identifiers that each represent one or more secure keys, passwords, or other secure information. Applications and services needing access to the secure information can specify the key identifier, for example, and the secure information currently associated with that identifier can be determined without any change to the code or manual input or exposure of the secure information on the respective device. Functionality such as encryption key management and rotation are inaccessible and transparent to the user. In a networked or distributed environment, the key identifiers can be associated with host classes such that at startup any host in a class can obtain the necessary secure information. Updates and key rotation can be performed in a similar fashion by pushing updates to host classes transparent to a user, application, or service.

114 Citations

26 Claims

1. A method of managing secure objects in a computing device, comprising:
- storing, at the computing device, one or more secure objects for performing a secure operation;
  
  associating one or more secure identifiers with the one or more secure objects;
  
  associating one of the one or more version numbers with a particular one of the one or more secure objects associated with one of the one or more secure identifiers, the one or more secure objects being associated with at least one of the one or more version numbers;
  
  receiving, at the computing device, a request to perform the secure operation, the request identifying a particular one of the one or more secure identifiers to be used in performing the secure operation;
  
  as a result of the request including a particular one of the one or more version numbers for identifying a version of the one or more secure objects to be used in performing the secure operation, selecting a particular one of the one or more secure objects corresponding to the particular one of the one or more secure identifiers and associated with the particular one of the one or more version numbers;
  
  as a result of the request not including a version number for identifying the version of the one or more secure objects to be used in performing the secure operation, selecting a current default secure object corresponding to the particular one of the one or more secure identifiers; and
  
  performing the secure operation at the computing device using the selected secure object.
- View Dependent Claims (2, 3)
- - 2. A method according to claim 1, further comprising:
    - changing the current default secure object corresponding to the secure identifier,wherein the request to perform the secure operation is able to be processed using the secure identifier independent of the change in the current default secure object.
  - 3. A method according to claim 1, further comprising:
    - when the secure operation for the request relates to encrypted content to be processed, determining whether the encrypted content includes a version number for the secure identifier to be used in performing the secure operation.

4. A method of performing a secure operation on a computing device, comprising:
- receiving, at the computing device, a request to perform a secure operation, the request identifying a secure identifier to be used in performing the secure operation;
  
  determining a secure object associated with the secure identifier to perform the secure operation, the secure identifier being associated with one or more secure objects for the secure operation;
  
  as a result of the request including a version number for identifying a version of the secure object to be used, performing the secure operation at the computing device using the determined secure object based at least in part on the included version number,wherein the secure object to be used to perform the secure operation is able to be changed by the computing device based at least in part on the version number, andwherein the request to perform the secure operation identifies the secure identifier independent of a change in the secure object to be used to perform the secure operation; and
  
  as a result of the request not including a version number, performing the secure operation at the computing device using a default secure object.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 5. A method according to claim 4, wherein the one or more secure objects includes at least one of an encryption key or a password.
  - 6. A method according to claim 4, further comprising:
    - when the request includes a version number, selecting the secure object corresponding to the secure identifier and associated with the version number;
      
      when the request does not include a version number, selecting a current default secure object corresponding to the secure identifier.
  - 7. A method according to claim 4, wherein the secure identifier is associated with the request by at least one of the request specifying the secure identifier and the computing device determining the secure identifier for the request.
  - 8. A method according to claim 4, wherein the secure operation is selected from the group consisting of encrypting, decrypting, re-encrypting, securely storing, digitally signing, and providing secure access to at least one of a resource or content.
  - 9. A method according to claim 4, wherein the secure operation includes encrypting content, and further comprising:
    - encrypting content associated with the request using a determined algorithm and the selected secure object; and
      
      storing information identifying the determined algorithm and the selected secure object in the encrypted content,wherein a computing device having access to the determined algorithm and the selected secure object is able to decrypt the content using the information stored in the encrypted content.
  - 10. A method according to claim 9, wherein the information is stored in metadata of the encrypted content.
  - 11. A method according to claim 4, further comprising:
    - periodically changing a default secure object associated with the secure identifier.
  - 12. A method according to claim 4, further comprising:
    - storing each secure object to a storage facility available to the computing device and associating each secure object with a secure identifier,wherein after each secure object is associated with a respective secure identifier the secure object is not exposed outside the storage facility.
  - 13. A method according to claim 4, further comprising:
    - defining an interface wherein an application is able to send the request, including the secure identifier, from a client device independent of a user of the application having knowledge of the secure identifier.

14. A method of decrypting content, comprising:
- receiving, at a computing device, a request to decrypt content identified by the request;
  
  extracting information from the content identifying a secure identifier and an algorithm used to encrypt the content, wherein the request does not specify the secure identifier and the algorithm used to encrypt the content;
  
  when the computing device has access to the secure identifier and the algorithm, determining a secure object associated with the secure identifier by determining whether a version number is identified in the request;
  
  as a result of the request identifying a version number, decrypting the content using a particular version number of the secure object and the algorithm, and providing access to the decrypted content, the secure object being based at least in part on the particular version number; and
  
  as a result of the request not identifying a version number, decrypting the content using a default secure object and the algorithm, and providing access to the decrypted content.
- View Dependent Claims (15, 16)
- - 15. A method according to claim 14, wherein determining a secure object associated with the secure identifier includes extracting an object version from metadata identifying an appropriate secure object.
  - 16. A method according to claim 14, further comprising:
    - when the computing device does not have access to at least one of the secure identifier and the algorithm, returning a response indicating that the computing device is unable to decrypt the content.

17. A system for performing a secure operation, comprising:
- a processor; and
  
  a memory device including instructions that, when executed by the processor, cause the processor to;
  
  receive a request to perform a secure operation, the request identifying a secure identifier;
  
  determine a secure object associated with the secure identifier, the secure identifier being associated with one or more secure objects for the secure operation;
  
  as a result of the request including a version number for identifying a version of the secure object to be used, perform the secure operation at the computing device using the determined secure object based at least in part on the included version number,wherein the secure object to be used to perform the secure operation is able to be changed by the computing device, andwherein the request to perform the secure operation identifies the secure identifier independent of a change in the secure object to be used to perform the secure operation; and
  
  as a result of the request not including a version number, performing the secure operation at the computing device using a default secure object.
- View Dependent Claims (18, 19, 20, 21)
- - 18. A system according to claim 17, wherein the instructions, when executed by the processor, further cause the processor to:
    - when the request includes a version number, select the secure object corresponding to the secure identifier and associated with the version number;
      
      when the request does not include a version number, select a current default secure object corresponding to the secure identifier.
  - 19. A system according to claim 17, wherein the secure operation includes encrypting content, and wherein the instructions, when executed by the processor, further cause the processor to:
    - encrypt content associated with the request using a determined algorithm and the selected secure object; and
      
      store information identifying the determined algorithm and the selected secure object in the encrypted content,wherein a computing device having access to the determined algorithm and the selected secure object is able to decrypt the content using the stored information.
  - 20. A system according to claim 19, wherein the information is stored in metadata of the encrypted content.
  - 21. A system according to claim 17, wherein the instructions, when executed by the processor, further cause the processor to:
    - change a current default secure object associated with the secure identifier,wherein the request to perform the secure operation is able to be processed using the secure identifier independent of the change in the current default secure object.

22. A computer program product embedded in a non-transitory computer-readable medium including processor-executable instructions for performing a secure operation, comprising:
- program code for receiving, at a computing device, a request to perform a secure operation, the request identifying a secure identifier;
  
  program code for determining a secure object associated with the secure identifier to perform the secure operation, the secure identifier being associated with one or more secure objects for the secure operation;
  
  program code for performing, as a result of the request including a version number for identifying a version of the secure object to be used, the secure operation at the computing device using the determined secure object based at least in part on the included version number,wherein the secure object to be used to perform the secure operation is able to be changed at the computing device, andwherein the request to perform the secure operation identifies the secure identifier independent of a change in the secure object to be used to perform the secure operation; and
  
  program code for performing, as a result of the request not including a version number, the secure operation at the computing device using a default secure object.
- View Dependent Claims (23, 24, 25, 26)
- - 23. A computer program product according to claim 22, further comprising:
    - program code for, when the request includes a version number, selecting the secure object corresponding to the secure identifier and associated with the version number;
      
      program code for, when the request does not include a version number, selecting a current default secure object corresponding to the secure identifier.
  - 24. A computer program product according to claim 22, wherein the secure operation includes encrypting content, and further comprising:
    - program code for encrypting content associated with the request using a determined algorithm and the selected secure object; and
      
      program code for storing information identifying the determined algorithm and the selected secure object in the encrypted content,wherein a computing device having access to the determined algorithm and the selected secure object is able to decrypt the content using the stored information.
  - 25. A computer program product according to claim 22, wherein the information is stored in metadata of the encrypted content.
  - 26. A computer program product according to claim 22, further comprising:
    - program code for changing a current default secure object associated with the secure identifier,wherein the request to perform the secure operation is able to be processed using the secure identifier independent of the change in the current default secure object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Martin, Eric J., Durgin, Cyrus J., Dave, Pratik S.
Primary Examiner(s)
Zee, Edward

Application Number

US12/372,597
Time in Patent Office

1,274 Days
Field of Search

713/193, 713/182, 713/185, 713/189, 713165-167, 713/164, 726/2, 726/5, 726/9, 726/10, 726/6, 726/19, 380277-279, 380/286, 380/45
US Class Current

713/167
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/604   Tools and structures for ma...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

Encryption key management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

114 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Encryption key management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

114 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links