公开(公告)号：US11190504B1

公开(公告)日：2021-11-30

申请号：US15598185

申请日：2017-05-17

Applicant: Amazon Technologies, Inc.

Inventor： Malcolm Russell Ah Kun ,  Uday Bheema ,  Ankur Goyal ,  Chao Li ,  Alexey A. Nikitin ,  Himesh Pandya ,  Prasanna Subash ,  Zhenghong Sun ,  Nathan Bartholomew Thomas ,  Harshit Kumar Tiwari ,  Venkatesh Velaga ,  Lihao Wang ,  Brian Scott Waters ,  Jeffery David Wells ,  Anand Krishnamoorthy

IPC: H04L29/06 ,  H04L9/32

Abstract: A computer server controls access to a hosted service using digital certificates that are requested from each client attempting to access the service. When a particular client accesses the hosted service, the host service requests a digital certificate from the particular client and issues a challenge message. The particular client signs the challenge message and provides a client digital certificate to the hosted service. The hosted service confirms that the signature on the challenge message matches the client digital certificate, and that the client digital certificate is signed by a trusted entity. Trusted entities are defined by an administrator by uploading, to the hosted service, one or more trusted digital certificates associated with a trusted entities. Using the trusted digital certificates, the hosted service confirms that the digital certificate provided by the particular client is signed by at least one of the trusted entities.

公开(公告)号：US10346618B1

公开(公告)日：2019-07-09

申请号：US15469367

申请日：2017-03-24

Applicant: Amazon Technologies, Inc.

Inventor： Malcolm Russell Ah Kun ,  Anshuk Chakraborty ,  Gopala Krishna Ambareesh ,  Nakul Namdeo Dhande ,  Nathan Bartholomew Thomas ,  Zhenghong Sun ,  Prasanna Subash ,  Salman Aftab Paracha

IPC: G06F21/62 ,  H04L29/06 ,  G06F21/60 ,  H04L9/08 ,  G06F3/06 ,  G06F12/14

Abstract: Virtual workspaces can be provided using shared resources and network-attached storage. A workspace accessed under a customer account has a unique key generated using a combination of a customer master key and an encryption context. The encryption context is specific to the workspace, such as may include a hash of specific values for the workspace. When a new instance is generated, a first data volume is generated using a machine image and data snapshot encrypted under a current encryption key. The snapshot is copied to a new snapshot, and a new encryption key obtained that is based on the customer master key and the current encryption context. The snapshot is used to create a new data volume encrypted under the new encryption key. The new volume is attached to the workspace instance such that data transmitted between the workspace and the new volume is encrypted under the volume-specific encryption key.