公开(公告)号：US10223538B1

公开(公告)日：2019-03-05

申请号：US14078336

申请日：2013-11-12

Applicant: Amazon Technologies, Inc.

Inventor： Todd Lawrence Cignetti ,  Robert Eric Fitzgerald ,  Andrew J. Doane ,  Eric Jason Brandwine

IPC: G06F21/60 ,  G06F9/455 ,  G06F21/62

Abstract: Organizations maintain and generate large amounts of sensitive information using computer hardware resources and services of a service provider. Furthermore, there is a need to be able to delete large amounts of data securely and quickly by encrypting the data with a key and destroying the key. To ensure that information stored remotely is secure and capable of secure deletion, cryptographic keys used by the organization should be prevented from being persistently stored during serialization operations. A variety of methods may be used to protect access to keying material and prevent the keying material from being stored persistently.

公开(公告)号：US09680808B2

公开(公告)日：2017-06-13

申请号：US14992980

申请日：2016-01-11

Applicant: Amazon Technologies, Inc.

Inventor： Todd Lawrence Cignetti ,  Eric Jason Brandwine ,  Robert Eric Fitzgerald ,  Andrew J. Doane

IPC: H04L29/06 ,  G06F21/60 ,  G06F9/455 ,  G06F9/48 ,  G06F21/62

CPC classification number: H04L63/061 ,  G06F9/45558 ,  G06F9/4812 ,  G06F21/602 ,  G06F21/6218 ,  G06F2221/2101 ,  G06F2221/2143

Abstract: Organizations maintain and generate large amounts of sensitive information using computer hardware resources and services of a service provider. Furthermore, there is a need to be able to delete large amounts of data securely and quickly by encrypting the data with a key and destroying the key. To ensure that information stored remotely is secured and capable of secure deletion, cryptographic keys used by the organization should be prevented from being persistently stored during serialization operations. Signaling methods are used to notify virtual machine instances of serialization events in order to prevent keying material from being stored persistently.

公开(公告)号：US09525672B2

公开(公告)日：2016-12-20

申请号：US14577232

申请日：2014-12-19

Applicant: Amazon Technologies, Inc.

Inventor： Todd Lawrence Cignetti ,  Peter Zachary Bowen ,  Andrew Jeffrey Doane ,  Alexander Edward Schoof

IPC: G06F21/44 ,  H04L29/06

CPC classification number: H04L63/061 ,  G06F21/44 ,  H04L63/0428 ,  H04L63/0823

Abstract: A compute instance of a virtual computing service (VCS) is assigned first and second cryptographically verifiable identities (CVIs) within respective namespaces. A cryptographic key pair associated with the first CVI includes a non-transferable private key managed by a secure key store which does not permit the private key to be copied. The VCS enables the instance to use the private key for asserting the CVIs. In response to a first identity query, the instance indicates the first CVI. In response to a second identity query, the instance indicates the second CVI.

Abstract translation: 虚拟计算服务（VCS）的计算实例被分配在各个命名空间内的第一和第二密码可验证身份（CVI）。 与第一CVI相关联的加密密钥对包括由不允许复制私钥的安全密钥存储管理的不可转移私钥。 VCS使实例能够使用私钥来断言CVI。 响应于第一个身份查询，该实例指示第一个CVI。 响应于第二个身份查询，该实例指示第二个CVI。

公开(公告)号：US20160112387A1

公开(公告)日：2016-04-21

申请号：US14981804

申请日：2015-12-28

Applicant: Amazon Technologies, Inc

Inventor： Todd Lawrence Cignetti ,  Andrew J. Doane ,  Eric Jason Brandwine ,  Robert Eric Fitzgerald

IPC: H04L29/06 ,  G06F9/455 ,  H04L9/32

CPC classification number: H04L63/061 ,  G06F9/45533 ,  H04L9/3247 ,  H04L63/0428 ,  H04L63/06 ,  H04L63/0876

Abstract: Organizations maintain and generate large amounts of sensitive information using computer hardware resources and services of a service provider. Furthermore, there is a need to be able to delete large amounts of data securely and quickly by encrypting the data with a key and destroying the key. To ensure that information stored remotely is secured and capable of secure deletion, cryptographic keys used by the organization should be prevented from being persistently stored during serialization operations. If the keys used to encrypt the data have not been exposed during serialization operation, they may be deleted or destroyed enabling the destruction of data encrypted with the keys.

Abstract translation: 组织使用服务提供商的计算机硬件资源和服务维护和生成大量敏感信息。 此外，需要能够通过使用密钥加密数据并销毁密钥来安全而快速地删除大量的数据。 为确保远程存储的信息得到保护并能够进行安全删除，组织使用的加密密钥在串行化操作期间应防止持久存储。 如果用于加密数据的密钥在序列化操作期间未被暴露，则可能会删除或破坏数据，从而能够销毁使用密钥加密的数据。

公开(公告)号：US11888997B1

公开(公告)日：2024-01-30

申请号：US16018014

申请日：2018-06-25

Applicant: Amazon Technologies, Inc.

Inventor： Peter Zachary Bowen ,  Todd Lawrence Cignetti ,  Preston Anthony Elder, III ,  Brandonn Gorman ,  Ronald Andrew Hoskinson ,  Jonathan Kozolchyk ,  Kenneth Lawler ,  Marcel Andrew Levy ,  Kyle Benjamin Schultheiss ,  Sandeep Shantharaj ,  Param Sharma ,  Jose Maria Silveira Neto

IPC: H04L9/32 ,  H04L9/08

CPC classification number: H04L9/3268 ,  H04L9/0897 ,  H04L9/3247 ,  H04L9/3297

Abstract: A computing resource service provider provides a certificate management service that allows customers of the computing resource service provider to create, distribute, manage, and revoke digital certificates issued by public and/or private certificate authorities. In an embodiment, customers may use the certificate management service to generate private certificate authority which can issue signed certificates to network entities within the customer enterprise. In an embodiment, the private certificate authority is hosted by the computing resource service provider, and the certificate management service automates the renewal and management of active certificates. In an embodiment, the certificate management service allows customer applications to create, renew, and revoke certificates issued by both private and public certificate authorities via an application programming interface.

公开(公告)号：US10698710B2

公开(公告)日：2020-06-30

申请号：US14881090

申请日：2015-10-12

Applicant: Amazon Technologies, Inc.

Inventor： Andrew Jeffrey Doane ,  Alexander Edward Schoof ,  Robert Eric Fitzgerald ,  Todd Lawrence Cignetti

IPC: H04L29/06 ,  H04L29/08 ,  G06F9/455 ,  G06F21/44 ,  G06Q30/06

Abstract: A vendor of virtual machine images accesses a virtual computer system service to upload a digitally signed virtual machine image to a data store usable by customers of the virtual computer system service to select an image for creating a virtual machine instance. If a digital certificate is uploaded along with the virtual machine image, the virtual computer system service may determine whether the digital certificate has been trusted for use. If the digital certificate has been trusted for use, the virtual computer system service may use a public cryptographic key to decrypt a hash signature included with the image to obtain a first hash value. The service may additionally apply a hash function to the image itself to obtain a second hash value. If the two hash values match, then the virtual machine image may be deemed to be authentic.

公开(公告)号：US10693638B1

公开(公告)日：2020-06-23

申请号：US15367114

申请日：2016-12-01

Applicant: Amazon Technologies, Inc.

Inventor： Todd Lawrence Cignetti ,  Matthew John Campagna

IPC: H04L9/08 ,  H04L9/32 ,  H04L29/06

Abstract: A secret cryptographic key is stored in a protected state. While in the protected state, the secret cryptographic key is encrypted with a plurality of cryptographic keys, each of which is used to re-create the plaintext version of the secret cryptographic key. A service operated by an online service provider creates an isolated network environment containing a bastion computer system in communication with an HSM. After establishing the isolated network environment, the online service provider provides a service provider key to the HSM. An HSM key is present on the HSM, and an administrator key is provided by one or more key administrators. Using the HSM key, the service provider key, and the administrator key, the HSM performs cryptographic operations using the secret cryptographic key. When complete, the isolated network environment is deconstructed and the secret cryptographic key is returned to online storage in a protected state.

公开(公告)号：US10666637B2

公开(公告)日：2020-05-26

申请号：US14968280

申请日：2015-12-14

Applicant: Amazon Technologies, Inc.

Inventor： Todd Lawrence Cignetti ,  Preston Elder

IPC: H04L29/06 ,  H04L9/32 ,  H04L9/08 ,  H04L12/46 ,  H04L12/24

Abstract: A certificate manager for a multi-tenant environment can be authorized to automatically renew a certificate for a customer of the environment. Prior to the end of the validity period of the certificate, the certificate manager can obtain a new certificate on behalf of the customer and notify the customer that the certificate is ready to be deployed. The certificate will not be deployed until the customer releases the hold on the certificate. If no such instruction is received, notifications can be sent to the customer about the upcoming end of the validity period, and those notifications can be sent with increasing frequency. If no notification is received before the validity period is to expire, the certificate manager can automatically deploy the certificate to ensure that a valid certificate remains in place for the customer on the associated resource(s).

公开(公告)号：US10367646B1

公开(公告)日：2019-07-30

申请号：US14520048

申请日：2014-10-21

Applicant: Amazon Technologies, Inc.

Inventor： Todd Lawrence Cignetti ,  Andrew Jeffrey Doane ,  Stefan Popoveniuc ,  Matthew Allen Estes ,  Alexander Edward Schoof ,  Robert Eric Fitzgerald ,  Peter Zachary Bowen

IPC: G06F21/00 ,  H04L29/06 ,  H04L9/32 ,  H04L9/08 ,  G06F11/07 ,  G06F12/14

Abstract: A method and apparatus for distributing cryptographic material are disclosed. In the method and apparatus, cryptographic material is obtained and it is determined that the cryptographic material is to be made available for use by one or more computing resources. The cryptographic material is then sent to one or more secure modules, whereby a secure module of the one or more secure modules is programmatically accessible to a computing resource of the one or more computing resources and programmatic access enables the computing resource to request performance of one or more cryptographic operations using the cryptographic material while exporting the cryptographic material to the computing resource is denied.

公开(公告)号：US10127388B1

公开(公告)日：2018-11-13

申请号：US14469488

申请日：2014-08-26

Applicant: Amazon Technologies, Inc.

Inventor： Stefan Popuveniuc ,  Peter Zachary Bowen ,  Alexander Edward Schoof ,  Andrew Jeffrey Doane ,  Todd Lawrence Cignetti ,  Robert Eric Fitzgerald

IPC: G06F21/60 ,  H04L29/12

Abstract: Techniques are disclosed for mitigating against registering a domain name that is confusingly similar to a pre-existing domain name, possibly for the purpose of fooling users. In embodiments, a domain name is presented for registration. The domain name is rendered as an image, and optical character recognition is performed on the image to extract the rendered text. This extracted text is compared against a list of domain names for which confusingly similar domain names cannot be registered, and when the extracted text matches a domain name in this list of domain names, registration of the domain name is denied.