公开(公告)号：US20180069844A1

公开(公告)日：2018-03-08

申请号：US15645936

申请日：2017-07-10

Applicant: Amazon Technologies, Inc.

Inventor： Todd Lawrence Cignetti ,  Andrew J. Doane ,  Eric Jason Brandwine ,  Robert Eric Fitzgerald

IPC: H04L29/06 ,  G06F9/455 ,  H04L9/32

CPC classification number: H04L63/061 ,  G06F9/45533 ,  H04L9/3247 ,  H04L63/0428 ,  H04L63/06 ,  H04L63/0876

Abstract: Organizations maintain and generate large amounts of sensitive information using computer hardware resources and services of a service provider. Furthermore, there is a need to be able to delete large amounts of data securely and quickly by encrypting the data with a key and destroying the key. To ensure that information stored remotely is secured and capable of secure deletion, cryptographic keys used by the organization should be prevented from being persistently stored during serialization operations. If the keys used to encrypt the data have not been exposed during serialization operation, they may be deleted or destroyed enabling the destruction of data encrypted with the keys.

公开(公告)号：US20170272417A1

公开(公告)日：2017-09-21

申请号：US15615727

申请日：2017-06-06

Applicant: Amazon Technologies, Inc.

Inventor： Todd Lawrence Cignetti ,  Eric Jason Brandwine ,  Robert Eric Fitzgerald ,  Andrew J. Doane

IPC: H04L29/06 ,  G06F21/62 ,  G06F21/60 ,  G06F9/455 ,  G06F9/48

CPC classification number: H04L63/061 ,  G06F9/45558 ,  G06F9/4812 ,  G06F21/602 ,  G06F21/6218 ,  G06F2221/2101 ,  G06F2221/2143

Abstract: Organizations maintain and generate large amounts of sensitive information using computer hardware resources and services of a service provider. Furthermore, there is a need to be able to delete large amounts of data securely and quickly by encrypting the data with a key and destroying the key. To ensure that information stored remotely is secured and capable of secure deletion, cryptographic keys used by the organization should be prevented from being persistently stored during serialization operations.

公开(公告)号：US20170171191A1

公开(公告)日：2017-06-15

申请号：US14968280

申请日：2015-12-14

Applicant: Amazon Technologies, Inc.

Inventor： Todd Lawrence Cignetti ,  Preston Elder

IPC: H04L29/06

Abstract: A certificate manager for a multi-tenant environment can be authorized to automatically renew a certificate for a customer of the environment. Prior to the end of the validity period of the certificate, the certificate manager can obtain a new certificate on behalf of the customer and notify the customer that the certificate is ready to be deployed. The certificate will not be deployed until the customer releases the hold on the certificate. If no such instruction is received, notifications can be sent to the customer about the upcoming end of the validity period, and those notifications can be sent with increasing frequency. If no notification is received before the validity period is to expire, the certificate manager can automatically deploy the certificate to ensure that a valid certificate remains in place for the customer on the associated resource(s).

公开(公告)号：US09552485B1

公开(公告)日：2017-01-24

申请号：US14520168

申请日：2014-10-21

Applicant: Amazon Technologies, Inc.

Inventor： Todd Lawrence Cignetti ,  Andrew Jeffrey Doane ,  Stefan Popoveniuc ,  Matthew Allen Estes ,  Alexander Edward Schoof ,  Robert Eric Fitzgerald ,  Peter Zachary Bowen

IPC: H04L29/06 ,  G06F21/60 ,  H04L9/32

CPC classification number: G06F21/602 ,  G06F8/65 ,  H04L9/3263

Abstract: A method and apparatus for renewing cryptographic material are disclosed. In the method and apparatus a cryptographic material renewal entity of a computing resource service provider detects that cryptographic material stored by a secure module is to be renewed. Renewing the cryptographic material may include rekeying a private key associated with a certificate. Further, a digital certificate may be renewed, and the renewed certificate may be provided for use by the computing resource. The cryptographic material is used to fulfill requests made by a computing resource provisioned by the computing resource service provider for a customer. The renewed cryptographic material is provided to the secure module, whereby the renewed cryptographic material is used by the secure module to fulfill further requests made by the computing resource.

Abstract translation: 公开了一种更新加密材料的方法和装置。 在方法和装置中，计算资源服务提供者的密码材料更新实体检测到由安全模块存储的密码资料将被更新。 更新加密材料可以包括重新键入与证书相关联的私钥。 此外，可以更新数字证书，并且可以提供更新的证书供计算资源使用。 加密材料用于满足由计算资源服务提供商为客户提供的计算资源所做的请求。 更新的加密材料被提供给安全模块，由此安全模块使用更新的密码材料来完成由计算资源进一步的请求。

公开(公告)号：US20160034298A1

公开(公告)日：2016-02-04

申请号：US14881090

申请日：2015-10-12

Applicant: Amazon Technologies, Inc.

Inventor： Andrew Jeffrey Doane ,  Alexander Edward Schoof ,  Robert Eric Fitzgerald ,  Todd Lawrence Cignetti

IPC: G06F9/455 ,  G06Q30/06

Abstract: A vendor of virtual machine images accesses a virtual computer system service to upload a digitally signed virtual machine image to a data store usable by customers of the virtual computer system service to select an image for creating a virtual machine instance. If a digital certificate is uploaded along with the virtual machine image, the virtual computer system service may determine whether the digital certificate has been trusted for use. If the digital certificate has been trusted for use, the virtual computer system service may use a public cryptographic key to decrypt a hash signature included with the image to obtain a first hash value. The service may additionally apply a hash function to the image itself to obtain a second hash value. If the two hash values match, then the virtual machine image may be deemed to be authentic.

公开(公告)号：US09158909B2

公开(公告)日：2015-10-13

申请号：US14196818

申请日：2014-03-04

Applicant: Amazon Technologies, Inc.

Inventor： Andrew Jeffrey Doane ,  Alexander Edward Schoof ,  Robert Eric Fitzgerald ,  Todd Lawrence Cignetti

IPC: G06F21/00 ,  G06F21/44 ,  H04L29/06

CPC classification number: G06F9/45558 ,  G06F21/44 ,  G06F2009/4557 ,  G06F2009/45587 ,  G06F2009/45595 ,  G06Q30/0601 ,  H04L63/0823 ,  H04L63/20

Abstract: A vendor of virtual machine images accesses a virtual computer system service to upload a digitally signed virtual machine image to a data store usable by customers of the virtual computer system service to select an image for creating a virtual machine instance. If a digital certificate is uploaded along with the virtual machine image, the virtual computer system service may determine whether the digital certificate has been trusted for use. If the digital certificate has been trusted for use, the virtual computer system service may use a public cryptographic key to decrypt a hash signature included with the image to obtain a first hash value. The service may additionally apply a hash function to the image itself to obtain a second hash value. If the two hash values match, then the virtual machine image may be deemed to be authentic.

Abstract translation: 虚拟机映像的供应商访问虚拟计算机系统服务以将数字签名的虚拟机映像上载到由虚拟计算机系统服务的客户可用的数据存储，以选择用于创建虚拟机实例的映像。 如果与虚拟机映像一起上传数字证书，则虚拟计算机系统服务可以确定数字证书是否已被信任以供使用。 如果数字证书被信任使用，则虚拟计算机系统服务可以使用公共密码密钥来解密包含在图像中的散列签名以获得第一哈希值。 该服务可以另外向图像本身应用散列函数以获得第二哈希值。 如果两个散列值匹配，则虚拟机映像可能被认为是真实的。