-
Publication number: US09756031B1
Publication date: 2017-09-05
Application number: US14513147
Filing date: 2014-10-13
Applicant: Amazon Technologies, Inc.
Inventor: Gregory B. Roth, Cristian M. Ilac, James E. Scharf, Jr., Nathan R. Fitch, Graeme D. Baer, Brian Irl Pratt, Kevin Ross O'Neill
CPC classification number: H04L63/08, G06F21/123, G06Q20/3821, H04L63/0428, H04L67/22
Abstract: Systems and methods provide a storage media on a portable physical object associated with a set of credentials that enables access to a set of computing resources associated with a set of Web services. In some embodiments, information including a set of credentials is prepackaged onto the storage media of the portable physical object. A pre-activated subscription to the set of Web services in a distributed system is provisioned. Access to the set of Web services is enabled when the portable physical object is coupled with a computing device and the set of credentials is authenticated. In some embodiments, the portable physical object is purchased by a user on a prepaid basis without requiring the user to register an account with the set of Web services, allowing the user to remain anonymous with respect to interaction with the set of Web services.
-
Publication number: US09686261B2
Publication date: 2017-06-20
Application number: US14629332
Filing date: 2015-02-23
Applicant: Amazon Technologies, Inc.
Inventor: Gregory B. Roth, Nathan R. Fitch, Kevin Ross O'Neill, Graeme D. Baer, Bradley Jeffery Behm, Brian Irl Pratt
CPC classification number: H04L63/08, G06F21/62, G06F2221/2141, H04L63/10
Abstract: Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.
-
Publication number: US09607162B2
Publication date: 2017-03-28
Application number: US14714982
Filing date: 2015-05-18
Applicant: Amazon Technologies, Inc.
Inventor: Gregory B. Roth, Eric D. Crahen, Graeme D. Baer, Eric J. Brandwine, Nathan R. Fitch
CPC classification number: G06F21/602, G06F9/44505, G06F9/45558, G06F21/606, G06F2009/45587, G06Q30/06, H04L63/0209, H04L63/0428, H04L63/0471, H04L63/08, H04L63/166
Abstract: A support system negotiates secure connections on behalf of multiple guest systems using a set of credentials associated with the guest systems. The operation of the secure connection may be transparent to the guest system, such that the guest system may send and receive messages that are encrypted or decrypted by the support system, such as a hypervisor. As the support system sits between the guest system and a destination, the support system may act as a local endpoint of the secure connection. Messages may be altered by the support system to indicate to a guest system which communications were secured. The credentials may be managed by the support system such that the guest system does not require access to the credentials.
-
Publication number: US20160205110A1
Publication date: 2016-07-14
Application number: US15076264
Filing date: 2016-03-21
Applicant: Amazon Technologies, Inc.
Inventor: Gregory B. Roth, Eric Jason Brandwine, Graeme D. Baer
IPC: H04L29/06
CPC classification number: H04L63/102, G06F9/455, G06F21/31, G06F21/606, H04L63/105, H04L63/20
Abstract: The usage of data in a multi-tenant environment can be controlled by utilizing functionality at the hypervisor level of various resources in the environment. Data can be associated with various tags, security levels, and/or compartments. The ability of resources or entities to access the data can depend at least in part upon whether the resources or entities are also associated with the tags, security levels, and/or compartments. Limitations on the usage of the data can be controlled by one or more policies associated with the tags, security levels, and/or compartments. A control service can monitor traffic to enforce the appropriate rules or policies, and in some cases can prevent encrypted traffic from passing beyond a specified egress point unless the encryption was performed by a trusted resource with the appropriate permissions.
-
Publication number: US20160065549A1
Publication date: 2016-03-03
Application number: US14938403
Filing date: 2015-11-11
Applicant: Amazon Technologies, Inc.
Inventor: Gregory B. Roth, Marc R. Barbour, Bradley Jeffrey Behm, Cristian M. Ilac, Eric Jason Brandwine
IPC: H04L29/06
CPC classification number: H04L63/062, G06F21/64, H04L9/0836, H04L9/321, H04L9/3242, H04L9/3247, H04L63/06, H04L63/08, H04L2209/38, H04L2209/60, H04L2463/061
Abstract: A plurality of keys is obtained, with each obtained key of the plurality of keys being based at least in part on an information set for the plurality of keys and at least one other key distinct from the plurality of keys. A signing key is calculated by inputting a combination of the plurality of keys into a function with the information set for the plurality of keys, and the signing key is used to evaluate whether access to one or more computing resources is to be granted, with the information set preventing access from being granted when a request for the access is submitted out of compliance with the information set for the plurality of keys.
-
Publication number: US20140258732A1
Publication date: 2014-09-11
Application number: US14282386
Filing date: 2014-05-20
Applicant: Amazon Technologies, Inc.
Inventor: Gregory B. Roth, Marc R. Barbour, Bradley Jeffery Behm, Cristian M. Ilac, Eric Jason Brandwine
IPC: G06F21/62
CPC classification number: H04N21/44055, G06F21/60, G06F21/602, G06F21/6218, G06F21/64, H04L9/0819, H04L9/088, H04L9/3242, H04L2209/24, H04L2209/38, H04N21/4627
Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.
-
Publication number: US12113788B2
Publication date: 2024-10-08
Application number: US17087347
Filing date: 2020-11-02
Applicant: Amazon Technologies, Inc.
Inventor: Gregory B. Roth, Nathan R. Fitch, Graeme D. Baer
IPC: H04L9/40, G06F21/35, G06F21/36, H04L9/32, H04Q5/22, H04W12/06, H04W12/30, G06F15/173, H04W12/77, H04W88/02
CPC classification number: H04L63/0838, G06F21/35, G06F21/36, H04L9/3228, H04L9/3234, H04L9/3268, H04L63/061, H04L63/08, H04L63/0853, H04Q5/22, H04W12/06, H04W12/068, H04W12/35, G06F15/173, H04W12/77, H04W88/02
Abstract: In certain embodiments, a web services system receives a request to provision a device, such as a telephone, as an authentication device. The web services system initiates display of an image communicating a key to allow the telephone to capture the image and to send key information associated with the key. The web services system receives the key and determines that the key information is valid. In response to the determination, the web services system sends a seed to the telephone to provision the telephone to be an authentication device. The telephone can use the seed to generate one-time passcodes to access a service of the web services system.
-
Publication number: US20210211419A1
Publication date: 2021-07-08
Application number: US17087347
Filing date: 2020-11-02
Applicant: Amazon Technologies, Inc.
Inventor: Gregory B. Roth, Nathan R. Fitch, Graeme D. Baer
Abstract: In certain embodiments, a web services system receives a request to provision a device, such as a telephone, as an authentication device. The web services system initiates display of an image communicating a key to allow the telephone to capture the image and to send key information associated with the key. The web services system receives the key and determines that the key information is valid. In response to the determination, the web services system sends a seed to the telephone to provision the telephone to be an authentication device. The telephone can use the seed to generate one-time passcodes to access a service of the web services system.
-
Publication number: US10931442B1
Publication date: 2021-02-23
Application number: US16152885
Filing date: 2018-10-05
Applicant: Amazon Technologies, Inc.
Inventor: Gregory B. Roth, Graeme D. Baer, Nathan R. Fitch, Eric D. Crahen, Eric J. Brandwine
Abstract: Client requests may be directed through a secret holding proxy system such that the secret holding proxy system may insert a secret into a client request before arriving at the destination. The insertion of a secret may include inserting a digital signature, token or other information that includes a secret or information based upon a secret, which may include secret exchange or authentication protocols. The secret holding proxy system may also remove secrets and/or transform incoming messages such that the client may transparently receive the underlying content of the message.
-
Publication number: US10911428B1
Publication date: 2021-02-02
Application number: US14634513
Filing date: 2015-02-27
Applicant: Amazon Technologies, Inc.
Inventor: Gregory B. Roth, Kevin Ross O'Neill, Eric Jason Brandwine, Brian Irl Pratt, Bradley Jeffery Behm, Nathan R. Fitch
Abstract: Systems and methods for controlling access to one or more computing resources relate to generating session credentials that can be used to access the one or more computing resources. Access to the computing resources may be governed by a set of policies and requests for access made using the session credentials may be fulfilled depending on whether they are allowed by the set of policies. The session credentials themselves may include metadata that may be used in determining whether to fulfill requests to access the one or more computing resources. The metadata may include permissions for a user of the session credential, claims related to one or more users, and other information.
-