公开(公告)号：US20180054309A1

公开(公告)日：2018-02-22

申请号：US15798117

申请日：2017-10-30

Applicant: Amazon Technologies, Inc.

Inventor： Matthew John Campagna

IPC: H04L9/32 ,  H04L9/08

CPC classification number: H04L9/0637 ,  H04L9/0822 ,  H04L9/3234 ,  H04L9/3242 ,  H04L9/3271

Abstract: Data security is enhanced by receiving a request that identifies an encrypted data key, an authentication tag, and additional authenticated data that includes at least a nonce. In some cases, the authentication tag is cryptographically derivable from the encrypted data key and the additional authenticated data. A system, in some cases, determines whether the nonce is authentic and decrypts the encrypted data key by using at least a cryptographic key and the nonce, thereby resulting in a plaintext data key that is usable in various contexts.

公开(公告)号：US20170171174A1

公开(公告)日：2017-06-15

申请号：US14967214

申请日：2015-12-11

Applicant: Amazon Technologies, Inc.

Inventor： Matthew John Campagna

IPC: H04L29/06

CPC classification number: H04L63/062 ,  H04L9/083 ,  H04L9/0841 ,  H04L9/321 ,  H04L9/3263 ,  H04L63/0442 ,  H04L63/061 ,  H04L63/0876 ,  H04L63/166

Abstract: Clients within a computing environment may establish a secure communication session. Sometimes, a client may trust a cryptography service to perform some cryptographic operations and access some cryptographic resources while simultaneously not trusting the cryptography service to perform other operations and access other resources. Two or more clients may utilize a cryptography service to perform certain authentication and verification operations to establish a secure communication session, while simultaneously denying the cryptography service access to the secure communication session.

公开(公告)号：US09602288B1

公开(公告)日：2017-03-21

申请号：US14672029

申请日：2015-03-27

Applicant: Amazon Technologies, Inc.

Inventor： Andrew Paul Mikulski ,  Gregory Branchek Roth ,  Matthew John Campagna

IPC: H04L9/32 ,  G06F21/57

CPC classification number: H04L63/1433 ,  G06F21/577 ,  G06F21/602 ,  H04L9/088 ,  H04L9/3247 ,  H04L9/3252

Abstract: A system records use of values used in cryptographic algorithms where the values are subject to uniqueness constraints. As new values are received, the system checks whether violations of a unique constraint has occurred. If a violation occurs, the system performs actions to mitigate potential compromise caused by exploitation of a vulnerability caused by violation of the uniqueness constraint.

公开(公告)号：US20160323110A1

公开(公告)日：2016-11-03

申请号：US15204927

申请日：2016-07-07

Applicant: Amazon Technologies, Inc.

Inventor： Matthew John Campagna ,  Gregory Branchek Roth

IPC: H04L9/32 ,  G06F12/14 ,  H04L29/06

Abstract: A new version of a structured collection of information, different from a previous version, of a cryptographic domain is created. The new version is created to be verifiable as a valid successor to the previous version and to specify a new set of quorum rules, with the new set of quorum rules defining one or more conditions to be fulfilled by a plurality of operators as conditions precedent to update the structured collection. The new version is provided to the plurality of operators. Digital signatures corresponding to the new version are obtained, and, as a result of the digital signatures received fulfilling the one or more conditions defined by a previous set of quorum rules specified by the previous version, the new version is caused to replace the previous version.

Abstract translation: 创建了与旧版本不同的加密域的新版本的结构化信息集合。 新版本被创建为可验证为先前版本的有效后继者，并指定一组新的仲裁规则，新的一组法定规则定义一个或多个条件由多个运营商履行，作为先决条件的先决条件 更新结构化集合。 新版本被提供给多个操作者。 获得对应于新版本的数字签名，并且由于接收的数字签名符合由先前版本规定的先前的一组法定规则所定义的一个或多个条件，导致新版本替换以前的版本 。

公开(公告)号：US09438421B1

公开(公告)日：2016-09-06

申请号：US14318375

申请日：2014-06-27

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew John Campagna ,  Benjamin Elias Seidenberg

IPC: H04L9/08

CPC classification number: H04L9/0891 ,  H04L9/088 ,  H04L9/14 ,  H04L63/065

Abstract: A system and method for receiving requests for performing cryptographic operations with a virtual key having a plurality of actual keys associated with the virtual key, determining which actual key of the plurality of actual keys to use for the cryptographic operation, performing the cryptographic operation using the actual key, and providing the result of performing the cryptographic operation.

Abstract translation: 一种用于接收使用具有与所述虚拟键相关联的多个实际键的虚拟键执行加密操作的请求的系统和方法，确定用于所述密码操作的所述多个实际密钥中的哪个实际密钥，使用所述密码操作 实际密钥，并提供执行密码操作的结果。

公开(公告)号：US09407437B1

公开(公告)日：2016-08-02

申请号：US14225243

申请日：2014-03-25

Applicant: Amazon Technologies, Inc.

Inventor： Matthew John Campagna

IPC: H04L9/28 ,  H04L9/14 ,  H04L9/16 ,  H04L9/06 ,  H04L9/08 ,  H04L29/06 ,  H04L9/30

CPC classification number: H04L9/16 ,  G06F21/602 ,  H04L9/0618 ,  H04L9/0637 ,  H04L9/0643 ,  H04L9/0816 ,  H04L9/14 ,  H04L9/30 ,  H04L9/3239 ,  H04L9/3242 ,  H04L63/0428 ,  H04L63/06 ,  H04L63/123

Abstract: A plaintext and cryptographic key are used to generate an initialization vector to be used in a cryptographic algorithm, such as an encryption algorithm. In some examples, the plaintext and cryptographic key are input into an effectively one-way function, such as a cryptographic hash function, the output of which is usable as an initialization vector. Cryptographic keys may be rotated probabilistically based at least in part on probabilities of output collisions of the effectively one-way function to ensure a low probability of two different plaintexts resulting in calculation of the same initialization vector for use with the same cryptographic key.

Abstract translation: 使用明文和密码密钥来产生要用于密码算法（例如加密算法）中的初始化向量。 在一些示例中，明文和密码密钥被输入到有效的单向函数中，例如密码散列函数，其输出可用作初始化向量。 密码密钥可以至少部分地基于有效单向函数的输出冲突的概率来概率地旋转，以确保两个不同明文的低概率，导致计算与相同加密密钥一起使用的相同的初始化向量。

公开(公告)号：US11620387B2

公开(公告)日：2023-04-04

申请号：US17321356

申请日：2021-05-14

Applicant: Amazon Technologies, Inc.

Inventor： Matthew John Campagna ,  Gregory Alan Rubin ,  Eric Jason Brandwine ,  Nicholas Alexander Allen ,  Andrew Kyle Driggs

IPC: G06F21/57 ,  H04L9/40 ,  H04L9/32 ,  H04L9/08 ,  G06F21/64 ,  H04L9/14 ,  H04L67/01

Abstract: A service provider provides virtual computing services using a fleet of one or more host computer systems. Each of the host computer systems may be equipped with a trusted platform module (“TPM”). The service provider, the host computer systems, and the virtual computing environments generate attestations that prove the integrity of the system. The attestations are signed with a one-time-use cryptographic key that is verifiable against the public keys of the service provider, a host computer system, and a virtual computing environment. The public key of the host computer system is integrated into a hash tree that links the public key of the host computer system to the public key of the service provider. The public key of the virtual computing environment is signed using a one-time-use graphic key issued to the host computer system that hosts the virtual computing environment.

公开(公告)号：US11599655B1

公开(公告)日：2023-03-07

申请号：US16138875

申请日：2018-09-21

Applicant: Amazon Technologies, Inc.

Inventor： Xianrui Jeri Meng ,  Matthew John Campagna

IPC: G06F21/62 ,  H04L9/06 ,  H04L9/08 ,  G06K9/62 ,  G06F16/907 ,  G06Q50/00

Abstract: A first entity having a first set of tagged data and a second entity having a second set of tagged data share data that is selected based on a set of common tags present in both the first and second sets of tagged data. The set of common tags is determined using a private set intersection protocol that, in many examples, preserves the privacy of the two entities. In an embodiment, each entity identifies a set of data objects associated with the set of common tags, and another private set intersection protocol is performed to identify a set of common data objects available to both entities. Each entity provides, to the other entity, those data objects associated with the set of common tags that are not in the set of common data objects available to both entities thereby providing a matching set of data objects to both entities.

公开(公告)号：US11368300B2

公开(公告)日：2022-06-21

申请号：US16812085

申请日：2020-03-06

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew John Campagna ,  Benjamin Elias Seidenberg

IPC: H04L9/08 ,  H04L29/06 ,  H04L9/14 ,  H04L9/40

Abstract: A request to perform a cryptographic operation is received, the request including a first identifier assigned to a key group, the key group comprising a plurality of second identifiers, with the plurality of second identifiers corresponding to a plurality of cryptographic keys. A second identifier is determined, according to a distribution scheme, from the plurality of second identifiers, and the cryptographic operation is performed using a cryptographic key of the plurality of cryptographic keys that corresponds to the second identifier that was determined.

公开(公告)号：US10834117B2

公开(公告)日：2020-11-10

申请号：US15451204

申请日：2017-03-06

Applicant: Amazon Technologies, Inc.

Inventor： Andrew Paul Mikulski ,  Gregory Branchek Roth ,  Matthew John Campagna

IPC: H04L29/06 ,  H04L9/32 ,  G06F21/57 ,  H04L9/08 ,  G06F21/60

Abstract: A system records use of values used in cryptographic algorithms where the values are subject to uniqueness constraints. As new values are received, the system checks whether violations of a unique constraint has occurred. If a violation occurs, the system performs actions to mitigate potential compromise caused by exploitation of a vulnerability caused by violation of the uniqueness constraint.