-
Publication number: US10073980B1
Publication date: 2018-09-11
Application number: US15862371
Filing date: 2018-01-04
Applicant: AMAZON TECHNOLOGIES, INC.
Inventor: Nima Sharifi Mehr
CPC classification number: G06F21/604, G06F16/285, G06F16/951, G06F17/2705, G06F21/552, G06F21/554, H04L29/06, H04L63/1441, H04L63/20
Abstract: Techniques are described for determining and mitigating leakage of sensitive data into log data. A message is parsed to identify a first value and a first data classification tag that refers to the first value and indicates sensitive data. Log data is accessed to determine whether the first value is present in the log data. One or more actions are performed based on the first value being present in the log data.
-
Publication number: US10033703B1
Publication date: 2018-07-24
Application number: US14741387
Filing date: 2015-06-16
Applicant: Amazon Technologies, Inc.
Inventor: Nima Sharifi Mehr
Abstract: The present document describes systems and methods that provide pluggable cipher suites. In one embodiment, a client and a server perform a secure transport handshake that negotiates a set of supported cipher suites. The server determines if the cipher suites supported by the client are acceptable. When the server determines that the cipher suites supported by the client are not acceptable, the server provides a pluggable cipher suite to the client. The client runs the pluggable cipher suite in a sandboxed environment, and uses the pluggable cipher suite to add support for one or more additional cipher suites. In some implementations, the pluggable cipher suite is provided by a third-party server.
-
Publication number: US20180198823A1
Publication date: 2018-07-12
Application number: US15917471
Filing date: 2018-03-09
Applicant: Amazon Technologies, Inc.
Inventor: Jesper Mikael Johansson, Darren Ernest Canavor, Jon Arron McClintock, Gregory Branchek Roth, Gregory Alan Rubin, Nima Sharifi Mehr
IPC: H04L29/06
Abstract: A client establishes a network session with a server. The network session is used to establish an encrypted communications session. The client establishes another network session with another server, such as after terminating the first network session. The client resumes the encrypted communications session over the network session with the other server. The other server is configured to receive encrypted communications from the client and forward them to the appropriate server.
-
Publication number: US09992327B1
Publication date: 2018-06-05
Application number: US14147242
Filing date: 2014-01-03
Applicant: Amazon Technologies, Inc.
Inventor: Nima Sharifi Mehr
CPC classification number: H04M1/72577, H04W12/08
Abstract: A user of a mobile device selects data to be shared with other users and engages a lock button installed on the mobile device. As a result of engaging the lock button installed on the mobile device, one or more regions of a display unit installed on the mobile device may be disabled such that the other users cannot access other applications and data stored on the mobile device. If a user attempts to interact with the mobile device after the lock button has been engaged, the user is presented with a PIN input box. Accordingly, a user may input a PIN into the PIN input box that, if correct, causes the one or more regions of the display unit installed on the mobile device to be restored.
-
Publication number: US09973481B1
Publication date: 2018-05-15
Application number: US14741374
Filing date: 2015-06-16
Applicant: Amazon Technologies, Inc.
Inventor: Nima Sharifi Mehr
CPC classification number: H04L63/045, H04L9/32, H04L9/321, H04L63/062, H04L63/10, H04L63/168, H04L2463/062
Abstract: The present document describes systems and methods that, in some situations, improve data security. In one embodiment, communications between a client and a server are encrypted using an envelope-based encryption scheme. The envelope includes a data encryption key reference and data encrypted with the corresponding data encryption key. A data encryption key server maintains a collection of data encryption keys that are accessible using the corresponding data encryption key references. In another embodiment, a storage server maintains stored data using the envelope-based encryption scheme. The stored data is made available to particular clients in encrypted or plaintext form based at least in part on a trust score determined for each client's request. In yet another embodiment, as a result of a secure transport handshake, a client is provided with a pluggable cipher suite.
-
Publication number: US09935769B1
Publication date: 2018-04-03
Application number: US14569612
Filing date: 2014-12-12
Applicant: Amazon Technologies, Inc.
Inventor: Nima Sharifi Mehr
Abstract: Cipher suites and/or other parameters for cryptographic protection of communications are dynamically selected to more closely match the intended uses of the sessions. A client indicates a planned use of a session to a server. The client's indication of the planned use may be explicit or implicit. The server selects an appropriate set of parameters for cryptographic protection of communications based at least in part on the indicated planned use, and the client and server complete a handshake process to establish a cryptographically protected communications session that uses the selected set of parameters.
-
Publication number: US09930067B1
Publication date: 2018-03-27
Application number: US14576146
Filing date: 2014-12-18
Applicant: Amazon Technologies, Inc.
Inventor: Jesper Mikael Johansson, Darren Ernest Canavor, Jon Arron McClintock, Gregory Branchek Roth, Gregory Alan Rubin, Nima Sharifi Mehr
CPC classification number: H04L63/166, H04L63/0281, H04L63/0428, H04L63/0478, H04L63/06, H04L63/123, H04L2463/061
Abstract: A client establishes a network session with a server. The network session is used to establish an encrypted communications session. The client establishes another network session with another server, such as after terminating the first network session. The client resumes the encrypted communications session over the network session with the other server. The other server is configured to receive encrypted communications from the client and forward them to the appropriate server.
-
Publication number: US20180026950A1
Publication date: 2018-01-25
Application number: US15712005
Filing date: 2017-09-21
Applicant: Amazon Technologies, Inc.
Inventor: Muhammad Wasiq, Nima Sharifi Mehr
IPC: H04L29/06
CPC classification number: H04L63/0428, H04L63/0478, H04L63/06, H04L63/061, H04L63/166, H04L63/168
Abstract: A client application cryptographically protects application data using an application-layer cryptographic key. The application-layer cryptographic key is derived from cryptographic material provided by a cryptographically protected network connection. The client exchanges the cryptographically protected application data with a service application via the cryptographically protected network connection. The client and service applications acquire matching application-layer cryptographic keys by leveraging shared secrets negotiated as part of establishing the cryptographically protected network connection. The shared secrets may include information that is negotiated as part of establishing a TLS session such as a pre-master secret, master secret, or session key. The application-layer cryptographic keys may be derived in part by applying a key derivation function, a one-way function or a cryptographic hash function to the shared secret information.
-
Publication number: US20170359329A1
Publication date: 2017-12-14
Application number: US15688692
Filing date: 2017-08-28
Applicant: Amazon Technologies, Inc.
Inventor: Nima Sharifi Mehr, Eric Desmond Keith Villiers
CPC classification number: G06F21/44, G06F21/606, H04L63/126, H04L63/1441
Abstract: A destination server communicates with a computer system using cryptographically protected communications that utilize a first negotiable feature. The destination server detects a triggering event and, in response to the triggering event, causes the cryptographically protected communications with the computer system to change from the first negotiable feature to a second negotiable feature. As a result of stored data indicating that the computer system fails to support the second negotiable feature, the destination server initiates a security measure.
-
Publication number: US09742758B1
Publication date: 2017-08-22
Application number: US13965415
Filing date: 2013-08-13
Applicant: Amazon Technologies, Inc.
Inventor: Nima Sharifi Mehr
CPC classification number: H04L63/0823, H04L63/166, H04L67/141
Abstract: Disclosed are various embodiments for validating the identity of network sites. A communication session is established with a network site using a credential for the network site. A validation of the communication session is generated based at least in part upon a profile for the network site. The profile is derived from at least one previous communication session with the network site. An action is initiated in response to the validation when the validation indicates a discrepancy exists between the profile for the network site and the communication session with the network site.