公开(公告)号：US12218923B1

公开(公告)日：2025-02-04

申请号：US17547909

申请日：2021-12-10

Applicant: Amazon Technologies, Inc.

Inventor： Neha Shetty ,  Steven Collison ,  Andrew Hourselt ,  James Christopher Sorenson, III ,  Douglas Stewart Laurence ,  Colm MacCárthaigh

IPC: H04L9/40 ,  G06F21/60

Abstract: Contents of client-initiated handshake messages of a security protocol are obtained at a handshake processing offloader configured for an application. The offloader uses a first security artifact (which is inaccessible from a front-end request processor of the application) and the contents of the handshake messages to generate a second security artifact. The second security artifact is transmitted to the front-end request processor, which uses it to perform cryptographic operations for client-server interactions of the application.

公开(公告)号：US11831638B1

公开(公告)日：2023-11-28

申请号：US17234372

申请日：2021-04-19

Applicant: Amazon Technologies, Inc.

Inventor： Evgeniy Retyunskiy ,  Colm MacCárthaigh ,  Maciej Broda ,  Matthew Schwartz

IPC: H04L29/06 ,  H04L9/40 ,  H04L9/06 ,  H04L9/32

CPC classification number: H04L63/083 ,  H04L9/0643 ,  H04L9/3218

Abstract: Methods, systems, and computer-readable media for single-packet authorization using proof of work are disclosed. An access control service receives, from a client, a single-packet authorization (SPA) request. The (SPA) request comprises output of a proof-of-work task, wherein completion of the proof-of-work task requires computational resources or memory resources of the client. The access control service performs verification of the output of the proof-of-work task using fewer computational or memory resources of the access control service than were used by the client. In response to determining that verification of the output of the proof-of-work task succeeds, the access control service performs authentication of the SPA request. In response to determining that authentication of the SPA request succeeds, the access control service allows access by the client device to a service.

公开(公告)号：US11146569B1

公开(公告)日：2021-10-12

申请号：US16022509

申请日：2018-06-28

Applicant: Amazon Technologies, Inc.

Inventor： Marc John Brooker ,  Ajay Nair ,  Colm MacCárthaigh

IPC: H04L29/06 ,  G06F9/455 ,  G06F21/33

Abstract: Systems and methods are described for providing escalation-resistant network-accessible services by providing the service through a set of service instances, each executing in an environment with privileges scoped based on a user requesting to access the service. Each service instance can be implemented by code on a serverless code system, executed in response to a user request to access the service. Because the code is executed in an environment with privileges scoped to those of a requesting user, the code itself need not attempt to limit the privileges or a requesting user. For that reason, potential for privilege escalations of the service are reduced, even if vulnerabilities in the code might otherwise allow for such escalations.