公开(公告)号：US09172532B1

公开(公告)日：2015-10-27

申请号：US14084440

申请日：2013-11-19

Applicant: Amazon Technologies, Inc.

Inventor： Erik James Fuller ,  Adam Blair Kelly ,  KMR Mumit Khan ,  Timothy Peter Munro ,  Andrew Norimasa Nishigaya ,  Kerry Michael Wright

IPC: H04L9/08

CPC classification number: H04L9/0822 ,  H04L9/0894

Abstract: A multi-tiered encryption system efficiently regulates the use of encryption keys to encrypt and decrypt data. The system can include one or more encryption tiers. Each encryption tier can include a computing node programmed to service encryption and/or decryption requests and a key store to store encryption keys. At a root encryption tier, an unencrypted root encryption key can be stored in the key store. Each subsequent encryption tier includes encryption keys that are encrypted by encryption keys stored at a lower encryption tier. The encryption tiers collectively implement an encryption policy in which keys are automatically created and rotated such that a requesting device can request encryption services from the multi-tiered encryption system and receive the encryption services independent of key creation or key rotation and without access to the unencrypted root encryption key.

Abstract translation: 多层加密系统有效地调节使用加密密钥来加密和解密数据。 该系统可以包括一个或多个加密层。 每个加密层可以包括被编程为服务加密和/或解密请求的计算节点和密钥存储器以存储加密密钥。 在根加密层，可以在密钥存储区中存储未加密的根加密密钥。 每个后续加密层包括通过存储在较低加密级别的加密密钥加密的加密密钥。 加密层共同实施加密策略，其中密钥被自动创建和旋转，使得请求设备可以从多层加密系统请求加密服务，并且独立于密钥创建或密钥旋转并且不访问未加密的密钥来接收加密服务 根加密密钥。

公开(公告)号：US09722974B1

公开(公告)日：2017-08-01

申请号：US14575906

申请日：2014-12-18

Applicant: Amazon Technologies, Inc.

Inventor： Erik James Fuller ,  Ali Mustafa Nassaje ,  Julie Anne Margaret Sparrow ,  Volker R. A. Tilgner ,  Kerry Michael Wright

IPC: H04L29/06

CPC classification number: H04L63/0428 ,  H04L9/0822 ,  H04L9/0836 ,  H04L9/14 ,  H04L63/061 ,  H04L2209/76

Abstract: A re-encryption service module in a multi-tiered encryption system that manages key rotation policies continuously or periodically re-encrypts data. Each encryption tier in the system can include a node programmed to service encryption, decryption, and/or re-encryption requests and a key store to store encryption keys. A computing node that interfaces with a requesting device may include the re-encryption service module. The re-encryption module may receive encrypted data and a key identifier identifying the key used to encrypt the data. The re-encryption module may decrypt the encrypted data using the identified key, retrieve a new key if the identified key is exhausted, and use the new key to encrypt the decrypted data. The key identifier may be updated to identify the new key and the re-encrypted data and the updated key identifier may be transmitted to the requesting device.

公开(公告)号：US09053343B1

公开(公告)日：2015-06-09

申请号：US13677212

申请日：2012-11-14

Applicant: Amazon Technologies, Inc.

Inventor： Erik James Fuller ,  David Everard Brown ,  James Alfred Gordon Greenfield ,  Peter Nicholas DeSantis

IPC: G06F21/00 ,  H04L29/06 ,  G06F21/62 ,  H04W12/04 ,  H04W12/06

CPC classification number: G06F21/6227 ,  G06F21/604 ,  G06F21/6263 ,  G06F2221/0711 ,  G06F2221/2101 ,  G06F2221/2153

Abstract: Methods and systems for allowing system administrators to effectively debug access control issues experience by users without comprising security. In some embodiment, when a user's request to access services provided by a service provider is denied, the user may be issued a token that encodes some of debugging information useful for determining the cause of the denial of access. The debugging information may be encoded such that it is inaccessible to the user. Subsequently, the user may give the token to an administrator. The administrator may submit the token to the service provider, which may decode the token and provide the administrator access to debugging information that is useful for debugging access control policies causing the denial of access.

Abstract translation: 允许系统管理员有效地调试用户的访问控制问题体验的方法和系统，而不包括安全性。 在一些实施例中，当用户访问由服务提供商提供的服务的请求被拒绝时，可以向用户发出令牌，该令牌对一些调试信息进行编码，这些调试信息有助于确定拒绝访问的原因。 可以对调试信息进行编码，使得用户不可访问调试信息。 随后，用户可以将令牌给予管理员。 管理员可以将令牌提交给服务提供商，该服务提供商可以对令牌进行解码，并向管理员提供访问对调试访问控制策略造成拒绝访问有用的调试信息。