公开(公告)号：US20200067791A1

公开(公告)日：2020-02-27

申请号：US16672146

申请日：2019-11-01

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  James E. Scharf, JR. ,  Rajiv Ramachandran ,  Anders Samuelsson ,  Keith A. Carlson

IPC: H04L12/24

Abstract: Methods and apparatus for a client account versioning metadata manager for cloud computing environments are disclosed. A system includes a plurality of resources, a plurality of service managers coordinating respective multitenant network-accessible services, and a metadata manager. The metadata manager receives a multi-service account state view request. The metadata manager generates a representation of an administrative state of a client account indicated by the request with respect a plurality of services accessible by the client account, as of a time indicated in the request. The administrative state with respect to a particular service comprises an indication of an assignment to the client account of resources participating in implementation of the particular service.

公开(公告)号：US10313112B2

公开(公告)日：2019-06-04

申请号：US14980033

申请日：2015-12-28

Applicant: Amazon Technologies, Inc.

Inventor： Nathan R. Fitch ,  Gregory B. Roth ,  Graeme D. Baer

IPC: H04L9/08 ,  H04L9/32 ,  H04L29/06 ,  H04L29/08

Abstract: Authenticated requests can be sent without requiring the requests to include or potentially expose secret information used for the authentication process. A client device use a security credential such as a key to sign a request to be sent to a recipient. When the request is received, the recipient determines whether the request was signed using the correct key for the sender. In some embodiments a client token is included with the request that statelessly encodes the key, enabling a recipient capable of decoding the client token to determine the key and compare that key to the signature of the request. The sender can store the secret information in a secure location, such as a browser security module, such that the secret information is not exposed to the browser or script executing on the client device.

公开(公告)号：US10110579B2

公开(公告)日：2018-10-23

申请号：US14834218

申请日：2015-08-24

Applicant: Amazon Technologies, Inc.

Inventor： Nathan R. Fitch ,  Gregory B. Roth ,  Graeme D. Baer

IPC: G06F21/30 ,  H04L9/32 ,  H04L29/06 ,  H04L9/08 ,  G06F21/31

Abstract: Authenticated requests can be sent without requiring the requests to include or potentially expose secret information used for the authentication process. A client device use a security credential such as a key to sign a request to be sent to a recipient. When the request is received, the recipient determines whether the request was signed using the correct key for the sender. In some embodiments a client token is included with the request that statelessly encodes the key, enabling a recipient capable of decoding the client token to determine the key and compare that key to the signature of the request. The sender can store the secret information in a secure location, such as a browser security module, such that the secret information is not exposed to the browser or script executing on the client device.

公开(公告)号：US09872067B2

公开(公告)日：2018-01-16

申请号：US15063331

申请日：2016-03-07

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Marc R. Barbour ,  Bradley Jeffery Behm ,  Cristian M. Ilac ,  Eric Jason Brandwine

IPC: G06F21/00 ,  H04N21/4405 ,  G06F21/60 ,  G06F21/62 ,  G06F21/64 ,  H04L9/08 ,  H04L9/32 ,  H04N21/4627

CPC classification number: H04N21/44055 ,  G06F21/60 ,  G06F21/602 ,  G06F21/6218 ,  G06F21/64 ,  H04L9/0819 ,  H04L9/088 ,  H04L9/3242 ,  H04L2209/24 ,  H04L2209/38 ,  H04N21/4627

Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.

公开(公告)号：US20170272423A1

公开(公告)日：2017-09-21

申请号：US15610295

申请日：2017-05-31

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Nathan R. Fitch ,  Kevin Ross O'Neill ,  Graeme D. Baer ,  Bradley Jeffery Behm ,  Brian Irl Pratt

IPC: H04L29/06 ,  G06F21/62

CPC classification number: H04L63/08 ,  G06F21/62 ,  G06F2221/2141 ,  H04L63/10

Abstract: Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.

公开(公告)号：US09727743B1

公开(公告)日：2017-08-08

申请号：US15012639

申请日：2016-02-01

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Nathan R. Fitch ,  Bradley Jeffery Behm ,  Patrick J. Ward ,  Graeme D. Baer ,  Eric Jason Brandwine

IPC: G06F21/62 ,  G06F21/60 ,  G06F17/30

CPC classification number: G06F21/6227 ,  G06F17/30389 ,  G06F17/30427 ,  G06F17/30477 ,  G06F21/602 ,  G06F21/6218 ,  H04L9/3247 ,  H04L9/3263

Abstract: A database access system may protect a field by storing the field as one or more underlying fields within a database. The database engine may not have access to keys used to protect the underlying fields within the database, such as by encryption, while the database access system may have access to the keys. Underlying fields may be used to store protected data and aid in the querying of protected data. The database access system may modify queries to use the underlying fields, which may include encrypting query terms and/or modifying query terms to fit the use of the underlying fields. The database access system may modify query results to match the format of the original query, which may include decrypting protected results and/or removing underlying fields.

公开(公告)号：US10341359B2

公开(公告)日：2019-07-02

申请号：US14822586

申请日：2015-08-10

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Cristian M. Ilac

IPC: H04L9/08 ,  H04L29/06

Abstract: Secret information, such as seeds, codes, and keys, can be automatically renegotiated between at least one sender and at least one recipient. Various mechanisms, such as counters, events, or challenges, can be used to trigger automatic renegotiations through various requests or communications. These changes can cause the current secret information to diverge from older copies of the secret information that might have been obtained by unintended third parties. In some embodiments, a secret can be configured to “decay” over time, or have small changes periodically introduced that can be determined to be valid by an authorized party, but can reduce the effectiveness of prior versions of the secret information.

公开(公告)号：US10044503B1

公开(公告)日：2018-08-07

申请号：US14542492

申请日：2014-11-14

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Marc R. Barbour ,  Bradley Jeffery Behm ,  Cristian M. Ilac ,  Eric Jason Brandwine

IPC: H04L9/08 ,  H04L9/14

Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.

公开(公告)号：US20170331808A1

公开(公告)日：2017-11-16

申请号：US15601914

申请日：2017-05-22

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Graeme D. Baer

IPC: H04L29/06 ,  H04L9/08 ,  G06F21/62

CPC classification number: H04L63/08 ,  G06F21/31 ,  G06F21/45 ,  G06F21/6218 ,  H04L9/0861 ,  H04L9/0863 ,  H04L9/3228 ,  H04L63/06 ,  H04L63/083 ,  H04L2463/061

Abstract: A credential, such as a password, for an entity is used to generate multiple keys. The generated keys are distributed to credential verification systems to enable the credential verification systems to perform authentication operations. The keys are generated such that access to a generated key allows for authentication with a proper subset of the credential verification systems. Thus, unauthorized access to information used by one authentication system does not, by itself, allow for successful authentication with other authentication systems.

公开(公告)号：US20170223014A1

公开(公告)日：2017-08-03

申请号：US15488357

申请日：2017-04-14

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Nathan R. Fitch ,  Graeme D. Baer

IPC: H04L29/06 ,  H04L9/32

Abstract: In certain embodiments, a web services system receives a request to provision a device, such as a telephone, as an authentication device. The web services system initiates display of an image communicating a key to allow the telephone to capture the image and to send key information associated with the key. The web services system receives the key and determines that the key information is valid. In response to the determination, the web services system sends a seed to the telephone to provision the telephone to be an authentication device. The telephone can use the seed to generate one-time passcodes to access a service of the web services system.