-
Publication No.: US12160519B2
Publication date: 2024-12-03
Application No.: US17465481
Application date: 2021-09-02
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Graeme David Baer
Abstract: A service provider manages access control to multiple services through an authentication system. One or more services are able to fulfill requests at least in part by submitting requests to other services of the service provider. Such a service is able to obtain, from the authentication system, information that can be passed on to one or more other services to enable the one or more other services to determine request validity without having to contact the authentication system. The information may include, for example, one or more responses that the one or more other services would have received had the one or more services contacted the authentication system themselves.
-
Publication No.: US11811950B1
Publication date: 2023-11-07
Application No.: US18086588
Application date: 2022-12-21
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Eric Jason Brandwine
CPC classification number: H04L9/3247, H04L9/0836, H04L9/0841
Abstract: A system that provides responses to requests obtains a key that is used to digitally sign the request. The key is derived from information that is shared with a requestor to which the response is sent. The requestor derives, using the shared information, a key usable to verify the digital signature of the response, thereby enabling the requestor to operate in accordance with whether the digital signature of the response matches the response.
-
Publication No.: US11546169B2
Publication date: 2023-01-03
Application No.: US16440899
Application date: 2019-06-13
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Eric Jason Brandwine
Abstract: A system that provides responses to requests obtains a key that is used to digitally sign the request. The key is derived from information that is shared with a requestor to which the response is sent. The requestor derives, using the shared information, a key usable to verify the digital signature of the response, thereby enabling the requestor to operate in accordance with whether the digital signature of the response matches the response.
-
Publication No.: US11489874B2
Publication date: 2022-11-01
Application No.: US16712587
Application date: 2019-12-12
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Eric Jason Brandwine
Abstract: Custom policies are definable for use in a system that enforces policies. A user, for example, may author a policy using a policy language and transmit the system through an application programming interface call. The custom policies may specify conditions for computing environment attestations that are provided with requests to the system. When a custom policy applies to a request, the system may determine whether information in the attestation is sufficient for the request to be fulfilled.
-
Publication No.: US11429729B2
Publication date: 2022-08-30
Application No.: US16943298
Application date: 2020-07-30
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Eric Jason Brandwine
Abstract: Logical data containers of a data storage system are associated with policies that require data transformation of data to be stored in the logical data containers. When a data object is received to be stored in a logical data container, the data object is transformed in accordance with a policy on the logical data container. Transformation of the data object may include encryption. The logical data container may also be associated with a cryptographic key used to perform a required transformation.
-
Publication No.: US20220166631A1
Publication date: 2022-05-26
Application No.: US17465481
Application date: 2021-09-02
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Graeme David Baer
Abstract: A service provider manages access control to multiple services through an authentication system. One or more services are able to fulfill requests at least in part by submitting requests to other services of the service provider. Such a service is able to obtain, from the authentication system, information that can be passed on to one or more other services to enable the one or more other services to determine request validity without having to contact the authentication system. The information may include, for example, one or more responses that the one or more other services would have received had the one or more services contacted the authentication system themselves.
-
Publication No.: US11290435B2
Publication date: 2022-03-29
Application No.: US15665120
Application date: 2017-07-31
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine, Gregory Branchek Roth
Abstract: Data storage operation commands are digitally signed to enhance data security in a distributed system. A data storage client and a compute-enabled data storage device may share access to a cryptographic key. The data storage client uses the cryptographic key to digitally sign commands transmitted to the data storage device, which can use its copy to verify a digital signature of a command before fulfilling the command. The storage device can also determine whether to perform a transformation, such that requests authenticated to a first identity might receive cleartext while a request authenticated to a second identity might receive ciphertext. The compute-enabled storage device can also receive unauthenticated calls and attempt to retrieve the appropriate key from a key management service or other such source.
-
Publication No.: US11270006B2
Publication date: 2022-03-08
Application No.: US16729759
Application date: 2019-12-30
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Eric Jason Brandwine
IPC: H04L29/08, G06F21/60, H04L67/568, H04L29/06, H04L67/1097
Abstract: A storage device can include processing and cryptographic capability enabling the device to function as a hardware security module (HSM). This includes the ability to encrypt and decrypt data using a cryptographic key, as well as to perform processing using such a key, independent of whether that processing involves data stored on the device. An internal key can be provided to the drive, whether provided before customer software access or received wrapped in another key, etc. That key enables the device to perform secure processing on behalf of a user or entity, where that key is not exposed to other components in the network or environment. A key may have specified tasks that can be performed using that key, and can be discarded after use. In some embodiments, firmware is provided that can cause a storage device to function as an HSM and/or processing device with cryptographic capability.
-
Publication No.: US11245681B2
Publication date: 2022-02-08
Application No.: US15977069
Application date: 2018-05-11
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Eric Jason Brandwine, Bradley Jeffrey Behm
IPC: H04L29/06
Abstract: Techniques are described for enabling a Kerberos-based authentication system to provide a client with access to a plurality of unmodifiable components that require plain text passwords. Such an approach enables a user to sign into a distributed computer system using a single password, and access multiple components that require different passwords without the need to enter a second password. By using Kerberos-based authentication, passwords are not unnecessarily sent throughout the distributed computing system where they may be vulnerable. A proxy key distribution center can be used to manage passwords or other credentials on behalf of various clients, which can be used with various processes discussed herein.
-
Publication No.: US11108777B1
Publication date: 2021-08-31
Application No.: US16431609
Application date: 2019-06-04
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Graeme David Baer, Jacques Daniel Thomas, Nicholas Andrew Gochenaur
Abstract: Functionality is disclosed herein for providing temporary access to a resource. A software product that is executing in response to a request from a customer may access one or more resources of a software provider. The resources that may be accessed by a software product may be identified within an access policy. The customer is prevented from accessing the resource when the software product is not executing.