公开(公告)号：US09722974B1

公开(公告)日：2017-08-01

申请号：US14575906

申请日：2014-12-18

Applicant: Amazon Technologies, Inc.

Inventor： Erik James Fuller ,  Ali Mustafa Nassaje ,  Julie Anne Margaret Sparrow ,  Volker R. A. Tilgner ,  Kerry Michael Wright

IPC: H04L29/06

CPC classification number: H04L63/0428 ,  H04L9/0822 ,  H04L9/0836 ,  H04L9/14 ,  H04L63/061 ,  H04L2209/76

Abstract: A re-encryption service module in a multi-tiered encryption system that manages key rotation policies continuously or periodically re-encrypts data. Each encryption tier in the system can include a node programmed to service encryption, decryption, and/or re-encryption requests and a key store to store encryption keys. A computing node that interfaces with a requesting device may include the re-encryption service module. The re-encryption module may receive encrypted data and a key identifier identifying the key used to encrypt the data. The re-encryption module may decrypt the encrypted data using the identified key, retrieve a new key if the identified key is exhausted, and use the new key to encrypt the decrypted data. The key identifier may be updated to identify the new key and the re-encrypted data and the updated key identifier may be transmitted to the requesting device.

公开(公告)号：US09172532B1

公开(公告)日：2015-10-27

申请号：US14084440

申请日：2013-11-19

Applicant: Amazon Technologies, Inc.

Inventor： Erik James Fuller ,  Adam Blair Kelly ,  KMR Mumit Khan ,  Timothy Peter Munro ,  Andrew Norimasa Nishigaya ,  Kerry Michael Wright

IPC: H04L9/08

CPC classification number: H04L9/0822 ,  H04L9/0894

Abstract: A multi-tiered encryption system efficiently regulates the use of encryption keys to encrypt and decrypt data. The system can include one or more encryption tiers. Each encryption tier can include a computing node programmed to service encryption and/or decryption requests and a key store to store encryption keys. At a root encryption tier, an unencrypted root encryption key can be stored in the key store. Each subsequent encryption tier includes encryption keys that are encrypted by encryption keys stored at a lower encryption tier. The encryption tiers collectively implement an encryption policy in which keys are automatically created and rotated such that a requesting device can request encryption services from the multi-tiered encryption system and receive the encryption services independent of key creation or key rotation and without access to the unencrypted root encryption key.

Abstract translation: 多层加密系统有效地调节使用加密密钥来加密和解密数据。 该系统可以包括一个或多个加密层。 每个加密层可以包括被编程为服务加密和/或解密请求的计算节点和密钥存储器以存储加密密钥。 在根加密层，可以在密钥存储区中存储未加密的根加密密钥。 每个后续加密层包括通过存储在较低加密级别的加密密钥加密的加密密钥。 加密层共同实施加密策略，其中密钥被自动创建和旋转，使得请求设备可以从多层加密系统请求加密服务，并且独立于密钥创建或密钥旋转并且不访问未加密的密钥来接收加密服务 根加密密钥。