Federated key management
US-9705674-B2 · Jul 11, 2017 · US
Federated key management
US10666436B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10666436-B2 |
| Application number | US-201615376451-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 12, 2016 |
| Priority date | Feb 12, 2013 |
| Publication date | May 26, 2020 |
| Grant date | May 26, 2020 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
A system uses information submitted in connection with a request to determine if and how to process the request. The information may be electronically signed by a requestor using a key such that the system processing the request can verify that the requestor has the key and that the information is authentic. The information may include information that identifies a holder of a key needed for processing the request, where the holder of the key can be the system or another, possibly third party, system. Requests to decrypt data may be processed to ensure that a certain amount of time passes before access to the decrypted data is provided, thereby providing an opportunity to cancel such requests and/or otherwise mitigate potential security breaches.
First claim
Opening claim text (preview).
What is claimed is: 1. A first computer system, comprising: one or more processors; and memory including instructions that, when executed by the one or more processors, cause the first computer system to: store a set of one or more keys on the first computer system in association with a first key stored on a third party computer system different than the first computer system; receive a request that requires use of the first key for fulfillment; and as a result of the first key being held by the third party computer system, cause the third party computer system to: use a second key from the set of one or more keys to determine whether the request should be fulfilled; and as a result of determining that the request should be fulfilled, use the first key to perform one or more cryptographic operations. 2. The first computer system of claim 1 , wherein the request specifies that the holder of the first key is the third party computer system. 3. The first computer system of claim 1 , wherein the set of one or more keys includes a subset of administrative keys, each usable for electronic signature verification required for changing the set of one or more keys. 4. The first computer system of claim 1 , wherein the first computer system is hosted by an entity and the entity lacks access to the first key in plaintext form. 5. The first computer system of claim 1 , wherein the request specifies the first key. 6. The first computer system of claim 1 , wherein using the second key from the set of one or more keys to determine whether the request should be fulfilled includes using the second key to verify an electronic signature submitted in connection with the request. 7. One or more computer-readable storage media, having stored thereon instructions that, when executed by one or more processors of a first computer system, cause the first computer system to: associate a set of one or more keys with a first key; use a second key from the set of one or more keys to determine whether to enable fulfillment of a request that requires the use of the first key for fulfillment; and cause a holder of the first key to use the first key in one or more cryptographic operations as a result of determining that fulfillment of the request should be enabled, wherein the holder is a third party computer system different than the first computer system. 8. The one or more computer-readable storage media of claim 7 , wherein the request specifies that the holder of the first key is the third party computer system. 9. The one or more computer-readable storage media of claim 7 , wherein: the request is submitted in connection with request information; the instructions further cause the first computer system to verify that one or more conditions on the request information are satisfied; and satisfaction of the one or more conditions are required for enabling fulfillment of the request. 10. The one or more computer-readable storage media of claim 7 , wherein: the set of one or more keys includes a subset of administrative keys; and each administrative key in the subset of administrative keys is usable to determine whether to fulfill a request to change the set of one or more keys. 11. The one or more computer-readable storage media of claim 10 , wherein changing the set of one or more keys includes adding or removing a key from the set of one or more keys. 12. The one or more computer-readable storage media of claim 7 , wherein the request is submitted in connection with information identifying the holder of the first key. 13. The one or more computer-readable storage media of claim 7 , wherein the holder of the first key is identified based at least in part on a key access annotation, wherein the key access annotation comprises information indicative of a policy for fulfilling the request. 14. A method implemented by a first computer system, comprising: associating a set of one or more keys with a first key; using a second key from the set of one or more keys to determine whether to enable fulfillment of a request that requires the use of the first key for fulfillment; and causing a holder of the first key to use the first key in one or more cryptographic operations as a result of determining that fulfillment of the request should be enabled, wherein the holder of the first key is a third party computer system different than the first computer system. 15. The method of claim 14 , further comprising causing the third party computer system to use a third key to determine whether the request should be fulfilled. 16. The method of claim 14 , wherein: the request is submitted in connection with request information; the instructions further cause the computer system to verify that one or more conditions on the request information are satisfied; and satisfaction of the one or more conditions are required for enabling fulfillment of the request. 17. The method of claim 14 , wherein: the set of one or more keys includes a subset of administrative keys; and each administrative key in the subset of administrative keys is usable to determine whether to fulfill a request to change the set of one or more keys. 18. The method of claim 17 , wherein changing the set of one or more keys includes adding or removing a key from the set of one or more keys. 19. The method of claim 14 , wherein the request is submitted in connection with information identifying the holder of the first key. 20. The method of claim 14 , wherein the first key is associated with information indicative of conditions for fulfilling the request.
Assignees
Inventors
Classifications
involving digital signatures · CPC title
- H04L9/088Primary
Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms (network architectures or network communication protocols for using time-dependent keys in a packet data network H04L63/068) · CPC title
Revocation or update of secret information, e.g. encryption key update or rekeying · CPC title
involving a third party or a trusted authority · CPC title
using a plurality of keys or algorithms · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US10666436B2 cover?
- A system uses information submitted in connection with a request to determine if and how to process the request. The information may be electronically signed by a requestor using a key such that the system processing the request can verify that the requestor has the key and that the information is authentic. The information may include information that identifies a holder of a key needed for pr…
- Who is the assignee on this patent?
- Amazon Tech Inc
- What technology area does this patent fall under?
- Primary CPC classification H04L9/088. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue May 26 2020 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 5 related publications on this page (citations in our corpus or others sharing the same primary CPC).