Credential management

US9319392B1 · US · B1

Patent metadata
Publication number: US-9319392-B1
Application number: US-201314040373-A
Country: US
Kind code: B1
Filing date: Sep 27, 2013
Priority date: Sep 27, 2013
Publication date: Apr 19, 2016
Grant date: Apr 19, 2016


Abstract

Official abstract text for this publication.

A credential management system is described that provides a way to disable and/or rotate credentials, such as when a credential is suspected to have been compromised, while minimizing potential impact to various systems that may depend on such credentials. The credentials may be disabled temporarily at first and the availability of various resources is monitored for changes. If no significant drop of availability in the resources has occurred, the credential may be disabled for a longer period of time. In this manner, the credentials may be disabled and re-enabled for increasingly longer time intervals until it is determined with sufficient confidence/certainty that disabling the credential will not adversely impact critical systems, at which point the credential can be rotated and/or permanently disabled. This process also enables the system to determine which systems are affected by a credential in cases where such information is not known.

First claim

Opening claim text (preview).

What is claimed is:

1. A computer implemented method, comprising: at a credential management system including at least one processor and memory, the memory communicatively coupled to the processor and storing instructions, the at least one processor executing the instructions to perform the operations of: identifying a set of credentials, each credential of the set of credentials capable of being used to authenticate a corresponding user of the credential against one or more computer-based authentication systems in order to access one or more first computing resources in a distributed computing environment; detecting that a suspect credential to be rotated was not rotated within a determined period of time; temporarily disabling the suspect credential; monitoring, while the suspect credential is disabled, an availability of one or more second computing resources related to the suspect credential; re-enabling the suspect credential, using the at least one processor of the credential management system, in response to at least one of the availability remaining substantially unchanged or an expiration of a first time interval; disabling the suspect credential for a second time interval that is longer than the first time interval in response to determining that the availability of the one or more second computing resources remained at least at a minimum threshold while the suspect credential was temporarily disabled; detecting that the availability of the one or more second computing resources decreased under the minimum threshold during at least one of the first time interval or the second time interval; and re-enabling the suspect credential.

2. The computer implemented method of claim 1, further comprising: arranging the set of credentials based on criticality of permissions associated with each credential of the set of credentials; and selecting one credential of the set of credentials as the suspect credential based on the criticality of permissions.

3. The computer implemented method of claim 2, further comprising: generating a notification for the corresponding user of the suspect credential, wherein the notification includes instructions to rotate the suspect credential.

4. A computer implemented method, comprising: at a credential management system including at least one processor and memory, the memory communicatively coupled to the processor and storing instructions, the at least one processor executing the instructions to perform the operations of: identifying a set of credentials, each credential of the set of credentials capable of being used to authenticate a user of the credential against one or more authentication systems in order to access one or more first computing resources in a distributed computing environment; determining that a suspect credential to be rotated was not rotated within a determined period of time; temporarily disabling the suspect credential; monitoring, while the suspect credential is disabled, an availability of one or more second computing resources related to the suspect credential; re-enabling the suspect credential in response to at least one of the availability remaining substantially unchanged or an expiration of a first time interval; disabling the suspect credential for a second time interval that is longer than the first time interval in response to determining that the availability of the one or more second computing resources remained at least at a minimum threshold while the suspect credential was temporarily disabled; and permanently disabling the suspect credential if the availability of the one or more second computing resources remains at least at the minimum threshold during both the first time interval and the second time interval.

5. A non-transitory computer-readable storage medium storing instructions that, when executed by at least one processor of a computing system, cause the computing system to: monitor an availability of one or more computing resources accessible using a credential, the credential capable of being used to authenticate against one or more authentication systems to access the one or more first computing resources; disable use of the credential; and determine a change in the availability of one or more second computing resources related to the credential after disabling use of the credential; determine that the availability of the one or more second computing resources remained at least at a minimum threshold during a first time interval during which use of the credential was disabled; disable the credential for a second time interval that is longer than the first time interval; determine that the availability of the one or more second computing resources remained at least at the minimum threshold during at least the first time interval and the second time interval; and permanently disable the credential.

6. The non-transitory computer-readable storage medium of claim 5, wherein the instructions when executed further cause the computing system to: re-enable the credential in response to at least one of the availability remaining substantially unchanged or an expiration of a first time interval.

7. The non-transitory computer-readable storage medium of claim 5, wherein the instructions when executed to cause the computing system to monitor the availability of the one or more computing resources, further cause the computing system to: determine an availability of the one or more second computing resources based at least in part on information contained in one or more logs.

8. The non-transitory computer-readable storage medium of claim 5, wherein the credential includes at least one of: a username, a password, or a public key infrastructure (PKI) certificate.

9. The non-transitory computer-readable storage medium of claim 5, wherein the instructions when executed further cause the computing system to: identify a plurality of credentials that are likely to have been compromised by executing automated searches across one or more specified locations.

10. The non-transitory computer-readable storage medium of claim 5, wherein the instructions when executed further cause the computing system to: identify at least one user using the credential and at least one first computing resource that is being accessed by the user using the credential.

11. A non-transitory computer-readable storage medium storing instructions that, when executed by at least one processor of a computing system, cause the computing system to: monitor an availability of one or more computing resources accessible using a credential, the credential capable of being used to authenticate against one or more authentication systems to access the one or more first computing resources; disable use of the credential; determine a change in the availability of one or more second computing resources related to the credential after disabling use of the credential; detect, in response to use of the credential being disabled, that the availability of a critical second resource has decreased below the minimum threshold; and re-enable the credential in response to detecting that the availability of the critical second resource has decreased.

12. A computing system, comprising: at least one processor; and memory including instructions that, when executed by the at least one processor, cause the computing system to: temporarily disable a credential, the credential capable of being used to authenticate against one or more authentication systems to access one or more first computing resources; monitor an availability of one or more second computing resources related to the credential; and determine a c
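The escalating disable-and-monitor loop described in the abstract and in claims 1, 4, 5 and 11, written out as an added simulation. This is not Amazon's implementation and is not taken from the patent's description; the class names, the "tick resource status" log format, the disable windows (1, 3, 9 ticks) and the 0.95 availability threshold are assumptions made for the example. The dependency table is constructed data: the rotation logic never reads it directly and only sees the access logs the environment emits, which is the log-derived availability of claim 7.

```python
"""Escalating disable-and-monitor credential rotation (US9319392B1, claims 1/4/5/11).

Added example, not Amazon's code. Names, log format, window lengths and the
threshold are assumptions; the dependency table is constructed test data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

MIN_THRESHOLD = 0.95          # assumed minimum acceptable availability
INTERVALS = (1, 3, 9)         # disable windows in ticks, each longer than the last


@dataclass
class Credential:
    name: str
    criticality: int          # higher = broader permissions (claim 2 ordering)
    enabled: bool = True
    permanently_disabled: bool = False


class Environment:
    """Toy fleet: each resource secretly depends on a set of credentials.

    `dependencies` is constructed data. The rotation logic below must not read
    it; it only gets the access-log lines that run() emits (claim 7).
    """

    def __init__(self, dependencies: Dict[str, Set[str]]):
        self.dependencies = dependencies

    def run(self, credentials: Dict[str, Credential], ticks: int) -> List[str]:
        """Emit one '<tick> <resource> <ok|fail>' line per resource per tick."""
        lines = []
        for t in range(ticks):
            for resource, needs in self.dependencies.items():
                broken = any(not credentials[c].enabled for c in needs)
                lines.append(f"{t} {resource} {'fail' if broken else 'ok'}")
        return lines


def availability_from_logs(log_lines: List[str]) -> Dict[str, float]:
    """Per-resource availability = ok / (ok + fail), derived only from logs."""
    ok: Dict[str, int] = {}
    total: Dict[str, int] = {}
    for line in log_lines:
        _, resource, status = line.split()
        total[resource] = total.get(resource, 0) + 1
        ok[resource] = ok.get(resource, 0) + (status == "ok")
    return {r: ok[r] / total[r] for r in total}


def escalating_disable(cred: Credential, env: Environment,
                       creds: Dict[str, Credential],
                       intervals=INTERVALS, threshold=MIN_THRESHOLD) -> dict:
    """Disable `cred` for increasingly longer windows while watching availability.

    - window passes with availability >= threshold: re-enable, try a longer one
    - availability drops below threshold: re-enable at once and report the
      resources that degraded (claims 1 and 11); these are the hidden dependants
    - every window passes: permanently disable, i.e. safe to rotate (claims 4, 5)
    """
    for i, window in enumerate(intervals):
        cred.enabled = False
        availability = availability_from_logs(env.run(creds, window))
        cred.enabled = True                       # re-enable on window expiry
        degraded = {r for r, a in availability.items() if a < threshold}
        if degraded:
            return {"outcome": "dependency_found", "windows_completed": i,
                    "affected": sorted(degraded)}
    cred.enabled = False
    cred.permanently_disabled = True
    return {"outcome": "permanently_disabled",
            "windows_completed": len(intervals), "affected": []}


def demo() -> Dict[str, dict]:
    """Constructed scenario: 'build-bot' still quietly uses the stale deploy key."""
    creds = {c.name: c for c in [
        Credential("deploy-key", criticality=9),
        Credential("readonly-token", criticality=2),
    ]}
    env = Environment({
        "api-gateway": set(),
        "build-bot": {"deploy-key"},          # undocumented dependency
        "metrics": set(),
    })
    # claim 2: work through candidates most-critical first
    order = sorted(creds.values(), key=lambda c: c.criticality, reverse=True)
    return {c.name: escalating_disable(c, env, creds) for c in order}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In the scenario above the deploy key is flagged as still in use by build-bot on the very first window and is handed back, while the unused read-only token survives all three windows and is permanently disabled. The practitioner caveat the growing windows are there for: real dependants hide behind cached tokens, long-lived sessions and connection pools, so a window shorter than those lifetimes produces a false "no drop" and the later, longer windows are what actually establish confidence before rotation.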

Assignees

Amazon Tech Inc

Inventors

Classifications

  • H04L63/08 (primary) · for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32) · CPC title

  • for detecting or protecting against malicious traffic · CPC title

  • Applying verification of the received information (cryptographic mechanisms or cryptographic arrangements for data integrity or data verification H04L9/32) · CPC title

  • using revocation of authorisation · CPC title

  • for controlling access to devices or network resources · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

What does patent US9319392B1 cover?
A credential management system that disables and/or rotates credentials, such as when a credential is suspected to have been compromised, while minimizing the impact on systems that depend on them. A credential is disabled temporarily at first while the availability of related resources is monitored; if availability does not drop, the credential is disabled again for longer intervals, until there is enough confidence to rotate or permanently disable it. The same process reveals which systems depend on a credential when that is not otherwise known (see the abstract above).

Who is the assignee on this patent?
Amazon Tech Inc

What technology area does this patent fall under?
Primary CPC classification H04L63/08. Mapped technology areas include Electricity (CPC section H).

When was this patent published?
Apr 19, 2016 (kind code B1). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).