Patents by Inventor Alan A. Rubin
Alan A. Rubin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20180294971Abstract: Cryptographic keys can include logging properties that enable those keys to be used only if the properties can be enforced by the cryptographic system requested to perform one or more actions using the keys. The logging property can specify how to log use of a respective key. A key can also include a mutability property for specifying whether the logging property can be changed, and if so under what circumstances or in which way(s). The ability to specify and automatically enforce logging can be important for environments where audit logs are essential. These can include, for example, public certificate authorities that must provide accurate and complete audit trails. In cases where the data is not to be provided outside a determined secure environment, the key can be generated with a property indicating not to log any of the usage.Type: ApplicationFiled: March 30, 2018Publication date: October 11, 2018Inventors: Gregory Alan Rubin, Gregory Branchek Roth
-
Publication number: 20180270251Abstract: A secret is stored in a computing device. The device generates a value determined based at least in part on a substantially random process. As a result of the value satisfying a condition, the device causes the secret to be unusable to perform cryptographic operations such that the device is unable to cause the secret to be restored. The secret may be programmatically unexportable from the device.Type: ApplicationFiled: May 23, 2018Publication date: September 20, 2018Inventors: Gregory Branchek Roth, Gregory Alan Rubin
-
Patent number: 10078687Abstract: A computer system receives a request to remove an entry from a probabilistic data structure. In response to the request, the computer system queries the probabilistic data structure to determine a current iteration value for the entry within the probabilistic data structure. The current iteration value indicates a state of the entry such that a first state corresponds to the entry being a member of a set and a second state corresponds to the absence of the entry from the set. As a result of the current iteration value denoting that the entry is a member of the set, the computer system increments the current iteration value to generate a new iteration value that corresponds to the absence of the entry from the set. The computer system uses the new iteration value and the entry to generate a new output value that is then added to the probabilistic data structure.Type: GrantFiled: September 9, 2015Date of Patent: September 18, 2018Assignee: Amazon Technologies, Inc.Inventors: Gregory Alan Rubin, Gregory Branchek Roth
-
Publication number: 20180227129Abstract: A signature authority generates a master seed value that is used to generate a seed tree of subordinate nodes. Each subordinate node of the seed tree is generated from the value of its parent node using a cryptographic hash or one-way function. The signature authority selects subordinate seed values from the seed tree which are distributed to one or more subordinates, each of which generates a set of one-time-use cryptographic keys from the provided seed. Each subordinate generates a hash tree from its set of one-time-use cryptographic keys, and returns the root of its hash tree to the signature authority. The signature authority integrates the hashes provided by the key generators into a comprehensive hash tree, and the root of the hash tree acts as a public key for the signature authority.Type: ApplicationFiled: April 5, 2018Publication date: August 9, 2018Inventors: Matthew John Campagna, Gregory Alan Rubin, Nicholas Alexander Allen, Andrew Kyle Driggs, Eric Jason Brandwine
-
Publication number: 20180198823Abstract: A client establishes a network session with a server. The network session is used to establish an encrypted communications session. The client establishes another network session with another server, such as after terminating the first network session. The client resumes the encrypted communications session over the network session with the other server. The other server is configured to receive encrypted communications from the client and forward them to the appropriate server.Type: ApplicationFiled: March 9, 2018Publication date: July 12, 2018Inventors: Jesper Mikael Johansson, Darren Ernest Canavor, Jon Arron McClintock, Gregory Branchek Roth, Gregory Alan Rubin, Nima Sharifi Mehr
-
Patent number: 10015018Abstract: Cryptographic keys can include logging properties that enable those keys to be used only if the properties can be enforced by the cryptographic system requested to perform one or more actions using the keys. The logging property can specify how to log use of a respective key. A key can also include a mutability property for specifying whether the logging property can be changed, and if so under what circumstances or in which way(s). The ability to specify and automatically enforce logging can be important for environments where audit logs are essential. These can include, for example, public certificate authorities that must provide accurate and complete audit trails. In cases where the data is not to be provided outside a determined secure environment, the key can be generated with a property indicating not to log any of the usage.Type: GrantFiled: July 21, 2017Date of Patent: July 3, 2018Assignee: Amazon Technologies, Inc.Inventors: Gregory Alan Rubin, Gregory Branchek Roth
-
Publication number: 20180183601Abstract: A proof-of-work system where a first party (e.g., a client computer system) may request access to a computing resource. A second party (e.g., a service provider) may determine a challenge that may be provided to the first party. A valid solution to the challenge may be generated and provided for the request to be fulfilled. The challenge may include a message and a seed, such that the seed may be used at least in part to cryptographically derive information that may be used to generate a solution to the challenge. A hash tree may be generated as of generating the solution.Type: ApplicationFiled: December 23, 2016Publication date: June 28, 2018Inventors: Matthew John Campagna, Nicholas Alexander Allen, Gregory Alan Rubin
-
Publication number: 20180181756Abstract: A service provider provides virtual computing services using a fleet of one or more host computer systems. Each of the host computer systems may be equipped with a trusted platform module (“TPM”). The service provider, the host computer systems, and the virtual computing environments generate attestations that prove the integrity of the system. The attestations are signed with a one-time-use cryptographic key that is verifiable against the public keys of the service provider, a host computer system, and a virtual computing environment. The public key of the host computer system is integrated into a hash tree that links the public key of the host computer system to the public key of the service provider. The public key of the virtual computing environment is signed using a one-time-use graphic key issued to the host computer system that hosts the virtual computing environment.Type: ApplicationFiled: December 23, 2016Publication date: June 28, 2018Inventors: Matthew John Campagna, Gregory Alan Rubin, Eric Jason Brandwine
-
Publication number: 20180183771Abstract: A signature authority generates revocable one-time-use keys that are able to generate digital signatures. The signature authority generates a set of one-time-use keys, where each one-time-use key has a secret key and a public key derived from a hash of the secret key. The signature authority generates one or more revocation values that, when published, proves that the signature authority has the authority to revoke corresponding cryptographic keys. The signature authority hashes the public keys and the revocation values and arranges the hashes in a hash tree where the root of the hash tree acts as a public key of the signature authority. In some implementations, the one-time-use cryptographic keys are generated from a tree of seed values, and a particular revocation value is linked to a particular seed value, allowing for the revocation of a block of one-time-use cryptographic keys associated with the particular seed.Type: ApplicationFiled: December 23, 2016Publication date: June 28, 2018Inventors: Matthew John Campagna, Gregory Alan Rubin, Nicholas Alexander Allen, Andrew Kyle Driggs, Eric Jason Brandwine
-
Publication number: 20180183774Abstract: A key distribution service operated by a signature authority distributes one-time-use cryptographic keys to one or more delegates that generate digital signatures on behalf of the signature authority. The key distribution service uses a root seed value to generate subordinate seeds. The subordinate seeds are used to generate a set of cryptographic keys. Hashes are generated for each key, and the hashes are arranged into a Merkle tree with a root hash controlled by the signature authority. In response to a request from a delegate, the signature authority provides a subordinate seed to the delegate. The delegate uses the subordinate seed to generate one or more cryptographic keys. The cryptographic keys are used to generate digital signatures which are verifiable up to the root hash of the Merkle tree. Additional subordinate seeds may be distributed to entities by the signature authority when appropriate.Type: ApplicationFiled: December 23, 2016Publication date: June 28, 2018Inventors: Matthew John Campagna, Gregory Alan Rubin, Nicholas Alexander Allen, Andrew Kyle Driggs, Eric Jason Brandwine
-
Publication number: 20180183602Abstract: A signature authority generates a master seed value that is used as the root of a seed tree of subordinate nodes. Each subordinate node of the seed tree is generated from the value of its parent node using a cryptographic hash or one-way function. The signature authority selects subordinate seed values which are distributed to one or more key generators, each of which generates a set of one-time-use cryptographic keys. Each key generator generates a hash tree from its set of one-time-use cryptographic keys, and the root of its hash tree is returned to the signature authority. The signature authority integrates the hashes provided by the key generators into a comprehensive hash tree. The root of the comprehensive hash tree acts as a public key for the signature authority.Type: ApplicationFiled: December 23, 2016Publication date: June 28, 2018Inventors: Matthew John Campagna, Gregory Alan Rubin, Nicholas Alexander Allen, Andrew Kyle Driggs, Eric Jason Brandwine
-
Patent number: 10003584Abstract: Data is durably backed up for a limited amount of time. The data may be encrypted under a key and the key may be encrypted under a backup key. The backup key has a limited lifetime at the end of which the backup key is destroyed. After the backup key is destroyed, recoverability of the data depends on whether the key was deleted. In some examples, the data is a set of cryptographic keys.Type: GrantFiled: September 2, 2014Date of Patent: June 19, 2018Assignee: Amazon Technologies, Inc.Inventors: Gregory Branchek Roth, Gregory Alan Rubin
-
Publication number: 20180157853Abstract: A data storage service redundantly stores data and keys used to encrypt the data. Data objects are encrypted with first cryptographic keys. The first cryptographic keys are encrypted by second cryptographic keys. The first cryptographic keys and second cryptographic keys are redundantly stored in a data storage system to enable access of the data objects, such as to respond to requests to retrieve the data objects. The second cryptographic keys may be encrypted by third keys and redundantly stored in the event access to a second cryptographic key is lost.Type: ApplicationFiled: February 5, 2018Publication date: June 7, 2018Inventors: Sandeep Kumar, Gregory Branchek Roth, Gregory Alan Rubin, Mark Christopher Seigle, Kamran Tirdad
-
Patent number: 9992027Abstract: Cryptographic keys can include logging properties that enable those keys to be used only if the properties can be enforced by the cryptographic system requested to perform one or more actions using the keys. The logging property can specify how to log use of a respective key. A key can also include a mutability property for specifying whether the logging property can be changed, and if so under what circumstances or in which way(s). The ability to specify and automatically enforce logging can be important for environments where audit logs are essential. These can include, for example, public certificate authorities that must provide accurate and complete audit trails. In cases where the data is not to be provided outside a determined secure environment, the key can be generated with a property indicating not to log any of the usage.Type: GrantFiled: September 14, 2015Date of Patent: June 5, 2018Assignee: AMAZON TECHNOLOGIES, INC.Inventors: Gregory Alan Rubin, Gregory Branchek Roth
-
Publication number: 20180150646Abstract: A data storage management process is directed to aspects of managing encrypted data via data storage volumes in conjunction with a service provider computer network that hosts virtual machine instances. A volume can be created and configured for managing encrypted data with an encrypted version of a volume key. The volume can be attached to a virtual machine instance such that the virtual machine instance accesses the volume in a transparent fashion based on the volume key. Encrypted data specific to the volume can be copied across multiple regions of data storage each associated with distinct encrypted versions of a volume key corresponding to the volume.Type: ApplicationFiled: January 8, 2018Publication date: May 31, 2018Inventors: Gregory Branchek Roth, Gautam Shanbhag, Gregory Alan Rubin, Christopher H. Fant
-
Patent number: 9985975Abstract: A hardware secret is securely maintained in a computing device. The device operates in accordance with a usage limit corresponding to a limited number of operations using the hardware secret that the device is able to perform. Once the device reaches a usage limit, the device becomes temporarily or permanently unable to perform additional operations using the hardware secret.Type: GrantFiled: March 11, 2016Date of Patent: May 29, 2018Assignee: Amazon Technologies, Inc.Inventors: Gregory Branchek Roth, Gregory Alan Rubin
-
Patent number: 9967249Abstract: A distributed passcode verification system includes devices that each have a secret and that are each able to perform a limited number of verifications using their secrets. Passcode verifiers receive passcode information from a passcode information manager. The passcode information provides information usable, with a secret, to verify passcodes provided to a verifier.Type: GrantFiled: June 20, 2016Date of Patent: May 8, 2018Assignee: Amazon Technologies, Inc.Inventors: Gregory Branchek Roth, Gregory Alan Rubin
-
Patent number: 9961055Abstract: A client negotiates multiple cryptographic keys with a server. One of the cryptographic keys is used to encrypt communications that the server can decrypt. Another of the cryptographic keys is used to encrypt communications that, while sent to the server, are not decryptable to the server. The server is configured to forward communications that it is unable to decrypt to another computer system having an ability to decrypt the communications.Type: GrantFiled: December 18, 2014Date of Patent: May 1, 2018Assignee: AMAZON TECHNOLOGIES, INC.Inventors: Jesper Mikael Johansson, Darren Ernest Canavor, Jon Arron McClintock, Gregory Branchek Roth, Gregory Alan Rubin, Nima Sharifi Mehr
-
Patent number: 9930067Abstract: A client establishes a network session with a server. The network session is used to establish an encrypted communications session. The client establishes another network session with another server, such as after terminating the first network session. The client resumes the encrypted communications session over the network session with the other server. The other server is configured to receive encrypted communications from the client and forward them to the appropriate server.Type: GrantFiled: December 18, 2014Date of Patent: March 27, 2018Assignee: Amazon Technologies, Inc.Inventors: Jesper Mikael Johansson, Darren Ernest Canavor, Jon Arron McClintock, Gregory Branchek Roth, Gregory Alan Rubin, Nima Sharifi Mehr
-
Patent number: 9906552Abstract: System load, such as load caused by a denial of service attack, is managed by requiring those requesting access to the system to provide proof of work. A system receives, from a requestor, a request for access to the system. Before the request can be processed, the system provides a challenge to the requestor. The requestor obtains a solution to the challenge and provides proof of having obtained the solution. The system verifies the correctness of the solution and, if the correct solution is verified, the system services the request.Type: GrantFiled: February 13, 2013Date of Patent: February 27, 2018Assignee: AMAZON TECHNOLOGIES, INC.Inventors: Nicholas Howard Brown, Gregory Branchek Roth, Gregory Alan Rubin