Abstract: A request is obtained that, if fulfilled, is operable to access a computing resource, with the request including an indication to evaluate the request in a verification mode while inhibiting fulfilment of the request. Responsive to the request, a policy applicable to the request is determined, decision data that is relevant to the policy is obtained, and the request is evaluated based at least in part on the policy and the decision data to produce an evaluation result. Further responsive to the request, fulfillment of the request is inhibited, a verification report is generated based at least in part on the evaluation result, and a notification is provided indicating that the verification report is generated.

Abstract: Techniques are described for enabling a Kerberos-based authentication system to provide a client with access to a plurality of unmodifiable components that require plain text passwords. Such an approach enables a user to sign into a distributed computer system using a single password, and access multiple components that require different passwords without the need to enter a second password. By using Kerberos based authentication, passwords are not unnecessarily sent throughout distributed computing system where they may be vulnerable. A proxy key distribution center can be used to manage passwords or other credentials on behalf of various clients, which can be used with various processes discussed herein.

Abstract: A request is obtained that, if fulfilled, is operable to access a computing resource, with the request including an indication to evaluate the request in a verification mode while inhibiting fulfilment of the request. Responsive to the request, a policy applicable to the request is determined, decision data that is relevant to the policy is obtained, and the request is evaluated based at least in part on the policy and the decision data to produce an evaluation result. Further responsive to the request, fulfillment of the request is inhibited, a verification report is generated based at least in part on the evaluation result, and a notification is provided indicating that the verification report is generated.

Abstract: A policy is incorporated into a first set of policies at least in part by generating a second set of policies corresponding to the policy. An index of the first set of policies is generated based at least in part on a policy element of a normal form. Based at least in part on the index, a subset of the first set of policies that is relevant to at least one of a plurality of policy enforcement components is identified and provided to at least one of the plurality of policy enforcement components of a virtual resource provider identified as relevant. A request subject to the policy is received, and the policy is enforced at least in part by evaluating the request with respect to the subset of the first set of policies.

Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.

Abstract: A plurality of keys is obtained, with each obtained key of the plurality of keys being based at least in part on an information set for the plurality of keys and at least one other key distinct from the plurality of keys. A signing key is calculated by inputting a combination of the plurality of keys into a function with the information set for the plurality of keys, and the signing key is used to evaluate whether access to one or more computing resources is to be granted, with the information set preventing access from being granted when a request for the access is submitted out of compliance with the information set for the plurality of keys.

Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.

Abstract: Techniques are described for enabling a Kerberos-based authentication system to provide a client with access to a plurality of unmodifiable components that require plain text passwords. Such an approach enables a user to sign into a distributed computer system using a single password, and access multiple components that require different passwords without the need to enter a second password. By using Kerberos based authentication, passwords are not unnecessarily sent throughout distributed computing system where they may be vulnerable. A proxy key distribution center can be used to manage passwords or other credentials on behalf of various clients, which can be used with various processes discussed herein.

Abstract: Techniques are described for enabling a Kerberos-based authentication system to provide a client with access to a plurality of unmodifiable components that require plain text passwords. Such an approach enables a user to sign into a distributed computer system using a single password, and access multiple components that require different passwords without the need to enter a second password. By using Kerberos based authentication, passwords are not unnecessarily sent throughout distributed computing system where they may be vulnerable. A proxy key distribution center can be used to manage passwords or other credentials on behalf of various clients, which can be used with various processes discussed herein.

Abstract: A policy is incorporated into a first set of policies at least in part by generating a second set of policies corresponding to the policy. An index of the first set of policies is generated based at least in part on a policy element of a normal form. Based at least in part on the index, a subset of the first set of policies that is relevant to at least one of a plurality of policy enforcement components is identified and provided to at least one of the plurality of policy enforcement components of a virtual resource provider identified as relevant. A request subject to the policy is received, and the policy is enforced at least in part by evaluating the request with respect to the subset of the first set of policies.

Abstract: A plurality of keys is obtained, with each obtained key of the plurality of keys being based at least in part on an information set for the plurality of keys and at least one other key distinct from the plurality of keys. A signing key is calculated by inputting a combination of the plurality of keys into a function with the information set for the plurality of keys, and the signing key is used to evaluate whether access to one or more computing resources is to be granted, with the information set preventing access from being granted when a request for the access is submitted out of compliance with the information set for the plurality of keys.

Abstract: A database access system may protect a field by storing the field as one or more underlying fields within a database. The database engine may not have access to keys used to protect the underlying fields within the database, such as by encryption, while the database access system may have access to the keys. Underlying fields may be used to store protected data and aid in the querying of protected data. The database access system may modify queries to use the underlying fields, which may include encrypting query terms and/or modifying query terms to fit the use of the underlying fields. The database access system may modify query results to match the format of the original query, which may include decrypting protected results and/or removing underlying fields.