Abstract: A delegation request is submitted to a session-based authentication service, fulfillment of which involves granting an entity an access privilege to a computing resource. A session key is received from the session-based authentication service. The session key having been generated based at least in part on a restriction and a secret credential shared with the session-based authentication service and usable at least in part to prove possession of the access privilege to the computing resource. The session key is provided to the entity without providing the shared secret credential.

Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.

Abstract: A delegation request is submitted to a session-based authentication service, fulfillment of which involves granting an entity an access privilege to a computing resource. A session key is received from the session-based authentication service. The session key having been generated based at least in part on a restriction and a secret credential shared with the session-based authentication service and usable at least in part to prove possession of the access privilege to the computing resource. The session key is provided to the entity without providing the shared secret credential.

Abstract: A delegation request is submitted to a session-based authentication service, fulfillment of which involves granting an entity an access privilege to a computing resource. A session key is received from the session-based authentication service. The session key having been generated based at least in part on a restriction and a secret credential shared with the session-based authentication service and usable at least in part to prove possession of the access privilege to the computing resource. The session key is provided to the entity without providing the shared secret credential.

Abstract: Session-specific information stored to a cookie or other secure token can be selected and/or caused to vary over time, such that older copies will become less useful over time. Such an approach reduces the ability of entities obtaining a copy of the cookie from performing unauthorized tasks on a session. A cookie received with a request can contain a timestamp and an operation count for a session that may need to fall within an acceptable range of the current values in order for the request to be processed. A cookie returned with a response can be set to the correct value or incremented from the previous value based on various factors. The allowable bands can decrease with age of the session, and various parameter values such as a badness factor for a session can be updated continually based on the events for the session.

Abstract: A tiered credentialing approach provides assurance to customers having virtual machines running in a remote environment that the virtual images for these machines are in a pristine state and running in a trusted execution environment. The environment can be divided into multiple subsystems, each having its own cryptographic boundary, secure storage, and trusted computing capabilities. A trusted, limited subsystem can handle the administrative tasks for virtual machines running on the main system of a host computing device. The limited system can receive a certificate from a certificate authority, and can act as a certificate authority to provide credentials to the main system. Upon an attestation request, the subsystems can provide attestation information using the respective credentials as well as the certificate chain. An entity having the appropriate credentials can determine the state of the system from the response and verify the state is as expected.

Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.

Abstract: Secret information, such as seeds, codes, and keys, can be automatically renegotiated between at least one sender and at least one recipient. Various mechanisms, such as counters, events, or challenges, can be used to trigger automatic renegotiations through various requests or communications. These changes can cause the current secret information to diverge from older copies of the secret information that might have been obtained by unintended third parties. In some embodiments, a secret can be configured to “decay” over time, or have small changes periodically introduced that can be determined to be valid by an authorized party, but can reduce the effectiveness of prior versions of the secret information.

Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.

Abstract: A plurality of keys is obtained, with each obtained key of the plurality of keys being based at least in part on an information set for the plurality of keys and at least one other key distinct from the plurality of keys. A signing key is calculated by inputting a combination of the plurality of keys into a function with the information set for the plurality of keys, and the signing key is used to evaluate whether access to one or more computing resources is to be granted, with the information set preventing access from being granted when a request for the access is submitted out of compliance with the information set for the plurality of keys.

Abstract: Secret information, such as seeds, codes, and keys, can be automatically renegotiated between at least one sender and at least one recipient. Various mechanisms, such as counters, events, or challenges, can be used to trigger automatic renegotiations through various requests or communications. These changes can cause the current secret information to diverge from older copies of the secret information that might have been obtained by unintended third parties. In some embodiments, a secret can be configured to “decay” over time, or have small changes periodically introduced that can be determined to be valid by an authorized party, but can reduce the effectiveness of prior versions of the secret information.

Abstract: A tiered credentialing approach provides assurance to customers having virtual machines running in a remote environment that the virtual images for these machines are in a pristine state and running in a trusted execution environment. The environment can be divided into multiple subsystems, each having its own cryptographic boundary, secure storage, and trusted computing capabilities. A trusted, limited subsystem can handle the administrative tasks for virtual machines running on the main system of a host computing device. The limited system can receive a certificate from a certificate authority, and can act as a certificate authority to provide credentials to the main system. Upon an attestation request, the subsystems can provide attestation information using the respective credentials as well as the certificate chain. An entity having the appropriate credentials can determine the state of the system from the response and verify the state is as expected.

Abstract: A tiered credentialing approach provides assurance to customers having virtual machines running in a remote environment that the virtual images for these machines are in a pristine state and running in a trusted execution environment. The environment can be divided into multiple subsystems, each having its own cryptographic boundary, secure storage, and trusted computing capabilities. A trusted, limited subsystem can handle the administrative tasks for virtual machines running on the main system of a host computing device. The limited system can receive a certificate from a certificate authority, and can act as a certificate authority to provide credentials to the main system. Upon an attestation request, the subsystems can provide attestation information using the respective credentials as well as the certificate chain. An entity having the appropriate credentials can determine the state of the system from the response and verify the state is as expected.

Abstract: An application executing on a user device can receive a request to access a remote computer system. The application can automatically obtain an authentication code that is generated based at least in part on a seed value, which can be stored in the user device. The application can automatically generate an authentication request based at least in part on the access information and the authentication code, and transmit the authentication request to remote computer system.

Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.

Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.

Abstract: A delegation request is submitted to a session-based authentication service, fulfilment of which involves granting an entity an access privilege to a computing resource. A session key is received from the session-based authentication service. The session key having been generated based at least in part on a restriction and a secret credential shared with the session-based authentication service and usable at least in part to prove possession of the access privilege to the computing resource. The session key is provided to the entity without providing the shared secret credential.

Abstract: A delegation request is submitted to a session-based authentication service, fulfilment of which involves granting an entity an access privilege to a computing resource. A session key is received from the session-based authentication service. The session key having been generated based at least in part on a restriction and a secret credential shared with the session-based authentication service and usable at least in part to prove possession of the access privilege to the computing resource. The session key is provided to the entity without providing the shared secret credential.

Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.

Abstract: Secret information, such as seeds, codes, and keys, can be automatically renegotiated between at least one sender and at least one recipient. Various mechanisms, such as counters, events, or challenges, can be used to trigger automatic renegotiations through various requests or communications. These changes can cause the current secret information to diverge from older copies of the secret information that might have been obtained by unintended third parties. In some embodiments, a secret can be configured to “decay” over time, or have small changes periodically introduced that can be determined to be valid by an authorized party, but can reduce the effectiveness of prior versions of the secret information.