Patents by Inventor Gregory B. Roth
Gregory B. Roth has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 10263994Abstract: Systems and methods are described for delegating permissions to enable account access to entities not directly associated with the account. The systems determine a delegation profile associated with a secured account of at least one customer. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.Type: GrantFiled: August 3, 2015Date of Patent: April 16, 2019Assignee: Amazon Technologies, Inc.Inventors: Gregory B Roth, Bradley Jeffery Behm
-
Publication number: 20190080099Abstract: A storage device can include processing and cryptographic capability enabling the device to function as a hardware security module (HSM). This includes the ability to encrypt and decrypt data using a cryptographic key, as well as to perform processing using such a key, independent of whether that processing involves data stored on the device. An internal key can be provided to the drive, whether provided before customer software access or received wrapped in another key, etc. That key enables the device to perform secure processing on behalf of a user or entity, where that key is not exposed to other components in the network or environment. A key may have specified tasks that can be performed using that key, and can be discarded after use. In some embodiments, firmware is provided that can cause a storage device to function as an HSM and/or processing device with cryptographic capability.Type: ApplicationFiled: November 12, 2018Publication date: March 14, 2019Inventors: Gregory B. Roth, Eric Jason Brandwine
-
Publication number: 20190036973Abstract: Techniques for processing data according to customer-defined rules are disclosed. In particular, methods and systems for implementing a data alteration service using one or resources of a distributed computing system are described. The data alteration service is flexibly configurable by entities using the distributed computing system, and may be used to augment, compress, filter or otherwise modify data crossing a customer boundary.Type: ApplicationFiled: September 24, 2018Publication date: January 31, 2019Inventors: Gregory B. Roth, Graeme D. Baer, Eric Jason Brandwine
-
Patent number: 10158670Abstract: An access control policy can be received. The access control policy can identify privileges of a client to use resources to perform authorized actions with the resources. A set of related actions that are related to the authorized actions can be determined. The access control policy can be modified to include at least one related action.Type: GrantFiled: February 12, 2016Date of Patent: December 18, 2018Assignee: Amazon Technologies, Inc.Inventors: Gregory B. Roth, Eric Jason Brandwine, Reto Kramer
-
Patent number: 10110587Abstract: Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.Type: GrantFiled: May 31, 2017Date of Patent: October 23, 2018Assignee: Amazon Technologies, Inc.Inventors: Gregory B. Roth, Nathan R. Fitch, Kevin Ross O'Neill, Graeme D. Baer, Bradley Jeffery Behm, Brian Irl Pratt
-
Patent number: 10110579Abstract: Authenticated requests can be sent without requiring the requests to include or potentially expose secret information used for the authentication process. A client device use a security credential such as a key to sign a request to be sent to a recipient. When the request is received, the recipient determines whether the request was signed using the correct key for the sender. In some embodiments a client token is included with the request that statelessly encodes the key, enabling a recipient capable of decoding the client token to determine the key and compare that key to the signature of the request. The sender can store the secret information in a secure location, such as a browser security module, such that the secret information is not exposed to the browser or script executing on the client device.Type: GrantFiled: August 24, 2015Date of Patent: October 23, 2018Assignee: Amazon Technologies, Inc.Inventors: Nathan R. Fitch, Gregory B. Roth, Graeme D. Baer
-
Patent number: 10103875Abstract: Client requests may be directed through a secret holding proxy system such that the secret holding proxy system may insert a secret into a client request before arriving at the destination. The insertion of a secret may include inserting a digital signature, token or other information that includes a secret or information based upon a secret, which may include secret exchange or authentication protocols. The secret holding proxy system may also remove secrets and/or transform incoming messages such that the client may transparently receive the underlying content of the message.Type: GrantFiled: December 20, 2011Date of Patent: October 16, 2018Assignee: Amazon Technologies, Inc.Inventors: Gregory B. Roth, Graeme D. Baer, Nathan R. Fitch, Eric D. Crahen, Eric J. Brandwine
-
Patent number: 10084818Abstract: Techniques for processing data according to customer-defined rules are disclosed. In particular, methods and systems for implementing a data alteration service using one or resources of a distributed computing system are described. The data alteration service is flexibly configurable by entities using the distributed computing system, and may be used to augment, compress, filter or otherwise modify data crossing a customer boundary.Type: GrantFiled: June 7, 2012Date of Patent: September 25, 2018Assignee: Amazon Technologies, Inc.Inventors: Gregory B. Roth, Graeme D. Baer, Eric Jason Brandwine
-
Publication number: 20180270051Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.Type: ApplicationFiled: May 18, 2018Publication date: September 20, 2018Inventors: Gregory B. Roth, Marc R. Barbour, Bradley Jeffrey Behm, Cristian M. Ilac, Eric Jason Brandwine
-
Patent number: 10044503Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.Type: GrantFiled: November 14, 2014Date of Patent: August 7, 2018Assignee: Amazon Technologies, Inc.Inventors: Gregory B. Roth, Marc R. Barbour, Bradley Jeffery Behm, Cristian M. Ilac, Eric Jason Brandwine
-
Patent number: 9928469Abstract: Techniques for administrating computing resources include identifying, dynamically and/or based at least in part on historical data, a set of server computer systems expected to have availability for at least a portion of a future time period. A pricing scheme for implementing computer system instances for the future time period based at least in part on the availability of the server computer systems is generated. Accounting records in accordance with a price, determined based at least in part on the pricing scheme, for fulfilling requests to implement computer system instances for a predetermined finite amount of time are generated.Type: GrantFiled: October 2, 2012Date of Patent: March 27, 2018Assignee: Amazon Technologies, Inc.Inventors: Gregory B. Roth, Adam K. Loghry, David John Ward, Jr.
-
Patent number: 9898618Abstract: A database access system may protect a field by storing the field as one or more underlying fields within a database. The database engine may not have access to keys used to protect the underlying fields within the database, such as by encryption, while the database access system may have access to the keys. Underlying fields may be used to store protected data and aid in the querying of protected data. The database access system may modify queries to use the underlying fields, which may include encrypting query terms and/or modifying query terms to fit the use of the underlying fields. The database access system may modify query results to match the format of the original query, which may include decrypting protected results and/or removing underlying fields.Type: GrantFiled: June 28, 2017Date of Patent: February 20, 2018Assignee: Amazon Technologies, Inc.Inventors: Gregory B. Roth, Nathan R. Fitch, Bradley Jeffery Behm, Patrick J. Ward, Graeme Baer, Eric Jason Brandwine
-
Patent number: 9872067Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.Type: GrantFiled: March 7, 2016Date of Patent: January 16, 2018Assignee: Amazon Technologies, Inc.Inventors: Gregory B. Roth, Marc R. Barbour, Bradley Jeffery Behm, Cristian M. Ilac, Eric Jason Brandwine
-
Publication number: 20170373840Abstract: Authenticated requests can be sent without requiring the requests to include or potentially expose secret information used for the authentication process. A client device use a security credential such as a key to sign a request to be sent to a recipient. When the request is received, the recipient determines whether the request was signed using the correct key for the sender. In some embodiments a client token is included with the request that statelessly encodes the key, enabling a recipient capable of decoding the client token to determine the key and compare that key to the signature of the request. The sender can store the secret information in a secure location, such as a browser security module, such that the secret information is not exposed to the browser or script executing on the client device.Type: ApplicationFiled: December 28, 2015Publication date: December 28, 2017Inventors: Nathan R. Fitch, Gregory B. Roth, Graeme D. Baer
-
Publication number: 20170331808Abstract: A credential, such as a password, for an entity is used to generate multiple keys. The generated keys are distributed to credential verification systems to enable the credential verification systems to perform authentication operations. The keys are generated such that access to a generated key allows for authentication with a proper subset of the credential verification systems. Thus, unauthorized access to information used by one authentication system does not, by itself, allow for successful authentication with other authentication systems.Type: ApplicationFiled: May 22, 2017Publication date: November 16, 2017Inventors: Gregory B. Roth, Graeme D. Baer
-
Publication number: 20170272423Abstract: Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.Type: ApplicationFiled: May 31, 2017Publication date: September 21, 2017Inventors: Gregory B. Roth, Nathan R. Fitch, Kevin Ross O'Neill, Graeme D. Baer, Bradley Jeffery Behm, Brian Irl Pratt
-
Patent number: 9756031Abstract: Systems and methods provide a storage media on a portable physical object associated with a set of credentials that enables access to a set of computing resources associated with a set of Web services. In some embodiments, information including a set of credentials is prepackaged onto the storage media of the portable physical object. A pre-activated subscription to the set of Web services in a distributed system is provisioned. Access to the set of Web services is enabled when the portable physical object is coupled with a computing device and the set of credentials is authenticated. In some embodiments, the portable physical object is purchased by a user on a prepaid basis without requiring the user to register an account with the set of Web services, allowing the user to remain anonymous with respect to interaction with the set of Web services.Type: GrantFiled: October 13, 2014Date of Patent: September 5, 2017Assignee: Amazon Technologies, Inc.Inventors: Gregory B. Roth, Cristian M. Ilac, James E. Scharf, Jr., Nathan R. Fitch, Graeme D. Baer, Brian Irl Pratt, Kevin Ross O'Neill
-
Patent number: 9727743Abstract: A database access system may protect a field by storing the field as one or more underlying fields within a database. The database engine may not have access to keys used to protect the underlying fields within the database, such as by encryption, while the database access system may have access to the keys. Underlying fields may be used to store protected data and aid in the querying of protected data. The database access system may modify queries to use the underlying fields, which may include encrypting query terms and/or modifying query terms to fit the use of the underlying fields. The database access system may modify query results to match the format of the original query, which may include decrypting protected results and/or removing underlying fields.Type: GrantFiled: February 1, 2016Date of Patent: August 8, 2017Assignee: Amazon Technologies, Inc.Inventors: Gregory B. Roth, Nathan R. Fitch, Bradley Jeffery Behm, Patrick J. Ward, Graeme D. Baer, Eric Jason Brandwine
-
Publication number: 20170223014Abstract: In certain embodiments, a web services system receives a request to provision a device, such as a telephone, as an authentication device. The web services system initiates display of an image communicating a key to allow the telephone to capture the image and to send key information associated with the key. The web services system receives the key and determines that the key information is valid. In response to the determination, the web services system sends a seed to the telephone to provision the telephone to be an authentication device. The telephone can use the seed to generate one-time passcodes to access a service of the web services system.Type: ApplicationFiled: April 14, 2017Publication date: August 3, 2017Inventors: Gregory B. Roth, Nathan R. Fitch, Graeme D. Baer
-
Publication number: 20170187521Abstract: Authenticated requests can be sent without requiring the requests to include or potentially expose secret information used for the authentication process. A client device use a security credential such as a key to sign a request to be sent to a recipient. When the request is received, the recipient determines whether the request was signed using the correct key for the sender. In some embodiments a client token is included with the request that statelessly encodes the key, enabling a recipient capable of decoding the client token to determine the key and compare that key to the signature of the request. The sender can store the secret information in a secure location, such as a browser security module, such that the secret information is not exposed to the browser or script executing on the client device.Type: ApplicationFiled: December 28, 2015Publication date: June 29, 2017Inventors: Nathan R. Fitch, Gregory B. Roth, Graeme D. Baer