Patents by Inventor John A. Campagna

John A. Campagna has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20190238557
    Abstract: A system performs cryptographic operations utilizing information usable to verify validity of plaintext. To prevent providing information about a plaintext by providing the information usable to verify the validity of the plaintext, the system provides the information usable to verify validity of the plaintext to an entity on a condition that the entity is authorized to access the plaintext. The information usable to verify validity of the plaintext may be persisted in ciphertext along with the plaintext to enable the plaintext to be verified when decrypted.
    Type: Application
    Filed: April 10, 2019
    Publication date: August 1, 2019
    Inventors: Gregory Branchek Roth, Gregory Alan Rubin, Matthew John Campagna, Petr Praus
  • Publication number: 20190222583
    Abstract: Clients within a computing environment may establish a secure communication session. Sometimes, a client may trust another client to read, but not modify, a message. Clients may utilize a cryptography service to generate a message protected against improper modification. Clients may utilize a cryptography service to verify whether a protected message has been improperly modified.
    Type: Application
    Filed: March 26, 2019
    Publication date: July 18, 2019
    Inventor: Matthew John Campagna
  • Publication number: 20190205540
    Abstract: A service provider provides virtual computing services using a fleet of one or more host computer systems. Each of the host computer systems may be equipped with a trusted platform module (“TPM”). The service provider, the host computer systems, and the virtual computing environments generate attestations that prove the integrity of the system. The attestations are signed with a one-time-use cryptographic key that is verifiable against the public keys of the service provider, a host computer system, and a virtual computing environment. The public key of the host computer system is integrated into a hash tree that links the public key of the host computer system to the public key of the service provider. The public key of the virtual computing environment is signed using a one-time-use graphic key issued to the host computer system that hosts the virtual computing environment.
    Type: Application
    Filed: March 11, 2019
    Publication date: July 4, 2019
    Inventors: Matthew John Campagna, Gregory Alan Rubin, Eric Jason Brandwine
  • Patent number: 10333903
    Abstract: A device is provisioned and authorized for use on a network. The device may be required to generate a cryptographic key and provide a digital certificate the cryptographic key, a hardware identifier, and attribute information to an authorization host as part of the provisioning process. The authorization host may use attribute information to determine whether to authorize the device for use on the network, and whether the generated cryptographic key should be trusted for use on the network.
    Type: Grant
    Filed: June 16, 2015
    Date of Patent: June 25, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Matthew John Campagna, Derek Del Miller, Nachiketh Rao Potlapally, Gregory Branchek Roth
  • Patent number: 10333708
    Abstract: A system includes a first entropy-based random number generator (RNG) circuit configured to produce a bit stream and a key generator configured to generate encryption keys using bits from the bit stream. The system also includes an encryption engine configured to encrypt bits from the bit stream and a de-multiplexer configured to receive the bit stream from the first entropy-based RNG circuit and to provide a first set of bits from the bit stream to the key generator for generation of an encryption key and a second set of bits from the bit stream to the encryption engine for encryption to produce an encrypted output value.
    Type: Grant
    Filed: February 3, 2017
    Date of Patent: June 25, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Ron Diamant, Matthew John Campagna, Colm Gearóid MacCárthaigh
  • Patent number: 10313319
    Abstract: Performing cryptographic operations such as encryption and decryption may be computationally expensive. In some contexts, initialization vectors and keystreams operable to perform encryption operations are generated and stored in a repository, and later retrieved for use in performing encryption operations. Multiple devices in a distributed system can each generate and store a subset of a larger set of keystreams.
    Type: Grant
    Filed: April 5, 2018
    Date of Patent: June 4, 2019
    Assignee: Amazon Technologies, Inc.
    Inventor: Matthew John Campagna
  • Patent number: 10291408
    Abstract: A proof-of-work system where a first party (e.g., a client computer system) may request access to a computing resource. A second party (e.g., a service provider) may determine a challenge that may be provided to the first party. A valid solution to the challenge may be generated and provided for the request to be fulfilled. The challenge may include a message and a seed, such that the seed may be used at least in part to cryptographically derive information that may be used to generate a solution to the challenge. A hash tree may be generated as of generating the solution.
    Type: Grant
    Filed: December 23, 2016
    Date of Patent: May 14, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Matthew John Campagna, Nicholas Alexander Allen, Gregory Alan Rubin
  • Publication number: 20190138736
    Abstract: A tiered credentialing approach provides assurance to customers having virtual machines running in a remote environment that the virtual images for these machines are in a pristine state and running in a trusted execution environment. The environment can be divided into multiple subsystems, each having its own cryptographic boundary, secure storage, and trusted computing capabilities. A trusted, limited subsystem can handle the administrative tasks for virtual machines running on the main system of a host computing device. The limited system can receive a certificate from a certificate authority, and can act as a certificate authority to provide credentials to the main system. Upon an attestation request, the subsystems can provide attestation information using the respective credentials as well as the certificate chain. An entity having the appropriate credentials can determine the state of the system from the response and verify the state is as expected.
    Type: Application
    Filed: January 1, 2019
    Publication date: May 9, 2019
    Inventors: Matthew John Campagna, Gregory Alan Rubin, Eric Jason Brandwine, Matthew Shawn Wilson, Cristian M. Ilac
  • Patent number: 10263997
    Abstract: A system performs cryptographic operations utilizing information usable to verify validity of plaintext. To prevent providing information about a plaintext by providing the information usable to verify the validity of the plaintext, the system provides the information usable to verify validity of the plaintext to an entity on a condition that the entity is authorized to access the plaintext. The information usable to verify validity of the plaintext may be persisted in ciphertext along with the plaintext to enable the plaintext to be verified when decrypted.
    Type: Grant
    Filed: July 22, 2016
    Date of Patent: April 16, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Gregory Alan Rubin, Matthew John Campagna, Petr Praus
  • Publication number: 20190108343
    Abstract: A trusted co-processor can provide a hardware-based observation point into the operation of a host machine owned by a resource provider or other such entity. The co-processor can be installed via a peripheral card on a fast bus, such as a PCI bus, on the host machine. The co-processor can execute malware detection software, and can use this software to analyze data and/or code obtained from the relevant resources of the host machine. The trusted co-processor can notify the customer or another appropriate entity of the results of the scan, such that an appropriate action can be taken if malware is detected. The results of the scan can be trusted, as malware will be unable to falsify such a notification or modify the operation of the trusted co-processor.
    Type: Application
    Filed: November 19, 2018
    Publication date: April 11, 2019
    Inventors: Eric Jason Brandwine, Matthew John Campagna, Gregory Alan Rubin
  • Patent number: 10243968
    Abstract: Clients within a computing environment may establish a secure communication session. Sometimes, a client may trust another client to read, but not modify, a message. Clients may utilize a cryptography service to generate a message protected against improper modification. Clients may utilize a cryptography service to verify whether a protected message has been improperly modified.
    Type: Grant
    Filed: December 11, 2015
    Date of Patent: March 26, 2019
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventor: Matthew John Campagna
  • Patent number: 10243939
    Abstract: A key distribution service operated by a signature authority distributes one-time-use cryptographic keys to one or more delegates that generate digital signatures on behalf of the signature authority. The key distribution service uses a root seed value to generate subordinate seeds. The subordinate seeds are used to generate a set of cryptographic keys. Hashes are generated for each key, and the hashes are arranged into a Merkle tree with a root hash controlled by the signature authority. In response to a request from a delegate, the signature authority provides a subordinate seed to the delegate. The delegate uses the subordinate seed to generate one or more cryptographic keys. The cryptographic keys are used to generate digital signatures which are verifiable up to the root hash of the Merkle tree. Additional subordinate seeds may be distributed to entities by the signature authority when appropriate.
    Type: Grant
    Filed: December 23, 2016
    Date of Patent: March 26, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Matthew John Campagna, Gregory Alan Rubin, Nicholas Alexander Allen, Andrew Kyle Driggs, Eric Jason Brandwine
  • Publication number: 20190089541
    Abstract: A host machine operated for a specific purpose can have restricted access to other components in a multi-tenant environment in order to provide for the security of the host machine. The access restriction can prevent the host machine from obtaining updates to critical system-level configurations, but such information can be obtained through a signed command received to an API for the host machine. The command can be signed by a quorum of operators, and the host machine can be configured to verify the signatures and the quorum before processing the command. The host machine can store the updates to ephemeral storage as well as persistent storage, such that upon a reboot or power cycle the host machine can operate with current configuration data.
    Type: Application
    Filed: November 2, 2018
    Publication date: March 21, 2019
    Inventors: Justin Lee Werner, Gregory Alan Rubin, Matthew John Campagna, Michael Bentkofsky
  • Patent number: 10237249
    Abstract: A signature authority generates revocable one-time-use keys that are able to generate digital signatures. The signature authority generates a set of one-time-use keys, where each one-time-use key has a secret key and a public key derived from a hash of the secret key. The signature authority generates one or more revocation values that, when published, proves that the signature authority has the authority to revoke corresponding cryptographic keys. The signature authority hashes the public keys and the revocation values and arranges the hashes in a hash tree where the root of the hash tree acts as a public key of the signature authority. In some implementations, the one-time-use cryptographic keys are generated from a tree of seed values, and a particular revocation value is linked to a particular seed value, allowing for the revocation of a block of one-time-use cryptographic keys associated with the particular seed.
    Type: Grant
    Filed: December 23, 2016
    Date of Patent: March 19, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Matthew John Campagna, Gregory Alan Rubin, Nicholas Alexander Allen, Andrew Kyle Driggs, Eric Jason Brandwine
  • Patent number: 10229270
    Abstract: A service provider provides virtual computing services using a fleet of one or more host computer systems. Each of the host computer systems may be equipped with a trusted platform module (“TPM”). The service provider, the host computer systems, and the virtual computing environments generate attestations that prove the integrity of the system. The attestations are signed with a one-time-use cryptographic key that is verifiable against the public keys of the service provider, a host computer system, and a virtual computing environment. The public key of the host computer system is integrated into a hash tree that links the public key of the host computer system to the public key of the service provider. The public key of the virtual computing environment is signed using a one-time-use graphic key issued to the host computer system that hosts the virtual computing environment.
    Type: Grant
    Filed: December 23, 2016
    Date of Patent: March 12, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Matthew John Campagna, Gregory Alan Rubin, Eric Jason Brandwine
  • Patent number: 10230525
    Abstract: An organizational signature authority delegates signature authority to one or more subordinate signature authorities by rolling up public keys from the subordinate signature authorities into a public key for the organization. A subordinate signature authority of the organizational signature authority generates cryptographic keys for use by the subordinate signature authority, and cryptographically derives a public key for the subordinate signature authority based at least in part on the cryptographic keys. In some examples, the subordinate signature authority acquires public keys from a lower subordinate signature authority, and the public key of the subordinate signature authority is cryptographically derived in part from the public key of the lower subordinate signature authority. The public key of the subordinate signature authority is provided to the organizational signature authority.
    Type: Grant
    Filed: December 23, 2016
    Date of Patent: March 12, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Matthew John Campagna, Eric Jason Brandwine, Andrew Kyle Driggs
  • Publication number: 20190068363
    Abstract: A cryptographic key management service receives a request to import a first cryptographic key. In response to the request, the service creates a public cryptographic key and a private cryptographic key. The private cryptographic key is encrypted using a second cryptographic key to create an import key token. The import key token and the public cryptographic key are provided in response to the request. The service receives an encrypted first cryptographic key, which the service decrypts using the private cryptographic key to obtain the first cryptographic key. The service stores the first cryptographic key and enables its use for the performance of cryptographic operations.
    Type: Application
    Filed: October 29, 2018
    Publication date: February 28, 2019
    Inventors: Aleksandrs J. Rudzitis, Alexis Lynn Carlough, Gregory Alan Rubin, Matthew John Campagna
  • Patent number: 10218511
    Abstract: A signature authority generates a master seed value that is used as the root of a seed tree of subordinate nodes. Each subordinate node of the seed tree is generated from the value of its parent node using a cryptographic hash or one-way function. The signature authority selects subordinate seed values which are distributed to one or more key generators, each of which generates a set of one-time-use cryptographic keys. Each key generator generates a hash tree from its set of one-time-use cryptographic keys, and the root of its hash tree is returned to the signature authority. The signature authority integrates the hashes provided by the key generators into a comprehensive hash tree. The root of the comprehensive hash tree acts as a public key for the signature authority.
    Type: Grant
    Filed: December 23, 2016
    Date of Patent: February 26, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Matthew John Campagna, Gregory Alan Rubin, Nicholas Alexander Allen, Andrew Kyle Driggs, Eric Jason Brandwine
  • Patent number: 10187202
    Abstract: Methods, systems, and computer programs for performing key agreement operations in a communication system are described. In some aspects, a wireless network operator receives a mobile device identifier and accesses a secret key associated with the mobile device. A message authentication code function is evaluated based on the secret key to produce an output value. A session key and a challenge value are obtained based on the output value. In some aspects, a mobile device accesses a secret key in response to receiving the challenge value from the wireless network operator. A message authentication code function is evaluated based on the secret key to produce an output value. A response value and a session key are obtained based on the output value. The response value is transmitted to the wireless network operator.
    Type: Grant
    Filed: October 20, 2017
    Date of Patent: January 22, 2019
    Assignee: Certicom Corp.
    Inventors: Matthew John Campagna, Daniel Richard L. Brown, Nevine Maurice Nassif Ebeid
  • Patent number: 10169591
    Abstract: A tiered credentialing approach provides assurance to customers having virtual machines running in a remote environment that the virtual images for these machines are in a pristine state and running in a trusted execution environment. The environment can be divided into multiple subsystems, each having its own cryptographic boundary, secure storage, and trusted computing capabilities. A trusted, limited subsystem can handle the administrative tasks for virtual machines running on the main system of a host computing device. The limited system can receive a certificate from a certificate authority, and can act as a certificate authority to provide credentials to the main system. Upon an attestation request, the subsystems can provide attestation information using the respective credentials as well as the certificate chain. An entity having the appropriate credentials can determine the state of the system from the response and verify the state is as expected.
    Type: Grant
    Filed: December 7, 2015
    Date of Patent: January 1, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Matthew John Campagna, Gregory Alan Rubin, Eric Jason Brandwine, Matthew Shawn Wilson, Cristian M. Ilac