Title Key derivation techniques
Abstract Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information that, as a result of being used to generate the keys, renders the generated keys usable for a smaller scope of uses than the secret credential. Further, key generation may involve multiple invocations of a function where each of at least a subset of the invocations of the function results in a key that has a smaller scope of permissible use than a key produced from a previous invocation of the function. Generated keys may be used as signing keys to sign messages. One or more actions may be taken depending on whether a message and/or the manner in which the message was submitted complies with restrictions on a key's use.
Publication number US9197409(B2) Publication date 2015.11.24
Application number US201113248973 Filing date 2011.09.29
Applicant Amazon Technologies, Inc. Inventors Roth Gregory B.;Behm Bradley Jeffery;Crahen Eric D.;Ilac Cristian M.;Fitch Nathan R.;Brandwine Eric Jason;O'Neill Kevin Ross
Classification H04L9/32;H04L9/08;G06F21/31;H04L29/06 Main classification H04L9/32
Agent Davis Wright Tremaine LLP Attorney Davis Wright Tremaine LLP
Main claim 1. A computer-implemented method of authentication for providing access to one or more computing resources of a computing resource provider, the one or more computing resources of the computing resource provider being part of a logical grouping of computing resources in a key zone of a plurality of key zones, the method comprising:
under the control of one or more computer systems configured with executable instructions,
receiving, by the one or more computer systems, a message and a signature of the message from an authenticating party;
generating, by the one or more computer systems and based at least in part on the received message, an expected signature by at least invoking a hash-based message authentication code function multiple times such that:
at least one invocation of the hash-based message authentication code function involves an input to the hash-based message authentication code function that is based at least in part on a secret credential shared with the authenticating party, the secret credential being received from a central key authority and corresponding to the key zone; and
at least another invocation of the hash-based message authentication code function involves a result from a previous invocation of the hash-based message authentication code function as an input to the hash-based message authentication code function;
determining, by the one or more computer systems, whether the received signature matches the expected signature; and
taking, by the one or more computer systems, when determined that the received signature matches the expected signature, one or more actions for which authentication of the received message is required.
Address Seattle WA US
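The abstract and claim 1 describe a chain of HMAC invocations in which each step narrows the scope of the resulting key, and a verifier recomputes the expected signature and compares it with the received one. The following is an added illustration, not code from the patent or from Amazon: the scope labels (date, key zone, service), the shared secret and the message are constructed sample values, and the zone-verifier function goes slightly beyond the claim text by showing that a party holding only an intermediate key for its key zone can complete the chain without the root secret credential.

```python
import hashlib
import hmac

def _hmac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def derive_scoped_key(key: bytes, scope: list[str]) -> bytes:
    """Invoke HMAC once per scope element, feeding each result into the next.
    The key returned after each step is usable only for the scope prefix
    consumed so far, so it is strictly narrower than the key it came from."""
    for element in scope:
        key = _hmac(key, element.encode("utf-8"))
    return key

def sign_message(key: bytes, scope: list[str], message: bytes) -> str:
    """Signing key = chain over the full scope; signature = HMAC of the message."""
    signing_key = derive_scoped_key(key, scope)
    return _hmac(signing_key, message).hex()

def verify_message(key: bytes, scope: list[str], message: bytes, signature: str) -> bool:
    """Recompute the expected signature and compare in constant time."""
    expected = sign_message(key, scope, message)
    return hmac.compare_digest(expected, signature)

def verifier_in_key_zone(zone_key: bytes, remaining_scope: list[str],
                         message: bytes, signature: str) -> bool:
    """A verifier holding only the zone-scoped intermediate key (as handed out by a
    central key authority) finishes the remaining chain; it never sees the root secret."""
    return verify_message(zone_key, remaining_scope, message, signature)

# Constructed sample values; the scope labels are hypothetical, not from the patent text.
SHARED_SECRET = b"constructed-shared-secret-credential"
SCOPE = ["20110929", "key-zone-1", "storage-service"]
MESSAGE = b"GET /bucket/object HTTP/1.1"

def demo() -> dict:
    sig = sign_message(SHARED_SECRET, SCOPE, MESSAGE)
    zone_key = derive_scoped_key(SHARED_SECRET, SCOPE[:2])  # date + key zone only
    other_zone = ["20110929", "key-zone-2", "storage-service"]
    return {
        "valid": verify_message(SHARED_SECRET, SCOPE, MESSAGE, sig),
        "tampered": verify_message(SHARED_SECRET, SCOPE, MESSAGE + b"x", sig),
        "wrong_zone": verify_message(SHARED_SECRET, other_zone, MESSAGE, sig),
        "zone_verifier": verifier_in_key_zone(zone_key, SCOPE[2:], MESSAGE, sig),
    }

if __name__ == "__main__":
    print(demo())
```

A signature made under one key zone fails verification under another because the zone label changes an early link in the chain, which is what makes the derived key narrower in scope than the shared secret.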