GREGORY ROTH, MD
Osteopathic Medicine at 9 Ave, Seattle, WA

8640200, Jan 28, 2014

Mar 23, 2012

13/429180

Gregory B. Roth - Seattle WA, US
Kevin Ross O'Neill - Seattle WA, US

Amazon Technologies, Inc. - Reno NV

G06F 12/14, G06F 15/16, G06F 15/173, H04L 29/06

726 3, 709225, 709228, 726 18, 726 19

Techniques are described for enabling principals to inject context information into a credential (e. g. session credential). Once the credential has been issued, any arbitrary principal is allowed to inject context information into the existing credential. The injected context is scoped to the principal that made the injection. Subsequently, at authentication time, when the credential is used to request access to a particular resource, the system can verify whether the principal that made the injection is trusted and if the principal is deemed trusted, the context information can be applied to a policy that controls access to one or more resources, or can alternatively be translated into some context residing in a different namespace which can then be applied to the policy. In addition, the system enables arbitrary users to insert additional deny statements into an existing credential, which further restrict the scope of permissions granted by the credential.

2013008, Mar 28, 2013

Sep 27, 2011

13/246445

Graeme D. Baer - Seattle WA, US
Gregory B. Roth - Seattle WA, US

Amazon Technologies, Inc. - Reno NV

G06F 21/00

726 1

Access control techniques relate to verifying compliance with security policies before enabling access to the computing resources. An application is provided on a client that generates verification codes using an authentication seed. Prior to granting the client the authentication seed necessary to generate a verification code, a server may perform a policy check on the client. Some embodiments ensure that the client complies with security policies imposed by an authenticating party by retrieving a number of parameter values from the client and then determining whether those parameter values comply with the security policies. Upon determining that the client complies, the authentication seed is issued to the client. In some embodiments, the authentication seed is provided such that a policy check is performed upon the generation of a verification code. The client is given access to secure information when the client is determined to comply with the security policies.

2013008, Apr 4, 2013

Sep 29, 2011

13/248953

Gregory B. Roth - Seattle WA, US
Eric Jason Brandwine - Haymarket VA, US
Nathan R. Fitch - Seattle WA, US
Cristian M. Ilac - Sammamish WA, US
Eric D. Crahen - Seattle WA, US

Amazon Technologies, Inc. - Reno NV

H04L 9/32, G06F 21/00

726 7

Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information that, as a result of being used to generate the keys, renders the generated keys usable for a smaller scope of uses than the secret credential. Further, key generation may involve multiple invocations of a function where each of at least a subset of the invocations of the function results in a key that has a smaller scope of permissible use than a key produced from a previous invocation of the function. Generated keys may be used as signing keys to sign messages. One or more actions may be taken depending on whether a message and/or the manner in which the message was submitted complies with restrictions of the a key's use.

2013008, Apr 4, 2013

Sep 29, 2011

13/248980

Gregory B. Roth - Seattle WA, US
Eric D. Crahen - Seattle WA, US
Graeme D. Baer - Seattle WA, US
Eric J. Brandwine - Haymarket VA, US
Nathan R. Fitch - Seattle WA, US

Amazon Technologies, Inc. - Reno NV

G06Q 30/06, H04L 9/32

705 261, 713170, 713151

A support system negotiates secure connections on behalf of multiple guest systems using a set of credentials associated with the guest systems. The operation of the secure connection may be transparent to the guest system such that guest system may send and receive messages that are encrypted or decrypted by the support system, such as a hypervisor. As the support system is in between the guest system and a destination, the support system may act as a local endpoint to the secure connection. Messages may be altered by the support system to indicate to a guest system which communications were secured. The credentials may be managed by the support system such that the guest system does not require access to the credentials.

2013008, Apr 4, 2013

Sep 29, 2011

13/248973

Gregory B. Roth - Seattle WA, US
Bradley Jeffery Behm - Seattle WA, US
Eric D. Crahen - Seattle WA, US
Cristian M. Ilac - Sammamish WA, US
Nathan R. Fitch - Seattle WA, US
Eric Jason Brandwine - Haymarket VA, US
Kevin Ross O'Neill - Seattle WA, US

Amazon Technologies, Inc. - Reno NV

H04L 9/32, G06F 21/00

726 7

Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information that, as a result of being used to generate the keys, renders the generated keys usable for a smaller scope of uses than the secret credential. Further, key generation may involve multiple invocations of a function where each of at least a subset of the invocations of the function results in a key that has a smaller scope of permissible use than a key produced from a previous invocation of the function. Generated keys may be used as signing keys to sign messages. One or more actions may be taken depending on whether a message and/or the manner in which the message was submitted complies with restrictions of the a key's use.

8490162, Jul 16, 2013

Sep 29, 2011

13/248736

Cristian M. Ilac - Sammamish WA, US
Gregory B. Roth - Seattle WA, US
Eric J. Brandwine - Haymarket VA, US

Amazon Technologies, Inc. - Reno NV

G06F 21/00

726 5, 726 4, 726 19, 726 28, 713182

A system includes a memory and a processor. The memory is operable to store a credential verifier associated with a user account and a counter. The processor is coupled to the memory and the memory includes executable instructions that cause the system to receive a first authentication attempt and increment the counter if validation of the first authentication attempt against the credential verifier fails. The instructions also cause the system to receive a second authentication attempt and increment the counter only if validation of the second authentication attempt against the credential verifier fails and the second authentication attempt is distinct from the first authentication attempt.

2013008, Apr 4, 2013

Sep 29, 2011

13/248962

Gregory B. Roth - Seattle WA, US
Bradley Jeffery Behm - Seattle WA, US
Eric D. Crahen - Seattle WA, US
Cristian M. Ilac - Sammamish WA, US
Nathan R. Fitch - Seattle WA, US
Eric Jason Brandwine - Haymarket VA, US
Kevin Ross O'Neill - Seattle WA, US

Amazon Technologies, Inc. - Reno NV

G06F 21/00

726 7

Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information that, as a result of being used to generate the keys, renders the generated keys usable for a smaller scope of uses than the secret credential. Further, key generation may involve multiple invocations of a function where each of at least a subset of the invocations of the function results in a key that has a smaller scope of permissible use than a key produced from a previous invocation of the function. Generated keys may be used as signing keys to sign messages. One or more actions may be taken depending on whether a message and/or the manner in which the message was submitted complies with restrictions of the a key's use.