Modern computer systems typically have different services and resources that can be accessed by users of the computer system. When users request access to the services and resources, such requests are generally verified before access is granted so that a user does not gain access to services and resources outside of that user's set of permissions. One system typically used for providing secure access to services and resources is based on creating short-term session credentials that are associated with a user. Once a session is established, a user can use the session credentials associated with the session to issue multiple requests over the life of that session. Typically, session credentials are encrypted and include a secret key that is used to sign each of the multiple requests over the life of the session.
A drawback of such sessions and the associated session credentials is that any service that can decrypt the session credentials can have access to the secret key. Since decrypting the session credentials is typically required to verify a request, when the secret key is a symmetric key, the secret key can be used by services to improperly sign additional requests. Additionally, when a secret key is compromised or otherwise out of date, it may be difficult to invalidate all current access and rapidly issue one or more new secret keys. For example, a secret key associated with a user account can be used to access a large number of services and, if that key is compromised, invalidating all of that access quickly and efficiently can be time consuming and computationally expensive.
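The drawback described above can be seen in a small model, added here as an illustration and not taken from the original text: a session credential that embeds a symmetric signing key must be decrypted by the verifying service, which then holds a key whose signatures are indistinguishable from the user's. The names `seal`, `unseal`, `issue_session`, `sign` and `verify`, the JSON layout, and the HMAC-based toy cipher (a standard-library stand-in for a real authenticated cipher) are all assumptions.

```python
import hashlib, hmac, json, os

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Toy HMAC-counter keystream; stand-in for a real AEAD cipher, stdlib only.
    stream = b"".join(_mac(key, nonce + i.to_bytes(4, "big"))
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(wrap_key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(_mac(wrap_key, b"enc"), nonce, plaintext)
    return nonce + ct + _mac(_mac(wrap_key, b"mac"), nonce + ct)

def unseal(wrap_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(_mac(wrap_key, b"mac"), nonce + ct)):
        raise ValueError("session credential failed integrity check")
    return _xor_stream(_mac(wrap_key, b"enc"), nonce, ct)

def issue_session(wrap_key, user):
    # Issuer: the encrypted credential carries the symmetric signing key itself.
    secret = os.urandom(32)
    body = json.dumps({"user": user, "key": secret.hex()}).encode()
    return secret, seal(wrap_key, body)

def sign(secret, request):
    return _mac(secret, request)

def verify(wrap_key, cred, request, sig):
    # Service: checking the signature requires decrypting the credential,
    # so the service ends up holding the same key the user signs with.
    secret = bytes.fromhex(json.loads(unseal(wrap_key, cred))["key"])
    return hmac.compare_digest(sig, sign(secret, request)), secret

def demo():
    wrap_key = os.urandom(32)                 # constructed; shared by issuer and services
    secret, cred = issue_session(wrap_key, "alice")
    req = b"GET /reports/q3"                  # constructed sample request
    ok, recovered = verify(wrap_key, cred, req, sign(secret, req))
    other = b"PUT /reports/q3"                # a request the user never signed
    also_ok, _ = verify(wrap_key, cred, other, sign(recovered, other))
    return ok, recovered == secret, also_ok

if __name__ == "__main__":
    print(demo())
```

All three results are true, so a valid signature under this scheme shows only that some holder of the session key signed the request, not that the user did.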