Cryptography – Particular algorithmic function encoding
Reexamination Certificate
1992-11-04
2004-12-28
Gregory, Bernarr E. (Department: 3662)
C380S255000, C380S257000, C380S277000, C380S287000, C713S150000, C713S168000, C713S170000, C713S182000, C713S152000, C713S152000
active
06836548
ABSTRACT:
This invention relates to securing data from misappropriation and unauthorised change, as well as ensuring the integrity of data that is prepared and communicated internally and externally of a data processing device or network, whether the network is trusted or not.
BACKGROUND
In the context of information technology, IT security equates to confidentiality, integrity and availability, and every IT product and network has its own level of security. To achieve and maintain a particular level of security, the product or every element of a network will involve the implementation of one or more security functions, for example, control of access to the product or network, both physically and in the data sense, transaction auditing, and detection of and recovery from breaches of the security which is in place.
However, even if a particular level of security exists, there must also be a commensurate assurance in these security functions, i.e. confidence in the correctness of the security functions (development and operation functions) and confidence in the effectiveness of the security functions.
There exist a number of IT security evaluation criteria which address these security function issues, for example the Trusted Computer Systems Evaluation Criteria (TCSEC) “Orange Book” used by the US Department of Defence, the UK CESG3, the German ZSiEc as well as the Joint European Information Technology Security Evaluation Criteria (ITSEC).
To provide a realistic requirement for applying any form of security evaluation criteria, there should also exist a realistic description of the operational requirements and the security threats that are to be countered (real world and assumed). These considerations, along with the overall security objectives and well known security mechanisms, become the security evaluation target of the IT security product or system that will be suitable for use in a security environment.
It is an aspect of this invention to provide an IT product which equals or exceeds the ITSEC security evaluation criteria level E6 which will allow the product to be used in a wide variety of security environments.
One such security target relates to the aim of providing an IT product which will allow the interconnection of networks with differing classification levels. For example, there is a defence requirement for top secret compartmented networks to be interconnected with secret networks (FIG. 1) so that appropriately classified data (e.g. unclassified to secret) may flow from the top secret network to the secret network while maintaining a bar to the flow of top secret data from the top secret network to the secret network. There must be a high level of assurance that both the hardware and software will not compromise data held in the top secret network by passing inappropriate data items to the secret network which includes the possibility of malicious logic (e.g. trojan horses) or security flaws in computer hardware or software in the top secret network which may be used to leak data to the secret network.
One way of achieving the necessary assurance for the aforementioned target is to ensure that all computing equipment, hardware and software, is evaluated to an appropriate ITSEC level, in this case at least E6.
Due to the stringent nature of the evaluation criteria at E6 level, it is unlikely that a product of similar utility to that of, for example, a general purpose workstation which is classified as an untrusted device by all security evaluation criteria, could be made available. However, with the ever increasing complexity of the message content and level of communications between workers involved with classified material it is desirable that such equipment be available. Ideally, a product such as a workstation would meet the requirements of level E6 and still remain functionally similar to an untrusted workstation.
As well as complex data there is often the need to prepare for transmission, data which is seemingly of a simple nature, but for which the highest level of integrity is required. An example of a message which must have high integrity is of the nature of an order from a commander to “launch a missile at target 23511”. The message must be verifiable as to its source and must have the highest level of integrity in respect of the content of the message.
Ideally there must exist a secure means of controlling the transfer of messages input to a display, so that only the message displayed, which must be visually verified by the sender, will be transmitted, thereby ensuring the integrity of its content. This then leaves the user to be responsible for taking appropriate steps to verify themselves as a legitimate source of the message.
Thus it is a desirable aspect of security related devices, when used with a non E6 level compliant device (which for the purposes of this discussion is considered as untrusted), for example a workstation, to provide a trusted path between the message input, the display, the human verifier, and the message output of the device. A trusted path for high integrity information is then created using elements of a previously untrusted device and its normal functions for their preparation.
However, having prepared a high integrity message, there still exist many security threats, in relation to message interception and unauthorised interpretation. To counter these threats, apart from well known physical security measures, there exist a number of security functions which can be applied to the message itself, to remove or reduce these threats.
The most common and typically most easily applied is the use of an encryption algorithm, having a predetermined key. When the encrypted message is received at its destination, a decryption algorithm is applied using the same predetermined key to extract the original message.
There are many encryption and decryption algorithms; however, only the “one time pad” key system has an unquestionable assurance of confidence and effectiveness against unauthorised decryption. A “one time pad” system uses a random key for each matching data item sent.
Currently, this approach is only used in very limited circumstances and is impractical for widespread use, due to the unmanageable nature of the large number of keys that would be used and the difficulty of coordinating the use of the same random key at each end of the information exchange.
Thus it is a further desirable aspect of the invention to provide a data encryption device which uses the preferable “one time pad” encryption system, but which overcomes the mass storage, coordination, and distribution problems of the typical implementation of this type of scheme while still meeting a security evaluation criteria level of E6 or greater.
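The coordination problem described above, as an added example that is not taken from the patent: both ends hold the same stored pad, each message carries the pad offset it was encrypted at, and either end refuses an offset whose key bytes have already been consumed. The class name `PadStore`, the 4-byte offset header and the constructed pad are assumptions for illustration.

```python
import secrets
import struct


class PadReuseError(Exception):
    """Key material would be reused or has run out."""


class PadStore:
    """One end's copy of the stored pad (hypothetical class, added example)."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._next = 0  # first pad byte never yet used at this end

    def _take(self, offset: int, length: int) -> bytes:
        if offset < self._next:
            raise PadReuseError("pad bytes at this offset were already used")
        if offset + length > len(self._pad):
            raise PadReuseError("pad exhausted")
        self._next = offset + length  # consumed bytes are never issued again
        return self._pad[offset:offset + length]

    def encrypt(self, plaintext: bytes) -> bytes:
        offset = self._next
        key = self._take(offset, len(plaintext))
        body = bytes(p ^ k for p, k in zip(plaintext, key))
        # Assumed wire format: 4-byte big-endian pad offset, then ciphertext.
        return struct.pack(">I", offset) + body

    def decrypt(self, message: bytes) -> bytes:
        if len(message) < 4:
            raise ValueError("message shorter than offset header")
        (offset,) = struct.unpack(">I", message[:4])
        key = self._take(offset, len(message) - 4)
        return bytes(c ^ k for c, k in zip(message[4:], key))


def demo():
    pad = secrets.token_bytes(64)  # constructed pad, assumed shared out of band
    sender, receiver = PadStore(pad), PadStore(pad)
    first = sender.encrypt(b"status report 1")
    second = sender.encrypt(b"status report 2")
    plain = (receiver.decrypt(first), receiver.decrypt(second))
    try:
        receiver.decrypt(first)  # replayed message: its pad bytes are spent
        replay_rejected = False
    except PadReuseError:
        replay_rejected = True
    return plain + (replay_rejected,)
```

XOR with a pad gives confidentiality only: flipping a ciphertext bit flips the same plaintext bit, so message integrity has to come from a separate mechanism.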
Thus the combined use of data integrity and encryption elements would provide a message having a high integrity with regards to its content and unquestionable assurance that the message has not been decrypted.
The invention thus may comprise two devices, an encryption device and a trusted path device. An encryption device for encryption of input data may comprise a mass storage device adapted to store a plurality of random keys for use in the encryption process as required.
A trusted path device may be incorporated or retrofitted to standard data processing devices. The device will provide an assurance that various security critical functions carried out by a user cannot be bypassed or tampered with by the hardware or software of the untrusted device which could otherwise compromise the function of the data processing device to which the trusted path device is attached.
In a broad aspect, the invention is a trusted path device for controlling the transfer of received data between an untrusted data input means, an untrusted visual display means adapted to display signals from an external source and a data output means, comprising,
a trusted visual display interface control means for transferring said received data from said untrusted data input means to said untrusted visual display means and controlling said display to display said rece
Anderson Mark Stephen
Beahan Brendan
Hayman Ken
Marriott Damian
Nayda Lisa
Gregory Bernarr E.
Oblon & Spivak, McClelland, Maier & Neustadt P.C.
The Commonwealth of Australia
Communications security and trusted path method and means does not yet have a rating. At this time, there are no reviews or comments for this patent.