Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-08-06
2001-10-16
Decady, Albert (Department: 2132)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C713S153000, C713S192000, C713S152000
Reexamination Certificate
active
06304973
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates to a multi-level security network system. More particularly, the present invention relates to a secure communication between hosts using a network that implements a security policy, and especially a network allowing multiple levels of information to coexist on a network system.
BACKGROUND OF THE INVENTION
The National Security Agency (NSA) has set forth specific definitions and requirements that establish various levels of security in computer and network systems. These basic definitions are set forth in “Trusted Computer System Evaluation Criteria,” Department of Defense, 1985 (TCSEC) and “Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria,” National Computer Security Center, 1987 (TNI). These documents define the requirements for systems to be evaluated in one of six hierarchical ratings: C1, C2, B1, B2, B3, and A1, with C1 being the least secure and A1 the most secure.
Division B, that is, ratings B1, B2, and B3, introduces the requirements for multi-level secure (MLS) systems. The term “multi-level security” refers to a system in which two or more classification levels of information are processed simultaneously, and not all users are cleared for all levels of information present. This same concept was applied during the 1980s to networked systems, at which time the phrase MLS network was generally used to refer to a network that was capable of simultaneously transmitting data at multiple security levels when some hosts or users were not cleared for all levels of data.
In order for an MLS network to qualify as a B-level secure network, it must provide at least the following five security functions: (1) access control, (2) object reuse, (3) labeling, (4) identification and authentication (I&A), and (5) auditing. Open Systems Interconnection (OSI) sets forth the industry-standard definition of seven layers of network connection: (1) physical, (2) data link, (3) network, (4) transport, (5) session, (6) presentation, and (7) application.
The first criterion, “access control,” is concerned with the enforcement of rules (the security policy) by which active subjects (e.g., processes, hosts) access passive objects (for example, files, memory, and devices). In a network system operating at the OSI network layer of the protocol hierarchy, access control is concerned with the access of hosts to network packets. Rule-based Mandatory Access Control (MAC) is concerned with preventing each host from transmitting or receiving data at the wrong level. Discretionary Access Control (DAC), on the other hand, is concerned with ensuring that a host computer can only establish authorized connections to other hosts.
The second criterion, “object reuse,” is concerned with preventing inadvertent release of residual data, typically in unused fields or at the end of a packet buffer. “Labeling” of each packet is necessary in a distributed system to convey the sensitivity of data to the various elements of the network. “Identification and Authentication” (I&A) is concerned with establishing individual accountability for authorized users. “Audit” is concerned with recording information about the use of the network's security mechanisms, to further support the requirement of user accountability.
In addition to these five basic requirements, a secure network should also provide two other capabilities, communications secrecy and communications integrity. These additional requirements support the secure transfer of MLS labeling and control information in an open environment, such as the Internet. Communications secrecy is provided by appropriate use of encryption to transform user data and control information so that it is unintelligible to wiretappers. Encryption is a process that scrambles or transforms sensitive data within messages (either an entire message, or part of a message) to make them unreadable to any recipient who does not know a secret string of characters, called a key.
Communications integrity, on the other hand, is concerned with detecting modification of data, such as security labels, and user data, as it traverses the network. Packet integrity has also been accomplished by calculating cryptographic checksums of packet headers and packet data. The receiving node can straightforwardly detect message modification to a high degree of probability by recalculating the cryptographic checksum on the received data, and comparing it to the received checksum.
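As an added example (not code from the patent or from any of the products it names), the following Python sketch puts together the per-packet mediation described in the access-control paragraph above with the cryptographic-checksum integrity check described here: the sender labels each packet and seals header and data together under an HMAC, and the receiving node recalculates the tag over what it received, then enforces MAC (the packet's label must fall within the receiver's clearance range) and DAC (the sending host must be an authorized peer). The level names, packet layout, key, host names and helper functions are all constructed for the illustration.

```python
import hashlib
import hmac
import struct

# Constructed linear hierarchy of sensitivity levels (assumption; the page names none).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}
LEVEL_NAMES = {value: name for name, value in LEVELS.items()}

# Constructed shared key for the demonstration; real systems distribute keys out of band.
KEY = b"constructed-demo-key"
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag

# Hypothetical packet layout: 1-byte label, 2-byte payload length, payload, then the tag.
HEADER = struct.Struct("!BH")


def seal_packet(level, payload, key=KEY):
    """Label the packet and append a cryptographic checksum over header and data together."""
    header = HEADER.pack(LEVELS[level], len(payload))
    body = header + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def open_packet(packet, key=KEY):
    """Recalculate the checksum over the received header and data; reject on any mismatch."""
    if len(packet) < HEADER.size + TAG_LEN:
        raise ValueError("truncated packet")
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    label, length = HEADER.unpack_from(body)
    payload = body[HEADER.size:]
    if label not in LEVEL_NAMES or len(payload) != length:
        raise ValueError("malformed header")
    return LEVEL_NAMES[label], payload


class Host:
    """A host with a clearance range (used for MAC) and an authorized-peer list (used for DAC)."""

    def __init__(self, name, min_level, max_level, peers):
        self.name = name
        self.min_level = LEVELS[min_level]
        self.max_level = LEVELS[max_level]
        self.peers = set(peers)


def mediate(receiver, sender, packet):
    """Checks a receiving node makes before delivering a packet: (accepted, reason, payload)."""
    # Integrity first: a label that was modified in transit must not influence later decisions.
    try:
        level, payload = open_packet(packet)
    except ValueError as exc:
        return False, f"integrity: {exc}", None
    # DAC: only connections from explicitly authorized hosts are accepted.
    if sender not in receiver.peers:
        return False, f"dac: {sender} is not authorized to connect to {receiver.name}", None
    # MAC: the packet's label must lie within the receiver's clearance range.
    if not receiver.min_level <= LEVELS[level] <= receiver.max_level:
        return False, f"mac: {receiver.name} is not cleared for {level}", None
    return True, "accepted", payload


def relabel_in_transit(packet, new_level):
    """Constructed test helper: overwrite the label byte without resealing, to show detection."""
    return bytes([LEVELS[new_level]]) + packet[1:]


if __name__ == "__main__":
    alpha = Host("alpha", "UNCLASSIFIED", "SECRET", peers={"beta"})
    secret = seal_packet("SECRET", b"report")
    print(mediate(alpha, "beta", secret))
    top = seal_packet("TOP_SECRET", b"x")
    print(mediate(alpha, "beta", top))
    print(mediate(alpha, "beta", relabel_in_transit(top, "UNCLASSIFIED")))
```

The order of the checks matters: the checksum is verified before the label is trusted, so a packet whose label was lowered in transit is rejected as an integrity failure rather than being admitted as if it were unclassified.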
The current approaches to MLS networking include Verdix VSLAN (which has subsequently changed to GKI, then to Cryptek Secure Communications VSLAN), Boeing MLS LAN and ITT networks.
The Verdix Secure Local Area Network (VSLAN) product was developed by Verdix Corporation in the 1980s. VSLAN was the first network product evaluated by the TNI criteria and the first commercial network product to provide MLS security. VSLAN is the only commercial network product available with a B2 rating. However, VSLAN operates at the link layer (layer 2) of the protocol stack and, thus, its security mechanisms are limited to the scope of a local area network. While VSLAN uses Data Encryption Standard (DES) for communications integrity, it cannot be used on an open network because DES is not sufficiently strong to protect classified data.
The Boeing MLS LAN has received an A1 security rating with respect to the TNI. It does not provide any encryption, but relies on physical protection of the medium to protect data in transit.
The ITT network security is described in U.S. Pat. No. 5,577,209 to Boyle et al. (“Boyle”). Boyle uses cryptographic sealing techniques to support MLS labeling and mediation. The approach operates at the session layer (layer 5) of the OSI protocol reference model. Boyle, however, does not provide encryption of data for purposes of secrecy. Consequently, classified data could be accessed by passive wiretapping or by use of readily available tools, such as tcpdump running on any host in any of the intermediate networks.
Most protocol architectures do not have a protocol implementation that uses a distinct session-layer protocol. Rather, for protocols commonly used on the Internet, application programs (layer 7) interface directly to the transport layer (layer 4) of the protocol hierarchy. For these two reasons, Boyle is not very useful with real classified data on real networks, such as the Internet.
Over the past 15 years, computer security and network security have progressed on separate tracks. Computer security has generally been concerned with the evaluation of standalone computer systems, without networking, at a time when the Internet was exploding. With the exception of a few TNI-evaluated products, network security has concentrated on the use of cryptography (particularly public key cryptography) and firewalls. Cryptography has been used to provide secrecy and integrity, largely without regard for the security of the communicating systems.
Various methods and devices have been used to enhance network security, including firewalls, identification and authentication (I&A), intrusion detectors, and virtual private networks (VPN).
Firewalls have been used to protect an organization's internal resources from the external Internet by passing certain protocols (e.g., email, name services) into the protection perimeter, but filtering out all protocols not explicitly listed. The firewalls attempt to isolate a company's intranetwork from the remainder of the Internet. Firewalls provide proxy servers that stand between the external network and internal resources and that pre-validate external requests.
However, firewalls are only intended to protect internal resources from outsiders. As a result, firewalls offer no protection against an internal attack upon those same resources. Firewalls are generally subject to impersonation, in which an intruder's host is programmed to use an IP address of one of the network computers, or an attacker may know the password of one of the trusted users. Fi
Cryptek Secure Communications, LLC
Decady Albert
Jacobson & Holman PLLC
Kabakoff Stephen