Patent Grant
8127145
1. Statement of the Technical Field
The inventive arrangements relate to electronic devices for storing and accessing sensitive/classified data.
2. Description of the Related Art
Electronic computers have the ability to store and process data. Computers typically include some kind of microprocessor with a commercially available operating system such as Linux, Unix, or Microsoft Windows. Many computers also have displays and keyboards for the human/machine interface. The foregoing capabilities make these devices highly useful for a various business and personal applications.
Currently, there exist a wide variety of computing devices with conventional operating systems and architectures. These commercially available computers with commercial-off-the-shelf (COTS) operating systems and COTS application programs generally satisfy the processing and data storage requirements of most users. For example, they include applications for word processing, data storage, spreadsheets, time management, and contact management. These applications generally function quite well and have interfaces that are familiar to many users.
Some commercially available computing devices and/or software applications incorporate various security measures in an effort to protect data which is stored or processed using the device. For example, encryption technology and password protection features are known in the art. Still, this level of security can be inadequate for managing information that is of a Confidential, Secret, or Top Secret nature, particularly when such information relates to matters of national security. For example, COTS operating systems and applications may not be sufficiently trustworthy for handling this type of information. Such programs can be susceptible to being compromised by various means including hacker attacks, viruses, worms, Trojan horses, and a wide variety of other means that are known to those skilled in the art.
Finally, notwithstanding the security limitations of COTS operating systems and applications, the basic architecture and interface systems of many commercial computing devices may leave these devices vulnerable to intrusion. For example, COTS devices do not employ trusted microprocessors, do not employ physical separation of classified and unclassified data processing, nor do they employ physical tamper detection and subsequent memory zeroization. Consequently, transport or processing of classified data using a commercial computer is not generally permitted.
Trusted operating systems and applications are generally designed to more rigorously address the problem of computer security. Trusted operating systems undergo evaluation of their overall design, verification of the integrity and reliability of their source code, and systematic, independent penetration evaluation. In contrast, non-trusted operating systems are generally not designed to an equally high level with regard to security precautions.
Single-level secure (SLS) is a class of systems that contain information with a single sensitivity (classification). SLS systems permit access by a user to data at a single sensitivity level without compromising data. Thus, SLS data file systems allow information at a single classification to be stored in an information system. The level of access can be limited by the current user security classification sign-on level and a security classification assigned to the secure user processor.
Multi-level secure (MLS) is a class of systems that contain information with different sensitivities (classifications). MLS systems permit simultaneous access by a user to data at multiple classification levels without compromising security. Thus, MLS data file systems allow information with different classifications to be stored in an information system. These systems are also designed to provide a user with the ability to process information in the same system. Significantly, however, these systems prevent a user from accessing information for which he is not cleared, does not have proper authorization, or does not have a need-to-know.
Users of non-trusted COTS operating systems, as may be found in commercial computers, are not generally allowed access to classified data found in secure file systems. Computers that utilize a trusted operating system (OS) which includes support for an SLS or MLS file system have been developed that are specifically designed to allow for storage of classified data. However, these devices are not generally designed to physically secure the data and zeroize the data upon tamper detection. Nor are they designed to be embedded as a secure component of a host computer system.
The invention concerns a system for providing a secure file service. The system includes a cryptographic processor and a secure file system. The cryptographic processor is comprised of a trusted microprocessor and a trusted operating system executing on the trusted microprocessor. The cryptographic processor can include one or more hardware based encryption services that facilitate the encryption and decryption of classified data files. For example, the hardware encryption services can include a hardware implemented cryptographic algorithm, a random number generator, and/or an exponentiator. The cryptographic processor includes processing facilities for encrypting and decrypting classified data files. The cryptographic processor also includes suitable hardware and software for accessing at least one classified data file from the secure file system, decrypting the data file, and serving the data file in decrypted form to a secure user processor that has requested the file.
The secure user processor is comprised of trusted microprocessor hardware. Notably, however, the secure user processor utilized in an SLS system can make use of either a trusted operating system or a non-trusted operating system while the secure user processor utilized in an MLS system must still make use of a multi-level-trusted operating system. A trusted path can be provided to define a data communication link between the secure user processor and the cryptographic processor. A secure human/machine interface can also be provided. The secure human/machine interface can be operatively connected to the secure user processor. For example, the secure human/machine interface can be configured for communicating user commands to the secure user processor and for displaying classified data files. The secure human/machine interface can also be operationally connected to the cryptographic processor. For example, the secure human/machine interface can be configured for communication user authentication information to the cryptographic processor and for displaying the results of user sign-on operations.
The secure user processor can also include hardware or software processing means for communicating the classified data file from the secure user processor to the cryptographic processor. The cryptographic processor has hardware and/or software processing facilities for encrypting the classified data file, for accessing the secure file system with the cryptographic processor, and for storing the classified data file after encryption in the secure file system. The secure file system can be either a single-level secure file system or a multi-level secure file system.
In addition to the encrypted classified data files stored in the secure file system hosted by the cryptographic processor, the secure file system can be used to store non-encrypted unclassified data. The cryptographic processor can include suitable hardware and/or software processing facilities for accessing the unclassified data file, system responsive to a request from the secure user processor. The cryptographic processor can also include processing means for serving the unclassified data files to the secure user processor.
The cryptographic processor can also include hardware and/or software processing facilities that can be used for authenticating a user. For example, such authentication can be performed responsive to user authentication information.
The invention also concerns a method for authenticating a user to the cryptographic processor before any data files are served to the secure user processor. The authentication can be performed by communicating at least one type of user authentication information to the cryptographic processor.
The method can also include the step of receiving at a cryptographic processor a request from a secure user processor for a non-encrypted unclassified data file. In response to the request, the cryptographic processor can access a secure file system containing the non-encrypted unclassified data file. Thereafter, the cryptographic processor can serve the unclassified data file to the secure user processor.
A block diagram of a single-level secure (SLS) computing device 100 is shown in
The computing device 100 also includes a user SLS file system 108 in a data store that is used for storing user executable programs and data. Classified data stored in the SLS file system 108 is stored in an encrypted format. A cryptographic engine 104 is provided with trusted hardware and trusted software for providing encryption and decryption services. A crypto file system 110 is also maintained in a data store. The crypto file system 110 is used to store classified data and files used by the cryptographic engine 104. In contrast to the user SLS file system 108, user data and applications are not generally stored in the crypto file system 110. Instead, the crypto file system 110 generally contains cryptographic algorithms, security keys and certificates, audit data, policy profiles, and application data specific to the processing performed by the cryptographic engine 104.
A secure human/machine interface (HMI) 106 is also provided for the SLS computing device 100. The secure HMI 106 can be comprised of trusted hardware and can provide a trusted path to applications executing on secure processor 102. Consequently, secure HMI 106 can prevent invasive or unauthorized applications from monitoring user inputs and system outputs. Secure HMI devices are known in the art and typically can include one or more features to ensure trusted communications between the user and the secure user processor. For example, the secure HMI 106 can provide a suitable interface by which a user can enter data and commands to the computing device 100. Secure HMI 106 can also include a user display for showing data and information processed by the computing device 100.
A user can request access to a classified data file using the secure HMI 106. Encrypted files in the user SLS files system 108 are accessed by the secure user processor 102 and provided to the cryptographic engine 104 for decryption. After the file has been decrypted, the cryptographic engine passes the decrypted file back to the secure user processor 102. Upon completion of any necessary user processing associated with the decrypted classified date file, the secure user processor 102 passes the file back to the cryptographic engine 104 for re-encryption. Thereafter, the encrypted file is returned to the secure user processor 102, which stores the file in the user SLS file system 108.
Notably, the secure user processor 102 can generally satisfy the security requirements for accessing the single-level secure file system 108. However, the operating system and applications can be expensive as compared to COTS systems. In particular, the secure user processor must be developed specifically to include trusted software for managing secure files, and especially for managing encryption and decryption services provided by the cryptographic processor. Another disadvantage of this arrangement is that the user single-level secure file system is not generally designed to physically secure the data and zeroize the data upon tamper detection.
Referring now to
The MLS computing device 200 also includes a user MLS file system 208 in a data store that is used for storing user executable programs and data. Classified data stored in the MLS file system 208 is stored in an encrypted format. A cryptographic engine 204 is provided with trusted hardware and multi-level trusted software for providing encryption and decryption services. A crypto MLS file system 210 is used to store classified data and files used by the cryptographic engine 104. For example, the MLS file system can separately store and control access to data that is designated as Classified, Secret, or Top Secret. In contrast to the user MLS file system 208, user data and applications are not generally stored in the crypto MLS file system 210. Instead, the crypto MLS file system 210 generally contains cryptographic algorithms, security keys, and application data that is specific to the processing performed by the cryptographic engine 204.
Encrypted files in the user MLS files system 208 are accessed by the secure user processor 202 and provided to the cryptographic engine 204 for decryption. After the file has been decrypted, the cryptographic engine passes the decrypted file back to the secure user processor 202. Upon completion of any necessary user processing associated with the decrypted classified date file, the secure user processor 202 passes the file back to the cryptographic engine 204 for re-encryption. Thereafter, the encrypted file is returned to the secure user processor 202, which stores the file in the user MLS file system 208.
The secure user processor 202 can generally satisfy the security requirements for accessing the multi-level secure user file system 208. However, the operating system and applications' can be expensive as compared to COTS systems. In particular, the secure user processor must be developed specifically to include trusted software for managing multiple levels of classified files, and especially for managing encryption and decryption services provided by the cryptographic processor. Another disadvantage of this arrangement is that the user multi-level secure user file system 208 is not generally designed to physically secure the data and zeroize the data upon tamper detection.
Referring now to
The files comprising classified information 306 stored in the user SLS file system can be decrypted by the secure cryptographic processor 302 and served to a client processor using client SLS access interface 310. In the opposite direction, files comprising classified information 306 processed by the client processor are presented through client SLS access interface 310 to the cryptographic processor 302 for encryption. Once encrypted, the the cryptographic processor 302 stores the files in the SLS file system as classified information 306. Consequently, SLS file service module 300 can provide a client processor with unencrypted read/write access to classified information 306 after user authentication.
The files included in the unclassified information 308 stored in the user SLS file system can be read by the secure cryptographic processor 302 and served to the client processor through client SLS access interface 310. Advantageously, the cryptographic processor 302 can limit access by a client processor so that the client processor is permitted read only access to files which contain unclassified information.
An interesting and important aspect of the arrangement in
The cryptographic processor 302 can be one of several commercially available cryptographic engines. According to one embodiment, the cryptographic engine can be a Sierra II Crypto processor available from Harris Corporation of Melbourne, Fla. The cryptographic processor 302 can include configurable key lengths and can be programmed with one or more encryption algorithms. As illustrated in
The cryptographic processor 302 can include one or more security features. For example, in addition to providing secure access to an SLS file system, the cryptographic engine 302 can provide security auditing, security policy enforcement, file integrity checking and/or trusted boot software loading.
A client SLS access interface 310 can provide communications support for a communication path between the SLS file service 300 and the client processor. Any suitable physically-secure data communication path can be used for this purpose. Requests from the client processor for access to files and the decrypted data files can be communicated over this interface. A file system control interface 312 can be provided for user authentication, sign on, and sign off. This interface can provide a trusted communication link with the client processor. However, in an alternative arrangement, this file system control interface 312 can provide communications directly with a secure HMI. For example, this alternative arrangement can be desirable where the client processor operates using non-trusted software and therefore cannot support a trusted path.
Referring now to
The secure user processor 402 also communicates with the SLS service module 300. In particular, the secure user processor 402 can communicate with the client SLS access interface 310 and the file system control interface 312. The client SLS access interface 310 provides services as described above. The file system control interface 312 can provide a path for trusted user sign-on and authentication for user access to the SLS file services provided by SLS file service module 300.
The architecture in
Referring now to
The secure user processor 502 also communicates with the SLS service module 300. In particular, the secure user processor 502 can communicate with the client SLS access interface 310 (but not the file system control interface 312). The client SLS access interface 310 provides services as described above.
The architecture in
Referring now to
The classified information files stored in the user MLS file system can be decrypted by the secure cryptographic processor 602 and served to a client processor using client MLS access interface 614. In the opposite direction, classified information processed by the client processor is presented by means of client MLS access interface 614 to the cryptographic processor 602. The cryptographic processor 602 encrypts the classified data file and stores it in the classified section of the user MLS file system as Top Secret information 606, Secret information 606, or Confidential information 610. In this way, the MLS file service module 600 can provide a client processor with unencrypted read/write access to such files at a particular security classification level after user authentication. Additionally, the cryptographic processor 602 can ensure that information loaded into the MLS file system has been provided by a trusted source and that the integrity of the information has been checked by using checksum/hashing technology.
The user MLS file system 601 can also contain files comprising unclassified information 612. The files comprising unclassified information 612 stored in the user MLS file system 601 can be read by the secure cryptographic processor 602 and served to the client processor by means of client MLS access interface 614. In the opposite direction, unclassified information processed by the client processor is presented through client MLS access interface 614 to the cryptographic processor 602 for storage in the unclassified section 612 of the user MLS file system. The MLS file service module 600 can provide read/write access to files comprising unclassified information 612.
The cryptographic processor 602 can be one of several commercially available cryptographic engines. According to one embodiment, the cryptographic processor can be a Sierra II Crypto processor available from Harris Corporation of Melbourne, Fla. The cryptographic processor 602 can include configurable key lengths and can be programmed with one or more encryption algorithms. As illustrated in FIG. 6, the MLS file service module 600 can include several control and data ports that are useful for controlling the operation of the cryptographic processor 602. For example, these can include a crypto ignition key port, a key and certificate fill port, a zeroize switch, and a software load port. The software load port can be used for loading software from a trusted source for executing on the cryptographic processor 602 or a client processor. The zeroize switch can be used to clear the encryption keys and/or the classified information contained in the user MLS file system and the crypto MLS file system 604. The various control and data ports can be controlled by the client processor or by any other suitable means.
The cryptographic processor 602 can include one or more security features. For example, in addition to providing secure access to an MLS file system, the cryptographic engine 602 can provide security auditing, security policy enforcement, file integrity checking and/or trusted boot software loading.
The client MLS access interface 614 can provide communications support for a communication path between the MLS file service 600 and a client processor. Any suitable physically-secure data communication path can be used for this purpose. Requests from the client processor for access to files and the decrypted data files can be communicated over this interface. A file system control interface 616 can be provided for user authentication, sign on, and sign off. This interface can provide a trusted communication link with the client processor.
Referring now to
The secure user processor 702 also communicates with the MLS file service module 600. In particular, the secure user processor 702 can communicate with the client MLS access interface 614 and the file system control interface 616. The client MLS access interface 614 provides services as described above. The file system control interface 616 can provide a path for trusted user sign-on and authentication for user access to the MLS file services provided by MLS file service module 600.
The architecture in
It is noted that although the software executing on secure user processor 702 is simpler and potentially less expensive than the software utilized by the secure user processor 202 in the prior art, the software executing on secure user processor 702 still needs to be designed, developed, and tested/certified to multi-level secure standards. The software on secure user processor 702 still needs to be ML-trusted so that it can provide the trusted path to the file system control interface 616 to support trusted user sign-on services.
Aside from these distinctions, the MLS computing device 700 operates similar to the device 200 as previously described. For example, a user can be authenticated to the cryptographic processor 602 by means of a sign-on process which involves communicating with the secure user processor 702. Such sign on process will also include a user communication with the secure user processor 702 using secure HMI 704. Once authenticated to a particular security level, the user can be permitted to access classified/unclassified files hosted by the MLS file service module 600.
In
As an alternative to the direct connection approach described above, the file service module 300, 600 can be embedded in the computer on an I/O bus (e.g. PCI) to provide the appearance of a local disk drive, but within the same physically secure enclosure. In this way, a secure path can be provided between the secure user processor and the file service module. Yet another alternative can include embedding the file service module 300, 600 on a host computer motherboard. Consequently, the data communication can occur over a data communication link within the same physically secure enclosure to establish a secure path.
The invention described and claimed herein is not to be limited in scope by the preferred embodiments herein disclosed, since these embodiments are intended as illustrations of several aspects of the invention. Any equivalent embodiments are intended to be within the scope of this invention. Indeed, various modifications of the invention in addition to those shown and described herein will become apparent to those skilled in the art from the foregoing description. Such modifications are also intended to fall within the scope of the appended claims
| Number | Name | Date | Kind |
|---|---|---|---|
| 4227253 | Ehrsam et al. | Oct 1980 | A |
| 4493031 | Silverio | Jan 1985 | A |
| 4918728 | Matyas et al. | Apr 1990 | A |
| 5263168 | Toms et al. | Nov 1993 | A |
| 5283828 | Saunders et al. | Feb 1994 | A |
| 5369702 | Shanton | Nov 1994 | A |
| 5548646 | Aziz et al. | Aug 1996 | A |
| 5596718 | Boebert et al. | Jan 1997 | A |
| 5748744 | Levy et al. | May 1998 | A |
| 5802178 | Holden et al. | Sep 1998 | A |
| 5887064 | Seysen | Mar 1999 | A |
| 5956404 | Schneier et al. | Sep 1999 | A |
| 6081895 | Harrison et al. | Jun 2000 | A |
| 6092202 | Veil et al. | Jul 2000 | A |
| 6148401 | Devanbu et al. | Nov 2000 | A |
| 6282653 | Berstis et al. | Aug 2001 | B1 |
| 6378071 | Sasaki et al. | Apr 2002 | B1 |
| 6378072 | Collins et al. | Apr 2002 | B1 |
| 6671804 | Kent | Dec 2003 | B1 |
| 6775778 | Laczko, Sr. et al. | Aug 2004 | B1 |
| 7003674 | Hamlin | Feb 2006 | B1 |
| 7028149 | Grawrock et al. | Apr 2006 | B2 |
| 7047405 | Mauro | May 2006 | B2 |
| 7069447 | Corder | Jun 2006 | B1 |
| 7072937 | Neebe et al. | Jul 2006 | B2 |
| 7185249 | Tkacik et al. | Feb 2007 | B2 |
| 7210009 | Gulick et al. | Apr 2007 | B2 |
| 7290288 | Gregg et al. | Oct 2007 | B2 |
| 7302698 | Proudler et al. | Nov 2007 | B1 |
| 7322042 | Srinivasan et al. | Jan 2008 | B2 |
| 7380275 | Srinivasan et al. | May 2008 | B2 |
| 7496347 | Puranik | Feb 2009 | B2 |
| 7543144 | Rensin et al. | Jun 2009 | B2 |
| 7698552 | Wilson et al. | Apr 2010 | B2 |
| 7765399 | O'Brien | Jul 2010 | B2 |
| 7779252 | O'Brien et al. | Aug 2010 | B2 |
| 7818574 | Fayad et al. | Oct 2010 | B2 |
| 7979714 | Borsa et al. | Jul 2011 | B2 |
| 8041947 | O'Brien et al. | Oct 2011 | B2 |
| 8060744 | O'Brien et al. | Nov 2011 | B2 |
| 20010044886 | Cassagnol et al. | Nov 2001 | A1 |
| 20020059238 | Saito | May 2002 | A1 |
| 20020099950 | Smith | Jul 2002 | A1 |
| 20030046589 | Gregg | Mar 2003 | A1 |
| 20030126434 | Lim et al. | Jul 2003 | A1 |
| 20030163740 | Thjai et al. | Aug 2003 | A1 |
| 20040039924 | Baldwin et al. | Feb 2004 | A1 |
| 20040044902 | Luthi | Mar 2004 | A1 |
| 20040103288 | Ziv et al. | May 2004 | A1 |
| 20050114687 | Zimmer et al. | May 2005 | A1 |
| 20050132186 | Khan et al. | Jun 2005 | A1 |
| 20060021007 | Rensin et al. | Jan 2006 | A1 |
| 20060041755 | Pemmaraju | Feb 2006 | A1 |
| 20060078109 | Akashika et al. | Apr 2006 | A1 |
| 20060195907 | Delfs et al. | Aug 2006 | A1 |
| 20060248599 | Sack et al. | Nov 2006 | A1 |
| 20060251258 | Lillie et al. | Nov 2006 | A1 |
| 20060253711 | Kallmann | Nov 2006 | A1 |
| 20070214364 | Roberts | Sep 2007 | A1 |
| 20070226493 | O'Brien et al. | Sep 2007 | A1 |
| 20070226494 | O'Brien et al. | Sep 2007 | A1 |
| 20070250411 | Williams | Oct 2007 | A1 |
| 20070283159 | Borsa et al. | Dec 2007 | A1 |
| 20080022136 | Mattsson et al. | Jan 2008 | A1 |
| 20090150899 | Tahan | Jun 2009 | A1 |
| Number | Date | Country |
|---|---|---|
| 196 33 919 | Jun 1997 | DE |
| 0 471 538 | Feb 1992 | EP |
| 0657 820 | Jun 1995 | EP |
| 1 085 396 | Mar 2001 | EP |
| 233 6005 | Oct 1999 | GB |
| WO 9839876 | Mar 1998 | WO |
| Number | Date | Country | |
|---|---|---|---|
| 20070226517 A1 | Sep 2007 | US |
