PROTECTING INFORMATION IN AN UNTETHERED ASSET

Information

  • Patent Application 20120070002
  • Publication Number 20120070002
  • Date Filed: July 16, 2010
  • Date Published: March 22, 2012
Abstract
The technology described herein for protecting secure information includes a method. The method includes storing, by a plurality of data store devices, the secure information. Each of the data store devices stores at least one part of the secure information. The method further includes receiving, by at least one of a plurality of embedded sensors, a notification associated with a compromise of at least one part of the secure information. The method further includes destroying one or more parts of the secure information based on the notification. The method further includes processing, by a plurality of intelligent agent modules, one or more parts of the secure information received from one or more of the data store devices if no parts of the one or more parts of the secure information are destroyed.
Description
BACKGROUND

There has been a recognition that the United States is at risk of the delivery of weapons of mass destruction to its ports by enemies employing a strategy of hiding such a weapon in a shipping container. Various schemes have been proposed for x-raying containers or otherwise examining containers as they are loaded on ships in the foreign port. Such schemes, however, can be very limited in effectiveness, since they can be defeated with x-ray shielding, are vulnerable to compromise by rogue employees, and the contents of the containers can be altered after they are loaded in the foreign port.


To a limited degree, the notion of embedding detecting devices in a container, which communicate with external systems, has been implemented in unsecure applications. For example, Sensitech, based in Beverly, Mass. (www.sensitech.com), provides solutions in the food and pharmaceuticals fields that are used for monitoring temperature and humidity for goods in-process, in-transit, in-storage, and on-display. So, temperature and humidity monitors can be placed in storage and transit containers to ensure desired conditions are maintained.


However, such data is not generally considered sensitive with respect to security issues. Rather, it is used for ensuring the products in the container do not spoil by being subjected to unfavorable temperature and humidity conditions. Consequently, secure communications, tamper resistance and detection are not particularly relevant issues in such settings. Additionally, such monitors do not monitor for the presence of suspicious content or materials, no matter where they may be introduced in the chain.


Even if detectors are introduced into a container and interfaced to an external system, an “enemy” may employ any of a variety of strategies to defeat such a detection system. For instance, an enemy may attempt to shield the suspicious materials or activities from the detectors; defeat the communication interface between the detectors and the external system, so that the interface does not report evidence of suspicious materials or activities sensed by the detectors; disconnect the detectors from the interface; surreptitiously load a container that contains an atomic weapon, but that does not contain detecting devices, onto a container ship; overcome external systems so that they incorrectly report on the status of the detectors.


The difficult aspect of the environment is that the detecting devices and the communications interface will be in the hands of the potential enemy for some period of time, at least for the period of time necessary to load the container. Also, since the potential enemy is presumed capable of constructing an atomic weapon, the enemy must be presumed able to utilize other advanced technologies suitable for defeating the detecting devices and the interface.


SUMMARY

One approach to protecting secure information is a method. The method includes storing, by a plurality of data store devices, the secure information. Each of the data store devices stores at least one part of the secure information. The method further includes receiving, by at least one of a plurality of embedded sensors, a notification associated with a compromise of at least one part of the secure information. The method further includes destroying one or more parts of the secure information based on the notification. The method further includes processing, by a plurality of intelligent agent modules, one or more parts of the secure information received from one or more of the data store devices if no parts of the one or more parts of the secure information are destroyed.


Another approach to protecting secure information is a computer program product. The computer program product is tangibly embodied in an information carrier. The computer program product including instructions being operable to cause a data processing apparatus to: store the secure information, each of a plurality of data store devices storing at least one part of the secure information; receive a notification associated with a compromise of at least one part of the secure information; destroy one or more parts of the secure information based on the notification; and process one or more parts of the secure information received from one or more of the plurality of data store devices if no parts of the one or more parts of the secure information are destroyed.


Another approach to protecting secure information is a system. The system includes a plurality of intelligent agent modules, a plurality of data store devices, and a plurality of embedded sensors. The plurality of intelligent agent modules are configured to process information if no parts of the secure information are destroyed and destroy one or more parts of the secure information based on a notification. The plurality of data store devices are configured to store the secure information, communicate the secure information to/from the plurality of intelligent agent modules, and destroy one or more parts of the secure information based on the notification. The plurality of embedded sensors are configured to provide the notification of a compromise of the system to at least one of the plurality of intelligent agent modules and/or the plurality of data store devices.


Another approach to protecting secure information is a system. The system includes means for processing information if no parts of the secure information are destroyed; means for storing the secure information; means for communicating the secure information to/from the means for processing; means for destroying one or more parts of the secure information based on the notification; and means for providing the notification of a compromise of the system to at least one of the means for destroying.


Any of the approaches described herein can include one or more of the following examples.


In some examples, no single data store device stores every part of the secure information.


In other examples, the method includes destroying, by each of the data store devices or each of the intelligent agent modules associated with the respective part of the secure information, the one or more parts of the secure information based on the notification.


In some examples, the destroying the one or more parts of the secure information based on the notification.


In other examples, the secure information includes encrypted information.


In some examples, the method includes decrypting the encrypted information based on an encryption key, the encryption key including a plurality of parts stored on at least two of the plurality of data store devices.


In other examples, the method includes destroying one or more parts of the encryption key based on the notification, the destroying of the one or more parts of the encryption key making the encryption key unusable for decrypting the encrypted information.


In some examples, destroying the one or more parts of the secure information based on the notification makes the one or more parts unreadable by a computing device.


In other examples, the notification is associated with an event.


In some examples, the method includes detecting, by at least one of the plurality of embedded sensors, the event, the event associated with at least one of the plurality of data store devices or at least one of the plurality of intelligent agent modules.


In other examples, the method includes detecting, by at least one of the plurality of embedded sensors, an attempted modification or removal of at least one part of the secure information from at least one of the plurality of data store devices or at least one of the plurality of intelligent agent modules; and generating the notification based on the attempted modification or removal.


In some examples, the method includes detecting, by at least one of the plurality of embedded sensors, a change in a physical property associated with at least one of the plurality of data store devices or at least one of the plurality of intelligent agent modules; and generating the notification based on the change in the physical property.


In other examples, the physical property includes light, vibration, sound, movement, location, and/or temperature.


In some examples, the method includes detecting, by at least one of the plurality of intelligent agent modules, a change in the correct operation of a network of the plurality of intelligent agent modules; and generating the notification based on the detection.


In other examples, the method includes examining timing tokens communicated between two or more of the plurality of intelligent agent modules.


In some examples, the system includes an asset. The plurality of intelligent agent modules, the plurality of data store devices, and the plurality of embedded sensors are embedded within the asset.


In other examples, the asset includes an untethered military device.


In some examples, the system includes an asset. The plurality of intelligent agent modules, the plurality of data store devices, and the plurality of embedded sensors are embedded within the asset at a plurality of first locations.


In other examples, the system includes a second asset.


In some examples, the second asset includes a plurality of second intelligent agent modules configured to process second secure information if no parts of the second secure information are destroyed and destroy one or more parts of the second secure information based on a second notification.


In other examples, the second asset includes a plurality of second data store devices configured to store the second secure information, communicate the second secure information to/from the plurality of second intelligent agent modules, and destroy one or more parts of the second secure information based on the second notification.


In some examples, the second asset includes a plurality of second embedded sensors configured to provide the second notification of a compromise of the system to at least one of the plurality of second intelligent agent modules and/or the plurality of second data store devices.


In other examples, the plurality of second intelligent agent modules, the plurality of second data store devices, and the plurality of second embedded sensors are embedded within the second asset at a plurality of second locations.


In some examples, the first asset is associated with the second asset and the plurality of first locations are different from the plurality of second locations.


In other examples, the secure information includes at least one of encrypted data, unencrypted data, and/or an encryption key.


In some examples, the plurality of embedded sensors are configured to detect the compromise of the system.





BRIEF DESCRIPTION OF THE DRAWINGS

The drawing figures depict preferred embodiments by way of example, not by way of limitations. In the figures, like reference numerals refer to the same or similar elements.



FIG. 1 is a block diagram of a secure detection system network, in accordance with the present invention.



FIG. 2 is a block diagram of a portion of the block diagram of FIG. 1, with a plurality of containers.



FIG. 3 is a block diagram of a portion of the block diagram of FIG. 1, with a plurality of containers in a stacked configuration.



FIG. 4 is a block diagram of a massively scalable Secure Network, in accordance with the present invention.



FIG. 5 illustrates an exemplary asset.



FIG. 6 illustrates an exemplary data store device.



FIG. 7 illustrates an exemplary intelligent agent module.



FIG. 8 is a block diagram depicting a network of nodes.



FIG. 9 illustrates a network with nodes that have been compromised.



FIG. 10 illustrates a network with nodes that have been compromised.



FIG. 11 illustrates a network of data store devices and intelligent agent modules.



FIG. 12 illustrates a network of data store devices and intelligent agent modules.





DETAILED DESCRIPTION

The technology described herein addresses the problem of protecting critical information (also referred to as secure information) in a remote asset that is not connected (tethered) to a secure remote source that can provide cryptographic material. Such assets can include, for example, military assets, such as sensors, artillery shells, larger military hardware such as air planes, missiles, tanks and/or any other type of untethered device or apparatus. These assets can include critical/secure information (e.g., sensitive software, encryption keys, encryption software, communication software, communication protocol, data, bomb coordinates, operating procedures, etc.) that should not be revealed to adversaries. Even though the critical information can be encrypted when it is stored on these assets, if the asset is not connected to a secure remote node, the encryption key or keys will presumably have to be stored somewhere on the asset. This implies that theoretically, with sufficient time and reverse engineering skill, an adversary who had possession of the asset could find the key and decrypt the critical information stored therein. An adversary could acquire possession of a military asset containing critical information if the adversary could capture such an asset on the battlefield, steal the asset from a military depot, and/or purchase the asset from the responsible government as part of a foreign military sales program.


This technology includes a method of protecting critical information stored in such an untethered asset so that by designing and building an appropriate set of execution environments, e.g., data stores, sensors, power sources, and/or intelligent agents (also referred to as angels), military designers can achieve any arbitrary level of protection for the embedded critical information.
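The stored-in-parts, destroy-on-notification scheme laid out in the Summary and restated here, as an added example that is not code from the application. It models the three component types under the hypothetical names DataStoreDevice, EmbeddedSensor and IntelligentAgentModule, and assumes an XOR split of the encryption key across the data stores and a SHA-256 counter-mode stand-in cipher with an HMAC tag; the sample secret and the sensor threshold are constructed.

```python
import functools
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(key: bytes, n: int) -> List[bytes]:
    """XOR-split key into n random parts; every part is needed to rebuild it (assumed scheme)."""
    parts = [os.urandom(len(key)) for _ in range(n - 1)]
    parts.append(functools.reduce(xor_bytes, parts, key))
    return parts

def join_key(parts: List[bytes]) -> bytes:
    return functools.reduce(xor_bytes, parts)

def keystream(key: bytes, n: int) -> bytes:
    # Demo-only stand-in cipher: SHA-256 in counter mode. A fielded asset would use an AEAD.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    body = xor_bytes(plaintext, keystream(key, len(plaintext)))
    return hmac.new(key, body, hashlib.sha256).digest() + body

def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None  # wrong or partial key: refuse rather than emit garbage
    return xor_bytes(body, keystream(key, len(body)))

class DataStoreDevice:
    """Holds some parts of the secure information and destroys them on a compromise notification."""
    def __init__(self, name: str):
        self.name, self.parts, self.destroyed = name, {}, False

    def read(self, label: str) -> Optional[bytes]:
        return None if self.destroyed else self.parts.get(label)

    def on_notification(self, event: str) -> None:
        for label in self.parts:  # overwrite before dropping, so no readable residue remains
            self.parts[label] = bytes(len(self.parts[label]))
        self.parts.clear()
        self.destroyed = True

class IntelligentAgentModule:
    """Processes the secure information only if no part of it has been destroyed."""
    def __init__(self, stores: List[DataStoreDevice]):
        self.stores, self.tripped = stores, False

    def on_notification(self, event: str) -> None:
        self.tripped = True
        for s in self.stores:  # the agent also orders destruction on the stores it is associated with
            s.on_notification(event)

    def process(self) -> Optional[bytes]:
        key_parts = [s.read("key_part") for s in self.stores]
        blob = self.stores[0].read("ciphertext")
        if self.tripped or blob is None or any(p is None for p in key_parts):
            return None
        return decrypt(join_key(key_parts), blob)

class EmbeddedSensor:
    """Watches one physical property (light, vibration, ...) and notifies on an out-of-band reading."""
    def __init__(self, prop: str, limit: float, subscribers: list):
        self.prop, self.limit, self.subscribers = prop, limit, subscribers

    def observe(self, value: float) -> bool:
        if value <= self.limit:
            return False
        for s in self.subscribers:
            s.on_notification(f"{self.prop} exceeded {self.limit}: {value}")
        return True

SECRET = b"constructed sample: sensitive operating procedure"  # constructed, not real data

def provision(secret: bytes, n_stores: int = 3):
    """Secure stage: encrypt the information and spread the key parts over the stores."""
    key = os.urandom(32)
    stores = [DataStoreDevice(f"store{i}") for i in range(n_stores)]
    for store, part in zip(stores, split_key(key, n_stores)):
        store.parts["key_part"] = part  # no single store ever holds every part
    stores[0].parts["ciphertext"] = encrypt(key, secret)
    agent = IntelligentAgentModule(stores)
    sensor = EmbeddedSensor("vibration", 5.0, stores + [agent])
    return stores, agent, sensor

def run_scenario(vibration_reading: float) -> Tuple[Optional[bytes], int]:
    """Return (what the agent can process, number of stores destroyed) after one sensor reading."""
    stores, agent, sensor = provision(SECRET)
    sensor.observe(vibration_reading)  # assumed readings: 1.0 normal handling, 9.0 a tamper shock
    return agent.process(), sum(s.destroyed for s in stores)
```

With a normal reading the agent recovers the secret; after the sensor trips, every store has zeroised its part and the agent returns nothing, since a single destroyed part leaves the key unusable.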


In some examples, the technology as described herein is accomplished using the systems and methods disclosed in U.S. Pat. No. 7,576,653; U.S. Pat. No. 7,475,428; U.S. Pat. No. 6,918,038; U.S. Pat. No. 6,532,543; U.S. Pat. No. 6,532,543; U.S. Pat. No. 6,067,582; U.S. patent application Ser. No. 12/596,971; U.S. patent application Ser. No. 12/277,100; and U.S. patent application Ser. No. 12/150,373, all of which are incorporated herein by reference.


Various aspects of the technology are described below. In other examples, the technology as described herein is accomplished using secure detection network system, secure network & system, orthogonal authentication, data packaging, network generation, network installation, massively scalable secure network, strobed encryption, and/or protecting information in an untethered asset, which are each described in turn below.


Secure Detection Network System


A system and method for providing a secure detection network system includes a plurality of nodes, each node comprising a processor and storage means. Such nodes include a plurality of remote nodes, each remote node comprising a set of detector interfaces configured for coupling to a set of detectors disposed for detecting the presence of an illegal condition. The illegal condition may include the presence of one or more suspicious materials, including chemical weapons, biological weapons, nuclear weapons, chemical agents, biological agents, radioactive materials, illegal drugs, explosive materials or devices, or shielding means. The illegal condition may also include a suspicious activity, including an attempt to defeat a remote node or detector. The remote nodes can be provided within a tamper-resistant box that could be coupled to a sensitive asset, for example. Sensitive assets could include, for example, a shipping container, vehicle, human, event, room, area or building. Within the box may also be provided a set of detectors. The detectors are configured to detect the illegal condition, and could also detect an attempt to compromise the detector, remote node, or sensitive asset.


To establish a secure network and each node therein, at least one server node generates and distributes to each node an intelligent agent module and a set of node-specific configuration files, selectively including software and data files. For each node, the configuration files include information defining for that node a set of other nodes with which the node can communicate. This includes providing a different encryption means corresponding to each node in the set of other nodes. Installation of a node includes executing the downloaded agent and configuration files. Once installation is complete, strobing of the encryption means (e.g., key pairs) between nodes can be included.


At least one monitor node can be provided to couple to and audit other nodes in the secure network, including the remote nodes. This auditing function may include receiving signals indicating an illegal condition or tampering with a remote node. A robot node could also be provided, as another form of monitor node, which could be hosted on a portable platform. These nodes could include wired or wireless interfaces, as could the server nodes and the remote nodes.


Selectively causing one or more nodes to terminate communication and to remove themselves from the secure network in response to one or more termination events may also be provided. In such a case, the one or more termination events could include detecting tampering with one or more remote nodes.


Communication between remote nodes and other nodes, such as a monitor node or server node, could be accomplished via one or more other intermediate nodes. Subnetworks may be formed from a set of remote nodes, wherein each subnetwork could provide a portion of the communication path to the monitor node and server node for a given remote node.


As an additional form of security, orthogonal authentication could also be provided, such as by using independent biometric information about an individual.


A system and method in accordance with the technology provide a secure network having interfaces to detectors configured to detect any of a number of undesired conditions. Such a system and method provide security for network nodes against attacks, whether intentional by an enemy or inadvertent by friendly forces. Such a system and method include a plurality of nodes configured to communicate in a highly secure and robust manner. Several of the nodes include or interface with one or more detectors, monitors, or sensing devices (collectively, “detectors”) configured to sense the presence or introduction of an “illegal condition”, such as suspicious materials or activities.


Generally, suspicious materials include any material that, if detected, would present a reason to open a container and examine it. Such materials could include drugs, nuclear, chemical, biological or other hazardous materials, devices, compositions, or agents, or any weapons or agents of mass destruction, including nuclear weapons, explosives, chemical weapons, and biological weapons, as well as shielding material that would shield radiation, explosives or biological weapons from detection. Suspicious materials could also represent materials that were at variance with the materials that the shipper states are supposed to be in the container.


Generally, suspicious activities include any activity that, if detected, would represent a reason to open the container and examine it, or to otherwise consider a formerly trusted asset as untrusted. Suspicious activity could include electromagnetic radiation, sonar, or heat variations, or removal of or tampering with a detector or remote node. For example, removing a detector or remote node from a container might be indicative of an attack on a detector, node or container. The presence of human beings inside a container after the container had been closed and was ready for shipment would also constitute suspicious activity, as would the presence of a human that has not been properly authenticated.


As an overview, the Secure Network includes at least one server node that distributes intelligent agents (or agent modules) to devices, and any other software and data necessary to configure and enable the node. Each agent module is specific to the device to which it is distributed. A device properly configured with an agent module is referred to as a node. The node includes information received from the server node that identifies other nodes with which the agent's node is to communicate. Each pair of nodes that is configured to communicate will be configured with encryption means unique to that pair of nodes' communication, which may take the form of unique key pairs. These key pairs may be strobed to further enhance security. The agent module installs any applications or software distributed from the server node to the agent's node. The server node may also reinstall the network at any time, e.g., in response to loss of a node or a determination that a node has been compromised. Additionally, a monitor node can be included to audit a group of nodes.
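The per-pair keying, strobing and reinstallation described in this overview and in the earlier paragraphs on node installation and termination, as an added example that is not code from the application. It assumes a symmetric HMAC key per pair as a stand-in for the "unique key pairs", an epoch counter that both ends advance as the strobe, and the hypothetical names Node, ServerNode and strobe_pair; node names and messages are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

Packet = Tuple[str, int, bytes, bytes]  # (sender, strobe epoch, tag, message)


class Node:
    """A device that became a node by installing its agent module and configuration."""
    def __init__(self, name: str):
        self.name = name
        self.pair_keys: Dict[str, bytes] = {}  # peer -> key unique to this pair of nodes
        self.epochs: Dict[str, int] = {}       # peer -> current strobe epoch

    def install(self, config: Dict[str, bytes]) -> None:
        """Apply the node-specific configuration distributed by the server node."""
        self.pair_keys = dict(config)
        self.epochs = {peer: 0 for peer in config}

    def _strobed_key(self, peer: str) -> bytes:
        # Key in force for the current epoch, derived from the pair key and the strobe counter.
        return hmac.new(self.pair_keys[peer], self.epochs[peer].to_bytes(4, "big"),
                        hashlib.sha256).digest()

    def send(self, peer: str, message: bytes) -> Optional[Packet]:
        if peer not in self.pair_keys:  # not in this node's configured set of peers
            return None
        tag = hmac.new(self._strobed_key(peer), message, hashlib.sha256).digest()
        return (self.name, self.epochs[peer], tag, message)

    def receive(self, packet: Packet) -> Optional[bytes]:
        sender, epoch, tag, message = packet
        if sender not in self.pair_keys or epoch != self.epochs[sender]:
            return None  # unknown peer, or a packet from a previous strobe epoch
        expected = hmac.new(self._strobed_key(sender), message, hashlib.sha256).digest()
        return message if hmac.compare_digest(tag, expected) else None

    def strobe(self, peer: str) -> None:
        self.epochs[peer] += 1

    def terminate(self) -> None:
        """Leave the network: forget every pair key so nothing further is sent or accepted."""
        self.pair_keys.clear()
        self.epochs.clear()


class ServerNode:
    """Generates node-specific configuration with a distinct key for each communicating pair."""
    def __init__(self):
        self.nodes: Dict[str, Node] = {}

    def install_network(self, names: List[str], links: List[Tuple[str, str]]) -> None:
        configs: Dict[str, Dict[str, bytes]] = {n: {} for n in names}
        for a, b in links:
            key = os.urandom(32)  # fresh, and shared only by this one pair
            configs[a][b] = key
            configs[b][a] = key
        for n in names:
            self.nodes.setdefault(n, Node(n)).install(configs[n])

    def reinstall_without(self, lost: str, links: List[Tuple[str, str]]) -> None:
        """Reinstall the network with fresh keys after a node is lost or found compromised."""
        self.nodes[lost].terminate()
        remaining = [n for n in self.nodes if n != lost]
        self.install_network(remaining, [l for l in links if lost not in l])


def strobe_pair(a: Node, b: Node) -> None:
    """Both ends advance the strobe epoch together; packets tagged under the old epoch are refused."""
    a.strobe(b.name)
    b.strobe(a.name)


def demo() -> Dict[str, Optional[bytes]]:
    """Walk the network through normal traffic, a strobe, and removal of a compromised node."""
    server = ServerNode()
    links = [("remote1", "remote2"), ("remote1", "monitor"), ("remote2", "monitor")]
    server.install_network(["remote1", "remote2", "monitor", "robot"], links)
    r1, r2, mon = (server.nodes[n] for n in ("remote1", "remote2", "monitor"))
    out: Dict[str, Optional[bytes]] = {}
    pkt = r1.send("monitor", b"status: clear")
    out["accepted"] = mon.receive(pkt)
    out["unconfigured_peer"] = r1.send("robot", b"status: clear")  # robot is not a peer of remote1
    strobe_pair(r1, mon)
    out["replay_after_strobe"] = mon.receive(pkt)  # old epoch: rejected
    out["after_strobe"] = mon.receive(r1.send("monitor", b"status: clear"))
    captured = r2.send("monitor", b"status: clear")  # taken from remote2 before it was compromised
    server.reinstall_without("remote2", links)
    out["compromised_node_replay"] = mon.receive(captured)  # remote2 is no longer a peer: rejected
    out["after_reinstall"] = mon.receive(r1.send("monitor", b"status: clear"))
    return out
```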


In the case of human interaction with or auditing of a protected asset (e.g., a container) preferably authentication of the auditor is required. In such a case, the authentication could be provided, at least in part, using orthogonal authentication, i.e., at least two independent means of authentication. For example, a first means of authentication could be by entry of user ID and password. A second means of authentication could be by biometric information (or bioinformatics), such as a palm, hand, finger print, retina, or face scan. Orthogonal authentication is discussed in greater detail in Appendix B.


There are several exemplary scenarios in which the technology may be implemented. In a first scenario, a wireless device or devices (i.e., “remote nodes”) may be attached to or embedded in shipping containers. The remote nodes may couple by wired or wireless means to various detectors configured, for example, to detect weapons of mass destruction. The detectors can be located inside the container and distributed as needed to adequately perform their surveillance functions. The detectors can be packaged with remote nodes or external to the remote nodes. The remote nodes are queried by appropriate external monitor systems to determine if the nodes and detectors have sensed weapons of mass destruction or other contraband. One issue to be confronted in such a scenario is that an enemy might attempt to sabotage or reverse engineer the nodes so that they falsely report a safe status, so that the container would pass query by authorities. This scenario is referred to as the shipping container scenario.


In another scenario, wireless remote nodes may be attached to soldiers so that these nodes can be queried on the battlefield to determine whether a person is friend or foe. One issue here is that an enemy might capture the soldiers or the equipment and reverse engineer the wireless remote node, thereby allowing the enemy to masquerade as a friend. Conversely, friendly forces might mistakenly consider a soldier on the battlefield who cannot be authenticated to be the enemy and open fire. This scenario is referred to as the soldier scenario.


In yet another scenario, wireless remote nodes may be attached to equipment such as tanks or airplanes. In such a case, the remote nodes can be queried on the battlefield to determine whether the vehicle is friend or foe. This scenario is referred to as the vehicle scenario.


In still another scenario, wireless remote nodes may be attached to individuals so that the individuals can gain authorized access to a building or an event. An issue to be confronted is that an enemy may capture an authorized individual, reverse engineer the remote node, and gain unauthorized admission. This scenario is referred to as the pass holder scenario.


In each scenario above, the wireless remote node passes through the following stages:

    • (1) A secure stage or stages, where the wireless remote node will be securely provided with cryptographic material.
    • (2) An insecure stage, where the wireless remote node will be subject to attack by an enemy.
    • (3) A stage where the wireless remote node will be able to detect an attack by an enemy.
    • (4) A stage where the wireless remote node will be queried by an external responsible agent (e.g., military or civilian authorities).


Provided in accordance with one aspect of the technology is the ability to detect in stage (4) whether an enemy attack has occurred in stage (3). This goal could be achieved by providing in stage (4) a measure of the probability that an attack has or has not occurred in stage (3). An additional goal in the soldier and vehicle scenarios is to positively identify an unknown person or vehicle as friend or foe. Table 1 shows, for each scenario, a set of secure stages and a corresponding set of attack detection approaches, as examples.











TABLE 1

Scenario                   Secure Stages                               Attack Detection
Shipping Container         Manufacturing plant                         Several devices monitor one another inside the same container
                           Shipping Line premises                      Several devices monitor one another across different containers
                           US Port                                     Other sensors detect WMD
                           US Controlled facilities                    Individual device senses attack against it
Soldier                    Squad room before mission                   Device attaches to body sensor
                           Presence of other soldiers or equipment
                           during mission
Military vehicle or        Before takeoff or before mission            Device attaches to sensors embedded in vehicle.
airplane                   For vehicle, in presence of other           Device attaches to body sensors or devices of occupants
                           soldiers or equipment
Pass holder                From home via telephone.                    Device attaches to body sensor
                           Company facility



Shipping Container Scenario. Each shipping container would contain one or more wireless remote nodes that are configured to communicate internally with one another and externally with other nodes. The remote nodes would include an interface to facilitate coupling to various sensors disposed to detect the presence of illegal conditions within the container. Such detectors could, for example, be embedded in or attached to the container, as could the remote nodes. In addition to sensing the presence of illegal conditions, the sensors could be configured to detect access to the container, whether authorized or unauthorized. Illegal conditions could be the presence of any one or more of dangerous chemicals, biological agents or radioactive materials, explosives, drugs, or the like.


The shipping container will at various times be in facilities that are relatively secure, such as the manufacturing plant or a US Port or US controlled facility. At these times, the remote nodes can be securely provided with cryptographic materials via the Secure Network.


The wireless devices would detect an attack when they sensed prohibited substances or when an individual device sensed that it was being attacked. Several remote nodes could also continually monitor one another inside the container. Adjacent containers could also monitor one another.


Soldier Scenario. The soldier will have a wireless device connected to a body sensor. An attack will be sensed when reports from the body sensor indicate that something is amiss or when the body sensor is removed. A soldier can include a soldier, an airman or any person that formally participates in military missions. Prevention of friendly fire instances is an important goal of the soldier wireless device.


The soldier is in a relatively secure environment in the squad room before leaving for a mission and on the battlefield in the visual presence of other soldiers. At these times, the soldier can be provided with cryptographic material using Secure Network methodologies.


Military Vehicle or Airplane Scenario. The number of friendly fire instances in the Iraq war indicates the need for methods of securely identifying unknown vehicles and aircraft.


The invention described herein can be used to assure identification of vehicles and airplanes over wireless. Of course, in practice on the battlefield, it will be extremely important to have a system that tests that the wireless identification systems are correctly operating immediately before a vehicle or airplane is put into combat.


Pass Holder Scenario. A pass holder is an individual who is authorized to enter a facility or attend an event. The pass holder carries a wireless device which is queried at the point of admission. The pass holder also has a body sensor, possibly a wrist band, to which the wireless device communicates. The wireless device records an alarm when the body sensor is removed or when the body sensor records some other event. The issue with the pass holder is to deliver the cryptographic material in a secure manner.


One possibility is for the pass holder to become authenticated at home before leaving for the event. The pass holder would put on the wrist band, and have the wireless device communicate with a remote authority via wireless or wired network and receive the cryptographic material and then undergo an authentication procedure using perhaps the telephone or a biometric device in his house. This system would allow a large number of individuals to be continually monitored over a large area. It could be combined with on-site biometric devices.


In the soldier and pass holder scenarios, a body sensor is attached to an individual, the individual is carrying a handheld device, and the handheld device talks to the body sensor. If the body sensor is removed or the body sensor detects a trauma, the handheld device records this event in such a way that the handheld device cannot be later reverse engineered to omit the detection of this event. The body sensor, the handheld device, and the installation of the Secure Network assure that when the system communicates with the handheld device it can determine whether the individual carrying the handheld is alive and can authenticate him or her.


Before the individual goes to the battlefield or applies for admission to a facility or event, the individual must be properly set up with a body sensor and a handheld device in some secure and known environment. This could be an assembly of soldiers before being dispatched to the battlefield or some type of telephone verification or other procedure for pass holder admittance.


Once the individual has the body sensor and the handheld device, it is then necessary to locate the handheld device in three-dimensional space. One technology for doing this is to detect individuals passing through fixed screening devices, and querying the handheld device. The screening devices would talk to the handheld devices through some appropriate interface. The fixed screening devices would be appropriate for perimeter protection and building access. As an example, a technology exists for communicating via fluorescent lights (see e.g. www.talkinglights.com). There is also a technology for illuminating devices with light and receiving a response via retroreflection. There are numerous developments of this technology. The point is that once an individual, equipped with the handheld and his or her body sensor, is located in three-dimensional space, we can be assured that the individual is authentic and has not been replaced by the enemy.


This system of securely identifying individuals could be further expanded by developing a network of individuals with body sensors and handhelds inside vehicles which communicate via wireless with remote sensors. This could be used to form a network that would authenticate vehicles entering a facility by authenticating the vehicle and its passengers. There can be a problem of detecting a rogue unauthorized individual inside a vehicle which is analogous to finding a rogue container inside a container pile on a ship.



FIG. 1 is a block diagram of one embodiment of a secure detection system network in accordance with the technology, applied to the shipping container scenario. In this embodiment, the secure detection system network implements the Secure Network in the context of protecting one or more shipping containers, such as shipping container 100. Such shipping containers can be transported by any number of means, e.g., ship, airplane, train, or truck. The secure detection system network includes remote nodes, monitors, and servers, and optionally robots, which all form nodes in the Secure Network.


A remote node, such as remote nodes 102, 104, 106, 108, includes a computer processor and storage having an agent module loaded thereon that causes the remote node to act as part of the Secure Network. In this embodiment, each remote node 102, 104, 106, 108 includes a wireless communication interface. The various communication paths are shown as wireless paths by dashed lines between the nodes. As shown, each node is configured to communicate with each other node, though it is not essential that this be the case. Also, the remote nodes are configured to communicate with at least one monitor 120, robot 130 (if included), and server 140.


Each remote node is coupled to a variety of detectors capable of detecting illegal conditions, such as atomic bombs, chemical and biological weapons, human beings and shielding materials. In FIG. 1, detector 122 is coupled to remote node 102, detector 124 is coupled to remote node 104, detector 126 is coupled to remote node 106, and detector 128 is coupled to remote node 108. Remote nodes 102, 104, 106, 108 are able to receive from the detectors signals indicative of the presence or occurrence of such illegal conditions with respect to container 100. Preferably, the detectors are also configured to detect the occurrence of suspicious activities directed against the remote nodes 102, 104, 106, 108, detectors 122, 124, 126, 128, or container 110.


Preferably, each remote node is housed within a tamper resistant box. Detectors may be included in the same box. Each remote node housed in a tamper resistant box can be coupled to container 110 via brackets 112, 114, 116, 118. The set of detectors may also include detectors capable of detecting attacks against the tamper resistant box. Generally, the various detectors discussed herein are known in the art, and so are not disclosed in detail herein.


The phrase “tamper resistant”, as used herein, refers to a structure that has been hardened against tampering, including reverse engineering, to the extent possible under the state of the art of relevant technologies. Such technologies can include physical measures and detection means, including electrical, magnetic, infrared, logical or other sensory means of protection or detection as well as software methods. The resistance to tampering can be increased by various strategies for deploying the nodes using the Secure Network. “Tamper evident” is considered to fall within the scope of the “tamper proof” or “tamper resistant” concept, in that the tamper resistant box may include means for detecting attempts by an enemy to tamper with it. Ideally, the tamper resistant box will detect tampering before the enemy realizes that the detection has been made. In this case, the box can also act as a decoy. Tamper proof refers to an ideal which, theoretically at least, is unattainable, thus use of “tamper resistant” is generally more accurate.


A robot 130 may optionally be included, and can take the form of a portable computer platform. The robot 130 could, for instance, take the form of a handheld device, remote controlled device, or pre-programmed mobile device. When included, the robot 130 forms part of the Secure Network and is configured as a monitor node. Accordingly, the robot 130 can perform auditing activity, such as counting and identifying containers that either do or do not contain remote nodes. For example, a robot could be deployed before entry and/or exit of a port.


As a node in the Secure Network, robot 130 executes an intelligent agent that configures the robot as a node capable of auditing other nodes in the Secure Network. In a wireless setting, robot 130 includes a wireless communication interface to enable communication with other wireless nodes in the Secure Network.


Like the remote nodes 102, 104, 106, 108, a robot 130 can be enclosed in its own tamper resistant box. In such a form, robot 130 includes detectors suitable for detecting attacks against its own tamper resistant box.


A monitor (or monitor node) 120 forms part of the Secure Network. Monitor node 120 includes a computer processor and storage, and is configured to host and run an intelligent agent capable of configuring the monitor, including installing any downloaded software and files. In the wireless setting, monitor 120 includes a wireless communication interface that enables it to communicate with various servers (e.g., server 140), other monitors, robots (e.g., robot 130) and remote nodes to perform auditing of the Secure Network.


The monitor node 120 may also be configured to detect suspicious activities directed against it. As with the robot and remote nodes, the monitor node 120 may also be enclosed in its own tamper resistant box. If housed within a tamper resistant box, monitor node 120 may also be configured to couple to detectors capable of detecting attacks against the tamper resistant box. Unlike remote nodes 102, 104, 106, 108, the monitor node 120 does not directly couple to container detectors, unless required as part of its auditing function. Rather, the monitor node 120 provides an auditing function with respect to the remote nodes 102, 104, 106, 108 themselves, and can also be configured to audit other nodes within the Secure Network. Therefore, the monitor node 120 can receive and process data from remote nodes indicating an illegal condition or attempt to compromise the Secure Network.


Secure Network server 140 is a computer, possibly located inside a secure United States government facility or a security management facility, which provides overall management of the Secure Network. The Secure Network server 140 is configured to generate software and data files, including initial encryption keys, for each remote node and monitor node. The software and data files (and encryption keys) are specifically generated for each node. Each node can be given an IP address, which provides a means for the Secure Network server 140 to access the nodes via, for example, the Internet and to distribute the corresponding intelligent agent modules (or agents), software and files to each node. For a given node, the agent installs the software and files, allowing the node to enter the Secure Network. In the event that the Secure Network server 140 is housed within a tamper resistant box, then the Secure Network server may also include detectors capable of detecting attacks against the tamper resistant box.


In the preferred embodiment, the technology enables an “active defense”. An “active defense” presumably goes beyond preventing an act that is already underway but either prevents other attacks from occurring or at least identifies a specific attack very early on, before the enemy knows it has been discovered. An active defense contemplates the possibility of capturing or destroying the attackers, including persons who are planning or managing the attack. Monitoring attempts to attack Secure Network nodes provides an active defense.


As is shown in FIG. 2, a plurality of, if not all, shipping containers on a single vessel could include some number of remote nodes. The presence of one or more remote nodes in each container being shipped in a vessel could be made a condition for that vessel entering US Ports (e.g., where the vessel is a ship) or crossing a US border (e.g., where the container is being transported on a truck body or by rail). In FIG. 2, eight containers are shown loaded on a vessel 200. For a first set of containers, container 202 includes remote nodes A-D, container 204 includes remote nodes E-H, container 206 includes remote nodes I-L, and container 208 includes nodes M-P. For a second set of containers, container 212 includes remote nodes Q-T, container 214 includes remote nodes U-X, container 216 includes remote nodes Y-BB, and container 218 includes nodes CC-FF.


The containers can be examined efficiently by the onboard monitor 220 through communication with the remote nodes of each container, while the container is in transit from the foreign point of origin. Such monitoring can determine if any of the containers are storing suspicious materials or are the target of suspicious activities. The remote nodes report to and can be queried by either monitors or servers. The communication path between a remote node and monitor 220 can be direct or via other remote nodes. And the path between remote nodes and server 240 can be direct or via other nodes.


For example, path 222 shows that remote node B can communicate with monitor node 220 via remote nodes E-F-H-N-P. This path can be continued to server 240 via path 242, thereby establishing a path between remote node B and server 240, via remote nodes E-F-H-N-P and monitor 220. Of course, path 242 could also represent communications between monitor 220 and server 240, independent of communications from any remote nodes. Other paths may also be formed for remote node B to communicate with monitor 220. As an example of direct communications, remote node DD is shown communicating directly with monitor 220 via path 224. FIG. 2 also illustrates how a remote node can communicate directly with a server, here remote node FF communicates directly with server 240 via path 244.



FIG. 3 shows yet another configuration of containers on vessel 200. This is a stacked configuration. In a stacked configuration, it can be difficult to maintain a wireless path between each remote node and the monitor node 220, server node 240 and, if provided, a robot (not shown). Also, there may be instances where not every container in the stack includes a remote node. For instance, in FIG. 3, container 210 does not include a remote node. As an example, a communication path between remote node K of container 206 and monitor node 220 would likely not be a direct path, since container 206 is buried in the stack. Therefore, the path may have to go through other intermediate remote nodes, while avoiding container 210. Accordingly, the path between remote node K and monitor node 220 includes nodes L-J-S-T-AA-BB. Other paths could also be formed. To communicate with server 240, the path may also include path 246 between monitor 220 and server 240.


Through querying various remote nodes of containers, containers that do not contain remote nodes can be readily identified by monitor 220 or a robot prior to the ship arriving at its port (e.g., a US port) or the truck or train arriving at a border (e.g., a US border). Shipping containers loaded on a ship can be examined while loading through an intermediary of a monitor 220 and after loading through the intermediary of a robot.


The technology addresses the problem of inserting detection devices into shipping containers in such a way that a determined, sophisticated enemy cannot defeat the system. In the foregoing figures, detectors and remote nodes are provided at the container. However, no doubt, there will be a number of potential strategies for defeating the insertion of detectors and nodes which detect suspicious materials and activities as described above. Such potential enemy strategies may include:

    1. Shield the suspicious materials or activities from the detectors.
    2. Defeat the communication interface so that the interface does not report evidence of suspicious materials or activities reported by the detectors.
    3. Disconnect the detecting devices from the interface.
    4. Surreptitiously load a container that contains an atomic weapon but that does not contain detecting devices onto a container ship.
    5. Overcome the monitors so that they incorrectly report on the status of the devices.


The difficult aspect of the environment is that the detectors, nodes and the communications interface will be in the hands of the potential enemy for some period of time, at least for the period of time necessary to load the container. Also, since the potential enemy is presumed capable of constructing an atomic weapon, the enemy must be presumed able to utilize other advanced technologies suitable for defeating the detectors, remote nodes and interface. Also, if the enemy is conspiring with a disloyal employee of the shipping company, the monitors and the robots could fall into enemy hands.


Of course, there are some advantages potentially available to the side providing the detectors, remote nodes and interface (i.e., the defenders). For example, potential strategies and advantages for defenders include:

    1. Defenders can limit the time the detectors, remote nodes and the interface are in the hands of the enemy, thereby limiting the time available to reverse engineer the detectors or the nodes.
    2. Defenders will understand the defensive systems better than the enemy. Defenders can maximize this advantage by making the defensive terrain more difficult to understand, and by not repeating the same defensive terrain. This means that reverse engineering one interface will not necessarily be helpful for reverse engineering the next.
    3. Defenders can maintain important parts of the system physically secure from the adversary.
    4. Defenders can harden the physical protection around the interface.
    5. Defenders can use detecting devices which detect not only suspicious material but also attacks against the communication interface.
    6. Defenders can use multiple communications interfaces and detectors, which can continuously monitor one another, so that if one is attacked one of the others can report the attack or shut the system down.
    7. Defenders have many opportunities to test the system.
    8. Defenders have many opportunities to employ robots which can be externally controlled from remote secure locations.
    9. Defenders have the ability to continuously monitor each remote node from the moment a shipper begins loading the container until the container arrives at its final destination.
    10. Defenders have the opportunity to mount an active defense such that an enemy can be detected before the enemy realizes it has been detected, thereby allowing the defenders to perform covert surveillance of the enemy's infrastructure.
    11. Defenders can implement orthogonality to significantly reduce the possibility of imposters gaining access to containers, detectors, remote nodes, monitors, or robots.
    12. Defenders can use a secure stage during which they can configure the battle terrain to the defenders' advantage.


A secure detection system network in accordance with the technology is particularly suited to maximizing these advantages for the defenders. The capabilities provided by such a system which are relevant to maximizing the above strategic advantages for the defenders are discussed below.


Generating network components, rapidly installing these components, and auditing the components immediately after installation provides a great deal of security. This generation/installation/audit capability can be utilized to limit the time a remote node is in the hands of an adversary, since this process is so highly automated, and the ability to dynamically configure the remote node presents unknown terrain to a potential attacker.


Strobed encryption allows for exchanging encryption keys every few seconds between nodes in the Secure Network. This capability can be exploited by constructing a system of nodes so that they can all strobe with one another and each can check on whether the other is being attacked. This makes reverse engineering more difficult because the target is continuously changing encryption keys. In this context, if the information is communicated outside to monitor nodes, information previously sent, even if it could be decrypted, is almost useless to a potential enemy. So, breaking one key does not help break the next. The time advantage between detection of an attack and an enemy's realization that detection has occurred represents an opportunity to mount a defense aimed at penetrating an enemy's infrastructure.
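The strobing described above, as an added simulation that is neither the Appendix G procedure nor the project's own code: two link ends step through key epochs in lock-step, every strobe is authenticated under the current key, and a stale, forged or silent peer raises an alarm that a monitor could collect. The interval, the miss tolerance, the message layout and the HMAC-based key update are all assumptions.

```python
"""Simulation of strobed pairwise keys between two Secure Network nodes.
Added illustration only; interval, tolerance and message format are assumed."""
import hashlib
import hmac
import os

STROBE_INTERVAL = 2.0   # seconds between strobes (assumed value)
MISSED_LIMIT = 2        # strobes a peer may miss before it is flagged (assumed)


def derive_next_key(key: bytes, nonce_x: bytes, nonce_y: bytes, epoch: int) -> bytes:
    """One-way key update from the current key and both sides' fresh nonces.
    The nonces are sorted so both ends compute the same value regardless of
    which message they sent. Note: with a pure one-way update an attacker who
    already holds the current key could follow the chain; making a broken key
    useless for the *next* key needs a fresh key agreement per strobe, which is
    outside this example."""
    lo, hi = sorted((nonce_x, nonce_y))
    return hmac.new(key, lo + hi + epoch.to_bytes(8, "big"), hashlib.sha256).digest()


def _mac(key: bytes, epoch: int, nonce: bytes) -> bytes:
    return hmac.new(key, epoch.to_bytes(8, "big") + nonce, hashlib.sha256).digest()


class StrobeLink:
    """One end of a pairwise link. Both ends start from the same server-issued
    initial key (see L556 above) and advance one epoch per successful strobe."""

    def __init__(self, name: str, initial_key: bytes, now: float):
        self.name = name
        self.key = initial_key
        self.epoch = 0
        self.own_nonce = None
        self.last_ok = now      # time of the last strobe that verified
        self.alarms = []        # what this end would report to a monitor node

    def make_strobe(self) -> dict:
        """Emit this epoch's strobe: fresh nonce, epoch, MAC under current key."""
        self.own_nonce = os.urandom(16)
        return {"from": self.name, "epoch": self.epoch, "nonce": self.own_nonce,
                "tag": _mac(self.key, self.epoch, self.own_nonce)}

    def receive_strobe(self, msg: dict, now: float) -> bool:
        """Verify the peer's strobe; on success both ends ratchet to the next key."""
        if msg["epoch"] != self.epoch:
            # A replayed or delayed strobe from an earlier key epoch.
            self.alarms.append(f"{msg['from']}: stale epoch {msg['epoch']} (expected {self.epoch})")
            return False
        if not hmac.compare_digest(_mac(self.key, msg["epoch"], msg["nonce"]), msg["tag"]):
            # Sender does not hold the current key (e.g. holds only an old one).
            self.alarms.append(f"{msg['from']}: bad MAC at epoch {self.epoch}")
            return False
        self.key = derive_next_key(self.key, self.own_nonce, msg["nonce"], self.epoch)
        self.epoch += 1
        self.last_ok = now
        return True

    def check_peer(self, now: float) -> bool:
        """Flag a peer that has stopped strobing (removed, powered off, jammed)."""
        if now - self.last_ok > MISSED_LIMIT * STROBE_INTERVAL:
            self.alarms.append(f"peer silent since t={self.last_ok:.1f}")
            return False
        return True


def strobe_round(a: StrobeLink, b: StrobeLink, now: float):
    """One strobe exchange in both directions. Returns (both_ok, msg_a, msg_b)."""
    ma, mb = a.make_strobe(), b.make_strobe()
    ok_a = a.receive_strobe(mb, now)
    ok_b = b.receive_strobe(ma, now)
    return ok_a and ok_b, ma, mb


def forge_with_old_key(name: str, old_key: bytes, epoch: int) -> dict:
    """Constructed attacker message: a strobe MAC'd with a key that is no longer
    current, to show that breaking one key does not authenticate later traffic."""
    nonce = os.urandom(16)
    return {"from": name, "epoch": epoch, "nonce": nonce, "tag": _mac(old_key, epoch, nonce)}


if __name__ == "__main__":
    k0 = bytes(32)                       # constructed initial key from the server
    a, b = StrobeLink("A", k0, 0.0), StrobeLink("B", k0, 0.0)
    ok, _, mb0 = strobe_round(a, b, 2.0)
    for t in (4.0, 6.0):
        strobe_round(a, b, t)
    a.receive_strobe(mb0, 8.0)                                   # replay
    b.receive_strobe(forge_with_old_key("A", k0, b.epoch), 8.0)  # old key
    a.check_peer(12.0)                                           # silence
    print(a.epoch, a.key == b.key, a.alarms, b.alarms)
```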


The Secure Network can be used to rapidly configure ad hoc networks such that several remote nodes inside a container can be securely linked to one another and to other nodes such as (a) a shipboard monitor which will monitor the remote nodes in all of the containers on board, (b) possibly a monitor which will communicate with the remote nodes while the container is being loaded by the adversary, (c) possibly nodes in other containers, and (d) possibly a robot which will count the containers before the ship is ready to leave port.


One possible application of this embodiment of the technology is discussed below. We will assume the following organizations are involved: (a) a US Coast Guard Control organization located in the United States in a secure location; (b) a shipping company, located in a foreign country, which is known to and certified by the Coast Guard; and (c) a shipper (or seller/distributor) who will load the container with merchandise (or cargo). We assume that the shipper is hostile. We assume that the shipping company is disposed to be cooperative, that is, the shipping company is a substantial, recognized business which has a strong financial incentive to prevent a nuclear attack on the United States perpetrated through the intermediary of one of its containers. However, we may assume that the shipping company has some disloyal employees who personally are hostile to the United States.


We will assume a requirement that a container that does not contain an approved secure detection system is not allowed to enter the United States. Shipping companies who refuse to comply would not be allowed to ship containers into the United States, whether through US ports or across US borders. Shipping companies who want to comply will register with the US Coast Guard for example. As a precondition of being allowed to register, they would agree to undergo a background check, the simplicity or intensity of which would vary company by company.


A description of how the system could operate under this scenario is as follows. The remote nodes and monitors are provided to shipping companies. The remote nodes and monitors are manufactured and delivered in a tamper-resistant state for installation in containers bound for the United States. The remote node could include the detectors within its tamper resistant box. The nodes could come in different classes, depending upon the type of detectors with which the remote node is configured to interface. The class, nature, type, quantity, and capabilities of the detectors configured to couple to a remote node should remain classified and known only to the server node.


The shipper orders one or more containers. For example, the shipper needs a container to ship a particular product to the United States. The shipper arranges with the shipping company for delivery of a container to the location where the shipper will load the container. The shipper and shipping company agree on details such as the size of container desired, when the container will be delivered, the contents of the container, when the container will be ready for pickup, destination, likely weight and so forth.


The shipping company enters an order with Coast Guard. The shipping company is registered with, for example, a container control system established by the Coast Guard. Using a computer and communicating via the Internet, the shipping company connects to the Secure Network server node and inputs the appropriate information regarding the request for a container received from the shipper.


The shipping company initializes remote nodes and monitors to be used by the shipper via the Secure Network server. For example, on the day the container is to be dispatched to the shipper, the shipping company assigns a separate IP address to each of some number of remote nodes, perhaps four, and a monitor node, and also assigns a receptacle number to each remote node assigned to the container.


The server node identifies the remote nodes that should be placed in the designated container based on the nature of the cargo to be shipped, the remote nodes known to be in the inventory of the shipping company, and other factors such as, perhaps, the reputation of the shipper, the country of origin, and so forth.


A shipping company employee then couples the remote nodes and monitor node to the Internet, enters the respective IP addresses and receptacle number for each remote node and requests initialization from the server.


The server generates software and data files necessary to securely network the remote nodes and one or more monitors with the server into a Secure Network, as previously discussed. Additional random procedures can be introduced into the software so that no two remote nodes or systems will appear identical to an enemy attempting to reverse engineer them. The server will also randomly generate initial keys for use when the remote nodes or monitors connect with one another via the Secure Network.


The server will query each of the remote nodes and monitors to check system integrity. The remote nodes and monitor will all have serial numbers in their processors, which previously will have been registered with the server. The server will then automatically download and install software on the remote nodes and monitors which are still in the shipping company's possession or control. When the installation is complete, the remote nodes and the monitors will connect to one another, and immediately begin strobing the encryption keys used between each pair to exchange messages. Strobing is discussed in detail in Appendix G.


The shipping company can perform an orthogonal audit, as more fully described in the Appendices hereof. The installation can, for example, be orthogonally authenticated by the server's downloading a randomly generated number to be displayed on the screen of the shipping company's office computer and then by placing a telephone call to the shipping company's office and having the number on the screen entered through the telephone key pad.


The authentication is valid even if the shipping company employee supervising the installation is personally hostile to the United States or is working for an enemy. This auditing procedure is in conformity with the methods disclosed to audit a node after installation in the Secure Network.
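The two-channel audit just described, as an added example that is not the Appendices' procedure or the project's code: the server issues a random number over the Internet session and accepts it back only on a call it places itself to the office telephone number registered beforehand, once, and within a short validity window. The code length, validity period and the way the telephone leg is simulated are assumptions.

```python
"""Orthogonal (two-channel) audit of a node installation. Added example;
code length, TTL and the simulated telephone leg are assumptions."""
import hmac
import secrets

CODE_TTL = 300.0   # seconds a displayed number stays valid (assumed)


class OrthogonalAuditServer:
    def __init__(self, registered_phones: dict):
        # company id -> office telephone number registered at sign-up (L535)
        self.registered_phones = registered_phones
        self.pending = {}   # audit id -> record of an issued number

    def issue_code(self, audit_id: str, company_id: str, now: float) -> str:
        """Internet channel: the number pushed to the office computer screen."""
        code = f"{secrets.randbelow(10**8):08d}"
        self.pending[audit_id] = {"company": company_id, "code": code,
                                  "issued": now, "used": False}
        return code

    def place_audit_call(self, audit_id: str, now: float, answer):
        """Telephone channel. The server dials the registered office line and
        `answer(number)` simulates whoever picks up keying digits on the pad.
        Returns (ok, reason)."""
        rec = self.pending.get(audit_id)
        if rec is None:
            return False, "unknown audit"
        if rec["used"]:
            return False, "code already used"
        if now - rec["issued"] > CODE_TTL:
            return False, "code expired"
        number = self.registered_phones.get(rec["company"])
        if number is None:
            return False, "no registered office line"
        keyed = answer(number)          # call goes only to the line on file
        if not hmac.compare_digest(rec["code"], keyed):
            return False, "digits do not match"
        rec["used"] = True
        return True, "installation audited"


if __name__ == "__main__":
    srv = OrthogonalAuditServer({"acme": "+1-555-0100"})  # constructed registry
    shown = srv.issue_code("audit-1", "acme", now=0.0)
    # The person at the registered line reads the screen and keys it in.
    print(srv.place_audit_call("audit-1", 30.0, lambda n: shown))
    print(srv.place_audit_call("audit-1", 31.0, lambda n: shown))  # replay
```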


The shipping company installs remote nodes in the container, preferably in numbered, tamper resistant receptacles, perhaps in the four diagonal corners of the container, and delivers the container to the shipper. It would be appropriate to perform another auditing procedure when the remote nodes have been inserted into their appropriate receptacles. The four remote nodes will continue to send messages to one another and to strobe encryption keys with one another. The remote nodes optimally will also remain in contact with a monitor, which can remain in the shipping company's control, and which will remain in contact with the server.


An optimal configuration would enable any remote node to detect attempts to tamper with it or to remove it from the receptacle into which it has been placed. Any suspected tampering could be detected by the remote node and communicated to other remote nodes or to the monitor or monitors to which the remote nodes are connected.


The shipping company then delivers the container to the shipper. The remote nodes and detectors are installed and the remote nodes continue communicating with one another and with a monitor in the shipping company office. The remote nodes should remain connected to a power source. If they are disconnected from the power source this will represent a system violation. As an example, the remote nodes could use some type of a rechargeable battery. Containers provided with power sources have been used in global commerce for many years. These power sources could also provide power for remote nodes.


The shipper loads the cargo into the container. This is a vulnerable situation because the remote nodes are potentially under the control of the enemy at this time and must withstand attacks designed to destroy, deceive, or reverse engineer them. However, if any remote node can detect tampering, it will communicate with the monitor and could be shut down. If tampering is detected, the container will preferably not be loaded on the ship without human inspection, and the matter should escalate so that appropriate police, military, and forensic activities can be initiated with the objective of capturing and prosecuting the persons who performed the tampering.


However, if the tampering can be detected without the shipper being aware that it has been detected, additional measures may be appropriate, namely the provision of additional surveillance and intelligence resources at the site where the container is being loaded and conceivably at the site where the ship will be loaded and at the offices of the shipping company. This would represent an active defense strategy.


Depending on cost and available technology, it would be possible to install various scanning devices in the remote nodes so that the loading of the container could be viewed and monitored. These devices could be important sources of intelligence.


Once the container has been loaded and locked by the shipper, it will be picked up by the shipping company, delivered to the port of departure and then loaded onto the ship.


Prior to loading, the monitor will communicate with the remote nodes in the container, and verify (a) that the remote nodes are in place and have not been tampered with and (b) that they have not detected suspicious materials or suspicious activities. Software on the monitor can also compare the expected weight of the presumed cargo of the container with the actual weight of the container. Containers that exceed their expected weights by some predetermined amount will be subject to opening and visual inspection.


If included, a robot can be tasked to examine the ship before departure. After the ship is loaded and immediately before departure the robot will traverse the ship to inspect each object that could be a container, and verify that each such object is a container equipped with appropriate remote nodes.


The purpose of the robot is to avoid a situation where terrorists, working in concert with port employees and/or employees of the shipper, somehow smuggle an additional rogue container on board. Since this rogue container would not have any remote nodes inside, there would be no way for the monitor to know it is on board or what is inside it.


Prior to departure, the shipping company can install the monitor node in a tamper-resistant holder on the ship. The monitor will communicate with at least one remote node in each container and remain in contact with each container throughout the voyage to the United States. At the same time, the monitor onboard the ship will communicate with the robot (if any), and obtain a count of the number of containers on the ship and a report as to the existence of any containers on the ship that lack remote nodes. Containers lacking remote nodes can be unloaded from the ship and refused shipment until they have been opened and inspected by the shipping company and the port authority. If they are determined to be legitimate containers, the shipping company will install properly authenticated remote nodes before permitting the containers to be sealed and shipped.


After performing the inspection, the robot can be removed from the ship, reinitialized, and be used to inspect the containers on another ship.


A robot can also be used to examine a ship before entry into a US port. When the ship reaches the US port, the Coast Guard will be able to communicate with the monitor on board the ship and will be able to verify that the ship is composed entirely of containers with remote nodes and that no sensor has detected improper materials. The robot could also re-examine the ship to determine that all containers have remote nodes, that is, that a rogue container has not been loaded on board during the voyage.


One method might be to have a robot that remains on board the ship. The robot could be reinitialized automatically and could perform its inspection without the ship having to be boarded by the Coast Guard. A second method is for the Coast Guard to board the ship and bring a robot with them. The robot would be initialized as a node and authenticated when it was on board the ship.


A shipping company could already have appropriate robots or controls on board so that the functions performed by a robot could be performed by controls already on board the ship. In this case, it would be appropriate to integrate the monitor with on board system controls in an appropriately secure manner.


If any remote nodes have found suspicious materials, the corresponding containers would need to be inspected. Containers without remote nodes, or with remote nodes that have ceased to function, will need to be inspected.


In cases where a ship uses holds to store loose cargo, one or more remote nodes could be placed inside such holds. The hold could be treated as a container. The hold is typically bigger than a container, although individual items of cargo in the hold are usually smaller than items loaded into a container, and, therefore, would generally be less capable of providing shielding against detection of suspicious materials.


Containers seeking to enter the US by truck or by rail can be held to the same requirements. That is, they could be required to contain remote nodes which could be examined by a monitor prior to being permitted US entry.


The remote nodes can be manufactured and shipped to include detectors in their tamper resistant containers. What detectors are actually located in a specific remote node should remain highly classified, since that information would aid those interested in defeating the nodes. The detectors that are introduced into any specific container should depend on the cargo that the shippers claim will be shipped. The decision as to which remote nodes should be installed into a container should be made by the server based on information which only it has.


Given a specific set of detectors in a remote node, the values which the detectors will look for should be dynamically configured by the server immediately before the container is shipped. This is essentially an arms race, wherein as the enemy becomes more sophisticated in ways of shielding bombs the detectors are improved to overcome the shielding. It is assumed that, whatever the current state of detection and shield technology, detection can be improved by getting detectors inside the container. Also, deploying an inside-the-container detection system provides an additional layer of protection that augments and backs up whatever detection is possible from satellites or other out-of-the-container scanning methods.


To the extent that these detectors could be mounted on chips and built into a circuit board, more detectors could be deployed more inexpensively. Indeed, there is some discussion in the literature as to the need for scanning large areas of the earth with broad area passive sensors and then focusing on potential targets with narrowly focused active sensors. Presumably, if one could get close enough to the potential target, the need for broad area sensors would be lessened and the detecting ability of more narrowly focused sensors would be greater.


For example, considerable protection could be achieved if each remote node contained one or more Geiger counters and/or other detectors and possibly a way of detecting if the remote node were moved from its brackets. Just beating this system would require time and design on the part of potential enemies. Buying time is important because in the meanwhile perhaps the bomb manufacturing plant could be discovered and destroyed. Perhaps better sensors could be developed which could then defeat any improved shielding the enemy had developed. In any event, the Secure Network provides a significantly higher degree of security than might otherwise be available.


One of the strategies of the secure detection system is to limit the ability of the enemy to experiment with the detectors. A second, somewhat related strategy, is to detect an attack on the remote nodes before the enemy knows that it has been detected, thereby pinpointing the existence and location of enemy facilities. It is possible using a system that includes the Secure Network with detectors to detect attempted enemy attack before the enemy knows that his attack is detected. This actually represents an active defense.


Detecting an enemy attack before the enemy is aware that the attack has been detected has many important possibilities, such as militarily raiding the location where the container is being loaded, adding additional intelligence gathering capability to that particular site and so forth. Of course a shipper who attempts to attack a remote node or to surreptitiously ship weapons should not again be allowed to ship containers to the United States.


The detecting strategy can be improved to correspond to the cargo which the shipper claims will be present. The system proposed in this invention is particularly well suited to dynamically modifying the detection strategy to suit the proposed cargo. In the first place, the decision as to which remote nodes are selected to be included in the container can be dynamically made, by the server, at the moment the remote nodes are prepared for subsequent insertion in the container. Secondly, the detection strategy that will be used by the remote nodes, given a specific set of detectors, can be dynamically configured at this moment. The selection of the remote nodes and detectors, and the configuration of the detection strategies, can be made on the basis of information available only to the server.


Certain cargoes might be of such a nature that it would be impossible to determine whether a bomb was hidden inside, in which case these cargoes would require manual inspection. Examples of such cargoes could be the legitimate shipment of nuclear materials or legitimate shipment of nuclear shielding materials.


It is also potentially important to assure that the detectors remain located at both ends of the container rather than, say, being moved to one corner. But, this can be a function of the detectors' range and density of the cargo loaded in the container. The detectors may be located in the same box as the remote nodes, or in other embodiments detectors could be external to whatever box holds the remote nodes. There are a variety of methods of determining where the remote nodes are in the container and also of detecting any attempts to relocate them while under the control of the shipper. However, it is important to detect movement of the remote nodes from their original position. In the first place, movement of the detectors can be evidence of an attempt to attack the remote nodes, particularly when they are in the same tamper resistant box. Secondly, movement of the remote nodes may impair the ability of any enclosed detectors to detect suspicious materials.


The technology is structured so that actions taken by human beings can be independently verified by other means. Since the system does not rely on any human action that cannot be separately verified it can therefore be orthogonally secure.


APPENDIX A
Secure Network & System Overview

A Secure Network in accordance with the technology is composed of nodes, which can be objects that run as threads and which are capable of securely connecting to other nodes and of interfacing to a wide variety of other computer executables and libraries running on Windows or UNIX.


Strobed encryption is the procedure for dynamically changing encryption keys every 30 to 60 seconds, for example. The details of one implementation of strobed encryption are provided in Appendix G. The parties begin with randomly generated startup or initial keys, which are hidden from everyone, including the parties themselves. By contrast, key exchange protocols such as EKE or Kerberos start with only a remembered password and have no mechanism for changing keys during a particular session. Strobed encryption in accordance with the technology depends on other technologies of the Secure Network, such as automatic network generation, automatic installation, orthogonal authentication (see Appendix B) and audit, and data packaging (see Appendix C). The Secure Network uses only encryption primitives that are public, standard, and tested. New encryption primitives can be added as they become available.


Packaging, as used in the Secure Network, is an object-oriented framework for creating and compressing packages suitable for use over TCP/IP. The packaging framework includes an Item class, which allows derived objects to model virtually any data format, and to apply compression on a field by field basis. Items and packages can be inserted into and extracted from packages and packages can be inserted into warehouses, which are disk resident files. The Secure Network uses its packaging methodology for general data transport and for storage and transport of encryption keys.


The Secure Network has a network generation program, which automatically generates configuration information needed to install a node. This program randomly generates the startup keys for all nodes. These keys will strobe immediately after the first connection. The network generation program also builds the executables and dynamically embeds randomly generated keys into the executables. See Appendix D.


The Secure Network has an installation procedure which permits automatic installation of an entire network or parts of a network and allows for orthogonal audit and authentication of every network node, discussed in Appendix E.


Nodes in the Secure Network connect to other nodes using TCP/IP. Nodes can directly connect to some arbitrary number of nodes. By connecting nodes going through intermediate hops, an arbitrarily large Secure Network can be constructed. As an example, the node can be modeled in C++ as a class derived from a node thread class. The node class is inserted into an executable or a COM object by means of a pointer. The node class has an embedded package, and this package contains the information generated by the generator which allows the node to connect to other nodes.


The process that manages a node can do other things. For example, database servers can be nodes. A process that runs a browser can be a node. Intermediary routers that are used in a massive Secure Network can be nodes. (See Appendix F). The network diagram of the massively scalable Secure Network (see FIG. 4) shows some 27 different nodes. Each node has a different number, which is located in the lower right hand corner of the box on the diagram.


The server has a generator program, which, using a template, supplies all of the values needed for the various nodes in a Secure Network to connect to one another. The formal, exact definition of a node is that a node is an object created by the generator, which has the characteristic of being able to connect to other nodes. To define the relationship between a process and a node, at least one process is required to manage a node, although a process could manage more than one node.


There appear to be three unstated implicit assumptions in the present security system practice and the current security literature that are not followed in the Secure Network system. These assumptions are (1) that one cannot look to verify the identity of the other side; (2) that one cannot frequently reinstall the network; and (3) that one cannot frequently rebuild the network or the software. It would appear that these assumptions have constrained approaches to the security problem so as to make the solution more, rather than less, difficult. Usually, of course, constraining a problem leads more readily to a solution, but in this case it appears to be the other way around.


Assumption One: No looking. The first assumption is that, when authenticating humans, one cannot go and “look” to see and verify the identity of the person at the other end of the connection. Using orthogonality the Secure Network system goes and “looks” (using biometrics, physical facilities, human audit, telephones, cross checking with other databases, and business procedures) to “see” that the person on the other end of the connection is actually who he/she claims to be.


Corollary to Assumption One: Only verify once per day. There appears to be a corollary to the “no looking” assumption, i.e. that once you have verified the person on the other side, it would be unseemly to verify her again, at least that same day. As we have indicated, the Secure Network system is capable of (and interested in) verifying that person's identity many times per day.


Assumption Two: No reinstallations. Assumption two, which the Secure Network does not accept, is that installation is something that happened in the past and will not happen again for many months. Since the procedure can be automated and because it is easy to accomplish, the Secure Network is designed on the principle that critical applications will be installed and orthogonally authenticated frequently, e.g., every morning. The principles of the orthogonal authentication have been outlined herein, as have the principles of automatic installation.


It may be argued that reinstalling critical applications would overtax corporate computing resources. However, a large organization typically will have most of its employees working during a single daytime shift, and it will have computers available to support that work during that shift. During off-shift hours, under this assumption, unused computing resources are idle. The Secure Network can install a crucial application in a few seconds, so there is no significant impact to a large network.


It may be argued that daily reinstallation would be expensive. However, automatic reinstallation every morning saves organizations time and money. Conversely, manual installation is an inconvenient, time consuming, expensive, insecure, and error prone process. A new manual installation is usually required for each new client for a major system. A manual installation might cost, for example, $10,000 for a system installed in a foreign country. By assuming that all critical systems will always be automatically installed, a company would eliminate ever doing a manual installation, and thereby avoid the costs of manual installations.


Another important aspect of machine generated automatic installation of applications is that it takes installation out of the hands of system administrators, who, if they are corrupt, may install software which is not allowed. While reinstalling, the Secure Network installation procedure will destroy possibly infected examples of its own software. While reinstalling, the Secure Network will check for other examples of unauthorized software.


Assumption Three: No rebuilding. A final assumption, not accepted by the Secure Network, is that the code build and network configuration is something which happened in the past and will not happen again for many months. If frequently reinstalling, the software and network can be rebuilt at the same time. The advantage of rebuilding is that the Secure Network can randomly generate new keys and embed these keys in the executables. Also, the Secure Network can build new network connections, so can randomly generate keys for each connection, and randomly change IP addresses.


As long as rebuilding, it would be appropriate to check the source code for hidden back doors, and to verify that the source code has not changed.


One effect on system design of abandoning these assumptions, i.e., that one cannot verify identity by “looking” and cannot reinstall or rebuild executables and networks daily, is that there is no need for digital certificates. By eliminating these assumptions, the Secure Network is able to provide each node pair with starting session keys and one-time pads in each direction. A one-time pad is advantageous because it requires only an XOR to encrypt, which means that encryption is very fast. After the initial startup, the Secure Network immediately changes all of these keys through strobed encryption.


APPENDIX B
Orthogonal Authentication

Orthogonal authentication as implemented within the context of the Secure Network strengthens security by requiring multiple inputs from unrelated sources as a constant check on security decisions. Orthogonal authentication also eliminates the need for digital certificates and extends security procedures into the machine layer so as to mitigate the potential failings of human guards.


As an example, the problem that digital certificates are designed to solve is to determine whether the person on the other end of the connection is Alice or some imposter such as Eve. Assume that Alice is a person with sufficient authority to access computer networks that would enable her, if she were so inclined, to perform some devastating action, such as crashing a NASA mission, siphoning off enough money to put a bank out of business, releasing nuclear materials to terrorists or loading weapons of mass destruction into a container. If we know Alice well, and we do want to know Alice well or else we will not admit her to our network, we find that she has many characteristics that can be verified. Alice works somewhere, for example in Building 302 in Acme Complex in Anytown, AnyCountry. Assume that Acme Complex has installed a facial scanner at the building entrance. If Alice has not successfully passed through the facial scanner in Building 302 today, or if she has already left the building, a person on the other end of the connection seeking access is not Alice.


Further assume that Alice works in Room 412, and that there is a hand geometry scanner at the entrance to this room. If Alice has not successfully passed through the hand scanner in Room 412, the person on the other end of the connection is not Alice.


Further assume that Alice has a specific workstation in Room 412, and that she has a fingerprint scanner on her desk. If Alice's fingerprint has not successfully passed that fingerprint scanner, the person on the other end of the connection is not Alice.


Further assume that Alice has a telephone on her desk. If we call that number, and no one answers, or the person who answers does not pass a voice print scan, we can say that the person requesting access to our system is not Alice.


Further assume that Alice has a supervisor named Bob. If we contact Bob to verify that the person at Alice's desk is Alice, and he fails to do so within some period of time, we may conclude that the person at the other end of the connection is not Alice.


We can call Alice at various times during the day, and have Bob audit her to determine that the person at the other end of the line is still Alice. Also, we can be notified by the hand scanner when Alice leaves Room 412 and by the facial scanner when Alice leaves the building. We can even require Alice to put her finger in the fingerprint scanner every few hours. So we have a variety of strategies to verify that it is still Alice who is at the other end of the connection.


These strategies are “orthogonal” in the sense that, for Eve to be accepted as Alice, Eve will have to beat multiple unrelated systems and corrupt unrelated people. All of these strategies are more powerful and reliable than the fact that at some point in the past Alice has been issued a digital certificate. First, the fact that a digital certificate is properly presented does not conclusively prove that Alice is at the other side of the connection. The certificate could be stolen or phony or someone else could be sitting at the computer where the certificate was installed.


Second, digital certificates can be stolen. Third, if someone can steal the secret key, the digital certificate can be remanufactured at will. Since the key can be stolen through copying, the theft of the key may not be detected for months. Fourth, a digital certificate has a lifetime and therefore a vulnerability of approximately six months, during which time it could be stolen or broken. A security device with a long period of vulnerability is not an optimal situation. For example, the digital certificate has such a long lifetime that a terrorist could defeat the digital certificate in some way and still have time to defeat another system such as a biometric device. Fifth, digital certificates are often issued by third party authorities, which means the organization has to rely on the security of a third party it does not control.


With the exception of Bob's audit of Alice, the orthogonal authentication procedures do not depend upon on-the-spot decisions made by human beings. The procedures described above will work as well at 4:00 pm in the afternoon, when humans become tired, as they worked at 8:00 am in the morning, when humans are alert. The procedures will work the same way whether Alice is a clerk or is the CEO. Bob is primarily called upon to perform the audit. His only “decision” is to determine whether the person sitting at the desk is Alice or not Alice.
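
As an added example (not code from the application), the checks above expressed as a single decision over a constructed log of what each source reported; the source names, event shapes and freshness windows are assumptions:

```javascript
const HOUR = 60; // times are minutes since midnight, a constructed convention

// Constructed log of what each independent source saw today (assumed names).
const EVENTS = [
  { src: 'facial:Building302', who: 'alice', kind: 'enter',   t: 7 * HOUR + 55 },
  { src: 'hand:Room412',       who: 'alice', kind: 'enter',   t: 8 * HOUR + 2 },
  { src: 'fingerprint:desk',   who: 'alice', kind: 'pass',    t: 8 * HOUR + 5 },
  { src: 'phone:voiceprint',   who: 'alice', kind: 'pass',    t: 8 * HOUR + 6 },
  { src: 'supervisor:bob',     who: 'alice', kind: 'confirm', t: 8 * HOUR + 10 },
  { src: 'hand:Room412',       who: 'alice', kind: 'leave',   t: 12 * HOUR },
];

// Most recent report from one source about one person, at or before `now`.
function latest(events, src, who, now) {
  return events
    .filter((e) => e.src === src && e.who === who && e.t <= now)
    .sort((x, y) => x.t - y.t)
    .pop();
}

// Each check reads exactly one source, so the checks are unrelated to one
// another. The freshness windows are assumed values.
const CHECKS = [
  ['facial scanner: entered Building 302 today and has not left', 'facial:Building302',
    (e) => Boolean(e) && e.kind === 'enter'],
  ['hand scanner: entered Room 412 and has not left', 'hand:Room412',
    (e) => Boolean(e) && e.kind === 'enter'],
  ['fingerprint: passed within the last 4 hours', 'fingerprint:desk',
    (e, now) => Boolean(e) && e.kind === 'pass' && now - e.t <= 4 * HOUR],
  ['telephone: answered and passed voice print', 'phone:voiceprint',
    (e) => Boolean(e) && e.kind === 'pass'],
  ['supervisor audit: confirmed within the last 8 hours', 'supervisor:bob',
    (e, now) => Boolean(e) && e.kind === 'confirm' && now - e.t <= 8 * HOUR],
];

// Orthogonal decision: every source must agree, so a single failing source is
// enough to conclude that the person on the connection is not Alice.
function stillAlice(events, who, now) {
  const failed = CHECKS
    .filter(([, src, ok]) => !ok(latest(events, src, who, now), now))
    .map(([name]) => name);
  return { ok: failed.length === 0, failed };
}
```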


APPENDIX C
Data Packaging

The Secure Network system sends Secure Network packages directly over TCP/IP. A package is an object which will turn itself into a stream and unpack itself from a stream. A stream is a set of bits that can be sent over TCP/IP. The Secure Network packaging software also contains an Item class. Objects derived from the Item class can model any data format. Items can be inserted into and extracted from packages. Through the use of virtual functions, a package can insert and extract a derived Item which it has never seen before.


The advantage of the Item class is that one can develop specific data formats for specific purposes, and also that compression can be applied at the Item level for data that is highly repetitive. Items can contain longs, integers, bytes, bits, strings, and streams. Packages can be inserted into and extracted from packages. Packages have their own compression methods. Keys are typically generated inside Items as streams; items are inserted into packages, the package is compressed, and then encrypted with another key. No keys are stored in the clear. Keys are generally not stored on disk, and certainly not on the same disk where the files they encrypt are located.


The Secure Network can contain warehouses. A warehouse is a file into which packages can be inserted and extracted. Packages are always compressed and usually encrypted. Warehouses permit fast searches for packages.


The compression ratio for a package depends on the type of data that is inserted. Keys and random numbers are changed but not made smaller after compression. Certain other types of data can be compressed up to 10 times. Packages are also used to send application data and for key strobing. Any data loss or alteration will render the entire package unusable and unrecoverable and therefore immediately noticeable.


APPENDIX D
Network Generation

The Secure Network generator generates all of the executables and data files necessary to start a process at a particular IP address, and is usually executed on the Secure Network server. Most of the data files are Secure Network warehouses, which store packages encrypted with a hard key, just randomly generated, which is embedded within the executables.


The Secure Network generator generates network parts from a template. The generator is critical for implementing strobed encryption and for extending the Secure Network system back through system design, testing and build. By putting the template and the generator under orthogonal audit control, control over who can design, build, test, and install a given network and who approves the design is possible. As part of each build, the source code is checked for network calls other than through the Secure Network API and for hidden back doors by other methods.


By generating network parts immediately before the node is installed, the Secure Network can provide start up keys that are only minutes old. If 10,000 employees in a large facility were due to access the computer facilities at 8:00 AM, a portion of the network generation might occur half an hour earlier. The last operation to occur would be the generation of the startup keys, which could be arranged to be within minutes rather than hours of the time a node was downloaded and installed.


APPENDIX E
Network Installation

Network installation means delivery of software and data files to a particular computer, starting a process to manage each Secure Network node on that computer, and providing some type of orthogonal authentication when the nodes have begun to connect. Nodes know all of the other nodes to which they are allowed to connect. When a node is started by a process, it automatically connects with all other allowable nodes with which it can establish a TCP/IP connection, and immediately begins strobing encryption keys. A node has available to it an initial set of encryption keys for each allowable connection.


Under the preferred installation procedure, the generator delivers the node files to a Secure Network database, and then creates a self-executing file called an intelligent agent. The intelligent agent is downloaded to a target site or device. When it is run, it knows how to connect to the database, and downloads and installs the files from the Secure Network database. This has a number of advantages. One advantage is that only the agent knows how to find the installation database. This is a prevention against denial of service attacks. It is difficult to conduct a denial of service attack against a database which is hidden. Secondly, this design facilitates a single installation at a known site. The agent knows where it is supposed to be, and if it is not where it is supposed to be, will not work at all. The database knows that a given agent is allowed to install only once, so if the same agent tries to install twice, something is wrong. This use of the agent might alleviate the need to telephone a password to the target site, although perhaps it is not a bad idea to add this embellishment anyway.


Other safeguards are programmed into the Secure Network node that is the target site. A Secure Network node listens on a port/IP address which has been randomly generated seconds before the installation and which is never made public; the node only accepts one connection to any other node; it knows what it is supposed to be listening for and can determine a fraudulent connection immediately if the IP address is wrong and after a single packet exchange, if the keys are wrong.


If a package is not correct (it cannot be decrypted, or after decryption, it cannot be inflated, or the check digit is wrong, or it cannot be unpacked), the package is rejected, and after a small number of such packages, the connection is closed.


If, despite these precautions, an intelligent agent were to be stolen, and installed fraudulently and it managed to connect successfully to the Secure Network server, the problem would become immediately apparent, if the installation needs to be orthogonally audited before any data is permitted to pass over the new connection. Also, when the real node attempted to install, the problem would again be obvious because the Secure Network permits only one connection between nodes. The optimal procedure is to generate the software for a node, install the node, and audit it within a matter of minutes.


From the point of view of an employee, this procedure might be as follows: the employee enters the building, passing through a biometric device such as a facial scanner or hand scanner; the employee enters his or her work area, passing through another biometric device. The employee turns on his or her computer, and uses a fingerprint scanner located on his or her desk. A minute later the telephone rings and the employee answers it. The computer then admits the employee to the applications on the network he or she is authorized to use.


APPENDIX F
Massively Scalable Secure Network

The Secure Network can connect two nodes or dozens of nodes, or even thousands of nodes. A portion of a massively scalable Secure Network architecture is shown below in FIG. 4. Under the architecture, the Secure Network has two parts. One side is used for strobing and the other side for sending application data. The top level node, node 1, controls which side is used for strobing and which side is used for sending data. After a strobe on one side is completed, and after waiting for some amount of time, node 1 sends messages so that the side previously used for strobing is now used to send data, and the side previously used to send data is now used for strobing. The amount of time after completion of a strobe on one side is dynamically configurable and can be used to control the amount of resources used by the system.


Under this architecture, any two nodes can be directly connected; otherwise nodes connect to nodes by going through various intermediary hops. The design possibilities are very flexible. As a package passes through the hops, it is protected by end-to-end strobed encryption, in which the keys strobe between the node at which the package originated and the node that is its destination.


Application nodes have been arbitrarily numbered in sequences beginning with 32261 and 65441 in order to illustrate a hypothetical network of approximately 10,000 application nodes. Nodes at indenture levels 0 through 4, that is all nodes with numbers less than 9999, are router nodes. The system has two separate networks of router nodes, a system with positive numbers and a system with negative numbers. Nodes at indenture level five can communicate by sending packages through either side of the network. Nodes can also be directly connected with one another. For example, 32262 directly connects with 65447.


APPENDIX G
Strobed Encryption

Strobed encryption is a proprietary protocol which changes both asymmetric and symmetric keys periodically. A strobe occurs at the moment a connection is made and then periodically thereafter.


The First Exchange


The first strobing exchange starts with a set of keys that are present on network installation. Network keys and all files and software needed to connect to nodes are generated automatically by the Secure Network generator and downloaded through one of the Secure Network installation methods.


For example, suppose that we want to connect nodes A and B under the Secure Network. Go through the following steps.

    • 1. Generate the software and software files necessary to connect A and B, including symmetric keys needed to encrypt data between A and B. At the present time, use a 448 bit Blowfish key and a one-time pad of 2000 or more bytes. The generator randomly generates two sets of keys, one set for each direction, for each connection.
    • 2. Download the software to the computers on which A and B are to be located. (For this example we are assuming that A and B are to be located on different computers). There are several ways of doing this, as explained below.
    • 3. Start the process managing the connection. The nodes will automatically connect when the other side comes up assuming that the two processes are connected via TCP/IP.
    • 4. The two connections will immediately strobe all encryption keys.
    • 5. Audit the connection.
    • 6. Continue to strobe every so often, maybe every 30 seconds.


The time between generating the network parts and the first connection could be only a few minutes. Immediately the node will be “audited” by being orthogonally authenticated in some way. If someone in the minute or so between the generation of the A/B connection parts and the real installation of A and B, could steal all of the parts to make the A connection, and could install A, and spoof the IP address, and could somehow connect to B, and do the first strobe, when it comes time for the actual A to connect, B will not connect a second time to A. It will become immediately obvious that something is wrong. The Secure Network is designed so that only one connection between two nodes is possible.


Details of One Example of Strobed Encryption


This is an example of strobing as currently implemented.


Notation:

    • [ ] is a compressed ANGEL package;
    • { } refers to a non-compressed ANGEL package.
    • (key) means encrypt what is to the right with key.
    • , a comma separates packages and items that have been inserted into a package.
    • Index means an item that usually appears at the front of the payload package.


A package is a C++ object which is capable of turning itself into a stream suitable for transport over TCP/IP and of recovering itself from a TCP/IP stream. The package is also a container into which other packages can be inserted and from which other packages can be extracted. Items can also be inserted into and extracted from packages. Extraction from and insertion into a package is only possible if the containing package is non-compressed. Compressed packages can be inserted into and extracted from non-compressed packages. An Item is a C++ object which, through derivation, can model any data format. Packages have their own compression methods. It is also possible to selectively compress data as the data is added to an item.


Initial keys are first generated. In the preferred implementation, the following initial keys are generated for encrypting packages sent between two sides of a TCP/IP connection. These keys are already installed either by the installation program or by the previous strobe. Strobing involves randomly generating and changing these keys. The initial keys include:

    • eout Blowfish 448 bit key to encrypt outbound packages
    • kout one-time pad (2000 or more bytes) to encrypt outbound packages
    • ein Blowfish 448 bit key to encrypt inbound packages
    • kin one-time pad (2000 or more bytes) to encrypt inbound packages


Package encryption is also used. The package actually sent over TCP/IP is referred to as the payload package. This package consists of an Index item plus some number of other packages and items.


The Strobe sequence is as follows:


State0

    • State0 is the initial state after two nodes have been installed.


Node A

    • (1) Create keys:
    • sA RSA secret key.
    • pA RSA public key.
    • (2) Prepare a payload package and send it to the other side:
    • kout(eout([Index, pA]))


This notation indicates that we have inserted Index, and pA into a payload package, which is compressed, and then encrypted first with eout and then with kout. We only use as much of kout as is necessary to XOR the payload package. If we used up kout before we have a chance to do another strobe, we are forced to commit the cryptographic sin of reusing some part of kout. However, we can avoid this problem by making kout large enough for potential needs.


Node B

    • Node B listens for a connection.


State1


Node A

    • Node A waits for a response from Node B.


Node B

    • (1) Extract pA from the incoming data stream.


Node B decrypts the incoming stream with kin, then with ein, then inflates the package. The package will now be {Index, pA}, that is, a non-compressed package containing two objects: an Index object and the public key from Node A, pA.


kin and ein are identical to kout and eout used on the connect side. If this is the first strobe, this match up will be performed by the generator and the installation procedure. If this is an ongoing strobe, this match would have been performed by the previous strobe.

    • (2) Generate keys:
    • eB Blowfish 448 bit key
    • sB RSA secret key
    • pB RSA public key
    • kB One-time pad
    • (3) Make the payload package and send it to the other side, still under the current eout and kout:
    • kout(eout([Index, pA ([eB, kB, pB])]))
    • (4) Install new keys as follows:
    • eB as eout
    • kB as kout (kB is the pad Node B will use for its outbound traffic; Node A installs the same pad as its kin in State2)


State2


Node A

    • (1) Decrypt the incoming package with the current kin and ein, and extract pA ([eB, kB, pB]). Use sA to decrypt [eB, kB, pB]. Decompress and extract eB, kB, and pB.
    • (2) Generate keys:
    • eA Blowfish 448 bit key
    • kA A one-time pad
    • (3) Make and send the payload package to the accept side, still under the current eout and kout (Node B cannot yet decrypt anything under eA or kA, because it learns both from this package):
    • kout(eout([Index, pB([eA, kA])]))
    • (4) Install:
    • kA as kout
    • kB as kin
    • eB as ein
    • eA as eout


Node B

    • Node B waits for a response from Node A.





State3


Node A

    • Node A waits for a response from Node B.


Node B

    • (1) Decrypt the payload package with the current kin and ein, inflate it, and extract pB ([eA, kA]).
    • (2) Use sB to decrypt ([eA, kA]).
    • (3) Install:
    • kA as kin (kA is a one-time pad, so it takes the pad role; it matches the kout Node A installed in State2)
    • eA as ein
    • (4) Send a notification message to Node A under the newly installed keys.





State4


Strobing is complete, and nodes A and B may now begin transmitting data to each other encrypted using their respective kout, kin, eout, ein keys.


Use of the One-Time Pad


In one embodiment, the Secure Network system can send a one-time pad encrypted with other one-time pads and other session keys. If an enemy were to attempt a brute force attack on encrypted “text”, when the enemy had guessed the correct method of decryption, the enemy would realize that it had succeeded because the encrypted text would be plaintext and identifiable as such. However, applying a brute force attack to recover an encrypted one-time pad is more difficult because of the problem of distinguishing between a correctly and incorrectly decrypted one-time pad. The one-time pad is merely a sequence of random numbers. The “correctly decrypted one-time pad” can only be identified as correctly decrypted when it is applied to some cipher text and produces something recognizable as plaintext. Under the Secure Network system, the cipher text that can be used to identify a correctly decrypted one-time pad will not be sent until later, so at the very least a brute force attack cannot be successfully implemented against the one-time pad until the plaintext is sent.


The problem that the one-time pad must be as long as the message is real; however, we have methods for strobing the one-time pad on one channel while sending messages on the other. For continuous encryption there is a danger of running out of the old one-time pad before a new one arrives. The one-time pad cannot be reused. However, many applications do not require continuous encryption, and if you want to send a smaller amount of data and encrypt it as fast as possible, a one-time pad is very rapid. For example, a radar looks at the sky and sees nothing for days at a time. Suddenly something appears.


It would be appropriate to use a one-time pad to transfer that small amount of critical data. Many applications, such as, for example, money transfer, send relatively tiny amounts of data interspersed with relatively large periods of inactivity. For these applications, there is a relatively small danger of running out of a one-time pad.


Of course, if the application does run out of the old one-time pad, in the time before the next one-time pad arrives, the application has to use other encryption methods and must not reuse the old one-time pad.
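The pad-handling rules stated above (consume only as much of kout as the payload needs, never rewind, and fall back to another cipher rather than reuse pad bytes once the pad is exhausted) are easy to get wrong in practice. The following is an added example, not code from the patent or from the Secure Network system it describes. It implements only the one-time-pad layer and the compress-then-encrypt order of the kout(...) notation; the Blowfish (eout/ein) layer is omitted, and the "other encryption methods" the text mentions are represented by a caller-supplied fallback callable. Pad generation with os.urandom stands in for the installer or previous strobe.

```python
import os
import zlib


class PadExhausted(Exception):
    """Raised when fewer unused pad bytes remain than the payload needs."""


class OneTimePad:
    """Consume a shared pad strictly left to right; no byte is ever reused.

    Both ends hold identical pad bytes. The sender's kout and the receiver's
    kin advance in lockstep as long as packages are processed in order.
    """

    def __init__(self, pad: bytes):
        self._pad = pad
        self._used = 0  # index of the first unused byte; only ever increases

    @property
    def remaining(self) -> int:
        return len(self._pad) - self._used

    def apply(self, data: bytes) -> bytes:
        """XOR data with the next len(data) pad bytes and retire them."""
        if len(data) > self.remaining:
            # Refuse rather than wrap around: reused pad bytes turn the pad
            # into a repeating key, and XORing two ciphertexts then cancels it.
            raise PadExhausted(
                f"need {len(data)} pad bytes, only {self.remaining} left")
        segment = self._pad[self._used:self._used + len(data)]
        self._used += len(data)
        return bytes(a ^ b for a, b in zip(data, segment))


def generate_pad_pair(length: int):
    """Return (kout, kin) sharing one fresh random pad (assumption: in the
    text the pad comes from the installer or the previous strobe)."""
    pad = os.urandom(length)
    return OneTimePad(pad), OneTimePad(pad)


def seal_package(payload: bytes, kout: OneTimePad) -> bytes:
    """Compress first, then pad-encrypt, so pad consumption is bounded by the
    compressed size rather than the raw payload size."""
    return kout.apply(zlib.compress(payload))


def open_package(blob: bytes, kin: OneTimePad) -> bytes:
    """Mirror of seal_package: pad-decrypt, then inflate."""
    return zlib.decompress(kin.apply(blob))


def send_with_fallback(payload: bytes, kout: OneTimePad, fallback):
    """Use the pad while it lasts; when it runs out, hand the compressed
    payload to `fallback` (another cipher) instead of reusing pad bytes.
    Returns (method, blob) so the receiver knows which path was taken."""
    try:
        return "otp", seal_package(payload, kout)
    except PadExhausted:
        return "fallback", fallback(zlib.compress(payload))
```

Because `apply` checks the remaining length before consuming anything, a refused payload leaves the pad offset untouched, so the next smaller package can still use the pad. The receiver must apply the same ordering of packages, which is why the text strobes a fresh pad on a separate channel rather than interleaving it with data.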


Protecting Information in an Untethered Asset


FIG. 5 illustrates an exemplary asset 500. The asset 500 includes a plurality of intelligent agent modules A 512a through Z 512z, a network 510 of the intelligent agent modules, multiple embedded sensors A 502a through Z 502z, a power source 530, multiple data store devices A 522a through Z 522z, and a network 520 of the multiple data store devices.


Each of the plurality of intelligent agent modules A 512a through Z 512z processes information if no parts of the secure information are destroyed or otherwise rendered unusable. Alternatively or in addition, each of the plurality of intelligent agent modules A 512a through Z 512z is configured to destroy or otherwise render unusable one or more parts of the secure information. Such destruction is performed in response to a suitable notification. For example, the secure information (e.g., communication protocol, target coordinates, etc.) is divided into ten parts and the intelligent agent module A 512a requires all ten parts to process it (e.g., assemble the ten parts of the secure information into the communication protocol, decrypt other encrypted information, etc.). In this example, if one of the ten parts is destroyed, the intelligent agent module A 512a is unable to process the information.


Each of the plurality of data store devices A 522a through Z 522z store the secure information (e.g., store on an internal storage device, coordinate storage on an external storage device, etc.). Each of the plurality of data store devices A 522a through Z 522z communicate the secure information to/from the plurality of intelligent agent modules A 512a through Z 512z. Each of the plurality of data store devices A 522a through Z 522z destroy one or more parts of the secure information based on the notification (e.g., notification of an attempted unauthorized access to the asset 500, notification of a time-out associated with the asset 500, etc.).


Each of the plurality of embedded sensors A 502a through Z 502z provides the notification of a compromise of the system to at least one of the plurality of intelligent agent modules A 512a through Z 512z and/or the plurality of data store devices A 522a through Z 522z. For example, the embedded sensor A 502a is a contact sensor on a physical access, such as a door, to the asset 500. In this example, the embedded contact sensor A 502a detects an attempted entry via the door and transmits a notification to one or more of the intelligent agent modules A 512a through Z 512z and the data store devices A 522a through Z 522z to destroy the secure information.


In some examples, the plurality of intelligent agent modules A 512a through Z 512z, the plurality of data store devices A 522a through Z 522z, and the plurality of embedded sensors A 502a through Z 502z are embedded within the asset 500. For example, one or more of the embedded sensors A 502a through Z 502z are integrated into the housing of the asset 500 (e.g., part of a plastic housing, part of a metal housing, etc.). As another example, one or more of the data store devices A 522a through Z 522z are mounted on the asset 500.


In some examples, the plurality of intelligent agent modules A 512a through Z 512z, the plurality of data store devices A 522a through Z 522z, and the plurality of embedded sensors A 502a through Z 502z are embedded within the asset 500 at a plurality of distributed locations. Other assets (not shown) can, for example, include intelligent agent modules, data store devices, and embedded sensors embedded with the assets at other locations. Table 2 illustrates exemplary locations of the intelligent agent modules, the data store devices, and the embedded sensors in two assets (e.g., Missile A and Missile B, Navigation Unit A and Navigation Unit B, etc.).


TABLE 2

Exemplary Locations

Module/Device/Sensor          Location in Asset A      Location in Asset B
Intelligent Agent Module A    Door Panel A4            Door Panel B5
Intelligent Agent Module B    Screw V3                 Door Panel A2
Data Store Device A           Circuit Board TR3        Navigation Subsystem U4
Data Store Device B           Fuel Subsystem RT3       Fuel Subsystem RT3
Data Store Device C           Door Panel C4            Circuit Board TR3
Embedded Sensor A             Door Screw RT5           Door Hinge FG3
Embedded Sensor B             Arming Circuitry YU3     Navigation Subsystem ER1

FIG. 5 illustrates an example of a configuration of the asset 500 and it should be understood that the asset 500 can be, for example, configured according to a variety of different techniques (e.g., a single data store device, a single intelligent agent module, a data store device integrated into each intelligent agent module, multiple power sources, redundant communication pathways).


In other examples, the asset 500 includes an untethered military device and/or any other untethered device. The asset 500, as described herein, can include, for example, an item of military hardware such as a free standing sensor, artillery shells, airplanes, missiles, tanks and other such items. An execution environment can be, for example, an environment in which software instructions can be executed. Numerous devices are available on the market which can provide such an environment.



FIG. 6 illustrates an exemplary data store device 600. The data store device 600 includes a transceiver 611, a processor 612, a storage device 613, a power source 614, an embedded sensor 615, a destruction mechanism 616, and at least one encryption key 617. The modules and devices described herein can, for example, utilize the processor 612 to execute computer executable instructions and/or include a processor to execute computer executable instructions (e.g., an encryption processing unit, a field programmable gate array processing unit, etc.). It should be understood that the data store device 600 can include, for example, other modules, devices, and/or processors known in the art and/or varieties of the illustrated modules, devices, and/or processors.


The transceiver 611 communicates data to/from the data store device 600. The processor 612 executes the operating system and/or any other computer executable instructions for the data store device 600 (e.g., data management system, etc.). The storage device 613 stores secure information and/or any other type of data. The storage device 613 can include a plurality of storage devices. The storage device 613 can include, for example, long-term storage (e.g., a hard drive, a tape storage device, flash memory, etc.), short-term storage (e.g., a random access memory, a graphics memory, etc.), and/or any other type of computer readable storage.


The power source 614 provides power to the data store device 600 (e.g., power transformer, battery, solar cell, etc.). In some embodiments, the power source 614 can be external to the data store device 600.


The embedded sensor 615 is any type of sensor as described herein (e.g., motion, temperature, optical, electromagnetic, capacitive, etc.) and detects compromises, whether attempted or actual, of the data store device 600. The destruction mechanism 616 is capable of destroying or rendering unusable (e.g., magnetically erases, renders unreadable, explodes, etc.) the secure information and/or any other data stored by and/or received by the data store device 600. The encryption key 617 can be utilized to encrypt and/or decrypt data for storage and/or retrieval by the data store device 600.



FIG. 6 illustrates an example of a configuration of the data store device 600 and it should be understood that the data store device 600 can be, for example, configured according to a variety of different techniques (e.g., no transceiver, a specialized processor, a single function processor, multiple power sources, redundant communication pathways, multiple embedded sensors, and multiple storage devices).


The embedded sensor, as described herein, can be, for example, a device embedded in an asset which can detect an event, such as, for example, an attempt to modify a data store device or remove a data store device from its location in an asset (also referred to as a compromise of the information). The embedded sensors can be embedded within the asset, embedded within the data store device, and/or embedded within the intelligent agent modules. In some embodiments, the sensor detects one or more physical properties, such as light, vibration, sound, movement, location, and/or temperature.



FIG. 7 illustrates an exemplary intelligent agent module 700. The intelligent agent module 700 includes a transceiver 711, a processor 712, a data processor 713, a power source 714, an embedded sensor 715, a destruction mechanism 716, and at least one encryption key 717. The modules and devices described herein can, for example, utilize the processor 712 to execute computer executable instructions and/or include a processor to execute computer executable instructions (e.g., an encryption processing unit, a field programmable gate array processing unit, etc.). It should be understood that the intelligent agent module 700 can include, for example, other modules, devices, and/or processors known in the art and/or varieties of the illustrated modules, devices, and/or processors.


The transceiver 711 communicates data to/from the intelligent agent module 700. The processor 712 executes the operating system and/or any other computer executable instructions for the intelligent agent module 700 (e.g., environmental monitoring system, etc.).


The data processor 713 processes the unencrypted data and/or any other data associated with the intelligent agent module 700.


The power source 714 provides power to the intelligent agent module 700 (e.g., power transformer, battery, etc.). In some embodiments, the power source 714 can be external to the intelligent agent module 700.


The embedded sensor 715 is any type of sensor as described herein (e.g., motion sensor, temperature sensor, etc.) and detects compromises, whether attempted or actual, of the intelligent agent module 700. The destruction mechanism 716 destroys (e.g., magnetically erases, renders unreadable, physically disrupts, explodes, etc.) the secure information and/or any other data stored by and/or received by the intelligent agent module 700.


The encryption key 717 can be utilized to encrypt and/or decrypt data for processing by the data processor 713. In other examples, the intelligent agent module 700 processes unencrypted data.


FIG. 7 illustrates an example of a configuration of an intelligent agent module 700, and it should be understood that the intelligent agent module 700 can be, for example, configured according to a variety of different techniques (e.g., no transceiver, a specialized processor, a single function processor, multiple power sources, redundant communication pathways, etc.).


The intelligent agent module 700 can be, for example, executables (e.g., computer executable instructions). An executable can be, for example, a software item which can execute instructions in an execution environment. If two or more executables communicate with one another, either in the same or different execution environments, the executables can form a network. Each executable is associated with a respective node on the network. The intelligent agent module 700 can be, for example, difficult to reverse engineer. The intelligent agent module 700 can be referred to as an angel.


Executables run on one or more processors that require power to execute in an execution environment. The source of this power can be an embedded battery. In some examples, power can be supplied when the asset or part of the asset is moved or illuminated with electromagnetic radiation.


The critical information to be protected can be stored encrypted on the asset (e.g., in the data store device). If an adversary can obtain the key (e.g., encryption key A), the adversary can decrypt the critical information and "capture" it. Some software on the asset is configured to assist with locating the key and decrypting the critical information in order for the asset to fulfill its military objective. If an adversary can determine how the asset finds the key and decrypts the critical information, the adversary could presumably apply the same procedure and obtain the critical information in its decrypted form. In order to determine how the asset finds and decrypts the critical information, an adversary would need to exercise the asset in a laboratory environment and observe how the asset functions. At least one objective of defending critical information in an asset is to detect when the asset is being examined, for example, in a laboratory environment, and to destroy at least part of the key before the key can be discovered by the adversary.


An initial part of the protection of critical information can include use of the network to develop the key. For example, various different nodes can work together to execute a single function. In this exemplary embodiment, the nodes would utilize cryptographic material in various data store devices and use this material to modify the next step, so that the exact nature of the function being performed would be difficult to determine from examination of the code being run by a single node. As a further example, the encryption key in each data store device and each intelligent agent module is needed to determine the critical information. If a node (e.g., data store device, intelligent agent module) is compromised, the critical information cannot be determined because not all of the parts are available to determine it.



FIG. 8 is a block diagram depicting a network of nodes 800. The network includes data store devices A 812a, B 812b, and C 812c and intelligent agent modules A 816a, B 816b, and C 816c working together to execute a single function (in this example, the assembly of the critical information 820). The data store devices A 812a and B 812b store stored data A 814a and B 814b, respectively. The data store devices A 812a and B 812b communicate the stored data A 814a and B 814b, respectively, to the intelligent module A 816a. The intelligent module A 816a processes the stored data A 814a and B 814b and communicates the processed data to the intelligent agent module C 816c. The data store device C 812c stores stored data C 814c and communicates the stored data C 814c to the intelligent agent module B 816b. The intelligent agent module B 816b processes the stored data C 814c and communicates the processed data to the intelligent agent module C 816c. The intelligent agent module C 816c processes the received processed data to form the critical information 820.



FIG. 9 illustrates a network 900 with nodes that have been compromised and thus, the critical information cannot be determined. The network 900 includes data store devices A 912a, B 912b, and C 912c and intelligent agent modules A 916a, B 916b, and C 916c working together to execute a single function (in this example, the assembly of the critical information 920). The data store devices A 912a and B 912b store stored data A 914a and B 914b, respectively. The data store devices A 912a and B 912b communicate the stored data A 914a and B 914b, respectively, to the intelligent module A 916a. The intelligent module A 916a processes the stored data A 914a and B 914b and communicates the processed data to the intelligent agent module C 916c.


The data store device C 912c stores stored data C 914c and communicates the stored data C 914c to the intelligent agent module B 916b. The intelligent agent module B 916b receives a notification (e.g., from an external sensor, from an internal sensor, etc.) and destroys (930) the stored data C 914c. The intelligent agent module C 916c cannot process (934) the data without the processed data from the intelligent agent module B 916b, which was destroyed. As such, the intelligent agent module C 916c cannot determine (932) the critical information 920 due to the lack of all of the parts of the critical information.



FIG. 10 illustrates a network 1000 with nodes that have been compromised and thus, the critical information cannot be determined. The network 1000 includes data store devices A 1012a, B 1012b, and C 1012c and intelligent agent modules A 1016a, B 1016b, and C 1016c working together to execute a single function (in this example, the assembly of the critical information 1020). The data store devices A 1012a and B 1012b store stored data A 1014a and B 1014b, respectively. The data store device A 1012a communicates the stored data A 1014a to the intelligent module A 1016a. The data store device B 1012b receives a notification and destroys (103) the stored data B 1014b. As such, the data store device B 1012b is unable to retrieve (1032) the stored data B 1014b, since it was destroyed. The intelligent agent module A 1016a cannot process (1032) the data without the stored data B 1014b, which was destroyed.


The data store device C 1012c stores stored data C 1014c and communicates the stored data C 1014c to the intelligent agent module B 1016b. The intelligent agent module B 1016b processes the stored data C 1014c and communicates the processed data to the intelligent agent module C 1016c.


The intelligent agent module C 1016c cannot process (1034) the data without the processed data from the intelligent agent module A 1016a, whose input (the stored data B 1014b) was destroyed. As such, the intelligent agent module C 1016c cannot determine (1036) the critical information 1020 due to the lack of all of the parts of the critical information.
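The all-parts-required property used throughout this section (the ten-part example above, and the FIG. 8 through FIG. 10 networks in which destroying one store's data leaves node C unable to assemble the critical information) is exactly what an n-of-n XOR split provides: every share but the last is uniformly random and the last is the XOR of the secret with all of them, so any n-1 shares carry no information about the secret. The following is an added example and is not the patent's own scheme; the DataStore class and run_network function are assumptions standing in for the data store devices and the assembling node, and os.urandom stands in for the factory's random source.

```python
import os
from typing import List, Optional


def split_secret(secret: bytes, parts: int) -> List[bytes]:
    """Split `secret` into `parts` shares that must ALL be present to recover it.

    Shares 0..n-2 are fresh random bytes; the final share is the XOR of the
    secret with all of them. Losing any single share leaves the remainder
    statistically independent of the secret.
    """
    if parts < 2:
        raise ValueError("need at least two parts")
    shares = [os.urandom(len(secret)) for _ in range(parts - 1)]
    last = bytearray(secret)
    for share in shares:
        for i, b in enumerate(share):
            last[i] ^= b
    shares.append(bytes(last))
    return shares


def assemble(shares: List[Optional[bytes]]) -> Optional[bytes]:
    """Node C's job: XOR every share back together.

    Returns None as soon as any share is missing (None) rather than guessing;
    with an n-of-n split a partial assembly is just more random bytes.
    """
    if not shares or any(s is None for s in shares):
        return None
    out = bytearray(len(shares[0]))
    for share in shares:
        for i, b in enumerate(share):
            out[i] ^= b
    return bytes(out)


class DataStore:
    """One data store device (assumed model): holds a share, can be told to
    destroy it when an embedded sensor raises a notification."""

    def __init__(self, share: bytes):
        self._share: Optional[bytes] = share

    def read(self) -> Optional[bytes]:
        return self._share

    def destroy(self) -> None:
        self._share = None  # in hardware: erase / render unreadable


def run_network(stores: List[DataStore],
                compromised: Optional[int] = None) -> Optional[bytes]:
    """FIG. 8 when `compromised` is None; FIG. 10 when one store index is
    given and that store destroys its share before the assembly step."""
    if compromised is not None:
        stores[compromised].destroy()
    return assemble([s.read() for s in stores])
```

The split is information-theoretic, so the adversary gains nothing from the nine surviving shares; what the scheme does not protect against is an adversary who copies all n stores before any sensor fires, which is why the surrounding text pairs it with tamper detection on every store.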


Consequently, an adversary would have to simultaneously debug multiple nodes, which would be very difficult, if not impossible, to accomplish on the asset itself. An adversary would need to somehow set up the network on a separate machine and experiment with the network in that environment. If the network, when running on the asset, can determine that it is being exercised in a falsified environment, the network itself can destroy data in the key stores, with the result that the asset thereafter is useless as a means of obtaining the critical program information. The more nodes that are used to develop the key, the more difficult the problem. At some number of nodes the problem cannot be managed by an adversary except by simulating the network on a separate machine. It is envisioned that the number of nodes can be arbitrarily large (e.g., 1000, 4000, 10,000, 20,000).


In order to simulate the asset on an external machine, an adversary would have to copy data from the data store devices in order to recreate an appropriate environment. In some examples, the data store devices are embedded in some type of medium, are physically separated, and are surrounded by some type of membrane that will notify (e.g., alarm) if the data store is gouged out of or otherwise removed from its environment. For example, the data store device can provide notification if the power source is removed. Data store devices can check on the condition of other data store devices. If a data store device is found missing, the discoverer can notify the network. The consequence of a notification can be destruction of material that is needed for the key to decrypt the critical information (e.g., destroy the data, destroy the encryption key, destroy the device, destroy the software, destroy everything, etc.).


An adversary cannot, generally, defeat a network of angels (i.e., intelligent agent modules) by reverse engineering the angels one node at a time. As the angels communicate with one another, the angels can detect changes in the correct operation of the network (e.g., timing tokens are out of sync, network communication is delayed, too many angels communicating on the network, etc.). The angels can communicate messages (e.g., timing tokens) between each other (e.g., multicast timing tokens, timing token for each peer node, etc.). The other angels on the network (i.e., further upstream) can determine whether the earlier messages were generated in a timely fashion by, for example, examining timing tokens communicated between the angels. Many schemes can be devised to enhance such detection (e.g., abnormalities in the network communication, falsified network addresses, etc.). For example, in FIG. 8, the intelligent agent modules A 816a and B 816b can send messages with timing tokens to the intelligent agent module C 816c. In this example, if an adversary attempted to reverse engineer the intelligent agent module A 816a, which might take several minutes, or hours, or days, the intelligent agent module C 816c could detect the difference in timing tokens received from the intelligent agent modules A 816a and B 816b. The difference in the timing tokens can indicate a compromise, whether actual or potential, and the intelligent agent module C 816c can generate a notification based on the compromise and/or destroy any secure information.
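The timing-token check described above, as an added example (not code from the patent): a downstream angel, node C in FIG. 8, receives tokens from its upstream peers and raises a notification when a peer's sequence numbers jump or repeat, its send cadence drifts, a token is stale on arrival, peers disagree on when the same sequence number was sent, a peer falls silent for longer than the cadence allows, or a token arrives from a node that is not a known peer. The token format, the period and tolerance values, and the choice of checks are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class TimingToken:
    node: str       # name of the sending angel
    seq: int        # per-node counter, increments by one per token
    sent_at: float  # sender's clock when the token was emitted, in seconds


class TimingMonitor:
    """Downstream angel checking that its peers keep running in real time."""

    def __init__(self, period: float, tolerance: float, peers: Iterable[str]):
        self.period = period          # expected seconds between tokens
        self.tolerance = tolerance    # allowed slack on any timing comparison
        self.peers = list(peers)      # nodes allowed to talk to us
        self.latest: Dict[str, TimingToken] = {}
        self.sent_by_seq: Dict[Tuple[str, int], float] = {}
        self.notifications: List[str] = []

    @property
    def compromised(self) -> bool:
        return bool(self.notifications)

    def _notify(self, reason: str) -> None:
        # A real angel would also trigger destruction here.
        self.notifications.append(reason)

    def receive(self, token: TimingToken, now: float) -> bool:
        """Check one incoming token; `now` is the receiver's clock."""
        if token.node not in self.peers:
            self._notify(f"unknown node {token.node}")  # too many angels
            return self.compromised
        prev = self.latest.get(token.node)
        if prev is not None:
            if token.seq != prev.seq + 1:  # replayed or dropped token
                self._notify(f"{token.node}: sequence {prev.seq} -> {token.seq}")
            gap = token.sent_at - prev.sent_at
            if abs(gap - self.period) > self.tolerance:  # paused in a debugger
                self._notify(f"{token.node}: interval {gap:.2f}s off cadence")
        if now - token.sent_at > self.tolerance:  # held back in transit
            self._notify(f"{token.node}: delayed {now - token.sent_at:.2f}s")
        for other in self.peers:  # peers run on the same cadence, so the
            if other == token.node:  # same seq should be sent at nearly the
                continue             # same moment on every peer
            other_sent = self.sent_by_seq.get((other, token.seq))
            if other_sent is not None and abs(other_sent - token.sent_at) > self.tolerance:
                skew = abs(other_sent - token.sent_at)
                self._notify(f"seq {token.seq}: {token.node}/{other} skew {skew:.2f}s")
        self.latest[token.node] = token
        self.sent_by_seq[(token.node, token.seq)] = token.sent_at
        return self.compromised

    def tick(self, now: float) -> bool:
        """Liveness check run on a timer: a peer that stops sending is as
        suspicious as one that sends late."""
        for peer in self.peers:
            last = self.latest.get(peer)
            if last is not None and now - last.sent_at > self.period + self.tolerance:
                self._notify(f"{peer}: silent for {now - last.sent_at:.2f}s")
        return self.compromised
```

The cross-peer skew check is what catches the scenario in the text: if node A is single-stepped for minutes while node B keeps running, A's token for a given sequence number is sent far later than B's, even if A's own clock was also frozen. The liveness tick covers the case where A never resumes.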


In at least some embodiments, a protection scheme of the technology can include two networks: a network of data store devices and a network of angels (i.e., intelligent agent modules). The network of data store devices can be a network in which the data store devices check on one another. The network of angels can be used to build the key to decrypt the critical information and to find the critical information and to decrypt it at the appropriate time. Angels can check on one another.


It may be possible that information can be extracted from a data store device by illuminating the chip containing the data store with a focused ion beam system (FIBS) or some similar system. There are known coatings that can be applied to such a chip to detect this type of illumination and sound an alarm. This capability could also be built into the data store device. However, if a significant number of physically separated data store devices were used, and the data from all of them were required to obtain the key, it would present an adversary with a formidable challenge to extract all of that data, even with FIBS technology. To further confound an adversary, military designers could use decoy data store devices, thereby forcing an adversary to extract data from large numbers of data stores, and to simulate the system in a separate environment, only to discover that the data was not used.


Although the asset is described as untethered, the asset can communicate with other assets or with a remote monitor located in a secure environment. If the asset communicates with other assets and with a secure remote monitor, the security of the asset can be further enhanced by receiving and sending communication with the other assets (e.g., notifications) and/or remote monitor (e.g., security alerts).


In large scale assets, such as airplanes and tanks, the asset can be configured to use various different circuit boards, which are mounted into various chassis. In such environments, there are numerous data paths and data store devices, which are hard-wired into the system.



FIG. 11 illustrates a network of data store devices 1120 and intelligent agent modules 1130 that utilize the various boards and various chassis of an asset 1110.



FIG. 12 illustrates a network of data store devices 1220 and intelligent agent modules 1230 that utilize the various boards and various chassis of an asset 1210.


In smaller scale assets, such as sensors and artillery shells, handheld weapons, and the like, the infrastructure can be much more sparse. The best approach in these environments can be to fabricate new materials that include large numbers of data store devices embedded in appropriate media with embedded power sources and surrounding membranes and with embedded data buses.


The protection scheme for such assets can be installed in a secure factory. The technology as proposed allows complexity to be introduced at the factory which can be difficult for an adversary to reverse engineer. For example, the critical information can be encrypted with a randomly generated key. The encrypted critical information and the key itself can be distributed into various data store devices, and a network can be generated that with multiple nodes working together can find the encrypted critical information and the key and can reconstitute the critical information in unencrypted form at the appropriate time to achieve mission goals.


For identical assets, the distribution and reconstitution schemes can be different. For example, different examples of the same shell could have different methods of distributing the encrypted critical information and reconstituting it. This would deprive an adversary of the advantage of using multiple copies of an asset to conduct its reverse engineering effort.


By testing, probabilities can be obtained that a data store device can detect an attempt to remove it from the media in which it is embedded, that it can detect removal of its power source, that it can detect hostile illumination, and so forth. Probabilities can also be obtained that it will falsely report an attack. These probabilities can be combined to determine the overall probability that one or more data store devices in the asset can detect a reverse engineering attack with an appropriately low level of false positives. Assuming the network of angels is sufficiently complex that it cannot be reverse engineered in the asset, the probability of detection can be made arbitrarily high by utilizing more data store devices; however, a greater number of data store devices also increases the probability of a false positive. These are issues that need to be balanced in the design of the protection scheme for the asset; however, if the false positives can be managed, the probability of protection can be increased to any arbitrary level by increasing the number of data store devices.
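The balance described above can be made concrete. Treating each store's detection mechanisms, and each store's false alarm, as independent events (an assumption; correlated failures such as a shared power bus would break it), the probability that at least one of n stores detects an attack is 1 - (1 - p)^n and the probability that at least one raises a false alarm is 1 - (1 - f)^n. Both grow with n, so the design question is whether some n reaches the detection target before the false-alarm budget is exhausted. This added example (not from the patent) answers that question for given per-store figures.

```python
def per_store_detection(p_remove: float, p_power: float, p_illum: float) -> float:
    """One store detects if any of its independent mechanisms fires:
    removal from the medium, loss of its power source, hostile illumination."""
    return 1.0 - (1.0 - p_remove) * (1.0 - p_power) * (1.0 - p_illum)


def detection_probability(p_detect: float, n: int) -> float:
    """P(at least one of n independent stores detects the attack)."""
    return 1.0 - (1.0 - p_detect) ** n


def false_positive_probability(p_false: float, n: int) -> float:
    """P(at least one of n stores raises a false alarm in the same window)."""
    return 1.0 - (1.0 - p_false) ** n


def smallest_n(p_detect: float, p_false: float,
               target_detect: float, max_false: float,
               n_max: int = 100000):
    """Smallest store count meeting the detection target without exceeding
    the false-alarm budget, or None if no such count exists.

    The false-alarm probability only rises with n, so the search stops the
    first time it crosses the budget: adding stores past that point cannot
    help, and the per-store sensors must be improved instead.
    """
    for n in range(1, n_max + 1):
        if false_positive_probability(p_false, n) > max_false:
            return None
        if detection_probability(p_detect, n) >= target_detect:
            return n
    return None
```

With per-store detection of 0.3 and a per-store false-alarm rate of 0.001, thirteen stores reach 99% detection at roughly 1.3% false alarms; raising the per-store false-alarm rate to 0.01 makes a 5% budget unreachable before the detection target is met, which is the case the text warns about.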


The above-described systems and methods can be implemented in digital electronic circuitry, in computer hardware, firmware, and/or software. The implementation can be as a computer program product (i.e., a computer program tangibly embodied in an information carrier). The implementation can, for example, be in a machine-readable storage device, for execution by, or to control the operation of, data processing apparatus. The implementation can, for example, be a programmable processor, a computer, and/or multiple computers.


A computer program can be written in any form of programming language, including compiled and/or interpreted languages, and the computer program can be deployed in any form, including as a stand-alone program or as a subroutine, element, and/or other unit suitable for use in a computing environment. A computer program can be deployed to be executed on one computer or on multiple computers at one site.


Method steps can be performed by one or more programmable processors executing a computer program to perform functions of the invention by operating on input data and generating output. Method steps can also be performed by, and an apparatus can be implemented as, special purpose logic circuitry. The circuitry can, for example, be a FPGA (field programmable gate array) and/or an ASIC (application specific integrated circuit). Subroutines and software agents can refer to portions of the computer program, the processor, the special circuitry, software, and/or hardware that implement that functionality.


Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer. Generally, a processor receives instructions and data from a read-only memory or a random access memory or both. The essential elements of a computer are a processor for executing instructions and one or more memory devices for storing instructions and data. Generally, a computer can include, can be operatively coupled to receive data from and/or transfer data to one or more mass storage devices for storing data (e.g., magnetic, magneto-optical disks, or optical disks).


Data transmission and instructions can also occur over a communications network. Information carriers suitable for embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices. The information carriers can, for example, be EPROM, EEPROM, flash memory devices, magnetic disks, internal hard disks, removable disks, magneto-optical disks, CD-ROM, and/or DVD-ROM disks. The processor and the memory can be supplemented by, and/or incorporated in, special purpose logic circuitry.


To provide for interaction with a user, the above described techniques can be implemented on a computer having a display device. The display device can, for example, be a cathode ray tube (CRT) and/or a liquid crystal display (LCD) monitor. The interaction with a user can, for example, be a display of information to the user and a keyboard and a pointing device (e.g., a mouse or a trackball) by which the user can provide input to the computer (e.g., interact with a user interface element). Other kinds of devices can be used to provide for interaction with a user. Other devices can, for example, be feedback provided to the user in any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback). Input from the user can, for example, be received in any form, including acoustic, speech, and/or tactile input.


The above-described techniques can be implemented in a distributed computing system that includes a back-end component. The back-end component can, for example, be a data server, a middleware component, and/or an application server. The above-described techniques can be implemented in a distributed computing system that includes a front-end component. The front-end component can, for example, be a client computer having a graphical user interface, a Web browser through which a user can interact with an example implementation, and/or other graphical user interfaces for a transmitting device. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a local area network (LAN), a wide area network (WAN), the Internet, wired networks, and/or wireless networks.


The system can include clients and servers. A client and a server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.


Packet-based networks can include, for example, the Internet, a carrier internet protocol (IP) network (e.g., local area network (LAN), wide area network (WAN), campus area network (CAN), metropolitan area network (MAN), home area network (HAN)), a private IP network, an IP private branch exchange (IPBX), a wireless network (e.g., radio access network (RAN), 802.11 network, 802.16 network, general packet radio service (GPRS) network, HiperLAN), and/or other packet-based networks. Circuit-based networks can include, for example, the public switched telephone network (PSTN), a private branch exchange (PBX), a wireless network (e.g., RAN, Bluetooth, code-division multiple access (CDMA) network, time division multiple access (TDMA) network, global system for mobile communications (GSM) network), and/or other circuit-based networks.


The transmitting device can include, for example, a computer, a computer with a browser device, a telephone, an IP phone, a mobile device (e.g., cellular phone, personal digital assistant (PDA) device, laptop computer, electronic mail device), and/or other communication devices. The browser device includes, for example, a computer (e.g., desktop computer, laptop computer) with a World Wide Web browser (e.g., Microsoft® Internet Explorer® available from Microsoft Corporation, Mozilla® Firefox available from Mozilla Corporation). The mobile computing device includes, for example, a Blackberry®.


Comprise, include, and/or plural forms of each are open ended and include the listed parts and can include additional parts that are not listed. And/or is open ended and includes one or more of the listed parts and combinations of the listed parts.


One skilled in the art will realize the invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The foregoing embodiments are therefore to be considered in all respects illustrative rather than limiting of the invention described herein. Scope of the invention is thus indicated by the appended claims, rather than by the foregoing description, and all changes that come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein.

Claims
  • 1. A method for protecting secure information, the method comprising: storing, by a plurality of data store devices, the secure information, each of the data store devices storing at least one part of the secure information; receiving, by at least one of a plurality of embedded sensors, a notification associated with a compromise of at least one part of the secure information; destroying one or more parts of the secure information based on the notification; and processing, by a plurality of intelligent agent modules, one or more parts of the secure information received from one or more of the data store devices if no parts of the one or more parts of the secure information are destroyed.
  • 2. The method of claim 1, wherein no single data store device stores every part of the secure information.
  • 3. The method of claim 1, wherein the destroying the one or more parts of the secure information based on the notification further comprising destroying, by each of the data store devices or each of the intelligent agent modules associated with the respective part of the secure information, the one or more parts of the secure information based on the notification.
  • 4. The method of claim 1, wherein the secure information comprising encrypted information, and the method further comprising: decrypting the encrypted information based on an encryption key, the encryption key comprising a plurality of parts stored on at least two of the plurality of data store devices.
  • 5. The method of claim 4, further comprising destroying one or more parts of the encryption key based on the notification, the destroying of the one or more parts of the encryption key making the encryption key unusable for decrypting the encrypted information.
  • 6. The method of claim 1, wherein the destroying the one or more parts of the secure information based on the notification making the one or more parts unreadable by a computing device.
  • 7. The method of claim 1, wherein the notification is associated with an event, and the method further comprising: detecting, by at least one of the plurality of embedded sensors, the event, the event associated with at least one of the plurality of data store devices or at least one of the plurality of intelligent agent modules.
  • 8. The method of claim 1, further comprising: detecting, by at least one of the plurality of embedded sensors, an attempted modification or removal of at least one part of the secure information from at least one of the plurality of data store devices or at least one of the plurality of intelligent agent modules; and generating the notification based on the attempted modification or removal.
  • 9. The method of claim 1, further comprising: detecting, by at least one of the plurality of embedded sensors, a change in a physical property associated with at least one of the plurality of data store devices or at least one of the plurality of intelligent agent modules; and generating the notification based on the change in the physical property.
  • 10. The method of claim 9, wherein the physical property comprising light, vibration, sound, movement, location, or temperature.
  • 11. The method of claim 1, further comprising: detecting, by at least one of the plurality of intelligent agent modules, a change in the correct operation of a network of the plurality of intelligent agent modules; and generating the notification based on the detection.
  • 12. The method of claim 11, wherein the detecting the change in the correct operation of the network of the plurality of intelligent agent modules further comprising examining timing tokens communicated between two or more of the plurality of intelligent agent modules.
  • 13. A computer program product, tangibly embodied in an information carrier, the computer program product including instructions being operable to cause a data processing apparatus to: store the secure information, each of a plurality of data store devices storing at least one part of the secure information; receive a notification associated with a compromise of at least one part of the secure information; destroy one or more parts of the secure information based on the notification; and process one or more parts of the secure information received from one or more of the plurality of data store devices if no parts of the one or more parts of the secure information are destroyed.
  • 14. A system for protecting secure information, the system comprising: a plurality of intelligent agent modules configured to process information if no parts of the secure information are destroyed and destroy one or more parts of the secure information based on a notification; a plurality of data store devices configured to store the secure information, communicate the secure information to/from the plurality of intelligent agent modules, and destroy one or more parts of the secure information based on the notification; and a plurality of embedded sensors configured to provide the notification of a compromise of the system to at least one of the plurality of intelligent agent modules and/or the plurality of data store devices.
  • 15. The system of claim 14, further comprising an asset, wherein the plurality of intelligent agent modules, the plurality of data store devices, and the plurality of embedded sensors are embedded within the asset.
  • 16. The system of claim 15, wherein the asset comprises an untethered military device.
  • 17. The system of claim 14, further comprising an asset, wherein the plurality of intelligent agent modules, the plurality of data store devices, and the plurality of embedded sensors are embedded within the asset at a plurality of first locations.
  • 18. The system of claim 17, further comprising a second asset, the second asset comprising: a plurality of second intelligent agent modules configured to process second secure information if no parts of the second secure information are destroyed and destroy one or more parts of the second secure information based on a second notification; a plurality of second data store devices configured to store the second secure information, communicate the second secure information to/from the plurality of second intelligent agent modules, and destroy one or more parts of the second secure information based on the second notification; and a plurality of second embedded sensors configured to provide the second notification of a compromise of the system to at least one of the plurality of second intelligent agent modules and/or the plurality of second data store devices, wherein the plurality of second intelligent agent modules, the plurality of second data store devices, and the plurality of second embedded sensors are embedded within the second asset at a plurality of second locations.
  • 19. The system of claim 18, wherein the first asset is associated with the second asset and the plurality of first locations are different from the plurality of second locations.
  • 20. The system of claim 14, wherein the secure information comprises at least one of encrypted data, unencrypted data, and/or an encryption key.
  • 21. The system of claim 14, further comprising the plurality of embedded sensors further configured to detect the compromise of the system.
  • 22. A system for protecting secure information, the system comprising: means for processing information if no parts of the secure information are destroyed; means for storing the secure information; means for communicating the secure information to/from the means for processing; means for destroying one or more parts of the secure information based on the notification; and means for providing the notification of a compromise of the system to at least one of the means for destroying.
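As an added illustration (not code from the application or its assignee), the following Python sketch models the mechanism of claims 1 through 10: the encryption key is split into XOR shares so that no single data store device holds the whole key, an embedded sensor raises a notification when a monitored physical property leaves its envelope, and the intelligent agent destroys every part on notification and processes only while all parts are intact. The class and function names, XOR secret sharing, the sensor envelope and the XOR one-time-pad stand-in for the cipher are all assumptions; the claims specify none of them.

```python
import secrets
from functools import reduce

def xor_all(parts):
    """XOR equal-length byte strings together; with XOR shares this also rebuilds the key."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*parts))

def split_key(key: bytes, n: int) -> list:
    """Split the key into n XOR shares: all n are needed, any n-1 reveal nothing (claim 4)."""
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    return shares + [xor_all([key] + shares)]

class DataStore:
    """One data store device holding a single part of the key (claims 2 and 4)."""
    def __init__(self, part: bytes):
        self._part, self.destroyed = bytearray(part), False
    def destroy(self):
        self._part[:] = bytes(len(self._part))  # overwrite in place: unreadable (claim 6)
        self.destroyed = True
    def read(self) -> bytes:
        if self.destroyed:
            raise RuntimeError("part destroyed")
        return bytes(self._part)

class EmbeddedSensor:
    """Notifies when a physical property leaves its envelope (claims 9 and 10); constructed."""
    def __init__(self, prop: str, low: float, high: float):
        self.prop, self.low, self.high = prop, low, high
    def observe(self, value: float):
        return None if self.low <= value <= self.high else f"{self.prop}={value}"

class IntelligentAgent:
    """Processes only while every part is intact; destroys all parts on notification."""
    def __init__(self, stores, ciphertext: bytes):
        self.stores, self.ciphertext = stores, ciphertext
    def notify(self, notification: str):
        for s in self.stores:  # claim 3: each device destroys its own part
            s.destroy()
    def process(self):
        if any(s.destroyed for s in self.stores):
            return None  # claim 1: no processing once any part is gone
        key = xor_all([s.read() for s in self.stores])
        return xor_all([self.ciphertext, key])  # XOR pad as a stand-in for real decryption

def build_asset(plaintext: bytes, n_stores: int = 3) -> IntelligentAgent:
    """Encrypt with a one-time pad (assumed stand-in) and spread the key over n_stores devices."""
    key = secrets.token_bytes(len(plaintext))
    return IntelligentAgent([DataStore(p) for p in split_key(key, n_stores)],
                            xor_all([plaintext, key]))
```

After `notify` every share is zeroized, so `process` returns `None` and the ciphertext alone is all that remains on the asset.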
RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional Application No. 61/226,733, filed on Jul. 19, 2009. The entire teachings of the above application are incorporated herein by reference.

Provisional Applications (1)
Number     Date      Country
61226733   Jul 2009  US