EP2021969A1 - Security architectures reinforced in two or three physically separated sections - Google Patents

Security architectures reinforced in two or three physically separated sections

Info

Publication number
EP2021969A1
Authority
EP
European Patent Office
Prior art keywords
zone
black
red
cryptographic
management
Prior art date
Legal status
Withdrawn
Application number
EP07729966A
Other languages
German (de)
French (fr)
Inventor
Patrick Duputz
Current Assignee
Junghans T2M SAS
Original Assignee
Junghans T2M SAS

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F 21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information

Definitions

  • the invention particularly relates to an improved security architecture and cryptographic equipment.
  • Cryptographic equipment is a hardware and software product that integrates cryptographic functions.
  • the partitioning of the cryptographic functions and the red / black separation are the critical points that are analyzed at the time of the security assessment.
  • the passage of this assessment determines the approval, which allows the deployment of the equipment in a client infrastructure.
  • a first technical problem is the definition of cryptographic equipment architecture.
  • the architecture must guarantee a level of partitioning and separation appropriate to the approval sought.
  • the current Recommendation [Recommendation for the Integration of Cryptographic Functions in Information Systems] promotes the physical partitioning of cryptographic functions (an autonomous cryptographic domain) and the physical separation of processing resources from sensitive and non-sensitive data. This recommendation automatically induces high hardware and software complexity.
  • a second technical problem is the optimization of development and production costs. At fixed security level, the goal is to obtain the most competitive cryptographic equipment on the market.
  • cryptographic equipment as represented in FIG. 1 generally comprises four functional subsets: the red zone 1, the black zone 2, the management zone 3 and the cryptographic resource 4.
  • the red zone 1 groups together the security functions that process sensitive data in the clear.
  • Black zone 2 groups together the security functions that process encrypted data.
  • Management Zone 3 groups the supervisory functions that deal with non-sensitive data.
  • the cryptographic resource 4 groups the cryptographic functions.
  • the architecture of the cryptographic equipment is usually in two, three, or four physically separated parts.
  • the two-part architecture shown in FIG. 2 makes it possible to partition the security functions into a host domain 5 and a cryptographic domain 6.
  • the red, black and management zones are grouped together in a host domain formed of a single software and/or hardware component.
  • the cryptographic resource 4 constitutes the cryptographic domain 6 of the equipment.
  • the three-part architecture shown in FIG. 3 makes it possible to partition the security functions into a cryptographic domain 6, a red host domain 7 and a black host domain 8.
  • the red zone 1 and part of the management zone 3a are grouped in the red host domain.
  • the black zone 2 and part of the management zone 3b are grouped in the black host domain.
  • the cryptographic resource 4 constitutes the cryptographic domain, which is placed inline (in the cut) in the equipment so that the internal flows between zones pass through it.
  • the two- and three-part security architectures have an insufficient level of red / black separation with respect to the approvals for the Confidentiel Défense and Secret Défense levels and are therefore not suitable for cryptographic equipment intended to protect classified defense information.
  • the four-part security architecture has a maximum level of red / black partitioning and separation. It is ideally suited to cryptographic equipment intended to protect classified defense information. However, it generates high development and production costs.
  • the four-part security architecture is also ill-suited to the customer's mobility needs. It penalizes the performance (battery autonomy) and the ergonomics (bulk) of the equipment in a mobile-use context.
  • the object of the invention is a new architecture for a cryptographic device in which the red / black partitioning and separation level of the two- and three-part architectures is improved, in order to design cryptographic equipment able to protect classified defense information at lower cost.
  • the invention relates to a cryptographic device comprising at least one red zone, a black zone, a management zone, a cryptographic resource, characterized in that it comprises at least the following elements:
  • the cryptographic resource communicating with the elements of the host domain by means of the following interfaces:
  • in the event of a failure, the cryptographic resource prevents exchanges of data in the clear between the logically or physically separated zones.
  • the software architecture based on software / hardware virtualization prevents direct data exchanges between the logically separated zones: bypassing of the cryptographic resource by memory overflow or memory injection is detected and blocked. And the method for the secure transmission of data in the clear through the cryptographic resource prevents abnormal exchanges of data in the clear from or to the management zone caused by a malfunction of one of the zones.
  • FIG. 1 a functional cutout of a cryptographic means
  • FIG. 2 a security architecture in two parts physically separated according to the prior art
  • FIG. 3 a three-part security architecture physically separated according to the prior art
  • FIG. 4a a first example of an improved security architecture in two physically separated parts according to the invention and FIG. 4b the corresponding software division,
  • FIG. 5a a second example of an improved security architecture in three physically separated parts and FIG. 5b the corresponding software division,
  • the security architectures in two and three parts proposed according to the invention are based in particular on the application of a coherent set of the following four security measures: 1. Physical partitioning of functional areas, intrinsic to two or three part security architectures,
  • FIG. 4a shows schematically an example architecture for a cryptographic means comprising a host domain 5 containing a red zone 1, a black zone 2 and a management zone 3. These three zones communicate with the outside of the cryptographic means by means of three distinct physical interfaces: an interface 10 for the sensitive data, an interface 11 for the encrypted data and an interface 12 for the management data. The three zones are separated from one another by software means, 13 between the red zone and the management zone and 14 between the management zone and the black zone. It also comprises a cryptographic domain 6 comprising the cryptographic resource 4 with a secure clear channel. The cryptographic domain communicates with the outside by means of an external interface 15.
  • the cryptographic resource 4 communicates with the elements of the host domain using three physically distinct interfaces:
  • a medium / high speed red interface 16 for the sensitive data (towards the red zone)
  • a medium / high speed black interface 17 for the encrypted data (towards black zone)
  • the cryptographic resource must control two secure clear channels that result from the implementation of a method of secure transmission of data in clear between:
  • the host domain 5 and the cryptographic domain 6 are physically separated (25).
  • the cryptographic resource must be able to multiplex, on the red 16 and black 17 physical interfaces, user data (sensitive data or encrypted data) and non-sensitive management data.
  • the solution is compatible with a partitioning mechanism to prohibit the simultaneous transmission of data in clear between the management area and the red and black areas.
  • FIG. 4b represents the corresponding software division: the red zone software 60, the management zone software 61 and the black zone software 62, a virtualization software 63, and the microprocessor architecture 64.
  • Figure 5a shows another improved security architecture in three physically separated parts.
  • the cryptographic means comprises a red host domain 7 containing part of the management zone 3a and the red zone 1, the two zones being logically separated by a software means 19. It also comprises a black host domain 8 comprising a black zone 2 and a part of the management zone 3b, the two zones being logically separated by software means 20.
  • the cryptographic resource communicates with the elements of the red and black host domains using four physically distinct interfaces:
  • a medium / high speed red interface 16 for the sensitive data (towards the red zone),
  • the cryptographic resource must control three secure clear channels that result from the implementation of a method of secure transmission of data in clear between:
  • the three domains are physically separated: the red host domain is physically separated from the cryptographic domain, which is itself physically separated from the black host domain.
  • Figure 5b shows the corresponding software division.
  • the red zone software 1 and the management zone software 3a run on a common virtualization software 65 associated with a common red host domain hardware 66, and the management zone software 3b and the black zone software 2 run on a common virtualization software 67 associated with a common black host domain hardware 68.
  • the cryptographic resource is generally an integrated (programmable) circuit integrating all the symmetric and asymmetric encryption and decryption algorithms. This component offers a direct interface for the "CIK plug" (an external memory component needed to start the cryptographic function) and for the injection of the secret elements, in order to confine and partition the processing of highly sensitive elements (cryptographic keys).
  • the red 30, black 31 and management 32 zones are implemented separately in software. These three programs run concurrently on a single microprocessor architecture 34 through software / hardware virtualization technology.
  • the hardware implementation of the improved three-part physically separated security architecture takes different forms depending on the level of performance of the equipment (throughput). Three typical implementation cases are shown in Figures 7, 8, and 9.
  • the red 40 (all or part), black 41 (all or part) and management areas 42 are implemented separately in software.
  • the fast processing functions of red 44/54 and black 45 are implemented in hardware.
  • the software / hardware virtualization technology ensures a separation between the red-rated management software and the red zone software (red processor) and between the black-rated management software and the black zone software (black processor).
  • the different elements are connected by interfaces 47a, 47b, 47c and 47d to a cryptographic circuit.
  • the red zone 40 is connected to an FPGA 44 (field-programmable gate array) by means of an internal red interface 49, and the black zone 41 to the fast processing function by an internal black interface 50.
  • the cryptographic equipment communicates with the outside by means of a keyboard/screen 51 and an Ethernet link 52.
  • An input / output 53 makes it possible in particular to inject the key and the CIK 54.
  • the software base common to red, black, and management zone software consists of a trusted operating system and a hardware adaptation layer.
  • this operating system mainly ensures the separation of the resources of the microprocessor architecture (registers, memories, peripherals) and of the computing power offered by the microprocessor core. It allocates each piece of software a fixed execution time and performs the task switching strictly and periodically, in real time.

Abstract

Cryptographic device comprising at least a red zone (1), a black zone (2), a management zone (3) and a cryptographic resource (4), comprising at least the following elements: - a host domain (5) including the red zone (1), the black zone (2) and the management zone (3), logically separated, - the cryptographic resource (4) communicating with the elements of the host domain (5) via the following interfaces: - a red interface (10) for data sent to the red zone, - a black interface (11) for data sent to the black zone, - a management interface (12) for data sent to the management zone, - the three interfaces (10, 11, 12) being physically separated, - the cryptographic domain being physically separated from the host domain.

Description

IMPROVED SECURITY ARCHITECTURES IN TWO AND THREE PHYSICALLY SEPARATED PARTS
The invention relates in particular to an improved security architecture and to cryptographic equipment.
The expression cryptographic equipment designates a hardware and software product that integrates cryptographic functions.
In cryptographic equipment, the partitioning of the cryptographic functions and the red/black separation are the critical points analysed during the security evaluation. Passing this evaluation is a condition for obtaining the approval that authorises deployment of the equipment in a customer infrastructure.
A first technical problem is the definition of the architecture of the cryptographic equipment. The architecture must guarantee a level of partitioning and separation suited to the approval sought.
The current recommendation [Recommendation for the integration of cryptographic functions in information systems] favours the physical partitioning of the cryptographic functions (an autonomous cryptographic domain) and the physical separation of the resources that process sensitive data from those that process non-sensitive flows. This recommendation automatically induces high hardware and software complexity.
A second technical problem is the optimisation of development and production costs. At a fixed security level, the objective is to obtain the most competitive cryptographic equipment on the market.
Cryptographic equipment as represented in FIG. 1 generally comprises four functional subsets: the red zone 1, the black zone 2, the management zone 3 and the cryptographic resource 4. The red zone 1 groups the security functions that process sensitive data in the clear. The black zone 2 groups the security functions that process encrypted data. The management zone 3 groups the supervision functions that process non-sensitive data. And the cryptographic resource 4 groups the cryptographic functions.
Depending on the security level sought, the architecture of the cryptographic equipment is generally in two, three or four physically separated parts.
The two-part architecture shown in FIG. 2 partitions the security functions into a host domain 5 and a cryptographic domain 6. The red, black and management zones are grouped in a host domain formed of a single software and/or hardware component. The cryptographic resource 4 constitutes the cryptographic domain 6 of the equipment.
The three-part architecture shown in FIG. 3 partitions the security functions into a cryptographic domain 6, a red host domain 7 and a black host domain 8. The red zone 1 and part of the management zone 3a are grouped in the red host domain. The black zone 2 and part of the management zone 3b are grouped in the black host domain. The cryptographic resource 4 constitutes the cryptographic domain, which is placed inline (in the cut) in the equipment.
The two- and three-part security architectures present an insufficient level of red/black separation with respect to the approvals for the Confidentiel Défense and Secret Défense levels and are therefore not suitable for cryptographic equipment intended to protect classified defense information.
The four-part security architecture presents a maximum level of red/black partitioning and separation. It is perfectly suited to cryptographic equipment intended to protect classified defense information. However, it generates high development and production costs. The four-part security architecture is also ill-suited to the customer's mobility needs. It penalises the performance (battery autonomy) and the ergonomics (bulk) of the equipment in a mobile-use context. The object of the invention is a new architecture for a cryptographic device in which the level of red/black partitioning and separation of the two- and three-part architectures is improved, with the aim of designing cryptographic equipment capable of protecting classified defense information at lower cost.
The invention relates to a cryptographic device comprising at least a red zone, a black zone, a management zone and a cryptographic resource, characterised in that it comprises at least the following elements:
o a host domain comprising the red zone, the black zone and the management zone, logically separated,
o the cryptographic resource communicating with the elements of the host domain by means of the following interfaces:
o a red interface for the data sent to the red zone,
o a black interface for the data sent to the black zone,
o a management interface for the data sent to the management zone,
o the three interfaces being physically separated,
o the cryptographic domain being physically separated from the host domain.
The invention has in particular the following advantages:
By combining the logical and physical separation of the different zones, the physical separation of the external interfaces and of the internal interconnections between zones, and the use of a method for the secure transmission of data in the clear through the cryptographic resource, a good level of red/black partitioning and separation is ensured.
In the event of a failure, the cryptographic resource prevents exchanges of data in the clear between the logically or physically separated zones. The software architecture based on software/hardware virtualisation prevents direct data exchanges between the logically separated zones: bypassing of the cryptographic resource by memory overflow or memory injection is detected and blocked. And the method for the secure transmission of data in the clear through the cryptographic resource prevents abnormal exchanges of data in the clear from or to the management zone caused by a malfunction of one of the zones.
Other features and advantages of the present invention will become more apparent on reading the following description, given by way of illustration and in no way limiting, with reference to the appended figures, which show:
o FIG. 1, a functional breakdown of a cryptographic means,
o FIG. 2, a security architecture in two physically separated parts according to the prior art,
o FIG. 3, a security architecture in three physically separated parts according to the prior art,
o FIG. 4a, a first example of an improved security architecture in two physically separated parts according to the invention, and FIG. 4b the corresponding software division,
o FIG. 5a, a second example of an improved security architecture in three physically separated parts, and FIG. 5b the corresponding software division,
o FIG. 6, an example of implementation for the architecture of FIG. 4,
o FIGS. 7, 8 and 9, examples of implementation for the architecture of FIG. 5a.
The two- and three-part security architectures proposed according to the invention rely in particular on the application of a coherent set of the following four security measures:
1. the physical partitioning of the functional zones, intrinsic to two- or three-part security architectures,
2. the logical partitioning of the physically grouped functional zones, provided by the use of software/hardware virtualisation and/or multi-level security software technologies known to the person skilled in the art,
3. the placement of the cryptographic resource as a physical cut on all the data flows exchanged internally in the equipment between the functional zones,
4. the control of exchanges of data in the clear between the functional zones by the cryptographic resource, provided by applying a method for the secure transmission of data in the clear (for example the principle of "Transmission of data in the clear through a cryptographic resource without a physical clear channel").
La figure 4a schématise un exemple d'architecture pour un moyen de cryptographie comprenant un domaine hôte 5 contenant une zone rouge 1 , une zone noire 2 et une zone de gestion 3. Ces trois zones communiquent avec l'extérieur du moyen de cryptographie à l'aide de trois interfaces physiques dis- tinctes respectivement une interface 10 pour les données sensibles, une interface 1 1 pour les données chiffrées, une interface 12 pour les données de gestion. Les trois zones sont séparées les unes des autres par des moyens logiciels, respectivement 13 entre la zone rouge et la zone de gestion et 14 entre la zone de gestion et la zone noire. Il comporte aussi un domaine cryptographique 6 comprenant la ressource cryptographique 4 avec un canal clair sécurisé. Le domaine cryptographique communique avec l'extérieur au moyen d'une interface externe 15.FIG. 4a schematizes an exemplary architecture for a cryptographic means comprising a host domain 5 containing a red zone 1, a black zone 2 and a management zone 3. These three zones communicate with the outside of the cryptographic means at the same time. using three separate physical interfaces respectively an interface 10 for the sensitive data, an interface 11 for the encrypted data, an interface 12 for the management data. The three zones are separated from each other by software means, respectively 13 between the red zone and the management zone and 14 between the management zone and the black zone. It also comprises a cryptographic domain 6 comprising the cryptographic resource 4 with a secure clear channel. The cryptographic domain communicates with the outside by means of an external interface 15.
La ressource cryptographique 4 communique avec les éléments du domaine hôte en utilisant trois interfaces physiquement distinctes :The cryptographic resource 4 communicates with the elements of the host domain using three physically distinct interfaces:
• a medium/high-rate red interface 16, for sensitive data (towards the red zone),
• a medium/high-rate black interface 17, for encrypted data (towards the black zone),
• a low/medium-rate management interface 18, for management data (towards the management zone).
The cryptographic resource must control two secure clear channels, which result from applying a method for the secure transmission of clear data between:
• the management zone 3 and the red zone 1,
• the management zone 3 and the black zone 2.
All technical requirements relating to the "method for transmitting clear data through the cryptographic resource without a clear channel" apply in this context. The host domain 5 and the cryptographic domain 6 are physically separated (25). The cryptographic resource must be able to multiplex, on the red 16 and black 17 physical interfaces, user data (sensitive or encrypted data) and non-sensitive management data. The solution is compatible with a partitioning mechanism intended to prohibit the simultaneous transmission of clear data between the management zone and the red and black zones.
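As an added illustration (not code from the patent or its assignee), the following Python model places a cryptographic resource inline on the flows of the two-part architecture of figure 4a: red-to-black user data is transformed, management data crosses in clear only over an explicitly opened channel, and the partitioning rule refuses a clear channel towards the black side while one is open towards the red side. The zone names, the frame format with its type byte for multiplexing, the interface numbering 16/17/18 taken from the text, and the placeholder keystream cipher are assumptions made for this demo.

```python
import hashlib
from dataclasses import dataclass

RED, BLACK, MGMT = "red", "black", "mgmt"   # functional zones 1, 2 and 3
IFACE = {RED: 16, BLACK: 17, MGMT: 18}     # physical interfaces of figure 4a
USER, CLEAR = "user", "clear"              # user data vs. management data in clear


@dataclass(frozen=True)
class Frame:
    src: str        # emitting zone
    dst: str        # destination zone
    kind: str       # USER (sensitive or encrypted) or CLEAR (non-sensitive management)
    payload: bytes


class PolicyViolation(Exception):
    """Raised when a flow would bypass the red/black separation."""

class CryptoResource:
    """Inline mediator: every inter-zone flow crosses it and is either
    transformed (red <-> black) or carried on the secure clear channel (mgmt)."""

    def __init__(self, traffic_key: bytes) -> None:
        self._key = traffic_key   # protects red <-> black user data
        self._seq = 0             # per-frame nonce counter for outgoing ciphertext
        self._clear_side = None   # RED, BLACK or None: side the clear channel is open to

    def _crypt(self, seq: int, data: bytes) -> bytes:
        # Placeholder keystream for the demo (assumption, not a real cipher):
        # XOR with shake_256(traffic key || per-frame nonce); the same call decrypts.
        ks = hashlib.shake_256(self._key + seq.to_bytes(8, "big")).digest(len(data))
        return bytes(x ^ y for x, y in zip(data, ks))

    def open_clear_channel(self, side: str) -> None:
        """Partitioning rule: the clear channel is never open towards the red
        side and the black side at the same time."""
        if side not in (RED, BLACK):
            raise PolicyViolation(f"no clear channel towards {side}")
        if self._clear_side not in (None, side):
            raise PolicyViolation(f"clear channel already open towards {self._clear_side}")
        self._clear_side = side

    def close_clear_channel(self) -> None:
        self._clear_side = None

    def forward(self, f: Frame) -> tuple:
        """Return (physical interface id, bytes placed on it) or raise PolicyViolation.
        A type byte ('U' user, 'C' management) lets both be multiplexed on one interface."""
        if f.kind == USER and (f.src, f.dst) == (RED, BLACK):
            # sensitive -> encrypted, out on the black interface
            seq, self._seq = self._seq, self._seq + 1
            return IFACE[BLACK], b"U" + seq.to_bytes(8, "big") + self._crypt(seq, f.payload)
        if f.kind == USER and (f.src, f.dst) == (BLACK, RED):
            # encrypted -> sensitive, out on the red interface
            if f.payload[:1] != b"U" or len(f.payload) < 9:
                raise PolicyViolation("malformed ciphertext frame")
            seq = int.from_bytes(f.payload[1:9], "big")
            return IFACE[RED], b"U" + self._crypt(seq, f.payload[9:])
        if f.kind == CLEAR and MGMT in (f.src, f.dst) and f.src != f.dst:
            # management data in clear, only while the channel is open to that side
            side = f.dst if f.src == MGMT else f.src
            if self._clear_side != side:
                raise PolicyViolation(f"clear channel not open towards {side}")
            return IFACE[f.dst], b"C" + f.payload
        # anything else: red <-> black in clear, user data via mgmt, same-zone loops
        raise PolicyViolation(f"flow {f.src}->{f.dst} ({f.kind}) is not permitted")


if __name__ == "__main__":
    r = CryptoResource(b"demo-traffic-key")                    # constructed key
    wire = r.forward(Frame(RED, BLACK, USER, b"sensitive report"))[1]   # on interface 17
    print(r.forward(Frame(BLACK, RED, USER, wire)))            # (16, b'Usensitive report')
    r.open_clear_channel(RED)
    print(r.forward(Frame(MGMT, RED, CLEAR, b"set-mode=1")))   # (16, b'Cset-mode=1')
    try:
        r.open_clear_channel(BLACK)                            # refused while red side is open
    except PolicyViolation as e:
        print("refused:", e)
```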
Figure 4b shows the corresponding software partitioning: the red zone software 60, the management zone software 61 and the black zone software 62, a virtualization software layer 63, and the microprocessor architecture 64.
Figure 5a shows another enhanced security architecture in three physically separated parts. In this variant embodiment, the cryptographic means comprises a red host domain 7 containing part of the management zone 3a and the red zone 1, the two zones being logically separated by a software means 19. It also comprises a black host domain 8 containing a black zone 2 and part of the management zone 3b, the two zones being logically separated by a software means 20. The cryptographic resource communicates with the elements of the red and black host domains using four physically distinct interfaces:
• a medium/high-rate red interface 16, for sensitive data (towards the red zone),
• a medium/high-rate black interface 17, for encrypted data (towards the black zone),
• a low/medium-rate management interface 21, for management data (towards the red-side management zone),
• a low/medium-rate management interface 22, for management data (towards the black-side management zone).
The cryptographic resource must control three secure clear channels, which result from applying a method for the secure transmission of clear data between:
• the red-side management zone 3a and the red zone 1,
• the black-side management zone 3b and the black zone 2,
• the red-side management zone 3a and the black-side management zone 3b.
All requirements relating to the "method for transmitting clear data through the cryptographic resource without a clear channel" apply in this context. In this architecture, the three domains are physically separated: the red host domain is physically separated (27) from the cryptographic domain, which is itself physically separated (28) from the black host domain.
Figure 5b shows the corresponding software partitioning. In this figure, the red zone software 1 and the management zone software 3a run on a common virtualization software layer 65 associated with common red host domain hardware 66, and the management zone software 3b and the black zone software 2 run on a common virtualization software layer 67 associated with common black host domain hardware 68.
Hardware architectures:
The cryptographic resource is generally a (programmable) integrated circuit integrating all the encryption and decryption algorithms, symmetric and asymmetric. This component offers a direct interface for the "CIK plug" (an external memory used for the component's cryptographic start-up) and for the injection of secret elements, in order to confine and partition the processing of highly sensitive elements (cryptographic keys).
The typical hardware implementation of the enhanced security architecture in two physically separated parts is shown in Figure 6.
The red 30, black 31 and management 32 zones are implemented separately in software. These three software components run concurrently on a single microprocessor architecture 34 thanks to software/hardware virtualization technology.
The hardware implementation of the enhanced security architecture in three physically separated parts takes different forms depending on the performance level of the equipment (throughput). Three typical implementation cases are shown in Figures 7, 8 and 9.
The red 40 (all or part), black 41 (all or part) and management 42 zones are implemented separately in software. The fast processing functions of the red 44/54 and black 45 zones are implemented in hardware. Software/hardware virtualization technology guarantees separation between the red-side management software and the red zone software (red processor), and between the black-side management software and the black zone software (black processor).
The various elements are connected to a cryptographic circuit through interfaces 47a, 47b, 47c and 47d.
In Figure 8, the red zone 40 is connected to a programmable circuit 44 (FPGA, field programmable gate array) through an internal red interface 49, and the black zone 41 to the fast processing function through an internal black interface 50. The cryptographic equipment communicates with the outside through a keyboard and screen 51 and an Ethernet link 52. An input/output 53 allows in particular the key and the CIK 54 to be injected.
Software architectures:
The software base common to the red, black and management zone software consists of a trusted operating system and a hardware adaptation layer. This operating system mainly ensures the separation of the resources of the microprocessor architecture (registers, memories, peripherals) and of the computing power offered by the microprocessor core: it allocates each software component a fixed execution time and performs the software task switching periodically, strictly and in real time.

Claims

1 - Cryptographic device comprising at least a red zone (1), a black zone (2), a management zone (3) and a cryptographic resource (4), characterized in that it comprises at least the following elements:
o a host domain (5) comprising the red zone (1), the black zone (2) and the management zone (3), logically separated,
o the cryptographic resource (4) communicating with the elements of the host domain (5) by means of the following interfaces:
o a red interface (10) for data sent to the red zone,
o a black interface (11) for data sent to the black zone,
o a management interface (12) for data sent to the management zone,
o the three interfaces (10, 11, 12) being physically separated,
o the cryptographic domain being physically separated from the host domain.
2 - Device according to claim 1, characterized in that it comprises software separation means (13, 14) between each of the three zones: the red zone, the management zone and the black zone.
3 - Device according to claim 1, characterized in that it comprises hardware separation means (25) between the host domain and the cryptographic domain.
4 - Cryptographic device comprising at least a red zone (1), a black zone (2), a management zone (3a, 3b) and a cryptographic resource (4), characterized in that it comprises at least the following elements:
o a red host domain (7) comprising the red zone and the management zone (3a), logically separated (19),
o a black host domain (8) comprising the black zone (2) and the management zone (3b), logically separated (20),
o the cryptographic resource communicating with the elements of the red and black host domains by means of the following interfaces:
o a red interface (16) for data sent to the red zone,
o a black interface (17) for data sent to the black zone,
o a management interface (21) for data sent to the red-side management zone,
o a management interface (22) for data sent to the black-side management zone,
o the four interfaces (16, 17, 21, 22) being physically separated,
o the cryptographic domain being physically separated (27, 28) from the red and black host domains.
5 - Device according to claim 4, characterized in that it comprises software separation means (19) between the red zone and the red-side management zone, and (20) between the black zone and the black-side management zone.
6 - Device according to claim 4, characterized in that it comprises hardware separation means between the three domains: a separation (27) between the red host domain and the cryptographic domain, a separation (28) between the black host domain and the cryptographic domain, and a separation between the red host domain and the black host domain.
7 - Device according to one of claims 1 and 4, characterized in that it comprises a cryptographic resource placed inline on all the sensitive, encrypted and non-sensitive data flows exchanged between the red, black and management zones.
EP07729966A 2006-06-06 2007-06-06 Security architectures reinforced in two or three physically separated sections Withdrawn EP2021969A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR0605009A FR2901939B1 (en) 2006-06-06 2006-06-06 IMPROVED SECURITY ARCHITECTURES IN TWO AND THREE PHYSICALLY SEPARATED PARTS
PCT/EP2007/055593 WO2007141302A1 (en) 2006-06-06 2007-06-06 Security architectures reinforced in two or three physically separated sections

Publications (1)

Publication Number Publication Date
EP2021969A1 true EP2021969A1 (en) 2009-02-11

Family

ID=37944395

Family Applications (1)

Application Number Title Priority Date Filing Date
EP07729966A Withdrawn EP2021969A1 (en) 2006-06-06 2007-06-06 Security architectures reinforced in two or three physically separated sections

Country Status (3)

Country Link
EP (1) EP2021969A1 (en)
FR (1) FR2901939B1 (en)
WO (1) WO2007141302A1 (en)


Also Published As

Publication number Publication date
FR2901939B1 (en) 2012-11-16
WO2007141302A1 (en) 2007-12-13
FR2901939A1 (en) 2007-12-07


Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20081215

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC MT NL PL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL BA HR MK RS

DAX Request for extension of the european patent (deleted)
17Q First examination report despatched

Effective date: 20130725

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20140205