FR2901939A1 - IMPROVED SECURITY ARCHITECTURES IN TWO AND THREE PHYSICALLY SEPARATED PARTS - Google Patents

Abstract

Cryptographic device comprising at least one red zone (1), a black zone (2), a management zone (3), a cryptographic resource (4), comprising at least the following elements: o a host domain (5) comprising the red zone (1), the black zone (2) and the management zone (3) logically separated, o the cryptographic resource (4) communicating with the elements of the host domain (5) by means of the following interfaces: red (10) for data sent to the red zone, o a black interface (11) for the data sent to the black zone, o a management interface (12) for the data sent to the management zone, o the three interfaces (10, 11, 12) being physically separated, where the cryptographic domain is physically separated from the host domain.

Description

IMPROVED SECURITY ARCHITECTURES IN TWO AND THREE PARTS PHYSICALLY

SEPARATED

  The invention particularly relates to an improved security architecture and cryptographic equipment. Cryptographic equipment is a hardware and software product that integrates cryptographic functions. In cryptographic equipment, the partitioning of the cryptographic functions and the red / black separation are the critical points that are analyzed at the time of the security assessment. The passage of this assessment determines the approval, which allows the deployment of the equipment in a client infrastructure. A first technical problem is the definition of cryptographic equipment architecture. The architecture must guarantee a level of partitioning and separation appropriate to the intended approval. The current recommendation [Recommendation for the Integration of Cryptographic Functions in Information Systems] promotes the physical partitioning of cryptographic functions (an autonomous cryptographic domain) and the physical separation of processing resources from sensitive and non-sensitive data. This recommendation automatically induces high hardware and software complexity. A second technical problem is the optimization of development and production costs. At fixed security level, the goal is to obtain the most competitive cryptographic equipment on the market. Cryptographic equipment shown in FIG. 1 generally comprises four functional subsets: the red zone 1, the black zone 2, the management zone 3 and the cryptographic resource 4. The red zone 1 groups together the security functions that deal with sensitive data in clear. Black zone 2 groups together the security functions that process encrypted data. Management Zone 3 groups together the supervisory functions that process non-sensitive data. And the cryptographic resource 4 groups the cryptographic functions. Depending on the level of security sought, the architecture of the cryptographic equipment is usually in two, three, or four physically separated parts. The two-part architecture shown in FIG. 2 makes it possible to partition the security functions into a host domain 5 and a cryptographic domain 6. The red, black and management zones are grouped together in a host domain formed of a single and unique domain. software component and / or hardware. The cryptographic resource 4 constitutes the cryptographic domain 6 of the equipment. The three-part architecture shown in FIG. 3 makes it possible to partition the security functions into a cryptographic domain 6, a red host domain 7 and a black host domain 8. The red zone 1 and a part of the management zone 3a are grouped in the red host domain. The black zone 2 and part of the management zone 3b are grouped in the black host domain. The cryptographic resource 4 constitutes the cryptographic domain which is placed in a break in the equipment. The two- and three-party security architectures have an insufficient level of red / black separation with respect to the levels of confidential defense and defense secrecy and are therefore not suitable for cryptographic equipment intended to protect classified information. defense. The four-part security architecture has a maximum level of partitioning and red / black separation. It is ideally suited to cryptographic equipment designed to protect classified defense information. However, it generates high costs of development and production. The four-part security architecture is also inadequate for the customer's mobility needs. It penalizes the 30 performances (energy autonomy) and the ergonomics (congestion) of the equipment in a context of mobile use.

  The object of the invention relates to a new architecture for a cryptographic dis-positive in which the level of partitioning and separation red / black architectures in two and three parts is improved for the purpose of designing cryptographic equipment, capable of provide protection for classified defense information at a lower cost. The invention relates to a cryptographic device comprising at least one red zone, a black zone, a management zone, a cryptographic resource, characterized in that it comprises at least the following elements: a host domain comprising the red zone , the black zone and the management zone logically separated, where the cryptographic resource communicates with the elements of the host domain by means of the following interfaces: a red interface for the data transmitted to the red zone, a black interface for the data transmitted to the black zone, o a management interface for the data sent to the management zone, where the three interfaces are physically separated, where the cryptographic domain is physically separated from the host domain. The invention has the following advantages in particular: By combining the logical and physical separation of the different zones, the physical separation of the external interfaces and the internal interconnections between zones, and the use of a method for the secure transmission of data in Clear, through the cryptographic resource, a good level of partitioning and red / black separation is ensured. In the event of a failure, the cryptographic resource prevents clear data exchanges between the logically or physically separated zones. The software / hardware virtualization-based software architecture prevents the direct exchange of data between the logically separated zones: the bypass of the cryptographic resource by overflow or memory injection is detected and blocked. And the method of securely transmitting plaintext data through the cryptographic resource prevents abnormal exchanges of plaintext data from or to the management area, caused by a malfunction of one of the areas. Other features and advantages of the present invention will appear better on reading the following description given by way of illustration and not limited to the appended figures which represent: FIG. 1 a functional cutout of a cryptographic means, FIG. 2 is a two-part security architecture physically separated according to the prior art; and FIG. 3 a three-part security architecture physically separated according to the prior art. FIG. 4a is a first example of an improved security architecture. in two physically separated parts according to the invention and FIG. 4b the corresponding software division, FIG. 5a a second example of an improved security architecture 20 in three physically separated parts and FIG. 5b the corresponding software division, FIG. an example of implementation for the architecture of FIG. 4, FIGS. 7, 8 and 9 of the examples of implé for the architecture of Figure 5a. The security architectures in two and three parts proposed according to the invention are based in particular on the application of a coherent set of the following four security measures: 1. the physical partitioning of functional areas, intrinsic to security architectures in two or three parts, 2. the logical partitioning of physically clustered functional areas, brought about by the use of software virtualization / hardware and / or multi-level security software technologies known to those skilled in the art, 3. the placement of the resource cryptographic in physical cut-off on all the internally exchanged data flows of the equipment between the functional zones, 4. control of the clear data exchanges between the functional areas by the cryptographic resource, provided by the application of a secure method of transmitting data in clear form (for example, the principle of data transmission in clear through a cryptographic resource without a physical clear channel). FIG. 4a schematizes an exemplary architecture for a cryptographic means comprising a host domain 5 containing a red zone 1, a black zone 2 and a management zone 3. These three zones communicate with the outside of the cryptographic means at the same time. using three separate physical interfaces respectively an interface 10 for the sensitive data, an inter-face 11 for the encrypted data, an interface 12 for the management data. The three zones are separated from each other by software means, respectively 13 between the red zone and the management zone and 14 between the management zone and the black zone. It also comprises a cryptographic domain 25 6 comprising the cryptographic resource 4 with a secure clear channel. The cryptographic domain communicates with the outside by means of an external interface 15. The cryptographic resource 4 communicates with the elements of the host domain using three physically distinct interfaces: a medium / high speed red interface 16, for the sensitive data (to red zone), • medium / high speed black interface 17, for encrypted data (to black zone), • low / medium rate management interface 18, for management data (to management zone) .

  The cryptographic resource must control two secure clear channels that result from the implementation of a secure data transmission method in clear between: • the management zone 3 and the red zone 1, • the management zone 3 and the zone black 2. lo All the technical requirements for the clear data transmission method through the cryptographic resource without a clear channel are applicable in this context. The host domain 5 and the cryptographic domain 6 are physically separated 25. The cryptographic resource must be able to multiplex on the red 16 and black 17 physical interfaces 17 of the user data (sensitive data or encrypted data) and non-sensitive management data. The solution is compatible with a partitioning mechanism to prohibit the simultaneous transmission of data in clear between the management area and the red and black areas. FIG. 4b represents the corresponding software division: the red-zone software de-cutoff 60, the management zone software 61 and the black-zone software 62, a virtualization software 63, and the microprocessor architecture 64. FIG. another improved security architecture in three physically separated parts. In this alternative embodiment, the cryptographic means comprises a red host domain 7 containing a portion of the management area 3a and the red area 1, the two areas being logically separated by software means 19. It also includes a host domain black 8 comprising a black zone 2 and a part of the management zone 3b, the two zones being logically separated by software means 20.

  The cryptographic resource communicates with the elements of the red and black host domains using four physically distinct interfaces: • a medium / high speed red interface 16, for sensi-5 data (towards red zone), • a medium / high black interface flow rate 17, for the encrypted data (to black zone), • a low / medium flow management interface 21, for the management data (to management zone red side). to ^ a low / medium rate management interface 22, for the management data (to management zone black side). The cryptographic resource must control three secure clear channels that result from the implementation of a secure data transmission method in clear between: • the red-rated management zone 3a and the red zone 1, • the rated management zone black 3b and black zone 2, • the red-rated management zone 3a and the black-rated management zone 3b. All the requirements for the clear data transmission method through the clear channel cryptographic resource are applicable in this context. In this architecture, the 3 domains are physically separated: the red host domain is physically separated from the cryptographic domain, itself physically separated from the black host domain. Figure 5b shows the corresponding software division. In this figure the red zone software 1 and the management zone software 3a, on a common virtualization software 65 associated with a common hardware red host domain 66, and the management zone software 3b and the black zone software 2 associated with a software of common virtualization 67 associated with a common hardware black host domain 68. Hardware architectures: The cryptographic resource is generally an integrated (programmable) circuit integrating all the encryption and deciphering algorithms, symmetrical and asymmetric. This component provides a direct interface for the CIK plug (useful external memory crypto startup component) and the injection of secret elements to confine and compartmentalize the processing of highly sensitive elements (cryptographic keys). The typical hardware implementation of the improved security architecture lo in two physically separated parts is shown in FIG. 6. The red 30, the black 31 and the management 32 zones are implemented separately in software. These three programs run concurrently on a single microprocessor architecture 34 through software / hardware virtualization technology.

The hardware implementation of the improved three-part physically separated security architecture takes different forms depending on the performance level of the equipment (throughput). Three typical implementation cases are shown in FIGS. 7, 8, and 9. The red 40 (all or part), black 41 (all or part) and management areas 42 are implemented separately in software. Fast processing functions for red 44/54 and black 45 are implemented in hardware. The software / hardware virtualization technology ensures a separation between the red-rated management software and the red zone software (red processor) and between the black-side management software and the black zone software (black processor) . The different elements are connected by interfaces 47a, 47b 47c and 47d, with a cryptographic circuit. In FIG. 8, the red zone 40 is connected to a programmable FPGA 44 field programmable gate array) by means of an internal red interface 49, and the black zone 41 to the fast processing function via a black interface. internal 50. The cryptographic equipment communicates with the outside by means of keyboard screen 51, ethernet link 52. An input / output 53 allows in particular to inject the key and the CIK 54. Software architectures: The software base common to red, black and management area software is formed of a trusted operating system and a hardware adaptation layer. This operating system mainly ensures the separation of the resources of the microprocessor architecture (registers, memories, peripherals) and the computing power offered by the microprocessor core. Indeed, it allocates each software a fixed execution time and periodically performs the software task switching strictly and in real time. 15

Claims (2)

  1 - Cryptographic device comprising at least one red zone (1), a black zone (2), a management zone (3), a cryptographic resource (4), characterized in that it comprises at least the following elements: o a host domain (5) comprising the red zone (1), the black zone (2) and the management zone (3) logically separated, o the cryptographic resource (4) communicating with the elements of the host domain (5) at using the following interfaces: o a red interface (10) for the data sent to the red zone, o a black interface (11) for the data sent to the black zone, o a management interface (12) for the data sent to the red zone. the management zone, where the three interfaces (10, 11, 12) are physically separated, where the cryptographic domain is physically separated from the host domain. 2 - Device according to claim 1, characterized in that it comprises a software separation means (13, 14) between each of the three zones: the red zone 20, the management zone and the black zone. 3. Device according to claim 1, characterized in that it comprises a material separation means (25) between the host domain and the cryptographic domain. 4 - Cryptographic device comprising at least one red zone (1), a black zone (2), a management zone (3a, 3b), a cryptographic resource (4), characterized in that it comprises at least the the following elements: a red host domain (7) comprising the red zone and the management zone (3a) logically separated (19), o a black host domain (8) comprising the black zone (2) and the management zone ( 3b) logically separated (20), where the cryptographic resource communicating with the elements of the red and black host domains by means of the following interfaces: a red interface (16) for the data transmitted towards the red zone, a black interface (17) ) for data sent to the black zone, o a management interface (21) for the data sent to the red-listed management zone lo, o a management interface (22) for the data sent to the black-rated management zone, o the four interfaces (16, 17, 21, 22) being physically separated, 15 o cryptographic hand being physically separated (27, 28) from the red and black host domains. 5 - Device according to claim 4 characterized in that it comprises a software separation means (19) between the red zone and the management zone of the red side, and (20) between the black zone and the management zone of the side. black. 6. Device according to claim 4 characterized in that it comprises a means of material separation between the three domains: a separation (27) between the red host domain and the cryptographic domain, a separation (28) between the black host domain and the cryptographic domain and a separation between the red host domain and the black host domain. 7. Device according to one of claims 1 and 4 characterized in that it comprises a cryptographic resource placed in a cut on all the sensitive, encrypted and non-sensitive data flows exchanged between the red, black and management areas. .