GB2262633A - Data security. - Google Patents
- Publication number
- GB2262633A
- Authority
- GB
- United Kingdom
- Prior art keywords
- access
- processor
- file
- confidential
- circuit
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Abstract
In a processing apparatus (1) having a number of source processors (2) and stored files (4), a security circuit (6) automatically encrypts the header of files of confidential data when an authorised processor ceases to access the file. Subsequently, if an unauthorised processor attempts to access the confidential file it does not recognise it as a data file and access is not obtained. If an authorised processor attempts to access the confidential file a decryption circuit within the security circuit (6) automatically decrypts the header so that access is obtained. A cross reference table (8) is used to determine which processor may access which files.
Description
"Security of Stored Data"
The invention relates to the security of confidential data when stored in a computer system.
It is well known that increasingly widespread storage of data in computer systems leads to an increased risk of access by unauthorised persons to confidential data. For security of transmitted data, enciphering systems such as that described in European Patent Specification No. 166541B1 (Toshiba) and Irish Patent Specification No. 49937 (Interbank) are used. To restrict access to stored confidential data, methods such as those described in British Patent Specification Nos. GB 2195477B (Russel et al) and 2123255B (Marathon) are used whereby access to the data depends on the inputting by a user of a series of temporal information, for example codes and passwords. In a multi-user system, certain circuits which are used for access to sensitive or confidential data such as that for personnel, marketing, or payroll may not be used unless password and entry code requirements are met.
The prior art generally relies on preventing operation of certain processors to prevent access to data. However effective such systems may be, they would be ineffective at preventing processors other than those for which password access is required being used in order to gain access to confidential data. While a person with relatively little skill in computer systems would generally not be able to gain access to confidential data in this manner, skilled persons could instruct different processors to gain access. This is particularly true in computer systems which are interconnected, both in local and wide area networks, in which cases there are many different processors.
The invention is directed towards providing an apparatus which prevents access to confidential data by an unauthorised processor.
According to the invention, there is provided a security apparatus for controlling access of source processors to a confidential data file stored on a storage device, the apparatus comprising:
a monitoring circuit comprising means for reading storage device address instructions, means for identifying the source processor of an address instruction, and means for identifying the file which is being addressed;
a stored cross-reference table containing authorisation or non-authorisation status indicators for cross-referenced source processors and stored files;
an encryption circuit comprising means for determining from the monitoring circuit and from the cross-reference table when an authorised processor ceases to access a confidential file, and means for subsequently encrypting the header of the confidential file so that it may not be recognised as a data file by any processor;
a decryption circuit comprising means for determining from the monitoring circuit and from the cross-reference table when an authorised source processor is attempting to access a confidential file and means for subsequently decrypting the header so that it may be accessed by the source processor.
The invention will be more clearly understood from the following description of some preferred embodiments thereof, given by way of example only with reference to the accompanying drawing which shows a security apparatus of the invention connected in a computer system.
Referring to the drawing, there is illustrated portion of a computer system 1 to which several different processors 2 identified by the letters A to F may be connected in an address bus 3. The address bus 3 is connected to a fixed disk drive, on the disks of which are stored a number of files indicated generally by the numeral 4 and specifically by the letters Q to U. Each of the files 4 has a header 5 which is used for identification of the file by the processors 2.
In addition, there is illustrated a security apparatus including a security circuit 6 which is connected to the address bus 3. The security circuit 6 includes an encryption circuit 6(a), a decryption circuit 6(b), and a monitoring circuit 6(c), which are described in more detail below. The security circuit 6 is connected to a location memory 7 which stores the location of all of the files 4. A cross-reference table 8 is also connected to the security circuit 6. This stores access authorisation status indicators for all the processors 2 cross-referenced with the files 4. For example, if file T contains confidential data, the table 8 would store a status indicator which indicates that only processor D may access file T. At the same time, the table may indicate that all processors A to F may access file S. Such a table is illustrated in the drawing in which indicators "1" are used to show that access is authorised and "0" to show that access is not authorised. It will be seen from the table 8 that the processor E has restricted access to the files as files S and R are the only ones which may be accessed, whereas the processor D is authorised to access all of the files. In practice, the processor D would have a complex security system to restrict use of the processor.
The monitoring circuit 6(c) is constructed to continuously monitor the address bus 3 and read addressing instructions for the files 4. The monitoring circuit is also constructed to identify the source processor of an address instruction and to identify from the address instruction the file to which access is sought.
The encryption circuit 6(a) is connected to both the monitoring circuit 6(c) and to the cross-reference table 8 and is constructed to determine when an authorised processor 2 ceases to access a confidential file 5. For example, it may determine when processor D is finished accessing file Q, which contains confidential data. When access is finished, the encryption circuit 6(a) transmits signals on the address bus 3 and encrypts the header 5 of the file so that it may not be recognised by any processor as a data file. Thus, without exception, any processor which attempts to obtain access to that file will not succeed in doing so because it will not be recognised as a data file. This includes not only the normally used processors 2, but also any additional processor connected to the bus 3. The important point is that details of the processor need not be stored in the table 8 to prevent retrieval of confidential files.
The decryption circuit 6(b) continuously operates to monitor address instructions for the files. If access is being attempted to a file for which access is not authorised by at least one of the processors (i.e. files Q, T and U), the source processor of the instruction is identified and a fetch cycle is made to the cross-reference table 8 to determine if that processor is authorised access to the file.
If not, the encryption circuit does not do anything and the processor will not access the file because the header is encrypted. However, if the source processor is authorised, the decryption circuit will immediately decrypt the file header so that access is obtained. It will be appreciated that because the decryption circuit does not need to carry out any action unless the processor is positively authorised, the chances of an unauthorised processor gaining access because of a fault in the security circuit are avoided. If the decryption circuit is inactive for some reason, the worst that can happen is that authorised processors will not gain access.
In such circumstances, it is envisaged that back-up files will be stored which will be accessible to only a limited number of personnel who could use these for access to the data.
The invention operates on the principle that all files for which there is confidentiality regarding at least one of the processors may not be accessed unless a positive action is taken by the security apparatus. This is important for maintaining confidentiality of personnel or marketing information. It will also be appreciated that the invention is extremely simple in operation, and relatively simple and readily available circuits such as monitoring and encryption circuits are required for its implementation.
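The following software model of the security circuit 6 is an added illustration, not taken from the patent, showing the default-deny behaviour described above: an authorised access decrypts the header, a release re-encrypts it, and an unlisted processor or a failed decryption circuit results in no access. Assumptions: the `DATAFILE` header marker, the XOR stand-in cipher (the patent names none), the table cells not stated in the description, and strictly one access at a time.

```python
# Added illustration (not from the patent): software model of security circuit 6.
MAGIC = b"DATAFILE"   # assumed marker a processor looks for in header 5
KEY = 0x5A            # assumed toy XOR key; the patent names no cipher
FILES = "QRSTU"
# Cross-reference table 8: 1 = authorised, 0 = not authorised. From the
# description: D may access all files, E only R and S, S is open to all,
# T is D-only, and Q, T, U are the restricted files. Other cells are constructed.
TABLE = {
    "A": dict(Q=0, R=1, S=1, T=0, U=1),
    "B": dict(Q=1, R=1, S=1, T=0, U=0),
    "C": dict(Q=0, R=1, S=1, T=0, U=0),
    "D": dict(Q=1, R=1, S=1, T=1, U=1),
    "E": dict(Q=0, R=1, S=1, T=0, U=0),
    "F": dict(Q=1, R=1, S=1, T=0, U=1),
}

def xor(data):
    return bytes(b ^ KEY for b in data)

class SecurityCircuit:
    def __init__(self, decryption_active=True):
        self.decryption_active = decryption_active  # False models a failed 6(b)
        # A file is confidential if at least one processor is not authorised.
        self.confidential = {f for f in FILES
                             if any(row[f] == 0 for row in TABLE.values())}
        # Confidential headers rest encrypted; other headers stay in clear.
        self.headers = {f: xor(MAGIC) if f in self.confidential else MAGIC
                        for f in FILES}

    def access(self, processor, file):
        """6(c) observes an address instruction; True if the file is recognised."""
        # A processor missing from the table is treated like a 0 entry.
        authorised = TABLE.get(processor, {}).get(file, 0) == 1
        if self.headers[file] != MAGIC and authorised and self.decryption_active:
            self.headers[file] = xor(self.headers[file])   # 6(b) decrypts
        return self.headers[file] == MAGIC

    def release(self, file):
        """6(a): re-encrypt the header once the authorised processor is done."""
        if file in self.confidential and self.headers[file] == MAGIC:
            self.headers[file] = xor(self.headers[file])

def demo():
    c = SecurityCircuit()
    out = {"D reads T": c.access("D", "T")}
    c.release("T")                      # D finishes; header is encrypted again
    out["E reads T"] = c.access("E", "T")
    out["unlisted G reads T"] = c.access("G", "T")
    out["E reads S"] = c.access("E", "S")
    failed = SecurityCircuit(decryption_active=False)
    out["D reads T, 6(b) failed"] = failed.access("D", "T")
    return out
if __name__ == "__main__":
    print(demo())
```

The model transforms only the header, following the description, which speaks only of encrypting the header of a confidential file.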
The invention is not limited to the embodiments hereinbefore described, but may be varied in construction and detail.
Claims (2)
1. A security apparatus for controlling access of source processors to a confidential data file stored on a storage device, the apparatus comprising:
a monitoring circuit comprising means for reading storage device address instructions, means for identifying the source processor of an address instruction, and means for identifying the file which is being addressed;
a stored cross-reference table containing authorisation or non-authorisation status indicators for cross-referenced source processors and stored files;
an encryption circuit comprising means for determining from the monitoring circuit and from the cross-reference table when an authorised processor ceases to access a confidential file, and means for subsequently encrypting the header of the confidential file so that it may not be recognised as a data file by any processor;
a decryption circuit comprising means for determining from the monitoring circuit and from the cross-reference table when an authorised source processor is attempting to access a confidential file and means for subsequently decrypting the header so that it may be accessed by the source processor.
2. An apparatus substantially as hereinbefore described with reference to and as illustrated in the accompanying drawing.
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
IE447491A IE914474A1 (en) | 1991-12-20 | 1991-12-20 | Security of stored data |
Publications (3)
Publication Number | Publication Date |
---|---|
GB9127506D0 (en) | 1992-02-19 |
GB2262633A (en) | 1993-06-23 |
GB2262633B (en) | 1995-04-26 |
Family
ID=11039455
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB9127506A Expired - Fee Related GB2262633B (en) | 1991-12-20 | 1991-12-31 | Security of stored data |
Country Status (3)
Country | Link |
---|---|
BE (1) | BE1003739A6 (en) |
GB (1) | GB2262633B (en) |
IE (1) | IE914474A1 (en) |
- 1991
  - 1991-12-20 IE IE447491A patent/IE914474A1/en unknown
  - 1991-12-31 GB GB9127506A patent/GB2262633B/en not_active Expired - Fee Related
- 1992
  - 1992-01-20 BE BE9200051A patent/BE1003739A6/en not_active IP Right Cessation
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE19983331B4 (en) * | 1998-06-30 | 2006-01-19 | Emc Corporation, Hopkinton | Method and apparatus for providing data management for a network coupled storage system |
US7752316B1 (en) * | 1998-06-30 | 2010-07-06 | Emc Corporation | Method and system for securing network access to data stored in a data storage system |
US7756986B2 (en) | 1998-06-30 | 2010-07-13 | Emc Corporation | Method and apparatus for providing data management for a storage system coupled to a network |
US7260636B2 (en) | 2000-12-22 | 2007-08-21 | Emc Corporation | Method and apparatus for preventing unauthorized access by a network device |
EP2696305A2 (en) * | 2011-08-15 | 2014-02-12 | Huawei Device Co., Ltd. | Method and device for file protection |
EP2696305A4 (en) * | 2011-08-15 | 2014-04-02 | Huawei Device Co Ltd | Method and device for file protection |
Also Published As
Publication number | Publication date |
---|---|
GB9127506D0 (en) | 1992-02-19 |
GB2262633B (en) | 1995-04-26 |
IE914474A1 (en) | 1993-06-30 |
BE1003739A6 (en) | 1992-06-02 |
Similar Documents
Publication | Title | Publication Date |
---|---|---|
US4262329A (en) | Security system for data processing | |
US7278016B1 (en) | Encryption/decryption of stored data using non-accessible, unique encryption key | |
EP0583140B1 (en) | System for seamless processing of encrypted and non-encrypted data and instructions | |
AU2002326226B2 (en) | Method and device for encryption/decryption of data on mass storage device | |
CA2417516C (en) | Method and apparatus for automatic database encryption | |
KR100323604B1 (en) | Method for controlling access to electronically provided services and system for implementing such method | |
JPH0260009B2 (en) | ||
EP0421409A2 (en) | Transaction system security method and apparatus | |
CA2272894A1 (en) | Information security method and apparatus | |
KR980010810A (en) | Storage and information transmission system and information transmission and reading method | |
AU2002326226A1 (en) | Method and device for encryption/decryption of data on mass storage device | |
EP0238537A1 (en) | System for preventing software piracy employing multi-encrypted keys and single decryption circuit modules. | |
WO2000017731A1 (en) | Volatile key apparatus for safeguarding confidential data stored in a computer system memory | |
US6839837B1 (en) | Cryptosystem key updating system and method for preventing illegal use of software | |
US5710817A (en) | Method and device for preventing unauthorized access to a computer system | |
US20030046564A1 (en) | Storage medium and method for storing data decrypting algorithm | |
US7080261B1 (en) | Computer-readable medium with microprocessor to control reading and computer arranged to communicate with such a medium | |
US20050005128A1 (en) | System for controlling access to stored data | |
GB2262633A (en) | Data security. | |
KR100407692B1 (en) | Hard Disk Real Time Security System and Preservation Method of Hard Disk Real Time Security System | |
Wang et al. | Fast and secure magnetic worm storage systems | |
US20040221164A1 (en) | Method for the encryption and decryption of data by various users | |
EP0624267A1 (en) | Method and device for preventing unauthorised access to a computer system | |
EP1130494A2 (en) | Distributed cryptography technique for protecting removable data storage media | |
JPH08509087A (en) | File encryption structure |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PCNP | Patent ceased through non-payment of renewal fee | Effective date: 19951231 |