GB2262633A - Data security. - Google Patents


Publication number
GB2262633A
Authority
GB
United Kingdom
Prior art keywords
access
processor
file
confidential
circuit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
GB9127506A
Other versions
GB9127506D0 (en)
GB2262633B (en)
Inventor
Joseph Eustace
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
UKEN
Original Assignee
UKEN
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

In a processing apparatus (1) having a number of source processors (2) and stored files (4), a security circuit (6) automatically encrypts the header of files of confidential data when an authorised processor ceases to access the file. Subsequently, if an unauthorised processor attempts to access the confidential file it does not recognise it as a data file and access is not obtained. If an authorised processor attempts to access the confidential file a decryption circuit within the security circuit (6) automatically decrypts the header so that access is obtained. A cross reference table (8) is used to determine which processor may access which files.

Description

"Security of Stored Data"
The invention relates to the security of confidential data when stored in a computer system.
It is well known that increasingly widespread storage of data in computer systems leads to an increased risk of access by unauthorised persons to confidential data. For security of transmitted data, enciphering systems such as that described in European Patent Specification No. 166541B1 (Toshiba) and Irish Patent Specification No. 49937 (Interbank) are used. To restrict access to stored confidential data, methods such as those described in British Patent Specification Nos. GB 2195477B (Russel et al) and 2123255B (Marathon) are used whereby access to the data depends on the inputting by a user of a series of temporal information, for example codes and passwords. In a multi-user system, certain circuits which are used for access to sensitive or confidential data such as that for personnel, marketing, or payroll may not be used unless password and entry code requirements are met.
The prior art generally relies on preventing operation of certain processors to prevent access to data. However effective such systems may be, they would be ineffective at preventing processors other than those for which password access is required being used in order to gain access to confidential data. While a person with relatively little skill in computer systems would generally not be able to gain access to confidential data in this manner, skilled persons could instruct different processors to gain access. This is particularly true in computer systems which are interconnected, both in local and wide area networks, in which cases there are many different processors.
The invention is directed towards providing an apparatus which prevents access to confidential data by an unauthorised processor.
According to the invention, there is provided a security apparatus for controlling access of source processors to a confidential data file stored on a storage device, the apparatus comprising: a monitoring circuit comprising means for reading storage device address instructions, means for identifying the source processor of an address instruction, and means for identifying the file which is being addressed; a stored cross-reference table containing authorisation or non-authorisation status indicators for cross-referenced source processors and stored files; an encryption circuit comprising means for determining from the monitoring circuit and from the cross-reference table when an authorised processor ceases to access a confidential file, and means for subsequently encrypting the header of the confidential file so that it may not be recognised as a data file by any processor; a decryption circuit comprising means for determining from the monitoring circuit and from the cross-reference table when an authorised source processor is attempting to access a confidential file and means for subsequently decrypting the header so that it may be accessed by the source processor.
The invention will be more clearly understood from the following description of some preferred embodiments thereof, given by way of example only with reference to the accompanying drawing which shows a security apparatus of the invention connected in a computer system.
Referring to the drawing, there is illustrated a portion of a computer system 1 to which several different processors 2 identified by the letters A to F may be connected in an address bus 3. The address bus 3 is connected to a fixed disk drive, on the disks of which are stored a number of files indicated generally by the numeral 4 and specifically by the letters Q to U. Each of the files 4 has a header 5 which is used for identification of the file by the processors 2.
In addition, there is illustrated a security apparatus including a security circuit 6 which is connected to the address bus 3. The security circuit 6 includes an encryption circuit 6(a), a decryption circuit 6(b), and a monitoring circuit 6(c), which are described in more detail below. The security circuit 6 is connected to a location memory 7 which stores the location of all of the files 4. A cross-reference table 8 is also connected to the security circuit 6. This stores access authorisation status indicators for all the processors 2 cross-referenced with the files 4. For example, if file T contains confidential data, the table 8 would store a status indicator which indicates that only processor D may access file T. At the same time, the table may indicate that all processors A to F may access file S. Such a table is illustrated in the drawing in which indicators "1" are used to show that access is authorised and "0" to show that access is not authorised. It will be seen from the table 8 that the processor E has restricted access to the files as files S and R are the only ones which may be accessed, whereas the processor D is authorised to access all of the files. In practice, the processor D would have a complex security system to restrict use of the processor.
The monitoring circuit 6(c) is constructed to continuously monitor the address bus 3 and read addressing instructions for the files 4. The monitoring circuit is also constructed to identify the source processor of an address instruction and to identify from the address instruction the file to which access is sought.
The encryption circuit 6(a) is connected to both the monitoring circuit 6(c) and to the cross-reference table 8 and is constructed to determine when an authorised processor 2 ceases to access a confidential file 5. For example, it may determine when processor D is finished accessing file Q, which contains confidential data. When access is finished, the encryption circuit 6(a) transmits signals on the address bus 3 and encrypts the header 5 of the file so that it may not be recognised by any processor as a data file. Thus, without exception, any processor which attempts to obtain access to that file will not succeed in doing so because it will not be recognised as a data file. This includes not only the normally used processors 2, but also any additional processor connected to the bus 3. The important point is that details of the processor need not be stored in the table 8 to prevent retrieval of confidential files.
The decryption circuit 6(b) continuously operates to monitor address instructions for the files. If access is being attempted to a file for which access is not authorised by at least one of the processors (i.e. files Q, T and U), the source processor of the instruction is identified and a fetch cycle is made to the cross-reference table 8 to determine if that processor is authorised access to the file.
If not, the encryption circuit does not do anything and the processor will not access the file because the header is encrypted. However, if the source processor is authorised, the decryption circuit will immediately decrypt the file header so that access is obtained. It will be appreciated that because the decryption circuit does not need to carry out any action unless the processor is positively authorised, the chances of an unauthorised processor gaining access because of a fault in the security circuit are avoided. If the decryption circuit is inactive for some reason, the worst that can happen is that authorised processors will not gain access.
In such circumstances, it is envisaged that back-up files will be stored which will be accessible to only a limited number of personnel who could use these for access to the data.
The invention operates on the principle that all files for which there is confidentiality regarding at least one of the processors may not be accessed unless a positive action is taken by the security apparatus. This is important for maintaining confidentiality of personnel or marketing information. It will also be appreciated that the invention is extremely simple in operation, and relatively simple and readily available circuits such as monitoring and encryption circuits are required for its implementation.
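The table lookup and the fail-closed behaviour described above can be modelled in software. This is an added example, not part of the patent: the header marker `MAGIC`, the XOR pad standing in for the unspecified cipher, and the Q and U table entries for processors A, B, C and F are assumptions, since the drawing is not reproduced here.

```python
import hashlib

PROCS = "ABCDEF"
MAGIC = b"DATAFILE"  # assumed plaintext header marker that processors recognise

def row(bits):
    return dict(zip(PROCS, bits))

# Cross-reference table 8 (1 = authorised, 0 = not authorised). Rows R, S, T and
# columns D, E follow the description; Q and U entries for A, B, C, F are assumed.
TABLE = {
    "Q": row((1, 0, 0, 1, 0, 0)),
    "R": row((1, 1, 1, 1, 1, 1)),
    "S": row((1, 1, 1, 1, 1, 1)),
    "T": row((0, 0, 0, 1, 0, 0)),
    "U": row((0, 0, 0, 1, 0, 1)),
}

class SecurityCircuit:
    def __init__(self, key, decryptor_ok=True):
        self.key = key
        self.decryptor_ok = decryptor_ok  # False models a failed decryption circuit 6(b)
        self.headers = {name: MAGIC for name in TABLE}
        self.locked = set()
        for name in TABLE:                # confidential files start with encrypted headers
            self.release("D", name)

    def confidential(self, name):
        # Confidential = at least one processor is not authorised for the file.
        return 0 in TABLE[name].values()

    def _xor(self, name):
        # Stand-in for the unspecified cipher: XOR with a SHA-256-derived pad.
        pad = hashlib.sha256(self.key + name.encode()).digest()
        self.headers[name] = bytes(a ^ b for a, b in zip(self.headers[name], pad))

    def access(self, proc, name):
        """Address instruction from proc for file name; True if the file is recognised."""
        authorised = TABLE[name].get(proc, 0) == 1  # processors not in the table get 0
        if name in self.locked and authorised and self.decryptor_ok:
            self._xor(name)               # 6(b): positive action only for an authorised source
            self.locked.discard(name)
        return self.headers[name] == MAGIC

    def release(self, proc, name):
        """An authorised processor ceases access; 6(a) re-encrypts the header."""
        if self.confidential(name) and TABLE[name].get(proc, 0) and name not in self.locked:
            self._xor(name)
            self.locked.add(name)
```

A processor absent from the table, or a circuit built with `decryptor_ok=False`, gets `False` for file T. In this model the header stays in clear between an authorised `access` and the matching `release`, so the protection applies only once access has ceased.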
The invention is not limited to the embodiments hereinbefore described, but may be varied in construction and detail.

Claims (2)

1. A security apparatus for controlling access of source processors to a confidential data file stored on a storage device, the apparatus comprising: a monitoring circuit comprising means for reading storage device address instructions, means for identifying the source processor of an address instruction, and means for identifying the file which is being addressed; a stored cross-reference table containing authorisation or non-authorisation status indicators for cross-referenced source processors and stored files; an encryption circuit comprising means for determining from the monitoring circuit and from the cross-reference table when an authorised processor ceases to access a confidential file, and means for subsequently encrypting the header of the confidential file so that it may not be recognised as a data file by any processor; a decryption circuit comprising means for determining from the monitoring circuit and from the cross-reference table when an authorised source processor is attempting to access a confidential file and means for subsequently decrypting the header so that it may be accessed by the source processor.
2. An apparatus substantially as hereinbefore described with reference to and as illustrated in the accompanying drawing.
GB9127506A 1991-12-20 1991-12-31 Security of stored data Expired - Fee Related GB2262633B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
IE447491A IE914474A1 (en) 1991-12-20 1991-12-20 Security of stored data

Publications (3)

Publication Number Publication Date
GB9127506D0 GB9127506D0 (en) 1992-02-19
GB2262633A true GB2262633A (en) 1993-06-23
GB2262633B GB2262633B (en) 1995-04-26

Family

ID=11039455

Family Applications (1)

Application Number Title Priority Date Filing Date
GB9127506A Expired - Fee Related GB2262633B (en) 1991-12-20 1991-12-31 Security of stored data

Country Status (3)

Country Link
BE (1) BE1003739A6 (en)
GB (1) GB2262633B (en)
IE (1) IE914474A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19983331B4 (en) * 1998-06-30 2006-01-19 Emc Corporation, Hopkinton Method and apparatus for providing data management for a network coupled storage system
US7260636B2 (en) 2000-12-22 2007-08-21 Emc Corporation Method and apparatus for preventing unauthorized access by a network device
US7752316B1 (en) * 1998-06-30 2010-07-06 Emc Corporation Method and system for securing network access to data stored in a data storage system
EP2696305A2 (en) * 2011-08-15 2014-02-12 Huawei Device Co., Ltd. Method and device for file protection

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19983331B4 (en) * 1998-06-30 2006-01-19 Emc Corporation, Hopkinton Method and apparatus for providing data management for a network coupled storage system
US7752316B1 (en) * 1998-06-30 2010-07-06 Emc Corporation Method and system for securing network access to data stored in a data storage system
US7756986B2 (en) 1998-06-30 2010-07-13 Emc Corporation Method and apparatus for providing data management for a storage system coupled to a network
US7260636B2 (en) 2000-12-22 2007-08-21 Emc Corporation Method and apparatus for preventing unauthorized access by a network device
EP2696305A2 (en) * 2011-08-15 2014-02-12 Huawei Device Co., Ltd. Method and device for file protection
EP2696305A4 (en) * 2011-08-15 2014-04-02 Huawei Device Co Ltd Method and device for file protection

Also Published As

Publication number Publication date
GB9127506D0 (en) 1992-02-19
GB2262633B (en) 1995-04-26
IE914474A1 (en) 1993-06-30
BE1003739A6 (en) 1992-06-02

Similar Documents

Publication Publication Date Title
US4262329A (en) Security system for data processing
US7278016B1 (en) Encryption/decryption of stored data using non-accessible, unique encryption key
EP0583140B1 (en) System for seamless processing of encrypted and non-encrypted data and instructions
AU2002326226B2 (en) Method and device for encryption/decryption of data on mass storage device
CA2417516C (en) Method and apparatus for automatic database encryption
KR100323604B1 (en) Method for controlling access to electronically provided services and system for implementing such method
JPH0260009B2 (en)
EP0421409A2 (en) Transaction system security method and apparatus
CA2272894A1 (en) Information security method and apparatus
KR980010810A (en) Storage and information transmission system and information transmission and reading method
AU2002326226A1 (en) Method and device for encryption/decryption of data on mass storage device
EP0238537A1 (en) System for preventing software piracy employing multi-encrypted keys and single decryption circuit modules.
WO2000017731A1 (en) Volatile key apparatus for safeguarding confidential data stored in a computer system memory
US6839837B1 (en) Cryptosystem key updating system and method for preventing illegal use of software
US5710817A (en) Method and device for preventing unauthorized access to a computer system
US20030046564A1 (en) Storage medium and method for storing data decrypting algorithm
US7080261B1 (en) Computer-readable medium with microprocessor to control reading and computer arranged to communicate with such a medium
US20050005128A1 (en) System for controlling access to stored data
GB2262633A (en) Data security.
KR100407692B1 (en) Hard Disk Real Time Security System and Preservation Method of Hard Disk Real Time Security System
Wang et al. Fast and secure magnetic worm storage systems
US20040221164A1 (en) Method for the encryption and decryption of data by various users
EP0624267A1 (en) Method and device for preventing unauthorised access to a computer system
EP1130494A2 (en) Distributed cryptography technique for protecting removable data storage media
JPH08509087A (en) File encryption structure

Legal Events

Date Code Title Description
PCNP Patent ceased through non-payment of renewal fee

Effective date: 19951231