JP2017535871A - Autonomous system and method for secure access - Google Patents

Abstract

Secure electronic access may be provided by receiving at least one electronic certificate from an electronic device seeking access to a secure resource at a protected device that includes at least one security processor, and at least one One proof provides device information related to the security of the electronic device and compares the device information with the security requirement information at at least one autonomous processor of the autonomous system. The at least one autonomous processor may instruct the at least one security processor to provide secure resources to the device when the device information satisfies the security requirement information. The protected device may provide secure resources to the electronic device in response to the instructions.

Description

Cross-reference to related applications

  This disclosure claims priority from US Provisional Patent Application No. 62 / 078,137, filed November 11, 2014, entitled “Autonomous System for Secure Electronic System Access”. Which is hereby incorporated by reference in its entirety. This disclosure also includes US patent application Ser. No. 14 / 523,577 filed Oct. 24, 2014, and US Patent Application No. 14 / 634,562 filed Feb. 27, 2015. Are incorporated herein by reference in their entirety.

FIG. 1 is a protection system, autonomous control system, and input device according to an embodiment of the present invention. FIG. 2 is a serial interfaced autonomous control system according to an embodiment of the present invention. FIG. 3 is a flow diagram illustrating a control method according to an embodiment of the present invention. FIG. 4 is an autonomous control system interfaced in series according to an embodiment of the present invention. FIG. 5 is a schematic diagram illustrating the operation of a serially interfaced autonomous control system according to an embodiment of the present invention. FIG. 6 is an autonomous control system interfaced in series according to an embodiment of the present invention. FIG. 7 is an autonomous control system interfaced in parallel according to an embodiment of the present invention. FIG. 8 is an autonomous control system interfaced in parallel according to an embodiment of the present invention. FIG. 9 is a schematic diagram illustrating the operation of a parallel interfaced autonomous control system according to an embodiment of the present invention. FIG. 10 is an autonomous control system interfaced in series and parallel according to an embodiment of the present invention. FIG. 11 is an autonomous control system comprising a communication bus according to an embodiment of the present invention. FIG. 12 is an autonomous control system including a semiconductor multichip module according to an embodiment of the present invention. FIG. 13 is an autonomous control system installed externally on an interposer PCB according to an embodiment of the present invention. FIG. 14 is a flow diagram illustrating a tamper prevention function of an autonomous control system according to an embodiment of the present invention. FIG. 15 shows a process flow for using an autonomous control system as a system service to a host CPU for secure collaborative processing according to an embodiment of the present invention. FIG. 16 is a security module according to an embodiment of the present invention. FIG. 17 is a security score derivation according to an embodiment of the present invention. FIG. 18 is an asset breakdown according to an embodiment of the present invention. FIG. 19 is an asset evaluation according to an embodiment of the present invention. FIG. 20 is an asset subdivision according to an embodiment of the present invention. FIG. 21 is an asset subdivision according to an embodiment of the present invention. FIG. 22 is an asset subdivision according to an embodiment of the present invention. FIG. 23 is an asset subdivision according to an embodiment of the present invention. FIG. 24 is a base security score certificate according to an embodiment of the present invention. FIG. 25 is a base security score proof according to an embodiment of the present invention. FIG. 26 is a security score degradation according to an embodiment of the present invention. FIG. 27 is a security requirement proof according to an embodiment of the present invention. FIG. 28 is an exemplary base security score proof according to an embodiment of the present invention. FIG. 29 is an example security requirement proof, according to an embodiment. FIG. 30 is a normalized security score comparison according to an embodiment of the present invention. FIG. 31 is a normalized security score comparison according to an embodiment of the present invention. FIG. 32 is a security verification according to an embodiment of the present invention. FIG. 33 is a security comparison according to an embodiment of the present invention. FIG. 34 is network access verification according to an embodiment of the present invention. FIG. 35 is a mutual security verification according to an embodiment of the present invention. FIG. 36 is network access verification with reevaluation according to an embodiment of the present invention. FIG. 37 is a network access verification with fallback network access according to an embodiment of the present invention. FIG. 38 is a client side network access verification according to an embodiment of the present invention. FIG. 39 is a peripheral verification according to an embodiment of the present invention.

Detailed description of some embodiments

  Electronic systems, mechanical systems, chemical systems, and biological systems may have a state or sequence of states that can lead to catastrophic failure. Such fatal conditions can arise from internal natural forces, external accidental forces, or external intentional hostile forces. In industrial systems, devices or systems operating under remote control and monitoring are known harmful that may be tolerated by the control system as a result of malfunctions, user errors, or malicious or hostile operations. May have a state. A working device may accept and execute such commands or out-of-limit signals, and the entire associated system is harmed, degraded, or destroyed from such induced conditions. For example, the harmful system conditions that are induced are process speeds that are too fast or too slow, valves that are too open or too closed, or pressures or temperatures that are too high or too low. Many devices may lack their own internal safety devices to physically or electronically prevent operation outside these limits.

  The systems and methods described herein are autonomous capable of monitoring and modifying or blocking input and / or output signals in accordance with business rules and / or security rules to protect components critical to the system. Provide control. In order to minimize or prevent unwanted system effects, signal modifications and / or blocks ensure that no out-of-limit connection conditions occur between devices and within devices or between systems and systems. Or may only occur during a negligible amount of time. (A connection state may be any monitored signal level or command between two or more devices or systems at a particular moment at the physical layer level. , Is the lowest hardway layer where the raw signal is transferred.) When a signal that violates the rule is detected, the autonomous control system (eg, circuit) switches off the signal internally, Violated signals can be blocked. Alternatively, the circuit may not send a signal or may send a fail-safe signal to a protection system that is any device (DUP) or system protected by an autonomous control system. The circuit can be configured for use with legacy systems, for example, by designing for system upgrades, or retrofitting the system.

  In some embodiments, autonomous control may be based on a quantum security model (QSM). QSM is a security measurement and comparison methodology. QSM may provide a normalized methodology for classifying systems and evaluating key components in a consistent manner, which allows interdependence to be more accurately understood and measured. May be. The QSM may provide a method for normalizing the resulting assessment of the main component against a score that can be quantified. The QSM may allow resource owners to identify what evaluates (signs) the authorities they identify and accept. The QSM method may be used to evaluate both the current and potential future security status of the system or device. QSM may allow individual resource owners to identify and verify asset security scores before granting access. QSM may allow assets that have the computing power to authenticate each other before sharing resources or services.

  In QSM, general measurements may be reached through an evaluation process performed on a device, system, or entity (“asset”), where it is accepted, reproducible, and independently verifiable. Security level determination is desired. The quantum security unit represented by the symbol (“qS”) and pronounced (“qSec”) may be a standard unit of measurement for security of systems based on QSM. qSec may be a temporal value similar to the position of a particle in quantum physics, such that it is at best estimated and best known at the moment when the measurement is made by the observer. With accuracy that degrades over time after the measurement, the location of the particles may only be determined based on the likelihood. qSec is a quantum measurement and may share this feature. The system may be viewed as a wavy system from a security perspective, and it may be assumed that the laws of quantum mechanics can be applied. System security is a characteristic of the system. The passage of time along with the normal function and operation of the system and its environment can all affect the security of the system. As a result, the security of the system may be dynamic and the known state of security may be transient in nature. Thus, the system may be represented as a wavy system and system security as a quantum property. Similar to the location of the particles, the security of the system may be quantified and defined using quantum mechanics laws for the measurements. The measurement result may provide a security measure expressed in quantum security units, where a value of zero represents a complete lack of any security in the system and an increasing value indicates higher security .

  The value represented by one qSec may be derived from criteria that will be evaluated during the system security measurement process. Each criterion may have a common value range associated with their impact on security. Each criterion may also have an associated evaluation process that produces results within that range. A reference weighting method may be applied to each reference, and the common value range may be a security value scale for what the quantum security measurement represents, displayed in qSec. For example, the qSec value may represent an eigenvalue in matrix dynamics. Different measurers at different time periods may interpret this value theoretically differently, depending on their point of view, applying their own likelihood filter to the qSec value, or They may wish to perform their own measurement process to determine the qSec value of the system. Thus, when categorizing system security, a value may be predetermined in order to utilize qSec measurements in a meaningful way. Predetermining may be done automatically, may be set by the user, and / or may be set at or prior to system initialization.

  The systems and methods described herein include one or more computers, sometimes referred to as processors. A computer may be any programmable one or more machines capable of performing arithmetic and / or logical operations. In some embodiments, the computer comprises a processor, memory, data storage device, and / or other commonly known or new components. These components may be physically connected or may be connected through a network or wireless link. The computer may also include software that can direct the operation of the components described above. A computer may be referred to in terms commonly used by those skilled in the art, such as server, PC, mobile device, router, switch, data center, distributed computer, and other terms. The computer facilitates communication between users and / or other computers, provides a database, performs data analysis and / or transformation, and / or performs other functions. It will be understood by those skilled in the art that these terms used herein are interchangeable and any computer capable of performing the functions described may be used. The computers may be linked to each other via one or more networks. A network may be any plurality of computers that are fully or partially interconnected, and some or all of the computers can communicate with each other. The connection between computers may be wired in some cases (eg, via Ethernet, coaxial, optical, or other wired connections), or (eg, Wi-Fi). It will be appreciated by those skilled in the art that it may be wireless (via a registered trademark, WiMax®, 4G, or other wireless connection). The connection between the computers may use any protocol including a connection-oriented protocol such as TCP or a connectionless protocol such as UDP. Any connection through which at least two computers can exchange data can be the basis of a network.

  In some embodiments, the computer used in the described system and method may be a special purpose computer configured specifically for autonomous security. For example, the server may be equipped with specialized processors, memory, communication components, etc., that work together to make the electronic system described in more detail below autonomously secure. Configured to perform functions.

Autonomous control system and method

  FIG. 1 illustrates a protection system 2100. The protection system 2100 can communicate with the input device 2102. Input device 2102 sends signals to and / or receives signals from protection system 2100. The input device is, for example, an analog or digital signal port, a control knob, a touch display, a keyboard, a mouse, and / or some other peripheral device. Input device 2102 may also be a host device to protection system 2100 or a device on the network. An autonomous control system 2104, sometimes referred to as a dedicated monitoring and action device (DMAD), is in series between the input device 2102 and the protection system 2100 and / or in parallel with the input device 2102 and the protection system 2100. It is positioned. As described in more detail below, various embodiments of the autonomous control system 2104 comprise electronic circuitry, a processor and memory, or a combination thereof configured to execute software. Yes. The autonomous control system 2104 may be secure internally (eg, including encryption capabilities and tamper-proof capabilities). The autonomous control system 2104 may also appear in series or in parallel in both directions of data connection and data flow between the input device / host 102 and the protection system 2100, and the autonomous control system 2104 Can monitor input signals arriving at the protection system 2100 and output signals arriving from the protection system 2100.

  In some embodiments, the autonomous control system 2104 creates a deterministic race condition for enforcing the rules. The deterministic race condition may be a deliberately induced race condition between the injected signal and the incoming signal, and only the injected signal will have a high level that will affect the output. Certainty exists. When a signal that violates a rule appears on the data bus to or from the protection system 2100, the autonomous control system 2104 races to detect the violation and is interfaced in series. May switch off the signal internally to replace it with a fail-safe signal, or may attempt to modify the signal when interfaced in parallel. Buffer incoming and / or outgoing signals to provide more detection time and only validated signals are sent by autonomous control system 2104 to protection system 2100 and vice versa You may be guaranteed that.

  In some embodiments, the autonomous control system 2104 includes a silicon dion die, integrated circuit package on package, modular system module on module, fiber optic, radio frequency, wire, printed circuit board trace, quantum entanglement, Or may be physically represented in the protection system 2100 in various ways, such as molecular, thermal, atomic, or chemical connections, or physically connected to the protection system 2100 or control device. It may be.

  In some embodiments, the autonomous control system 2104 is in series, in parallel, or both in series and parallel between one or more devices or systems (eg, input device 2102 and protection system 2100). It has a physical interface to be connected. Each physical connection type may have a different set of design considerations and tradeoffs for a given application and system type, such as organic, electronic, or radio frequency. For example, in an electronic system, voltage interface levels, signal integrity, driving power, tamper proof, and / or induced propagation delay are evaluated to determine connection methods.

  In some embodiments, the autonomous control system 2104 is designed, programmed and positioned to autonomously enforce specific security rules and business rules on the host system or device. A computer system having an encrypted memory storage function and a falsification preventing function. The autonomous control system 2104 may comprise components such as processing logic, memory storage, input / output buffers, communication ports, and / or reprogramming ports. The autonomous control system 2104 can continually analyze the connection state between any number of devices or systems in real time, and can implement predefined business rules and security rules. When an out-of-limit state is detected, the autonomous control system 2104 can block, disable, or change to a known good state forbidden connection state. Similar methods can be applied, for example, to electrical, optical, electromechanical, electromagnetic, thermal, biological, chemical, molecular, gravity, atomic, or quantum mechanical systems.

  In some embodiments, the autonomous control system 2104 comprises a programmable device that can be programmed to behave autonomously in response to a stimulus deterministically. For example, autonomous control system 2104 includes field programmable gate array (FPGA), microcontroller (MCU), microprocessor (MPU), software defined radio, electro-optic device, quantum computing device, organic compound, programmable Contains material or programmable biological virus. The autonomous control system 2104 may be connected directly to the protection system 2100 or may be connected to one or more control devices operating on the protection system 2100. Autonomous control system 2104 can be, for example, silicon dion die, integrated circuit package on package, modular system module on module, optical fiber, radio frequency, wire, printed circuit board trace, quantum entanglement, or molecule, thermal Are physically connected by atomic or chemical means.

  In some embodiments, the autonomous control system 2104 securely stores data away from the protection system 2100 memory (such as cryptographic credentials or system logs) and is more powerful than the protection system 2100 provides. Allow data to be accessed or modified only by the authentication method and access control. For example, autonomous control system 2104 is used by a computer system to implement a security scoring methodology (eg, autonomous control system 2104 is used for storage of security credentials and requirement information). Further, the security scoring method can utilize the autonomous control system 2104 for outer resource verification / verification, authentication, and authorization based on security score information. For example, the stored data may be used for security integrity verification in combination with other systems.

  In some embodiments, an autonomous control system 2104 is used to ensure the integrity and authenticity of internal system components, data and / or externally interfaced devices, and electronically. Implement a cryptographic public key infrastructure (PKI) inside the electronic system. In addition, these credentials may be utilized for secure communications to ensure message confidentiality, integrity, and / or authenticity. For example, an autonomous control system 2104 that implements and implements electronic cryptography PKI includes a read-only memory (ROM) partition that contains a public key or globally unique identifier (GUID) that can be programmed during initial manufacture of the system. Yes. In that case, at the first activation of the autonomous control system 2104, for example, RSA and X. The private key may be generated internally by the autonomous control system 2104 using industry standard cryptographic methods such as 509 certification. This private key can then be used to generate a certification request, which may be signed by the manufacturer's certification authority (CA) or an approved third party CA. The signed proof may then be securely stored on the autonomous control system 2104 ROM. This proof can then be used to allow digital signing and encryption / decryption of the data. The autonomous control system 2104 that implements the electronic cipher PKI may be retrofitted to a protection system 2100 that does not implement the electronic cipher PKI to add such capabilities. This has the advantage of storing the private key in a location that is not accessible to the protection system 2100 for added security.

  In some embodiments, the autonomous control system 2104 may be used with an electronic cryptographic PKI to verify that the components of the internal protection system 2100 are authentic and others (the internal protection system 2100 and / or A PKI can also be implemented so that components of the external input device 2102) can also exchange, store and authenticate public keys. If the protection system 2100 or input device 2102 component that implements PKI has been tampered with and replaced with a counterfeit version, either the signature of the counterfeit device does not exist or is different from the original one As such, the autonomous control system 2104 may be able to detect counterfeiting.

  In some embodiments, the autonomous control system 2104 (such as PKI) may be used to ensure data integrity within the protection system 2100 and other system components (eg, external input device 2102). ) Use encryption method. The autonomous control system may also implement a cryptographic method that confirms that the data has not been altered in any way. In addition, the authenticity of the data may be guaranteed when the originator of the data is known or verified. For example, the autonomous control system 2104 uses the peripheral device's public key to encrypt messages destined for the peripheral device and validate messages received from the peripheral device.

  In some embodiments, the autonomous control system 2104 implements an electronic cryptographic PKI and also generates cryptographically signed hashes of the virtual system (or its components) and stores those hashes. Can ensure the integrity and authenticity of a virtual machine and / or hypervisor (commonly referred to as a “virtual system”). In that case, the autonomous control system 2104 can verify the authenticity and integrity of the virtual system by recalculating the hash and comparing it to the stored value. Further, the autonomous control system 2104 may receive any command received at all times, for a predetermined or randomized time period, and / or for a predetermined or randomized duration. May emulate the protection system 2100 so that it does not reach the protection system 2100, thereby preventing any impact on the protection system 2100. This mode of operation may be used for testing or to give the attacker the impression that the attack was successful when the malicious intent was never actually activated in the protection system 2100. May be used. The autonomous control system 2104 may include aggressive means that can disable the threat when a prohibited connection state, command, and / or sequence of commands is detected. For example, if an unauthorized connection is detected on a USB port, the autonomous control system 2104 injects a signal into the USB peripheral input device 2102 to damage or invalidate it. Can do.

  In some embodiments, the autonomous control system 2104 is serially connected to the physical interface of the second integrated circuit chip in the control device in such a manner as to have a negligible impact on system performance and functionality. An electronic circuit design on an integrated circuit chip that may be connected. At the same time, the first integrated circuit chip may be able to inhibit certain connection states to the second integrated circuit chip. A connection state may be a signal level on all connection points between two devices at a given moment, such as a voltage level on all digital I / O connections. Alternatively, with some or all external constant monitoring of signal levels or signal conditions between one or more electronic devices or systems to ensure that undesirable system effects do not occur, between devices or systems An electronic device is inserted at the signal interface that operates to prevent out-of-limit signal conditions from occurring or to only occur during a negligible amount of time. Or may be added on the signal interface. An electronic device implementing this method may be connected between one or more devices or systems in series, in parallel, or both in series and in parallel, and is independent of the computer-implemented security scoring method. Or with external monitoring and control.

  In some embodiments, the autonomous control system 2104 operates as a hardware-based serial “middle man” (MITM). Communication between the protection system 2100 and the input device 2102 (eg, a peripheral device) typically signals a preprogrammed prohibited signal pattern, packet, or access attempt by the monitoring logic of the autonomous control system 2104. Continue until detected on line. When a prohibited signal is detected, the autonomous control system 2104 may completely disable the main signal bus by selecting an alternative signal bus (or interrupt bus). An alternative signal bus may be used for recording, interruption, or total disconnection from peripheral devices. For example, an alternative signal bus may be selected while maintaining communication with the protection system 2100 to notify the protection system 2100 that it is under attack. For example, by using an internal parameterized multiplexer instantiation whose channel selection line is controlled by application specific monitoring and action logic programmed into the protection system 2100, the autonomous control system 2104 May maintain this communication.

  FIG. 2 illustrates an embodiment of an autonomous control system 2104 comprising a processor 2200 and a memory 2202 in a serial arrangement of an input device 2102 (not shown) and a protection system 2100 (not shown). . The processor 2200 receives an input signal on the node 2204. Node 2204 may be connected to input device 2102. The processor generates an output signal on node 2206. Node 2206 may be routed to protection system 2100. Memory 2202 can store prohibited input signal states. The processor 2200 may compare the input signal with the prohibited input signal state and generate a match signal or a mismatch signal. In response to the mismatch signal, an input signal may be provided to the protection system 2100. In response to the match signal, a replacement input signal may be provided to the protection system 2100. The replacement input signal is a signal that does not cause damage to the protection system 2100. For example, an input to the protection system 2100 that instructs the motor of the protection system 2100 to operate at its maximum speed may be detrimental to a particular process operation and should not be allowed. When such a command is input from the input device 2102, the autonomous control system 2104 can intercept the signal and take immediate action to prevent an unauthorized state. In this example, the autonomous control system 2104 fully controls the speed selection and sends an appropriate signal to the protection system 2100 that maintains the previous authorized speed selection. In addition, the autonomous control system 2104 may create a log entry or send an alert that an unauthorized connection state has been attempted. The response of the autonomous control system 2104 may be application dependent or programmed in advance. The autonomous control system 2104 may also be programmed to stop the physical process, for example, instead of maintaining the current speed.

  FIG. 3 is a flow diagram illustrating a control method according to an embodiment of the present invention. This diagram presents an exemplary process flow for the serial autonomous control system 2104 embodiment described above. The exemplary process flow also applies to the additional serial and / or parallel autonomous control system 2104 embodiments described below with or without the processor 2200 and memory 2202 of FIG. Can be applied. An autonomous control system 2104 monitors 3405 the connection status between the protection system 2100 and the input device 2102. The state is checked to determine if it is out of bounds 3410 (eg, maximum speed command from the example of FIG. 2 above). If the condition is acceptable, monitoring continues normally 3405. If the condition is out of bounds, the autonomous control system 2104 maintains its current speed (eg, by setting the speed to a speed lower than the commanded speed or in the protection system 2100 Take action on the state 3415). The autonomous control system 2104 determines 3420 whether its intervention has set or restored the protection system 2100 to an acceptable state. For example, the autonomous control system 2104 determines whether the motor has actually been returned to a lower speed without damage. If the protection system 2100 is OK, monitoring continues as normal 3405. However, in some cases it may not be possible to return the protection system 2100 to an acceptable state. For example, the protection system 2100 is locked and it receives a command to unlock before the autonomous control system 2104 can intervene (eg, in a parallel arrangement as described with respect to FIG. 7 below). In some cases, the door controlled by the lock may already be open. Locking the lock again will not repair this situation. In this case, the protection system 2100 is separated from further external inputs and an alert is generated 3425.

  FIG. 4 is a block diagram of an autonomous control system 2104 connected by a serial interface between the protection system 2100 and the input device 2102 according to an embodiment of the present invention. This embodiment may function similarly to the embodiment of FIG. 2 described above, but may have other elements in addition to the processor 2200 and memory 2202 within the autonomous control system 2104. And / or other elements instead of the processor 2200 and the memory 2202 may be included. In this example, autonomous control system 2104 comprises a programmable logic device (PLD) or other device (eg, circuit, processor, etc.) that provides monitoring logic 2140. Monitoring logic 2140 typically passes all signals between protection system 2100 and peripheral device 2102 through a bidirectional multiplexer (MUX) 2160. The same signal may also be supplied to monitoring and action circuitry that provides control logic 2150. The monitoring and action circuitry that provides control logic 2150 may be part of the PLD, circuit, or processor that provides monitoring logic 2140, or may be remote from monitoring logic 2140 (eg, a remote PLD). , Circuits, processors, etc.). The embodiment illustrated in this figure is a hardware-based serial “Middle Man” (MITM) implementation of the autonomous control system 2104. In this embodiment, communication between the protection system 2100 and the peripheral device 2102 typically continues until the monitoring logic 2140 detects a preprogrammed prohibited signal pattern, packet, or access attempt on the signal line. To do. When a forbidden signal is detected, control logic 2150 in autonomous control system 2104 may use an alternate internal I / O bus (or for recording, interrupting, or total disconnect from peripheral device 2102). The main peripheral device I / O bus can be completely disabled. This method may be implemented in the autonomous control system 2104 while maintaining communication with the protection system 2100 to notify the protection system 2100 that it is under attack. By using an internal parameterized multiplexer instantiation whose channel selection lines are controlled by application specific monitoring and action logic programmed into the protection system 2100, the autonomous control system 2104 allows this communication. May maintain.

  In the physical layer between the protection system 2100 CPU and a connected peripheral device 2102 that may be internal or external to the protection system 2100, the autonomous control system 2104 of FIG. 4 may be connected in series. Absent. The communication bus may pass through an autonomous control system 2104 comprising monitoring logic 2140 and MUX 2160 that is programmed to detect signals that violate the rules for a given application. When such signals are detected, the autonomous control system 2104 may prevent them from reaching the protection system 2100, or they may be undesired for the process in the protection system 2100. May at least prevent the assertion for a period of time. In the example of FIG. 4, bus A typically passes through autonomous control system 2104 between protection system 2100 CPU and peripheral device 2102, and signals to and from protection system 2100 CPU. In doing so, bus A may pass through the output multiplexer of autonomous control system 2104. Whether bus A arrives at protection system 2100 or bus B can be determined by the “S0” control port of the multiplexer. When the S0 port is logic 0, bus A may pass through. When the S0 port is logic 1, bus B may pass through. The value of each line on bus B is controlled by state machine control logic 2150 of autonomous control system 2104, which is configured to enforce the rules. In this example, S0 can be asserted to logic 1 when all of the lines on bus A are high. In response, a 4-input AND gate may toggle S0 to switch to bus B. The AND gate may be a hardware gate and the propagation time through the hardware AND gate may be on the order of nanoseconds. An almost instantaneous switch can therefore be performed. S0 can also be controlled directly by the state machine logic 2150 of the autonomous control system 2104 via a two-input OR gate fed to S0. Multiple instances of the autonomous control system 2104 can be placed between various inputs and / or outputs of the protection system 2100 and the input device 2102 to implement various rules on different interfaces.

  Also shown in FIG. 4 is a secure memory that can store and encrypt data. The memory may be used as a system service of the autonomous control system 2104 to the host CPU and / or from the host CPU, such as a log of rule violation events that may be read from a secure application or external peripheral device. It may contain separated data.

  In the example of FIG. 4, using a programmable logic device that has the capability that the signal propagation delay induced through the control system 2104 that is autonomous for the monitored line is negligible relative to the system timing requirements. The illustrated autonomous control system 2104 may be located at a serial interface. The PLD in the autonomous control system 2104 may include a normal “pass” mode that adds a small amount of propagation delay, eg, a delay on the order of 20 nanoseconds. The added delay is insignificant for many systems and therefore does not affect normal system operation.

  The serial interface of the autonomous control system 2104 illustrated in the example of FIG. 4 partially or completely disconnects the protection system 2100 from the peripheral device 2102 to electrically isolate the protection system 2100 as a means of tampering prevention. can do. Thereafter, the autonomous control system 2104 may output some aggressive, defensive, or diagnostic / repair signal to the attacking or malfunctioning peripheral device 2102 or may simply hold the state. unknown.

  FIG. 5 is a schematic diagram illustrating the operation of an electronic autonomous control system 2104 having a serial interface to prevent an unauthorized connection state according to an embodiment of the present invention. The autonomous control system 2104 is positioned between a speed selection input device (peripheral device 2102) and an actuation device (protection system 2100) that accepts a binary encoded speed applied to the physical process. The autonomous control system 2104 includes monitoring logic 2140 that monitors the inputs and passes them to a multiplexer (MUX) or switch 2160. If inputs are allowed, they may proceed from the MUX 2160 to the protection system 2100. If the input is not allowed, the state machine monitoring and control action logic 2150 may instead intervene and cause the MUX 2160 to pass the output generated by the state machine monitoring and control action logic 2150 to the protection system 2100. Absent. In this example, the maximum speed represented by the binary “1111” is detrimental to the specific process operation and should not be tolerated. The device illustrated in FIG. 5 can be scaled to monitor and operate on a large number of connection states that encode a wide variety of different functions. The autonomous control system 2104 in this example may also be programmed to prevent an unauthorized sequence of speed selections, such as an immediate jump from the lowest allowable speed to the highest allowable speed. The autonomous control system 2104 logic may be application specific, so in this example “1111” is a prohibited input, while in other embodiments other inputs are prohibited. May be. The input to the autonomous control system 2104 is not limited to the 4-bit embodiment of this example.

  In FIG. 5.1, the speed selection bus passes signals in series through the autonomous control system 2104, and passes on the actuation device via the “bus switch” of the autonomous control system 2104. The autonomous control system 2104 can monitor the speed selection bus for programmable unauthorized speed (connection state) and take pre-programmed actions, which in this example control the bus switch. In FIG. 5.1, the selected speed is the authorized speed, and thus the autonomous control system 2104 allows the selection to pass to the actuation device.

  FIG. 5.2 illustrates an unauthenticated signal “1111” for speed that is transmitted either accidentally or maliciously to the autonomous control system 2104 through the input device 2102. The autonomous control system 2104 can intercept the signal and take immediate action to prevent an unauthorized state. In this example, a preprogrammed program for toggling the bus switch so that the autonomous control system 2104 fully controls the speed selection and sends the appropriate signal to the protection system 2100 to maintain the previous authorized speed selection. The autonomous control system 2104 may include the action logic that is being performed. In addition, the autonomous control system 2104 may create a log entry or send an alert that an unauthorized connection state has been attempted. The response of the autonomous control system 2104 may be application dependent or pre-programmed. The autonomous control system 2104 may also be programmed to stop the physical process, for example, instead of maintaining the current speed.

  FIG. 5.3 illustrates that by toggling the bus switch back to the default steady state position when the input device 2102 is readjusted by the user or control system to select the authorized speed. It illustrates that the autonomous control system 2104 logic can be switched back to the input device 2102.

  FIG. 6 illustrates an embodiment of an autonomous control system 2104 that is similar to the embodiment of FIG. 5 but includes a processor 2200 and memory 2202 instead of hardware logic. In this embodiment, the input signal on node 2204 is routed to processor 2200 via link 2300. The processor 2200 may compare the input signal with the prohibited input signal state stored in the memory 2202 to generate a match signal or a mismatch signal. The processor 2200 can generate a selection signal on line 2302 that can control the MUX 2304. In the case of a mismatch signal, the select signal may allow the signal on line 2204 to pass through multiplexer 2304 to protection system 2100. In the case of a match signal, a replacement input signal may be applied to line 2306 and the selection signal on line 2302 may pass the replacement input signal through MUX 2304.

  FIG. 7 is a block diagram of an autonomous control system 2104 comprising a programmable logic device (PLD) connected to a protection system 2100 by a parallel interface in accordance with an embodiment of the present invention. The input and / or output of the protection system 2100 can be monitored via an input of a PLD in the autonomous control system 2104 or via a processor embedded in the autonomous control system 2104. In the embodiment shown in FIG. 5, the autonomous control system 2104 may be connected to the protection system 2100 by a parallel interface and may comprise at least one bidirectional signal driver. At least one bidirectional signal driver can monitor the input, cause the state for the output to change internally, and cause an interruption if no additional connections are required. The driver may be coupled to monitoring logic 2140 so that the input received via the driver's switch 2160 is monitored. If input is allowed, the driver may maintain its state. If input is not allowed, action logic 2150 may place switch 2160 on the action bus output. The action bus output can be, for example, grounded or a high signal. As in the serial interface example described above, communication between the protection system 2100 and the peripheral device 2102 typically proceeds until the monitoring logic detects an unauthorized signal pattern, packet, or access attempt. In a parallel configuration, the control logic reroutes or disconnects the I / O bus internally by recording, interrupting, or switching in an alternate I / O path for total disconnect from the peripheral device 2102. I can't. Instead, the signal to the protected device 2100 is grounded or set high by the switch 2160. However, a parallel approach may be useful for very high speed systems with communication and signal speeds where propagation delay may not be acceptable (eg, systems operating in the GHz range). In addition, the parallel autonomous control system 2104 requires less total I / O connections than the serial interface because it does not need to pass signals through itself (which requires a matching output for all inputs). It may be.

  FIG. 8 is a block diagram of an embodiment of an autonomous control system 2104 connected to the protection system 2100 by a parallel interface and comprising at least one tri-state output 2160 (instead of the switch of FIG. 7). At least one tri-state output 2160 is connected to a peripheral bus from the autonomous control system 2104 and can be toggled to a logic high or low in an attempt to cause an I / O interruption when commanded. This tri-state output can be used for an autonomous control system 2104 that does not have a bidirectional I / O interface.

  FIG. 9 is a schematic diagram illustrating the operation of an electronic autonomous control system 2104 having a parallel interface, in accordance with an embodiment of the present invention. The autonomous control system 2104 includes a parallel interface in which signals between the input device 2102 and the protection device 2100 do not pass directly through the autonomous control system 2104. Instead, the autonomous control system 2104 monitors the input signal by tapping off each line with an electrically high impedance input, as shown in FIG. 9.1. When an unauthorized input attempt is made, the parallel autonomous control system 2104 toggles the bus switch to an output bus with the appropriate driving power (current sinking and sourcing) to disable the host bus. By doing so, the input which is not authorized can be interrupted. In the example of FIG. 9.2, grounding the speed_select_3 line internally may prevent it from reaching the logic high state that will next select the highest process speed. In FIG. 9.2, the autonomous control system 2104 returns the bus switch to position 3 to monitor the input from the input device 2102 without interference from the action bus output of the autonomous control system 2104. Toggle periodically. When the autonomous control system 2104 detects that the authorized speed is selected, it can move back to a stable state, as shown in FIG. 9.3. Unlike the autonomous control system 2104 having a serial interface, the autonomous control system 2104 having a parallel interface may not monitor signals simultaneously.

  FIG. 10 is a block diagram of an embodiment in which an autonomous control system 2104 is connected to the protection system 2100 using both a serial interface and a parallel interface. The serial interface includes monitoring logic 2140A, action logic 2150A, and switch 2160A. The parallel interface includes monitoring logic 2140B, action logic 2150B, and switch 2160B. In this embodiment, when certain communication paths are too fast to pass in series without degrading normal system operation, those paths can be handled by the parallel interface. Slower paths can be handled by the serial interface.

  FIG. 11 is a block diagram of an embodiment in which the autonomous control system 2104 includes a communication bus 2170 between the autonomous control system 2104 and the protection system 2100 regardless of the interface. Communication bus 2170 may optionally include a function for flagging protection system 2100 when a malicious or unauthorized authorization is detected. The communication bus may also include functionality for logging at least one peripheral device 2102, alerting at least one peripheral device 2102, or disabling at least one peripheral device 2102. . Further, the communication bus 2170 may autonomously log events and report such events to a security scoring system implemented by a computer.

  FIG. 12 is a diagram of an embodiment in which the autonomous control system 2104 includes a semiconductor multichip module. The semiconductor multichip module may comprise at least two interconnected processor dies that are functionally connected in a stack or in a planar array. The module may also include an interposer board and / or direct wire bonding that is mounted directly to a printed circuit board (PCB) inside a single semiconductor package. This arrangement may make it difficult to visually detect an autonomous control system 2104 that can provide protection against malicious tampering.

  FIG. 13 is a diagram of an embodiment in which an autonomous control system 2104 is installed externally on an interposer PCB. The interposer PCB may include custom socket assemblies that may be functionally arranged in a stack either above or below the protection system 2100. In this embodiment, the autonomous control system 2104 can be used to secure an existing CPU and use existing motherboards and sockets made to the CPU. This implementation is sometimes referred to as a package-on-package implementation because it involves connecting two individually packaged components to form one.

  In some embodiments, the autonomous control system 2104 includes an electronic circuit that may be a surface mounted on a printed circuit board (PCB) that may include a protection system 2100. The autonomous control system 2104 is operatively connected to the protection system 2100 using, for example, one or more PCB traces, flying leads, coaxial cables, or optical fibers.

  In some embodiments, the autonomous control system 2104 comprises a modular stackable single board computing platform that may be operatively installed on the protection system 2100. For example, the platform is a PC 104, EPIC, EBX, Raspberry Pi, Parallala, or similar modular computing platform. In this embodiment, the autonomous control system 2104 may include a modular carrier attached to the modular computing stack header and performing the security protection functions described above. This is sometimes referred to as a module-on-module implementation.

  FIG. 14 is a flow diagram illustrating the falsification prevention function of the autonomous control system 2104 according to an embodiment of the present invention. As noted above, data for enabling the encryption control check of the autonomous control system 2104 may be stored. Periodic or upon user request, an anti-tamper check is initiated 1305. The autonomous control system 2104 signs 1310 a message to the system that communicates with the autonomous control system 2104 (ie, the system that performs the check of the autonomous control system 2104) with a private key. The system performing the check attempts 1315 to verify the signature. If the signature is invalid, an alert is generated 1320 indicating that the autonomous control system 2104 may have been tampered with. If the signature is valid, the system performing the check signs 1325 with the private key. The autonomous control system 2104 attempts 1330 to verify the signature. If the signature is invalid, an alert is generated 1335 indicating that the system performing the check may have been tampered with. If the signature is valid, all tamper checks are declared safe (ie, both the check system and the autonomous control system 2104 may not be tampered) 1340. Thus, to provide mutual security, the autonomous control system 2104 checks another system and is checked by that system.

  FIG. 15 shows a process flow for using the autonomous control system 2104 as a system service to the host CPU for secure collaborative processing, in accordance with an embodiment of the present invention. Since the processor of the autonomous control system 2104 may have multiple instantiations of the autonomous control system, the architecture described above for the autonomous control system 2104 also provides system services for the host CPU. As a safe process. In this embodiment, the autonomous control system 2104 receives 1505 instructions. In order for the autonomous control system 2104 to find a match with a pre-programmed opcode that resides in the memory associated with the memory subsystem of the autonomous control system 2104, the compiler enters the machine language. 1510 Compare received instructions (eg, from input device 2102) that have been reduced, ie reduced to opcodes. If there is a match, the autonomous control system 2104 performs a preprogrammed function of the opcode 1515 and the protection system 2100 may not receive the opcode. The autonomous control system 2104 accesses a secure storage device 1520 and returns a result 1525. Alternatively, if there is no match with the received opcode in the pre-programmed memory of the autonomous control system 2104, the opcode is passed to the protection system 2100 for execution 1530, and the protection system 2100 Return 1535. Autonomous control for software applications running on the input device 2102 specifically designed to work with the autonomous control system 2104 to access the secure collaborative processing capabilities of the autonomous control system 2104 May be required to accommodate opcodes or instruction sets specific to system 2104. For example, if an opcode or series of opcodes specific to such autonomous control system 2104 requires a cryptographic signature on the data set, the processor 2200 responds by first performing a cryptographic hash on the data set. The processor 2200 then digitally signs the hashed data set using its private key (stored in the secure storage device 2202) and then via the input device 2102 The signed data set may be returned to return to the application specific to the autonomous control system 2104 that generated the opcode in question.

Autonomous control system and method using QSM

  FIG. 16 is a security module 2100 according to an embodiment of the present invention. The security module 2100 may include a processor 2110 and physical memory 2115, for example, a rules database 2112 and / or a certification database 2124. Accordingly, the processor 2110 and modules 2132, 2134 and 2136 may be coupled to a portion of the processor 2200 of the autonomous control system 2104 or to the same elements. Similarly, rules database 2122 and / or proof database 2124 and / or memory 2115 may be stored in secure storage 2202 of autonomous control system 2104.

  The rules database 2122 may store various access control rules, as described in further detail below. Certificate database 2124 may store various certificates for devices, documents, users, etc., as described in further detail below. The security module 2100 can be a scoring module 2132 that can derive and / or update security scores, a verification module 2134 that can determine whether security rules are satisfied, and / or security rules and / or access permissions. May also include sub-modules, such as a permission module 2136 that may be defined automatically or manually. Any device described herein as performing security verification, or as a QSM-capable device, or as a QSM device may include a security module 2100, and verification related to QSM as described, and Note that a security module 2100 may be used to perform other processes.

  FIG. 17 is a security score derivation 2200 according to an embodiment of the invention. An evaluation process may be performed on the asset to determine its security level. In order to achieve this result, a normalized security score representing the security level of the asset may be generated at the end of the evaluation. Apply a pre-determined set of security criteria (security objectives) 2210 to the asset's main functions (what it does, its purpose) separated by a predefined grouping (security category) 2220 for assessment purposes Throughout the process, the score may be normalized. For each security objective 2210, an assessment may be performed on each of the asset's security categories, and a security score ("Security Objective Score, SOS") that is within the range assigned to the security objective is generated. Also good. The degree of severity for each score can vary from asset to asset, or even from instance to instance. When all of the goal scores have been generated, these may be combined using a predefined goal score aggregation method (eg, weighted average), resulting in a normalized security score (“NSS”). ) 2230.

  FIG. 18 is a specific example of a security category 2220 and a security goal 2210 that is an asset (and its classification) 2230 according to an embodiment of the present invention that may be used in some embodiments. For example, asset 2230 may have a storage device, process, and transport security category 2220 that corresponds to the main functions performed by asset 2230 (eg, data storage, data processing, data transport). obtain. Each of the security categories 2220 has an authorization (AZ), confidentiality (C), integrity (I), availability (AV), non-repudiation (NR), and authentication (AI) security objective 2210. obtain. Based on how well each of the functional categories associated with the security category 2220 score on the score security goal 2210, the NSS for the asset 2230 will determine how well the set 2230 meets the overall security goal 2210. Indications may be provided.

  FIG. 19 is an asset evaluation 2300 flow diagram according to an embodiment of the present invention. Some assets may be complex (eg, made up of many subcomponents). For these complex assets, a measurement technique, such as technique 2300 of FIG. 19, may be performed on each subcomponent independently to derive an NSS value for each subcomponent. These subcomponent values may be combined to generate the highest asset NSS. Assets may be selected for evaluation and evaluation may begin 2305. One or more security categories 2220 may be identified, and each security category 2220 may be evaluated 2310. Each security category 2220 may include one or more security objectives 2210, and each security objective 2210 may be evaluated 2315. Security module 2100 may determine 2320 whether a security goal score may be calculated for security goal 2210. If so, the security goal score calculation may begin 2325 and the security goal score may be generated 2330. An example of security goal score calculation is discussed in more detail below. When the score is calculated 2335, the next security goal 2210 may be selected 2315. If a security goal score cannot be calculated for security goal 2210 2320, security module 2100 may determine 2340 whether the asset should be subdivided. Some assets may be too complex to derive a security goal score directly, or may comprise previously evaluated components, devices, and / or systems. Assets may be subdivided to accommodate these situations.

  20-23 are asset segmentation examples 3200 and 3250 according to an embodiment of the present invention. FIG. 20 depicts this rule using a laptop as an example, where the laptop is divided into a CPU, an operating system, and a GPU component. FIG. 21 depicts a water purification plant as another example, where the plant is divided into a water collection system, a purification system, and a potable water system component. As shown, some sub-assets may only contribute to a single security category score, while others may contribute to multiple security categories. FIG. 22 shows how the laptop sub-asset from FIG. 20 can be further classified into a specific driver under the driver sub-asset and a specific application under the application sub-asset. In the description, the virtual machine (VM) sub-asset of the application sub-asset is further classified as an application running under the VM. This process may be repeated as necessary until each sub-asset can be accurately evaluated. FIG. 23 shows further classification of the clean water sub-assets of the sub-asset from FIG. 21, regardless of asset type, for any critical infrastructure component or asset that needs to be evaluated. That it can be applicable. An informed person in the area to which the asset belongs will follow this methodology to make any complex system a sub- You may recursively classify assets. In the water plant example, these may be sub-assets such as fences, guards, and locks, and their physical security impact may be well documented or quantized.

  Referring back to FIG. 19, if there are no possible subdivisions, a default security goal score may be assigned 2345 and the rating 2300 may move to the next security goal 2315. If subdivision is performed 2340, the security module 2100 may define a sub-asset 2350 and a sub-asset weighting equation 2355. As described above, the sub-assets may be further divided by themselves, in which case the analysis may be performed on the further divided sub-assets. For each sub-asset 2360, an asset evaluation 2365 may be performed and a security goal score 2370 may be generated. All security goal scores may be evaluated 2375, and security category scores may be evaluated 2380. If there are more security categories 2220 to evaluate, the next security category 2220 may be selected 2310, and the evaluation described above may be performed against the security objective 2210 of the next security category 2220. Good. When all security categories 2220 have been evaluated, asset evaluation may end 2385. A total of 18 evaluations may be performed on the assets 2230 of FIG. 18 in three security categories 2220 each having six security objectives 2210.

Utilizing NSS, target score sets, and derived security rules, along with encryption techniques such as public key certification, digital assets can be used together with the time the asset assessment was performed in Base Security Score Certification (BSSC). The security level may be stored safely. FIG. 24 is a BSSC 2700 according to an embodiment of the present invention. BSSC 2700 may include a score for each security goal 2210 and category 2220. The example asset 2230, BSSC 700 of FIG. 18 may be a 3-tuple security category 2220 score (SCS), each of which may then be a 6-tuple security goal 2210 score. FIG. 25 is an exemplary BSSC 2700 for asset 2230 of FIG. This exemplary BSSC 2700 may have a base security score (BSS), and BSS = ((Transport SCS)), (Storage SCS), (Process SCS)), or BSS = ((T _C , T _I , T _AZ , T _AI , T _AV , T _NR ), (S _C , S _I , S _AZ , S _AI , S _AV , S _NR ), (P _C , P _I , P _AZ , P _AI , P _AV , _PNR )) where C = confidentiality, I = integrity, AZ = authorization, AI = authentication, AV = utilization Availability, and NR = non-repudiation. BSSC 2700 may be signed by, for example, an individual, a corporation, a regulatory agency, or a government agency. BSSC 2700 may include the date / time that the certificate was issued and the date / time that the certificate expired. BSSC 2700 may also include an attenuation factor for NSS, which is described in further detail below.

  Taking into account the transient nature of security, it means that security may have a high potential to degrade later measurements, so the last NSS assessment noted in BSSC has been made. A security decay rate (ROD) algorithm may be used to account for the likely security degradation that has occurred. ROD can be used to determine a real security score for a system given the time elapsed since the BSSC was first issued. The algorithm for calculating ROD may depend on the metric chosen to score the system. By using the NSS and target score set as input along with the time of the last evaluation (and optionally other security rules or recorded asset usage history), the new NSS score is more accurate. It may be calculated and used for a common security comparison.

  The security goal score may provide a likelihood-based assessment determined by calculating a security metric, which may describe a potential compromise. This likelihood-based equation may be expressed as SOS = P (compromise | security measure ≠ threat). SOS is a possibility based on a potential asset compromise, with realized security measures that do not protect against threats, where threats may be exploited by actors with a given motivation This is a probable expression over time. Threat = P (Time | Actor | Motivation | Development).

  In order to allow the SOS to be a set of values, time may be derived and carried in the BSSC and represented as ROD. ROD may indicate how sensitive the SOS is to time exposure. A higher ROD may indicate that the threat to the asset increases over time than a lower ROD.

  For example, the NSS may have a range from 0 to 10, with zero indicating no security and 10 indicating complete security. Calculate ROD if a given asset has a retention period of 770 days (or time until a patch or update is required) and there are no other factors that contribute to reducing or extending this retention period One way to do this may be by taking the maximum NSS value of 10 and dividing it by 770 days. ROD = 10 (maximum NSS value) / (day to 100% compromise possibility) = 10/770 =. 013 / day. Regardless of the security of the system, at the end of 770 days, by reducing the NSS calculated by ROD ×, the change in time (days), the score will be zero. In other words, the system may be considered insecure without any action. In fact, there may be some minimum value above zero that the system may be considered unsafe, and this value may be represented as the minimum NSS in the SRC.

Another example might relate to ammunition depots in military installations. A vault door on the ammunition cabinet may contribute to _one component of security (“S ₁ ”). The vault is rated at the 6-hour penetration level, and the vendors tested show a 60% penetration rate against skilled attackers with unrestricted access after a 6-hour period that then increases by 5% every hour. And Therefore, _{S 1} is a ROD step in 6 hours. 95, 0.6, and then steady every hour. 05 attenuation. This, as clearly stated in the vault's BSS, may direct the guard to walk around the ammunition every 3 hours (essentially resetting the ROD as a door). These two factors were consistent. Both can contribute S ₁ to 95 doors.

  FIG. 26 is a security score degradation 900 according to an embodiment of the invention. Line 910 shows security for a system without an ROD value that remains constant over time. However, the longer the system runs, the more likely it is to compromise. This drop in security is indicated by line 920, which indicates a linear ROD of 0.01 per unit of time. Lines 930 and 940 show the security of the system over time while taking into account events that can negatively impact the security of the system. Line 930 represents four security events, which reduce the security of the system but do not cause a change in ROD. Line 940 depicts the same four events, but assume that each of these events also changes the ROD value. The events depicted in FIG. 26, for example, result in connecting a USB device to the system, connecting the system to an untrusted network, browsing to a malicious website, or installing a downloaded application. It may be.

  In order to allow assets to maintain a history of significant events, QSM may support the concept of a certification chain or a security score chain (SSC). The BSSC may provide a base certificate at any SSC. The asset can modify the score and sign a new proof with the BSSC, thereby creating an SSC. When creating an SSC, the asset may include a record of why the modification was made. In FIG. 26, after each event on line 930 or 940, updates to the SSC are made by recording the events that caused these changes to reflect changes to the ROD. If the BSSC is given ROD, the new security score will be May be adjusted. The expiration date / time cannot be extended beyond the expiration of the BSSC, but may be shortened if appropriate. Further, where appropriate, the ROD may be modified to reflect new risks and threats.

  FIG. 27 is a security requirement certificate (SRC) 3400 according to an embodiment of the present invention. The SRC, such as BSSC, can provide security requirement weighting (SRW) for each of the security objectives 2210 score (SOS), security weighting for each of the security objectives 2210, authorized BSSC and SSC signers, and / or minimal normalization. It may be a cryptographically protected and signed record containing a security score (NSS).

  The SRC may specify which signers are recognized and accepted by the resource when evaluating the BSSC of the asset being viewed to gain access to the resource. This may protect resources against attempts to alter the security score by generating a BSSC signed by an unauthorized signer. Furthermore, the ability to identify trusted signers may allow for variations in the security metric used and the rating scale for NSS. For example, the security metric may be based on a Sandia RAM series evaluation, and such a specification may allow a conversion from Sandia RAM series evaluation to NSS in the range of 0-100. Similarly, another embodiment may use CARVER methodology, or some pair-wise comparison evaluation, and may use the QSM 0-10 scale. Similarly, embodiments can utilize ownership metrics and scales from 0.00 to 1.00. Any and all of the above combinations may be utilized in the evaluation of complex systems, and NSS and QSM methodologies may allow their inclusion. QSM may take into account known deficiencies in the methodology by increasing the decay rate and reducing NSS due to metric uncertainty. Thus, existing systems and evaluations may be leveraged in the short term until a valid QSM evaluation can be performed.

  Improved authentication between assets and the authorization process may take advantage of the common security measurement and comparison methods described above. By forcing real-time assessments to derive NSS and asset target score sets, or by using information stored in BSSCs from past assessments and optionally using asset decay rate algorithms This may be done. Additional security rules, such as those stored at the BSSC, may also be used as an authentication or authorization criterion. The security level variation may be performed in one direction for one of the assets engaged in the authentication or authorization process, as shown in the exemplary security verification described above. In some embodiments, bi-directional variations (or omni-directional variations when two or more assets are attempting to authenticate or authorize each other) may be performed, where each Assets verify the security level of others.

The NSS may be the highest level score in the QSM and may be calculated by applying the security requirement weighting in the security requirement proof to the security goal score in the base security score. Mathematically, the SRW may be similar to the BSSC (eg, a 3-tuple security category weighting (SCW) (which may be percentage weighting, each of which contributes to the NSS) SCW is a 6-tuple value of security target weighting (SOW) (this is a percentage weighting attributed to each of the SOS values) For example, SRW = SRW = (Transfer SCW ( transfer SOW), storage device SCW (storage SOW), process SCW (process SOW)) or _{SRW = (SCW (T C,} T I, T AZ, T AI, T AV, T NR), SCW (S C, _{S I, S AZ, S AI} , S AV, S NR), SCW (P C, P I, P AZ, P AI, P AV, P May be represented by that can as _R)).

The NSS may provide a metric (ΔT) that can be used to evaluate the security status of a given asset over time. This score may be used to authenticate the asset, authorize access, compare asset security utilities, or determine, for example, where improvements are made to a given asset. NSS may be calculated as NSS = (BSS * SRW) − (ROD * ΔT). Thus, for the example of FIG. 3 and 7, NSS _{is, NSS = (SCW T * (} T C * TW C + T I * TW I + T AZ * TW AZ + T AI * TW AI + T AV * TW AV + T NR * TW NR _{) + SCW S * (S C} * SW C + S I * SW I + S AZ * SW AZ + S AI * SW AI + S AV * SW AV + S NR * SW NR) + SCW P * (P C * PW C + P I * PW I + P _AZ * PW _AZ + P _AI * PW _AI + P _AV * PW _AV + P _NR * PW _NR ))-(ROD * (T _CURRENT -T _ISSUED )).

  FIG. 28 is a base security score proof 3500 according to an embodiment of the present invention. In this example, BSS = ((6.05, 3.47, 3.83, 4.89, 5.42, 3.46), (6.52, 4.45, 5.78, 5.09, 6.43, 4.80), (4.52, 4.89, 2.69, 3.68, 6.79, 2.64)). ROD is. 013 / day, the certificate was issued on February 22, 2014 and expires on August 24, 2014.

  FIG. 29 is a security requirement certificate 3600 according to an embodiment of the present invention. In this example, SRW = (0% (0%, 0%, 0%, 0%, 0%, 0%), 65% (25%, 40%, 5%, 5%, 25%, 0%) 35% (17%, 17%, 17%, 16%, 17%, 16%)). A 0.0 weighting in the transport security goal weighting indicates that this particular asset owner does not care about or use the transport activity. Such a scenario may exist as a stand-alone machine or smart card, which may not have any means of transporting data, but has storage and processing power. The minimum required NSS listed in the SRC is 5.0 and issuance date or TCURRENT = March 22, 2014. The following is a detailed calculation of the storage device portion, and other detailed calculations are omitted.

Memory part = 0.65 * (0.25 * 6.05 + 0.4 * 3.47 + 0.05 * 3.83 + 0.05 * 4.89 + 0.25 * 5.42 + 0.0 * 3.46) = 3. 05
NSS = (0 + 3.05 + 1.93) − (0.013 * (23 March 2014-22 February 2014) = (4.98− (0.013 * 29)) = 4.6
This calculated NSS may be compared against the minimum stored NSS value, and if it exceeds the minimum NSS value, it may be approved. In the above example, the calculated NSS of 4.6 is lower than the SRC permits (5.0), so the device is rejected.

  NSS values may be compared and contrasted so that a security level index can be applied to asset security. FIG. 30 is an NSS comparison 2400 according to an embodiment of the invention. The NSS value 2410 may be compared to the NSS index 2420 to determine whether the NSS for the asset indicates that the asset has the minimum required security level. For example, NSS index 2420 indicates that an asset with a score of 5.5 or higher has an acceptable security level, and an asset with a score lower than 5.5 does not have an acceptable security level. Also good. In the example of FIG. 30, the asset has an NSS of 6.8, thus exceeding the 5.5 requirement. Further, two or more assets may be compared to determine if they have the same or contrasting security level, or to determine which assets are more secure. FIG. 31 is an NSS comparison 2500 according to an embodiment of the present invention. In this example, asset 1 is considered more secure than asset 1 because asset 1 has an NSS value 2510 of 6.8 and asset 2 has an NSS value 2520 of 7.2. May be. Based on approved, predetermined security objectives and categories, along with a predetermined score aggregation process and common security measurement method, transition is a security comparison that is approved, reproducible, and independent. May suggest that this is a verifiable security comparison.

  Using the NSS and the target score set, an extended security comparison may be performed, which may typically measure a more specific security contribution of the asset. FIG. 32 is a security verification 2600 according to an embodiment of the present invention. The asset 2610 (eg, USB device) may have a calculated NSS (eg, 6.8), and the QSM capable system 2620 may validate the asset security 2600 before interacting with the asset. Good. System 2620 may be asked to perform an operation that uses the asset (eg, a write operation to a USB device) 2630, eg, via user input. Asset 2610 may send its NSS 2640 to system 2620. System 2620 may evaluate the NSS (eg, by performing a comparison as shown in FIG. 30). If the NSS evaluation indicates adequate security, operation may continue. Otherwise, operation can be hindered.

  In the example of FIG. 33, a security comparison 2100 according to an embodiment of the present invention, in which two different systems are compared. System # 1 has a lower NSS score than system # 2, but system # 1 has a higher category score for storage confidentiality than system # 2. Such a comparison can be used to determine which products to buy (eg, which products best meet the user's security needs) or to determine which systems should be upgraded first. Or it may be used to inform other decisions about system security.

  FIG. 34 is a security verification 2800 according to an embodiment of the present invention, where an asset BSSC (laptop 2810) may be used for interaction with the corporate network 2820. Asset 2810 may attempt to subscribe to network 2820 and may provide BSSC 2830. The network 2820 may evaluate the BSSC to determine 2840 whether the asset 2810 is secure. In this example, network 2820 denies access to asset 2810 because asset 2810 has an NSS in its BSSC that falls below the threshold required by network 2820.

  FIG. 35 is a mutual security verification 3000 according to an embodiment of the present invention. In this example, the laptop 3010 may verify the BSSC of the corporate network 3020, the corporate network 3020 may verify the BSSC of the laptop 3010, and each asset will allow the other to accept the interaction. It may be determined separately whether or not it has sufficiently high security to permit.

  In some embodiments, security rule enforcement during the verification process may facilitate re-evaluation of one or more of the assets participating in the authentication or authorization.

  FIG. 36 is a security verification 3100 according to an embodiment of the present invention. The asset's BSSC (laptop 3110) may be used for interaction with the corporate network 3120. Asset 3110 may attempt to join network 3120 and may provide its BSSC 3130. The network 3120 may evaluate the BSSC to determine 3140 that the asset 3110 is not secure. In this example, asset 3110 denies access to asset 3110 because it has an NSS in its BSSC below the threshold required by network 3120. Asset 3110 may be re-evaluated 3150 by security module 2100 in response. As mentioned above, the NSS value may decrease over time. Furthermore, new security functions may be realized on the asset over time. Accordingly, the reevaluation 3150 may generate a new NSS value for the updated BSSC. In this example, the new value indicates that asset 3110 is secure enough to interact with network 3120. Asset 3110 may make a second attempt to join network 3120 and may provide its updated BSSC 3160. Network 3120 may evaluate the BSSC and determine 3170 that asset 3110 is secure. QSM evaluation of devices with built-in processing power, such as servers, PCs, and routers, may be performed automatically. This may be accomplished by running a QSM process that utilizes a combination of backend databases, scanning configuration information on a computer, and / or automated penetration testing tools to generate NSS. . This may allow a service provider or network to request at least a minimum security status for devices that wish to connect to those services that may not have undergone a full QSM evaluation.

  This automation may be further stepped to protect the QSM device on a preempt basis. As new developments or other threats are identified, the backend database may search for registered devices that are susceptible and take preemptive action. This action may reduce their NSS, cancel their cert and / or disable asset specific services, for example, their particular service, or patch or You may advise that the update be installed or that the system administrator advise the threat. Due to the nature of many computer networks, these preemptive services may require periodic communication between the device and the backend service in some embodiments.

  Automated evaluation and proof generation may be performed, for example, for access to a system that may have certain high security requirements that may not be acceptable even for proofs that are several days old. These high security systems may require proof that is currently valid (eg, that day, that week, etc.). This may be handled automatically in some embodiments. The automated QSM evaluation process may, in some embodiments, allow the system to request a re-evaluation and re-certification at each request to utilize system resources.

  The following additional examples illustrate scenarios where QSM may be used for authentication and / or authorization. For the purposes of this section, it may be assumed that devices in QSM have SSC. Devices or systems that have their own computing resources may be assumed to also have SRC. An example of a device that cannot have an SRC is a USB memory stick. Many USB memory sticks do not have their own computing resources, so they may not be able to compare their SRC with the SSC they received, so why they have SRC There may not be. Furthermore, the SSC for a device that does not have its own computational resources may simply be a BSSC because the device cannot update the SSC from the BSSC.

  A device using QSM may leverage SSC to perform device authentication and authorize network access. As described above, this authentication and authorization may be mutual and allow each entity to authenticate and authorize the other. Utilizing an automated QSM assessment tool, this mutual authentication can be used to temporarily or network resources such as subscribing to Wi-Fi access points at joint offices, accessing online commerce, etc. It may be extended to external devices that may require occasional access. Resource owners may not be able to request physical assessments of each device, which may require occasional access to their resources, where they request download or access to the QSM assessment tool as part of the registration or contract process It may be feasible to do. The QSM tool may then generate an automated BSSC based on the automated scan as discussed above, after which the devices may interact with each other before access to network resources is granted. You may participate in the authentication exchange.

  FIG. 37 is a security verification 3800 according to an embodiment of the present invention. When connecting to a network, the device can provide the network with its SSC 3810. Since the SSC is a cryptographically signed proof, the SSC may be unique to the device. As a result, this may be exploited to authenticate the device (rather than the user) to the network. The network can leverage SSC for logging purposes to identify any device that may behave in a malicious or suspicious manner. A network administrator can leverage the SSC in some embodiments to determine whether a device is allowed to join the network based on the current security level of the device. Devices that meet the requirements may be allowed to join the network 3820. Apart from simply allowing or not allowing access, the SSC may be utilized to determine which network segment the device is authorized to access. For example, devices that do not meet corporate security requirements may be placed on the guest network so that the devices can access the Internet while preventing access to corporate resources 3830.

  FIG. 38 is a security verification 3900 according to an embodiment of the present invention. Devices can also leverage SSC to authenticate and authorize the network itself. Since the networks themselves may have cryptographically signed SSCs, the device may be able to identify the network it is trying to join. This methodology can eliminate the possibility of network spoofing, whether wired, wireless, or cellular. Users and / or system administrators can leverage the SSC to limit which networks the device uses. For example, an enterprise administrator can configure a laptop so that the laptop can only connect to the enterprise network, a designated telecommuter router in the employee's home, and a designated cellular network. Employees may not be able to connect their devices to any other network. In this example, the laptop may send its SSC to the network 3910. The network may ignore the SSC if this is not evaluated for NSS compliance 3920. In this case, the laptop may refuse to connect to the network 3930 because the SRC is not met.

  Furthermore, since the SSC may be updated from time to time, the system administrator may permit the device to join a less secure network. The SSC of the device may be updated to indicate which insecure network it has joined. With the resulting reduction in SSC, the enterprise network may force the device to be re-evaluated before allowing it to re-join the network. For example, such techniques may be useful when employees move with their laptops. In addition, the user or system administrator may leverage the network's SSC to authorize which device resources may be made accessible to the network. For example, a device firewall may prevent a network that does not meet a certain security level from being allowed to access a file share or web server running on the device.

  FIG. 39 is a security verification 4000 according to an embodiment of the present invention. Apart from authenticating and authorizing the network, the computer may authenticate and authorize the device based on their SSC. For example, a USB storage device may include an SSC and send 4010 to the computer when connected to the computer. If the SSC does not meet certain criteria (eg, has stopped and has not properly encrypted the data), the host computer may prevent the user from copying information to the USB stick 4020. Further, if the host computer can detect the nature of the data being copied, the decision 4020 as to whether a copy can occur may be based on the combination of the data itself and the SSC of the destination device. Similar examples may exist for many other types of devices. In some embodiments, handshaking between devices may be modified to ensure that the SSC is always transmitted. For example, both host and slave devices may share their SSC as part of the USB handshaking protocol. This may allow the device to perform mutual authentication and authorization.

  The device may also utilize SSC to allow access to sensitive information on the device itself. For example, a device with a trusted computing space may be configured to only allow access to encrypted information on the device if the SSC meets certain criteria. A trusted computing processor may detect an attempt to access an encrypted volume and then determine whether the current SSC meets the criteria for that encrypted volume. Even if the user knows the decryption key, the devices may prevent them from decrypting information because the devices (which may have been compromised) are no longer reliable. This may allow a computing device specifically designed to take advantage of separate components for sensitive storage, which may require the SSC to be SRC compliant. In essence, sensitive storage components may be viewed as separate devices by the system.

  Hardware and software products utilize user-provided SRCs and desired SSCs (to the extent available) to automatically configure parameters and settings to establish SOS to ensure compliance. Also good. Removing burden from the user to determine what parameter combinations are available in the product configuration may provide functionality and security. Similarly, resource owners may require certain services or devices to be disabled or stopped while accessing their resources. Utilizing both automatic configuration and QSM automatic evaluation processes may allow this type of dynamic configuration to match security requirements.

  The SSC may provide product purchase information. Product manufacturers may provide SSC for product online, allowing consumers to perform direct comparisons between products in their specific security environment. Similarly, in order to learn what products meet their security requirements, the website may allow potential consumers to submit SRCs. This may allow the consumer to determine which products produce the desired security enhancement or performance before making a purchase. It may even be possible to develop a system to perform a simulation of the system to learn how implementing a new product or configuration can impact overall security. . Manufacturers may be able to quantify the amount of security they can provide to their users and indicate to a given security SRC how much security they add beyond their competitors.

  While various embodiments have been described above, it should be understood that they have been presented by way of example and not limitation. It will be apparent to those skilled in the art that various changes in form and detail can be made there without departing from the spirit and scope. In fact, after reading the above description, it will be apparent to those skilled in the art how to implement alternative embodiments.

  In addition, it should be understood that any drawing that highlights functionality and advantages is presented for illustrative purposes only. Each of the disclosed methodologies and systems are sufficiently flexible and can be configured to utilize them in ways other than those shown.

  The term “at least one” is often used in the description, claims, and drawings, but the terms “a”, “an”, “the”, “said”, etc. are also used in the specification, patent, “At least one” or “the least one” in the claims and in the drawings.

  Finally, it is Applicants' intention that only claims that contain the expression language “means for” or “steps for” should be construed under 35 USC 112 (f). A claim not explicitly including the phrase “means for” or “step for” should not be construed under 35 USC 112 (f).

Utilizing NSS, target score sets, and derived security rules, along with encryption techniques such as public key certification, digital assets can be used together with the time the asset assessment was performed in Base Security Score Certification (BSSC). The security level may be stored safely. FIG. 24 is a BSSC 2700 according to an embodiment of the present invention. BSSC 2700 may include a score for each security goal 2210 and category 2220. The example asset 2230, BSSC 2700 of FIG. 18 may be a 3-tuple security category 2220 score (SCS), each of which may then be a 6-tuple security goal 2210 score. FIG. 25 is an exemplary BSSC 2700 for asset 2230 of FIG. This exemplary BSSC 2700 may have a base security score (BSS), and BSS = ((Transport SCS)), (Storage SCS), (Process SCS)), or BSS = ((T _C , T _I , T _AZ , T _AI , T _AV , T _NR ), (S _C , S _I , S _AZ , S _AI , S _AV , S _NR ), (P _C , P _I , P _AZ , P _AI , P _AV , _PNR )) where C = confidentiality, I = integrity, AZ = authorization, AI = authentication, AV = utilization Availability, and NR = non-repudiation. BSSC 2700 may be signed by, for example, an individual, a corporation, a regulatory agency, or a government agency. BSSC 2700 may include the date / time that the certificate was issued and the date / time that the certificate expired. BSSC 2700 may also include an attenuation factor for NSS, which is described in further detail below.

Finally, it is Applicants' intention that only claims that contain the expression language “means for” or “steps for” should be construed under 35 USC 112 (f). A claim not explicitly including the phrase “means for” or “step for” should not be construed under 35 USC 112 (f).
The invention described in the scope of claims at the time of filing the present application will be appended.
[1] A system for secure electronic access,
The protected device including at least one security processor that receives at least one electronic certificate from an electronic device seeking access to a secure resource on the protected device, wherein the at least one certificate Provides device information related to the security of the electronic device,
An autonomous system including at least one autonomous processor and at least one autonomous memory, wherein the at least one autonomous memory stores security requirement information and the at least one autonomous A processor that compares the device information with the security requirement information, and the at least one autonomous processor sends the secure information to the at least one security processor when the device information satisfies the security requirement information. Instructing the device to provide resources,
The protected device provides the secure resource to the electronic device in response to the command;
A system comprising:
[2] The system according to [1], wherein the secure resource includes a digital file or a collection of digital files.
[3] The system according to [1], wherein the secure resource includes a hardware resource.
[4] The system according to [1], wherein the at least one autonomous processor controls a condition of use of the secure resource by the electronic device based on the comparison.
[5] The at least one autonomous processor creates a compressed archive including the digital file or collection of digital files, a security requirement certificate including the security requirement information, and a set of permission key value pairs. The system according to [2], wherein the at least one electronic certificate of the security system is verified.
[6] The at least one autonomous processor applies an encrypted digital signature to each of the digital files or digital files in the digital file collection to provide authentic authentication and author authentication; The digital signature is applied when a file is created, and updated or applied as a second encrypted digital signature each time the digital file or the digital file collection changes. system.
[7] The at least one autonomous processor controls printing, copying, displaying, editing, and / or sending the digital file or the digital file collection based on the security requirement information. The system according to [2], which implements attributes, settings, and permissions.
[8] The autonomous system includes an autonomous system private key arranged in the autonomous system, and the autonomous system signs a message with the autonomous system private key, and the autonomous system A message signed by a local system is sent to the source, which determines whether there has been unauthorized access to the autonomous system or whether there has been tampering with the autonomous system The system according to [1].
[9] The source includes a source private key located within the source, the source signs a message with the source private key, and sends a message signed with the source to the autonomous system; The system of [8], wherein the autonomous system determines whether there is unauthorized access to the source or whether there is tampering at the source.
[10] A system for secure electronic access,
At least one security processor that receives at least one electronic certificate that describes the security of the protected device, the at least one electronic certificate, and resources in a form that is unusable for the protected device; Outputting the security requirement information, and the protected device;
Providing an autonomous system including at least one autonomous processor and at least one memory storing the at least one electronic certificate, wherein the at least one electronic certificate is provided to the protected device;
Receiving the at least one electronic certificate, the resource in an unusable form for the protected device, and the security requirement information from the protected device; and receiving the at least one electronic certificate When the at least one electronic certificate indicates that the security system satisfies the security requirement information, as compared to security requirement information, transforms the resource into a form usable for the protected device, and An authorizer system configured and designed to perform at least one authorizer process by providing the protected device with the resources in a form usable for the protected device;
A system comprising:
[11] The system according to [10], wherein the resource includes a digital file or a collection of digital files.
[12] The system according to [10], wherein the at least one autonomous processor controls a condition of use of the resource by the security system based on the comparison.
[13] The system of [11], wherein the digital file or the digital file collection in a form usable by the protected device is stored in the at least one autonomous memory.
[14] The system according to [10], wherein the at least one autonomous processor controls a condition of use of the resource by the protected device based on information from the autonomous system.
[15] The at least one autonomous processor controls printing, copying, displaying, editing, and / or sending the digital file or the digital file collection based on the security requirement information. The system according to [11], wherein the attribute, setting, and permission are performed.
[16] The autonomous system includes an autonomous system private key arranged in the autonomous system, and the autonomous system signs a message with the autonomous system private key, and the autonomous system A message signed by a local system is sent to the source, which determines whether there has been unauthorized access to the autonomous system or whether there has been tampering with the autonomous system The system according to [10].
[17] The source includes a source private key located within the source, the source signs a message with the source private key, and sends a message signed with the source to the autonomous system; The system of [16], wherein the autonomy determines whether there has been unauthorized access to the source or whether there has been tampering with the source.
[18] A method of securing electronic access,
Receiving at least one electronic certificate from an electronic device seeking access to a secure resource at a protected device including at least one security processor, wherein the at least one certificate is the electronic device Provides device information related to the security of
Comparing the device information with the security requirement information by at least one autonomous processor of the autonomous system;
The at least one autonomous processor instructing the at least one security processor to provide the secure resource to the device when the device information satisfies the security requirement information;
The protected device providing the secure resource to the electronic device in response to the instructions;
A method comprising:
[19] The method according to [18], wherein the secure resource includes a digital file or a collection of digital files.
[20] The method according to [18], wherein the secure resource includes a hardware resource.
[21] The method of [18], further comprising the at least one autonomous processor that controls a condition of use of the secure resource by the device based on the comparing.
[22] Create a compressed archive containing the digital file or collection of digital files, the security requirement information, and a set of permission key value pairs, and verify that the device information satisfies the security requirement information The method of [19], further comprising the at least one autonomous processor.
[23] The at least one autonomous processor further applying an encrypted digital signature to each of the digital file and each digital file in the digital file collection to provide authentic authentication and authorship authentication. The digital signature is applied at the time of file creation and updated or applied as a second encrypted digital signature each time the digital file or the digital file collection changes. [22] the method of.
[24] Based on the security requirement information, perform at least attributes, settings, and permissions to control printing, copying, display, editing, and / or transmission of the digital file or the digital file collection. The method of [19], further comprising one autonomous processor.
[25] The method further comprises an autonomous system that signs a message with an autonomous system private key and sends a message signed by the autonomous system to a source, the source not authorized to the control system The method according to [18], wherein it is determined whether there has been access or whether there has been tampering with the control system.
[26] further comprising a source signing a message with a source private key and sending the message signed at the source to the autonomous system, the autonomous system having unauthorized access to the source The method according to [25], wherein it is determined whether or not there has been tampering with the source.
[27] A method for securing electronic access,
Storing at least one electronic certificate describing the security of the protected device in at least one autonomous memory of the autonomous system;
At least one autonomous processor of the autonomous system providing the at least one proof to the protected device;
The autonomous system outputting the at least one electronic certificate, resources in a usable form for the protected device, and security requirement information to an authorizer system;
At least one authorizer process of the authorizer system that compares the at least one proof with the security requirement information;
The at least one authorizer that transforms the resource into a usable form for the protected device when the at least one electronic certificate indicates that the protected device satisfies the security requirement information. Process,
The at least one authorizer process that provides the resource in a form usable for the autonomous system to the protected device.
[28] The method according to [27], wherein the resource includes a digital file or a collection of digital files.
[29] The method of [27], wherein the at least one autonomous process controls conditions of use of the resource by the protected device based on the comparing.
[30] The method of [28], further comprising storing the resource in a form usable for the electronic system in the at least one autonomous memory.
[31] The method of [27], further comprising the at least one autonomous processor that controls conditions of use of the resource by the protected device based on information from the authorizer system.
[32] The autonomous system that implements attributes, settings, and permissions to control printing, copying, display, editing, and / or transmission of the digital file or the digital file collection based on the security requirement information The method of [28], further comprising a general system.
[33] The method further comprises an autonomous system that signs a message with an autonomous system private key and sends the message signed by the autonomous system to a source, the source being authorized to the autonomous system. The method according to [27], wherein it is determined whether there has been an access that has not been made, or whether there has been a tampering in the autonomous system.
[34] further comprising a source signing a message with a source private key and sending the message signed at the source to the autonomous system, wherein the autonomy has received unauthorized access to the source; Alternatively, the method according to [33], wherein it is determined whether or not the source has been tampered with.

Claims (34)

A system for secure electronic access,
The protected device including at least one security processor that receives at least one electronic certificate from an electronic device seeking access to a secure resource on the protected device, wherein the at least one certificate Provides device information related to the security of the electronic device,
An autonomous system including at least one autonomous processor and at least one autonomous memory, wherein the at least one autonomous memory stores security requirement information and the at least one autonomous A processor that compares the device information with the security requirement information, and the at least one autonomous processor sends the secure information to the at least one security processor when the device information satisfies the security requirement information. Instructing the device to provide resources,
The protected device provides the secure resource to the electronic device in response to the command;
A system comprising:   The system of claim 1, wherein the secure resource comprises a digital file or a collection of digital files.   The system of claim 1, wherein the secure resource includes a hardware resource.   The system of claim 1, wherein the at least one autonomous processor controls conditions for use of the secure resource by the electronic device based on the comparison.   The at least one autonomous processor creates a compressed archive that includes the digital file or collection of digital files, a security requirement certificate that includes the security requirement information, and a set of permission key value pairs, and the security The system of claim 2, wherein the at least one electronic certificate of the system is verified.   The at least one autonomous processor applies an encrypted digital signature to each of the digital files or digital files in the digital file collection to provide authentic authentication and author authentication; 6. The system of claim 5, applied during file creation and updated or applied as a second encrypted digital signature each time the digital file or the collection of digital files changes.   The at least one autonomous processor is configured with attributes and settings to control printing, copying, displaying, editing, and / or sending of the digital file or the collection of digital files based on the security requirement information. The system of claim 2, wherein the authorization is performed.   The autonomous system includes an autonomous system private key located in the autonomous system, the autonomous system signing a message with the autonomous system private key, and the autonomous system Sending a message signed in to the source, wherein the source determines whether there has been unauthorized access to the autonomous system or whether there has been tampering with the autonomous system. Item 4. The system according to Item 1.   The source includes a source private key located within the source, the source signs a message with the source private key, sends a message signed with the source to the autonomous system, and the autonomous 9. The system of claim 8, wherein the secure system determines whether there is unauthorized access to the source or whether there is tampering at the source. A system for secure electronic access,
At least one security processor that receives at least one electronic certificate that describes the security of the protected device, the at least one electronic certificate, and resources in a form that is unusable for the protected device; Outputting the security requirement information, and the protected device;
Providing an autonomous system including at least one autonomous processor and at least one memory storing the at least one electronic certificate, wherein the at least one electronic certificate is provided to the protected device;
Receiving the at least one electronic certificate, the resource in an unusable form for the protected device, and the security requirement information from the protected device; and receiving the at least one electronic certificate When the at least one electronic certificate indicates that the security system satisfies the security requirement information, as compared to security requirement information, transforms the resource into a form usable for the protected device, and An authorizer system configured and designed to perform at least one authorizer process by providing the protected device with the resources in a form usable for the protected device;
A system comprising:   The system of claim 10, wherein the resource comprises a digital file or a collection of digital files.   The system of claim 10, wherein the at least one autonomous processor controls conditions of use of the resource by the security system based on the comparison.   The system of claim 11, wherein the digital file or the digital file collection in a form usable by the protected device is stored in the at least one autonomous memory.   The system of claim 10, wherein the at least one autonomous processor controls conditions for use of the resource by the protected device based on information from the autonomous system.   The at least one autonomous processor is configured with attributes and settings to control printing, copying, displaying, editing, and / or sending of the digital file or the collection of digital files based on the security requirement information. The system of claim 11, wherein the authorization is implemented.   The autonomous system includes an autonomous system private key located in the autonomous system, the autonomous system signing a message with the autonomous system private key, and the autonomous system Sending a message signed in to the source, wherein the source determines whether there has been unauthorized access to the autonomous system or whether there has been tampering with the autonomous system. Item 11. The system according to Item 10.   The source includes a source private key located within the source, the source signs a message with the source private key, sends a message signed with the source to the autonomous system, 17. The system of claim 16, determining whether there has been unauthorized access to the source or whether there has been tampering with the source. A method of securing electronic access,
Receiving at least one electronic certificate from an electronic device seeking access to a secure resource at a protected device including at least one security processor, wherein the at least one certificate is the electronic device Provides device information related to the security of
Comparing the device information with the security requirement information by at least one autonomous processor of the autonomous system;
The at least one autonomous processor instructing the at least one security processor to provide the secure resource to the device when the device information satisfies the security requirement information;
The protected device providing the secure resource to the electronic device in response to the instructions;
A method comprising:   The method of claim 18, wherein the secure resource comprises a digital file or a collection of digital files.   The method of claim 18, wherein the secure resource comprises a hardware resource.   The method of claim 18, further comprising the at least one autonomous processor that controls conditions of use of the secure resource by the device based on the comparing.   Creating a compressed archive that includes the digital file or the collection of digital files, the security requirement information, and a set of permission key value pairs, and verifying that the device information satisfies the security requirement information; The method of claim 19, further comprising two autonomous processors.   Further comprising the at least one autonomous processor that applies an encrypted digital signature to each of the digital file and each of the digital files in the digital file collection to provide authentic authentication and authorship authentication; 23. The method of claim 22, wherein a signature is applied during file creation and updated or applied as a second encrypted digital signature each time the digital file or collection of digital files changes.   The at least one autonomous entity that implements attributes, settings, and permissions to control printing, copying, display, editing, and / or transmission of the digital file or collection of digital files based on the security requirement information The method of claim 19, further comprising a general processor.   Further comprising an autonomous system for signing a message with an autonomous system private key and sending a message signed with the autonomous system to a source, wherein the source has unauthorized access to the control system; The method of claim 18, wherein it is determined whether or not there has been tampering with the control system.   Further comprising a source signing a message with a source private key and sending the message signed at the source to the autonomous system, the autonomous system having received unauthorized access to the source; 26. The method of claim 25, wherein it is determined whether there has been tampering at the source. A method of securing electronic access,
Storing at least one electronic certificate describing the security of the protected device in at least one autonomous memory of the autonomous system;
At least one autonomous processor of the autonomous system providing the at least one proof to the protected device;
The autonomous system outputting the at least one electronic certificate, resources in a usable form for the protected device, and security requirement information to an authorizer system;
At least one authorizer process of the authorizer system that compares the at least one proof with the security requirement information;
The at least one authorizer that transforms the resource into a usable form for the protected device when the at least one electronic certificate indicates that the protected device satisfies the security requirement information. Process,
The at least one authorizer process that provides the resource in a form usable for the autonomous system to the protected device.   28. The method of claim 27, wherein the resource comprises a digital file or a collection of digital files.   28. The method of claim 27, wherein the at least one autonomous process controls conditions of use of the resource by the protected device based on the comparing.   29. The method of claim 28, further comprising storing the resource in a form usable for the electronic system in the at least one autonomous memory.   28. The method of claim 27, further comprising the at least one autonomous processor that controls conditions of use of the resource by the protected device based on information from the authorizer system.   The autonomous system that implements attributes, settings, and permissions to control printing, copying, display, editing, and / or transmission of the digital file or collection of digital files based on the security requirement information The method of claim 28, further comprising:   Further comprising an autonomous system for signing a message with an autonomous system private key and sending a message signed with the autonomous system to a source, wherein the source is an unauthorized access to the autonomous system 28. The method of claim 27, wherein it is determined whether or not there has been a tampering in the autonomous system.   Further comprising a source signing a message with a source private key and sending the message signed at the source to the autonomous system, wherein the autonomy has had unauthorized access to the source, or 34. The method of claim 33, wherein it is determined whether there has been tampering at the source.

Images