RU2130641C1 - Method and device for information protection against unauthorized access - Google Patents

Abstract

FIELD: computer engineering, information processing, in particular, personal units for information converting upon confidential communication between state, police, security, defense, industry and business parties. SUBSTANCE: information conversion method involves splitting input data file into alternating-length units and performing controlled ring shift of ASCII codes of each character in each unit. Corresponding device has interface unit, buffer memory unit, converting unit, control unit, and addressing unit. EFFECT: increased speed, minimal information losses, simplified design, decreased power consumption, increased reliability, possibility to perform both information encoding and information decoding. 2 cl

Description

 The invention relates to information systems, devices for converting digital information with the aim of protecting it from unauthorized access when transmitted through communication channels and stored on machine media and can be used in communication networks, computers, including personal ones, when exchanging data by government, law enforcement, defense, banking and industrial institutions when it becomes necessary to store and transmit confidential information.

 A known method and device for protecting information from unauthorized access (RF patent N 2022346, CL G 06 F 13/00, G 09 C 1/00, 6.20, 1994).

 The way to protect information from unauthorized access (see RF patent N 2022346, CL G 06 F 13/00, G 09 C 1/00, 6.20, 1994) is that the key code containing information about the formation of the program code conversion, is introduced into the computer. The machine generates a program code and transmits a part of such code (two or three messages) to the control unit, which from this part autonomously generates addresses of the next subprograms in the process of data transfer to replace the current subprograms and transforms in the second conversion unit. Another part of the program code remains in the computer, which during data transfer at the request of the control unit generates and transfers to the control unit new settings and subroutine addresses for the first information conversion unit. Then the key code is received, which is accepted by the computing system. By a command for transmitting information, the computing system generates a signal for transmitting data to the device. Through the computing system, the "clean" information to be transmitted is received in groups of messages by the device. The number of bits in the message is 8. The number of messages in the group is 4. The information received in the device is “distorted” and transmitted to the computer system, which transmits the “distorted” messages to the communication channel. Groups of messages are "distorted" according to different laws. On the receiving side, after entering the key code, a command is received to receive information by which the computing system generates a signal arriving at the device. By the readiness signal, the device receives “distorted” messages from the communication channel, reverse message conversions are carried out, which are then transmitted to the consumer through the computing system.

 The known method involves repeated manipulation of the source information and loss of information in the p senior and p lower ranks, which reduces its value.

 Common with the claimed method are the signs: preliminary input into the computer system of the program for converting “clean” information, on the transmitting side its division into message groups, distortion by the program for converting messages, transmission to the communication channel, and so on, until the information is completely exhausted, and on the receiving side the opposite Converting, combining message groups and presenting “clean” information to the user.

 The disadvantages of the method are the fixed volume of message groups (blocks), repeated manipulations with the source information, which leads to limited speed, i.e., the inertia of the method, the inevitability of losing part of the information in 2p digits.

 The device for protecting information from unauthorized access (see RF patent N 2022346, class G 06 F 13/00, G 09 C 1/00, 6.20, 1994) contains a block for defining a program for protecting and processing data, the first and second inputs the outputs of which are the input / output data of the device, a control unit, an interface unit, two conversion units, a buffer memory unit and a group of OR elements, while the input / output channel of the system interface is connected to the input / output of the interface unit, the information output of which is connected to the first information entrances of the first and second about conversion units and a conversion control unit, and the information input of the interface unit through a group of OR elements is connected to the first information outputs of the buffer memory unit and the first conversion unit, the first information output of which is connected to the second information input of the conversion control unit, the information input of which is connected to the second information the output of the first conversion unit, the information output of which is connected to the information input of the buffer memory unit, the second information the output of which is connected to the second information input of the first conversion unit, while the control output of the interface unit is connected to the first control inputs of the buffer memory unit and the first and second conversion units, the second control inputs of which are connected respectively to the first and second control inputs of the conversion control unit, the control input of which is connected to the control output of the second conversion unit, the first and second signal outputs, as well as the input and output of the reset of the control unit conversion are connected respectively to the first and second signal inputs, as well as to the reset output of the interface unit, while the reset output of the conversion control unit is also connected to the reset inputs of the second conversion unit and the buffer memory, the readiness input of which is connected to the signal output of the interface unit, the third the signal input of which is connected to the signal output of the second conversion unit, the first signal input of which is connected to the first signal input of the buffer memory unit, the second signal the main output of which is connected to the signal input of the conversion control unit, the third signal output of which is connected to the second signal input of the second conversion unit and the signal input of the buffer memory unit, the second conversion unit containing a dispatcher, three switches and a group of conversion nodes, while the first and second information the block inputs are connected to the data information inputs of the first and second switches, the inputs of which are connected respectively with the inputs and outputs of the conversion nodes groups connected to the corresponding data inputs of the third switch, the output of which is the information output of the block, the first control input of which is connected to the control inputs of the dispatcher, the third switch and the installation inputs of the first and second switches, the control inputs of which are the second control input of the block, the control and signal outputs , and the first and second signal inputs and the reset input of which are connected respectively to the control and signal outputs, and the first and second signal the controller’s reset strokes and input, as well as the conversion control unit, contains a command issuing unit, a final operations control unit and a control signal separator, the first, second and third information inputs and the first and second signal and first control outputs of the unit are connected respectively to the first, second, and third inputs, and with the first, second and third outputs of the command issuing node, the fourth and fifth outputs and the fourth input of which are connected respectively to the first and second inputs and with the output of which the control input and the second control output of the unit, the signal and reset inputs and signal output of which are connected respectively to the first and second inputs, and to the first output of the final operations control unit, the second output of which is the block reset output and connected to the reset inputs of the command and distributor unit control signals.

 In common with the claimed device are a pairing unit, a buffer memory unit, a conversion unit and a control unit.

 The second conversion unit, the group of OR elements, three switches, a dispatcher, a command issuing unit, a control unit for final operations and a distributor of control signals and associated communications are redundant, which makes up hardware redundancy, complexity of the operation algorithm, significant energy consumption, and limited reliability in operation. In addition, the device on the transmitting side is not identical to the device on the receiving side in terms of the connections between blocks and nodes and the operating algorithm.

 The disadvantages of the known device are multi-step, multi-stage algorithm, and therefore, low speed and performance, hardware redundancy, and therefore, low reliability, and the device is not identical on the side of the sender and receiver of information.

 Closest to the technical nature of the present invention is a method of protecting information from unauthorized access and a device for its implementation (see RF patent N 2099890, CL H 04 L 9/00, 6.35, 1997).

 A method of protecting information from unauthorized access (see RF patent N 2099890, class H 04 L 9/00, 6.35, 1997) involves the use of an algorithm according to which 32-bit 64-bit characters are summed modulo 2 sequentially 16 times modulo 2 the information register and 32-bit sums n times perform the following sequence of operations: add the second p-bit to the mth p-bit character of the mp-bit information register, where m ≥ 1, p ≥ 2, or 0, m = 1 the symbol of the mp-bit information register, or 0, if m = 1,2, add to the resulting amount the next p-bit character of the key register, the result is converted by the p-bit functional transformation block f, the 2nd p-bit character of the mp-bit information register is added to the result, where 3≤r≤m - 1, or 0 if m = 1, 2, 3, the resulting sum is converted by the p-bit functional transformation block q, the first p-bit character of the mp-bit information register is added to the result, the newly obtained sum is converted by the p-bit functional conversion block h and the conversion result write in place of the m-th p-bit character of the mp-bit information register, previously shifted by p-bits in the direction of the lower bits with the loss of p lower bits.

 Common with the claimed method are the signs: distortion of the source information for the determined program on the transmitting side, transferring it to the communication channel, restoring information on the receiving side and presenting "clean" information to the user.

 Significant disadvantages of the method are the need for multiple sequential conversions, which leads to a significant inertia of the method, the inevitability of the loss of a significant part of the information due to the loss of its p least significant bits, which requires redundancy in p bits in the input information.

и

где S, p' ≥ 2, 1 ≤ i ≤ S двух p-разрядных сумматоров, первый из которых прибавляет к поступающему на его входы p-разрядному числу p-разрядную константу A, а второй p-разрядную константу B, и p-разрядный регистр циклического сдвига, причем S p'- разрядных выходов первых S блоков p-разрядных функциональных преобразований

где 1 ≤ i ≤ S, подключены ко входу первого p-разрядного сумматора, выход которого подключен к p-разрядному входу p-разрядного регистра циклического сдвига, p-разрядный выход которого подключен ко входу второго p-разрядного сумматора, p разрядов выхода которого подключены к S p'-разрядным входам оставшихся S блоков p-разрядных функциональных преобразований

где 1 ≤ 1 ≤ S.The device for protecting information from unauthorized access (see RF patent N 2099890, class H 04 L 9/00, 6.35, 1997) contains an interface unit, 64-bit key (control unit) and information registers (buffer memory unit), unit The 32-bit functional conversion f and the 32-bit adder modulo 2, in which the key register is made in the form of an np-bit key register, the information register is made in the form of an np-bit information register, the information register is made in the form of an mp-bit information register, where p ≥ 2 , m ≥ 1, the functional transformation block f is made in the form of a p-bit functional transformation block, which contains the first, third, and fourth p-bit adders and two blocks of p-bit functional transformations q and h, and the output of the np-bit key register connected to the first input of the second p-bit adder, to the second input of which the output of the first p-bit adder is connected, to the first input of which, at m ≥ 2, the mth p-bit output of the mp-bit information register is connected, to the second input of the first about a p-bit adder, for m ≥ 3, the second p-bit output of the mp-bit information register is connected, the output of the second p-bit adder is connected to the input of the p-bit functional conversion block f, the output of which is connected to the first input of the third p-bit the adder, to the second input of which, for m ≥ 4, the rth p-bit output of the mp-bit information register is connected, where 3≤r≤m = 1. The output of the third p-bit adder is connected to the input of the p-bit functional transformation block q, the output of which is connected to the first input of the fourth p-bit adder, the first p-bit output of the mp-bit information register is connected to the second input of it, and the fourth p -bit adder connected to the input of the p-bit functional conversion h, the output of which is connected to the m-th p-bit input of the mp-bit information register, and with p = S • p 'the block of p-bit functional conversion Nia f 2S blocks includes p-bit functional transformations

and

where S, p '≥ 2, 1 ≤ i ≤ S of two p-bit adders, the first of which adds p-bit constant A to the input p-bit number, and the second p-bit constant B, and p-bit a cyclic shift register, with S p'-bit outputs of the first S blocks of p-bit functional transformations

where 1 ≤ i ≤ S, are connected to the input of the first p-bit adder, the output of which is connected to the p-bit input of the p-bit register of cyclic shift, the p-bit output of which is connected to the input of the second p-bit adder, p bits of the output of which are connected to S p'-bit inputs of the remaining S blocks of p-bit functional transformations

where 1 ≤ 1 ≤ S.

 In common with the claimed device are a pairing unit, a buffer memory unit (information registers), a conversion unit and a control unit (key register and a cyclic shift unit).

 Blocks of f-, h-, p-, 2S p-bit transformations, four adders and corresponding functional connections are redundant, which makes significant hardware redundancy, complexity of the operation algorithm, significant energy consumption, and limited reliability in operation. In addition, this device operates according to a multi-step algorithm, which leads to its inertia, and the device on the transmitting and receiving sides is not identical to each other.

 Significant disadvantages of the device are hardware redundancy, which leads to its increased energy intensity and reduced reliability, multi-step algorithm, which significantly increases the inertia, as well as the inability to perform the reverse operation, i.e. decryption of information.

 The objective of the invention is the synthesis of a method of protecting information from unauthorized access with minimal information loss, inertia, and devices with minimal hardware and information redundancy, inertia, as well as the ability to perform both the direct task of encrypting information and the inverse task of decrypting it with maximum speed, minimum loss of information with minimal hardware and energy costs and maximum reliability.

 The algorithmic implementation of the problem is that the original data file is divided into blocks of variable length i (i = 1, 2, ...), after which the ASCII code of each character of the block is shifted by t in each block (t = 1, 2 , ...) discharges. The shift can be carried out both to the left and to the right, while to prevent information loss, the shift is carried out in a closed ring in the block.

 For example: 1. before the shift - 0000000011101101 shift to the right by 5 digits, after the shift - 0110100000000111, when shifting to the left, the lower shifted bits are written in the place of the highest. 2. Before the shift - 0000000011001111 left shift by 8 digits, after the shift - 1100111100000000.

 The user-defined key is a w (w = 1,2, ...) bit unsigned integer. The converted file can be quickly restored by reverse shifting the characters of the file blocks.

 The technical result of the invention is to reduce the algorithmic complexity and inertia of the method and device for protecting information while eliminating the loss of information, reducing hardware redundancy and energy consumption and increasing reliability.

 The technical result of the proposed method is achieved by the fact that on the transmitting side, the original information is distorted using a key, while the source file of "clean" information is divided into blocks of variable length, in each block a shift of the ASCII code of each character in the ring specified on the transmitting side is performed along the ring direction, and on the receiving side, distorted information is restored using the same key, while the reverse shifts of each character in each block are carried out, the conversion result is fixed It is stored in memory at the address of the source file.

 The technical result of the proposed device is achieved by the fact that in it the interface unit with the first inputs and outputs is connected to the inputs and outputs of the device, the buffer memory unit with the first inputs and outputs is connected with the second inputs and outputs of the interface unit, the conversion unit with the first inputs and outputs is connected with the second inputs - outputs of the buffer memory unit, the control unit of the first input-output is connected to the third input-output of the interface unit, and the second input-output is connected to the second input-output of the conversion unit, and the unit is input addressing, connected by the input to the output of the interface unit, the output - with the input of the buffer memory unit, and the input-output - with the third input-output of the conversion unit, and the interface unit performs the functions of managing internal hardware resources and transferring data between the computing system and the device, the buffer unit memory performs the functions of storing data received from the interface unit and the conversion unit, in accordance with the address received from the addressing unit, the conversion unit performs the functions of reading data from a buffer memory unit, a shift, read data, the direction and magnitude of the shift being determined by the control unit, writing the shift result to the buffer memory unit, the addressing unit performs the functions of addressing data written to the buffer memory or read from the buffer memory unit, the control unit performs functions for controlling the operation of the conversion unit.

 The scheme of the device for protecting information from unauthorized access is shown in the drawing.

 The device for protecting information from unauthorized access contains a pairing unit 1, a buffer memory unit 2, a conversion unit 3, a control unit 4 and an addressing unit 5, while the interface unit 1 is connected by the first inputs / outputs 6 to the inputs / outputs of the device, the buffer memory unit 2 is connected the first inputs-outputs 7 with the second inputs-outputs 8 of the interface unit 1, the conversion unit 3 is connected by the first inputs-outputs 9 with the second inputs-outputs 10 of the buffer memory 2, the control unit 4 is connected by the first input-output 11 with the third by the way-output 12 of the interface unit 1, and the second input-output 13 - with the second input-output 14 of the conversion unit 3, and the addressing unit 5 is connected by input 15 to the output 16 of the interface unit 1, output 17 - with the input 18 of the buffer memory 2, and input-output 19 - with the third input-output 20 of the conversion unit 3, and the interface unit 1 performs the functions of controlling internal hardware resources and transferring data between the computing system and the device, the buffer memory unit 2 performs the functions of storing data received from the interface unit 1 and blo as conversion 3, in accordance with the address received from the addressing unit 5, the conversion unit 3 performs the functions of reading data from the buffer memory unit 2, the shift, the read data, the direction and magnitude of the shift is determined by the control unit 4, write to the buffer memory 2 the result of the shift, the addressing unit 5 performs the function of addressing data written to the buffer memory unit 2 or read from the buffer memory unit 2, the control unit 4 performs the functions of controlling the operation of the conversion unit 3.

 The device operates as follows. When working with a computer system, the user selects a file that must be protected from unauthorized access, enters a key, and issues a command to convert the file. A computer system, having received a command to convert a file, transmits data to be converted, a key and a command to convert data through the interface bus to the device. Information from the bus enters the interface unit 1. The interface unit 1 transfers the data to be converted to the buffer memory unit 2, the amount of data in the addressing unit 5, the data conversion command to the control unit 4. The control unit 4 sends the conversion command to the conversion unit 3 data and key code. The conversion unit 3, having received a command from the control unit 4, sends a command to the addressing unit 5 to generate and transfer the address to the buffer memory unit 2, after which the conversion unit 3 reads the symbol code from the buffer memory unit 2 and shifts it by defined by the key code. The conversion unit 3, after shifting the symbol code, writes it to the buffer memory unit 2 at the address of the source symbol code, after which the conversion unit 3 generates and transfers to the addressing unit 5 commands for generating and transmitting the address of the next symbol code to the buffer memory 2 The addressing unit 5, having received a command to form and transfer the address, increments the memory address and decrements the file size and transfers the address to the buffer memory unit 2. The conversion unit 3 reads from the buffer memory unit 2 to q the next character and carries out its processing as described above. After processing all the characters, the addressing unit 5 transmits a message about this to the conversion unit 3, from which the message is transmitted to the control unit 4, after which the message is transmitted through the interface unit 1 to the inputs and outputs of the device, the interface bus, and then to the computing system. The computing system, upon the signal of completion of the data conversion, reads from the buffer memory unit 2 through the interface unit 1 and the converted data interface bus, followed by transmission to the communication channel. To perform authorized data viewing, a similar sequence of actions is carried out, while an authorized user must select a file that must be opened for authorized access by entering the key with which the file is protected and issue a command to reverse the file.

 Positive results of the proposed device are: minimal information redundancy and inertia, the ability to perform both encryption and decryption of information with maximum speed, no information loss with minimal hardware and energy costs and maximum reliability.

 Example.

жзХж5ХаЪЯжи5гдЪеХлЭ

5ХайХ5гзбЪвЪвХ;
.................................................. ...........;
i)!+

бАбмжл

Дпжб+й+Абм+

бАп

нжожоб;
.................................................. ............ .File on the transfer side:
EUSTAS ALEXU ALPHA OPERATION CANCELED
File on the receiving side (in the communication channel) for an unauthorized user, with various encoding options:
1) □ reversal of the open end of the block;
2)

zhKhzh5HaYazhi5gdёehle

5HaiH5gzbvvvh;
.................................................. ...........;
i)! +

abmzhl

DPJB + th + Abm +

bap

jojoba;
.................................................. .............

Hosted File for Authorized User:
EUSTAS ALEXU ALPHA OPERATION CANCELED
The number of variants of this file for an unauthorized user exceeds 12,000 and grows with increasing file size, which seems to be a difficult task for a reasonable time.

Claims (2)

 1. A method of protecting information from unauthorized access, namely, that on the transmitting side the original information is distorted using a key, and on the receiving side, the distorted information is restored using the same key, characterized in that the original information file is divided into information blocks of variable length , in each block, a variable shift along the ring of the ASCII code of each symbol is carried out, and the shift on the transmitting and receiving sides is carried out in opposite directions, the result of the conversion fixed in memory at the address of the source file.  2. A device for protecting information from unauthorized access, comprising a pairing unit connected by first inputs / outputs to device inputs / outputs, a buffer memory unit connected by first inputs / outputs and second inputs / outputs of a pairing unit, a conversion unit and a control unit, characterized in that an addressing unit is connected to it, connected by an input to the output of the interface unit, an output - with the input of the buffer memory unit, and input-output - with the third input-output of the conversion unit, and the conversion unit with The uniform first input-output with the second input-output buffer memory unit, and a control unit connected to the first input-output of the third input-output interface unit, and the second input-output - to a second input-output of the transform block.