RU2311676C2 - Method for providing access to objects of corporate network - Google Patents

Abstract

FIELD: computing systems, possible use for protecting informational resources in corporate networks.

SUBSTANCE: in accordance to the invention, during registration of user, user identifier and user image identifier signals are assigned and memorized, user inputs identifier and creates corporate network access and service request signal, which is transferred into system core, user image identifier signals are read from memory, authentication of user and his image is performed, and, if user access rank signal is equal to or exceeds acceptable rank, signal is generated to permit execution of actions, description of which is contained in service request signal, where during registration of user, number of mobile device and/or identifier of other source of wireless communications given by user is additionally inputted into memory, prior to taking a decision about access to corporate network by user, a password which is active for one session is generated and sent to the source given by user.

EFFECT: increased protection of systems from unsanctioned access.

3 cl, 1 dwg

Description

The invention relates to computer technology, namely, information computer systems implemented in computer networks, and can be used to protect information resources in corporate networks.

Formalized knowledge based on the so-called artificial intelligence is widely used in computer systems and programs; therefore, it can be the subject of a criminal assault, i.e. object of criminal activity. Legal protection is subject, as a rule, to documented information (document) recorded on a tangible medium, with details that are clothed in a form that allows it to be “identified”. As a result of documentation, materialization and materialization of information occurs.

Any information at the time of its creation is secret or confidential and is subject to further protection by its owner, depending on the degree of secrecy.

The development of wired and wireless communications, as well as Internet technologies, has led to an increase in business applications and services available through the World Wide Web.

With the increasing use of the Internet, e-commerce and remote access technologies, it becomes vital for many companies to securely and efficiently manage access to their business applications, intranet networks, and so-called online services.

Any large company with a large number of employees and a complex intranet network structure often faces a situation when employees need, on the one hand, to extract some data from the intranet network, and on the other hand, to provide the most reliable identification of the user trying to obtain this data.

Any organization has its own production secrets, which should not be distributed not only outside this organization, but often among its employees.

Such secrets include, for example, information about new developments, forthcoming promotions, financial secrets, etc.

Leaking classified information or disclosing trade secrets can cause serious damage to the organization.

The security and protection of information in information and computing systems is provided by implementing a method for subjects to access information objects. The protection system is designed to avoid undesirable states of an information-computer system when information leakage or violation of its integrity is possible. In practice, this can only be done by restricting the client’s access to information at any given time. The concept of "object" includes any information, including databases or any other document recorded on a tangible medium.

Currently, various systems are known for providing access to data contained in a corporate network or computer operating system.

The prior art method of protecting a personal computer from unauthorized access, which consists in remembering the identification codes of various operating modes and users, comparing identification codes and using the results of comparison, they implement various types of access to the computer system (see EP, application 0478126, cl. G06F 13/12, 1992).

However, this method does not provide sufficient protection, since the client can access information called to the server by another user.

There is a method of providing access to data in an operating system operating on hardware, which consists in the fact that each user is preassigned and then stored in memory as a user identifier signal and a user image identifier signal, including at least a user admission rank signal, a rank signal user trust and signals of identifiers of user actions, for each object of the operating system, they form and then store a signal about of an object, including at least an object name signal, an object access level signal, trust level signals for object actions and object action identifier signals, the user enters a user identifier signal by which he is identified and authenticated and, when identifying, make an access decision user to the operating system (UK Patent No. 2242295, IPC G06F 12/14, 1991).

This method is more reliable than the above, however, the reliability it provides to prevent unauthorized persons from accessing objects in the operating system is low. This is due to the small number of user rights checks to perform any actions on them.

Databases are currently the primary means of storing a wide variety of information. Data is stored in a database (DB) along with service information, which allows you to organize this data according to certain rules.

In order for users to access the database, a database management system (DBMS) is used. A DBMS is a set of programs stored in the server (computer) memory that allows operating with data from a database, which for this computer can be an external device. In a DBMS, the so-called DBMS kernel is allocated, i.e. that part of it, which is constantly stored in a certain area of the main memory of the server and carries out the management functions of the entire DBMS.

When using a DBMS, one of the main tasks is to provide access to data in the database served by this DBMS. In general, access is understood as the procedure for establishing communication with the database and the areas located in it for writing or reading data. In this case, it is necessary to provide for the possibility for an authorized user to freely receive the data for which he has access, and to prohibit the user from receiving data that is closed to him.

There is a method of providing access to data in a database management system (DBMS), which consists in storing an individual identifier signal and an admission rank signal to a database previously assigned to each database user, generating a user request signal containing an individual identifier signal for this user and signal for describing the requested data, transmit the generated request signal to the core of the database management system, read the signal of the rank of admission to the database by its signal for an individual identifier contained in the user request signal, the signals corresponding to the labels of these data characterizing the signals of the access level to the database partitions and subsections are read from the database to the database management system kernel by the description signal signals of the requested data contained in the request signal actions that the user can perform on this data, and compare them with the signal of the rank of admission to the database, and if the signal of the rank of admission to the database is not lower than the signal In addition to the access to the database section containing the requested data, the data signals can be transmitted over the communication channel from the database, and in the core of the database management system, the generated request signal is divided into separate actions or groups of actions designed to perform actions on the requested data, the signals are compared access for these actions or groups of actions and access signals to subsections of the database with a signal of the rank of admission to the database, if the signal of the rank of admission to the database is not lower than the signal access to perform actions or a group of actions and not lower than the signal of the access level to the corresponding subsections of the database, perform actions or groups of actions in the database management system on signals of links to the requested data, register the performed actions or groups of actions in the core of the database management system, form a response signal to a user’s request in the core of the database management system based on the results of actions or groups of actions on the signals of links to the requested data, comp there are data access signals, the reference signals to which are contained in the generated response signal, with a signal of rank of admission to the database, if the signal of rank of admission to the database is not lower than the signal of the level of access to the corresponding data, read into the core of the database management system from the database on an open communication channel, the signals of the requested data according to the signals of links to this data contained in the response signal to the user's request, compare the access signals to the data read from the database with the signal of the admission rank to b If the signal of the rank of admission to the database is not lower than the signal of the level of data access, the read data is transmitted from the core of the database management system to the user, if the signal of the rank of admission to the database does not match the access level signal and / or if unauthorized actions are detected, the results of all operations preceding the occurrence of this discrepancy are deleted from the core of the database management system and the request is stopped (RF Patent No. 2130643).

In the method under consideration, the individual identifier signal includes the user’s registration name and its confirming password, and when generating a user request signal in a multi-terminal network, the current request time and an indication of the specific network node from which the request is made are added.

This method provides greater reliability than the above, but, despite the complexity of security measures, nevertheless, the degree of prevention of access to the database by unauthorized persons is low. This is due to the fact that after verifying the rights of the user to receive data and perform any actions on them, upon the positive completion of all checks, the data is provided to the user in full according to his request. In addition, if the signal of the rank of admission to the database does not match the signal of the access level to the requested data, the user is notified about this, thereby indirectly receiving information, at least about the existence of data inaccessible to him. The closest technical solution to the claimed technical solution is a method of providing access to objects in the operating system of corporate networks, described in RF patent No. 2134931.

According to the specified invention, in contrast to existing similar methods, a user identifier signal and a service request signal are generated, comprising a user image identifier signal, including at least an object name signal and description signals of requested actions on the object, transmit the generated service request signal in the kernel of the operating system, in the kernel of the operating system by a user ID signal is read from a memory that is made inaccessible to unauthorized persons In this call, the signals of the identifiers of the user image, in accordance with the signal of the name of the object and the signals of the description of the requested actions on the object contained in the signal of the service request, are read into the kernel of the operating system from memory that is inaccessible for unauthorized use, the signals of the object’s labels compare the signal the user admission rank with the object access level signal, if the user admission rank signal is higher than the object access level signal, a signal is allowed To perform actions on the object, the descriptions of which are contained in the service request signal, if the user admission rank signal is equal to the object access level signal, then the user confidence rank signal is compared with the confidence level signals for actions intended to be performed on the object, if the trust rank signal of the user above the signals of confidence levels for the actions of the object, then compare the signals of the identifiers of the actions of the object with the signals of the identifiers of the actions of the user, form the signal is allowed I perform an action on an object for which the user action identifier signals are not the signals of the object below the action identifiers.

In addition, if there is a “rewrite” action description signal in the description signal of the requested actions on the object, after the formation of permission signals for the execution of actions, the access conditions to the recording object are checked.

When checking the conditions of access to the recording object, the recording signal of the recording object’s label, including at least the recording object’s signal and the access level signal to the recording object, is read from the memory, which is inaccessible for unauthorized access, to the operating system kernel; the access level signal is compared to the object and the signal of the level of access to the recording object, and if the level of access to the object is not less than the signal of the level of access to the recording object, then a signal of permission to perform the "overwrite" action on the object is generated. In practice, this invention differs little from the previous analogue, although it somewhat expands the capabilities of the method by using it not only to access databases, but to any kind of information, and also provides for the ability to overwrite information on a user’s device to store information on a physical medium, but he has the same flaws.

However, like the previous analogue, the method is difficult to implement, because includes many operations that cannot provide a sufficient degree of user authentication, as uses standard primitives of well-known protocols without direct communication with the user.

The disadvantages of the prototype include the fact that it requires in the initial request for access to work on the corporate network to simultaneously reflect both the user name and password, and the identifiers of the user’s image, i.e. actions on objects that may not coincide in time, therefore the versatility of the method is reduced.

The technical task of the invention is to develop a method of user access to objects of corporate networks, which would be free from the above disadvantages inherent in existing methods of access, by increasing security from unauthorized access to it by third parties.

The technical result is achieved due to the fact that in a known way of providing access to objects of corporate networks, which consists in the fact that during registration, each user is preassigned and then stored the user identifier signal and the image identifier signal of the user, including a certain set of user data and allowed him actions with each of the corporate network objects, the user generates a request signal for access to the corporate network and a service request signal by and the signals of the identifiers of the user image, containing at least a signal of the name of the object and signals of the description of the requested actions on the object, the generated signal of the request for service is transmitted to the core of the system, where the signal of the individual user identifier is read from a memory that is inaccessible for unauthorized use in system core, user image identifier signals, in accordance with the object name signal and description signals of requested actions on objects, contains that are contained in the service request signal, it is identified and authenticated, and if the signal of the user’s admission to the objects is higher or higher than the permissible one, a permission signal is generated to perform the actions described in the service request signal at the same time or after making an access decision user to the corporate network, changes and additions have been made, namely:

- in the memory, made inaccessible to unauthorized use, simultaneously with the signals of the identifiers of the user image, additionally enter the number of the mobile device and / or the identifier of another wireless device specified by the user;

- before making a decision on user access to the corporate network, a password is valid for the duration of the session, and it is sent to the user to the wireless source specified by him;

- at the same time, the password valid for the duration of one session is fixed in the memory of the kernel of the system for additional user authentication;

- this password, generated stochastically before being sent to the user, can be encrypted with one of the known protocols, for example DES;

- taking into account the fact that a user can generate a service request both simultaneously with a request for access to the corporate network, and after permission to access the network, as well as the possibility of a user changing the service request, during operation during one session, control access and user actions with corporate network objects in accordance with identifiers included in the user image.

In addition, if there are actions with especially important information in the user's request, they ask the user, at the wireless source indicated by him, to confirm the request and, only after receiving such confirmation, allow the user to perform these actions.

From the current level of technology has not been identified objects that would contain a combination of the above distinctive features of the considered method.

Before proceeding to the description of an example implementation of the claimed method, it is advisable to provide general information explaining the essence and terms used of the present invention.

The functioning of any application package is based on interaction with a certain operating environment, which is understood as an operating system. The operating system provides application tools with service tools that allow the efficient use of equipment resources, and isolates them from these resources using a special interface. By an operating system we mean a set of interfaces that make it possible to efficiently use hardware resources and move all functions not related to this task to the level of executable processes.

A process is the work performed by a processor. The operating system should ensure that the workload of the technical means on which it operates is effective, and the "process" acts as an elementary unit with which the processor can be loaded. Being active consumers of resources, "processes" in relation to the operating system play a subordinate role - they are controlled by the system. The central part of the operating system that controls the processes is called the core of the system.

The execution of the "process" in the operating system is divided into two parts - the system and user phases. Each phase has its own logical address space, and their execution is always sequential. The core of the system is a set of functions performed by a process in the system phase. The transition to the system phase is performed using, for example, a software interrupt, and the change of processes on the processor occurs by means of the coroutine call of the system phase of the process, ready to be executed.

An operating system that supports multi-user mode of operation provides itself from erroneous user actions and mutual protection of users from each other. The classic objects to be protected are memory areas and files. Memory protection is based on hardware capabilities, file protection is traditionally performed by the operating system. The linearly addressed address space is protected entirely as the program work space related to a specific user. The most common are three types of access: reading, writing, overwriting, and also performing other actions, for example, data modification. Operating system objects receive object label signals, including object name signals, which are indicated in the routed service request signal. Moreover, the objects (files, directories, etc.) of the operating system may belong to different users, who may be concerned that their information is not available to other users. A user is understood not only as a specific creator or consumer of information, but also as a system user, i.e. the owner of the operating system, providing it to specific users, who may be interested in restricting the access of users or user groups to a particular object of the operating system.

In accordance with the proposed invention, each new client of the operating system (individual or organization) must acquire the status of a user. The user is created by the system administrator (system user) and is the process of assigning a user identifier signal to this user. The user identifier signal includes, in addition to standard types of authorization by means of a user name, password (s) and other necessary information for user identification and authentication, another number of your mobile device and / or identifier of another wireless source, which are recorded in the system core memory, the introduction of which the user confirms his authenticity, i.e. the right to appeal to the system.

This user ID signal marks any service request signal. In addition, in the case of operation in a multi-terminal network, this user identifier signal may contain other information, for example, the time of receipt of the service request signal by the network server and the indication of the specific network node from which the request is made.

Objects have different access level signals, and subjects have different tolerance level signals. Permission for a specific subject to access a specific object is a function of the level of access of that subject (user) and the level of access of this object. Signals of the access level to the object can be subdivided - by access rights - into: reading of the object by the subject, i.e. receipt by the subject of the data contained in the object; record, modification of object data after their preliminary reading; execution by the subject of the object, i.e. an action that is not associated with either reading or modifying data; modification of the data of the object by the subject without their preliminary reading; rewriting etc.

The operating system operates on hardware comprising at least read-only memory (ROM), random access memory (RAM) and a processor, as well as at least one input device. The program of operation of the operating system of the network server is pre-recorded in the ROM and upon initialization of the hardware, the kernel of this operating system is loaded from the ROM into the RAM. All further functioning of the operating system is controlled by this kernel.

The implementation of the method of the present invention is as follows

When registering for access to work with objects in the operating system, each new user is assigned and stored in a memory that is inaccessible for unauthorized use, a user identifier signal, including, in addition to the standard set (name, password), also mobile or other data wireless communication devices, and a user image identifier signal including at least a user tolerance rank signal, a user confidence rank signal, and action identifier signals nth user, which together form an access matrix.

To work on the corporate network, the user enters his identification data (name, password, etc.) and can simultaneously enter a service request, including information about objects and actions on them.

After receiving the user identifier signal and the signals corresponding to the request generated by it, the server (network administrator) authenticates the user and identifies his image in accordance with the specified criteria, for example, admission and trust ranks, actions on objects, etc. At the same time, the presence of the number of a mobile or other wireless communication device registered in the kernel of the system, specified by the user during registration, is checked and a specially generated password is sent to it, which can be encrypted using one of the encryption algorithms (DES, IDEA, RC ^* , RSA, LOKI-97, Rijndael etc.). An additional password for one session is recorded in the system kernel memory. The decision on the user’s admission is made after entering an additional password.

The request for access to the corporate network and the service request may not be entered into the server operating system (network administrator) simultaneously. In this case, user authentication and user image identification are performed as requests are received.

During a user’s session on a corporate network, the actions performed by him are controlled by the operating system depending on the importance of the information to which access is requested. This is done to ensure that important information is not leaked.

So, if a user’s request contains a request for access and / or actions with objects containing especially important information, then at the same time an additional password is generated to confirm the request and only after receiving confirmation, the user is allowed to implement them.

The drawing shows one of the possible variants of the device for implementing the proposed method.

At least it includes: a corporate network (intranet) 1, a system block for inputting a request and outputting a response 2, a device 3 (server) for authenticating a user and identifying his image, a wireless communication network 4 (the communication network is shown as such communication in the drawing GSM), mobile phone 5, user computer 6.

When accessing the corporate network, the user generates a request signal for access to work in the corporate network 1. The request signal is entered using an input device (keyboard, magnetic card reader, etc.), for example, computer 6. In the request for access to the network, the user indicates his name and password, and possibly a number or other code that corresponds to the mobile phone number 5. In device 2, the request is processed (this may be the server’s operating system 3. If the identifiers match zovatelya previously stored by the operating system, user gets access to the operating system.

Simultaneously with the request for access or after gaining access to the corporate network 1, the user generates a service request signal, which indicates the objects and those actions that the user is going to perform on the requested data.

In addition, in the case of work in a multi-terminal network, the time of receipt of the request signal by the network server and the indication of the specific network node from which this request is made can be added to this identifier during the request.

Queries are generated by known methods, therefore, do not require additional explanations.

In the device 3 (authentication server), in accordance with the input request signal sequentially or simultaneously, depending on the time of generating requests for access and service, the user is authenticated and his image is identified. A user image identifier signal, including at least a user tolerance rank signal, a user confidence rank signal, and user action identifier signals are recorded in a predetermined memory area that is not accessible for unauthorized use.

The input request signal is transmitted to the system core memory, i.e. that part of it, which is constantly located in the main memory of the server. If the corporate network is implemented in the computer system of one server, in which the processing of request signals occurs in the permanent memory of this system, then the request is sent to this permanent memory.

After the end of the user authentication process, if the result is positive, the password valid for one user session on the corporate network 1 is sent to the wireless device 5 specified by the user during registration. This password is random, because it is generated in a stochastic manner and is encrypted using an encryption algorithm, in this case DES. Along with sending the password to the user, it is fixed in the core of the corporate network system.

The user, having received this password as an additional identifier, for example through a GSM network 4, enters it into server 3 (network administrator).

Thus, the user is accessed to the corporate network.

However, its access to objects containing information and the possibility of performing actions on it is allowed only after the identification of a service request, in accordance with the data forming the user image signal. This happens as follows.

The system administrator associates with the user identifier a signal of the rank of access to the information objects of this user and a signal of the level of trust of this user, which shows what actions this user has the right to perform on the corporate network. A user who has a specific admission rank has the right to access the data of any users whose admission rank is not higher than his own, and therefore, as having a specific level of trust, has the right to mark any data with a level no lower than his level. This tolerance rank and this level of trust along with the user ID, i.e. its registration name and password are recorded in a predetermined area of permanent memory of the core of the corporate network, which is accessed by the administrator (program) during the processing of the request. In principle, this information can also be recorded in RAM, provided that it has a sufficient volume for this, or this data can be stored in a separate storage device external to the computer system of the main server.

The formation of the signal of the possibility of user access to a specific object (information block) is carried out only after comparing the signal of the identifier of the image of the user with the label signal of the object (information block). In this case, the signal of the user tolerance rank contained in the user image identifier signal and the object access level signal are compared. If the user’s admission rank signal is higher than the object’s access level signal, the operating system allows the user any requested actions with this object if they do not relate to particularly important (secret) information. If the user access rank signal is equal to the object access level signal, then the operating system compares the user confidence rank signal with the confidence level signals for actions and reads the signals of action identifiers for which the rank signal from the memory, which is inaccessible for unauthorized access, user confidence is higher than the confidence level signal for a specific action.

Next, the signals of the user action identifiers contained in the image identifier signal of the given user are compared with the signals of the object’s action identifiers (information block) and they form the permission signal for this user to perform only those types of actions, the identifier signals for which this user are equal to the signals of the object’s action identifiers.

If the request indicates actions with especially important information simultaneously with the end of identification, they ask the user to confirm the request using the wireless device (mobile phone 5) and only after receiving confirmation issue permission to the user to perform the requested actions.

At the same time, each performed user action is recorded, and information about the actions performed is controlled in the corresponding cells of the area of operational or permanent memory of the core of the corporate network system allocated for this purpose.

In the event that during the access session to the corporate network it is discovered that the user’s identity rank is lower than the data access level or to perform actions on them that he is trying to access, there is a device in the main memory for erasing such information .

Thus, preventing the possibility of a user who does not have rights to illegally access any data on the corporate network.

However, the action of the operating system in this case is not limited to this. Any mismatch of names, passwords and signals of the corresponding identifiers, as well as a mismatch of the signal of the user image identifier is recorded by the corporate network operating system in the system log as an attempt of unauthorized access using data about the user who made this attempt. Such user behavior reduces the level of trust in him and the rank of his access to specific objects, and he may not know this, because this data is stored in the kernel of the operating system and is not reported to the user.

The proposed method, therefore, can significantly increase the security of data in the operating system from unauthorized access with the mandatory registration of attempts of such unauthorized access in the system log.

The above detailed description of the implementation of the proposed method serves only to illustrate and confirm the industrial applicability of this method, but does not limit its scope defined by the following claims.

The advantage of the proposed method is to increase the degree of client authentication by directly accessing it using the wireless source indicated by it and re-confirming the request when the client addresses information that is especially important for the organization.

This ensures the required level of security for the corporate network, excluding unauthorized access to it, and is achieved without complicating the software product and network design.

Currently, tests of various variants of the proposed method are ongoing, after which it is supposed to be used in corporate networks of several commercial organizations.

Claims (3)

1. A method of providing access to corporate network objects, which consists in the fact that during registration each user is assigned and then stored a user identifier signal and a user image identifier signal, including a specific set of data about the user and the actions allowed to him with each of the objects on the corporate network enters its identifier and generates a request signal for access to the corporate network and for service, containing at least an object name signal and description signals of the requested actions on the object, the generated service request signal is transmitted to the core of the system, where the signals of the identifiers of the user image, in accordance with the signal of the name of the object and the description signals of the requested ones, are read from the memory, which is inaccessible for unauthorized access to the core of the system actions on the object contained in the service request signal authenticate the user and identify the user image the user, and if the signal of the user’s admission to the objects level corresponds to or higher than the permissible one, a permission signal is generated to perform the actions, the descriptions of which are contained in the service request signal, simultaneously or after a decision is made on user access to the corporate network, characterized in that during registration in the memory, made inaccessible to unauthorized use, additionally enter the number of the mobile device and / or the identifier of another wireless source specified by the user before by adopting a decision on user access to the corporate network, a password is generated and sent to the user at the wireless source indicated by him, simultaneously fixing it in the system memory, for additional user authentication, during one session, they control the user's access to objects and actions with them, in If the service requests contain instructions on actions with objects containing information that is a commercial secret of the organization, they additionally ask the user for stvu wireless communication confirm request and only after its confirmation and identification form must also enable the implementation of the requested actions on objects corporate network. 2. The method according to claim 1, characterized in that the additional password for user access to the network for the duration of the session, generated stochastically, before being sent to the user, is encrypted using any of the known protocols, for example DES. 3. The method according to claim 1, characterized in that the formation of the service request by the user can be carried out both simultaneously with entering user identifiers and after allowing access to the corporate network, and during the session, the user’s work is monitored, including changes to access requests to network objects and actions on them.