RU2658894C1 - Method of the data access control with the users accounts protection - Google Patents

Abstract

FIELD: information technologies.

SUBSTANCE: invention relates to information security. Method consists in that on the part of the protected object with the object data administrator, generating the protected object ID unique identifier, generating the object administration random symmetric key CA, obtaining the CO object data encryption symmetric key by the derived key calculation from the CA key using the ID identifier as the modifier, encrypting the protected object data on the CO key, receiving the encrypted SDO data, generating the service data block containing the ID identifier, information about the protected object and specification of the used cryptographic functions, forming the access to the object list, consisting of users accounts, to which access to the protected object is granted, wherein at least one of the accounts belongs to the object administrator, performing the following actions for each account: receiving, from the selected user having the asymmetric key pair including the public key and private key, its public key, generating the random number, taking it as the temporary identifier, generating the account identifier, taking the temporary identifier as its value, generating the random asymmetric keys pair including the public key and private key, generating the account random symmetric account key KZ, calculating the common symmetrical key KZP from the private key and the public key, encrypting the KZ key on the KZP key, receiving the encrypted key, deciding on the administrator rights assignment to the user, generating the parameter value, characterizing the administrator rights availability in the user, generating the data block, encrypting it on the KZ key, receiving the encrypted data, forming the selected user account text description, generating the administration verification data block, encrypting it on the CA key, receiving the encrypted data, generating the selected user account, storing together the SDO encrypted data, service information, the object access list.

EFFECT: enabling the decentralized control over the data access rights.

1 cl

Description

FIELD OF THE INVENTION

The present invention relates to the field of information security and cryptography, and, in particular, to methods for managing and controlling access to confidential information stored and processed in automated computer systems.

State of the art

When building security systems, a variety of access control methods are used (discretionary, credential, role-based and other methods). The discretionary model of access control is the main implementation of the discriminatory policy of access to resources in the processing of confidential information, according to the requirements for an information security system (Guidance document: Computer facilities. Protection against unauthorized access to information. Indicators of protection against unauthorized access to information. - M .: State Technical Commission of Russia, 1992).

Discretionary access control (DAC) is based on access control lists or access control matrices of protected objects (Access Control List, ACL), which lists the subjects (users or processes) with access rights to this object and their authority.

The discretionary access model and the requirements of the guidelines provide for the separation of user roles, namely, the role of the administrator is allocated, who is granted the exclusive right to create an access list and is charged with maintaining this list up to date in accordance with the Security Policy used.

The discretionary model provides for hierarchical access control and the possibility of delegating administrator rights. For example, in most operating systems, such as Unix or Windows, there is a main administrator (or superuser) who has the right to appoint administrators of individual objects (owners of objects) and delegate them rights to manage access lists of these objects.

Encryption is traditionally used to protect information. As a result, access control to the data of the protected object is reduced to access control to the secret encryption key of this data. It is impossible to do without using a secret encryption key even with remote access to data via insecure communication channels, for example, when storing information in cloud services.

In the general case, the management of other powers (making changes to the data, code execution, etc.) can be realized through access control to certain secret parameters (keys). For example, the legitimacy of a change or code before execution can be checked against a checksum calculated using a secret parameter.

There is a method of providing access to a large amount of protected information to many users (RF patent No. 2391783, priority date 01/14/20015), in which information, instead of being repeatedly encrypted on the individual secret keys of users, is encrypted once on a technology key. The technological key itself is encrypted on the individual keys of users (or in a chain on other technological keys, the last of which is encrypted on the key of a specific user) and is transmitted to these users in encrypted form. In the known method, the formation, verification and updating of access lists is not considered and assigned to some trusted service, and independent change of authorization parameters (public keys) of users is not provided.

When placing data and transferring access control to it to an untrusted party (for example, a cloud service provider), along with encrypting information, it is necessary to monitor the observance of access rights to data on the user side. You can remotely distinguish a legitimate user from an attacker only by the presence of a secret parameter (key) in him (his possession). That is, user authorization should, in particular, consist in the fact that he uses his secret parameter to calculate or find the data encryption key. Such a secret authorization parameter can be: a password, directly a secret key or an individual device with a secret key (eToken), which does not allow the key to be read, but allows you to perform some conversions using this key.

In the long-term storage and processing of protected information for security reasons and according to the requirements of the guidelines, it is necessary to be able to change both the data encryption key and the individual user authorization parameters. For example, these actions are required when one of these parameters is compromised or threatens to be compromised.

Moreover, with a large number of users, the direct interaction of the object administrator with each user to change the parameters of his authorization can be technically difficult and / or impossible for an acceptable time. In addition, familiarizing the administrator with the secret user authorization parameters can pose a security risk: the user can use these same parameters to access another protected object that this administrator does not have access to. The requirement for the user to apply unique authorization parameters for each protected object is already creating problems for users to manage these parameters with a large number of objects to which this user is allowed.

Therefore, the ability for the user to change their authorization parameters independently of other users and administrators and the ability for the administrator to change the data encryption key without the participation of users is an undoubted positive feature of the access control system.

On the other hand, such opportunities for users to independently change authorization parameters deprive the administrator of a simple way to control the integrity of the access list by the checksum (including the checksum using the administration key). For the attacker, on the contrary, there is the prospect of creating an account (or replacing the account of a legitimate user) with the authorization parameters known to him in the hope that when the administrator changes the encryption key, these authorization parameters will allow to calculate a new encryption key and, accordingly, gain access to the protected information . Therefore, separate means of authenticating user accounts in access lists are required.

With a large number of users, another desirable feature of the access control system is the effective search of your account by authorization parameters, since testing all accounts for authorization may require an unacceptably long time.

The most complete solution to these problems is presented in the method (US patent No. 8738531, priority from 08.07.2008), which is further considered as a prototype.

The prototype proposes in the user account to place in the encrypted public key of the user OKP key encryption data object KO.

Public key encryption systems use interconnected public key (OK) and secret key (CK) in cryptographic operations, which are effectively generated using the GenPub () = (OK, CK) procedure. The OK key is distributed among correspondents for encrypting C messages to this addressee using the PubEncrypt (C, OK) = AL process. The user (recipient) keeps the SK key secret and uses it to decrypt the encrypted AL messages sent to him using the PubDecrypt procedure (AL, AL) = C. This encryption scheme is based on the property that calculating the IS and / or finding C using known OK and AL requires unacceptable computing resources. Several public key encryption systems are known, of which the RSA system is most widely used (US Patent No. 4405829, priority dated 12/14/1977).

In this prototype, the user account is formed by the administrator (owner) from the values:

ОКП - открытого ключа пользователя;

OKP - public key of the user;

ШКО = PubEncrypt (КО, ОКП) - ключа шифрования объекта КО, зашифрованного на открытом ключе пользователя;

ShKO = PubEncrypt (KO, OKP) - encryption key of the KO object encrypted on the user's public key;

СК = Hash (ОКП, КО) - контрольной суммы учетной записи, являющейся результатом хэширования открытого ключа пользователя и ключа защиты объекта.

SK = Hash (OKP, KO) - the checksum of the account, which is the result of hashing the user's public key and object security key.

This structure of accounts allows the user to efficiently find his account using the public key of the OKP and calculate the security key of the object KO = PubDecrypt (ShKO, SKP). Having the security key of the TO object, the user can, by generating a new pair of OKP and UPC public and private keys, calculate without an administrator the account for the new keys, i.e. Change your authorization / access to the object yourself. The administrator, like any of the users, can re-encrypt the object on the new key of the TO and create user accounts for the new key using the specified public keys of the OKP without the participation of other users. At the same time, the SK checksum allows you to make sure that the public key used has been declared by the person who has the security key of the object of the TO, i.e. legitimate user, not an attacker.

The main disadvantage of the prototype is that it actually does not have the role of administrator: any legitimate user can act as an administrator and add new users (or replace the public key in another user's account with one known to him) that the administrator cannot technically detect. This property poses a security risk: before being fired, an attacker could create several fake accounts (or replace public keys in user accounts that rarely access the object and for a long time do not detect such a spoofing), which will allow him to maintain access to the object after his account has been deleted and changing the security key of the object by the administrator.

To counter this threat, the prototype proposed to generate an encryption key for the object data from 2 keys: from the security key of the TO object and the key of the CS server, for which you need to separately authorize on a trusted service. The need to use an additional trusted authorization service actually disavows the account structure declared in the prototype: what improves the prototype compared to this trusted authorization becomes unclear.

Another disadvantage of the prototype is the direct listing in the access list of public keys of users. In typical situations, when a user uses the same pair of public and private keys to access different protected objects, an attacker will have the opportunity to analyze access lists and extract public keys that appear most often. By focusing on calculating the corresponding secret keys, in case of success, the attacker gains access to several protected objects at once instead of spending the same computing resources to access each of these objects separately.

In addition, public keys of users can be obtained from public key certificates, which allows an attacker to identify the circle of persons admitted to a particular protected object, and thereby indirectly determine the nature of the data contained in it and more reasonably choose the object of attack.

Disclosure of invention

The technical result is the provision of:

1) decentralized control over access rights by providing access to information based on the results of local user authorization without using trusted centralized authorization services;

2) differentiation of user roles by allocating administrator roles with the possibility of delegating administrator rights to other users;

3) independent change of authorization parameters by users and administrators, in which replacing authorization parameters does not require interaction with other users and administrators;

4) effective search for users of their account in the access list;

5) an independent change of the object's security settings, in which the replacement of information security settings by the administrator does not require interaction with users and other administrators;

6) identifying unauthorized changes to the access list;

7) concealment of the composition of persons having access to protected information.

To this end, a method for controlling access to data in a computer is provided, the computer having installed software configured to

генерировать уникальные идентификаторы,

generate unique identifiers

генерировать случайные числа,

generate random numbers

генерировать случайные симметричные ключи,

generate random symmetric keys,

генерировать случайные асимметричные пары ключей в составе открытого ключа и секретного ключа,

generate random asymmetric key pairs in the composition of the public key and secret key,

вычислять значение функции хэширования,

calculate the value of the hash function,

вычислять производный симметричный ключ из исходного симметричного ключа и значения модификатора,

calculate the derived symmetric key from the original symmetric key and the modifier value,

вычислять общий симметричный ключ из секретного ключа и открытого ключа,

calculate a common symmetric key from a private key and a public key,

зашифровывать и расшифровывать данные на симметричном ключе,

encrypt and decrypt data on a symmetric key,

зашифровывать и расшифровывать симметричный ключ на симметричном ключе;

encrypt and decrypt a symmetric key on a symmetric key;

the method consists in the fact that, on the part of the administrator of the protected object, with the data of the TO object, they perform the following actions:

генерируют уникальный идентификатор ИД защищаемого объекта;

generate a unique identifier for the ID of the protected object;

генерируют случайный симметричный ключ КА администрирования объекта;

generate a random symmetric key of the object administration CA;

получают симметричный ключ шифрования данных объекта КО путем вычисления производного ключа от ключа КА с использованием идентификатора ИД в качестве модификатора;

receive a symmetric key to encrypt the data of the object KO by calculating the derived key from the key KA using the ID identifier as a modifier;

зашифровывают данные защищаемого объекта ДО на ключе КО, получая зашифрованные данные ШДО;

encrypt the data of the protected object DO before the key KO, receiving the encrypted data of the SDO;

формируют блок данных служебной информации ДС, содержащий идентификатор ИД, сведения о защищаемом объекте и спецификацию использующихся криптографических функций СФ;

form a data block of service information of the DS containing the ID identifier, information about the protected object and the specification of the used cryptographic functions of the SF;

формируют список доступа ДД к объекту, состоящий из учетных записей пользователей, которым предоставляется доступ к защищаемому объекту, причем по крайней мере одна из учетных записей принадлежит администратору объекта, выполняя для каждой учетной записи УЗ следующие действия:

form a DD access list to the object, consisting of user accounts that are granted access to the protected object, at least one of the accounts belongs to the administrator of the object, performing the following actions for each UZ account:

получают у выбранного пользователя, имеющего асимметричную пару ключей в составе открытого ключа ОКП и секретного ключа СКП, его открытый ключ ОКП;

receive from the selected user having an asymmetric key pair as part of the public key OKP and the secret key UPC, his public key OKP;

генерируют случайное число, принимают его в качестве временного идентификатора ВИ;

generate a random number, take it as a temporary identifier of the VI;

формируют идентификатор ИЗ учетной записи УЗ, принимая в качестве его значения временный идентификатор ВИ;

form the identifier FROM the UZ account, taking as its value the temporary identifier of the VI;

генерируют случайную асимметричную пару ключей в составе открытого ключа ОКЗ и секретного ключа СКЗ;

generate a random asymmetric key pair in the composition of the public key CPS and the secret key CPS;

генерируют случайный симметричный ключ КЗ учетной записи УЗ;

generate a random symmetric key K3 account KM;

вычисляют общий симметричный ключ КЗП из секретного ключа СКЗ и открытого ключа ОКП;

calculate the common symmetric key KZP from the secret key SKZ and the public key OKP;

зашифровывают ключ КЗ на ключе КЗП, получая зашифрованный ключ ШКЗ;

encrypt the shortcut key on the shortcut key, receiving the encrypted key ShKZ;

принимают решение о наделении пользователя полномочиями администратора;

decide on the user with administrator privileges;

формируют значение параметра ПА, характеризующего наличие у пользователя полномочий администратора;

form the value of the user agent parameter characterizing the user having administrator privileges;

формируют блок данных ДЗ из следующих данных:

form a block of DZ data from the following data:

■ OKP key,

■ PA parameter,

■ KA key, if the PA parameter indicates that the user has administrator authority, otherwise - the KO key;

зашифровывают блок данных ДЗ на ключе КЗ, получая зашифрованные данные ШДЗ;

encrypting the DZ data block on the shortcut key, receiving the encrypted data of the DZD;

формируют текстовое описание Т учетной записи УЗ выбранного пользователя;

form a text description T of the UZ account of the selected user;

формируют блок проверочных данных администрирования ДА из следующих данных:

form a block of verification data for the administration of YES from the following data:

■ shortcut key,

■ PA parameter,

■ text description of T;

зашифровывают блок данных ДА на ключе КА, получая зашифрованные данные ШДА;

encrypt the YES data block on the KA key, receiving the encrypted SDA data;

формируют учетную запись выбранного пользователя УЗ в виде следующего блока данных:

form the account of the selected US user in the form of the following data block:

■ IZ identifier,

■ OKZ key,

■ encrypted key ShKZ,

■ encrypted data SHDZ,

■ encrypted SDA data;

сохраняют совместно следующие данные:

jointly store the following data:

зашифрованные данные ШДО,

encrypted SDO data,

служебную информацию ДС,

DS service information,

список доступа к объекту ДД;

access list to the DD object;

if necessary, access to the protected object by a user who has an asymmetric key pair as part of the public key of the OKP and the secret key of the UPC, performs the following actions:

(А) извлекают из служебной информации ДС идентификатор объекта ИД и спецификацию использующихся криптографических функций СФ;

(A) extract from the DS service information the identifier of the ID object and the specification of the used cryptographic functions of the SF;

вычисляют общий симметричный ключ КПП из секретного ключа СКП и открытого ключа ОКП;

calculate the common symmetric key PPC from the secret key of the UPC and the public key of the OKP;

вычисляют значение функции хэширования от блока данных, составленного из идентификатора ИД и ключа КПП, получая постоянное значение идентификатора ИЗ;

calculating the value of the hash function from the data block composed of the ID identifier and the PPC key, obtaining a constant value of the identifier FROM;

если доступ выполняется в первый раз с момента формирования администратором объекта списка доступа, то переходят к этапу (Б), иначе переходят к этапу (В);

if access is performed for the first time from the moment the administrator creates the access list object, then go to step (B), otherwise go to step (C);

(Б) получают у администратора объекта временный идентификатор ВИ, назначенный учетной записи данного пользователя при первичном формировании списка доступа;

(B) receive from the site administrator the temporary identifier of the VI assigned to the user’s account during the initial formation of the access list;

находят в списке доступа ДД учетную запись, у которой значение идентификатора ИЗ совпадает с ВИ;

find an account in the access list of the DD whose ID value of the ID matches the VI;

заменяют в учетной записи пользователя значение идентификатора ИЗ на вычисленное постоянное значение;

replace the value of the identifier FROM the user account with the calculated constant value;

(В) находят в списке доступа ДД учетную запись, у которой значение ИЗ совпадает с вычисленным;

(B) find an account in the access list of the DD whose account value matches the calculated value;

получают из найденной учетной записи ключи ОКЗ, ШКЗ и зашифрованные данные ШДЗ, ШДА;

receive from the found account the keys OKZ, ShKZ and encrypted data ShDZ, ShDA;

вычисляют общий симметричный ключ КЗП из ключей СКП и ОКЗ;

calculate the common symmetric key KZP of the keys SKP and OKZ;

расшифровывают ключом КЗП зашифрованный ключ ШКЗ, получая секретный ключ КЗ;

decrypt with the KZP key the encrypted SHKZ key, receiving the KZ KZ secret key;

расшифровывают ключом КЗ зашифрованные данные ШДЗ, получая значение параметра ПА и ключ К;

decrypt the encrypted SDZ data with the shortcut key, obtaining the value of the PA parameter and the key K;

если параметр ПА указывает на наличие у пользователя полномочий администратора, принимают ключ К в качестве ключа администрирования КА и вычисляют для него производный ключ, используя идентификатор ИД в качестве модификатора, получая ключ шифрования данных КО;

if the PA parameter indicates that the user has administrator privileges, they accept the key K as the KA administration key and calculate the derivative key for it using the ID identifier as a modifier, obtaining the key for encrypting the KO data;

если параметр ПА указывает на отсутствие у пользователя полномочий администратора, принимают ключ К в качестве ключа шифрования данных КО;

if the PA parameter indicates that the user does not have administrator privileges, they accept the key K as the key for encrypting the KO data;

расшифровывают зашифрованные данные ШДО с помощью ключа КО, получая данные защищаемого объекта ДО;

decrypt the encrypted data of the SDO using the key KO, receiving data of the protected object DO;

if necessary, on the part of the user who has an asymmetric key pair as part of the OKP public key and SKP secret key, switch to using another asymmetric key pair as part of the OKM public key and SKM secret key and have access to the protected object, perform the following actions:

выполняют действия для доступа к защищаемому объекту согласно этапу А, получая идентификатор ИД, ключи ОКЗ, КЗ, К и значение параметра ПА;

perform actions for access to the protected object according to step A, receiving an ID identifier, OKZ, KZ, K keys and a PA parameter value;

вычисляют общий симметричный ключ КММ из секретного ключа СКМ и открытого ключа ОКМ;

calculate the common symmetric key KMM from the secret key SCM and the public key OKM;

вычисляют значение функции хэширования от блока данных, составленного из идентификатора ИД и ключа КММ, получая модифицированное постоянное значение идентификатора ИЗ;

calculating the value of the hash function from the data block composed of the ID identifier and the KMM key, obtaining a modified constant value of the identifier FROM;

заменяют в учетной записи пользователя УЗ значение идентификатора ИЗ на модифицированное значение;

replace the value of the identifier FROM the user account UZ with a modified value;

вычисляют модифицированное значение ключа КЗП как общий симметричный ключ для ключей СКМ и ОКЗ;

calculating the modified value of the KZP key as a common symmetric key for the SCM and OKZ keys;

зашифровывают ключ КЗ на модифицированном ключе КЗП, получая модифицированное значение зашифрованного ключ ШКЗ;

encrypt the shortcut key on the modified shortcut key, receiving the modified value of the encrypted shortcut key;

заменяют в учетной записи пользователя УЗ значение зашифрованного ключа ШКЗ на модифицированное значение;

replace the value of the encrypted key ShKZ in the user account of the UZ with a modified value;

формируют модифицированный блок данных ДЗ из следующих данных:

form a modified block of DZ data from the following data:

ключ ОКМ,

OKM key

параметр ПА,

PA parameter

ключ К;

key K;

зашифровывают блок данных ДЗ на модифицированном ключе КЗ, получая модифицированное значение зашифрованных данных ШДЗ;

encrypting the data block of the remote sensing data on a modified short-circuit key, obtaining the modified value of the encrypted SDZ data;

заменяют в учетной записи пользователя УЗ значение зашифрованных данных ШДЗ на модифицированное значение;

replacing the value of the encrypted data of the SDZ in the user account of the ultrasonic operator with a modified value;

if necessary, the following actions are performed by the administrator of the object for verification of the user account:

выполняют действия для доступа к защищаемому объекту согласно этапу А, получая ключи КА и КО;

perform actions for access to the protected object according to stage A, receiving keys KA and KO;

получают из списка доступа проверяемую учетную запись пользователя УЗ;

get a verified user account from the access list;

из учетной записи УЗ получают значения зашифрованных данных ШДЗ, ШДА;

from the UZ account, the values of the encrypted data of ShDZ, ShDA are obtained;

расшифровывают данные ШДА на ключе КА, получая ключ КЗ, параметр ПА и текстовое описание Т учетной записи УЗ;

decrypt the SDA data on the KA key, receiving the shortcut key, the PA parameter and the text description T of the KM account;

расшифровывают данные ШДЗ на ключе КЗ, получая параметр ПА и ключ К;

decrypt the SDZ data on the shortcut key, receiving the PA parameter and key K;

по текстовому описанию Т устанавливают соответствие сведений учетной записи УЗ пользователю, имеющему допуск к защищаемому объекту;

the textual description of T establishes the correspondence of the account information of the UZ to a user who has access to the protected object;

устанавливают соответствие значений параметра ПА, полученных из данных ШДА и ШДЗ;

establish the correspondence of the values of the PA parameter obtained from the SDA and SDZ data;

если параметр ПА указывает на наличие у пользователя полномочий администратора, устанавливают соответствие ключа К ключу КА;

if the PA parameter indicates that the user has administrator privileges, the correspondence of the K key to the KA key is established;

если параметр ПА указывает на отсутствие у пользователя полномочий администратора, устанавливают соответствие ключа К ключу КО;

if the PA parameter indicates that the user does not have administrator privileges, establish the correspondence of the key K to the key KO;

if necessary, the following actions are performed by the administrator of the data encryption key replacement object:

выполняют действия для доступа к защищаемому объекту согласно этапу А, получая ключи КА, КО и идентификатор ИД;

perform actions to access the protected object according to step A, receiving keys KA, KO and ID identifier;

расшифровывают на ключе КО данные ШДО, получая данные защищаемого объекта ДО;

decrypt the data of the SDO on the KO key, receiving the data of the protected object of DO;

генерируют случайный модифицированный симметричный ключ администрирования объекта КА;

generating a random modified symmetric administration key of the spacecraft object;

вычисляют производный ключ для модифицированного ключа КА, используя идентификатор ИД в качестве модификатора, получая модифицированный ключ КО;

calculate the derivative key for the modified key KA, using the ID identifier as a modifier, obtaining a modified key KO;

зашифровывают данные ДО на модифицированном ключе КО;

encrypt DO data on a modified KO key;

формируют модифицированный список доступа ДД к объекту, выполняя для каждой учетной записи пользователя УЗ из списка доступа ДД следующие действия:

form a modified access list DD to the object, performing for each user account KM from the access list DD the following actions:

считывают значение идентификатора ИЗ;

read the value of the identifier FROM;

выполняют проверку учетной записи пользователя УЗ, получая при этом значения идентификатора ИЗ, ключа ОКП, параметра ПА и текстовое описание Т;

verify the user account of the ultrasound, while receiving the values of the identifier FROM, OKP key, parameter PA and text description T;

при неуспешной проверке исключают УЗ из модифицированного списка доступа ДД и переходят к следующей учетной записи, иначе выполняют следующие действия:

upon unsuccessful verification, exclude KMs from the modified DD access list and proceed to the next account; otherwise, perform the following actions:

генерируют случайную модифицированную асимметричную пару ключей в составе открытого ключа ОКЗ и секретного ключа СКЗ;

generate a random modified asymmetric key pair in the composition of the public key CPS and the secret key CPS;

генерируют случайный модифицированный симметричный ключ КЗ;

generate a random modified short-circuit symmetric key;

вычисляют модифицированное значение общего ключа КЗП из модифицированного ключа СКЗ и ключа ОКП;

calculating the modified value of the common KZP key from the modified SKZ key and the OKP key;

зашифровывают модифицированный ключ КЗ на модифицированном ключе КЗП, получая модифицированное значение зашифрованного ключа ШКЗ;

encrypting the modified KZ key on the modified KZP key, obtaining the modified value of the encrypted ShKZ key;

формируют модифицированный блок данных ДЗ из следующих данных:

form a modified block of DZ data from the following data:

ключ ОКП,

OKP key

параметр ПА,

PA parameter

модифицированный ключ КА, если параметр ПА указывает на наличие у пользователя полномочий администратора, иначе - модифицированный ключ КО;

a modified KA key, if the PA parameter indicates that the user has administrator privileges, otherwise - a modified KO key;

зашифровывают модифицированный блок данных ДЗ на модифицированном ключе КЗ, получая модифицированное значение зашифрованных данных ШДЗ;

encrypting the modified block of DZ data on the modified short-circuit key, obtaining the modified value of the encrypted data of the DZD;

формируют модифицированный блок проверочных данных ДА из следующих данных:

form a modified block of test data YES from the following data:

модифицированный ключ КЗ,

modified shortcut key,

параметр ПА,

PA parameter

текстовое описание Т;

text description of T;

зашифровывают модифицированный блок ДА на модифицированном ключе КА, получая модифицированное значение зашифрованных данных ШДА;

encrypting the modified YES block on the modified KA key, obtaining the modified value of the encrypted SDA data;

формируют учетную запись УЗ в модифицированном списке доступа ДД из следующих данных:

form the account KM in the modified access list DD from the following data:

идентификатор ИЗ,

identifier FROM

модифицированный ключ ОКЗ,

modified OKZ key,

модифицированный зашифрованный ключ ШКЗ,

ShKZ modified encrypted key,

модифицированные зашифрованные данные ШДЗ.

modified encrypted SHDZ data.

The inventive method is applicable in conditions where the object with the protected information and access lists to it are located in a public place. However, it is allowed to use additional security measures to access the object and its access lists, which is beyond the scope of the proposed method.

In the claimed method, access to the protected information is controlled by providing the legitimate user with the opportunity to calculate the secret parameter (key) of the TO, on which the object data is encrypted. Numerous classical (symmetric) encryption algorithms and their operating modes are known that provide the corresponding characteristics of information protection (B. Schneier. Applied cryptography, M: Triumph, 2002). In the claimed method, it does not matter which encryption algorithm is used to protect information. From the encryption algorithm used and the mode of its use, it is only required that without knowing the secret key in the encrypted text, it is impossible to replace individual fragments, purposefully imposing the necessary data upon decryption.

To separate the roles of users and administrators in the claimed method, key diversification is used: the administrator is provided with the main key - the KA administration key, and the user operates with the KO derived key formed from the administration key and the unclassified modifier - the unique identifier of the ID object - using the unidirectional NewKey function (KA , ID) = KO. The use of the unidirectional function NewKey () makes it impossible for the user to calculate the spacecraft administration key using the well-known KO key and obtain administrator privileges provided by this key. Such key diversification is applicable to distinguish the superuser role from administrators or to differentiate user roles. Many key diversification functions are known, for example, (RFC 8018, NIST Special Publication 800-132, P 50.1.113-2016, information at: https://tools.ietf.org/html/rfc8018). For the proposed method, it does not matter which of the key diversification functions is used.

One of the distinguishing features of the proposed method is the separation of the user account into two interconnected parts with different access rights. The first part of the account is accessed by the administrator and a legitimate user, and the second only by the administrator. The administrator’s exclusive access to the second part of the account allows him to place data in it to control the legitimacy of the changes that the user is allowed to make in the first part of the account.

Another distinctive feature of the proposed method is the encryption of each part of the user account on separate keys. Separate encryption of parts of the account not only ensures the separation of access to them between the user and the administrator, but also allows you to hide from other users the belonging of this account to a specific person and the authorization parameters used in this record.

For joint access of the administrator and the user to the general part of the account in the claimed method, ephemeral keys are used (NIST Special Publication 800-57 Revivsion 3, P 50.1.113-2016, information at: http://csrc.nist.gov/publications/ nistpubs / 800-57 / sp800-57_part1_rev3_general.pdf) for an open key distribution system. An open key distribution system is a type of public key system in which a pair of users with each other’s public keys OKP1 and OKP2 efficiently calculate the common secret key K12 using the well-known function ComKey () without additional interaction, using their private keys SKP1 and SKP2, as:

K12 = ComKey (OKP2, SKP1) and

K12 = ComKey (OKP1, SKP2).

An open key distribution system requires that finding the public key K12 only by using the public keys OKP1 and OKP2 without using the keys SKP1 or SKP2 is an unacceptably complex computational task.

Several public key distribution systems are known, of which the Diffie-Hellman system is most widely used (US Pat. No. 4,200,770, priority dated September 6, 1977). For the proposed method, it does not matter which of the public key distribution systems is used.

In the claimed method, access lists to the protected information object are generated by the object administrator as follows.

According to the rules of the operating system (OS) used in the computer, the protected object is assigned a unique identifier ID (for Windows, for example, the size of the unique identifier is 16 bytes).

The service information of the protected object of the DS is generated, which contains open information of the type: object type, object data formats, software version number (software), specifications of the used cryptographic transformations of the SF and a unique identifier ID. The composition of the service information is not of fundamental importance for the proposed method.

A random symmetric KA administration key = rand () is generated, from which, using the unidirectional key diversification function NewKey (*, *), a derivative key is calculated using the unique identifier of the ID object — the security key of the KO = NewKey object (KA, ID).

The information of the protected DO object is encrypted on the security key of the TO object and is replaced by the encrypted data SDO = Encrypt (DO, TO).

Together with the encrypted data, service information and an access list consisting of user accounts are stored. User and administrator accounts are created by the administrator on the basis of personal public keys of OKP users.

To create a user account, the administrator generates a random symmetric account key KZ = rand () and generates an asymmetric pair from the public and secret keys of the record (OKZ, SKZ) = GenPub (rand ()), where GenPub (*) is the function of generating the key pair for an open key distribution system, a rand () is a random number sensor.

Using the public key of the user OKP and the generated ephemeral key SKZ, the administrator calculates the common key KZP = ComKey (OKP, SKZ), where = ComKey (*, *) is the function of generating a common pair key.

The user’s public key is placed the public key of the OKP and the result of the encryption key encryption on the common key KZP key account KZ, i.e. ShKZ = Encrypt (KZ, KZP).

The account data of the DZ user, which is encrypted on the account key of the KZ account, is added to the account, consisting of the following values: the public key of the OKP user characterizing the role of the user of the PA parameter (administrator or user), and the key K, which acts as the administrator for the CA and for user roles - KO, i.e. SDZ = Encrypt (OKP || PA || K, KZ).

To verify the authenticity of the account, it includes the YES administration verification data block — the account key KZ, the user account role and text information about user T, encrypted on the KA administration key: SDA = Encrypt (KZ || PA || T, KA).

To provide the user with the opportunity to efficiently search for their account, each of them, when created, is provided with a temporary identifier for the VI, obtained randomly: VI = rand (). The first time a user accesses the protected object, he replaces the temporary identifier of the VI with the permanent identifier of the IZ account, calculated by the unidirectional Hash function from the unique identifier of the object ID and the key obtained as a shared key for his secret and public keys KPP = ComKey (OKP, UPC):

FROM = Hash (ID || PPC).

Thus, in the claimed control method, together with the protected data of the object, the unique identifier of the object ID and the specifications of the SF formats / algorithms are stored, and the object data is encrypted on the KO symmetric key, which is a derivative of the KO = NewKey (KA, ID) symmetric key from a randomly generated administration key KA = rand ().

In the access list, each user account, including the administrator of the protected object, has a unique IZ identifier calculated using the unidirectional function, as IZ = Hash (ID || KPP), where KPP is a secret key obtained as a public key for public and private keys user, PPC = ComKey (OKP, UPC), or a random temporary identifier of the VI assigned by the administrator for the first session of the user.

Each account contains values:

ОКЗ - открытый ключ из случайно сгенерированной пары открытого и секретного ключей (ОКЗ, СКЗ) = GenPub (rand ());

OKZ - public key from a randomly generated pair of public and private keys (OKZ, SKZ) = GenPub (rand ());

ШКЗ = Encrypt (КЗП, КЗ) - случайно сгенерированный симметричный ключ записи КЗ = rand (), зашифрованный на общем ключе КЗП, вычисленного в системе открытого распределения ключей КЗП = ComKey (ОКП, СКЗ) по открытому ключу пользователя ОКП и ключу СКЗ;

ShKZ = Encrypt (KZP, KZ) - a randomly generated symmetric write key KZ = rand (), encrypted on a shared KZP key, calculated in the KZP = ComKey public key distribution system (OKK, SKZ) using the public key of the OKP user and the SKZ key;

ШДЗ = Encrypt (ОКП || ПА || К, КЗ) - зашифрованная на ключе записи КЗ информация пользователя, состоящая из открытого ключа пользователя ОКП, параметра ПА, характеризующего роль пользователя (администратор или пользователь) и симметричного ключа К, который для роли администратора является КА, а для роли пользователя - КО.

SDZ = Encrypt (OKP || PA || K, KZ) - user information encrypted on the KZ record key, consisting of the OKP user public key, user parameter characterizing the user role (administrator or user) and the symmetric key K, which is for the administrator role is a spacecraft, and for a user role is a spacecraft.

ШДА=Encrypt (КЗ || ПА || Т, КА) - зашифрованные на ключе администрирования КА проверочные данные, состоящие из ключа записи КЗ, параметра ПА, характеризующего роль пользователя (администратор или пользователь) и текстового описания о пользователе Т.

SDA = Encrypt (KZ || PA || T, KA) - verification data encrypted on the KA administration key, consisting of a KZ record key, PA parameter characterizing the role of the user (administrator or user) and a text description about user T.

To access the protected object, the user extracts from the service information the unique identifier of the ID object and first calculates the key KPP = ComKey (OKP, SKP), and then the identifier of his record as FR = Hash (ID || KPP). When the object is first accessed, it uses instead of the IZ a random temporary identifier of the VI assigned to it by the administrator. By identifier, the user finds his account, and when he first accesses the object, he independently replaces the identifier of the VI with a constant value of FROM.

Next, the user extracts the public key of the OKZ record from his account and, using his secret key UPC, calculates the common key KZP = ComKey (OKZ, SKP), on which he decrypts the ShKZ field and finds the record key KZ = Decrypt (ShKZ, KZP). On the key of the short circuit record, the user decrypts the SHDZ field and finds the values of the OKP || PA || K = Decrypt (ShDZ, KZ). If the PA parameter points to the role “user”, then K = KO and the user gains access to the object data by decrypting them on the key K. If the role is “administrator”, then K = KA, and the user calculates the derivative key KO = to decrypt the data of the object NewKey (CA, ID).

To switch to a new pair of public and private keys (OKM, SKM), the user performs the above calculations with the same pair of keys (OKP, SKM) and calculates the new values:

PPC = ComKey (OKM, SCM),

FROM = Hash (ID || PPC),

SDZ = Encrypt (OKM || PA || K, KZ),

ШК3 = Encrypt (KZ, KZP),

where KZP = ComKey (OKZ, SKM),

and replaces the old values in the account with the corresponding new ones.

To verify the authenticity of the user account, the administrator performs the above calculations with his account and finds the values of KA and KO. Then, on the key, the KA decrypts the SDA field in the user account and receives the short-circuit values || PA || T = Decrypt (YES, KA). Then, in the same account, it decrypts the SHDZ field on the received shortcut key, finds the values of the OKP || PA || K = Decrypt (ШЗЗ, КЗ) and checks if the PA parameter that defines the user's role coincides with the previously decrypted one and matches K with the spacecraft or with the KO in accordance with the user's role.

To change the encryption key of the object, the administrator generates a new random administration key KA = rand () and calculates a new key for the object KO = NewKey (KA, ID), after which, according to his account, he finds the old keys of KA and KO and re-encrypts the data object from the previous key to the new one. Then it checks each user account in the manner described above. In the verified records, the identifier of the user record FROM is stored, and the remaining fields are recalculated for new values using the proposed formulas.

The delegation of administrator privileges to the user consists in the fact that when the ShDZ and ShDA fields are formed, the PA parameter points to the "administrator" role, and the K = KA parameter.

The formation of the user account identifier based on the unique identifier of the ID object ensures the uniqueness of this identifier for different objects even when the user uses the same key to access the object.

Since the data on the user's public key is encrypted on a short-circuit key that is individual for each record, and only the administrator or the user can calculate this key, only the administrator of both lists or the user can detect the public key duplication, which ensures storage in secrecy of the composition of persons having access to the protected object.

The implementation of the invention

Implementation of the proposed method can be carried out in a computer running any OS, for example, Windows 7, 10, etc.

The computer must have an administrator defined and the users listed (at least one user).

The administrator should be able, if necessary, to obtain from users who have previously generated an asymmetric key pair as part of the public private key and private secret key their public keys.

The computer must also contain at least one protected object, access to which is advisable to protect, for example, it can be a text file with confidential information.

To prepare for using the proposed method, it is necessary to form a software tool configured to

генерировать уникальные идентификаторы,

generate unique identifiers

генерировать случайные числа,

generate random numbers

генерировать случайные симметричные ключи,

generate random symmetric keys,

генерировать случайные асимметричные пары ключей в составе открытого ключа и секретного ключа,

generate random asymmetric key pairs in the composition of the public key and secret key,

вычислять значение функции хэширования,

calculate the value of the hash function,

вычислять производный симметричный ключ из исходного симметричного ключа и значения модификатора,

calculate the derived symmetric key from the original symmetric key and the modifier value,

вычислять общий симметричный ключ из секретного ключа и открытого ключа,

calculate a common symmetric key from a private key and a public key,

зашифровывать и расшифровывать данные на симметричном ключе,

encrypt and decrypt data on a symmetric key,

зашифровывать и расшифровывать симметричный ключ на симметричном ключе.

encrypt and decrypt a symmetric key on a symmetric key.

This software is a program or a set of programs, which, knowing its purpose and functions, can be formed by a specialist in programming (programmer). The prepared software tool after installation is installed (installed) in the computer.

Then, the computer starts working as usual. In the course of work on the part of the administrator of the protected object, with the data of the TO object, they perform the following actions:

генерируют уникальный идентификатор ИД защищаемого объекта;

generate a unique identifier for the ID of the protected object;

генерируют случайный симметричный ключ КА администрирования объекта;

generate a random symmetric key of the object administration CA;

получают симметричный ключ шифрования данных объекта КО путем вычисления производного ключа от ключа КА с использованием идентификатора ИД в качестве модификатора;

receive a symmetric key to encrypt the data of the object KO by calculating the derived key from the key KA using the ID identifier as a modifier;

зашифровывают данные защищаемого объекта ДО на ключе КО, получая зашифрованные данные ШДО;

encrypt the data of the protected object DO before the key KO, receiving the encrypted data of the SDO;

формируют блок данных служебной информации ДС, содержащий идентификатор ИД, сведения о защищаемом объекте и спецификацию использующихся криптографических функций СФ;

form a data block of service information of the DS containing the ID identifier, information about the protected object and the specification of the used cryptographic functions of the SF;

формируют список доступа ДД к объекту, состоящий из учетных записей пользователей, которым предоставляется доступ к защищаемому объекту, причем по крайней мере одна из учетных записей принадлежит администратору объекта, выполняя для каждой учетной записи УЗ следующие действия:

form a DD access list to the object, consisting of user accounts that are granted access to the protected object, at least one of the accounts belongs to the administrator of the object, performing the following actions for each UZ account:

получают у выбранного пользователя, имеющего асимметричную пару ключей в составе открытого ключа ОКП и секретного ключа СКП, его открытый ключ ОКП;

receive from the selected user having an asymmetric key pair as part of the public key OKP and the secret key UPC, his public key OKP;

генерируют случайное число, принимают его в качестве временного идентификатора ВИ;

generate a random number, take it as a temporary identifier of the VI;

формируют идентификатор ИЗ учетной записи УЗ, принимая в качестве его значения временный идентификатор ВИ;

form the identifier FROM the UZ account, taking as its value the temporary identifier of the VI;

генерируют случайную асимметричную пару ключей в составе открытого ключа ОКЗ и секретного ключа СКЗ;

generate a random asymmetric key pair in the composition of the public key CPS and the secret key CPS;

генерируют случайный симметричный ключ КЗ учетной записи УЗ;

generate a random symmetric key K3 account KM;

вычисляют общий симметричный ключ КЗП из секретного ключа СКЗ и открытого ключа ОКП;

calculate the common symmetric key KZP from the secret key SKZ and the public key OKP;

зашифровывают ключ КЗ на ключе КЗП, получая зашифрованный ключ ШКЗ;

encrypt the shortcut key on the shortcut key, receiving the encrypted key ShKZ;

принимают решение о наделении пользователя полномочиями администратора;

decide on the user with administrator privileges;

формируют значение параметра ПА, характеризующего наличие у пользователя полномочий администратора;

form the value of the user agent parameter characterizing the user having administrator privileges;

формируют блок данных ДЗ из следующих данных:

form a block of DZ data from the following data:

ключ ОКП,

OKP key

параметр ПА,

PA parameter

ключ КА, если параметр ПА указывает на наличие у пользователя полномочий администратора, иначе - ключ КО;

KA key, if the PA parameter indicates that the user has administrator privileges; otherwise, the KO key;

зашифровывают блок данных ДЗ на ключе КЗ, получая зашифрованные данные ШДЗ;

encrypting the DZ data block on the shortcut key, receiving the encrypted data of the DZD;

формируют текстовое описание Т учетной записи УЗ выбранного пользователя;

form a text description T of the UZ account of the selected user;

формируют блок проверочных данных администрирования ДА из следующих данных:

form a block of verification data for the administration of YES from the following data:

ключ КЗ,

shortcut key

параметр ПА,

PA parameter

текстовое описание Т;

text description of T;

зашифровывают блок данных ДА на ключе КА, получая зашифрованные данные ШДА;

encrypt the YES data block on the KA key, receiving the encrypted SDA data;

формируют учетную запись выбранного пользователя УЗ в виде следующего блока данных:

form the account of the selected US user in the form of the following data block:

идентификатор ИЗ,

identifier FROM

ключ ОКЗ,

OKZ key

зашифрованный ключ ШКЗ,

ShKZ encrypted key,

зашифрованные данные ШДЗ,

ShZD encrypted data

зашифрованные данные ШДА;

SDA encrypted data;

сохраняют совместно следующие данные:

jointly store the following data:

зашифрованные данные ШДО,

encrypted SDO data,

служебную информацию ДС,

DS service information,

список доступа к объекту ДД.

access list to the DD object.

Thus, the data of the TO object is received in a secure, encrypted form.

The PA parameter used to provide access to the protected object can be, for example, an integer 0 or 1 (where 0 means the user does not have administrator privileges, and 1 means the user has such privileges) or text of the form "Yes" or "No" with appropriate meaning.

At the same time, differentiation of user roles is also ensured by allocation of administrator roles with the possibility of delegating administrator rights to other users.

As information about the protected object as part of the service information data block of the DS, a textual description of the object can be used, for example, text of the form "List of software modules".

As a specification of the cryptographic functions used, SF can be used:

применяемый алгоритм симметричного шифрования, длина блока и длина ключей, например блочный шифр «Кузнечик» по ГОСТ Р 34.12-2015 с длиной блока 128 бит и длиной ключа 256 бит, или блочный шифр AES по FIPS PUB 197 Advanced Encryption Standard с длиной блока 128 бит и длиной ключа 256 бит;

symmetric encryption algorithm used, block length and key length, for example, Grasshopper block cipher according to GOST R 34.12-2015 with 128 bit block length and 256 bit key length, or AES block cipher according to FIPS PUB 197 Advanced Encryption Standard with 128 bit block length and a key length of 256 bits;

применяемый алгоритм хэширования и размер хэширования, например? функция хэширования ГОСТ Р 34.11-2012 с размером хэша 256 бит или SHA-256 по FIPS PUB 180-4 Secure Hash Standard с размером хэша 256 бит;

the hash algorithm used and the hash size, for example? GOST R 34.11-2012 hash function with a 256-bit hash size or SHA-256 according to FIPS PUB 180-4 Secure Hash Standard with a 256-bit hash size;

применяемый алгоритм получения производного ключа, например, функция KDF_GOSTR3411_2012_256 по Р 50.1.113-2016, или HKDF по RFC 5869, и их параметры и др.

the applied derivative key algorithm, for example, the function KDF_GOSTR3411_2012_256 according to P 50.1.113-2016, or HKDF according to RFC 5869, and their parameters, etc.

If necessary, access to the protected object by a user who has an asymmetric key pair as part of the public key of the OKP and the secret key of the UPC, performs the following actions:

(А) извлекают из служебной информации ДС идентификатор объекта ИД и спецификацию использующихся криптографических функций СФ;

(A) extract from the DS service information the identifier of the ID object and the specification of the used cryptographic functions of the SF;

вычисляют общий симметричный ключ КПП из секретного ключа СКП и открытого ключа ОКП;

calculate the common symmetric key PPC from the secret key of the UPC and the public key of the OKP;

вычисляют значение функции хэширования от блока данных, составленного из идентификатора ИД и ключа КПП, получая постоянное значение идентификатора ИЗ;

calculating the value of the hash function from the data block composed of the ID identifier and the PPC key, obtaining a constant value of the identifier FROM;

если доступ выполняется в первый раз с момента формирования администратором объекта списка доступа, то переходят к этапу (Б), иначе переходят к этапу (В);

if access is performed for the first time from the moment the administrator creates the access list object, then go to step (B), otherwise go to step (C);

(Б) получают у администратора объекта временный идентификатор ВИ, назначенный учетной записи данного пользователя при первичном формировании списка доступа;

(B) receive from the site administrator the temporary identifier of the VI assigned to the user’s account during the initial formation of the access list;

находят в списке доступа ДД учетную запись, у которой значение идентификатора ИЗ совпадает с ВИ;

find an account in the access list of the DD whose ID value of the ID matches the VI;

заменяют в учетной записи пользователя значение идентификатора ИЗ на вычисленное постоянное значение;

replace the value of the identifier FROM the user account with the calculated constant value;

(В) находят в списке доступа ДД учетную запись, у которой значение ИЗ совпадает с вычисленным;

(B) find an account in the access list of the DD whose account value matches the calculated value;

получают из найденной учетной записи ключи ОКЗ, ШКЗ и зашифрованные данные ШДЗ, ШДА;

receive from the found account the keys OKZ, ShKZ and encrypted data ShDZ, ShDA;

вычисляют общий симметричный ключ КЗП из ключей СКП и ОКЗ;

calculate the common symmetric key KZP of the keys SKP and OKZ;

расшифровывают ключом КЗП зашифрованный ключ ШКЗ, получая секретный ключ КЗ;

decrypt with the KZP key the encrypted SHKZ key, receiving the KZ KZ secret key;

расшифровывают ключом КЗ зашифрованные данные ШДЗ, получая значение параметра ПА и ключ К;

decrypt the encrypted SDZ data with the shortcut key, obtaining the value of the PA parameter and the key K;

если параметр ПА указывает на наличие у пользователя полномочий администратора, принимают ключ К в качестве ключа администрирования КА и вычисляют для него производный ключ, используя идентификатор ИД в качестве модификатора, получая ключ шифрования данных КО;

if the PA parameter indicates that the user has administrator privileges, they accept the key K as the KA administration key and calculate the derivative key for it using the ID identifier as a modifier, obtaining the key for encrypting the KO data;

если параметр ПА указывает на отсутствие у пользователя полномочий администратора, принимают ключ К в качестве ключа шифрования данных КО;

if the PA parameter indicates that the user does not have administrator privileges, they accept the key K as the key for encrypting the KO data;

расшифровывают зашифрованные данные ШДО с помощью ключа КО, получая данные защищаемого объекта ДО;

decrypt the encrypted data of the SDO using the key KO, receiving data of the protected object DO;

Thus, access to data is provided for both ordinary users and users with administrator rights, and in addition, decentralized control of access rights by providing access to information based on the results of local user authorization without using trusted centralized authorization services.

If necessary, on the part of the user who has an asymmetric key pair as part of the OKP public key and SKP secret key, switch to using another asymmetric key pair as part of the OKM public key and SKM secret key and have access to the protected object, perform the following actions:

выполняют действия для доступа к защищаемому объекту согласно этапу А, получая идентификатор ИД, ключи ОКЗ, КЗ, К и значение параметра ПА;

perform actions for access to the protected object according to step A, receiving an ID identifier, OKZ, KZ, K keys and a PA parameter value;

вычисляют общий симметричный ключ КММ из секретного ключа СКМ и открытого ключа ОКМ;

calculate the common symmetric key KMM from the secret key SCM and the public key OKM;

вычисляют значение функции хэширования от блока данных, составленного из идентификатора ИД и ключа КММ, получая модифицированное постоянное значение идентификатора ИЗ;

calculating the value of the hash function from the data block composed of the ID identifier and the KMM key, obtaining a modified constant value of the identifier FROM;

заменяют в учетной записи пользователя УЗ значение идентификатора ИЗ на модифицированное значение;

replace the value of the identifier FROM the user account UZ with a modified value;

вычисляют модифицированное значение ключа КЗП как общий симметричный ключ для ключей СКМ и ОКЗ;

calculating the modified value of the KZP key as a common symmetric key for the SCM and OKZ keys;

зашифровывают ключ КЗ на модифицированном ключе КЗП, получая модифицированное значение зашифрованного ключ ШКЗ;

encrypt the shortcut key on the modified shortcut key, receiving the modified value of the encrypted shortcut key;

заменяют в учетной записи пользователя УЗ значение зашифрованного ключа ШКЗ на модифицированное значение;

replace the value of the encrypted key ShKZ in the user account of the UZ with a modified value;

формируют модифицированный блок данных ДЗ из следующих данных:

form a modified block of DZ data from the following data:

ключ ОКМ,

OKM key

параметр ПА,

PA parameter

ключ К;

key K;

зашифровывают блок данных ДЗ на модифицированном ключе КЗ, получая модифицированное значение зашифрованных данных ШДЗ;

encrypting the data block of the remote sensing data on a modified short-circuit key, obtaining the modified value of the encrypted SDZ data;

заменяют в учетной записи пользователя УЗ значение зашифрованных данных ШДЗ на модифицированное значение.

replace the value of the encrypted data of the SDZ in the user account of the UZ with a modified value.

As a result, an effective search is provided for users of their account in the access list and an independent change in the object’s security settings, in which replacing the information protection settings by the administrator does not require interaction with users and other administrators.

If necessary, on the part of the administrator of the object of the verification, the user account performs the following actions:

выполняют действия для доступа к защищаемому объекту согласно этапу А, получая ключи КА и КО;

perform actions for access to the protected object according to stage A, receiving keys KA and KO;

получают из списка доступа проверяемую учетную запись пользователя УЗ;

get a verified user account from the access list;

из учетной записи УЗ получают значения зашифрованных данных ШДЗ, ШДА;

from the UZ account, the values of the encrypted data of ShDZ, ShDA are obtained;

расшифровывают данные ШДА на ключе КА, получая ключ КЗ, параметр ПА и текстовое описание Т учетной записи УЗ;

decrypt the SDA data on the KA key, receiving the shortcut key, the PA parameter and the text description T of the KM account;

расшифровывают данные ШДЗ на ключе КЗ, получая параметр ПА и ключ К;

decrypt the SDZ data on the shortcut key, receiving the PA parameter and key K;

по текстовому описанию Т устанавливают соответствие сведений учетной записи УЗ пользователю, имеющему допуск к защищаемому объекту;

the textual description of T establishes the correspondence of the account information of the UZ to a user who has access to the protected object;

устанавливают соответствие значений параметра ПА, полученных из данных ШДА и ШДЗ;

establish the correspondence of the values of the PA parameter obtained from the SDA and SDZ data;

если параметр ПА указывает на наличие у пользователя полномочий администратора, устанавливают соответствие ключа К ключу КА;

if the PA parameter indicates that the user has administrator privileges, the correspondence of the K key to the KA key is established;

если параметр ПА указывает на отсутствие у пользователя полномочий администратора, устанавливают соответствие ключа К ключу КО.

if the PA parameter indicates that the user does not have administrator privileges, the correspondence of the K key to the KO key is established.

This ensures the identification of unauthorized changes in the access list, the possibility of correction and concealment of the persons having access to the protected information.

If necessary, the following actions are performed by the administrator of the data encryption key replacement object:

выполняют действия для доступа к защищаемому объекту согласно этапу А, получая ключи КА, КО и идентификатор ИД;

perform actions to access the protected object according to step A, receiving keys KA, KO and ID identifier;

расшифровывают на ключе КО данные ШДО, получая данные защищаемого объекта ДО;

decrypt the data of the SDO on the KO key, receiving the data of the protected object of DO;

генерируют случайный модифицированный симметричный ключ администрирования объекта КА;

generating a random modified symmetric administration key of the spacecraft object;

вычисляют производный ключ для модифицированного ключа КА, используя идентификатор ИД в качестве модификатора, получая модифицированный ключ КО;

calculate the derivative key for the modified key KA, using the ID identifier as a modifier, obtaining a modified key KO;

зашифровывают данные ДО на модифицированном ключе КО;

encrypt DO data on a modified KO key;

формируют модифицированный список доступа ДД к объекту, выполняя для каждой учетной записи пользователя УЗ из списка доступа ДД следующие действия:

form a modified access list DD to the object, performing for each user account KM from the access list DD the following actions:

считывают значение идентификатора ИЗ;

read the value of the identifier FROM;

выполняют проверку учетной записи пользователя УЗ, получая при этом значения идентификатора ИЗ, ключа ОКП, параметра ПА и текстовое описание Т;

verify the user account of the ultrasound, while receiving the values of the identifier FROM, OKP key, parameter PA and text description T;

при неуспешной проверке исключают УЗ из модифицированного списка доступа ДД и переходят к следующей учетной записи, иначе выполняют следующие действия:

upon unsuccessful verification, exclude KMs from the modified DD access list and proceed to the next account; otherwise, perform the following actions:

генерируют случайную модифицированную асимметричную пару ключей в составе открытого ключа ОКЗ и секретного ключа СКЗ;

generate a random modified asymmetric key pair in the composition of the public key CPS and the secret key CPS;

генерируют случайный модифицированный симметричный ключ КЗ;

generate a random modified short-circuit symmetric key;

вычисляют модифицированное значение общего ключа КЗП из модифицированного ключа СКЗ и ключа ОКП;

calculating the modified value of the common KZP key from the modified SKZ key and the OKP key;

зашифровывают модифицированный ключ КЗ на модифицированном ключе КЗП, получая модифицированное значение зашифрованного ключа ШКЗ;

encrypting the modified KZ key on the modified KZP key, obtaining the modified value of the encrypted ShKZ key;

формируют модифицированный блок данных ДЗ из следующих данных:

form a modified block of DZ data from the following data:

ключ ОКП,

OKP key

параметр ПА,

PA parameter

модифицированный ключ КА, если параметр ПА указывает на наличие у пользователя полномочий администратора, иначе - модифицированный ключ КО;

a modified KA key, if the PA parameter indicates that the user has administrator privileges, otherwise - a modified KO key;

зашифровывают модифицированный блок данных ДЗ на модифицированном ключе КЗ, получая модифицированное значение зашифрованных данных ШДЗ;

encrypting the modified block of DZ data on the modified short-circuit key, obtaining the modified value of the encrypted data of the DZD;

формируют модифицированный блок проверочных данных ДА из следующих данных:

form a modified block of test data YES from the following data:

модифицированный ключ КЗ,

modified shortcut key,

параметр ПА,

PA parameter

текстовое описание Т;

text description of T;

зашифровывают модифицированный блок ДА на модифицированном ключе КА, получая модифицированное значение зашифрованных данных ШДА;

encrypting the modified YES block on the modified KA key, obtaining the modified value of the encrypted SDA data;

формируют учетную запись УЗ в модифицированном списке доступа ДД из следующих данных:

form the account KM in the modified access list DD from the following data:

идентификатор ИЗ,

identifier FROM

модифицированный ключ ОКЗ,

modified OKZ key,

модифицированный зашифрованный ключ ШКЗ,

ShKZ modified encrypted key,

модифицированные зашифрованные данные ШДЗ.

modified encrypted SHDZ data.

Thus, an independent change of the object’s security settings is ensured, in which the replacement of information security settings by the administrator does not require interaction with users and other administrators.

Claims (115)

A method of controlling access to data in a computer, and the computer has installed software configured to generate unique identifiers generate random numbers generate random symmetric keys, generate random asymmetric key pairs in the composition of the public key and secret key, calculate the value of the hash function, calculate the derived symmetric key from the original symmetric key and the modifier value, calculate a common symmetric key from a private key and a public key, encrypt and decrypt data on a symmetric key, encrypt and decrypt a symmetric key on a symmetric key, the method consists in the following actions by the administrator of the protected object with the data of the TO object: generate a unique identifier for the ID of the protected object; generate a random symmetric key of the object administration CA; receive a symmetric key to encrypt the data of the object KO by calculating the derived key from the key KA using the ID identifier as a modifier; encrypt the data of the protected object DO before the key KO, receiving the encrypted data of the SDO; form a data block of service information of the DS containing the ID identifier, information about the protected object and the specification of the used cryptographic functions of the SF; form a DD access list to the object, consisting of user accounts that are granted access to the protected object, at least one of the accounts belongs to the administrator of the object, performing the following actions for each UZ account: receive from the selected user having an asymmetric key pair as part of the public key OKP and the secret key UPC, his public key OKP; generate a random number, take it as a temporary identifier of the VI; form the identifier FROM the UZ account, taking as its value the temporary identifier of the VI; generate a random asymmetric key pair in the composition of the public key CPS and the secret key CPS; generate a random symmetric key K3 account KM; calculate the common symmetric key KZP from the secret key SKZ and the public key OKP; encrypt the shortcut key on the shortcut key, receiving the encrypted key ShKZ; decide on the user with administrator privileges; form the value of the user agent parameter characterizing the user having administrator privileges; form a block of DZ data from the following data: OKP key PA parameter KA key, if the PA parameter indicates that the user has administrator privileges; otherwise, the KO key; encrypting the DZ data block on the shortcut key, receiving the encrypted data of the DZD; form a text description T of the UZ account of the selected user; form a block of verification data for the administration of YES from the following data: shortcut key PA parameter text description of T; encrypt the YES data block on the KA key, receiving the encrypted SDA data; form the account of the selected US user in the form of the following data block: identifier FROM OKZ key ShKZ encrypted key, ShZD encrypted data SDA encrypted data; jointly store the following data: - encrypted SDO data, - DS service information, - access list to the DD object; if necessary, access to the protected object by a user who has an asymmetric key pair as part of the public key of the OKP and the secret key of the UPC, performs the following actions: (A) extract from the DS service information the identifier of the ID object and the specification of the used cryptographic functions of the SF; calculate the common symmetric key PPC from the secret key of the UPC and the public key of the OKP; calculating the value of the hash function from the data block composed of the ID identifier and the PPC key, obtaining a constant value of the identifier FROM; if access is performed for the first time from the moment the administrator creates the access list object, then go to step (B), otherwise go to step (C); (B) receive from the site administrator the temporary identifier of the VI assigned to the user’s account during the initial formation of the access list; find an account in the access list of the DD whose ID value of the ID matches the VI; replace the value of the identifier FROM the user account with the calculated constant value; (B) find an account in the access list of the DD whose account value matches the calculated value; receive from the found account the keys OKZ, ShKZ and encrypted data ShDZ, ShDA; calculate the common symmetric key KZP of the keys SKP and OKZ; decrypt with the KZP key the encrypted SHKZ key, receiving the KZ KZ secret key; decrypt the encrypted SDZ data with the shortcut key, obtaining the value of the PA parameter and the key K; if the PA parameter indicates that the user has administrator privileges, they accept the key K as the KA administration key and calculate the derivative key for it using the ID identifier as a modifier, obtaining the key for encrypting the KO data; if the PA parameter indicates that the user does not have administrator privileges, they accept the key K as the key for encrypting the KO data; decrypt the encrypted SDO data using the key KO, receiving data of the protected object of DO; if necessary, on the part of the user who has an asymmetric key pair as part of the OKP public key and SKP secret key, switch to using another asymmetric key pair as part of the OKM public key and SKM secret key and have access to the protected object, perform the following actions: perform actions for access to the protected object according to step A, receiving an ID identifier, OKZ, KZ, K keys and a PA parameter value; calculate the common symmetric key KMM from the secret key SCM and the public key OKM; calculating the value of the hash function from the data block composed of the ID identifier and the KMM key, obtaining a modified constant value of the identifier FROM; replace the value of the identifier FROM the user account UZ with a modified value; calculating the modified value of the KZP key as a common symmetric key for the SCM and OKZ keys; encrypt the shortcut key on the modified shortcut key, receiving the modified value of the encrypted shortcut key; replace the value of the encrypted key ShKZ in the user account of the UZ with a modified value; form a modified block of DZ data from the following data: OKM key PA parameter key K; encrypting the data block of the remote sensing data on a modified short-circuit key, obtaining the modified value of the encrypted SDZ data; replacing the value of the encrypted data of the SDZ in the user account of the ultrasonic operator with a modified value; if necessary, the following actions are performed by the administrator of the object for verification of the user account: perform actions for access to the protected object according to stage A, receiving keys KA and KO; get a verified user account from the access list; from the UZ account, the values of the encrypted data of ShDZ, ShDA are obtained; decrypt the SDA data on the KA key, receiving the shortcut key, the PA parameter and the text description T of the KM account; decrypt the SDZ data on the shortcut key, receiving the PA parameter and key K; the textual description of T establishes the correspondence of the account information of the UZ to a user who has access to the protected object; establish the correspondence of the values of the PA parameter obtained from the SDA and SDZ data; if the PA parameter indicates that the user has administrator privileges, the correspondence of the K key to the KA key is established; if the PA parameter indicates that the user does not have administrator privileges, establish the correspondence of the key K to the key KO; if necessary, the following actions are performed by the administrator of the data encryption key replacement object: perform actions to access the protected object according to step A, receiving keys KA, KO and ID identifier; decrypt the data of the SDO on the KO key, receiving the data of the protected object of DO; generating a random modified symmetric administration key of the spacecraft object; calculate the derivative key for the modified key KA, using the ID identifier as a modifier, obtaining a modified key KO; encrypt DO data on a modified KO key; form a modified access list DD to the object, performing for each user account KM from the access list DD the following actions: read the value of the identifier FROM; verify the user account of the ultrasound, while receiving the values of the identifier FROM, OKP key, parameter PA and text description T; upon unsuccessful verification, exclude KMs from the modified DD access list and proceed to the next account; otherwise, perform the following actions: generate a random modified asymmetric key pair in the composition of the public key CPS and the secret key CPS; generate a random modified short-circuit symmetric key; calculating the modified value of the common KZP key from the modified SKZ key and the OKP key; encrypting the modified KZ key on the modified KZP key, obtaining the modified value of the encrypted ShKZ key; form a modified block of DZ data from the following data: OKP key PA parameter a modified KA key, if the PA parameter indicates that the user has administrator privileges, otherwise - a modified KO key; encrypting the modified block of DZ data on the modified short-circuit key, obtaining the modified value of the encrypted data of the DZD; form a modified block of test data YES from the following data: modified shortcut key, PA parameter text description of T; encrypting the modified YES block on the modified KA key, obtaining the modified value of the encrypted SDA data; form the account KM in the modified access list DD from the following data: identifier FROM modified OKZ key, ShKZ modified encrypted key, modified encrypted SHDZ data.