RU31015U1 - A device for protecting information stored in a computer and / or on a computer-readable medium - Google Patents

Description

A device for protecting information stored in a computer and / or computer readable

information carrier

The invention relates to the cryptographic protection of information stored in a computer and / or on a computer-readable storage medium, namely, to the protection of information stored in a computer and / or on a computer-readable storage medium from unauthorized access by encoding (encrypting) information during recording. The utility model can be used for cryptographic protection or to protect against unauthorized access to information stored in a computer and / or on a computer-readable storage medium.

In this application, encryption refers to the algorithm of mathematical transformation of information officially adopted by the competent organizations. For example, in the Russian Federation, the encryption algorithm is GOST 28147-89. Encoding is understood as a mathematical transformation algorithm designed to protect information, but not officially adopted as a standard for encryption. Encryption and encryption are resistant to information security, i.e. the degree of complexity and the number of mathematical transformations performed on the information (data). Information encryption is generally more reliable than encoding and requires large computing resources.

Encrypting or encoding data is the primary means of protecting it. Encrypted or encoded data is available only to those who own the key on which this data is encoded or encrypted.

Currently, there are many computer programs designed to protect information by encryption (encoding). However, they all have fundamental flaws. One of the main disadvantages is the instability to specific viruses (the so-called Trojan viruses), which allow you to determine the key and gain access to data.

More reliable data protection can be achieved using hardware. A number of devices are known that implement methods of protecting information at the hardware level.

So, it is known a device for protecting against unauthorized access to information stored in a personal computer (RF patent No. 2067313 IPC G06F 12/14). A known device that implements this method contains an external storage medium made in the form of non-volatile memory, which recorded personal

MPKOObR 12/14

user information and hash function of all protected files of this user. The device also contains read-only memory, a controller for exchanging information with a personal computer, a controller for exchanging information with an external storage medium, and a remote contact unit for reading information from an external storage medium.

However, the above-described approach to solving the problem of protecting data stored in a personal computer involves pre-recording the user's password in the personal computer, with which the password entered by the user from the keyboard is then compared. The presence in the computer of data corresponding to the user's password makes it, in principle, accessible to third parties, which reduces the degree of reliability of the known device. Connecting the protection device to a common PC bus makes it possible to use a double program, the operation of which on the interface coincides with the operation of the protection device interface, which increases the likelihood of unauthorized access to data.

Closest to the proposed device are a device for protecting information stored in a personal computer (RF patent No. 2099779 IPC G06F 12/14). The device contains:

1) an external storage medium made in the form of non-volatile memory;

2) microprocessor;

3) an interface for exchanging information with an external storage medium;

4) random access memory;

5) an interface for exchanging information with a personal computer connected to random access memory;

6) a random number sensor connected to a microprocessor;

7) a permanent storage device connected to the interface for exchanging information with a personal computer and designed to store information protection programs, prevent unauthorized access to a personal computer, open key distribution and digital signature.

However, in the device described above, as in the previously described, the same approach is used to solve the problem of protecting data stored in the PC, which involves pre-recording the user's password in the PC with which the password entered by the user from the keyboard is then compared. The presence in the computer of data corresponding to the user's password makes it, in principle, accessible to third parties, which reduces the degree of reliability of the known method and device. Connecting the protection device to a common PC bus makes it possible to use a double program, the operation of which on the interface coincides with the operation of the interface

security devices, which increases the likelihood of unauthorized access to data. In addition, the described devices have a limited scope, as they are intended only to protect data stored in personal computers, and are focused on certain operating systems.

The problem to which the claimed technical solution is directed is to increase the degree of reliability of protection of information stored in a computer and / or on a computer-readable storage medium, expand the scope of the method and device protection, ensuring independence from the hardware platform (including when upgrading a computer ) and from the operating system, as well as providing simplicity and ease of use of the device.

The problem is solved due to the fact that the information protection device. stored in a computer and / or on a machine-readable medium (hereinafter referred to as “information protection device”), containing an external information medium for storing a key used for encoding / decoding or encrypting / decrypting data, a microprocessor with an information exchange interface connected to its first input / output with an external information carrier and to the second input / output, an interface for exchanging information with an external drive, a random number sensor, an interface for exchanging information with a controller is additionally introduced ohm computer storage, the first input / output controller coupled to a computer storage, the second input / output coupled to the third input / output microprocessor, and a read only memory for storing a control program, connected to a fourth input / outputs of the microprocessor. The random number sensor can be connected to the information exchange interface with an external storage medium either through a microprocessor or directly, the device and the external storage device are made as a whole

The claimed invention is illustrated by drawings.

In FIG. 1 shows a connection diagram of an information protection device.

In FIG. 2 is a block diagram of one embodiment of an information protection device.

The information protection device 1 (Fig. 1) is connected to the input / output 3 of the computer 4 by the first input / output 2 connected to the drive controller (not shown) of the computer 4, the second input / output 5 is connected to an external storage medium 6 and the third input / output 7 with an external drive 8.

an external storage medium 12, the second input / output 13 of the microprocessor 9 is connected to the input / output 14 of the information exchange interface with the external drive 15, the third input / output 16 of the microprocessor 9 is connected to the second input / output 17 of the information exchange interface with the drive controller 18. To the input 19 of the microprocessor 9 is connected to a random number sensor 20, and to the input 21 is a read-only memory (ROM) 22, designed to store the control program. The first input / output 23 of the information exchange interface with the drive controller 18 is connected to the first input / output 2 of the information protection device 1, input / output 24 of the information exchange interface with an external medium 12 is connected to the input / output 5 of the information protection device 1, input / output 25 the interface for exchanging information with an external drive 15 is connected to the input / output 7 of the information protection device 1.

All components included in the device 1 information protection components can be placed on one board. This board can be placed in a separate case, placed outside the computer, or can be placed inside the computer case. In both cases, the board with the components located on it is connected via inputs / outputs 2 and 7, respectively, to the drive controller of computer 4 and to an external drive 8.

The information protection device 1 and the external drive 8 can be structurally implemented as a single device, for example, by placing both devices (1 and 8) on the same board.

In the present invention, as a microprocessor 9, a digital signal processing processor can be used that provides high-speed cryptographic operations. For example, a microprocessor type ADSP - 2181 manufactured by Analog Devices, described in the book User's Guide to Signal Microprocessors of the ADSP.-Per. with eng. O.V. Luneva edited by A.D. Viktorova.-St. Petersburg.-1997.-520s.

The physical random number sensor 20 used to generate keys is described in the book by G. Korn Modeling random processes on analog and analog-digital machines.-M.-Iz-vo Mir.- 1968.-p. 125 and is a noise generator forming an arbitrary sequence of bits from which a unique key is generated.

Permanent storage device 22, for example, type At27C512-90, designed to store the control program, is known and described in the reference manual of the company Advanced MicroDevices EPROM Products, 1993/1994.

in the information protection device 1, the external information carrier 6 is made, for example, in the form of a non-volatile memory and contains a unique key for encrypting (encoding) / decrypting (decoding) data. As such a storage medium can be used, for example, a personal identifier of the family Touch Memory (TM), described, for example, in Hard and Soft magazine, No. 6, dec. 1994, p. 70.

Structurally, the TM is a non-volatile memory, size, enclosed in a metal case with one signal contact and one ground contact. The case, resembling in appearance a miniature battery used in watches, is easily mounted on a carrier (card, key fob). Information is written and read from memory by simply touching the TM reader, which is very simple in design, which can be located on the housing of the information protection device 1, and is connected to the input / output 5 of this device 1.

The design of the interface for exchanging information with an external storage medium 12 such as, for example, TM, is known and described in the Product List of the company Dallas Semiconductor Product Data Book, 1992-1993, p.12.35.

The key information 0 recorded in the external information carrier 6 can be transmitted to the information protection device 1 also in the form of an infrared or radio signal. When this external storage medium 6 is an infrared transmitter or radio transmitter, respectively

The information exchange interface with the drive controller 18 is implemented in accordance with the ATA / ATAPI-4 standard described in the technical documentation of the NCITS committee (Working Report T13, 1998).

The information exchange interface with the external drive 15 is implemented in accordance with the ATA / ATAPI-4 standard described in the technical documentation of the NCITS committee (Working Report T13, 1998).

The device 1 is protected information after connecting to the inputs / outputs 3 of the computer 4 and to the external drive 8 operates as follows:

When you turn on computer 4, its boot control is first carried out in normal mode, but before the operating system (OS) is booted, control is transferred to a program written in ROM (not shown in Fig.) Located at the addresses of the extended BIOS (basic input-output system). The program located in the ROM checks whether there is a touch of the external storage medium 6 to the input / output 5 of the information protection device 1 and, if the external storage medium 6 touched the input / output 5, the information exchange interface with the external storage medium 12 reads

the key stored in it and transfers it to the microprocessor 9 in the form of a specific sequence of signals. At the same time, the control program generates a user password request on which the key is encrypted (encoded). In response to the request, the user enters a password into computer 4, which, in the form of a certain sequence of signals from computer 4, enters the microprocessor 9 through the information exchange interface with the drive controller 18. After that, computer 4 continues to load normally.

The microprocessor 9 operates under the control of a program stored in the ROM 22. Upon power-up, the control program is downloaded to the microprocessor 9. This program implements the management of information exchange with the drive controller and an external drive, as well as the encryption / decryption (encoding / decoding) of the key data.

The key from the external medium 6 enters the microprocessor 9 in encoded (encrypted) form and if the password is specified correctly by the user, it is decrypted (decoded) on the password in accordance with the GOST 28147-89 algorithm. When writing data to an external drive 8, which is connected to the information protection device 1, the initial data in accordance with the command to write to the computer 4 to write from the computer 4 through the input / output 3 in the form of a certain sequence of signals are fed to the input / output 2 of the protection device 1 information and through the information exchange interface with the drive controller 18 to the microprocessor 9, which is converted in accordance with an encryption algorithm (for example, GOST 28147-89) or encoding based on an individual user key. Thus encoded (encrypted) data in the form of a certain sequence of signals via the information exchange interface with an external drive 15 is fed to the input / output 7 of an information protection device 1 and then to an external drive 8 and stored there in an encoded (encrypted) form. When reading data from an external drive 8, according to a command to read data in the form of a sequence of signals received by computer 4, in accordance with the data exchange protocol from the input / output 7 of the information protection device 1 through the information exchange interface with an external drive 15, they are transferred to the microprocessor 9, in which they are decoded (decrypted) in accordance with the encoding algorithm (encryption, for example, GOST 28147-89). The conversion is based on the user's individual key. Thus decoded (decrypted) data in the form of a certain sequence of signals through the information exchange interface with the drive controller 18 and in accordance with the used data exchange protocol come from

input / output 2 of the device 1 to protect information on input / output 3 of the computer 4 and then through the controller of the computer’s drives to the processor (not shown) of the computer 4 and thus become available to the user. In accordance with the claimed method, information is stored in the external drive 8 only in encrypted (encoded) form.

If the password entered by the user does not correspond to the key recorded in the external storage medium 6, then this key will not be correctly decoded (decrypted) in the microprocessor 9, and, therefore, the data read from the external storage device 8 will go to computer 4 un decoded ( unencrypted) and, accordingly, will not be available to the user who indicated the wrong password or presented a key that does not match the password.

If it is necessary to generate a new key, the microprocessor 9 of the information protection device 1 reads a random sequence of bits from the random number sensor 20 and generates a command to request a password. In response to the request, the user enters a password, which, in the form of a certain sequence of signals, enters the microprocessor 9. Then, in accordance with the encoding algorithm (or encryption, for example, GOST 28147-89), a new key is generated in the microprocessor 9, which is transmitted via an information exchange interface with an external one information carrier 12 is transmitted in the form of a certain sequence of signals when the external information carrier 6 touches input / output 5, to which input / output 24 of the information exchange interface with external media is connected elem information 12. In this case, information about the new key is not available from the computer 4.

Claims (4)

1. A device for protecting information stored in a computer and / or on a computer-readable medium containing an external information medium for storing a key used for encoding / decoding or encrypting / decrypting data, a microprocessor with an information exchange interface connected to its first input / output external storage medium and to the second input / output interface for the exchange of information with a computer-readable medium, a random number sensor connected to the interface for exchanging information with an external medium information, characterized in that an additional interface for exchanging information with the computer storage controller is introduced, the first input / output connected to the input / output of the information protection device for connecting to the computer storage controller, the second input / output connected to the third input / output of the microprocessor, and read-only memory designed to store the control program, connected to the fourth input / output of the microprocessor. 2. The device according to claim 1, characterized in that the random number sensor is connected and the information exchange interface with an external storage medium via a microprocessor. 3. The device according to claim 1, characterized in that the random number sensor is connected to the information exchange interface with an external storage medium directly. 4. The device according to claim 1, characterized in that the device and the external drive are made as a whole.