RU98612U1 - AUTOMATED WORKPLACE PROTECTED FROM INFORMATION LEAKS - Google Patents

Abstract

 An automated workstation with information leakage protection, consisting of a monitor, printer, keyboard, mouse type mouse (MTM), USB key, system unit of a personal electronic computer (SB PC), radio noise generator (GRS), power line noise suppression device (UZE) ), a network filter (SF) and a block of electrical outlets (BER), which is connected by an input and an output to a 220 V power supply network and to the input of a network filter node (SF), which is connected to an input respectively by the first, second, and third outputs the monitor’s power supply house, with the printer’s power input and the power supply of the SB PC node, which is connected to the monitor port, the printer port, the keyboard port, and the mouse port of the pointing device (MTM) type, respectively, with the first, second, third, and fourth ports this node SB PC is made with the ability to install and operate on it software (software) in the form of an operating system (OS) that provides control functions of the software and hardware AWP, the formation of a user interface with pre leaving him the ability to enter and / or output information using the keyboard, the mouse-type manipulator node (MTM), a printer and monitor, information processing software, virus protection information protection software, data encryption software and OS trusted boot software using hardware such as USB -key, by which it is possible to authenticate the user, control the loading of the OS and control access to the software, information and hardware resources of the workstation during the operation of the SB PC, in addition, the node of the radio noise generator (G

Description

The utility model relates to telecommunications, and more specifically to devices protecting computer systems from unauthorized activity and can be used in information systems and complexes, mainly at various informatization facilities equipped with an automated workstation (AWP), to protect information from unauthorized access, which can be organized on the basis of interception and analysis of spurious emissions and interference arising from the operation of the AWS.

As a rule, for the preparation of documents, presentations, processing of multimedia data and other types of information, computer facilities are widely used, configured in the form of workstations (AWS) [L1].

Information circulating in the AWP, especially confidential information, is increasingly becoming the object of “hunting” for unauthorized individuals (PFL), business competitors, and other intruders who are trying to make unauthorized access (NSD) [L2, L3] to the AWP system and information resources .

A variety of methods, technologies and technical means can be used to implement NSD, among which the most dangerous, due to the high stealth of use, is the technical channel. Under the technical channel of information leakage (TKUI), according to [L4], we mean the combination of the reconnaissance object, reconnaissance equipment (TCP) and the physical environment in which the information signal propagates. In essence, by TKUI they mean a method of obtaining reconnaissance information about an object using TCP.

An automated workstation is an integral part of the system, including stationary equipment, peripheral devices, connecting lines, distribution and communication devices, power supply systems and grounding systems. When the AWP is functioning, objectively, as a by-product, the conditions are created for the organization of TCUI, which is expressed in the formation of various types of secondary electromagnetic radiation and interference (PEMIN). PEMIN [L5] - spurious electromagnetic radiation of the radio range, inducing electromagnetic radiation on connecting lines and extraneous conductors that go beyond the controlled zone, leakage of information signals in the power and ground circuits.

According to the data from [L6], due to spurious electromagnetic radiation and interference, information can be read from a computer monitor at a distance of several hundred meters or more. You can also read information from the processor, keyboard, hard drive, drive, etc., so all cryptosystems become almost meaningless if you do not take appropriate active protection measures.

Specialists [L7, L8] noted that radiation from computer elements and other technical means of the workstation is a fairly informative channel for information leakage, using which, by intercepting and decoding these emissions, PFL can obtain information about all the information processed in the workstation computer. Modern advances in the production technology of radio receivers, multichannel signal reception (both from different directions and at different frequencies), followed by their correlation processing, make it possible to ensure a sufficient range of information interception. The process of intercepting information circulating in the workstation, for example, by receiving spurious radiation from a composite monitor signal, is quite real. Moreover, methods are used to make the computer transmit the necessary information and not wait for the user to turn to confidential documents. This is solved as follows: the computer that is part of the AWP is “infected” with a special Trojan horse-type bookmark program using any of the known methods of virus technology: through a presentation CD, an interesting program or toy, a driver disk, and through any of the communication channels to which the AWP is connected (local network, Internet, etc.). Further, the Spy program [L8] searches for the necessary information on the PC disk and, by accessing various computer devices, causes the appearance of spurious emissions. For example, a Spy program can embed a message in a composite monitor signal, while the user, playing a favorite game such as Solitaire, does not even suspect that confidential text messages or images can be inserted into the image of playing cards. With the help of a special receiving device, interception of spurious radiation from the monitor and the selection of the desired useful signal can be provided. The conducted experimental studies have confirmed such a possibility of obtaining confidential information. This is one of the technology options for covert data transmission through the channel of spurious electromagnetic radiation using software. The technology proposed by Cambridge scientists, in essence, is a kind of computer steganography, i.e. method of covert transmission of useful messages in harmless video, audio, image and text files. A feature of the technology is the use of the PEMIN channel for data transmission, which greatly complicates the detection of the fact of unauthorized transmission in comparison with traditional computer steganography. So, if there are hardware and software tools (Fire Wall, Proxy server, etc.) to prevent unauthorized data transfer via a local network or the Internet, then there are no means to detect hidden data transmission via PEMIN, and to detect such radiation in general the broadband spectrum (over 1000 MHz) of spurious PC emissions without knowledge of the parameters of the useful signal is very problematic. The main danger of the technology for transmitting confidential information using PEMIN is the secrecy of the virus program. Such a program, unlike most viruses, does not "spoil" the data, does not disrupt the operation of the PC, does not send out unauthorized data distribution over the network, which means that it is not detected by the user and network administrator for a long time. Therefore, if viruses that use the Internet for data transfer manifest themselves almost instantly, and they quickly find an “antidote” in the form of anti-virus programs, then viruses that use PEMIN for data transfer can work for years without detecting themselves, controlling the radiation of almost any computer element. Studies have shown that the majority of computer elements, a keyboard, a mouse-type manipulator, a printer, and other technical devices contained in the AWP can form PEMIN. At the same time, the signals emitted by these devices can be intercepted without significant costs, since the information in these devices is transmitted by a serial code, all parameters of which are standardized and well known.

As the studies showed, the protection of the workstation from unauthorized access to information (NSI), which circulates on it, that is, is located in the computer memory of the automated workplace, on removable and non-removable media, is displayed on the monitor screen due to leaks through the technical channel based PEMIN, which are radiated into the air, is distributed over wire and cable systems, etc., is a very difficult task.

The complexity of solving the task of protecting the workstation from information leaks is the presence of contradictions. On the one hand, to perform work on the workstation, that is, use the workstation for its intended purpose, it is necessary to enable (activate) all software and hardware tools (PAS). During the operation of the AWP, the working PAS form the PEMIN, which is due to the existing physical laws, that is, objective reasons.

On the other hand, to eliminate PEMIN, all PASs must be turned off (deactivated). In this case, the workstation cannot be used for its intended purpose, the same for objective reasons.

An information search showed that the well-known technical solutions used in the workstation have a low level of protection against leakage of confidential information through the technical channel, which can be organized on the basis of the use of PEMIN arising from the operation of the workstation, as well as the impact on the effectiveness of protection against NSIs by the actions of personnel, operating said AWP. So, for example, information leakage through the technical channel can be facilitated by the fact that, during the intended use of the workstation by the personnel authorized to work on the workstation, technical protection means may not be activated, antivirus software may not be updated in a timely manner. Also, data encryption tools may not be regularly used, shielding and grounding schemes of technical equipment included in the AWS may not be used, and PEMIN suppression / masking tools, etc. may not be used and / or turned on.

In this regard, the search for technical solutions aimed at improving the level of protection of information contained and circulating in the automated workplace (AWS) from leakage through the technical channel due to PEMIN, taking into account the influence of the mentioned objective and subjective factors on the effectiveness of protection against NSDI is an urgent task.

From the technology [L9], a workstation (AWP) is known, consisting of a monitor, keyboard, a mouse-type manipulator (MTM), a printer, and a system unit of a personal electronic computer (SB PC), which is the first, second, third, and fourth port connected, respectively, with a monitor, with a keyboard, with a mouse type mouse (MTM) and a printer, while SB PC is configured to install and operate software on it in the form of an operating system (OS) that provides control of program functions MMM hardware of the automated workplace, creating a user interface with the ability to input and / or output information using the keyboard, MTM node, printer and monitor, software for processing user information and software to protect system and information resources from viruses.

Work AWP (complex) is carried out in a standard way. System software, for example, such as Windows 2000 / XP / Vista, is installed on the AWP computer (SB PC node), the drivers necessary for the operation of the hardware, including the keyboard, the MTM node, the printer, and the display, are also installed. Then, in accordance with the type of information processed on the complex, application software is installed (installed), for example, for the preparation and processing of text information (creating documents, presentations, etc.), an office software package, for example, Microsoft Office, can be installed in the OS . As a means to protect system and information resources of the workstation, anti-virus software is used.

The disadvantage of this complex is its low level of information protection from unauthorized access, which can be organized through a technical channel using PEMIN, which are formed during the operation of the complex.

This is due to the action of the following factors. As shown above, when organizing a technical channel for information leakage, Spy programs and by-products of the functioning of AWS hardware, which are PEMIN, can be used. However, in this complex, protection against information leaks through a technical channel is solved only by identifying and neutralizing Spy-programs, viruses and other software tools that can be used for NSDI. At the same time, the means of suppressing / masking PEMIN created during the operation of the workstation are absent in this complex, which significantly reduces the effectiveness of protecting information from unauthorized access due to leaks through the technical channel.

Additional factors that reduce the effectiveness of the complex’s protection against NSIs through the use of only anti-virus programs are the fact that attackers constantly create and use new types of viruses and other malicious programs to organize NSIs, and the creation and implementation of “antidotes” for new ones viruses are always delayed. This leads to the fact that for some time a new virus can perform its malicious function unhindered. The situation is aggravated by the presence and action of the previously mentioned subjective factor, that is, the inertia in the actions of personnel performing work on the workstation, and prone to ignoring procedures for timely updating of antivirus software.

From the technology [L10], a workstation (AWP) is known, consisting of a monitor, keyboard, a mouse-type manipulator (MTM), a printer, and a system unit for a personal electronic computer (SB PC), which is the first, second, third, and fourth port connected, respectively, with a monitor, with a keyboard, with a mouse type mouse (MTM) and a printer, while SB PC is configured to install and operate software on it in the form of an operating system (OS) that provides control of program functions MMM hardware of the AWP, creating a user interface with the ability to input and / or output information using the keyboard, MTM node, printer and monitor, information processing software and software for protecting information from viruses, data encryption software and software for performing trusted OS loading on SB PC.

This AWP (complex) functions similarly to the previous product. It partially eliminates the shortcomings of the previous complex. This is achieved due to the fact that this product provides a wider range of means of protecting information from unauthorized access, which reduces the risks of NSDI through the technical channel. So, the value of information intercepted by cybercriminals through a technical channel is significantly reduced when the data is encrypted, as it is implemented in this complex. In addition, an increase in the level of information protection from leaks through the technical channel is achieved through the use of the trusted boot (SZ) procedure of the operating system and the use of access control tools (ACS) to the system and information resources of the workstation. Trusted loading [L11] of the computer prevents the unauthorized start of the PC system unit, and also prevents the loading of the operating system and gaining access to the information contained in the workstation. The scope of trusted boot tools includes the steps of the computer from starting the BIOS firmware to starting the operating system boot. Trusted boot includes: authentication, control of the device from which the BIOS starts loading the operating system, control of the integrity and reliability of the boot sector of the device and system files of the launched operating system, encryption / decryption of the boot sector and system files of the operating system. That is, all actions from both the PFL and malicious programs can be neutralized in a timely manner using the mentioned COURT and DZ.

The disadvantage of this complex is its low level of information protection from unauthorized access, which can be organized through a technical channel (PEMIN), which are formed during the operation of the complex.

The reason for this are factors similar to the previous complex. The main ones are: the lack of active suppression / masking tools for PEMIN created during the operation of the automated workstation and the vulnerability of information protection tools from subjective factors that depend on the actions of personnel servicing and operating the automated workplace.

According to the authors, the closest in technical essence to the claimed object (prototype) is, known from the technology [L12], a workstation (AWP), consisting of a monitor, printer, keyboard, mouse type mouse (MTM), USB key, system unit of a personal electronic computer (SB PC), a radio noise generator (GRS), a power line noise suppressor (UZE), a line filter (SF), and an electrical outlet block that is connected, respectively, to the input, the first output, the second output, and the third output pita 220 V power supply network, with the power supply of the GEMP node, with the power supply of the GES node, and with the input of the SF node, which is connected to the monitor’s power input, with the printer’s power input and with the power supply unit’s power input, respectively, with the first, second, and third outputs A PC, which is connected to the monitor port, to the printer port, to the keyboard port, to the port of the MTM node and to the USB port of the key, respectively, with the first, second, third, fourth and fifth ports, while the SB PC node is configured to function software on it in the form of an operating system (OS) that provides control of the functions of the AWP software and hardware, the formation of a user interface with the possibility of inputting and / or outputting information using the keyboard, MTM node, printer and monitor, processing software information and software for protecting information from viruses, data encryption software and software for performing trusted OS boot using hardware such as a USB dongle, which provides the possibility of user authentication, OS loading control and access control to the software, information and hardware resources of the AWS during the operation of the SB PC, in addition, the main switchgear assembly is configured to form in a local zone in which the hardware nodes of the AWP, electromagnetic field (EMF) are located in a wide range of radio frequencies that overlap and mask the PEMIN, which are created and emitted during the operation of the hardware nodes of the arm, green UZE is made with the possibility of forming in the wires of the supplying electric network 220 V, to which the aforementioned block of electrical outlets is connected, an electric noise field (ESR) that masks PEMIN, which are created and propagated through the wiring during the operation of the AWP hardware nodes.

A generalized functional diagram of this workstation (hereinafter referred to as the complex) is shown in FIG. 1

The complex consists of the system unit of a personal electronic computer (SB PC) 1, a network filter (SF) 2, a monitor 3, a printer 4, a block of electrical outlets (BER) 5, a keyboard 6, a mouse type mouse (MTM) 8, a radio noise generator (GRSH) 9, USB key 11 and the device noise network (UZE) 12.

At the same time, the BER 5 unit with its input, the first output, the second output and the third output is connected, respectively, with a 220 V power supply network (PES) 10, with a UZE 12, with a GRS 9 node and with the SF 2 unit, which is the first, the second and third outputs are connected, respectively, with the power input of the printer 4, with the power input of the monitor 3 and with the power input of the SB PC node 1, which is connected with the monitor port 3, respectively, with the first, second, third, fourth and fifth ports, with printer port 4, with keyboard port 6, with the port of the MTM node 8 and with 11 is a USB key.

Basically, the functioning of this complex is similar to the previous product. This complex has the following operating features.

First, this is the use of a USB key 11. To gain access to the system’s and operational resources of the complex, this node must be detected by the operating system on a computer whose functions are performed by SB PC 1. Physically, for this, the user of the complex simply needs to connect a USB key 11 to the corresponding port of SB PC 1.

Secondly, this is the availability of active protection equipment (TS AZ), which are GRS 9 and UZE 12 nodes. According to the regulations, these nodes must be activated by personnel during operation of the complex to protect information from leaks due to PEMIN.

Work on the complex begins with the user installing the USB key 11 in the SB PC 1 port, which is a hardware tool for controlling access to the complex’s resources. In the absence / removal of USB key 11 - access to the software, information and hardware resources of the complex is blocked. Externally, this is manifested in the fact that in the absence of this key, the OS does not boot, and if the key is removed (disconnected from the PC SB 1) when the OS is already loaded, the system freezes — access to the operating system is blocked (the system does not respond to pressing keyboard keys, a mouse-type manipulator and requires the installation of a USB key 11 to authorize the user).

In addition, at the start of operation of the complex, personnel need to perform the functions of checking, tuning and activating the TS AZ (nodes of the SRS 9, UZE 12) so that the fields generated by these generators suppress / mask the radiation generated by the complex during its operation.

This complex partially eliminates the disadvantages of the previous product. This is achieved through the use of the following protective mechanisms.

Firstly, this is the use of hardware to limit access to system and information resources, which is achieved by using a USB key 11. It is known that software protection is based mainly on the use of passwords that can be intercepted. In this complex, access to the mentioned system and information resources is possible only if a USB key 11 is connected to the computer (SB PC 1). This allows, in cases where there is no USB key 11 connected to the PC PC 1, to block, as direct access to the PFL complex, so to prevent information leakage using malicious software, which, as shown above, can use PEMIN to organize NSDI.

Secondly, this is the use of technical means of active protection, which are GRS 9 and UZE 12 nodes. The effectiveness of information protection from leaks with the help of these nodes is due to the possibility of creating radiation with them that can significantly exceed the intensity of PEMIN, which are formed and emitted in the process of functioning of the hardware nodes of the complex and, thereby, ensure their suppression / masking.

The disadvantage of this complex is the low level of information protection from unauthorized access, which can be organized by intercepting and analyzing the PEMIN emitted by the nodes of the complex during its operation, especially in case of violation of the functions of the TS AZ.

This is due to the presence of the following objective and subjective factors.

The main objective factor can be attributed to the failure of the TS AZ. With the occurrence of such cases, the operation of the complex can continue, almost unlimited time. Whether TS AZ work or not - the main functions of the complex - are preserved. That is, the violation of the functions of the TS AZ is not connected and does not affect the possibility of using the complex for its intended purpose. Obviously, the operation of the complex with deactivated (turned off, faulty, etc.) TS AZ creates a threat of information leaks due to PEMIN, since they are not suppressed / masked.

The main subjective factor is the dependence of the suppression / masking of PEMIN created by the complex on the actions of the personnel operating and maintaining the complex. That is, whether the vehicles will be turned on, serviced, repaired, tuned, tested, etc. on time, it all depends on those individuals (FL) who are required to do this. And since PLs are subject to fatigue, stress, forgetfulness, distraction, etc., the control of TS A3 functions can be quite low, which is why the complex can be operated without PEMIN suppression / masking means.

That is, the low level of information protection from unauthorized access, which can be organized by intercepting and analyzing the PEMIN emitted by the nodes of the complex during its operation, is due to the low reliability of monitoring the functions of TS AZ to mask / suppress the mentioned PEMIN.

The low reliability of monitoring the functions of the TS AZ is due to the fact that regardless of the activity of the TS AZ, the possibility of operating the complex is preserved. The operation of the complex with deactivated TS AZ significantly reduces the level of protection against hard drive over the technical channel, since PEMIN are not suppressed / masked and favorable conditions for information leakage are created.

The authors of this application for a utility model have proposed an idea, the essence of which is to establish a functional relationship between controlling access to the system’s information resources of the complex and the activity of TS AZ. The presence of such a connection makes it possible to operate the complex only with activated TS AZ. In cases of malfunction of the TS AZ, access to the system information resources of the complex is blocked. This prevents the complex from operating in unprotected mode, that is, without suppressing / masking the PEMIN that are formed during the functioning of the complex.

As shown by patent research, technical solutions that provide the ability to control access to the system-information resources of the workstation depending on the activity of technical active protection equipment that suppress / mask PEMIN that are emitted and propagated in the physical environment during operation of the workstation are not known from the technology.

The purpose of the utility model is to expand the functionality of an automated workstation (AWS) for managing access control to its system and information resources, taking into account the activity of technical means providing suppression / masking of side electromagnetic radiation and interference, which are formed during operation of the said AWS.

This goal is achieved due to the fact that in the well-known automated workstation (AWP), consisting of a monitor, printer, keyboard, mouse-type manipulator (MTM), USB key, system unit of a personal electronic computer (SB PC), radio noise generator ( GRS), a device for noise of the power supply network (UZE), line filter (SF) and the block of electrical outlets, which is connected with the input and the first output, respectively, with a 220 V power supply network and with the input of the SF unit, which is connected with the first, second, and third outputs with Responsibly, with the monitor’s power input, with the printer’s power input and with the power supply of the PC SB unit, which is connected to the monitor port, printer port, keyboard port, and MTM node port, respectively, with the first, second, third, and fourth ports At the same time, the SB PC node is configured to install and operate software on it in the form of an operating system (OS) that provides control of the functions of the AWP software and hardware, the formation of a user interface with giving him the ability to enter and / or output information using the keyboard, MTM node, printer and monitor, information processing software and software for protecting information from viruses, data encryption software and software for performing trusted OS loading using hardware means such as a USB key, which provides the possibility of user authentication, OS boot control and access control to software, information and hardware res To the workstation in the process of operation of the SB PC, in addition, the HFS node is configured to form, in the local zone where the workstation hardware nodes are located, an electromagnetic field (EMF) in a wide range of radio frequencies that overlap and mask the PEMIN, which are created and emitted by the air in the process the functioning of the AWP hardware nodes, the UZE node is configured to form 220 V supply wires in the wires, to which the aforementioned block of electrical outlets, an electric noise field (ESR), which is a mask It implements PEMIN, which are created and distributed through the electrical wiring during the operation of the hardware components of the AWS, additionally introduced the first current sensor (PDT), the second current sensor (VDT), microcontroller (MK) and the switch, which are connected by the first, second and third ports, respectively, with the fifth port of the SB PC, with the USB port of the dongle and with the first port of the microcontroller, which is connected by the second and third ports, respectively, to the first output of the PDT node and to the first output of the VDT node, which is connected by the second and third ports to the nodes ohms of the UZE and with the second output of the BER node, which is connected to the input of the PDT node by the third output, which is connected to the GRS node by the second output, while the PDT and VDT nodes are capable of non-contact measurement of the alternating current passing through them and the formation of an output voltage proportional to the above current, in addition, the microcontroller operates according to the program, which provides the ability to analyze and process the signals coming from the nodes of the PDT and VDT, to identify the activity of the nodes of the main switchgear and the ultrasonic element by the level of power consumed by them generation of active protection status (SAZ) signals with a high or low level, respectively, in the presence or absence of activity of the GRS and UZE nodes and access control to the system and information resources of the workstation by emulating the connection and disconnecting the USB key to the PC SB node through the switch using mentioned signals SAZ.

The proposed device provides the following combination of distinctive features and properties.

Firstly, this is the introduction of the first current sensor (PDT), the second current sensor (VDT), the microcontroller (MK) and the switch, which is connected to the fifth port of the SB-PC and the port, respectively, by the first, second and third ports A USB key and with the first port of the microcontroller, which is connected by the second and third ports, respectively, to the first output of the PDT node and to the first output of the VDT node, which is connected by the second and third ports to the UZE node and to the second output of the BER node, which is the third the output is connected to the input node PDT, which eye output coupled to node GRSH.

Secondly, it is the operation of the microcontroller according to the program, which provides the ability to analyze and process signals coming from the nodes of the solid-state drive and the airborne motor, identify the activity of the nodes of the main switchgear and ultrasonic devices by the level of power consumed by them, and generate active protection status signals (SAZ) with a high or low , respectively, in the presence or absence of activity of the GRS and UZE nodes and access control to the system and information resources of the workstation by emulating the connection and disconnecting the USB key to the PC SB node through the switch using SAZ notifications mentioned signals.

The presence and use of all the above signs and properties allows us to implement a functional relationship between the activity of the TS AZ and access to system and information resources of the workstation. Physically, this is expressed in the fact that in the presence of TS AZ activity, that is, when the GRS and UZE nodes are turned on and working as usual, suppressing / masking the PEMIN created by the AWP, access to the AWP system and information resources is allowed. In the absence of activity of the TS AZ - access to the AWP functions is blocked. That is, the presence and use of all of the above signs and properties makes it possible to ensure the AWP functioning only with activated technical means of active protection that suppress / mask the technical channel of information leakage via PEMIN.

The combination of distinguishing features and properties of the proposed workstation with protection against information leakage is not known from the technology, therefore it meets the criterion of novelty.

At the same time, to achieve the maximum effect on expanding the functionality of the automated workstation (AWS) for managing access control to its system and information resources, depending on the activity of active protection hardware that suppresses / disguises the PEMIN that are formed during the operation of the aforementioned AWP, it is necessary use the totality of distinguishing features and properties specified above.

Figure 2 shows the functional diagram of a workstation with protection against information leakage (hereinafter - the complex).

The complex (Fig. 2) consists of a system unit of a personal electronic computer (SB PC) 1, a network filter (SF) 2, a monitor 3, a block of electrical outlets (BER) 4, a printer 6, a keyboard 7, a first current sensor ( PDT) 8, a second current sensor (VDT) 9, a mouse type manipulator (MTM) 10, a USB key 12, a radio noise generator (GRS) 13, a power line noise suppression device (UZE) 14, a switch 15, a microcontroller (MK) 16.

At the same time, the BER 4 unit with its input, the first output, the second output and the third output is connected, respectively, with a 220 V power supply network (PES) 5, with the input of the VDT node 9, with the input of the PDT node 8 and the input of the SF 2 node, which the first, second and third outputs are connected, respectively, with the power input of the printer 6, with the power input of the monitor 3 and with the power input of the SB unit PC 1, which is connected to the monitor port 3, respectively, by the first, second, third, fourth and fifth ports , with printer port 6, with keyboard port 7, with port m of the MTM node 10 and with the first port of the switch 15, which is connected with the second and third ports, respectively, with a USB key 12 and with the MK node 16, which is connected with the second and third ports, respectively, with the first output of the PDT node, the second output, connected in series node PDT and the input node GRS, and connected in series with the first output node VDT 9, the second output node VDT 9 and the input node UZE 14.

The complex (figure 2) operates as follows.

In the initial state, the complex is turned off. To ensure the possibility of using the complex for its intended purpose, a software package (software) is installed on the SB PC node 1. At the same time, an operating system (OS) is installed on SB PC 1, which controls the functions of the software and hardware of the complex, creates a user interface with the ability to input and / or output information using the keyboard 7, the MTM 10 node, monitor 3 and printer 6 , installation of software oriented for processing information necessary for the user, installation of software to protect the OS and user information from viruses, installation of software eniya to encrypt data and software for performing trusted boot OS using a USB key 12. Also installed drivers for hardware components of the complex (3 monitor, printer 6, and others.) under the control of the OS installed on Sa PEVM1.

Then, nodes ГРШ 13 and УЗЭ 14 are activated. Node ГРШ 13 forms in the local zone in which the hardware nodes of the complex are located, the electromagnetic field (EMF) 11 in a wide range of radio frequencies that overlap and mask the PEMIN, which are created and emitted by the ether during the operation of the hardware nodes of the complex. The UZE 14 node forms an electric noise field in the wires of the PES 5, which masks the PEMIN, which are created and propagated through the electrical wiring during the operation of the hardware nodes of the complex.

Power supply nodes GRSH 13 and UZE 14 is supplied, respectively, through nodes PDT 8 and VDT 9, which are made with the possibility of non-contact measurement of the passing through them alternating current and the formation of the output voltage proportional to the aforementioned current. When operating in the active mode, the power consumed by the GRS 13 and UZE 14 nodes in the power supply circuit is much higher than when they are in the passive mode (in the deactivated or off state). Therefore, the current flowing through the nodes of the PDT 8 and VDT 9, when these nodes are in the active mode, will also be higher than in the case when the nodes of the PDT 8 and VDT 9 are deactivated. The signals generated by the PDT 8 and VDT 9 nodes are fed to the microcontroller 16, which operates according to a program that provides the ability to analyze and process the signals received from the PDT 8 and VDT 9 nodes, identify the activity of the GRS 13 and UZE 14 nodes by the level of power consumption and signal generation active protection status (SAZ) with a high or low level, respectively, in the presence or absence of activity of GRS 13 and UZE 14. Nodes of the SAZ from the microcontroller 16 are fed to the switch 15. If the signal strength of the SAZ is high, then the switch it turns on what emulates the connection of the USB key 12 port to the SB PC 1 port. If the signal strength level is low, the switch turns off, which emulates the USB key 12 port disconnection from the SB PC 1 port. Emulation of connecting and disconnecting the USB key 12 to SB PC 1 provides control of access to the system and information resources of the workstation: if there is activity of the SRS 13 and UZE 14 - access to the system and information resources of the workstation is allowed, and in the absence of activity of the SRS 13 and UZE 14 - access to system and information resources of the workstation is prohibited.

In practice, it looks like this. When the user of the complex includes nodes ГРШ 13 and УЗЭ 14, the USB key 12 is emulated, and then the operating system (OS) is loaded onto the SB PC. If, for any reason, TS AZ, which are nodes of the SRS 13 and UZE 14, are deactivated (both or at least one of them), then the USB key 12 is disconnected and emulated; After turning on the nodes ГРШ 13 and УЗЭ 14, the node МК 16 emulates the connection of a USB key 12, as a result of which access to the complex functions and its resources is resumed.

As a result of using the proposed technical solution, the operation of the complex is possible only with activated nodes ГРШ 13 and УЗЭ 14, which provide suppression / masking of PEMIN, arising and propagating through different physical environments, during the functioning of this complex. At the same time, the level of information protection from leaks through the technical channel (PEMIN) is significantly increased.

The ability to operate the complex only with constantly active TS ZI (nodes ГРШ 13 and УЗЭ 14) significantly reduces the likelihood (possibility) of interception of the aforementioned PEMIN by unauthorized individuals (intruders), which ensures a high level of protection of the complex from information leaks through the technical channel (PEMIN).

Maintaining and using new signs and properties ensures the achievement of a technical result, which consists in reducing the probability of interception and analysis of radiation (PEMIN), which are formed during the operation of the complex, by establishing a functional relationship between access control to the system’s information resources of the complex and the activity of technical means of protection (TS A3), which can significantly reduce (almost completely) the duration of the complex in unprotected mode, that is, without suppression and / or m skirovki mentioned PEMIN.

When implementing the complex, its functioning algorithm can be represented as follows:

- Start;

- Preparation for work: installation of the USB key 12, the inclusion of nodes GRSH 13 and UZE 14;

- Status determination: measurement of voltage levels at the outputs of the PDT 8 and VDT 9 nodes and generation of active protection status signals (SAZ) at the input of the switch 15;

- Check: is the signal strength of the SAZ high? If YES, then emulate the connection of the USB key 12 to the SB-PC 1 port and go to the OPERATION procedure, if NO, then the emulation of disconnecting the USB key 12 from the SB-PC port 1 and switch to LOCK mode;

- The “WORK” procedure: launching the operating system on SB PC 1, authorizing the user, installing software and installing the necessary drivers, creating the user interface with opening various software applications, activating anti-virus protection, data encryption, etc .;

- Check: shut down? If - NO, then continued, if - YES, then go to the “COMPLETION OF WORK” procedure

- Periodic system check: USB dongle 12 - Is there? - if NO, then go to the LOCK procedure; If - YES, then return to the “WORK” procedure;

- BOKING procedure: prohibiting access to system and information resources of the complex with stopping the execution of software applications, emulating the “freezing” of the operating system, disabling the keyboard 7 and the MTM 10 node, switching to the status determination procedure;

- COMPLETION PROCEDURE: encryption and storage of the necessary data, closing of software applications, shutting down the personal computer 1, removing the USB key 12, turning off the power switch 13 and UZE 14;

- The end.

Nodes SB SB 1, SF 2, monitor 3, BER 4, printer 6, keyboard 7, node MTM 10, USB key 12, nodes SRS 13 and UZE 14, as well as the implementation of the node SB PEVM 1 with the ability to install and operate on it software in the form of an operating system (OS) that provides control over the functions of the software and hardware of the complex, forming a user interface with the possibility of inputting and / or outputting information using the keyboard 7, MTM 10, printer 6 and monitor 3, software for information processing and software software to protect information from viruses, data encryption software and software for performing trusted OS boot using a USB key 12, which allows user authentication, OS boot control and access control to AWP software, information and hardware resources in the process of functioning of the SB PC, the implementation of the GRSh node 13 with the possibility of forming in the local zone in which the hardware nodes of the complex are located an electromagnetic field (EMF) in a wide range of radio frequencies that overlap and mask PEMIN, which are created and emitted by the ether during the operation of the hardware nodes of the complex, the implementation of the UZE 14 node with the possibility of forming a 220 V power supply network into the wires, to which the aforementioned block of electrical outlets, an electric noise field (ESR) is connected , which masks PEMIN, which are created and distributed through the wiring during the operation of the hardware nodes of the complex, can be similar to the corresponding features of the computer Lex prototype and do not require refinement in their implementation.

During the implementation of the GRSh node 13, products such as the SHTORA series of radio noise generators [L13] can also be used, which provide effective protection against information leakage due to spurious electromagnetic radiation and interference arising from the operation of electronic means of processing information storage and transmission.

An alternative solution for the implementation of the UZE 14 node is the use of a 220 V power supply and grounding noise generator, model LGSh-221 [L14], which provides active protection of various informatization objects from information leakage through the power supply network and grounding system by setting up broadband noise interference.

Nodes ПДТ 8 and ВДТ 9 can be implemented on the basis of compensation current sensors [L15], which provide a wide range of measurement of current values.

The microcontroller assembly MK 16 can be implemented on the basis of PIC controllers with sufficient performance and the required number of ports. An advantageous solution is the use of PIC18X5XX [L16] microcontrollers with built-in support for the full-speed USB2.0 bus.

The node of the switch 15 can be implemented on the basis of microcircuit type CD4052 [L17], which is a multi-channel analog multiplexer - demultiplexer with the necessary functions.

As the basic software for the MK 16 node, program procedures known from Computer Programs [L18-L20] can be used.

When implementing the MK 16 node and the switch 15, technical solutions, software procedures, and algorithms known from utility models [L21-L24] can also be used.

For ease of use, the nodes of MK 16, the switch 15, the nodes of the PDT 8 and VDT 9 can be installed in a separate compact housing.

The above means, with which it is possible to implement a utility model, make it possible to ensure its industrial applicability.

The main components of the complex are experimentally tested and can be used as the basis for creating samples of complexes that provide effective protection of information from leaks through the technical channel, which can be organized based on the use of spurious electromagnetic radiation and interference (PEMIN) created by this complex during operation. In an automated workplace with information protection from leaks, a significant increase in the level of information security against unauthorized access through a technical channel is achieved by introducing new features and properties and using the obtained technical result, which consists in reducing the likelihood of interception and analysis of emissions and pickups that are formed during the operation of the complex , by reducing the duration of the functioning of the complex in unprotected mode - without suppression and / or mass irovki mentioned PEMIN.

Thus, the technical solution developed by the authors and the technical result obtained using it provides an opportunity to significantly increase the level of protection of the information contained and circulating in the workstation from unauthorized access through the technical channel (PEMIN), which is formed during operation of the complex.

A workstation with protection against information leakage (AWP ZUI) will be in demand by a wide range of consumers who use computer technology to process confidential information that needs protection from unauthorized access, which can be organized by intercepting and analyzing PEMIN generated during the operation of the mentioned AWP ZUI.

LIST OF USED LITERATURE

1. Workstation, http://ru.wikipedia.org/wiki/

2. GOST R 51275-99 Information security. http://www.centre-expert.ru/index.php/infosec/

3. Threats to information security, http://www.bre.ru/security/

4. Technical channel for information leakage. Information security terminology. http://www.centre-expert.ru/index.php/infosec/

5. The problem of information leakage from computer technology through secondary electromagnetic radiation and interference (PEMIN), http://villa-bagio.narod.ru/izlu.htm

6. Protection against PEMIN, http://tom-haus.narod.ru/1/002/6.htm

7. Studies of spurious electromagnetic emissions of technical equipment, http://www.pemi.ru/

8. Spyware, http://ru.wikipedia.org/wiki/Spyware

9. An automated workstation in a secure execution for processing information constituting a state secret, http://www.npp-bit.ru/compex/arm_gostayna.php

10. Protected computers. Automated workstation "Bastion" company Aquarius, http://aq.ru/aquarius_spec.html

11. Trusted download, http://ru.wikipedia.org/wiki/

12. Automated workstation for the exchange of classified documentary information, utility model No. 80040, publication date: 01/20/2009

13. Broadband radio noise generator "Shtora-1", http://www.nero.ru/goods119.html

14. Noise generator of 220 V power supply network and grounding “LGSh-221”, http://www.blackhunter.ru/shop/item/17

15. Compensation current sensors, http://www.electronshik.ru/class/datchiki-toka-kompensatsionnie-s-tokovim-vihodom-01050703

16. The family of microcontrollers PIC18FX5XX with support for full-speed bus USB2.0, http://www.trt.ru/products /microchip/pic18_2.htm

17. Reference data CD4052, http://radio-elements.ru/cd4052.html

18. FSUE “18 Central Research Institute” of the Ministry of Defense of the Russian Federation, “Sensor Manager” computer program, State Registration Certificate with FIPS of the Russian Federation No. 20099610444 dated January 19, 2009, authors: Khotyachuk V.K., Khotyachuk K.M. and etc.

19. FSUE “18 Central Research Institute” of the Ministry of Defense of the Russian Federation, Computer Program “Transceiver Controller”, Certificate of State Registration with FIPS of the Russian Federation No. 20099610445 dated January 19, 2009, authors: Bakunin IB, Khotyachuk VK, Khotyachuk K .M., Goncharov BC

20. FSUE “18 Central Research Institute” of the Ministry of Defense of the Russian Federation, “Computer Monitor of Communication Equipment” computer program, State Registration Certificate with FIPS of the Russian Federation No. 2009611020 dated February 16, 2009, authors: Vasin M.S., Shelestov M.E., Khotyachuk VK.

21. FSUE “18 Central Research Institute” of the Ministry of Defense of the Russian Federation, Utility Model “Protected Drive”, Utility Model Patent No. 87276 dated 05/29/2009 Authors: Khotyachuk V.K., Khotyachuk K.M., Timoshkin BC, Pokormyak L.V. .

22. FSUE “18 Central Research Institute” of the Russian Federation Ministry of Defense, Utility Model “Storage with Protection Against Unauthorized Access to Memory”, Utility Model Patent No. 84594 of July 10, 2009, authors: Vdovin E.I., Khotyachuk K.M., Khotyachuk VK.

23. FSUE “18 Central Research Institute” of the Ministry of Defense of the Russian Federation, Utility Model “Hidden Object Access Registrar”, Utility Model Patent No.86026 of 08.20.2009 authors: Bugaenko OV, Khotyachuk VK, Khotyachuk K.M ., Timoshkin BC

24. FSUE "18 Central Research Institute" of the Ministry of Defense of the Russian Federation, Utility Model "Drive with Location Control". Utility Model Patent No. 90233 dated 12/27/2009 Authors: Batalov A.V., Khotyachuk V.K., Khotyachuk K.M., Timoshkin B.C.

Claims (1)

An automated workstation with information leakage protection, consisting of a monitor, printer, keyboard, mouse type mouse (MTM), USB key, system unit of a personal electronic computer (SB PC), radio noise generator (GRS), power line noise suppression device (UZE) ), a network filter (SF) and a block of electrical outlets (BER), which is connected by an input and an output to a 220 V power supply network and to the input of a network filter node (SF), which is connected to an input respectively by the first, second, and third outputs the monitor’s power supply house, with the printer’s power input and the power supply of the SB PC node, which is connected to the monitor port, the printer port, the keyboard port, and the mouse port of the pointing device (MTM) type, respectively, with the first, second, third, and fourth ports this node SB PC is made with the ability to install and operate on it software (software) in the form of an operating system (OS) that provides control functions of the software and hardware AWP, the formation of a user interface with pre leaving him the ability to enter and / or output information using the keyboard, the mouse-type manipulator node (MTM), a printer and monitor, information processing software, virus protection information protection software, data encryption software and OS trusted boot software using hardware such as USB -key, by which it is possible to authenticate the user, control the loading of the OS and control access to the software, information and hardware resources of the workstation during the operation of the SB PC, in addition, the node of the radio noise generator (G W) is configured to form, in the local zone where the AWS hardware nodes are located, an electromagnetic field (EMF) in a wide range of radio frequencies that overlap and mask the PEMINs that are created and transmitted into the air during the operation of the AWS hardware nodes, the UZE node is configured to the formation in the wires of a 220 V supply network, to which the aforementioned block of electrical outlets is connected, an electric noise field (ESR) that masks PEMIN, which are created and propagated through the electric a flow during the operation of the AWP hardware nodes, characterized in that it includes an additional first current sensor (PDT), a second current sensor (VDT), a microcontroller (MK) and a switch that is connected to the fifth port by the first, second and third ports, respectively SB PC, with a USB key port and with the first port of the microcontroller, which is connected by the second and third ports respectively to the first output of the PDT assembly and to the first output of the VDT assembly, which is connected by the second and third ports to the UZE assembly and to the second output of the assembly and the BER, which is connected to the input of the PDT node by the third output, which is connected to the main switchgear unit by the second output, while the PDT and VDT nodes are capable of non-contact measurement of the current passing through them and the formation of an output voltage proportional to the current, in addition, the microcontroller operates by a program that provides the ability to analyze and process signals coming from the nodes of the ПДТ and ВДТ, identify the activity of the nodes ГРШ and УЗЭ by the level of power consumed by them, generate signals of the status of active Protection with a high or low level, respectively, in the presence or absence of activity of the HSS and UZE nodes and access control to the system and information resources of the workstation by emulating the connection or disconnection of the USB key to the PC SB node through the switch using the mentioned active protection status signals.