WO2017134434A1 - Data diode - Google Patents
- Publication number
- WO2017134434A1 (PCT/GB2017/050250)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- data diode
- power
- diode
- power supply
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/105—Multiple levels of security
Definitions
- A data diode is a device which facilitates a unidirectional flow of information. Such devices are used to enforce one-way communication between systems or networks having differing security classifications, for instance.
- The security classifications may be defined in terms of commercial confidentiality, defence security or any instance where data from a higher classification system should not flow to, or contaminate, a lower classification system.
- A problem with existing data diode solutions is that they are often reliant on embedded software, which itself is a security risk, since the software itself may be prone to attack or infiltration and this could compromise the entire device, allowing data to flow contrary to the user's intention.
- Existing data diodes can also be prohibitively expensive, especially those which are certified to a military standard. There therefore exists a need for a simple, inexpensive data diode.
- Figure 1 shows a multi-network configuration
- Figure 2 shows a detailed schematic of a data diode according to an embodiment of the invention.
- Figure 1 shows a multi-network configuration, comprising three distinct but interconnected networks, 10, 20, 30.
- Networks 10 and 20 are of a higher classification than network 30, which is of a lower classification.
- Networks 10 and 20 trust each other and are able to communicate freely in a bidirectional manner, as shown in Figure 1.
- Network 30 is of a lower classification and is not permitted to communicate freely with network 10. However, network 30 is required to transmit data to network 10 in a manner which does not permit higher classification data flow in the opposite direction (i.e. from the higher to the lower classification network).
- Such a situation may arise in a secure network, where the secure network is required to receive data from a lower classification network, wherein the data may comprise environmental status information or other non-classified data.
- Connected between networks 10 and 30 is a data diode 100, which is a physical device via which networks 10 and 30 are interconnected and which permits data to flow in only a single direction, i.e. from the lower classification network 30 to the higher classification network 10.
- Figure 2 shows a detailed schematic of the data diode 100 according to an embodiment of the present invention.
- The data diode 100 is operable in a serial data system, whereby the transmitting network is connected at serial data input 130 and the receiving network is connected to serial data output 170.
- Data is always transmitted from a lower classification network to a higher classification network, but it is possible to configure this in the opposite direction, should that be necessary. It is also possible to connect two networks of equal classification, whereby one is not permitted to receive data from the other. The skilled person will readily appreciate the different scenarios which would benefit from a data diode according to an embodiment of the invention.
- The serial data communication standard in use is RS485, but other serial data standards may also benefit from embodiments of the invention.
- With RS485, it is not generally possible to draw any operational power from the signal lines themselves.
- RS485 is a serial interface of a type known as 'multi-drop' and, as such, it is not always possible to know how many devices are connected to a particular signal line. To ensure signal quality, it is not possible to draw power from the signal lines.
- Power is therefore provided separately from the signal lines and is derived from a suitable power system, such as a 24V DC system, which may be provided as standard on many vessels, for instance, where the data diode may be used.
- The power input is supplied to power conversion module 110, where, using a switching regulator, it is converted to 12V DC for use in other parts of the data diode 100.
- Power is provided directly from the power conversion module for a first part of the data diode 100, namely the receive portion 100a, comprising serial data transceiver 140. Power is also provided to a power isolation convertor 120. It is important to note that the data diode is provided with power from only a single external power supply.
- The power isolation convertor 120 is in the form of a DC-DC convertor and is arranged to provide isolated power to the transmit portion 100b of the data diode 100, comprising serial data transceiver 160.
- Data enters the data diode 100 at serial data input 130 on a differential pair of lines connected to the first serial data transceiver 140, which in this embodiment is an RS485 transceiver.
- The first transceiver 140 converts the input signal (at ±15V DC) to a lower magnitude DC signal voltage (approximately 1.2V DC), which in turn is used as the driving signal for an optocoupler 150.
- The optocoupler 150 is operable to provide guaranteed data isolation between the transmitting and receiving networks, in that it physically allows only one-way communication. This is achieved by means of a single transmitter of light (emitter) and a single receiver of light (a photoreceptor), which are encapsulated within the optocoupler component. The light is not visible from the exterior of the component, since this would obviously pose a security risk.
- The optocoupler 150 is chosen for convenience, since it is provided in a single physical package. However, functionally, it may be replaced by a separate optical transmitter (emitter) and receiver (detector).
- The data signal leaving first transceiver 140 is used to energise the light source in the optocoupler 150, with the light thereby generated being detected by the photoreceptor, which then generates a corresponding electronic output signal. It is not physically possible for the photoreceptor to act as an emitter and vice-versa.
- The output signal thereby generated is supplied to a second serial data transceiver 160, operable to produce the differential voltage necessary to drive the output 170, which is then, in turn, connected to the receiving system.
- The differential data leaving the data diode output 170 is substantially identical to that arriving at the data diode input 130. By substantially identical, it is meant that the signal leaving output 170 is operable within the same voltage limits as defined by the applicable standard, e.g. RS485, and conveying the same information.
- Embodiments of the invention find particular use in military vehicles, where it is desirable or necessary to provide at least two distinct networks having different security classifications, which must share some information, but where contamination between the networks must be avoided.
- A particular environment which can benefit from embodiments of the invention is marine vessels of the surface and submersible type.
- Because embodiments of the invention do not require any programming and include no software or firmware elements, they are able to operate without any customised configuration, beyond physically connecting them in circuit. This makes them particularly immune to hacking or phishing attacks.
- The physical components required are well known and tested to perform to a range of reliability requirements, resulting in a device which can be certified to operate to a range of applicable standards.
- Physical connections to the data diode 100 may be provided by standard connectors or by hardwiring the incoming/outgoing connections using screw terminal or similar.
- The data diode 100 will normally be housed in a secure environment which will prevent or at least hinder tampering with the connections.
- The data diode is provided as a unitary device, with suitable packaging to prevent or deter physical compromise. Preferably, any attempt to tamper with the device will be evident or will render the device inoperable.
- The electrical connections to the unitary data diode device consist of a data input, a data output and a single power supply. There are no other connections required in order for the data diode to operate. This is advantageous, since no specialised power supply is required over and above that which is customarily provided in the environment in which the data diode is intended to be used.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Dc Digital Transmission (AREA)
Abstract
The invention relates to a data diode, arranged to permit data flow in a single direction, from a transmitter to a receiver, comprising: a data path comprising an optical emitter and a photoreceptor, physically housed in a common optocoupler, the data from the transmitter being used to activate the optical emitter to create an optical signal and the photoreceptor being arranged to produce an electrical signal in response to the optical signal, whereby the electrical signal produced is arranged to be passed to the receiver; and first and second power supplies, whereby the first and second power supplies are isolated from each other, the first power supply being arranged to supply a receive portion of the data diode and the second power supply being arranged to supply a transmit portion of the data diode, and the first and second power supplies being internal power supplies, each produced from a single external power supply.
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP16275018.6 | 2016-02-04 | | |
GB1601999.4A GB2547007A (en) | 2016-02-04 | 2016-02-04 | A data diode |
EP16275018.6A EP3203702A1 | 2016-02-04 | 2016-02-04 | Data diode |
GB1601999.4 | 2016-02-04 | | |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2017134434A1 | 2017-08-10 |
Family
ID=57963365
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/GB2017/050250 WO2017134434A1 | 2016-02-04 | 2017-02-02 | Data diode |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2017134434A1 (fr) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3764260A1 * | 2019-07-12 | 2021-01-13 | Frantisek Mojzis | Analog firewall |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5703562A (en) * | 1996-11-20 | 1997-12-30 | Sandia Corporation | Method for transferring data from an unsecured computer to a secured computer |
US20100235561A1 (en) * | 2007-10-10 | 2010-09-16 | Bae Systems Plc | Data diode |
EP2415198B1 * | 2009-04-01 | 2016-01-06 | Raytheon Company | Data diode system |
- 2017-02-02: WO application PCT/GB2017/050250 (WO2017134434A1), active, Application Filing
Non-Patent Citations (2)
Title |
---|
AUSTIN SCOTT ET AL: "Tactical Data Diodes in Industrial Automation and Control Systems", 18 May 2015 (2015-05-18), GIAC directory of certified professionals, pages 1 - 32, XP055290300, Retrieved from the Internet <URL:http://www.giac.org/paper/gicsp/242/tactical-data-diodes-industrial-automation-control-systems/142041> [retrieved on 20160721] * |
STEVENS M ET AL: "Data diodes", INTERNET CITATION, July 1995 (1995-07-01), XP002469791, Retrieved from the Internet <URL:http://hdl.handle.net/1947/3990> [retrieved on 20080220] * |
Similar Documents
Publication | Title | Publication Date |
---|---|---|
EP2415198B1 | Data diode system | |
US9750068B2 (en) | Virtualized physical layer adapted for EHF contactless communication | |
US7898786B2 (en) | Intrinsically safe galvanically isolated barrier device and method thereof | |
AU2008309376B2 (en) | Data diode | |
US20170134090A1 (en) | Handheld terminals, computers, and visible light communication systems | |
CN102355409A | One-way data transmission system | |
US9306755B2 (en) | Data transmission device | |
US20180198481A1 (en) | Transmitter-receiver device connectable to a communications network by a can-type or flexray-type bus | |
WO2008150116A2 | Digital image transmission system transmitting digital image data | |
JP2015524630A | System and method for an undersea optical CAN bus | |
US8527783B2 (en) | Baseband ethernet extension system over coaxial cable | |
CN104184638B | RS-485 bus anti-collision method, interface chip and communication network thereof | |
WO2017134434A1 | Data diode | |
EP3203702A1 | Data diode | |
GB2547007A (en) | A data diode | |
US11930071B2 (en) | Network adapter for unidirectional transfer of data | |
Cronin et al. | Covert data exfiltration using light and power channels | |
US20170302625A1 (en) | Dynamically configurable packet filter | |
Shamir et al. | Summary of an open discussion on IoT and lightweight cryptography | |
US9699115B2 (en) | Bus network having a safety gate of a substantial safety isolation type | |
EP2865156A1 | Apparatus and method for connecting computer networks | |
KR101499894B1 | Unidirectional data transmission apparatus in an Ethernet network | |
CN107634972B | One-way communication system and board card between safety-level and non-safety-level systems of a nuclear power plant | |
US10602634B2 (en) | Card module with multiple connector interfaces | |
CN108683513A | One-way communication system and board card between safety-level and non-safety-level systems of a nuclear power plant | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 17703218; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 17703218; Country of ref document: EP; Kind code of ref document: A1 |