WO2019215442A1 - Secure system for storing, exchanging and processing data - Google Patents

Info

Publication number: WO2019215442A1
Authority: WO (WIPO, PCT)
Prior art keywords: data, secure, switch, storage buffer, processor
Application number: PCT/GB2019/051265
Other languages: English (en)
Inventors: Paul EMERTON, Keith EMERTON
Original assignee: Torricel Limited

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F 21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures

Definitions

  • the present disclosure relates to a secure data processing system and to a corresponding method of securely processing data.
  • Modern computer and telecommunication systems are often permanently connected together via internal networks such as Ethernet LAN, Bluetooth, NFC and external networks such as WAN / ADSL or Fibre Internet to undertake certain tasks and provide services.
  • a website that accepts and makes a volume of crypto-currency payments usually has some of its crypto-currency wallets stored on a networked computer system as part of the website infrastructure for immediate access - a 'hot wallet'.
  • hackers enter the system through the network, for example by using a Virus / Trojan or insecure password. Once they get access to the payment server, they are able to run programme code or execute computer commands which reveal the 'private key' data. Once the hacker has the 'private key' data, they are able to create, sign and irreversibly send transactions on any internet-connected computer in the world.
  • a hacker may also execute transactions on the payment server, moving cryptocurrencies from the 'hot-wallet' directly into their own crypto-wallet.
  • An objective of the present disclosure is to ensure the continued free flow of data whilst protecting against these breaches by, in effect, providing the security benefits of an off-line system.
  • the method and system described herein enforces data and system isolation with safe control of processes, data integrity and movement of data, providing effectively autonomous access to the data and processes of isolated 'off-line' systems.
  • the system preferably utilises a discrete logic-based supervisory state machine controller with Exclusive-OR logic isolation of shared memory 'buffers', of interconnected data communication lines, or of both.
  • a secure data processing system comprising: an input connector operatively connected in use to an external data network; a first storage buffer arranged to store an instruction received from the external data network via the input connector; a secure data processor arranged to process the instruction stored in the storage buffer; a first data switch operatively coupling the input connector to the first storage buffer; a second data switch operatively coupling the first storage buffer to the secure data processor; and wherein the first and second data switches are configured when activated to respectively either provide a first data communication channel between the input and the first storage buffer, or to provide a second data communication channel between the storage buffer and the secure data processor, and to prevent both first and second communication channels being provided simultaneously between the input and the secure data processor. Preventing the first and second communication channels being provided simultaneously ensures that the secure data processor is isolated from the external data network, and ensures that the security benefits of an off-line system are provided to the secure data processor.
  • the secure data processing system may comprise: a data switch controller operatively connected to the first and second data switches, arranged in use to either activate the first data switch to establish the first data communication channel, or the second data switch to establish the second data communication channel.
  • the data switch controller may be configured with an Exclusive-OR "XOR" logic, enabling the controller to either activate the first data switch and deactivate the second data switch at the same time or in succession, or activate the second data switch and deactivate the first data switch at the same time or in succession. This prevents a circuit configuration existing in which both the first and second switch are active to provide a direct communication channel between external data network via the input and the secure data processor.
  • the data switch controller may be operatively connected with the first storage buffer and the secure processor, and may comprise a reduced logic configuration preventing instructions received from either the first storage buffer or the secure processor being executed for activating the second data switch whilst the first data switch is activated, and for preventing instructions received from either the first storage buffer or the secure processor being executed for activating the first data switch whilst the second data switch is activated, thereby preventing the first data communication channel and the second data communication channel being contemporaneously provided. This further improves the security of the system by preventing the data switch controller executing any malicious instructions, which would result in both the first and second data switches being contemporaneously active, thus enabling a direct communication channel being established between the external data network via the input and the secure data processor.
  • the data switch controller is preferably a state machine.
  • the data switch controller is preferably arranged to be triggered, to operate the data switches, exclusively by discrete logic signals received through discrete logic lines.
  • the data switch controller is preferably arranged to activate and deactivate each of the data switches in accordance with a strict predetermined sequence of logic signals.
  • the data switch controller is preferably arranged to disconnect all of the switches in the event an out of sequence logic signal (or any signal that is determined to be an out of sequence logic signal) is received by the data switch controller.
  • the data switch controller/state machine is preferably a dedicated, data-isolated microprocessor system.
  • a dedicated and otherwise independent switch controller/state machine best enables secure and consistent control of the data switching system in accordance with the above aspect.
  • the secure data processing system is preferably configured such that the data switch controller/state machine has no data connection to any other system, any data network or any human interface. There may, however, be a connection to a limited number of discrete logic inputs only, to allow for manual intervention to disable or reset the system. Such arrangements eliminate any possible way for an attacker to compromise the controller using an internet or LAN connection.
  • the data switch controller/state machine is preferably data-isolated from the systems it controls (including the first and second storage buffers and the secure data processor) by use of only the discrete logic signaling. It preferably only communicates and controls the systems by sensing and setting Discrete Logic Flags. With such an arrangement, even if a compromised system attempted to pass data to it in an attempted attack, the data switch controller/state machine controller would not identify the signal as a data signal, nor would it have any programming that allowed it to "read" the data.
  • the secure data processor may be configured in use to process executable instructions compliant with a predefined data specification, the data specification defining a set of permissible executable instructions, and the secure data processing system may comprise: a data verification module arranged in use to analyse the received instructions for compliance with the predefined data specification; and wherein the first storage buffer is configured in use to prevent the received instructions from being passed to the data processor if the instructions are non-compliant with the predefined data specification.
  • the data switch controller may be arranged in use to deactivate any active data switch if the instructions are non-compliant with the predefined data specification.
  • the data switch controller may be arranged in use to deactivate the first data switch, and subsequently activate the second data switch if the received instructions are compliant with the predefined data specification, to enable the received instructions to be forwarded to the secure data processor for processing.
  • the secure data processor may comprise a receiving module for receiving the instructions from the first storage buffer, and the secure data processor may be arranged in use to output a control signal enabling the second data switch to be deactivated if the received instructions are non-compliant with the predefined data specification.
  • the instructions may comprise a plurality of data bits and the first storage buffer may comprise a transmitting module configured to individually and sequentially transmit the one or more data bits of the received instructions stored in the first storage buffer to the secure data processor via the second data switch when activated, if the instructions are compliant with the predefined data specification.
  • the first storage buffer's transmitting module may be arranged in use to transmit the one or more bits in response to a request received from the secure data processor.
  • the first storage buffer's transmitting module may be arranged in use to individually transmit each bit comprised in the one or more bits in response to a different request for each bit being received from the secure data processor.
  • the secure data processor may be configured in use to analyse a received bit, and output a request for a further bit if the received bit is compliant with the predefined data specification.
  • the first storage buffer may comprise a translation module arranged in use to convert the received instructions into a reduced instruction set comprising two or more limited task-specific instructions executable by the secure data processor.
  • the advantage of this is that it enables only the predefined actions defined in the reduced instruction set to be executed by the processor. Thus Trojan horses, viruses and other potentially security-compromising commands are not executable by the processor.
  • the secure data processor may be configured in use to process instructions expressed in accordance with the reduced instruction set.
  • the secure data processor may be arranged to generate a data output, and the system may comprise: an output connector operatively connected in use to the external data network; a second storage buffer arranged to store the data output received from the secure data processor for output to the external data network; the secure data processor may be coupled to the second storage buffer via a third data switch; the output connector may be operatively coupled to the second storage buffer via a fourth data switch; and the third and fourth data switches may be configured when activated to respectively either provide a third data communication channel between the secure data processor and the second storage buffer, or provide a fourth data communication channel between the second storage buffer and the output connector, and to prevent both the third and fourth communication channels being provided simultaneously between the secure data processor and the output connector.
  • the data switch controller is preferably operatively connected to the third and fourth data switches, and arranged in use to either activate the third data switch to establish the third data communication channel, or the fourth data switch to establish the fourth data communication channel.
  • the data switch controller may be configured with an Exclusive-OR "XOR" logic, enabling the controller to either activate the third data switch and deactivate the fourth data switch at the same time or in succession, or activate the fourth data switch and deactivate the third data switch at the same time or in succession.
  • each data switch may be arranged, when activated, to establish a mono-directional data communication channel enabling data to flow in a single direction only.
  • the first storage buffer may be arranged to store the data output for output to the external data network received from the secure data processor; and the first and second data switches of the above aspect may be further configured when activated to respectively either provide a third data communication channel between the secure data processor and first storage buffer, or provide a fourth data communication channel between the first storage buffer and the output connector, and to prevent both the third and fourth communication channels being provided simultaneously between the secure data processor and the output connector.
  • At least one data switch may comprise an opto-isolator configured to provide a data communication channel by converting a received electrical signal into an optical signal, and back into an electrical signal for output.
  • At least one data switch may comprise a relay switch.
  • the secure data processor may be configured in use to execute a cryptographic function.
  • the secure data processor may be configured to execute a blockchain transaction.
  • the secure data processor may comprise: a secure data store and a secure data store management processor for retrieving and storing data to the secure data store.
  • a method of securely processing data comprising: receiving at an input connector instructions from an external data network; activating a first data switch to provide a first data communication channel between the input connector and a first storage buffer; transmitting the received instructions to the first storage buffer via the activated first data switch; storing the received instructions in the first storage buffer; activating a second data switch to provide a second data communication channel between the first storage buffer and a secure data processor; and transmitting the received instructions to the secure data processor for processing; wherein the first data switch is deactivated prior to activating the second data switch, to prevent both the first and second communication channels being provided simultaneously.
  • the method may comprise: activating either the first data switch to provide the first data communication channel, or the second data switch to provide the second data communication channel.
  • the method may comprise: analysing the received instructions for compliance with a predefined data specification; and preventing the received instructions from being passed to the data processor if the received instructions are non-compliant with the predefined data specification.
  • the method may comprise: deactivating any active data switch, if the received instructions are non- compliant with the predefined data specification.
  • the method may comprise: deactivating the first data switch, and subsequently activating the second data switch, if the received instructions are compliant with the predefined data specification.
  • the received instructions may comprise one or more data bits, and the method comprises: individually and sequentially transmitting the one or more bits to the secure data processor via the second data switch when activated, if the received instructions are compliant with the predefined data specification.
  • the method may comprise transmitting the one or more bits in response to a request received from the secure data processor.
  • the method may comprise: analysing a received bit, and outputting a request for a further bit in dependence on the received bit being compliant with the predefined specification.
  • the method may comprise converting the received instructions into a reduced instruction set
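The verification, bit-serial transfer and reduced-instruction-set stages described in the system items above (data verification module, transmitting module, translation module) and in the corresponding method steps, as an added example in Python. This is not code from the patent or from Torricel Limited. The two-opcode reduced instruction set (SIGN, PUBKEY), the 7-bit RIS-ASCII subset, the newline terminator, the external request names (sign_digest, get_pubkey) and the HMAC-SHA256 stand-in for the signing function are all assumptions made for illustration; a real secure processor would run the blockchain signing routine in their place.

```python
"""Added model of buffer-side translation and verification, bit-serial
transfer on request, and a secure processor that executes only the reduced
instruction set (RIS). Not the patent's code; opcodes, charset, terminator,
request names and the HMAC stand-in for signing are assumptions."""
import hashlib
import hmac
from typing import Optional

END = "\n"                                   # assumed RIS message terminator
RIS_ALLOWED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ") | {END}
RIS_OPERANDS = {"SIGN": 1, "PUBKEY": 0}      # assumed RIS: opcode -> operand count
MAX_LEN = 80                                 # bound on a RIS message
HEX = set("0123456789ABCDEF")


def is_hex64(s: str) -> bool:
    return len(s) == 64 and set(s.upper()) <= HEX


def verify_ris(text: str) -> bool:
    """Data verification module: whole-message check against the RIS spec."""
    if not (0 < len(text) <= MAX_LEN and text.endswith(END)):
        return False
    if not set(text) <= RIS_ALLOWED:
        return False
    op, *args = text[:-1].split(" ")
    if op not in RIS_OPERANDS or len(args) != RIS_OPERANDS[op]:
        return False
    return op != "SIGN" or is_hex64(args[0])


def translate(request: dict) -> Optional[str]:
    """Translation module in buffer 1: only two request kinds have a RIS
    form; anything else (key export, arbitrary commands) has none."""
    method, params = request.get("method"), request.get("params", [])
    if method == "sign_digest" and len(params) == 1 and is_hex64(str(params[0])):
        return f"SIGN {str(params[0]).upper()}{END}"
    if method == "get_pubkey" and not params:
        return f"PUBKEY{END}"
    return None


class TransmittingModule:
    """Buffer side: hands over exactly one bit per request, MSB first."""
    def __init__(self, text: str) -> None:
        self._bits = ((b >> i) & 1 for b in text.encode("latin-1")
                      for i in range(7, -1, -1))

    def request_bit(self) -> Optional[int]:
        return next(self._bits, None)


class ReceivingModule:
    """Processor side: requests bits one at a time and stops requesting at
    the first bit that cannot belong to a 7-bit RIS-ASCII character."""
    def receive(self, tx: TransmittingModule) -> Optional[str]:
        chars = []
        while len(chars) < MAX_LEN:
            byte = 0
            for i in range(8):
                bit = tx.request_bit()
                if bit is None or (i == 0 and bit == 1):
                    return None          # truncated, or high bit set: reject
                byte = (byte << 1) | bit
            ch = chr(byte)
            if ch not in RIS_ALLOWED:
                return None              # non-compliant byte: request no more
            chars.append(ch)
            if ch == END:
                return "".join(chars)
        return None                      # no terminator within MAX_LEN


class SecureDataProcessor:
    """Isolated processor: holds the key and executes only RIS instructions."""
    def __init__(self, private_key: bytes) -> None:
        self._key = private_key          # never returned by any instruction
        self.pubkey_id = hashlib.sha256(b"pub:" + private_key).hexdigest()[:16]

    def execute(self, ris: str) -> Optional[str]:
        if not verify_ris(ris):          # second check on the processor side
            return None
        op, *args = ris[:-1].split(" ")
        if op == "PUBKEY":
            return self.pubkey_id
        digest = bytes.fromhex(args[0])  # HMAC stands in for the real signing
        return hmac.new(self._key, digest, hashlib.sha256).hexdigest()


def process_request(request: dict, processor: SecureDataProcessor) -> Optional[str]:
    """Request -> buffer 1 (translate, verify) -> bit-serial transfer ->
    processor. Returns None wherever the chain refuses to forward."""
    ris = translate(request)
    if ris is None or not verify_ris(ris):
        return None
    received = ReceivingModule().receive(TransmittingModule(ris))
    return None if received is None else processor.execute(received)
```

The point of the two-stage check is that the processor never sees a byte outside the RIS alphabet: the receiving module stops asking for bits at the first high bit or disallowed character, and a request with no RIS translation (a key-export command, for instance) is dropped in buffer 1 before any switch towards the processor would be closed.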
  • the method may comprise: activating a third data switch to provide a third data communication channel between the secure data processor and a second storage buffer; outputting a data output from the secure data processor to the second storage buffer; storing the data output in the second storage buffer; and activating a fourth data switch to provide a fourth data communication channel between the second storage buffer and the output connector.
  • the method may comprise: activating either the third data switch to establish the third data communication channel, or the fourth data switch to establish the fourth data communication channel.
  • the method may comprise: providing a mono-directional data communication channel when any one of the data switches is activated.
  • the method may comprise: executing a cryptographic function at the secure data processor. For example, a blockchain transaction.
  • Yet a further aspect of the invention provides a data switch controller suitable for controlling activation of a first data switch to provide a first data communication channel between an external data network and a storage buffer, and activation of a second data switch to provide a second data communication channel between the storage buffer and a secure processor, the data switch controller comprising: an output connector arranged in use to output either a first control signal enabling activation of the first data switch, or a second control signal enabling activation of the second data switch, wherein the output connector is configured with an Exclusive-OR "XOR" logic, to respectively prevent the output of the second control signal if the first data switch is activated, and the output of the first control signal if the second data switch is activated.
  • Figure 1 is a schematic illustration of a secure data processing system according to a first embodiment of the present invention
  • Figure 2 is a schematic illustration of a discrete logic control system implemented in the system of Figure 1;
  • Figures 3 to 16 each comprise a pair of schematic illustrations showing the secure data processing system of Figure 1 and its discrete logic control system in a different switch state:
  • Figure 3 shows a fail safe switch state
  • Figure 4 shows a switch state in which a first storage buffer is connected to an external data network
  • Figure 5 shows a switch state in which the first storage buffer is ready to send data
  • Figure 6 shows a switch state in which a data switch controller is changing switches and notifying systems
  • Figure 7 shows a switch state in which the first storage buffer has finished sending data
  • Figure 8 shows a switch state in which a secure data processor is processing the request based on the data received from the first storage buffer, and all switches are disconnected;
  • Figure 9 shows a switch state in which the secure data processor is ready to send data to a second storage buffer
  • Figure 10 shows a switch state in which the secure data processor can send data to the second storage buffer
  • Figure 11 shows a switch state in which the secure data processor completes the data send to the second storage buffer and the data switch controller breaks the connection;
  • Figure 12 shows a switch state in which the switch controller waits whilst the second storage buffer translates the message into a data format for sending to the external data network;
  • Figure 13 shows a switch state in which the second storage buffer signals to the data switch controller to enable an external data network connection
  • Figure 14 shows a switch state in which the second storage buffer sends data to the external network
  • Figure 15 shows a switch state in which the second storage buffer completes the data send and instructs the data switch controller to break the connection;
  • Figure 16 shows a switch state in which the first storage buffer is connected to the external data network
  • Figures 17 to 21 comprise schematic illustrations showing different PANIC states of the discrete logic system of the arrangement of Figure 1 in which all switches are disconnected and a PANIC STATE flag is set TRUE - the line signaling differs between each illustration;
  • Figure 22 comprises a schematic illustration showing an external SAFE STATE DEMAND on the discrete logic system of the arrangement of Figure 1;
  • Figure 23 shows an exemplary 3x8 decoder suitable for use for EXCLUSIVE-OR logic control of the data switches by the data switch controller of the arrangement of Figure 1;
  • Figure 24 illustrates Bitcoin-qt software commands
  • Figure 25 illustrates standard ASCII, Decimal, Hex, Octal and Binary look-up tables
  • Figure 26 illustrates a RIS-ASCII, Binary Look Up Table
  • Figure 27 illustrates an example circuit diagram of a combined 3x8 decoder and multi-pole relay data switch, which may be implemented in the arrangement of Figure 1 and controlled by the data switch controller thereof;
  • Figure 28 illustrates an example of an RIS data communication wrapper.
  • a first non-limiting example is described using the case-study of a 'Crypto- Currency Payment Server'.
  • the present invention is not limited to such an arrangement.
  • the secure data processing system as defined generally in the statements of invention and claims, may be used in numerous applications and is in no way limited to the specific implementations discussed in detail below, features of which may be omitted or replaced, within the scope of the claims, as will be readily appreciated by those skilled in the art.
  • the innovative system described herein moves such data and processes, in this example the 'private key' data and the digital signing of transaction messages to a system 'the secure system' that is isolated from the external network.
  • the system comprises a secure data processing system 1, comprising: an input connector 2 operatively connected in use to an external data network (not shown); a first storage buffer 3 arranged to store an instruction received from the external data network via the input connector 2; a secure data processor 4 arranged to process the instruction stored in the storage buffer 3; a first data switch 5 operatively coupling the input connector 2 to the first storage buffer 3; a second data switch 6 operatively coupling the first storage buffer 3 to the secure data processor 4; and wherein the first and second data switches 5, 6 are configured when activated to respectively either provide a first data communication channel between the input connector 2 and the first storage buffer 3, or to provide a second data communication channel between the first storage buffer 3 and the secure data processor 4, and to prevent both first and second communication channels being provided simultaneously between the input connector 2 and the secure data processor 4. Preventing the first and second communication channels being provided simultaneously ensures that the secure data processor is isolated from the external data network, and ensures that the security benefits of an off-line system are provided to the secure data processor.
  • a data switch controller 7 operatively connected to the first and second data switches 5, 6, which is arranged in use to either activate the first data switch 5 to establish the first data communication channel, or the second data switch 6 to establish the second data communication channel.
  • the data switch controller 7 is preferably a state machine.
  • the system yet further comprises an output connector 8 operatively connected in use to the external data network; a second storage buffer 9 arranged to store the data output received from the secure data processor 4 for output to the external data network; the secure data processor 4 is coupled to the second storage buffer 9 via a third data switch 10; the output connector 8 is operatively coupled to the second storage buffer 9 via a fourth data switch 11; and the third and fourth data switches 10, 11 are configured when activated to respectively either provide a third data communication channel between the secure data processor 4 and the second storage buffer 9, or provide a fourth data communication channel between the second storage buffer 9 and the output connector 8, and to prevent both the third and fourth communication channels being provided simultaneously between the secure data processor 4 and the output connector 8.
  • the data switch controller 7 is operatively connected to the third and fourth data switches 10, 11, and arranged in use to either activate the third data switch 10 to establish the third data communication channel, or the fourth data switch 11 to establish the fourth data communication channel.
  • the secure system of the present arrangement is isolated and secured by way of five independent but complementary features, namely:
  • the connection and disconnection feature using the first and second data switches, which is always present; when all of the features are used together they provide an optimum security solution to the problems that exist with the prior art.
  • Translator system(s) preferably implemented in the storage buffers 3, 9, as discussed, when allowed by the state machine system controller 7, are able to submit transaction requests in a restricted format to a dedicated, but otherwise isolated system (secure processor 4) for cryptographic signing. That system is normally disconnected from all other Microprocessor Systems.
  • the EXCLUSIVE-OR logic switch system controlled by the state machine system controller, physically prevents the translator from being connected to the External Data Network simultaneously.
  • an Output Translator system will then be instructed to receive the signed transaction, which it can then translate and submit to the Blockchain (for example) accordingly.
  • the autonomous nature of the system means that data and processing requests can be made on demand and in large volumes.
  • the system can move such requests at high speed whilst always maintaining the integrity of the data communication line air-gaps and Microprocessor System isolation.
  • the EXCLUSIVE-OR system provides a data movement and processing system much like an 'air-lock'. External environments are, in effect, permanently isolated from internal secured environments. Specifically, this isolation is an electrical isolation which is preferably realised as a physical disconnection between the external and internal environments. As in the case of an air-lock, the system also enables incoming data to be inspected prior to it being passed into the internal secured environment. The combination of the EXCLUSIVE-OR connection and disconnection in effect creates a kind of 'digital air-lock' within the translator system(s).
  • An EXCLUSIVE-OR configuration means that only one of the possible connections is made at any one time, thereby enforcing an absolute disconnection of the secure system(s) from any other system that is currently connected to an external network. There is never any direct or proxied connection to the secured system from any external network.
  • the enforced EXCLUSIVE-OR condition of switch enabling for the first and second data switches 5, 6 acts as a primary layer of security between the Data Switches and the state machine controller.
  • Even if the state machine controller were compromised, it does not have the ability to open a pathway to the secure computer from the external network, as discussed further below.
  • the first system used in the example of an EXCLUSIVE-OR implementation is through use of discrete electronic components, or of an IC (Integrated Circuit) set (e.g. the 74LS138), that forms a 3x8 logic decoder circuit.
  • FIGURE 23 3x8 Decoder used for EXCLUSIVE-OR Logic Control of Data Switches by the State Machine Controller
  • FIGURE 27 Example Circuit Diagram of a Combined 3x8 Decoder and Multi-Pole Relay Data Switch, as controlled by the State Machine Controller.
  • the 3x8 decoder circuit allows a single logic "TRUE" or "1" state to be set on one of its 8 output lines (D0-D7) at any one time.
  • the remaining 7 output lines are always logic "FALSE" or "0".
  • the selection of the "TRUE" output line is determined by the setting of 3 discrete logic inputs in binary form (A0, A1, A2), with the Least Significant Bit at A0. These settings are driven by the logic outputs from the General Purpose Input Output (GPIO) of the State Machine Controller 7.
  • these three logic inputs are preferably opto-isolated from their triggering source.
  • An opto-isolator is a device which converts electronic signals to light, and then back to electronic signals, thus providing total electrical isolation between parts of a circuit, the purpose of which is to provide additional protection to sensitive microprocessors and circuits.
  • FIGURE 1 The Exclusive-OR Switching System.
  • 3x8 DECODER STATE 6 (Logic Output 'TRUE' on D5) is used to determine the controlled "SAFE STATE". STATE 6 does not enable any of the data switches (all data switches are disconnected), but it does set the discrete logic output for "SAFE STATE” as "TRUE” as a method of signalling a controlled disconnection by the State Machine Controller 7. This output is used as one of the discrete logic flag outputs from the State Machine Controller "SAFE STATE", as shown in FIGURE 2: The Discrete Logic Control System.
  • the 3x8 Decoder implementation is designed to ensure that a condition does not arise where any of the data switches 5, 6, 10, 11 are enabled during a failure situation, such as loss of power.
  • 3x8 DECODER STATES 7 (Logic Output 'TRUE' on D6) and 8 (Logic Output 'TRUE' on D7) also produce this condition, the three outputs D5, D6 and D7 being linked together by way of an OR gate to trigger the FAIL SAFE discrete logic flag.
  • 3x8 DECODER STATES 1, 7 and 8 are not used by the State Machine Controller 7 and do not enable any of the data switches 5, 6, 10, 11, so the system will effectively fail in a safe condition if any of these becomes active, which is functionally identical to 3x8 DECODER STATE 6 : SAFE STATE. No data communication between the microprocessor systems is possible for 3x8 Decoder states 1, 6, 7, 8.
  • 3x8 DECODER STATES 2 (Logic Output 'TRUE' on D1), 3 (Logic Output 'TRUE' on D2), 4 (Logic Output 'TRUE' on D3), and 5 (Logic Output 'TRUE' on D4) are used to exclusively enable each of the data switches 1, 2, 3 and 4, one at a time.
  • The decoder therefore cannot connect Microprocessor System 3 (the secure data processor 4) to Microprocessor System 1 or 4 (the buffers 3 and 9) whilst either of those buffers also has an active connection to the External Data Network.
  • FIGURE 27 Example Circuit Diagram of a Combined 3x8 Decoder and Multi-Pole Relay Data Switch, as controlled by the State Machine Controller. The 3x8 decoder used here (the 74LS138) has active-low outputs across its output pins (D0-D7), meaning that the selected pin's state is "FALSE" or "0" instead of "TRUE" or "1", as described in FIGURE 23.
  • Inverter ICs, in this case the 74LS04, are then used to invert the state of each output pin (D0 to D7) on the 74LS138.
  • the 3x8 decoder with inverters on its outputs (D0-D7) results in a single "TRUE" or "1" output on only 1 of the possible 8 outputs. The rest are then correctly held "FALSE" or "0".
  • the second exemplary system of EXCLUSIVE-OR implementation is through the use of a
  • FIGURE 1 The Exclusive-OR Switching System
  • the first relay (FIGURE 1 at the top left side) is a double-pole relay that passes the External Network Data Communication Lines on one pole (figure, top left) and the Internal Data Communication Lines on the other pole (FIGURE 1, lower middle - left).
  • the Internal Data Communication Lines passes through a further single-pole relay (bottom, left).
  • a further second single pole relay (FIGURE 1, bottom left and bottom right) is used to additionally switch the Internal Data Communication Lines.
  • these are Relay Data Switches 2 and 3.
  • the Internal Data Communication Line is connected to the NO (Normally Open) connections and is therefore disconnected.
  • the relay coil for Data Switch 2 or 3 only becomes powered when 3X8 DECODER STATES 3 or 4 (respectively) are set to "True” or "1", thus moving the relay's pole to the NO (Normally Open) connections and therefore connecting the Internal Data Communications Line.
  • FIGURE 27 creates a condition where the State Machine Controller 7 is able to disconnect all data lines from all systems (FIGURE 8 : SWITCH STATE 5 and FIGURE 23, 3x8 DECODER STATE 6), whilst also ensuring a "FAIL SAFE" condition: if, for example, there is a loss of power to the switch control system, the Internal Data Communication line is also disconnected (FIGURE 3 : SWITCH STATE 0 - FAIL SAFE).
  • This relay circuit design (FIGURE 27) enforces a further physical electro-mechanical implementation of EXCLUSIVE-OR control of data connections that cannot be manipulated by any controlling system, such as the State Machine Controller, nor by control circuitry that is unpowered or otherwise in a FAIL condition.
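The decoder and inverter stage described in the bullets above, modelled in software as an added example; this is not circuitry or firmware from the patent. It reproduces the 74LS138 active-low truth table and the 74LS04 inversion, then checks the property the whole design leans on: in every decoder state, and with the decoder unpowered, at most one of data switches 1 to 4 is driven. The page gives the output-to-state mapping (states 2 to 5 on D1 to D4, SAFE STATE on D5, FAIL SAFE from D5, D6 or D7); what is assumed here is only that decoder STATE n corresponds to select value n-1 on the chip's A/B/C inputs.

```python
"""Software model of the 3x8 decoder and inverter stage that drives the relay data
switches (added example, not circuitry or firmware from the patent).  Assumed, since the
page does not state it: decoder STATE n (1..8) is the 74LS138 select value n-1 on its
A/B/C inputs, so STATE n drives output D(n-1)."""
from typing import List, Set

SWITCH_FOR_STATE = {2: 1, 3: 2, 4: 3, 5: 4}   # states 2..5 enable data switches 1..4 (D1..D4)
SAFE_STATE = 6                                # D5: controlled disconnection, SAFE STATE flag
FAIL_SAFE_OUTPUTS = (5, 6, 7)                 # D5 OR D6 OR D7 raises the FAIL SAFE flag


def ls138_outputs(a: int, b: int, c: int, enabled: bool = True) -> List[int]:
    """Active-low outputs D0..D7 of a 74LS138 for select inputs A (LSB), B, C (MSB).
    An unpowered or disabled decoder drives nothing low."""
    if not enabled:
        return [1] * 8
    selected = (c << 2) | (b << 1) | a
    return [0 if i == selected else 1 for i in range(8)]


def ls04_invert(outputs: List[int]) -> List[int]:
    """74LS04 inverters: the one low output becomes the one TRUE line."""
    return [1 - v for v in outputs]


def decoder_lines(state: int, powered: bool = True) -> List[int]:
    """Inverted logic lines D0..D7 for decoder STATE 1..8."""
    if not 1 <= state <= 8:
        raise ValueError("decoder state must be 1..8")
    idx = state - 1
    return ls04_invert(ls138_outputs(idx & 1, (idx >> 1) & 1, (idx >> 2) & 1, powered))


def enabled_switches(lines: List[int]) -> Set[int]:
    """Data switches whose relay coil is driven by these lines."""
    return {sw for state, sw in SWITCH_FOR_STATE.items() if lines[state - 1] == 1}


def safe_state_flag(lines: List[int]) -> int:
    """SAFE STATE flag: the inverted D5 line."""
    return lines[SAFE_STATE - 1]


def fail_safe_flag(lines: List[int]) -> int:
    """FAIL SAFE flag: OR of the inverted D5, D6 and D7 lines."""
    return int(any(lines[i] for i in FAIL_SAFE_OUTPUTS))


def exclusive_or_holds(powered: bool = True) -> bool:
    """The property the design relies on: in every state, and with the decoder unpowered,
    at most one line is TRUE and at most one data switch is closed."""
    for s in range(1, 9):
        lines = decoder_lines(s, powered)
        if sum(lines) > 1 or len(enabled_switches(lines)) > 1:
            return False
    return True


if __name__ == "__main__":
    for s in range(1, 9):
        ln = decoder_lines(s)
        print(f"STATE {s}: lines={ln} switches={sorted(enabled_switches(ln))} "
              f"safe={safe_state_flag(ln)} fail_safe={fail_safe_flag(ln)}")
    print("exclusive-or holds:", exclusive_or_holds() and exclusive_or_holds(powered=False))
```

Running the script prints the eight states; only states 2 to 5 close a switch, state 6 raises SAFE STATE, and states 6 to 8 raise FAIL SAFE, matching the text. The check is worth keeping in a bench test for any re-layout of the board, since a wiring change that routed a second decoder output to a relay coil would silently break the mutual exclusion.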
  • the Exclusive-OR Switching circuitry is controlled by a State Machine 7 (Microprocessor System 2)
  • a state machine is a system that operates using a set of fixed variables in a specifically programmed way. There is no allowable tolerance within these variables, and its sole purpose is to undertake those specific monitoring / action tasks.
  • a dedicated and otherwise independent state machine controller enables consistent control of the Exclusive-OR Data Switching System.
  • the state machine 7 is a dedicated, data-isolated microprocessor system. It is important to note that it has no data connection to any other system, any data network or any human interface such as a keyboard, other than the two discrete logic inputs which are designed to allow manual intervention to disable or reset the system. This means that there is no way for an attacker to compromise the system using an internet or LAN connection.
  • the State Machine Controller monitors the processes of the overall system using the discrete logic flag system and allows the connection and disconnection of data switches in sequence, only on the condition that:
  • FIGURE 4 STATE 1 / FIGURE 23, 3x8 DECODER STATE 2).
  • While Microprocessor System 1 (first storage buffer 3) - Input Translator is sanitizing, processing and translating data received from the external network, all Internal Data Communication Lines and the secure system (Microprocessor System 3 - secure data processor 4) are always physically disconnected from it (FIGURE 5, STATE 1 / FIGURE 23, 3x8 DECODER STATE 2).
  • FIGURE 8, STATE 5 / FIGURE 23, 3x8 DECODER STATE 6 When Microprocessor System 3 (secure data processor 4) - Secure System is undertaking secured instructions, such as retrieving requested data from its secured storage, processing secured data, cryptographically signing transactions, etc, it is always disconnected from all other systems.
  • While data is being sent to Microprocessor System 4 (second storage buffer 9) - Output Translator, the translator (second storage buffer 9) is always disconnected from the external network. Furthermore, Microprocessor System 3 (secure data processor 4) - Secure System is always disconnected from Microprocessor System 1 (first storage buffer 3) - Input Translator.
  • While Microprocessor System 4 (second storage buffer 9) - Output Translator is sending data to the external network, it is always physically disconnected from the Internal Data Communication Lines and Microprocessor System 3 (secure data processor 4) - Secure System. (FIGURE 14, STATE 3 / FIGURE 23, 3x8 DECODER STATE 4).
  • External control of the system is effected by two external discrete logic flags.
  • i. A "READY to SEND" discrete logic flag will not be processed while the State Machine Controller 7 is waiting for a data transmission to complete between Microprocessor Systems. ii. A "READY to SEND" discrete logic flag will not be processed, and a PANIC state will be identified, if the request is raised by a machine out of sequence.
  • the State Machine Controller 7 will expect to follow the flow of its intended task: a. If a message has been sent from Microprocessor System 1 (first storage buffer 3) to Microprocessor System 3 (secure data processor 4), the State Machine Controller 7 will not allow Microprocessor System 1 (first storage buffer 3) to reconnect to the External Data Network until: i. Microprocessor System 3 (secure data processor 4) has communicated with Microprocessor System 4 (second storage buffer 9),
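The sequencing rules set out in the bullets above (one data switch closed at a time, a "Data Ready" request left waiting while another transfer is in progress, PANIC on a request raised out of sequence, System 1 not reconnected to the external network until System 3 has passed its data on to System 4, and PANIC cleared only by the external RESET DEMAND line), written out as an added Python model of the controller. This is not the patent's firmware. Assumed here and not stated on the page: the four transfer phases are numbered in the order the text describes, which system raises "Data Ready" for each phase, that a request is identified by the requesting system's number, and the length of the programmed timeout.

```python
"""Model of the State Machine Controller's sequencing rules (added example; not the
patent's firmware).  Assumed, not stated on the page: the order and requester of the
four transfer phases, that a Data Ready request carries the requesting system's number,
and the length of the programmed timeout."""
from dataclasses import dataclass, field
from typing import List, Optional

SAFE = "SAFE"      # all data switches open, SAFE STATE flag TRUE
PANIC = "PANIC"    # all data switches open, PANIC flag TRUE, latched until RESET DEMAND

# (requesting system, data switch closed, transfer) in the only order the controller allows.
PHASES = [
    (1, 1, "External Network -> System 1 (Input Translator)"),
    (1, 2, "System 1 -> System 3 (Secure System)"),
    (3, 3, "System 3 -> System 4 (Output Translator)"),
    (4, 4, "System 4 -> External Network"),
]


@dataclass
class StateMachineController:
    timeout_ticks: int = 100                 # assumed programmed timeout for a flag change
    state: str = SAFE
    closed_switch: Optional[int] = None      # at most one switch is ever closed
    next_phase: int = 0                      # index into PHASES of the transfer expected next
    ticks_in_transfer: int = 0
    log: List[str] = field(default_factory=list)

    def flags(self) -> dict:
        """The discrete logic flag outputs other systems can sense."""
        return {"SAFE STATE": self.state == SAFE, "PANIC": self.state == PANIC}

    def _open_all(self, new_state: str) -> None:
        self.closed_switch, self.ticks_in_transfer, self.state = None, 0, new_state

    def data_ready(self, system: int) -> bool:
        """A Microprocessor System raised "Data Ready".  True if a switch was closed for it."""
        if self.state == PANIC:
            return False                     # latched: only reset_demand() clears it
        if self.closed_switch is not None:
            return False                     # a transfer is in progress: the request waits
        requester, switch, label = PHASES[self.next_phase]
        if system != requester:
            self.log.append(f"PANIC: out-of-sequence Data Ready from System {system}")
            self._open_all(PANIC)
            return False
        self.closed_switch, self.state = switch, label
        return True

    def transfer_complete(self, system: int) -> None:
        """Sender signalled end of send: air-gap again and advance the sequence."""
        requester, switch, _ = PHASES[self.next_phase]
        if self.closed_switch != switch or system != requester:
            self.log.append(f"PANIC: unexpected end-of-send from System {system}")
            self._open_all(PANIC)
            return
        self.next_phase = (self.next_phase + 1) % len(PHASES)
        self._open_all(SAFE)

    def panic_flag(self, system: int) -> None:
        """A receiving system reported an ILLEGAL DATA RECEIVED EVENT."""
        self.log.append(f"PANIC: flag from System {system}")
        self._open_all(PANIC)

    def tick(self) -> None:
        """One pass of the controller loop; a flag change that never comes is a PANIC."""
        if self.closed_switch is not None:
            self.ticks_in_transfer += 1
            if self.ticks_in_transfer > self.timeout_ticks:
                self.log.append("PANIC: flag timeout")
                self._open_all(PANIC)

    def reset_demand(self) -> None:
        """The external opto-isolated RESET DEMAND line: the only way out of PANIC."""
        self.next_phase = 0
        self._open_all(SAFE)


if __name__ == "__main__":
    smc = StateMachineController()
    for sysno in (1, 1, 3, 4):               # one legal cycle through all four phases
        smc.data_ready(sysno)
        print(f"System {sysno}: switch {smc.closed_switch} closed for {smc.state}")
        smc.transfer_complete(sysno)
    smc.data_ready(4)                        # System 4 asking before System 1 has data
    print(smc.flags(), smc.log)
```

Because phase 0 (external network to System 1) can only recur after phases 1 to 3 have completed, the "cannot reconnect until System 3 has spoken to System 4" rule falls out of the phase order rather than needing a separate check; the out-of-sequence request from System 4 in the demonstration is what drops the controller into PANIC.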
  • the Internal Data Communications System is restricted to a limited task-specific set of instructions and data formats.
  • the specification includes a limited alphabet, radix and data message length.
  • the receiving system has no capability to process data or instructions that are not strictly compliant with the "RIS" (Reduced Instruction Set specification).
  • If a receiving system is sent data that does not strictly comply with the specification, it will be wiped from its memory and a Discrete Logic PANIC flag will be signalled to the State Machine Controller 7, causing it to disconnect all data switches.
  • the RIS is preferably based on a modified version of the ASCII system
  • FIGURE 26 RIS-ASCII / BINARY LOOKUP TABLE.
  • a custom set of instructions has been created which is used by both the communications protocol and the Microprocessors' firmware programming.
  • the receiving system can cease the data transmission (or at least stop listening to it) as soon as a non-compliant instruction or data packet is received. This in turn significantly limits the risk of 'injection' style attacks where commands are used to attack the system in an attempt to force it to reveal information or undertake other instructions.
  • the firmware is programmed to cease listening to and interpreting data, and to trigger a PANIC condition by signalling to the State Machine Controller 7 using its Discrete Logic PANIC Flag. In the current implementation, this is known as a "ILLEGAL DATA RECEIVED EVENT". These are identified when data is received:
  • the Bitcoin Cryptocurrency wallet software "Bitcoin-qt.exe” is used on the secured system, Microprocessor System 3 (secure data processor 4) to store the private key and to cryptographically sign
  • Bitcoin QT has 68 possible commands (FIGURE 24 - The Bitcoin-qt software commands). One of these commands reveals the secret cryptographic key as plain text.
  • a compromised online system may allow an attacker to send commands across the data networks to it, for instance by forcing access to the system's remote command terminal.
  • This is not possible in the task-limited RIS environment.
  • the secured system is only able to receive an unsigned transaction sent in accordance with the specified RIS. If any other commands are included in that message, the receiving system will identify that the message is not compliant with protocol and will not allow it to be processed (as per the process noted above).
  • the receiving Microprocessor's firmware is programmed to take in the content of a proposed unsigned Bitcoin transaction, as prepared by the payment server or Microprocessor System 1 - Input Translator. It will process and then output the signed transaction.
  • the RIS communication is sent strictly with the following structure.
  • An example of the RIS being used to send the above unsigned Bitcoin Testnet Transaction is described in FIGURE 28 : Example of RIS Data Communication Wrapper.
  • TX LENGTH: the first command; describes the total number of data bits.
  • TX SYS ID: the ID of the system that is sending the message.
  • RX SYS ID: the ID of the intended recipient system.
  • START MESSAGE: command signifying that the next data received is the message content.
  • all data communication to and from the secured system is made using a custom primitive bit-by-bit serial communications protocol in a data "PULL" configuration.
  • the receiving system requests each individual data bit using a discrete logic flag system, one bit at a time.
  • the receiving system will set its discrete logic PANIC flag as "TRUE", signalling to the State Machine Controller 7 to change to the SAFE STATE (FIGURE 23, 3X8 DECODER STATE 6) where all data communication lines are disconnected and further data transfers are halted.
  • the Limited Serial Communications System uses three direct system-to-system opto-isolated, relay-switched discrete logic General Purpose Input/Output (GPIO) lines. These lines are linked directly between the two communicating systems and do not route through any other system (an ethernet network or system UARTs, for example).
  • GPIO General Purpose Inputs and Output
  • the data line is connected or disconnected by the relay contacts, which are controlled by the State Machine Controller 7 (FIGURE 1 : THE SWITCHING SYSTEM).
  • This means that the system receiving the data is explicitly programmed to be in a listening state where it interprets incoming data. It is instructed to do so by the State Machine Controller 7 via discrete logic signalling on the GPIO lines (FIGURE 2 : The Discrete Logic Control System). If the receiving system has not been instructed to receive data by the State Machine Controller 7, it will not look at the logic data input line and consequently will not store the data content.
  • the receiving system controls the flow of data. This method allows the receiving system to halt the flow of incoming data whilst it checks the integrity of the received data (e.g. compliance with the RIS-ASCII specification and then compliance of the data with the RIS Header received at the start of the data transmission), before other data is then allowed to be sent.
  • the secured system will identify an "ILLEGAL DATA RECEIVED EVENT" and stop making data pull requests and stop interpreting data sent to it.
  • the compromised data would not be able to enter the memory of the secured system, so attacks on the secured system's software processes and system architecture via the internal data communication lines would not be possible.
  • the Limited Serial Communications protocol used for Internal Data Communication does not use dedicated communication system architecture, such as UART (Universal Asynchronous Receiver-Transmitter), as these systems:
  • the Limited Serial Communications Protocol uses a primitive method of software- driven logic-level sensing and control of general purpose inputs and outputs (GPIO) on each of the Microprocessor Systems to send, interpret and control data.
  • GPIO general purpose inputs and outputs
  • if the transmitting system continued to provide data not in compliance with the specification of the protocol, the receiving system can stop the transmission by not signalling that it is ready for the next data bit.
  • the receiving system is programmed to ignore data sent to it. Even if the transmitting machine continued to send data without the "pull" permission of the receiving machine, that data reaches a 'dumb' GPIO logic line which is not being read, so that data will never enter the memory or processing system of the receiving machine. This eliminates the possibility of a buffer-overrun attack over the data line, provided the receiving firmware also bounds the buffer it fills with the bits it does accept (the length declared in the transmission header gives it that bound).
  • the Microprocessor Systems can act in real-time when un-expected instructions or data is received, by flagging a PANIC condition to the State Machine controller 7 using the Discrete Logic Flag System.
  • the State Machine Controller will effect a STATE 5 / 3x8 DECODER STATE 6 (FIGURE 23, 3X8 DECODER STATE 6) which causes all Data Communication Systems to be disconnected, with the State Machine Controller signalling a Discrete Logic Flag showing that the PANIC condition has occurred.
  • Sensing - via Opto-Isolators - TTL Levels: ("FALSE" or "0") 0V / ("TRUE" or "1") +5V. Inverting Logic determines progressive states.
  • FIGURE 1 The Exclusive-OR Switching System
  • the one-way flow of data prevents requests being made by, and data being returned to an externally-connected system.
  • the benefit of which is that if one of the translators
  • a custom "PULL" system of data-bit by data-bit data movement means that the receiving system is always in control and that only compliant instructions and data reach the Microprocessor system's processes. This is achieved by using:
  • GPIO opto-isolated data logic line
  • the rate of data transmission is determined by the receiving and transmitting systems.
  • the custom Limited Serial Communication Protocol does not move data as most serial communication systems do:
  • the rate of data transmission determined by a timing specification (e.g. baud rate) (asynchronous system)
  • the rate of data transmission is continuously variable and is determined by:
  • the principle of the "PULL" data movement process is that the receiving Microprocessor System (e.g. Microprocessor System 3) signals to the transmitting system (e.g. Microprocessor System 1) that it is ready for the next bit of data.
  • the receiving Microprocessor System e.g. Microprocessor System 3
  • the transmitting system e.g. Microprocessor System 1
  • the transmitter has set the next data bit.
  • Buffer Overflow attacks which occur when more data is sent to the receiving system than it is expecting. In such an attack, the receiving system might continue to receive the data and consequently store the data in memory locations beyond the memory that had been allocated for data transmission. The data that flows beyond those allocations may contain unauthorised / attacking computer code that the computer may then automatically execute, thus compromising the system.
  • Usual data transfers use an asynchronous method, namely one where each data bit is sent and read on a timed basis. In a synchronous (common clock) method of transfer, an attacker could identify the start of a transmission and compare analogue electro-magnetic radiation / power-line information on a timed basis in an attempt to decode information.
  • the data transfer of each bit does not occur on any kind of regular timing, so it would be significantly more difficult to identify the individual bits of data, particularly when two or more data bits are the same (e.g. 0,0 or 1,1). Even in a situation where the same message is sent twice, it would be highly improbable that the message and bit timings were identical.
  • each Microprocessor System has numerous other tasks to complete as part of its general architecture performance and operating system demands.
  • the microprocessor system may only have one or two general system tasks to complete before continuing with the communication process. In that case, the time between reading two bits of data would be shorter.
  • the Microprocessor System could have 20 or more general system tasks to complete before continuing with the software-driven communications tasks. Some of those other tasks may take longer than others (for example, reading and writing to non-volatile memory, vs. tasks with fewer, simple computation or polling instructions). In that case, the time between reading two bits of data would be significantly longer - in some cases comparatively by an order of magnitude.
  • Power Glitch Attacks are attacks which involve momentarily dropping the power supply to the system during clock cycles so that the glitch causes the Microprocessor System to skip programme instructions (for example, turning off the processor at the moment it authenticates a password, consequently bypassing that security and causing the system to allow access to secured parts of the system).
  • the status of the inversion would be correct, but the total number of bits within the data transmission would not match the length data supplied within the start of the transmission - the transmission header. Consequently, the receiving system would find the stored data to be non-compliant, wipe it and then flag a PANIC state before it began processing the data. In detail, the method of data transmission follows the following process.
  • the transmitting Microprocessor System first instructs the State Machine Controller 7 that it is ready to send data by setting the "Data Ready” discrete logic flag to "1". (FIGURE 5).
  • the State Machine Controller 7 checks the state of all PANIC flags first, and then between each of the following processes.
  • the PANIC condition can only be reset using the external opto-isolated "RESET DEMAND" discrete logic control line.
  • the State Machine Controller 7 completes any current process.
  • the State Machine Controller 7 will not override any ongoing process.
  • the Microprocessor System making the "Data Ready” request will wait until it is given permission to proceed.
  • the State Machine Controller 7 Senses the "Data Ready" discrete logic flag from the Microprocessor System.
  • the State Machine Controller 7 then opens the appropriate data communication lines by enabling the relevant Data Switch via the 3x8 DECODER electronic controller and Relay Data Switch System.
  • the State Machine Controller 7 then instructs the receiving system to listen by setting the discrete logic flag "INT Receive” to "1".
  • the transmitting Microprocessor System then inverts its "Ready to Send” discrete logic flag. For example, if the "Ready to Send” was in a state of "1" prior to setting the data bit, the "Ready to Send” state would be changed to "0". If the "Ready to Send” state was "0", it would be changed to "1".
  • the transmitting Microprocessor System is continually inspecting the logic status of the "Clear to Send" line. When the logic state of the "Clear to Send" inverts, the transmitting Microprocessor System repeats steps (b) to (d) until the data transmission is completed.
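The RIS wrapper (TX LENGTH, TX SYS ID, RX SYS ID, START MESSAGE, then the message) and the bit-by-bit "PULL" handshake just described (data line set, "Ready to Send" inverted, receiver reads and checks, "Clear to Send" inverted, repeat), exercised end to end in one added Python model that serves both passages. It is not the patent's firmware. It shows the three behaviours the text relies on: the receiver accepts a bit only after "Ready to Send" has inverted and asks for the next one only after checking the current one; an illegal symbol or a header addressed to another system wipes the buffer, stops the pull and raises PANIC, so the transmitter is left holding its remaining bits; and a header whose declared length is not met ends in a timeout rather than in data being processed. Assumed, because the page does not give them: 8-bit symbols drawn from a hexadecimal alphabet stand in for the FIGURE 26 RIS-ASCII table, the header field widths, the START MESSAGE token value 0x02, and that INT Receive has already been set by the State Machine Controller.

```python
"""Model of the RIS wrapper and the bit-by-bit "PULL" handshake (added example, not the
patent's firmware).  Assumed, not taken from the page: 8-bit symbols from ALPHABET stand
in for the FIGURE 26 RIS-ASCII table; the header is TX LENGTH (16 bits, number of message
bits after the header), TX SYS ID (8), RX SYS ID (8), START MESSAGE (8 bits, value 0x02);
the receiver's INT Receive flag has already been set by the State Machine Controller."""
from dataclasses import dataclass
from typing import List, Optional

ALPHABET = "0123456789abcdef"   # assumed reduced alphabet (hex-encoded transactions)
START_MESSAGE = 0x02            # assumed START MESSAGE token
HEADER_BITS = 16 + 8 + 8 + 8


def to_bits(value: int, width: int) -> List[int]:
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def from_bits(bits: List[int]) -> int:
    return int("".join(map(str, bits)), 2)


def encode_ris(tx_id: int, rx_id: int, message: str, claimed_len: Optional[int] = None) -> List[int]:
    """Wrap a message in the RIS structure; claimed_len builds a header that lies about the length."""
    body = [b for ch in message for b in to_bits(ord(ch), 8)]
    length = len(body) if claimed_len is None else claimed_len
    return to_bits(length, 16) + to_bits(tx_id, 8) + to_bits(rx_id, 8) + to_bits(START_MESSAGE, 8) + body


@dataclass
class Lines:
    """The three opto-isolated GPIO lines between the two systems."""
    data: int = 0
    ready_to_send: int = 0   # transmitter inverts it once per bit presented
    clear_to_send: int = 0   # receiver inverts it once per bit it has checked


class Transmitter:
    def __init__(self, lines: Lines, bits: List[int]):
        self.lines, self.bits, self.sent, self.last_cts = lines, bits, 0, lines.clear_to_send

    def present_next_bit(self) -> None:
        """Set the data line, then invert Ready to Send."""
        if self.sent < len(self.bits):
            self.lines.data = self.bits[self.sent]
            self.sent += 1
            self.lines.ready_to_send ^= 1

    def service(self) -> None:
        """Move on only after Clear to Send has inverted, i.e. the receiver pulled the bit."""
        if self.lines.clear_to_send != self.last_cts:
            self.last_cts = self.lines.clear_to_send
            self.present_next_bit()


class Receiver:
    def __init__(self, lines: Lines, my_id: int):
        self.lines, self.my_id, self.last_rts = lines, my_id, lines.ready_to_send
        self.buffer: List[int] = []      # the only bits that ever enter memory
        self.listening = True            # INT Receive assumed TRUE
        self.panic = False               # the discrete logic PANIC flag
        self.message: Optional[str] = None
        self.expected_total: Optional[int] = None

    def _illegal(self) -> None:
        """ILLEGAL DATA RECEIVED EVENT: wipe memory, stop listening, raise PANIC."""
        self.buffer, self.listening, self.panic = [], False, True

    def _compliant(self) -> bool:
        n = len(self.buffer)
        if n == HEADER_BITS:             # header complete: check addressee, token and length
            length = from_bits(self.buffer[0:16])
            if from_bits(self.buffer[24:32]) != self.my_id or from_bits(self.buffer[32:40]) != START_MESSAGE or length % 8:
                return False
            self.expected_total = HEADER_BITS + length
        elif n > HEADER_BITS and (n - HEADER_BITS) % 8 == 0:   # a whole symbol just arrived
            return chr(from_bits(self.buffer[n - 8:n])) in ALPHABET
        return True

    def pull_bit(self) -> bool:
        """Read the line only after Ready to Send inverted, check, and only then ask for more."""
        if not self.listening or self.lines.ready_to_send == self.last_rts:
            return False
        self.last_rts = self.lines.ready_to_send
        self.buffer.append(self.lines.data)
        if not self._compliant():
            self._illegal()
            return False
        if len(self.buffer) == self.expected_total:
            body = self.buffer[HEADER_BITS:]
            self.message = "".join(chr(from_bits(body[i:i + 8])) for i in range(0, len(body), 8))
            self.listening = False       # complete: anything further on the line is ignored
        else:
            self.lines.clear_to_send ^= 1
        return True

    def timeout(self) -> None:
        """The expected flag change never came, e.g. the header promised more bits than were sent."""
        if self.listening and self.message is None:
            self._illegal()


def exchange(bits: List[int], rx_id: int = 3, max_steps: int = 2000):
    """Run both sides until the receiver stops pulling; returns (transmitter, receiver)."""
    lines = Lines()
    tx, rx = Transmitter(lines, bits), Receiver(lines, rx_id)
    tx.present_next_bit()                # the first bit goes up once INT Receive is set
    for _ in range(max_steps):
        if not rx.listening:
            break
        rx.pull_bit()
        tx.service()
    rx.timeout()
    return tx, rx
```

`exchange(encode_ris(1, 3, "00ff"))` delivers the four symbols and the transmitter's `sent` count equals exactly the header plus message bits. `exchange(encode_ris(1, 3, "0gabc"))` stops at the second symbol: the receiver never inverts "Clear to Send" again, so the transmitter is left with three symbols it can never present, the buffer is empty and `panic` is set. A header that claims more bits than are sent ends in `timeout()` and the same wipe-and-PANIC outcome, while a header that claims fewer leaves the surplus on the line unread, which is the "dumb GPIO line" case the text describes.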
  • the disclosure includes a custom opto-isolated Discrete Logic Flag System, used both as a method of control and as a primitive (non-data) communication platform between the Microprocessor Systems.
  • the Microprocessor Systems set or inspect flags depending on the instructions within their firmware programming, much like a state machine would. Any attempt to communicate data over these lines is simply ignored by the intended recipient - without even entering the memory of the Microprocessor System.
  • All lines of communication, sensing and control are opto-isolated. If any of the discrete logic lines, or the systems to which they are attached, become electrically compromised (e.g. by a high-powered electrical surge), the fault will not be able to reach and therefore affect any other system.
  • the flagging system is in effect a latch type system, where the logic level is set and persists so long as the condition which it is representing persists.
  • the "Secure Data Storage, Exchange and Processing System” example described below, including the autonomous State Machine Controlled isolation of external and bespoke internal communication data lines can be scaled from technology as small as a single silicon chip, such as a VLSI (Very Large Scale Integration) System on Chip (SOC) and small single-board microprocessor systems, through to large- scale datacentre operations.
  • VLSI Very Large Scale Integration
  • SOC System on Chip
  • Example Device Payment Hardware Server controlled by embedded firmware.
  • the system shown in Figure 1 illustrates an example implementation that incorporates four independent microprocessor systems.
  • Three of these Microprocessor systems namely the first storage buffer 3, the secure data processor 4 and the second storage buffer 9, communicate with each-other physically via data communication lines, air-gapped by electro-mechanical data switches 5, 6, 10, 11, using an internal Reduced Instruction Set Limited Serial Communication Protocol and discrete logic control.
  • One of the Microprocessor Systems is the Discrete Logic State Machine Controller 7 that controls the data switches.
  • This implementation uses a firmware programmed microprocessor as the State Machine Controller.
  • the State Machine Controller in the present implementation can also be deployed as a discrete logic circuit, as a custom programmed logic chip (e.g. PLA) or as a dedicated ASIC (Application Specific Integrated Circuit).
  • Microprocessor System 1 Input Translator, first storage buffer 3
  • Microprocessor System 1 (Input Translator, first storage buffer 3) is instructed by the State Machine Controller 7 to request payment request data from the external network (Payment Server Database).
  • Microprocessor System 3 (Secure System, secure data processor 4) requests and is sent the data from the Input Translator (Microprocessor System 1, first storage buffer 3).
  • Microprocessor System 3 (Secure System, secure data processor 4) then sends its data forward to the output translator (Microprocessor System 4, second storage buffer 9).
  • Microprocessor System 4 (second storage buffer 9) then sends its data to the external network (for instance an outgoing Signed Payment Server Database).
  • Microprocessor System 1 (first storage buffer 3): The Input Translator
  • If the data is compliant, it then encodes the message as a binary message ready for sending using the RIS-ASCII custom reduced instruction set (FIGURE 26). The message is stored in the Transmit Buffer.
  • FIG. 5 (FIGURE 5)
  • Microprocessor System 2 The State Machine Controller 7
  • the State Machine Controller 7 is the autonomous controller of the data communication line's electro-mechanical air-gap and is the core of the Discrete logic Flag System. (FIGURE 2)
  • the system has no data connection to any other system. It only communicates via, and determines connection / isolation states based on, the signals it receives from the Discrete Logic Flag System.
  • STATE 1 Microprocessor System 1 (first storage buffer 3) connected to the External Network (FIGURE4)
  • STATE 4 Microprocessor System 4 (second storage buffer 9) connected to the External Network (FIGURE 14)
  • EXT Receive (1) informs Microprocessor System 1 (first storage buffer 3) that it may start communicating with the External Network. (FIGURE 2).
  • Microprocessor System 3 (secure data processor 4): The Secure Data Store and Signing System
  • Microprocessor System 3 (secure data processor 4) becomes air-gapped when the sending Microprocessor System signals the end of the send to the State Machine Controller 7 (FIGURE 8). It then computes programmed tasks as required and prepares data to send onwards.
  • for a Bitcoin transaction signing it will:
  • Microprocessor System 4 (second storage buffer 9): The Output Translator
  • this system may only be connected to the external network or data connection when it is physically disconnected from any other internal data communication line.
  • the State Machine Controller 7 (Microprocessor System 2) disconnects the Internal Data Communication line, due to the control of switches 5, 6, 10, 11 by the State Machine
  • Microprocessor System 4 (second storage buffer 9) has completed the translation and is ready to send data onwards, it sets the appropriate flag within the Discrete Logic Flag System "DATA Ready (3)" (FIGURE 13), and then sends the message onwards when instructed by Microprocessor System 2 (data switch controller 7) by the Discrete Logic Flag System "SEND Now (3)" (FIGURE 14).
  • a PANIC STATE may be called by:
  • FIGURE 19 An External trigger which sets "SAFE STATE DEMAND” to "TRUE".
  • FIG. 3 (FIGURE 3)
  • PANIC STATE can be sensed by external systems via an isolated link (e.g. opto-isolator), such that the appropriate system authority can be contacted, or another action taken.
  • isolated link e.g. opto-isolator
  • Movement sensing e.g. accelerometer, shock detector and compass feedback.
  • the State Machine Controller 7 (Microprocessor System 2) makes it impossible for
  • the State Machine Controller 7 (Microprocessor System 2) only opens data channels for a set period of time based on criteria such as expected data length.
  • communications with Microprocessor System 3 are different to standard communication protocols in that:
  • the communications occur over a one-way serial data channel that is limited by data length.
  • the communications utilise a unique and limited vocabulary, as previously described.
  • a programmed timeout will occur if an expected discrete logic flag does not change within a reasonable specified time.
  • Microprocessor System 2 State Machine System Controller
  • Microprocessor System 3 Secure Store & Compute.
  • such a three-Microprocessor configuration is less secure than the four-Microprocessor configuration, as two-way communication between the Translator and the Secure System could be possible.
  • the core aspects of the present disclosure are that the secure data processor 4 is isolated from the external network at all times, preferably by way of physical separation. It is highly preferable that a state machine controller is used to determine which systems are connected at any one time. It is further highly preferable that there is a one-way flow of data into and out of the system.
  • the system can be implemented using one or more of the following techniques: Most Physically Secure techniques:
  • CMOS Complementary Metal Oxide Semiconductor
  • TTL Transistor-Transistor Logic
  • CPLD Complex Programmable Logic Device
  • FPGA Field-Programmable Gate Array
  • PLD Programmable Logic Device
  • VLSI Very Large Scale Integration
  • SOC system-on-chip
  • Such checks could include one or more or all of the following:
  • Second payment integrity checks where a small but specified amount must be paid in each transaction to an owned address. If the payment was not present in the transaction request, then a PANIC condition would be called.
  • Power supply systems can be designed to protect against "power-line side-channel” hacking analysis and "Power-glitch” attacks.
  • the electronic circuits, processors and memory, subject to thermal design considerations, could be potted; namely the entire electronic assembly including the circuit board, casing and components is filled with a solid compound. Although primarily intended as a method of protecting against data line hacks, the system would be more resilient to physical attack if it was potted in its entirety.
  • a distributed database / ledger system.
  • a message (usually with transaction data) that is accepted into the Mempool, prior to being verified and added to the Blockchain.
  • a State Machine system that is not data connected to, nor controlled by any other external system, other than via a simple set of discrete logic flags.
  • Implementations can include electro-mechanical switches and logic control restrictions.
  • the purpose of said air gap is to deny all transfer and receipt of data, for the isolation of one device to another.
  • Boolean expression which describes a condition.
  • the OR expression describes a condition where one or the other, or both states can be logic TRUE.
  • the EXCLUSIVE-OR (XOR) expression is similar except that it does not accept more than one input's state to be "TRUE” for it to output "TRUE”.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention concerns a secure data processing system comprising: an input connector operatively connected in use to an external data network; a first storage buffer arranged to store an instruction received from the external data network via the input connector; a secure data processor arranged to process the instruction stored in the storage buffer; a first data switch operatively coupling the input connector to the first storage buffer; a second data switch operatively coupling the first storage buffer to the secure data processor; the first and second data switches being configured, when enabled, to provide respectively a first data communication channel between the input and the first storage buffer or a second data communication channel between the storage buffer and the secure data processor, and to prevent the first and second communication channels from being provided simultaneously between the input and the secure data processor.
PCT/GB2019/051265 2018-05-08 2019-05-08 Secure data storage, exchange and processing system WO2019215442A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
GB1807503.6 2018-05-08
GBGB1807503.6A GB201807503D0 (en) 2018-05-08 2018-05-08 Secure data storage, exchange and processing system
GB1819629.5 2018-11-30
GBGB1819629.5A GB201819629D0 (en) 2018-05-08 2018-11-30 Secure data storage, exchange and processing system

Publications (1)

Publication Number Publication Date
WO2019215442A1 true WO2019215442A1 (fr) 2019-11-14

Family

ID=62598223

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2019/051265 WO2019215442A1 (fr) 2018-05-08 2019-05-08 Secure data storage, exchange and processing system

Country Status (2)

Country Link
GB (2) GB201807503D0 (fr)
WO (1) WO2019215442A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1164766A2 (fr) * 2000-06-16 2001-12-19 Ionos Co., Ltd. Switching connection control device
US20100199083A1 (en) * 2007-06-06 2010-08-05 Airbus Operations Incorporated As a Societe Par Actions Simplifiee Onboard access control system for communication from the open domain to the avionics domain
US20100299493A1 (en) * 2009-05-22 2010-11-25 Raytheon Company Multi-Level Security Computing System
US20180069832A1 (en) * 2006-06-27 2018-03-08 Waterfall Security Solutions Ltd. One Way Secure Link

Also Published As

Publication number Publication date
GB201819629D0 (en) 2019-01-16
GB201807503D0 (en) 2018-06-20

Similar Documents

Publication Publication Date Title
EP2936369B1 (fr) Password verification using a keyboard with a secure password entry mode
CN107924365B (zh) Hack-resistant computer design
JP3691519B2 (ja) Method and means for interconnecting networks of different security levels
US8869273B2 (en) Apparatus and method for enhancing security of data on a host computing device and a peripheral device
CA2823745C (fr) User authentication device having multiple isolated host interfaces
US20140282978A1 (en) Method and apparatus for secure interaction with a computer service provider
CN101976320B (zh) A trusted computer platform
WO2013176491A1 (fr) Method for authenticating a web service user
US10291599B2 (en) Systems, methods and apparatus for keystroke encryption
JP2003140759A (ja) Trusted computing platform
US20140298008A1 (en) Control System Security Appliance
KR101534566B1 (ko) Apparatus and method for security control of a cloud virtual desktop
CN101420299B (zh) Method for improving the stability of a smart key device, and smart key device
JP2018502352A (ja) System and method for autonomous control
WO2019215442A1 (fr) Secure data storage, exchange and processing system
US10356226B2 (en) Secure connection with protected facilities
KR102081875B1 (ko) Method for secure interaction between a user, a mobile terminal and a further instance
US20100132046A1 (en) Electronic Circuit for Securing Data Interchanges Between a Computer Station and a Network
CN111209544B (zh) Web application security protection method, device, electronic equipment and storage medium
EP3016017A1 (fr) Apparatus provided with a sensor or actuator protected by a secure element
US11373010B2 (en) Asymmetrical system and network architecture
CN108460267B (zh) A computer network information security device for teaching
CN112977331A (zh) Vehicle remote control device, body control equipment, system and control method
Burmester A trusted computing architecture for critical infrastructure protection
US9942196B2 (en) Canonical network isolator component

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 19730415; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase. Ref country code: DE
122 Ep: pct application non-entry in european phase. Ref document number: 19730415; Country of ref document: EP; Kind code of ref document: A1