WO2020105032A1 - Method of secure communication and system thereof - Google Patents
- Publication number
- WO2020105032A1 (PCT/IL2019/051238)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- inspection
- computer
- manual
- signed
- signing
- Prior art date
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/565—Static detection by checking file integrity
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
- G06F21/645—Protecting data integrity, e.g. using checksums, certificates or signatures using a third party
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0245—Filtering by information in the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0471—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying encryption by an intermediary, e.g. receiving clear information at the intermediary and encrypting the received information at the intermediary before forwarding
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/50—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
Definitions
- the presently disclosed subject matter relates, in general, to the field of data communication, and more specifically, to secure communication between a source computer and a destination computer.
- a computerized method of secure communication between a source computer and a destination computer comprising: upon operatively connecting the source computer and the destination computer with an inspection computer, receiving, by the inspection computer, data sent by the source computer to the destination computer; inspecting, by the inspection computer, the received data using one or more filtering mechanisms, giving rise to one or more inspection results each corresponding to a respective filtering mechanism, each inspection result indicative of an inspected status of the received data; separately signing, by the inspection computer, each of the one or more inspection results, giving rise to one or more signed inspection results; determining, by the inspection computer and based on an inspection management policy, whether to send at least some of the inspection results and/or derivatives thereof for manual inspection, wherein the inspection management policy is specified with respect to one or more attributes associated with the received data; upon a positive determination, providing manual inspection of the at least some inspection results and/or derivatives thereof sent by the inspection computer, giving rise to at
- the method according to this aspect of the presently disclosed subject matter can comprise one or more of features (i) to (xiii) listed below, in any desired combination or permutation which is technically possible:
- the inspection computer can comprise one or more inspectors configured with the one or more filtering mechanisms and associated with one or more secure signing mechanisms.
- the received data can be separately inspected by each inspector using a respective filtering mechanism thereof and each of the one or more inspection results can be separately signed by a corresponding inspector using a respective secure signing mechanism thereof.
- the one or more filtering mechanisms can be selected from a group of filtering mechanisms comprising malware detection, data leak prevention, expression recognition, format conversion, redacting modification and data filtration.
- the selection can be based on the inspection management policy and the received data.
- At least one of the inspection results can include an inspected status of the received data and inspected data corresponding to the received data.
- the manual inspection can be performed by at least one manual inspector each associated with a secure signing mechanism, and the signing of the at least one manual inspection result can be performed separately by each of the at least one manual inspector, using the secure signing mechanism associated therewith.
- At least some of i) the secure signing mechanisms associated with the one or more inspectors, and ii) the secure signing mechanism associated with each of the at least one manual inspector, can be cryptographic signing executed in a secure environment.
- the cryptographic signing can be executed in a designated secure enclave of a protected memory region.
- Each of the one or more inspectors and the at least one manual inspector can have a respective secure enclave designated thereto, and have a secure signing mechanism associated therewith which is cryptographic signing executed in the designated secure enclave.
- One or more attributes associated with the received data can be selected from a group comprising: one or more attributes of the received data, one or more attributes of the source computer that sends the data, and one or more attributes of an environment in which the data is sent.
- the method can further comprise aggregating, by the inspection computer, the one or more inspection results to an aggregated inspection result and determining whether to send the aggregated inspection result for manual inspection.
- the manual inspection can be performed on the aggregated inspection result.
- the predefined criterion can be based on a sum of weighted signed inspection results as specified in the inspection management policy.
- the additional verification can comprise verifying completeness and accuracy of the one or more signed inspection results and/or the at least one signed manual inspection result.
- the inspection management policy can include a list of predefined orders of the one or more inspectors, and the received data can be inspected and signed by the one or more inspectors in one of the list of predefined orders, such that each inspector, except for the first inspector, signs on a content including the received data and one or more signatures of one or more preceding inspectors that previously performed the signing, giving rise to a chain of signatures, and the additional verification can comprise verifying completeness and accuracy of each signature in the chain of signatures, and whether an order of the chain of signatures belongs to the list of predefined orders.
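The chain of signatures, the additional verification and the weighted criterion described in the features above, worked through in Go as an added example; this code is not part of the patent or of any implementation it describes. It assumes Ed25519 from the Go standard library in place of the RSA signing the description mentions, keeps each inspector's private key in process memory rather than in a secure enclave, and invents the inspector names "malware" and "dlp", the per-inspector weights and the single predefined signing order purely for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Inspector is one automated inspector with its own signing key pair. Ed25519
// stands in for RSA here, and the private key lives in process memory; in the
// described system it would be kept and used inside the inspector's secure enclave.
type Inspector struct {
	Name string
	Pub  []byte
	priv ed25519.PrivateKey
}

func NewInspector(name string) *Inspector {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Inspector{Name: name, Pub: pub, priv: priv}
}

// Link is one signed inspection result in the chain of signatures.
type Link struct {
	Inspector string
	Flagged   bool // true when this inspector uncovered an issue
	Sig       []byte
}

// chainContent is what an inspector signs: the received data, its own result and the
// signatures of every preceding inspector, so the chain cannot be reordered or truncated
// without breaking a signature (flag is one byte, Ed25519 signatures are a fixed 64 bytes).
func chainContent(data []byte, flagged bool, prior []Link) []byte {
	h := sha256.New()
	h.Write(data)
	flag := byte(0)
	if flagged {
		flag = 1
	}
	h.Write([]byte{flag})
	for _, l := range prior {
		h.Write(l.Sig)
	}
	return h.Sum(nil)
}

// Sign appends this inspector's signed result to the chain.
func (in *Inspector) Sign(data []byte, flagged bool, chain []Link) []Link {
	sig := ed25519.Sign(in.priv, chainContent(data, flagged, chain))
	return append(chain, Link{Inspector: in.Name, Flagged: flagged, Sig: sig})
}

// VerifyChain is the additional verification: every signature is checked with the
// registered key over exactly the content that inspector saw, and the order of
// signers must be one of the predefined orders from the inspection management policy.
func VerifyChain(data []byte, chain []Link, keys map[string][]byte, orders [][]string) error {
	signers := make([]string, len(chain))
	for i, l := range chain {
		pub, ok := keys[l.Inspector]
		if !ok {
			return fmt.Errorf("unknown inspector %q at position %d", l.Inspector, i)
		}
		if !ed25519.Verify(pub, chainContent(data, l.Flagged, chain[:i]), l.Sig) {
			return fmt.Errorf("signature of %s at position %d does not verify", l.Inspector, i)
		}
		signers[i] = l.Inspector
	}
	for _, order := range orders {
		if strings.Join(order, ">") == strings.Join(signers, ">") {
			return nil
		}
	}
	return fmt.Errorf("signing order %v is not one of the predefined orders", signers)
}

// WeightedScore is the predefined criterion: the sum of the policy weights of the
// inspectors whose signed result flagged an issue (the weights are assumed).
func WeightedScore(chain []Link, weights map[string]int) int {
	score := 0
	for _, l := range chain {
		if l.Flagged {
			score += weights[l.Inspector]
		}
	}
	return score
}

func main() {
	malware, dlp := NewInspector("malware"), NewInspector("dlp")
	keys := map[string][]byte{"malware": malware.Pub, "dlp": dlp.Pub}
	data := []byte("constructed message body")
	chain := dlp.Sign(data, true, malware.Sign(data, false, nil))
	fmt.Println("verify:", VerifyChain(data, chain, keys, [][]string{{"malware", "dlp"}}))
	fmt.Println("score:", WeightedScore(chain, map[string]int{"malware": 5, "dlp": 2}))
}
```

Because every inspector after the first signs over the previous signatures, a verifier that holds only the public keys can detect a dropped, reordered or re-signed link; the order check then rejects chains that are internally valid but were not produced in a sequence the policy allows.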
- an inspection computer operatively connected with the source computer and the destination computer, the inspection computer configured to: receive data sent by the source computer to the destination computer; inspect the received data using one or more filtering mechanisms, giving rise to one or more inspection results each corresponding to a respective filtering mechanism, each inspection result indicative of an inspected status of the received data; separately sign each of the one or more inspection results, giving rise to one or more signed inspection results; determine, based on an inspection management policy, whether to send at least some of the inspection results and/or derivatives thereof for manual inspection, wherein the inspection management policy is specified with respect to one or more attributes associated with the received data; upon a positive determination, provide manual inspection of the at least some inspection results and/or derivatives thereof sent by the inspection computer, giving rise to at least one manual inspection result indicative of an approval status, and provide signing of the at least one manual inspection result, giving rise to at least one signed manual inspection result; and analyze signed inspection results including at
- a non-transitory computer readable storage medium tangibly embodying a program of instructions that, when executed by a computer, cause the computer to perform a method of secure communication between a source computer and a destination computer, the method comprising: upon operatively connecting the source computer and the destination computer with an inspection computer, receiving, by the inspection computer, data sent by the source computer to the destination computer; inspecting, by the inspection computer, the received data using one or more filtering mechanisms, giving rise to one or more inspection results each corresponding to a respective filtering mechanism, each inspection result indicative of an inspected status of the received data; separately signing, by the inspection computer, each of the one or more inspection results, giving rise to one or more signed inspection results; determining, by the
- This aspect of the disclosed subject matter can comprise one or more of features (i) to (xiii) listed above with respect to the method, mutatis mutandis, in any desired combination or permutation which is technically possible.
- FIG. 1 illustrates a schematic block diagram of an inspection computer system in accordance with certain embodiments of the presently disclosed subject matter
- FIG. 2 illustrates a generalized flowchart of secure communication between a source computer and a destination computer in accordance with certain embodiments of the presently disclosed subject matter
- FIG. 3 is a schematic illustration of ensuring secure communication for a client-server path and a server-client path in the client-server communication architecture in accordance with certain embodiments of the presently disclosed subject matter.
- computer should be expansively construed to cover any kind of hardware-based electronic device with data processing capabilities including, by way of non-limiting example, the inspection computer and parts thereof, as well as the processing and memory unit and processor comprised therein as disclosed in the present application.
- “non-transitory memory” and “non-transitory storage medium” used herein should be expansively construed to cover any volatile or non-volatile computer memory suitable to the presently disclosed subject matter.
- FIG. 1 illustrating a schematic block diagram of an inspection computer system in accordance with certain embodiments of the presently disclosed subject matter.
- the system 100 illustrated in Fig. 1 refers to an inspection computer operatively connected to a source computer 101 and a destination computer 120.
- the inspection computer can be used for ensuring secure data communication between the source computer 101 and the destination computer 120.
- the source computer refers to a requesting computerized entity that initializes data transmission to the destination computer
- the destination computer refers to a receiving computerized entity that receives the transmitted data.
- the source computer and destination computer can refer to any computerized entities that can connect and communicate with each other in any suitable data communication schemes and structures, and the present disclosure is not limited to a specific type, structure, and/or functionality/role of each entity.
- the source computer and destination computer can work in a client-server communication architecture.
- the source computer can refer to a client who initializes a request to import information to the destination computer which acts as the server.
- the source computer can refer to the server which provides or exports information to the destination computer, which accordingly acts as the client.
- One illustrative example in such cases can be a local-remote connection scheme.
- For instance, an organization such as, e.g., an insurance company, may allow remote users/agents to connect to its internal system and get insurance quotes. However, measures should be taken to prevent the remote users from exfiltrating any valuable company information and/or introducing any malware into the internal systems.
- the inspection computer system as proposed herein can be utilized for ensuring secure communication for the client-server path and/or the server-client path. Details of these aspects are further described below with reference to Fig.
- system 100 can comprise a processing and memory unit (PMU, also termed as processing unit) 102 operatively connected to a hardware-based I/O interface 126 and a storage unit 122.
- PMU 102 is configured to provide all processing necessary for operating system 100 as further detailed below with reference to Fig. 2.
- PMU 102 comprises a processor (not shown separately) and a memory (not shown separately).
- the processor of PMU 102 can be configured to execute several functional modules in accordance with computer-readable instructions implemented on a non-transitory computer-readable memory comprised in the PMU. Such functional modules are referred to hereinafter as comprised in the PMU.
- the term processor referred to herein should be expansively construed to cover any processing circuitry with data processing capabilities, and the present disclosure is not limited to the type or platform thereof, or number of processing cores comprised therein.
- Functional modules comprised in the PMU 102 can comprise one or more inspectors 104, a policy enforcer 108, and a controller 106 which is operatively connected with the inspectors and the policy enforcer.
- the one or more inspectors 104 can be configured to inspect the received data using one or more filtering mechanisms, giving rise to one or more inspection results each corresponding to a respective filtering mechanism.
- Each of the inspection results can be indicative of an inspected status of the received data.
- the one or more inspectors 104 can be further configured to separately sign each of the one or more inspection results, giving rise to one or more signed inspection results.
- the controller 106 can be configured to determine, based on an inspection management policy, whether to send at least some of the inspection results and/or derivatives thereof for manual inspection.
- the inspection management policy can be specified with respect to one or more attributes associated with the received data. It is to be noted that the one or more inspectors referred to herein are computerized functional modules comprised in the PMU, as compared to the manual inspector which is further described below.
- the manual inspection module 110 can be configured to provide manual inspection of the at least some inspection results and/or derivatives thereof sent by the inspection computer (e.g., the controller 106), giving rise to at least one manual inspection result indicative of an approval status, and provide signing of the at least one manual inspection result, giving rise to at least one signed manual inspection result.
- the controller 106 can be further configured to analyze signed inspection results including at least one of i) the one or more signed inspection results, and ii) the at least one signed manual inspection result, and to perform additional verification of the signed inspection results when the result of the analysis meets a predefined criterion specified by the inspection management policy.
- system 100 can comprise a storage unit 122.
- the storage unit 122 can be configured to store any data necessary for operating system 100, e.g., data related to input and output of system 100, as well as intermediate processing results generated by system 100.
- the storage unit 122 can be configured to store data received from the source computer 101, inspection result(s), inspected data, manual inspection result, and signed inspection result, etc.
- system 100 can optionally comprise a computer-based Graphical user interface (GUI) 124 which is configured to enable user-specified inputs and/or outputs related to system 100. For instance, the user may view the received data, and/or some of the inspection results on the GUI. Optionally, the user may be provided, through the GUI, with options of defining certain operation parameters of system 100.
- the system illustrated in Fig. 1 can be implemented in a distributed computing environment, in which one or more of the aforementioned functional modules shown in Fig. 1, such as the one or more inspectors 104 or some thereof, the policy enforcer 108, and the controller 106, can be distributed over several local and/or remote devices, and can be linked through a communication network.
- the storage unit 122 and GUI 124 are illustrated as being part of the system 100 in Fig. 1, in some other embodiments, at least some of the aforementioned units can be implemented as being external to system 100 and can be configured to operate in data communication with system 100 via I/O interface 126.
- the inspection computer can be implemented as stand-alone computer(s) and can be operatively connected to the source computer and destination computer to operate in conjunction therewith (as exemplarily illustrated in Fig. 1).
- the inspection computer, or at least part of the functionality thereof can be integrated with the source computer and/or the destination computer thereby facilitating and enhancing the functionalities thereof.
- components of the system 100, or at least part thereof may form part of the source computer and/or the destination computer.
- FIG. 2 illustrating a generalized flowchart of secure communication between a source computer and a destination computer in accordance with certain embodiments of the presently disclosed subject matter.
- data is received (202), by the inspection computer (e.g., by the PMU 102 via the I/O interface 126), the data being sent by the source computer to the destination computer through the inspection computer.
- an inspection computer (e.g., the inspection computer 100 as illustrated in Fig. 1)
- the source computer and destination computer can refer to any computerized entities that can connect and communicate with each other in any suitable data communication schemes and structures.
- the data sent by the source computer can include any type of data indicative of specific information which can be represented in any suitable formats and/or structures.
- the data can be represented in a file format with different possible file types, such as, e.g., image files, text files, audio and/or video files, etc., of which the specific formats can be determined by specific programs associated with these files.
- the present disclosure is not limited by a specific type of representation thereof.
- any data being sent not associated with a typical file format, such as, e.g., an instant message should also be construed to be covered by the present disclosure.
- the inspection computer may perform the inspection of received data by default without the source computer and destination computer being aware of such inspection, and in some other cases, the inspection computer may perform the inspection upon receiving a specific request from the source computer for inspecting the received data.
- the source computer may need to be authenticated and health-checked (e.g., by the inspection computer), before being allowed to proceed with other operations as described below.
- the received data can be inspected (204), by the inspection computer, using one or more filtering mechanisms, giving rise to one or more inspection results each corresponding to a respective filtering mechanism.
- Each of the one or more inspection results can be separately signed (206), by the inspection computer, giving rise to one or more signed inspection results.
- the inspection computer can comprise one or more inspectors (e.g., the one or more inspectors 104 as comprised in the PMU illustrated in Fig. 1).
- the one or more inspectors can be respectively configured with the one or more filtering mechanisms and associated with one or more secure signing mechanisms.
- the received data can be separately inspected by each inspector using a respective filtering mechanism thereof.
- Each of the inspection results can be separately signed by a corresponding inspector using a respective secure signing mechanism thereof.
- the terms “filtering” and “filtering mechanism(s)” are used herein, they should not be construed as being limited to merely removing unwanted features or components from the received data, but rather intend to cover any suitable inspection mechanism that can be used to validate the received data.
- the one or more filtering mechanisms of the one or more inspectors can be selected from a group of filtering mechanisms comprising malware detection, data leak prevention, expression recognition, format conversion, redacting modification and data cleansing. An illustrative description of these filtering mechanisms is given herein for exemplary purposes only and does not intend to limit the present disclosure in any way.
- Malware detection can refer to searching for malicious code embedded in the received data, such as, e.g., those mechanisms used in anti-virus software.
- Data leak prevention can refer to verifying and preventing valuable information from being exfiltrated.
- Expression recognition can refer to a regular expression engine which allows one to detect data that matches specified regular expressions/patterns.
- Format conversion can refer to converting the format of the received data from one to another for security purposes, such as, e.g., converting Microsoft Word to PDF or to an image format.
- Redacting modification can refer to modifying data sent from the source computer automatically, e.g., for purpose of redacting the data (e.g., editing the data for censoring or obscuring certain content for security purposes).
- Data cleansing can refer to detecting and correcting (or removing) any components that are not required and might be used for transmitting unwanted data, by way of, e.g., deconstructing the data into components and rebuilding it.
- the selection of the one or more filtering mechanisms or the one or more inspectors to be used for a given received data can be performed (e.g., by the controller 106 as illustrated in Fig. 1) based on an inspection management policy and the given received data.
- The inspection management policy used herein can refer to a set of inspection rules and configurations that the inspection computer (in particular, the controller) is configured with for performing inspection of the received data.
- the inspection management policy is specifically determined with respect to each received data to be inspected, as detailed below with reference to block
- Each inspection result from a corresponding inspector can be indicative of an inspected status of the received data.
- at least one of the inspection results can include an inspected status of the received data and inspected data corresponding to the received data.
- there can be various types of inspected statuses. By way of example, one type of inspected status can be that no issue was uncovered, which provides a positive indication of the data being benign. Another type of inspected status can be that one or more issues were uncovered, together with descriptive information associated with the uncovered issues.
- a further type of inspected status can be that certain modification was performed on the received data, resulting in inspected data which is a modified version of the received data.
- Other possible types of inspected statuses can include (but are not limited to): data cannot be processed, error reading data, internal error in filter, insufficient resources for performing filtering, etc.
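An added example, not taken from the patent, of the policy-driven selection and the inspected-status types described above: an inspection management policy keyed on attributes of the data, of the source computer and of the environment selects which inspectors run, each inspector returns one of the listed inspected statuses (with inspected data where it modified the input), and the controller decides whether the results go to manual inspection. The inspector names, the rules and the constructed "POL-nnnnnn" pattern are assumptions; expression recognition and redacting modification are implemented over a regular expression, and the other filtering mechanisms are left out.

```go
package main

import (
	"fmt"
	"regexp"
)

// Attributes of the data itself, of the source computer and of the environment it is sent in.
type Attributes struct{ FileType, Source, Env string }

// StatusKind enumerates the inspected-status types the description lists.
type StatusKind int
const (
	NoIssue       StatusKind = iota // nothing uncovered, data considered benign
	IssueFound                      // one or more issues uncovered, see Detail
	Modified                        // data was modified, Inspected holds the new version
	CannotProcess                   // the filter could not process this data
)

// InspectionResult is one inspector's output: a status and, when Modified, the inspected data.
type InspectionResult struct {
	Inspector string
	Status    StatusKind
	Detail    string
	Inspected []byte
}

type Inspector func(data []byte) InspectionResult

// patternInspector does expression recognition over a regular expression; with redact
// set it instead performs redacting modification, masking every match in the data.
func patternInspector(name string, re *regexp.Regexp, redact bool) Inspector {
	return func(data []byte) InspectionResult {
		loc := re.FindIndex(data)
		if loc == nil {
			return InspectionResult{Inspector: name, Status: NoIssue}
		}
		if redact {
			return InspectionResult{name, Modified, "matches masked", re.ReplaceAll(data, []byte("[REDACTED]"))}
		}
		return InspectionResult{name, IssueFound, fmt.Sprintf("%s at byte %d", re, loc[0]), nil}
	}
}

// Rule: which inspectors run for data whose attributes satisfy Match, and whether
// the results always go to manual inspection regardless of what they found.
type Rule struct {
	Match        func(Attributes) bool
	Inspectors   []string
	ManualAlways bool
}

type Policy struct {
	Rules    []Rule
	Registry map[string]Inspector
}

// Inspect applies the first matching rule, runs its inspectors and decides whether
// to send the results for manual inspection. Data no rule covers is an error.
func (p Policy) Inspect(attr Attributes, data []byte) ([]InspectionResult, bool, error) {
	for _, rule := range p.Rules {
		if !rule.Match(attr) {
			continue
		}
		var results []InspectionResult
		manual := rule.ManualAlways
		for _, name := range rule.Inspectors {
			in, ok := p.Registry[name]
			if !ok {
				return nil, false, fmt.Errorf("policy names unknown inspector %q", name)
			}
			res := in(data)
			results = append(results, res)
			if res.Status == IssueFound || res.Status == CannotProcess { // needs a human
				manual = true
			}
		}
		return results, manual, nil
	}
	return nil, false, fmt.Errorf("no policy rule matches %+v", attr)
}

// BuildPolicy is the constructed policy: inspector names, the POL-nnnnnn pattern and the rules are assumptions.
func BuildPolicy() Policy {
	re := regexp.MustCompile(`POL-[0-9]{6}`)
	return Policy{
		Registry: map[string]Inspector{"expression": patternInspector("expression", re, false), "redact": patternInspector("redact", re, true)},
		Rules: []Rule{ // remote agents in production: detect, redact and always review by hand
			{Match: func(a Attributes) bool { return a.Source == "remote-agent" && a.Env == "production" },
				Inspectors: []string{"expression", "redact"}, ManualAlways: true},
			{Match: func(a Attributes) bool { return a.FileType == "txt" }, Inspectors: []string{"redact"}},
		},
	}
}

func main() {
	fmt.Println(BuildPolicy().Inspect(Attributes{"txt", "remote-agent", "production"}, []byte("quote for POL-123456")))
}
```

Two design choices worth noting: the policy fails closed, so data whose attributes match no rule is reported as an error rather than passed through uninspected, and a result whose filter could not do its job (CannotProcess) is routed to a person just as an uncovered issue is, rather than being treated as clean.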
- the one or more inspectors can be respectively associated with one or more secure signing mechanisms.
- the term “signing” or “signing mechanism” used herein refers to a computing scheme used to provide a digital signature for presenting the authenticity and integrity of digital data such as messages or documents.
- a valid digital signature can give a recipient reason to believe that the transmitted message was created by the claimed sender (i.e., authentication), and that the message was not altered in transit (i.e., integrity), thus can be used to detect forgery and/or tampering.
- the secure signing mechanisms associated with the one or more inspectors are cryptographically based. Digital signing or digital signatures in general employ asymmetric cryptography (e.g., Public-key cryptography).
- a signing mechanism or signing scheme allows a sender that owns a key pair of public key and private key to be able to sign data using the private key, and enables the receiver to verify the signed data (including the signature together with the data) using the corresponding public key.
- One example of a possible signing mechanism can be based on an RSA algorithm.
- the physical carrier is a piece of hardware (such as, e.g., a USB dongle/adaptor, etc.) that stores the private key, and, only when being connected to a device, can enable the device to perform the signing using the private key. Therefore, one needs to physically have the dongle in order to sign the data, which provides another layer of protection for the secure signing mechanism.
- the physical carrier can be coded and in some cases have its own processor for providing the additional functionality of protection.
- a secure enclave (also referred to herein as SE or enclave) is a trusted execution environment embedded in an application or process which provides a secure region (e.g., separated and encrypted) for the application to execute code and store data inside.
- the secure enclave can be executed from a protected memory region in which data is to be protected using access control mechanisms to be provided by the processor associated with secure enclave instructions.
- the secure enclave is implemented by Intel as Software Guard Extensions (SGX).
- SGX is a new mode of execution on the processor with corresponding memory protection semantics and instructions used for its management.
- SGX can create secure enclaves by filling protected memory pages with desired code and data, locking the code and data in the enclaves, and performing measurement therein.
- the processor can execute the code inside the enclave. No other entities, including the kernel (ring 0), hypervisor (ring "-1"), SMM (ring "-2"), or AMT (ring "-3"), have the right to read or write the memory pages belonging to the enclave.
- secure enclave or similar data security and access control mechanisms (which may be termed differently), are also implemented by other platforms and/or vendor's technologies, such as, e.g., Secure Encrypted Virtualization (SEV) by AMD and TrustZone by ARM, etc.
- the secure enclave as described above can be used as a secure environment for preserving the private key and/or for executing the signing using the key, therefore providing additional security protection to the key and/or the execution of the signing which no other entities have right to access regardless of current privilege level and CPU mode, even if the device has been compromised. This is due to the fact that when an enclave is entered, an access control mechanism ensures that enclave memory pages belonging to the enclave cannot be read or written from outside the enclave.
- each of the one or more inspectors can have a respective secure enclave designated thereto which provides a secure environment for the inspector to execute code and store data therein. Accordingly, each inspector can securely protect its own code and data using the designated enclave, which is not accessible to any other entity. For instance, each inspector can choose to protect its private key, and/or the execution of the signing, in the designated enclave. In some cases, it may be determined that the entire inspection functionality associated with the inspector can be executed in the designated enclave thereof (i.e., the inspector is in fact running in the enclave).
- once the one or more inspection results are separately signed by the one or more inspectors and the one or more signed inspection results are obtained, it can be determined (208) (e.g., by the controller 106), based on the inspection management policy, whether to send at least some of the inspection results and/or derivatives thereof for manual inspection.
- the inspection management policy is specifically determined with respect to each received data to be inspected.
- the policy can be specified with respect to one or more attributes associated therewith.
- the one or more attributes associated with the received data can be selected from a group comprising: one or more attributes of the received data, one or more attributes of the source computer that sends the data and one or more attributes of an environment in which the data is sent.
- the attributes of the received data can include type of the data and content of the data.
- the attributes of the source computer can comprise user (i.e., the personnel/position using the source computer) name, type of user, type of the source computer, type and version of the operating system thereof, version of trusted entity application/support installed if any, current health (e.g., any security alert in effect), recent history of inspection, physical location and IP address thereof, etc.
- the attributes of the environment can comprise date and/or time of receiving the data, and number and type of inspected statuses returned from the inspectors, etc.
- the inspection management policy can include one or more predefined criteria which are based on one or more of the above listed attributes. At least some of the predefined criteria can be used for determining whether there is a need for manual inspection of any of the inspection results or derivatives thereof.
- an Excel file received from a user who is a salesperson contains a Visual Basic for Applications (VBA) macro which only one of the inspectors is able to classify as benign or not.
- an AutoCAD file is received from an administrative assistant. Since this type of position does not usually entail handling this type of file, it is decided, based on the type of the file and the type of user, that the file needs to be sent on for manual inspection.
- a spreadsheet file is received from a user who is a CFO. All of the inspectors (and at least two) determine that it is benign, and none determines that it is malicious. It can be decided, based on the type of the file and the type of user, that the file can be automatically sent on (e.g., to the policy enforcer) without manual inspection.
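The routing decision of block 208 for the three cases above, written out as an added example in Go. This is not code from the patent: the inspector names, the user roles, the file types each role is expected to handle and the rule for which results are sent on (all of them for an unexpected file type, otherwise only the results that were not Benign) are assumptions made here to make the criteria concrete.

```go
package main

import (
	"fmt"
	"sort"
)

// Verdict is the inspected status one inspector returns for the received data.
type Verdict int

const (
	Benign Verdict = iota
	Malicious
	Undecided // e.g. a VBA macro this inspector cannot analyse
)

// Request carries the attributes the policy is specified against: one of the data
// (file type), one of the source computer (user's role) and one of the environment.
type Request struct {
	FileType string
	UserRole string
	Verdicts map[string]Verdict // inspector name -> inspected status
}

// Policy holds the predefined criteria of the inspection management policy.
type Policy struct {
	ExpectedFileTypes map[string]map[string]bool // role -> file types it normally handles
	MinBenign         int                        // inspectors that must agree for automatic forwarding
}

// Decision: whether manual inspection is needed, why, and whose results to send on.
type Decision struct {
	Manual   bool
	Reason   string
	SendFrom []string
}

// names lists the inspectors (sorted, since map order is random) whose verdict is
// not Benign, or all of them when onlyNonBenign is false.
func names(verdicts map[string]Verdict, onlyNonBenign bool) []string {
	var out []string
	for n, v := range verdicts {
		if !onlyNonBenign || v != Benign {
			out = append(out, n)
		}
	}
	sort.Strings(out)
	return out
}

// NeedsManualInspection applies the criteria in a fixed order; the order and the
// choice of results sent on are assumptions of this example, not rules from the text.
func (p Policy) NeedsManualInspection(r Request) Decision {
	benign, malicious := 0, 0
	for _, v := range r.Verdicts {
		switch v {
		case Benign:
			benign++
		case Malicious:
			malicious++
		}
	}
	// A file type the role does not normally handle goes to a manual inspector
	// whatever the inspectors said (the AutoCAD-from-an-assistant case).
	if !p.ExpectedFileTypes[r.UserRole][r.FileType] {
		return Decision{true, "file type not expected for user role", names(r.Verdicts, false)}
	}
	// Unanimous Benign from enough inspectors is forwarded without a human (the CFO case).
	if benign == len(r.Verdicts) && benign >= p.MinBenign {
		return Decision{false, "all inspectors benign", nil}
	}
	// Unanimous Malicious leaves nothing to approve; the analysis step rejects the data.
	if malicious > 0 && malicious == len(r.Verdicts) {
		return Decision{false, "all inspectors malicious", nil}
	}
	// Otherwise an inspector was undecided, the verdicts conflict (the VBA macro case)
	// or too few inspectors agreed; send the results that need a human's eye.
	send := names(r.Verdicts, true)
	if len(send) == 0 {
		send = names(r.Verdicts, false)
	}
	return Decision{true, "inspectors undecided, in conflict or too few", send}
}

// DemoPolicy is a constructed policy covering the three cases in the description.
func DemoPolicy() Policy {
	return Policy{ExpectedFileTypes: map[string]map[string]bool{
		"salesperson":     {"xlsx": true, "docx": true, "pdf": true},
		"cfo":             {"xlsx": true, "pdf": true},
		"admin-assistant": {"docx": true, "pdf": true},
	}, MinBenign: 2}
}

func main() {
	for _, r := range []Request{
		{"xlsx", "salesperson", map[string]Verdict{"av": Undecided, "macro-analyser": Benign, "sandbox": Undecided}},
		{"dwg", "admin-assistant", map[string]Verdict{"av": Benign, "sandbox": Benign}},
		{"xlsx", "cfo", map[string]Verdict{"av": Benign, "macro-analyser": Benign, "sandbox": Benign}},
	} {
		d := DemoPolicy().NeedsManualInspection(r)
		fmt.Printf("%s from %s: manual=%v (%s), results from %v\n", r.FileType, r.UserRole, d.Manual, d.Reason, d.SendFrom)
	}
}
```

Evaluating the criteria in a fixed order matters: the file-type-versus-role check runs first so that a unanimous Benign cannot short-circuit it, and a single Benign verdict below MinBenign still goes to an approver rather than being forwarded.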
- an inspection result can include an inspected status of the received data and inspected data corresponding to the received data.
- the controller can decide what exactly is to be sent on for manual inspection. In some embodiments, it may be decided that manual inspection is needed only for some of the inspection results (e.g., selected inspection result(s) of some specific inspector(s)). For each of those selected inspection results, one or more of the following derivatives thereof can be determined to be sent on for manual inspection: the inspected data, the inspected status, the originally received data, and the signed inspection result. For instance, in the above examples of received data being an Excel file or AutoCAD file, the original file and the inspected file, together with an inspected status, can be sent on for manual inspection.
- the inspected data corresponding to the received data can be a filtered/modified version of the received data.
- the controller can determine to send the inspected data for manual inspection for approval of the modification.
- the one or more inspection results, or at least some thereof can be aggregated (e.g., by the controller) to an aggregated inspection result, and the aggregated inspection result, as a derivative of the inspection results, can be sent on for manual inspection.
- the aggregated inspection result can include an aggregated inspected status generated based on the one or more inspected statuses, together with the original received data. In some other cases, it can include the aggregated inspected status together with the inspected data as inspected by at least one of the inspectors.
- manual inspection of the at least some of inspection results and/or derivatives thereof sent by the inspection computer can be provided (210) (e.g., by the manual inspection module 110), giving rise to at least one manual inspection result indicative of an approval status.
- signing of the at least one manual inspection result can be provided (210) (e.g., by the manual inspection module 110 to the controller 106), giving rise to at least one signed manual inspection result.
- the manual inspection can be performed by at least one manual inspector each associated with a secure signing mechanism, and the signing of the at least one manual inspection result can be performed separately by each of the at least one manual inspectors, using the secure signing mechanism associated therewith.
- the term manual inspector used herein refers to a person, as an approver (equipped with a computer device), who, upon receiving inspection results and/or derivatives from the inspection computer, performs additional inspection/verification in order to determine whether or not to approve the received information.
- the manual inspection module 110 referred to herein should be construed to include at least one computer device (or a dedicated inspection module of the computer device) operated by the at least one manual inspector for performing the additional inspection/verification.
- each of the at least one manual inspector can be equipped with a computer device which comprises a dedicated inspection module for performing the manual inspection process.
- the inspection module has a respective secure enclave designated thereto which provides a secure environment for the inspection module to execute code and store data therein. For instance, the inspection module can choose to protect its private key, and/or the execution of the signing in the designated enclave. In some cases, it may be determined that the entire manual inspection process associated with the inspection module can be executed in the designated enclave thereof.
- a CFO of a company can act as an approver using his/her designated computer device.
- the computer device is specifically configured with an inspection functionality implemented in an inspection module thereof.
- the signed manual inspection result can be provided to the controller of the inspection computer for making further decisions.
- a manual inspection result can be indicative of an approval status (i.e., whether the received at least part of inspection results and/or derivatives thereof sent by the inspection computer are approved or not).
- the manual inspection result can also include manual inspected data if the manual inspector performs certain modifications of the data upon inspection.
- signed inspection results can be analyzed (212) by the inspection computer (e.g., by the controller 106).
- the signed inspection results can include at least one of: i) the one or more signed inspection results, and ii) the at least one signed manual inspection result.
- when it is determined in block 208 that there is no need for manual inspection, the signed inspection results can only include the one or more signed inspection results as provided by the one or more inspectors.
- otherwise, the signed inspection results can include either the at least one signed manual inspection result alone, or both the one or more signed inspection results as provided by the one or more inspectors and the at least one signed manual inspection result.
- the analyzing can be based on a predefined criterion as specified by the inspection management policy.
- the one or more inspectors and/or the at least one manual inspector may be assigned with respective weight factors, and the signed inspection results can be analyzed/evaluated by the controller by applying the weight factors on corresponding inspection results, giving rise to a weighted sum/total (i.e., a sum of weighted signed inspection results).
- the predefined criterion can be based on the number of signed inspection results (e.g., based on the signatures included in the signed inspection results) that are indicative of approval, or a sum of weighted signed inspection results that are indicative of approval, or a combination thereof.
- a predefined criterion can be that at least two signatures of manual inspectors indicative of approval should be obtained, or at least two signatures indicative of approval with a total weight of 5 should be obtained.
- the file can be sent to multiple manual inspectors who are assigned with different weights according to their positions/responsibilities in the organization, e.g., a CEO may be assigned with a weight of 4, a division manager may be assigned with a weight of 2, whereas a technical engineer and a salesperson may be assigned with a weight of 1, etc.
- the predefined criterion can be regarded as being met if two signatures indicative of approval are received with a weight of 5, for instance, receiving the signatures of a CEO and a technical engineer.
- a predefined criterion can be that at least three signatures indicative of approval with a total weight of 7 should be obtained, and, in addition, at least one of the three signatures is from the technical department.
- the predefined criterion can be that the inspection results from all of the one or more inspectors give a positive indication of the data being benign.
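The weighted-signature criteria described above, as an added example in Go rather than code from the patent. The weights (CEO 4, division manager 2, engineer 1, salesperson 1) and the two criteria are the ones given in the description; the department names, the rule that a signer counts only once, and the rule that a signer with no assigned weight contributes nothing are assumptions made here. The approvals passed in are taken to have had their signatures verified already.

```go
package main

import "fmt"

// Approval is one verified signed inspection result, reduced to what the
// criterion needs: who signed, their department and whether they approved.
type Approval struct {
	Signer     string
	Department string // e.g. "technical", "sales", "management"
	Approved   bool
}

// Criterion is one predefined criterion of the inspection management policy.
type Criterion struct {
	MinSignatures  int    // at least this many approving signatures
	MinTotalWeight int    // whose weights sum to at least this
	RequireDept    string // if set, at least one approver must be from this department
}

// Weights are assigned to signers by position/responsibility in the organisation.
type Weights map[string]int

// Met reports whether the approving signatures satisfy the criterion and the
// weighted total reached. A signer is counted once, and a signer with no
// assigned weight is ignored, so an unexpected signature cannot add approval.
func (c Criterion) Met(w Weights, approvals []Approval) (bool, int) {
	count, total := 0, 0
	deptOK := c.RequireDept == ""
	seen := map[string]bool{}
	for _, a := range approvals {
		weight, known := w[a.Signer]
		if !a.Approved || !known || seen[a.Signer] {
			continue
		}
		seen[a.Signer] = true
		count++
		total += weight
		if a.Department == c.RequireDept {
			deptOK = true
		}
	}
	return count >= c.MinSignatures && total >= c.MinTotalWeight && deptOK, total
}

// DemoWeights reproduces the weights given in the description.
func DemoWeights() Weights {
	return Weights{"ceo": 4, "division-manager": 2, "engineer": 1, "salesperson": 1}
}

func main() {
	w := DemoWeights()
	twoOfFive := Criterion{MinSignatures: 2, MinTotalWeight: 5}
	threeOfSevenTech := Criterion{MinSignatures: 3, MinTotalWeight: 7, RequireDept: "technical"}
	ceo := Approval{"ceo", "management", true}
	mgr := Approval{"division-manager", "sales", true}
	eng := Approval{"engineer", "technical", true}
	sales := Approval{"salesperson", "sales", true}

	cases := []struct {
		name string
		c    Criterion
		a    []Approval
	}{
		{"CEO + engineer, need 2 sigs weighing 5", twoOfFive, []Approval{ceo, eng}},
		{"manager + engineer, need 2 sigs weighing 5", twoOfFive, []Approval{mgr, eng}},
		{"CEO + manager + engineer, need 3 sigs weighing 7 incl. technical", threeOfSevenTech, []Approval{ceo, mgr, eng}},
		{"CEO + manager + salesperson, need 3 sigs weighing 7 incl. technical", threeOfSevenTech, []Approval{ceo, mgr, sales}},
		{"CEO signed twice, need 2 sigs weighing 5", twoOfFive, []Approval{ceo, ceo}},
	}
	for _, tc := range cases {
		ok, total := tc.c.Met(w, tc.a)
		fmt.Printf("%-70s met=%-5v total=%d\n", tc.name, ok, total)
	}
}
```

The duplicate-signer check is the one a practitioner should not leave out: without it, one compromised approver key replayed twice would satisfy a "two signatures with weight 5" rule on its own.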
- additional verification of the signed inspection results can be performed (216) by the inspection computer (e.g., by the policy enforcer 108).
- the additional verification can determine whether to send inspected data corresponding to the received data to the destination computer.
- the additional verification can comprise verifying completeness and accuracy of the one or more signed inspection results and/or the at least one signed manual inspection result.
- the policy enforcer is configured to receive all the signed inspection results from the controller and make a final decision as to whether the data should be sent to the destination computer, thereby providing an additional layer of protection besides the controller (i.e., providing redundancy and increasing reliability of the system).
- the policy enforcer verifies whether all of the one or more inspectors and/or the at least one manual inspector have executed the inspection (i.e., completeness), and whether their signatures are correct (i.e., accuracy).
- on the other hand, when a result of the analyzing does not meet (214) the predefined criterion, additional verification of the signed inspection results does not need to be performed.
- the inspection process can stop (218) and it can be determined that the data will not be sent to the destination computer.
- the controller may maintain a “chain of signatures” mechanism (as specified in the inspection management policy), in which each inspector signs a content including a signature of previous executed inspectors.
- the inspection management policy can include a list of predefined orders of the one or more inspectors, and the received data can be inspected and signed by the one or more inspectors in one of the list of predefined orders such that each inspector, except for the first inspector, signs on a content including the received data and one or more signatures of one or more preceding inspectors that previously performed the signing, giving rise to a chain of signatures.
- the additional verification can comprise verifying completeness and accuracy of each signature in the chain of signatures, and, in addition, verifying whether an order of the chain of signatures belongs to the list of predefined orders. This can effectively prevent a situation when a takeover of the controller by a malicious party may allow problematic data to pass through.
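The chain of signatures and the policy enforcer's completeness, accuracy and order checks, as an added example in Go using the Go standard library; this is not code from the patent. It also stands in for the sign-with-private-key, verify-with-public-key mechanism described earlier. Assumptions made here: Ed25519 is used instead of the RSA the description mentions as one option; each link's signature covers the received data, the signer's name and status, and the name and signature of every preceding link, with every field length-prefixed; the inspector names, the two permitted orders and the sample data are constructed; and the enforcer additionally requires every inspected status to be "benign" (the all-benign criterion from the description).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strings"
)

// Link is one signed inspection result in the chain of signatures.
type Link struct {
	Inspector string
	Status    string // inspected status, e.g. "benign"
	Signature []byte
}

// linkDigest is what a link's signature covers: the received data, the signing
// inspector's name and status, and the name and signature of every preceding
// link. Every field is length-prefixed so field boundaries cannot be shifted.
func linkDigest(data []byte, name, status string, prev []Link) []byte {
	fields := [][]byte{data, []byte(name), []byte(status)}
	for _, l := range prev {
		fields = append(fields, []byte(l.Inspector), l.Signature)
	}
	h := sha256.New()
	for _, f := range fields {
		binary.Write(h, binary.BigEndian, uint32(len(f)))
		h.Write(f)
	}
	return h.Sum(nil)
}

// Sign is one inspector's step: append its signed result to the chain it received.
// In the described system priv stays on a physical carrier or inside the
// inspector's enclave; here it is an in-memory key generated for the example.
func Sign(name string, priv ed25519.PrivateKey, data []byte, status string, chain []Link) []Link {
	sig := ed25519.Sign(priv, linkDigest(data, name, status, chain))
	return append(chain, Link{name, status, sig})
}

// Enforcer is the policy enforcer: every inspector's public key plus the list of
// predefined orders from the inspection management policy.
type Enforcer struct {
	Keys          map[string]ed25519.PublicKey
	AllowedOrders [][]string
}

// Verify returns nil when the data may be forwarded: the chain's order is one of
// the predefined orders (each names every required inspector, so this is also the
// completeness check), every signature verifies over the data and its
// predecessors (accuracy), and every inspected status is benign.
func (e Enforcer) Verify(data []byte, chain []Link) error {
	order := make([]string, len(chain))
	for i, l := range chain {
		order[i] = l.Inspector
	}
	allowed := false
	for _, a := range e.AllowedOrders {
		allowed = allowed || strings.Join(a, ">") == strings.Join(order, ">")
	}
	if !allowed {
		return fmt.Errorf("chain order %v is not a predefined order", order)
	}
	for i, l := range chain {
		pub, ok := e.Keys[l.Inspector]
		if !ok {
			return fmt.Errorf("no public key for inspector %q", l.Inspector)
		}
		if !ed25519.Verify(pub, linkDigest(data, l.Inspector, l.Status, chain[:i]), l.Signature) {
			return fmt.Errorf("signature of %q does not verify", l.Inspector)
		}
		if l.Status != "benign" {
			return fmt.Errorf("%q reported %q", l.Inspector, l.Status)
		}
	}
	return nil
}

// demo wires three inspectors and an enforcer around constructed sample data.
func demo() (Enforcer, []byte, []Link, error) {
	e := Enforcer{map[string]ed25519.PublicKey{}, [][]string{{"av", "sandbox", "dlp"}, {"sandbox", "av", "dlp"}}}
	data := []byte("constructed sample: the bytes of a spreadsheet")
	var chain []Link
	for _, name := range []string{"av", "sandbox", "dlp"} {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return e, nil, nil, err
		}
		e.Keys[name] = pub
		chain = Sign(name, priv, data, "benign", chain)
	}
	return e, data, chain, nil
}

func main() {
	e, data, chain, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("intact chain:", e.Verify(data, chain))
	fmt.Println("links reordered:", e.Verify(data, []Link{chain[1], chain[0], chain[2]}))
	fmt.Println("last inspector missing:", e.Verify(data, chain[:2]))
}
```

Because each link signs over its predecessors' signatures, reordering two links into another permitted order still fails: "sandbox" signed with "av" as its predecessor, so putting it first changes the digest it is verified against. That is what makes a controller takeover unable to pass problematic data by assembling a chain from individually valid signatures.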
- the controller can also be configured to verify the signatures of the inspectors in a similar manner as described above with reference to the policy enforcer, so as to facilitate analyzing the inspection results according to the inspection management policy.
- the controller may be configured to verify/examine if the inspectors are working correctly, in an attempt to detect whether the inspectors are compromised (e.g., some of the inspectors may be attacked by an attacker who would always return a bad response).
- One example of such verification can be probing the inspectors.
- the terms "probe" or "probing" refer to an action taken, or a service used, for the purpose of collecting data and/or monitoring the state or activity of an entity.
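One way the controller could probe its inspectors, as an added example in Go and not code from the patent: feed every inspector a few samples whose correct status is known and flag any inspector whose answer is wrong. An inspector an attacker has turned into one that always returns a bad response fails the known-benign probe; one that passes everything fails the known-malicious probe; one that crashes fails both instead of taking the controller down. The inspectors, the marker string the healthy inspector looks for, and the probe samples are all constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"sort"
)

// InspectFunc models one inspector: given a sample it returns an inspected status.
type InspectFunc func(sample []byte) string

// Probe is a sample whose correct status is known in advance. The controller feeds
// it to every inspector to check that the inspector still answers correctly.
type Probe struct {
	Name     string
	Sample   []byte
	Expected string
}

// ProbeInspectors runs every probe through every inspector and returns, per
// inspector, the names of the probes it got wrong (sorted, for determinism).
func ProbeInspectors(inspectors map[string]InspectFunc, probes []Probe) map[string][]string {
	failures := map[string][]string{}
	for name, inspect := range inspectors {
		for _, p := range probes {
			if safeInspect(inspect, p.Sample) != p.Expected {
				failures[name] = append(failures[name], p.Name)
			}
		}
		sort.Strings(failures[name])
	}
	return failures
}

// safeInspect reports a crashing inspector as "error" instead of letting the
// panic propagate into the controller.
func safeInspect(inspect InspectFunc, sample []byte) (status string) {
	defer func() {
		if recover() != nil {
			status = "error"
		}
	}()
	return inspect(sample)
}

// DemoInspectors are constructed stand-ins: a healthy one, one that always
// returns a bad response, one that passes everything, and one that crashes.
func DemoInspectors() map[string]InspectFunc {
	marker := []byte("CONSTRUCTED-MALICIOUS-MARKER")
	return map[string]InspectFunc{
		"av": func(s []byte) string {
			if bytes.Contains(s, marker) {
				return "malicious"
			}
			return "benign"
		},
		"sandbox": func([]byte) string { return "malicious" },
		"dlp":     func([]byte) string { return "benign" },
		"ocr":     func([]byte) string { panic("inspector crashed") },
	}
}

// DemoProbes are two constructed samples with known statuses.
func DemoProbes() []Probe {
	return []Probe{
		{"benign-text", []byte("quarterly figures, nothing unusual"), "benign"},
		{"marked-sample", []byte("invoice CONSTRUCTED-MALICIOUS-MARKER attached"), "malicious"},
	}
}

func main() {
	inspectors := DemoInspectors()
	failures := ProbeInspectors(inspectors, DemoProbes())
	names := make([]string, 0, len(inspectors))
	for n := range inspectors {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		if len(failures[n]) == 0 {
			fmt.Printf("%-8s ok\n", n)
		} else {
			fmt.Printf("%-8s suspect: wrong on probes %v\n", n, failures[n])
		}
	}
}
```

A probe set needs samples of both kinds: a single known-benign probe would not catch an inspector that has been silenced into returning "benign" for everything, and a single known-malicious probe would not catch one that rejects everything.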
- each of the aforementioned functional modules can be implemented in separate devices distributed over local and/or remote entities, and can be operatively connected to each other through a communication network.
- each of these modules can have a respective secure enclave designated thereto for storing the private key and/or executing the signing process and/or performing verification etc.
- the entire functionality of a module can be executed in the designated enclave thereof (i.e., the module is deemed as running in the enclave).
- in FIG. 3 there is shown a schematic illustration of ensuring secure communication for a client-server path and a server-client path in the client-server communication architecture in accordance with certain embodiments of the presently disclosed subject matter.
- a client 304 is communicating with a server 302 through a communication network.
- the client 304 may initialize a request to import information to the server 302 (therefore the client-server path is also referred to as the import path), and the server 302 may provide or export information to the client 304 (therefore the server-client path is also referred to as the export path).
- the inspection mechanism as proposed herein and described above with reference to Fig.2 can be used to secure the communication on the import path and/or the export path, thereby providing secure import and/or secure export communication paths between the client and the server.
- the inspection computer system and inspection mechanism as proposed herein can be similarly adapted to both paths.
- the left diagram 306 in Fig.3 shows a secure import inspection system.
- the import requestee serves as an interface to receive the inspection request from the client 304, and send the request to the import control (i.e., import controller, equivalent to the role of controller as described above).
- the import controller coordinates between the import inspectors, the manual inspection module, and the import policy enforcer, in a similar way as described above.
- the import enforcer, serving as the last layer of protection, determines whether to forward the data on to the server.
- the right diagram 308 shows a secure export inspection system which is implemented in a similar manner. It is to be appreciated that due to different purposes of the two paths, the inspectors on either path may be associated with different filtering mechanisms, and the controller may be configured with different inspection management policies, for serving the specific purpose thereof.
- the system according to the invention may be, at least partly, implemented on a suitably programmed computer.
- the invention contemplates a computer program being readable by a computer for executing the method of the invention.
- the invention further contemplates a non-transitory computer-readable storage medium tangibly embodying a program of instructions executable by the computer for executing the method of the invention.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Virology (AREA)
- Storage Device Security (AREA)
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/290,946 US11876783B2 (en) | 2018-11-21 | 2019-11-13 | Method of secure communication and system thereof |
SG11202103826SA SG11202103826SA (en) | 2018-11-21 | 2019-11-13 | Method of secure communication and system thereof |
EP19887266.5A EP3884644A4 (en) | 2018-11-21 | 2019-11-13 | Method of secure communication and system thereof |
JP2021527916A JP7470116B2 (en) | 2018-11-21 | 2019-11-13 | Secure communication method and system thereof |
KR1020217014616A KR20210092745A (en) | 2018-11-21 | 2019-11-13 | Secure communication method and system |
AU2019383075A AU2019383075A1 (en) | 2018-11-21 | 2019-11-13 | Method of secure communication and system thereof |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
IL263181A IL263181A (en) | 2018-11-21 | 2018-11-21 | Method of secure communication and system thereof |
IL263181 | 2018-11-21 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2020105032A1 true WO2020105032A1 (en) | 2020-05-28 |
Family
ID=66624734
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/IL2019/051238 WO2020105032A1 (en) | 2018-11-21 | 2019-11-13 | Method of secure communication and system thereof |
Country Status (8)
Country | Link |
---|---|
US (1) | US11876783B2 (en) |
EP (1) | EP3884644A4 (en) |
JP (1) | JP7470116B2 (en) |
KR (1) | KR20210092745A (en) |
AU (1) | AU2019383075A1 (en) |
IL (1) | IL263181A (en) |
SG (1) | SG11202103826SA (en) |
WO (1) | WO2020105032A1 (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11641363B2 (en) * | 2019-01-14 | 2023-05-02 | Qatar Foundation For Education, Science And Community Development | Methods and systems for verifying the authenticity of a remote service |
US11356275B2 (en) * | 2020-05-27 | 2022-06-07 | International Business Machines Corporation | Electronically verifying a process flow |
US20220329671A1 (en) * | 2021-04-08 | 2022-10-13 | Mantech International Corporation | Systems and methods for cross domain solutions in multi-cloud environments |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5978475A (en) * | 1997-07-18 | 1999-11-02 | Counterpane Internet Security, Inc. | Event auditing system |
US20090044264A1 (en) * | 2007-08-07 | 2009-02-12 | Microsoft Corporation | Spam reduction in real time communications by human interaction proof |
US7865931B1 (en) * | 2002-11-25 | 2011-01-04 | Accenture Global Services Limited | Universal authorization and access control security measure for applications |
EP2317690A1 (en) * | 2008-08-15 | 2011-05-04 | Alcatel Lucent | Method and device for distributed security controlling in communication network system |
US20180097829A1 (en) * | 2016-09-30 | 2018-04-05 | Mcafee, Inc | Safe sharing of sensitive data |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP4145582B2 (en) | 2002-06-28 | 2008-09-03 | Kddi株式会社 | Computer virus inspection device and mail gateway system |
US8738708B2 (en) * | 2004-12-21 | 2014-05-27 | Mcafee, Inc. | Bounce management in a trusted communication network |
JP2009515426A (en) | 2005-11-07 | 2009-04-09 | ジーディーエックス ネットワーク, インコーポレイテッド | High reliability communication network |
US10114966B2 (en) * | 2015-03-19 | 2018-10-30 | Netskope, Inc. | Systems and methods of per-document encryption of enterprise information stored on a cloud computing service (CCS) |
2018
- 2018-11-21 IL IL263181A patent/IL263181A/en unknown
2019
- 2019-11-13 KR KR1020217014616A patent/KR20210092745A/en not_active Application Discontinuation
- 2019-11-13 EP EP19887266.5A patent/EP3884644A4/en active Pending
- 2019-11-13 US US17/290,946 patent/US11876783B2/en active Active
- 2019-11-13 SG SG11202103826SA patent/SG11202103826SA/en unknown
- 2019-11-13 WO PCT/IL2019/051238 patent/WO2020105032A1/en unknown
- 2019-11-13 AU AU2019383075A patent/AU2019383075A1/en active Pending
- 2019-11-13 JP JP2021527916A patent/JP7470116B2/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5978475A (en) * | 1997-07-18 | 1999-11-02 | Counterpane Internet Security, Inc. | Event auditing system |
US7865931B1 (en) * | 2002-11-25 | 2011-01-04 | Accenture Global Services Limited | Universal authorization and access control security measure for applications |
US20090044264A1 (en) * | 2007-08-07 | 2009-02-12 | Microsoft Corporation | Spam reduction in real time communications by human interaction proof |
EP2317690A1 (en) * | 2008-08-15 | 2011-05-04 | Alcatel Lucent | Method and device for distributed security controlling in communication network system |
US20180097829A1 (en) * | 2016-09-30 | 2018-04-05 | Mcafee, Inc | Safe sharing of sensitive data |
Non-Patent Citations (1)
Title |
---|
See also references of EP3884644A4 * |
Also Published As
Publication number | Publication date |
---|---|
EP3884644A4 (en) | 2022-07-27 |
US20210377219A1 (en) | 2021-12-02 |
JP7470116B2 (en) | 2024-04-17 |
IL263181A (en) | 2020-05-31 |
KR20210092745A (en) | 2021-07-26 |
US11876783B2 (en) | 2024-01-16 |
AU2019383075A1 (en) | 2021-05-27 |
JP2022509121A (en) | 2022-01-20 |
SG11202103826SA (en) | 2021-06-29 |
EP3884644A1 (en) | 2021-09-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11876783B2 (en) | Method of secure communication and system thereof | |
US7096497B2 (en) | File checking using remote signing authority via a network | |
Butt et al. | Cloud security threats and solutions: A survey | |
US11544152B2 (en) | Leveraging sentiment in data protection systems | |
CN111666591A (en) | Online underwriting data security processing method, system, equipment and storage medium | |
Filiz et al. | On the effectiveness of ransomware decryption tools | |
Caston et al. | Risks and anatomy of data breaches | |
Weippl et al. | Introduction to Security and Privacy | |
CN111538972A (en) | System and method for verifying attack resilience in digital signatures of documents | |
Lee et al. | Classification and analysis of security techniques for the user terminal area in the internet banking service | |
Kavakli et al. | Privacy as an integral part of the implementation of cloud solutions | |
Axelrod | Reducing software assurance risks for security-critical and safety-critical systems | |
Litchfield et al. | A systematic review of vulnerabilities in hypervisors and their detection | |
Mowbray et al. | Protecting personal information in cloud computing | |
Chen et al. | Towards analyzing complex operating system access control configurations | |
Rajeyyagari et al. | A study on cyber-crimes, threats, security and its emerging trends on latest technologies: Influence on the Kingdom of Saudi Arabia | |
Boulares et al. | Insider threat likelihood assessment for flexible access control | |
Shivakumara et al. | Review Paper on Dynamic Mechanisms of Data Leakage Detection and Prevention | |
KR101725450B1 (en) | Reputation management system provides safety in html5 and method of the same | |
CN111538971B (en) | System and method for verifying digital signatures of files | |
US20240163299A1 (en) | Email security diagnosis device based on quantitative analysis of threat elements, and operation method thereof | |
CN117290823B (en) | APP intelligent detection and safety protection method, computer equipment and medium | |
Senapati et al. | Impact of information leakage and conserving digital privacy | |
EP3674945B1 (en) | System and method for verifying digital signatures of files | |
JP2009116391A (en) | Security policy setting device cooperating with safety level evaluation and a program and method thereof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19887266; Country of ref document: EP; Kind code of ref document: A1 |
 | ENP | Entry into the national phase | Ref document number: 2021527916; Country of ref document: JP; Kind code of ref document: A |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | ENP | Entry into the national phase | Ref document number: 2019383075; Country of ref document: AU; Date of ref document: 20191113; Kind code of ref document: A |
 | ENP | Entry into the national phase | Ref document number: 2019887266; Country of ref document: EP; Effective date: 20210621 |