Method of comparing the security status of Windows family operating systems

FIELD: physics; computer engineering.

SUBSTANCE: the invention relates to security management of Windows family operating systems (including Microsoft Windows 2000 Professional, Microsoft Windows 2000 Server, Microsoft Windows XP Professional, Microsoft Windows Server 2003, Microsoft Windows Server 2008, and Microsoft Windows Vista Ultimate, Enterprise and Business, 32-bit and 64-bit versions of any localisation), and specifically to comparing the configuration characteristics of operating systems for the purpose of assessing their security. The result is achieved by making it possible to compare configuration parameters, monitor the dynamics of status changes and detect deviations from a given "reference" status in Windows family operating systems, through a proposed procedure for comparing security status and the inclusion of the complete set of user-level resource security configuration parameters in the analysed set.

EFFECT: increased efficiency of assessing system security.

3 cl, 1 dwg


The invention relates to the field of security management for operating systems of the Windows family (including Microsoft Windows 2000 Professional, Microsoft Windows 2000 Server, Microsoft Windows XP Professional, Microsoft Windows Server 2003, Microsoft Windows Server 2008, and Microsoft Windows Vista Ultimate, Enterprise and Business, 32-bit and 64-bit versions of any localization), namely to comparing operating-system configurations from the point of view of assessing their security.

Systems and methods for securing operating systems on the basis of analysing configuration characteristics are known, for example US 2007136578, H04L 9/00, published 2007-06-14; WO 2007021949, G06F 12/14, published 2007-02-22, whose system and methods provide an improved security model; and the application for a Russian Federation patent No. 2005120655, H04L 9/32, published 2006-01-20. However, none of these materials describes how to compare two or more security states of Windows family operating systems.

There is also a method of identifying configuration settings that cause undesirable system behaviour, which contains a procedure for monitoring operating-system parameters (US 2007300103, G06F 9/445; G06F 11/34; G06F 11/07; H04L 12/24, published 2007-12-27). However, this method does not provide for comparing the configurations of Windows operating systems from a security point of view.

The object of the invention is to provide a method of comparing security states of Windows family operating systems that gives a more effective assessment of system security by making it possible to compare configuration parameters, track the dynamics of state changes and detect deviations from a given reference state in Windows family operating systems. This is achieved by proposing a procedure for comparing security states and by including the full set of user-level resource security configuration parameters in the analysed set.

The technical problem is solved as follows. In the method of comparing security states of Windows family operating systems, which includes recording and comparing the security configuration settings of the subjects and objects of a Windows operating system, the files and directories of the file system to be included in the comparison are selected first (the first comparison condition); by default the recorded state includes all directories of the file system other than the Windows system directory, Program Files, Documents and Settings, and removable, network and virtual disks;

then the selected part of the file-system hierarchy is traversed, recording for each file-system object its absolute path name, the security identifier (SID) of its owner, its discretionary list of effective access rights and the values of the security attributes "permission inheritance flag" and "permission propagation scope"; if the object is a directory, the composition of its subdirectories and files is also recorded;

then the names of the subjects in the system (users, user groups and built-in security principals) are recorded together with their security identifiers, the sets of privileges assigned to them and the sets of groups of which each subject is a member; if the subject is a user group, the names and security identifiers of its members are recorded;

then the recorded state is saved in a state file;

since the comparison is performed on a pair of states, all of the above actions, including saving the state file, are repeated the required number of times (at least once) at any moment on the same system or on different systems, so as to form a set of states to be compared;

then two recorded states saved in state files are chosen for comparison, the comparison conditions are selected and the comparison is carried out on the basis of the selected conditions; the comparison conditions restrict the set of compared subjects, objects and their security configuration settings and determine the subsequent steps of the comparison procedure, which makes it possible to process only part of the parameters and thereby speed up the process;

the sets of subjects are extracted from the saved state files and compared; in each state the subjects absent from the other state are marked;

then the compositions of the groups are extracted from the saved state files and compared; in each state, for each group, the subjects in its member set that are missing from the member set of the same group in the other state are marked;

then the sets of groups of which the subjects present in both states are members are extracted from the saved state files and compared; in each state, for each subject, the groups in its group set that are missing from the group set of the same subject in the other state are marked;

then the sets of privileges held by the subjects present in both states are extracted from the saved state files and compared; in each state, for each subject, the privileges in its privilege set that are missing from the privilege set of the same subject in the other state are marked;

the structures of the file-system directories compared in the two states are extracted from the saved state files and compared, performing in each state a recursive traversal of the recorded set of directories; if a directory is present in only one state, the traversal and the comparison of the states with respect to the set of its subdirectories are not performed;

then the file compositions of the directories present in both states are extracted from the saved state files and compared; in each state, for each directory, the files in its file set that are missing from the file set of the same directory in the other state are marked;

then the values of the security attributes "permission inheritance flag" and "permission propagation scope" of the directories present in both states are extracted from the saved state files and compared; in each state, for each directory, an attribute value that differs from the value of the same attribute of that directory in the other state is marked;

then the owner security identifiers of the directories and files present in both states are extracted from the saved state files and compared; in each state, for each directory or file, an owner SID that differs from the owner SID of the same directory or file in the other state is marked;

then the discretionary lists of effective access rights for the directories and files present in both states are extracted from the saved state files and compared; in each state, for each directory or file, the rights that are absent from the discretionary list of effective access rights of the same directory or file in the other state are marked.

The result of comparing the states is saved as a report file containing descriptions of the recorded states and the identified differences, and is presented as two trees listing the sets of recorded subjects, objects and their security configuration settings with the differences marked.

The efficiency of security assessment of Windows family operating systems is improved by making it possible to record the security state of a Windows operating system, track the dynamics of its changes and detect deviations from a given reference state. This results from the proposed procedure for comparing the security states of operating systems and from processing the full set of user-level resource security configuration parameters, which comprise the subjects of access (users and user groups), the objects (files and directories of the file system) and their security attributes (group membership, group composition, owner, privileges, and discretionary lists of effective access rights).

The invention is illustrated by a drawing, which shows the result of comparing two states in the form of two trees representing the recorded subjects and objects, together with the discretionary lists of effective access rights and the marked differences in rights.

In the process, states are compared; the comparison procedure is performed on a pair of states recorded on the same system at different moments in time, or on a pair of states recorded on different systems at any time.

The system state includes the following security configuration settings of Windows operating systems:

1. The set of subjects, represented as a set of names and security identifiers of users, user groups and built-in security principals.

2. The sets of member subjects of the user groups.

3. The sets of groups of which the subjects are members.

4. The sets of privileges assigned to users, user groups and built-in security principals.

5. The set of objects, represented as a set of absolute paths and the hierarchy of files and directories in the file system.

6. The set of security attributes "permission inheritance flag" and "permission propagation scope" of file-system objects.

7. The set of names and security identifiers of the owners of file-system objects.

8. The set of discretionary lists of effective access rights. The discretionary list of effective permissions for a "subject-object" pair is the object's discretionary access control list (DACL) evaluated for a specific subject, taking into account inherited and explicit permissions and denials, share access rights, group rights, ownership rights, and rights that substitute for the subject's privileges.

In the process, the files and directories of the file system to be included in the comparison are selected first (the first comparison condition); by default the recorded state includes all directories of the file system other than the Windows system directory, Program Files, Documents and Settings, and removable, network and virtual disks.

Then the selected part of the file-system hierarchy is traversed, recording for each file-system object its absolute path name, the security identifier of its owner, its discretionary list of effective access rights and the values of the security attributes "permission inheritance flag" and "permission propagation scope". Symbolic links are not followed during the traversal, and a file with several hard links is processed only once. If the object is a directory, the composition of its subdirectories and files is recorded.

Then the names of the subjects in the system (users, user groups and built-in security principals) are recorded together with their security identifiers, the sets of privileges assigned to them and the sets of groups of which each subject is a member. If the subject is a user group, the names and security identifiers of its members are recorded.

The recorded state is saved in a state file.

Since the comparison is performed on a pair of states, all of the above actions, including saving the state file, are repeated the required number of times (at least once) at any moment on the same system or on different systems, so as to form a set of states to be compared.

Two recorded states saved in state files are chosen for comparison, the comparison conditions are selected, and the comparison is made on the basis of the selected conditions. The comparison conditions restrict the set of compared subjects, objects and their security configuration settings and determine the subsequent steps of the comparison procedure, which makes it possible to process only part of the parameters and thereby speed up the process.

The sets of subjects are extracted from the saved state files and compared. Users and groups with constant ("well-known") SIDs are matched by SID, all others by name. In each state the subjects absent from the other state are marked.

Then the compositions of the groups are extracted from the saved state files and compared. In each state, for each group, the subjects in its member set that are missing from the member set of the same group in the other state are marked.

Then the sets of groups of which the subjects present in both states are members are extracted from the saved state files and compared. In each state, for each subject, the groups in its group set that are missing from the group set of the same subject in the other state are marked.

Then the sets of privileges held by the subjects present in both states are extracted from the saved state files and compared. In each state, for each subject, the privileges in its privilege set that are missing from the privilege set of the same subject in the other state are marked.

The structures of the file-system directories compared in the two states are extracted from the saved state files and compared, performing in each state a recursive traversal of the recorded set of directories. If a directory is present in only one state, the traversal and the comparison of the states with respect to the set of its subdirectories are not performed.

Then the file compositions of the directories present in both states are extracted from the saved state files and compared. In each state, for each directory, the files in its file set that are missing from the file set of the same directory in the other state are marked.

Then the values of the security attributes "permission inheritance flag" and "permission propagation scope" of the directories present in both states are extracted from the saved state files and compared. In each state, for each directory, an attribute value that differs from the value of the same attribute of that directory in the other state is marked.

Then the owner security identifiers of the directories and files present in both states are extracted from the saved state files and compared. In each state, for each directory or file, an owner SID that differs from the owner SID of the same directory or file in the other state is marked.

Then the discretionary lists of effective access rights for the directories and files present in both states are extracted from the saved state files and compared. In each state, for each directory or file, the rights that are absent from the discretionary list of effective access rights of the same directory or file in the other state are marked.

In the present invention, the discretionary list of effective permissions for a "subject-object" pair means the object's discretionary access control list (DACL) evaluated for a specific subject, taking into account inherited and explicit permissions and denials, share access rights, group rights, ownership rights, and rights that substitute for the subject's privileges.

The result of comparing the states is saved as a report file containing descriptions of the recorded states and the identified differences, and is presented as two trees listing the sets of recorded subjects, objects and their security configuration settings with the differences marked. Applying the conditions taken into account when comparing states makes it possible to obtain the result in a minimised form, covering only the related set of parameters.

To explain the present invention, the example of comparing two states S1 and S2 (see drawing) is given.

1. Comparison of subjects.

1.1. Comparison of the sets of subjects.

All built-in security principals with constant ("well-known") SIDs are present in both states. State S1 contains the user Alex, who is absent from state S2. State S2 contains the user Peter and the group Experts, which are absent from state S1.

The transition to the next comparison step is performed after the differences between the states in the set of subjects have been recorded.

1.2. Comparison of group composition.

In state S2 the user Peter is a member of the group Experts.

The transition to the next comparison step is performed after the differences in group composition have been recorded.

1.3. Comparison of the sets of groups of which the subjects are members.

All the subjects common to both states are members of the same groups.

1.4. Comparison of privilege sets.

The user Nick, who is present in both states, holds in S1 the privilege "Backup files and directories", which he does not have in state S2.

The transition to the next step is performed after the differences between the states in the sets of privileges assigned to the subjects have been recorded.

2. Comparison of objects.

2.1. Comparison of directory composition.

The file-system objects marked by the operator for comparison are specified identically in both states, i.e. the comparison scopes coincide. In S2 the directory CurrentProject is missing.

The transition to the next comparison step is performed after the differences between the states in the composition of the file-system directories have been recorded.

2.2. Comparison of the file composition of directories.

In state S1 the file secure.doc is missing from the Private directory.

2.3. Comparison of directory security settings.

The values of the security attributes "permission inheritance flag" and "permission propagation scope" of the directories are identical. The owners of all file-system objects are identical. On the file boot.ini, the user JohnWalker has the complete set of effective rights in state S1, whereas in state S2 the effective rights "Execute" and "Write" are not granted.
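The comparison procedure described above, run over the drawing's S1/S2 example, as an added worked example that is not part of the patent: two constructed in-memory snapshots stand in for the state files, and the SIDs, paths, right names and the WELL_KNOWN prefixes are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
WELL_KNOWN = ("S-1-1-", "S-1-5-32-")  # assumption: illustrative constant ("well-known") SID prefixes

@dataclass(frozen=True)
class Subject:
    name: str
    sid: str
    privileges: frozenset = frozenset()
    groups: frozenset = frozenset()   # names of the groups this subject belongs to
    members: frozenset = frozenset()  # for a group: names of its members

@dataclass
class FsObject:
    path: str                                      # absolute path name
    is_dir: bool
    owner_sid: str
    attrs: tuple = (True, "subfolders and files")  # (permission inheritance flag, propagation scope)
    effective: dict = field(default_factory=dict)  # subject name -> frozenset of effective rights
    children: frozenset = frozenset()              # for a directory: its direct entries

def key_of(subj):  # well-known principals are matched by SID, every other subject by name
    return subj.sid if subj.sid.startswith(WELL_KNOWN) else subj.name
def set_diff(x, y):
    return {"only_in_s1": sorted(x - y), "only_in_s2": sorted(y - x)}

def compare_subjects(subs1, subs2):
    """Steps 1.1-1.4: subject composition, group composition, group sets, privilege sets."""
    k1, k2 = {key_of(s): s for s in subs1}, {key_of(s): s for s in subs2}
    report = {"composition": set_diff(k1.keys(), k2.keys()),
              "members": {}, "groups": {}, "privileges": {}}
    for k in k1.keys() | k2.keys():  # a group recorded in one state only yields all its members
        m1 = k1[k].members if k in k1 else frozenset()
        m2 = k2[k].members if k in k2 else frozenset()
        if m1 != m2:
            report["members"][k] = set_diff(m1, m2)
    for k in k1.keys() & k2.keys():  # group sets and privileges: only subjects present in both
        for attr in ("groups", "privileges"):
            a, b = getattr(k1[k], attr), getattr(k2[k], attr)
            if a != b:
                report[attr][k] = set_diff(a, b)
    return report

def walk_common(objs1, objs2, roots):
    """Steps 2.1-2.2: traverse the selected roots; a one-sided directory is not descended into."""
    only1, only2, common, stack = [], [], [], list(roots)
    while stack:
        p = stack.pop()
        if p in objs1 and p in objs2:
            common.append(p)
            if objs1[p].is_dir and objs2[p].is_dir:
                stack.extend(objs1[p].children | objs2[p].children)
        elif p in objs1:
            only1.append(p)
        elif p in objs2:
            only2.append(p)
    return {"only_in_s1": sorted(only1), "only_in_s2": sorted(only2), "common": sorted(common)}

def compare_objects(objs1, objs2, common):
    """Step 2.3: attributes, owner SID and effective rights of the objects present in both."""
    diffs = {}
    for p in common:
        a, b, d = objs1[p], objs2[p], {}
        if a.is_dir and a.attrs != b.attrs:
            d["attributes"] = {"s1": a.attrs, "s2": b.attrs}
        if a.owner_sid != b.owner_sid:
            d["owner"] = {"s1": a.owner_sid, "s2": b.owner_sid}
        for subj in a.effective.keys() | b.effective.keys():
            r1, r2 = a.effective.get(subj, frozenset()), b.effective.get(subj, frozenset())
            if r1 != r2:
                d.setdefault("rights", {})[subj] = set_diff(r1, r2)
        if d:
            diffs[p] = d
    return diffs

def compare_states(s1, s2, roots):
    """Whole procedure; `roots` is the comparison condition selecting the file-system part."""
    tree = walk_common(s1["objects"], s2["objects"], roots)
    return {"subjects": compare_subjects(s1["subjects"], s2["subjects"]), "tree": tree,
            "objects": compare_objects(s1["objects"], s2["objects"], tree["common"])}

# Constructed snapshots reproducing the drawing's S1 / S2 example (all SIDs are made up).
ADMIN, WORK, PRIV = "S-1-5-32-544", "C:\\Work", "C:\\Work\\Private"
FULL = frozenset({"Read", "Write", "Execute", "Delete", "Change permissions", "Take ownership"})
def d(path, *kids): return FsObject(path, True, ADMIN, children=frozenset(kids))
def f(path, **rights): return FsObject(path, False, ADMIN, effective=dict(rights))
def index(*objs): return {o.path: o for o in objs}
BASE = [Subject("Everyone", "S-1-1-0"), Subject("Administrators", ADMIN),
        Subject("JohnWalker", "S-1-5-21-1002")]
S1 = {"subjects": BASE + [Subject("Alex", "S-1-5-21-1003"), Subject("Nick", "S-1-5-21-1001",
                          frozenset({"Backup files and directories", "Shut down the system"}))],
      "objects": index(d("C:\\", "C:\\boot.ini", WORK), f("C:\\boot.ini", JohnWalker=FULL),
                       d(WORK, WORK + "\\CurrentProject", PRIV), d(WORK + "\\CurrentProject"), d(PRIV))}
S2 = {"subjects": BASE + [Subject("Nick", "S-1-5-21-1001", frozenset({"Shut down the system"})),
                          Subject("Peter", "S-1-5-21-1004", groups=frozenset({"Experts"})),
                          Subject("Experts", "S-1-5-21-1005", members=frozenset({"Peter"}))],
      "objects": index(d("C:\\", "C:\\boot.ini", WORK),
                       f("C:\\boot.ini", JohnWalker=FULL - {"Execute", "Write"}),
                       d(WORK, PRIV), d(PRIV, PRIV + "\\secure.doc"), f(PRIV + "\\secure.doc"))}
REPORT = compare_states(S1, S2, ["C:\\"])  # the "two trees with marked differences", as a dict
```

REPORT reproduces the drawing's findings: Alex only in S1, Peter and Experts only in S2, Nick's backup privilege only in S1, CurrentProject only in S1, secure.doc only in S2, and JohnWalker's Execute and Write on boot.ini only in S1.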

The invention improves the efficiency of security assessment of systems by making it possible to compare configuration parameters, track the dynamics of state changes and detect deviations from a given reference state in Windows family operating systems, through the proposed procedure for comparing security states and the inclusion of the full set of user-level security settings in the analysed set.

1. A method of comparing security states of Windows family operating systems, including comparison of the security configuration settings of the operating systems, characterised in that the files and directories of the file system to be included in the comparison are selected (the first comparison condition); by default the recorded state includes all directories of the file system other than the Windows system directory, Program Files, Documents and Settings, and removable, network and virtual disks; then the selected part of the file-system hierarchy is traversed, recording for each file-system object its absolute path name, the security identifier of its owner, its discretionary list of effective access rights and the values of the security attributes "permission inheritance flag" and "permission propagation scope"; if the object is a directory, the composition of its subdirectories and files is recorded; then the names of the subjects in the system (users, user groups and built-in security principals), their security identifiers, the sets of privileges assigned to them and the sets of groups of which each subject is a member are recorded; if the subject is a user group, the names and security identifiers of its members are recorded; then the recorded state is saved in a state file; the above steps, including saving the state file, are repeated to form a set of states to be compared; two recorded states saved in state files are chosen for comparison, the comparison conditions are selected and the comparison is made on the basis of the selected conditions; the comparison conditions restrict the set of compared subjects, objects and their security configuration settings and determine the subsequent steps of the comparison procedure, which makes it possible to process only part of the parameters and thereby speed up the process; the sets of subjects are compared, and in each state the subjects absent from the other state are marked; then the compositions of the groups are extracted from the saved state files and compared, and in each state, for each group, the subjects in its member set that are missing from the member set of the same group in the other state are marked; then the sets of groups of which the subjects present in both states are members are extracted from the saved state files and compared, and in each state, for each subject, the groups in its group set that are missing from the group set of the same subject in the other state are marked; then the sets of privileges held by the subjects present in both states are extracted from the saved state files and compared, and in each state, for each subject, the privileges in its privilege set that are missing from the privilege set of the same subject in the other state are marked; the structures of the file-system directories compared in the two states are extracted from the saved state files and compared, performing in each state a recursive traversal of the recorded set of directories; if a directory is present in only one state, the traversal and the comparison of the states with respect to the set of its subdirectories are not performed; then the file compositions of the directories present in both states are extracted from the saved state files and compared, and in each state, for each directory, the files in its file set that are missing from the file set of the same directory in the other state are marked; then the security attributes "permission inheritance flag" and "permission propagation scope" of the directories present in both states are extracted from the saved state files and compared, and in each state, for each directory, an attribute value that differs from the value of the same attribute of that directory in the other state is marked; then the owner security identifiers of the directories and files present in both states are extracted from the saved state files and compared, and in each state, for each directory or file, an owner SID that differs from the owner SID of the same directory or file in the other state is marked; then the discretionary lists of effective access rights for the directories and files present in both states are extracted from the saved state files and compared, and in each state, for each directory or file, the rights absent from the discretionary list of effective access rights of the same directory or file in the other state are marked.

2. The method according to claim 1, characterised in that the result of comparing the states is saved as a report file containing descriptions of the recorded states and the identified differences, and is presented as two trees listing the sets of recorded subjects, objects and their security configuration settings with the differences marked.

3. The method according to claim 1, characterised in that the states are compared in accordance with the selected conditions, which restrict the set of compared subjects, objects and security configuration settings.



 

Same patents:

FIELD: physics; communications.

SUBSTANCE: invention relates to the technology of protecting digital content, and specifically to playing back digital content using licenses. A chain comprises an end license associated with content at one end, and a root license at the other end and all intermediate licenses in between. The end license and all intermediate licenses in the chain are attached to neighbouring licenses in the chain towards the root license, and the root license is attached to the private key owner (PR-U). Each license in the chain is verified and confirmation is made of whether the license allows content playback. A decryption key is obtained from the end license based on application of (PR-U) to the root license. The obtained key is used to decrypt the encrypted content, and the decrypted content is played back.

EFFECT: provision of playback of encrypted digital content on a computer in accordance with a license chain, on which a request for playing back encrypted content is received and a license chain corresponding to that content is found.

5 cl, 5 dwg

FIELD: physics; computer engineering.

SUBSTANCE: invention relates to systems and methods for coordinating software components. Version management policy, which is included in the target component, shows how to access the target component, for instance either as a library component or as a platform component. A component can be designated a library component when it creates a version which is compatible at the binary code level. When other components request for such a component, they receive exactly the component version which they requested. On the other hand, a component can be designated a platform component when it creates a version which is compatible at the bit code level. When other components request for such a component, they receive the last updated version of the requested component instead. That way, access to the corresponding component version is provided (even a version which is different from the requested version). Other implementation versions include mechanisms for stratification of the component application field, based on different data processing levels.

EFFECT: improved version management.

23 cl, 8 dwg

FIELD: physics; computer engineering.

SUBSTANCE: invention relates to computer security. In the system, according to the invention, a basic operating system is used together with a highly reliable operating system. The basic operating system is at least a certain part of infrastructure of the highly reliable system. Occlusion of elements of the graphical user interface, related to the highly reliable operating system, is prevented. Also part of the secret information, which upon command can be displayed by elements of the graphical user interface, related to the highly reliable system, is stored. Coordination of defined components of images of all elements of the graphical user interface, related to the highly reliable operating system, also enables identification of valid elements. In the system for managing windows of the basic operating system there is public heading information for window identification, belonging to the process operating under control of the highly reliable operating system. Information of the secret heading, related to same window, is used only in the highly reliable operating system.

EFFECT: invention increases security of computer systems from hacking.

30 cl, 9 dwg

FIELD: physics; computer engineering.

SUBSTANCE: invention relates to architecture and a method of permitting display of digital content with the corresponding digital license, associated with a specific computer device. Transmitting and receiving computer devices are connected to each other over a network. A transmitting device transmits protected digital content to a receiving device such that, the receiving device can access that content even if the content is directly licensed to the transmitting device and not to the receiving device.

EFFECT: coordinated access to content between computer devices on a network.

20 cl, 6 dwg

FIELD: information technologies.

SUBSTANCE: inventions are related to computer systems and methods for provision of protected access to database. System comprises memory device for protection descriptors, which store information about protection, related to at least one line of database, besides database contains at least one table that includes at least one line and two columns, in one of columns there is a protection descriptor stored, being related to line, information stored in protection descriptor comprises data about which type of access and to which principal is permitted or prohibited; database processor that issues response to query of database, based at least partially on information about protection stored in protection descriptor, which is assessed on the basis of information stored in database, and context of user that makes query; query component that contains optimiser of queries, which defines optimal route for response provision to query.

EFFECT: improved protection of access to database.

20 cl, 9 dwg, 2 tbl

FIELD: information technologies.

SUBSTANCE: there chosen is domain identifier and connection of at least one user (P1, P2, …, PN1), at least one device (D1, D2, …, DM) and at least one information element (C1, C2, …, CN2) to Authorised Domain (AD) specified with domain identifier (Domain_ID). By means of that there have been obtained many checked devices (D1, D2, …, DM) and many checked personalities (P1, P2, …, PN1), which is authorised for access to information element of the above Authorised Domain (100). Thus, access of user who controls the device to information element of authorised domain is obtained either by checking the fact that information element and user are connected to one and the same domain or by checking the fact that device and information element are connected to one and the same domain.

EFFECT: ensuring method and system for providing Authorised Domain structure based both on personalities and on devices.

12 cl, 6 dwg

FIELD: information technologies.

SUBSTANCE: checking method of certificate validity, which includes the key connected to network devices, involves the step of receiving the encoded content and validity index connected to that content in the network. Certificate validity is evaluated from the time index included in the certificate where the time index has the value corresponding to the certificate issuing date, and from validity index connected to the above encoded content.

EFFECT: simplifying the checking process of certificate validity, which provides access to data without reducing data access security.

20 cl, 12 dwg

FIELD: information technologies.

SUBSTANCE: method and device for determining authenticity of the system user is based on comparing coordinates of peculiar features of papillary patterns of fingers at double finger touch of the receiving scanner surface. During the first registration there obtained are pictures of at least two fingerprints, and during the second registration there obtained is the picture of at least one fingerprint, at that, the second registration is performed upon "request-answer" protocol command. Authenticity is considered confirmed in case of non-linear dependence of coordinate offsets of peculiar features of the first and the second pictures. Device for implementing the method consists of a scanner, picture processing unit, database, comparing unit, protocol forming unit connected to the scanner, and comparing unit. Protocol forming unit display panel is located on the scanner front surface.

EFFECT: ensuring high accuracy of authenticity and excluding the access of occasional persons to the protected system.

3 cl, 3 dwg

FIELD: information technologies.

SUBSTANCE: first initial value is known both to the keyboard and the component. Keyboard and component exchange time values. Both the keyboard and the component compute the second initial value and the third initial value on the basis of time values and the first initial value. Both the keyboard and the component make one and the same computation so that both the keyboard and the component have one and the same second and third initial values. The keyboard encodes keystrokes meant for the component by using CBC-3DES method on the basis of the key and the second initial component, as well as creates message authentication code for each keystroke by using CBC-3DESMAC on the basis of the key and the third initial value. The component encodes and verifies keystrokes by using the key and the second and the third initial values.

EFFECT: providing safety connection between two components, such as a keyboard or a related device, and software component via an unsafe communication channel.

26 cl, 6 dwg

FIELD: instrument making.

SUBSTANCE: invention is related to the field of machine access, in particular to identification and authentication of object, user or principal with authenticator for logical entry into local and/or remote machine with operating system. Authenticators are transformed by means of one of multiple different modules of authenticator provides, every of which transforms according different type of authenticators into common protocol. Transformed authenticators are sent through application programming interface (API) to user interface module (UI) of logical entry to operating system (OS) of local machine, which is called by UI module of logical entry for authentication of transformed authenticators according to database of authenticators. User identified with transformed authenticator realises a logical entry for access to local machine in case of successful authentication.

EFFECT: enabling safe joint use of multiple interacting modules that are fully compatible with the operating system of the local machine.

18 cl, 22 dwg

FIELD: devices and methods for using a server, for access to a processing server that performs given processing.

SUBSTANCE: according to the method, a reservation is requested, the reservation is confirmed, authentication information included in the reservation information is stored, a service is requested on the basis of the authentication information, server utilization is authenticated, and the server is utilized on the basis of the authentication result. At the reservation confirmation stage, the reservation control device transfers reservation setting information, and at the authentication stage server utilization is confirmed only when the authentication information matches the authentication information transferred from the user terminal. The device contains receiving means, an information generation device and transmitting means.

EFFECT: creation of a method for using a server, a device for controlling server reservations and a program storage medium, capable of providing multiple users with efficient utilization of the processing server's functions while reducing interference from unauthorized users, without complicated processing or authentication operations.

6 cl, 51 dwg

FIELD: distribution devices, terminal devices.

SUBSTANCE: in the distribution device, groups of two or more information products representing digital content are stored together with policy administration information that indicates the user's rights to the group. The distribution device transfers the content requested by the user from the group to the terminal device together with a license certificate (LC) and refreshes the policy administration information by decreasing the policy validity. On return of the renewed LC, the distribution device increases the decreased policy validity by the part of the policy validity indicated in the renewed LC. On the user's demand, the distribution device again transfers the LC or other digital content.

EFFECT: distribution of digital content that more completely satisfies user demand.

22 cl, 58 dwg

FIELD: techniques for restricting access to a protected system; preventing access to the system by unauthorized persons.

SUBSTANCE: a fingerprint image is registered, followed by identification of the user. The coordinates of certain features of the papillary pattern are determined, and based on the difference between the feature coordinates of the received fingerprint image and those stored in the database, a positive or negative decision to grant access to the system is made.

EFFECT: increased level of protection against access by unauthorized persons.

3 cl, 2 dwg

FIELD: engineering of technical means for complex protection of information during its storage and transfer.

SUBSTANCE: the method for complex information protection is carried out in the following order. Prior to transfer into the communication channel or recording into memory, the state of the communication channel or information storage medium is analyzed, and from M possible codes the parameters of the (n,k) code optimal for the current state of the channel or storage medium are determined. The information to be protected is split into q-ary symbols l bits long (q=2^l); for each q-ary symbol a gamma combination l bits long is formed independently of the information source; for each set of k information q-ary symbols, (n-k) redundant q-ary symbols are formed according to the rules of the source binary (n,k) code; and each q-ary symbol is subjected to an encrypting stochastic transformation with participation of the gamma. After receipt from the communication channel or reading from memory, for each q-ary symbol a gamma combination of length l is generated synchronously with the transmitting side, and the reverse stochastic decrypting transformation is performed for each q-ary symbol with participation of the gamma. By means of the check expressions of the source binary code, the correctly read or received q-ary symbols are localized; untrustworthily localized symbols are erased, and the integrity of the message is restored by correcting the non-localized and erased q-ary symbols of each block, expressing their values through the values of trustworthily localized or already corrected q-ary symbols. If trustworthy restoration of a code block's integrity is impossible, the block is deleted and the number of deleted blocks is counted. Within an observation interval the optimality of the error-correcting code in use for the current channel state is determined, and if the code optimality criterion exceeds the given minimum and maximum limits, the code is replaced with the optimal code synchronously at the transmitting and receiving sides of the channel according to the maximum transfer speed criterion.

EFFECT: efficiency of each protection type and improved maintenance of the guaranteed characteristics of the information system.

18 cl

FIELD: technology for improving lines for transferring audio/video signals and data in dynamic networks and computer environments and, in particular, setting up and controlling communication lines with encryption and protection means in such an environment.

SUBSTANCE: the invention discloses a method for setting up protected communication lines for transferring data, and for controlling them, by exchanging keys for protection, authentication and authorization. The method includes setting up a protected communication line with limited privileges using the identifier of the mobile computing unit. This is especially beneficial when the user of the mobile unit has no user-identifying information suitable for authentication. A further advantage of the user providing default identifying information is that it triggers intervention by a system administrator instead of a refusal based on an empty string. This decentralized procedure allows new users to access the network without having to be physically present in a central office to present their credentials.

EFFECT: simplified setup of dynamic protected communication lines between a client computer and a server device.

6 cl, 10 dwg

FIELD: automation and computer science, in particular identification means for controlling access to autonomous resources.

SUBSTANCE: the method includes changing the identification information during each new query of an autonomous resource; this information is used for identification of the carrier during subsequent queries to autonomous resources, by including it in algorithmically converted form on the information carrier and in the database of the central device, and checking its correspondence over a series of previous queries to autonomous resources. Each autonomous resource has a memory block for storing conversion algorithms and the signs of these algorithms, and a block for reading/writing carrier information. The central device contains, at appropriate data bank addresses, virtual memory blocks for storing carrier identification information, a memory block for storing a set of algorithms for converting a code from one type to another together with the signs of these algorithms, and, for each carrier, the information storage address used during previous accesses. The carrier contains a non-volatile additional memory block for recording, storing and reading an additional information code after identification of the carrier, available both during manufacture of the carrier and on its submission to the autonomous resource.

EFFECT: increased level of protection from unauthorized access.

3 cl, 1 dwg

FIELD: digital data processing, namely, remote user authentication.

SUBSTANCE: according to the method, electronic user identification data is formed and saved in the authentication server database; this data is compared with the user's identification data during the procedure of user access to the computer network of the protected system, and on the basis of that comparison a decision is taken about the degree of user authority.

EFFECT: passive user authentication mode possible without the use of hardware.

2 cl, 2 dwg

FIELD: information dissemination systems.

SUBSTANCE: according to the invention, an encrypted event containing information not meant to be published before the time of publishing is dispatched to clients before the time of publishing. At the time of publishing, a small decryption key is dispatched to each client. In another variant, highly reliable boundary servers, which can be trusted not to publish the information before the appropriate time, dispatch a non-encrypted event or decrypt an encrypted event and dispatch the decrypted event at a certain time or before it, but after the time of publishing, so that the decrypted or non-encrypted event reaches clients that cannot store and decrypt an encrypted event at approximately the same time as the key reaches the other clients. Therefore every client may receive the information at approximately the same time, independently of client throughput or client capacity for storing and decrypting information.

EFFECT: ensured valid dissemination among various clients.

10 cl, 7 dwg

FIELD: information security of digital communication systems, usable in distributed computing networks interconnected through the Internet.

SUBSTANCE: in the method, initial data is set and an initial data packet is generated at the sender side. The data packet is then encrypted and transformed into TCP/IP format. After that the current addresses of the sender and receiver are included in it, the formed packet is transferred, and the sender address is replaced. At the receiver side, the sender and receiver addresses are extracted and compared with predetermined addresses. In case of mismatch the received packets are not analyzed; in case of match the encrypted data is extracted from the received packet and decrypted, and the receiver address is replaced. Then the initial data packet is formed again at the sender side. The protection device consists of two identical local protection segments 3_1 and 3_k, one of which is connected to local computing network 1_1 and the other to local computing network 1_k. The local computing networks are interconnected through the corresponding routers 4_1, 4_k and the Internet.

EFFECT: increased security and concealment of communication channel operation.

6 cl, 27 dwg