Access control using a parameterized hash function

(57) Abstract:

The invention relates to access control in a computer system. A storage unit receives a data block that includes an encrypted executable module and a signature component. A separation unit, connected to the storage unit, separates the signature component from the encrypted executable module. A decryption block, connected to the separation unit, decrypts the encrypted executable module using the signature component as the key, which yields the decrypted executable program. An identification block, connected to the decryption block, finds an identification tag in the decrypted executable program and identifies the composite key assigned to that tag. A signature generation block, connected to the identification block, performs a keyed cryptographic hash algorithm on the decrypted executable program using the composite key as the key. The technical result of the invention is improved reliability of the system through the detection of latent errors in the interfaces between the components of the subsystem. 5 independent and 7 dependent claims, 7 figures.

The present invention relates to a device and method for identifying the origin of an executable module and for using that identification to determine the level of access rights granted to the executable module.

PRIOR ART

Violations of protection in computer systems can be divided into intentional and accidental. Types of intentional misuse include unauthorized reading of data, unauthorized modification of data and unauthorized destruction of data. Most operating systems provide processes with tools to spawn other processes, and in this environment a situation can arise in which the resources of the operating system and user files are used incorrectly. Worms and viruses are two common forms of such misuse. Protection of a computer system depends on the ability to identify the source of the programs that are to be executed, and to verify that these programs have not been modified in a way that might threaten system security.

In addition to authenticating the source of a program, it is also necessary to ensure that files, memory segments, the CPU and other resources of the computer system can be used only by those processes that have received the relevant authorization from the operating system. There are several reasons for restricting access. The most important is the need to ensure that each software component acting in the system uses system resources in ways that are consistent with the established rules for the use of those resources. Protection can improve reliability by detecting latent faults in the interfaces between the constituent subsystems. Early detection of interface errors can prevent a defective subsystem from disabling other subsystems that would otherwise function correctly.

A process typically operates within a protection domain. This domain defines the resources that the process may access. Each domain defines a set of objects and the types of operations that may be invoked on each object. The ability to perform an operation on an object is called an access right. A domain is a set of access rights, each of which is typically an ordered pair of the form "object name, set of rights". For example, if domain D has the access right "file F, {read, write}", then a process executing in domain D may both read and write file F; any other operation on that object is not permitted. A domain may be static or dynamic. Thus, it is important to limit the protection domain available to each process.

Thus there is a need for a device and method that provide a forgery-resistant signature for an executable module, which can be used to identify the origin of the executable module, to determine whether the executable module has been modified, and to determine the level of access rights and the authorization to use the executable module that the operating system grants.

THE INVENTION

A method and apparatus for access control in a computer system are described. A first embodiment of the access controller includes a storage unit. The storage unit stores a data block that includes a signature component and an encrypted executable module. A separation unit is connected to the storage unit. The separation unit receives the data block and separates the signature component from the encrypted executable module. A decryption block is connected to the separation unit. The decryption block receives the encrypted executable module and decrypts it, converting it into an executable program. This is achieved by performing a decryption algorithm. An identification block is connected to the decryption block. The identification block receives the executable program that is to be used and identifies the key, specified by an identification tag in the executable program, for computing the keyed cryptographic hash value of the executable program. A signature generation block is connected to the decryption block. The signature generation block receives the executable program and computes a keyed cryptographic hash value for the executable program using the composite key identified by the identification block. A validation block is connected to the hashing block. The validation block compares the key hash value with the signature component to verify the source of the data block and that no modification of the data block has been made. A rights assignment block is connected to the hashing block. The rights assignment block receives the key used to compute the key hash value of the executable program and assigns rights to the executable program in accordance with the rights associated with that key.

A second embodiment of the present invention discloses a method of controlling an encrypted executable module. After the data block is received, the signature component is separated from the encrypted executable module. The executable module is then decrypted by performing a decryption algorithm that uses the signature component as the key. A composite key corresponding to the identification tag in the executable program is identified. The composite key is used to compute the key hash value of the executable program. After the key hash value has been computed, it is compared with the signature component to verify the source of the data block. The executable program is assigned rights in accordance with the rights previously assigned to the key.

BRIEF DESCRIPTION OF DRAWINGS

The present invention is illustrated in the following detailed description and in the accompanying drawings. The description and drawings are not intended to limit the invention to the specific embodiments but serve to explain and facilitate understanding of the invention.

Fig. 1 illustrates a first embodiment of the controller used in the computer system.

Fig. 2 illustrates a block diagram of the file coding block of the first embodiment.

Fig. 3 illustrates the procedure for coding a block of information using the coding block of the present invention.

Fig. 4 illustrates a block diagram of a second variant implementation of the controller corresponding to the present invention.

Fig. 5 illustrates a block diagram of a third embodiment, a video signal processing system, corresponding to the present invention.

Fig. 6 is a block diagram illustrating the encoding method.

Fig. 7 is a flowchart illustrating a method of access control in a computer system.

DETAILED DESCRIPTION OF EMBODIMENTS OF THE INVENTION

A new access control block is described. Various specific details of embodiments of the invention are set out below. Those skilled in the art will understand, however, that the present invention may be practiced without these specific details. In addition, well-known methods, procedures, components and circuits are not described in detail so as not to obscure the essence of the present invention.

Some parts of the following detailed description are presented in terms of algorithms and symbolic representations, which are the means used by those skilled in data processing to convey the substance of their work most effectively to other specialists in the field. An algorithm is a sequence of operations leading to a desired result. The operations are actions performed on physical quantities using physical means. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals that can be stored, transferred, combined, compared and otherwise manipulated. It has proved convenient at times, mainly for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers or the like. It must be remembered, however, that all of these and similar terms are associated with the appropriate physical quantities and are merely convenient labels applied to those quantities. Unless otherwise specified, it should be understood that throughout the present description terms such as "processing", "computing", "calculating", "determining", "displaying" or the like refer to the actions and processes of a computer system that manipulates data represented as physical (electronic) quantities within the registers and storage devices of the computer system, or transforms them into other data similarly represented as physical quantities within the storage devices or registers of the computer system or other such devices, such as storage, transmission or display devices.

Fig. 1 illustrates, in the form of a block diagram, a computer system of the first embodiment of the present invention. The computer system includes a bus 100, a keyboard interface 101, an external memory 102, a mass storage device 103, a CPU 104 and a display device controller 105. Bus 100 is connected to the display device controller, keyboard interface 101, microprocessor 104, memory 102 and mass storage device 103. The display device controller may be connected to a display device. Keyboard interface 101 may be connected to a keyboard.

The bus 100 may be a single bus or a combination of multiple buses. For example, the bus 100 may include an ISA (Industry Standard Architecture) bus, an EISA (Extended Industry Standard Architecture) bus, a system bus, an X-bus, a PCMCIA (Personal Computer Memory Card International Association) bus or another bus. The bus 100 may also include a combination of any of these buses. Bus 100 provides communication links between the components of the computer system. Keyboard interface 101 may be a keyboard controller or another keyboard interface. Keyboard interface 101 may be a dedicated device or part of another device, such as a bus controller or other controller. Keyboard interface 101 is provided to connect the keyboard to the computer system and transmits signals from the keyboard to the computer system. External memory 102 may include dynamic random access memory (DRAM), static random access memory (SRAM) or other storage devices. External memory 102 stores information and data obtained from the mass storage device 103 and the processor 104 for use by the processor 104. Mass storage device 103 may be a hard disk drive, a floppy disk drive, a tape drive, a CD-ROM drive, flash ROM or another mass storage device. Mass storage device 103 provides information and data to the external memory 102.

The processor 104 processes the information and data received from the keyboard controller 101 and transmits information and data to the display device controller 105 for display on the display. The processor 104 also transmits video to the display device controller for display. The processor 104 may be a complex instruction set microprocessor (CISC processor), a reduced instruction set microprocessor (RISC processor), a very long instruction word microprocessor (VLIW processor) or another processor device. The display device controller 105 connects the display device to the computing system and acts as an interface between the display device and the computing system. The display device controller may be a monochrome display adapter (MDA), a color graphics adapter (CGA), a multicolor graphics array (MCGA), an enhanced graphics adapter (EGA), a video graphics array (VGA), an extended graphics array (XGA) or another display device controller. The display device may be a television receiver, a computer monitor, a flat panel or another display device. The display device receives information and data from the processor 104 via the display device controller 105 and displays the information and data for a user of the computing system.

The computing system also holds keys associated with access rights in the computer system; these are stored in the access control block 106. Each key defines the domain in which a program operates. The keys also define one or more composite keys, which are used as parameters of a cryptographic hash function to generate the signature of a program. The program signature is subsequently used as the encryption key to encrypt the executable program.

The access control block 106 receives a process that is to be executed by the processor 104 from the mass storage device 103 or from another I/O device connected to the bus 100. The process includes an encrypted executable module and a signature component. Before the computing system executes the program, the access control block 106 checks whether the program signature was produced with a known composite key. By checking the signature component of the process, the access control block 106 identifies the origin of the process, checks whether the process has been modified in a way that would threaten the computer system, and determines the level of access that the operating system must grant the process. Then the access control block 106 allows and the A.

Fig. 2 illustrates a block diagram of the file coding block of the first embodiment of the present invention. The file coding block 210 includes a signature generator 221 and a cryptography block 230. The signature generator 221 performs the operations for creating the signature of an executable program to be executed by processor 104. The cryptography block 230 encrypts the file containing the executable program, using the signature as the key. The signature generator 221 performs a keyed cryptographic hash function on the plaintext of the executable program, generating a ciphertext. The signature generator 221 uses composite keys formed from the keys stored in the access control block 106. Each of the composite keys used in the cryptographic hash functions is associated with a set of access rights. These rights are assigned to the executable program before its execution.

The signature generator 221 includes a computing unit 222 and a cryptography block 223. The signature generator 221 may use the computing unit 222 and the cryptography block 223 to perform any number of keyed cryptographic hash functions or encryption algorithms on the plaintext of the executable program. The keys are protected; the operating system requires a copy of the key. The signature generator 221 may use standard algorithms such as Lucifer, Madryga, NewDES, FEAL, REDOC, LOKI, Khufu, Khafre or IDEA in order to generate a keyed cryptographic hash value for the executable program. In the first embodiment of the present invention, the computing unit 222 and the cryptography block 223 use the Data Encryption Standard (DES) in cipher block chaining (CBC) mode in order to generate a keyed cryptographic hash value for the executable program.

Fig. 3 illustrates the operations performed by the computing unit 222 and the cryptography block 223 when CBC is used to generate the key hash value for the executable program. Chaining uses a feedback mechanism: the result of encrypting the previous block is fed back into the encryption of the current block. In other words, the previous block is used to modify the encryption of the next block. Each ciphertext block therefore depends not only on the plaintext block that produced it but on all previous plaintext blocks. In CBC the plaintext is processed with the exclusive-OR operation. For example, the coding block 210 receives a file containing an executable program of size 24 bytes. The signature generator 221 divides the 24-byte file into three 8-byte sections. The first 8 bytes of plaintext are represented as P1 in block 301. P1 is combined by exclusive OR with an initiating vector (IV) stored in the computing unit 222, giving the first result. The initiating vector is a function of the first composite key associated with the set of access rights that will be assigned to the executable program. After P1 has been combined with IV, the cryptography block 223 performs a keyed encryption algorithm on the first result using the second composite key, forming the first encrypted result C1. The keyed encryption algorithm may be any of a number of different keyed encryption algorithms, including any of those listed above. The computing unit 222 combines the first encrypted result by exclusive OR with the second 8-byte section, represented as P2, to obtain the second 8-byte result. The cryptography block 223 performs the keyed encryption algorithm on the second result using the second composite key, forming the second encrypted result C2. The computing unit 222 combines the second encrypted result by exclusive OR with the third 8-byte section, P3, to form the third 8-byte result. The cryptography block 223 performs the keyed encryption algorithm on the third result using the second composite key. This yields the third encrypted result C3, which is used as the signature of the executable program.

The signature generation block 221 generates a signature for the executable program that is a function of every character in the file. Thus, if the executable program is altered, the modification is discovered by recomputing the keyed cryptographic hash value and comparing the recomputed value with the original signature.

The cryptography block 230 encrypts the executable program by running an encryption algorithm that uses the signature produced by the keyed cryptographic hash algorithm as its key. This yields the encrypted executable module. Encrypting the executable program provides an additional level of security that prevents unauthorized reading of the executable program by a third party. The cryptography block 230 can use any of a variety of algorithms to encrypt the executable program that is to be executed.

Fig. 4 illustrates a block diagram of a second embodiment of the access controller of the present invention. The access control block 400 includes a storage unit 410, a separation unit 420, a decryption block 430, an identification block 440, a signature generation block 450, a validation block 460 and a rights assignment block 470.

The storage unit 410 receives a data block that includes an encrypted executable module and a signature component. The storage unit 410 may include DRAM, SRAM or other types of RAM. The storage unit 410 uses a flag to indicate to the computer system whether it holds an executable module or an executable program. The flag indicates to the computer system that the storage unit 410 is used as temporary memory when the stored file is an executable module, and that the storage unit 410 is used as the place of execution when the stored file is an executable program.

The separation unit 420 is connected to the storage unit 410. The separation unit 420 receives the data block from the storage unit 410 and separates the encrypted executable module from the signature component. This allows the access control block 400 to process them separately. The decryption block 430 is connected to the separation unit 420 and the storage unit 410. The decryption block 430 receives the encrypted executable module, in the form of ciphertext, and the signature component from the separation unit 420. The decryption block 430 decrypts the encrypted executable module using the signature component as the decryption key, converting the encrypted executable module into the decrypted executable program.

The identification block 440 is connected to the decryption block 430 and the storage unit 410. The identification block 440 receives the executable program from the decryption block 430, reads the identification tag in the executable program and identifies the corresponding composite key assigned to that identification tag. This composite key is usually the same key that the signature generation block 221 used to generate the key hash value for the executable program. In the first embodiment of the present invention, the identification block 440 includes a lookup table that associates different identification tags with different composite keys. The composite key is associated with the specific access rights that are granted to the executable program. The signature generation block 450 is connected to the identification block 440 and the storage unit 410. The signature generation block 450 receives the identification of the composite key assigned to the identification tag of the executable program. The signature generation block 450 performs the operations for computing a keyed cryptographic hash value of the decrypted executable program, obtained from the identification block 440, using the composite key identified by the identification block 440. The signature generation block 450 stores a set of keys that correspond to specific access rights in the computer system. These keys are used to form a variety of composite keys for encoding and decoding executable programs and decrypted executable programs.

The validation block 460 is connected to the signature generation block 450 and the storage unit 410. The validation block 460 receives the signature component of the executable module from the storage unit 410 and the key hash value of the decrypted executable program from the signature generation block 450. The validation block 460 compares the key hash value of the decrypted executable program with the signature component of the executable module. If they match, the validation block 460 allows the computer system to execute the decrypted executable program; otherwise it does not permit its execution by the computer system.

In the first embodiment of the present invention, the signature generation block 450 does not receive the identification of the composite key used to compute the key hash value of the decrypted executable program. Instead, the signature generation block 450 computes several key hash values of the decrypted executable program using composite keys obtained by permutations of the keys stored in the signature generation block 450. These key hash values are received by the validation block 460, which determines whether any of them matches the original signature component. If there is a match between the signature component of the executable module and any of the computed key hash values of the decrypted executable program, the validation block 460 allows the decrypted executable program to be executed by the computer system. If there is no match, the validation block 460 decides that the executable has been modified and must not be executed by the computer system.

The rights assignment block 470 receives the composite key used to compute the key hash value that corresponds to the signature component of the executable module. When the rights assignment block 470 receives the signal from the validation block 460 indicating that the decrypted executable program is to be executed by the computer system, the rights assignment block 470 performs the operations required to assign the rights available to the program, identifying the rights associated with the specific composite key used to compute the matching key hash value. In the first embodiment of the present invention, the rights assignment block 470 may include a lookup table that associates various composite keys with different levels of access rights. After the rights assignment block 470 has assigned the appropriate rights to the decrypted executable program, it changes the flag in the storage unit 410 to indicate to the computer system that the storage unit 410 is used as the place of execution. The computer system recognises the indication that the storage unit 410 contains an executable program and proceeds to execute it.

Fig. 5 illustrates, in the form of a block diagram, a computer system of a third embodiment. The system includes a bus 500, a microprocessor 510, a memory 520, a storage device 530, a keyboard controller 540 and a display device controller 550.

The microprocessor 510 may be a complex instruction set microprocessor (CISC processor), a reduced instruction set microprocessor (RISC processor) or another processor device. The microprocessor executes commands or code stored in the memory 520 and performs operations on the data stored in the memory 520. In addition, the computer system 500 includes a storage device 530 (such as a hard disk, floppy disk or optical disk), which is connected to a bus 515. The display device controller 550 is also connected to bus 515. The display device controller 550 is provided to connect a display device to the computer system. The keyboard controller 540 is provided to connect a keyboard to the computer system and transmits signals from the keyboard to the computer system.

The memory 520 is connected to the microprocessor 510 via bus 500. The memory 520 may be a dynamic random access memory (DRAM), a static random access memory (SRAM) or another storage device. The memory 520 can store commands and other computer programs. The memory 520 includes a storage module 521, a separation module 522, a decryption module 523, an identification module 524, a signature generation module 525, a validation module 526 and a rights assignment module 527. The storage module 521 includes a first set of executable processor commands, which are executed by processor 510 as shown in Fig. 7, and performs a function similar to that of the storage unit 410 in Fig. 4. The separation module 522 includes a second set of executable processor commands, which are executed by processor 510 as shown in Fig. 7, and performs a function similar to that of the separation unit 420 in Fig. 4. The decryption module 523 includes a third set of executable processor commands, which are executed by processor 510 as shown in Fig. 7, and performs a function similar to that of the decryption block 430 in Fig. 4. The identification module 524 includes a fourth set of executable processor commands, which are executed by processor 510 as shown in Fig. 7, and functions the same as the identification block 440 in Fig. 4. The signature generation module 525 includes a fifth set of executable processor commands and performs a function similar to that of the signature generation block 450 in Fig. 4. The validation module 526 includes a sixth set of executable processor commands, which are executed by processor 510 as shown in Fig. 7, and performs a function similar to that of the validation block 460 in Fig. 4. The rights assignment module 527 includes a seventh set of executable processor commands, which are executed by processor 510 as shown in Fig. 7, and functions the same as the rights assignment unit 470 of Fig. 4.

Fig. 6 is a flowchart illustrating a method of encoding an executable program that is to be executed by a computer system. First, the executable program is obtained, as shown in block 601. Then a composite key is obtained that defines the associated rights that will be assigned to the executable program, as shown in block 602. A keyed cryptographic hash algorithm is performed on the executable program. The composite keys used may be either individual symmetric keys or public asymmetric keys. This yields an encrypted key hash value that serves as the signature for the executable program. The executable program is then encrypted using the key hash value as the key. As a result the executable module is obtained. This is shown in block 604. After the executable program has been encoded into the executable module, the executable module and the signature component are sent to the computer system for processing and execution. This is shown in block 605.

Fig. 7 is a flowchart illustrating a method of access control in a computer system. First, a data block that includes a signature component and an executable module is obtained, as shown in block 701. The signature component is separated from the executable module, as shown in block 702. The executable module is decrypted using the signature component as the key, yielding the decrypted executable program, as shown in block 703.

Then the identification tag in the decrypted executable program is determined, as shown in block 704. A composite key associated with the identification tag is identified, as shown in block 705. A keyed cryptographic hash value for the decrypted executable program is computed using the composite key associated with the identification tag, as shown in block 706. Then the source of the data block is checked, together with whether the decrypted executable program has been modified. This is shown in block 707. If the signature component in the data block does not match the computed keyed cryptographic hash value of the decrypted executable program, the program is not executed, as shown in block 708. If the signature component in the data block matches the computed keyed cryptographic hash value, then the appropriate rights, as defined by the composite key, are assigned to the decrypted executable program. This is shown in block 709. Finally, the decrypted executable program is executed, as shown in block 710.
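The encoding procedure of Fig. 6 and the access control procedure of Fig. 7 carried through end to end, as an added example that is not part of the patent: Go code using the standard library's DES in cipher block chaining mode both for the key hash of Fig. 3 (the last ciphertext block is the signature) and for encrypting the program under that signature. The lookup table and key material, the choice of the program's first byte as its identification tag, whole-block program lengths and the zero IV for the encryption step are assumptions of this example.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Rights is the protection domain a verified program is placed in.
type Rights struct{ Read, Write, Exec bool }

// CompositeKey (Fig. 3): the first key yields the initiating vector (IV), the
// second is the DES key; Rights is what the rights assignment block grants.
type CompositeKey struct {
	IV, Key []byte
	Rights  Rights
}

// DataBlock is what the access controller receives.
type DataBlock struct{ Module, Signature []byte }

// Constructed lookup table of the identification block: identification
// tag -> composite key (placeholder key material, not real keys).
var keyTable = map[byte]CompositeKey{
	0x01: {[]byte("ivOfKey1"), []byte("desKey#1"), Rights{true, false, true}},
	0x02: {[]byte("ivOfKey2"), []byte("desKey#2"), Rights{true, true, true}},
}

// desCBC runs DES-CBC over whole 8-byte blocks under key with the given IV.
func desCBC(key, iv, data []byte, decrypt bool) ([]byte, error) {
	blk, err := des.NewCipher(key)
	if err != nil || len(iv) != 8 || len(data) == 0 || len(data)%8 != 0 {
		return nil, errors.New("need an 8-byte key and IV and whole blocks")
	}
	mode := cipher.NewCBCEncrypter(blk, iv)
	if decrypt {
		mode = cipher.NewCBCDecrypter(blk, iv)
	}
	out := make([]byte, len(data))
	mode.CryptBlocks(out, data)
	return out, nil
}

// cbcMAC is the key hash of Fig. 3, C1 = E(P1 xor IV), Ci = E(Pi xor Ci-1): DES-CBC
// under the second key with the IV from the first; the last block Cn is the signature.
func cbcMAC(ck CompositeKey, p []byte) ([]byte, error) {
	ct, err := desCBC(ck.Key, ck.IV, p, false)
	if err != nil {
		return nil, err
	}
	return ct[len(ct)-8:], nil
}

// Encode follows Fig. 6: tag -> composite key, key hash -> signature, then the
// program is encrypted under the signature. Assumptions: tag = first byte, zero IV.
func Encode(program []byte) (DataBlock, error) {
	if len(program) == 0 || len(program)%8 != 0 {
		return DataBlock{}, errors.New("program must be whole 8-byte blocks")
	}
	ck, ok := keyTable[program[0]]
	if !ok {
		return DataBlock{}, errors.New("unknown identification tag")
	}
	sig, err := cbcMAC(ck, program)
	if err != nil {
		return DataBlock{}, err
	}
	module, err := desCBC(sig, make([]byte, 8), program, false)
	return DataBlock{Module: module, Signature: sig}, err
}

// Verify follows Fig. 7: decrypt under the signature, read the tag, recompute the
// key hash with that tag's key, compare in constant time, only then assign rights.
func Verify(db DataBlock) ([]byte, Rights, error) {
	p, err := desCBC(db.Signature, make([]byte, 8), db.Module, true)
	if err != nil {
		return nil, Rights{}, err
	}
	ck, ok := keyTable[p[0]]
	if !ok {
		return nil, Rights{}, errors.New("unknown tag: program refused")
	}
	mac, err := cbcMAC(ck, p)
	if err != nil || subtle.ConstantTimeCompare(mac, db.Signature) != 1 {
		return nil, Rights{}, errors.New("signature mismatch: modified or of unknown origin")
	}
	return p, ck.Rights, nil
}

func main() {
	db, _ := Encode([]byte("\x01 sample 24-byte program")) // constructed input
	_, r, err := Verify(db)
	fmt.Println("rights:", r, "err:", err)
	db.Module[9] ^= 0x80 // flip one bit of the module: verification now fails
	_, _, err = Verify(db)
	fmt.Println("after tampering:", err)
}
```

Because the signature is also the decryption key, a wrong or altered signature turns the module into garbage before the tag is even read, so both tampering cases end in refusal rather than in execution with guessed rights.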

The foregoing description of the invention contains references to specific embodiments. It is obvious, however, that various modifications and changes may be made to the invention without departing from the nature and scope of the invention as defined by the appended claims.

Accordingly, the description and drawings are illustrative rather than restrictive.

Various changes and modifications of the present invention will be apparent to those skilled in the art upon consideration of the preceding description; therefore, the specific embodiments shown in the description are not intended to limit the scope of the claims, which contain only the essential features of the invention.

1. A method of forming an encoded executable module, comprising computing a keyed cryptographic hash value for the executable program to generate a signature component, using a first key having an associated set of access rights assigned to the executable program, and executing an encryption algorithm on the executable program using the signature component as a second key.

2. The method according to claim 1, wherein the keyed cryptographic hash function is performed by executing the cipher block chaining algorithm of the Data Encryption Standard.

3. A method of access control, comprising separating the signature component from the executable module in a block of data, decrypting the executable module into an executable program using the signature component, computing a keyed cryptographic hash value of the executable program using a key, and validating the source of the data block by comparing the signature component with the keyed cryptographic hash value.

4. The method according to claim 3, characterized in that it further includes identifying the key, specified by an identification tag, that is used to compute the keyed cryptographic hash value for the executable program.

5. The method according to claim 3, characterized in that it includes assigning rights to the executable program in accordance with the rights associated with the key.

6. A unit for encoding an executable program, comprising a signature generation block for computing a keyed cryptographic hash value for the executable program to generate a signature component, using a first key having an associated set of access rights assigned to the executable program, and a first encryption block, connected to the signature generation block, for encrypting the executable program using the signature component as a second key.

7. The unit for encoding an executable program according to claim 6, characterized in that the signature generation block further includes a computing unit and a second encryption block, which executes the cipher block chaining algorithm of the Data Encryption Standard.

8. An access control block, comprising a separation unit for separating a signature component, obtained by computing a keyed hash function of an executable program, from an encrypted executable module in a data block; a decoding block, connected to the separation unit, for decrypting the encrypted executable module into a decrypted executable program using the signature component; a signature generation block, connected to the decoding block, for computing a cryptographic keyed hash value of the decrypted executable program using a key; and a validation block, connected to the signature generation block, for comparing the cryptographic keyed hash value with the signature component.

9. The access control block according to claim 8, characterized in that the signature generation block further comprises a key storage component for storing the key used by the signature generation block.

10. The access control block according to claim 8, characterized in that it further comprises an identification block, connected to the decoding block, for identifying the key to which an identification tag in the executable program points, that key being used to compute the cryptographic keyed hash value of the decrypted executable program.

11. The access control block according to claim 8, characterized in that it comprises a rights assignment block, connected to the signature generation block, for assigning rights to the decrypted executable program in accordance with the rights associated with the key.

12. A computer system, comprising a separation unit for separating a signature component from an encrypted executable module in a data block; a decoding block, connected to the separation unit, for decrypting the encrypted executable module into an executable program using the signature component; a signature generation block, connected to the decoding block, for computing a cryptographic keyed hash value of the executable program using a key; and a validation block, connected to the signature generation block, for comparing the cryptographic keyed hash value with the signature component.
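The encoding side of claim 1 and the access control side of claims 3, 4 and 5 carried through end to end, as an added example written for this page and not code from the patent: HMAC-SHA256 stands in for the DES-CBC-MAC keyed hash of claim 2, a counter-mode keystream derived from HMAC-SHA256 stands in for the DES encryption, and the key registry, the NUL-terminated tag layout and the rights sets are constructed sample data. All function names are this example's own.

```python
import hashlib
import hmac
from typing import Optional, Set, Tuple

# Constructed sample key registry (hypothetical): identification tag -> (first key,
# access rights granted to programs whose signature verifies under that key).
KEY_REGISTRY = {
    b"VENDOR-A": (b"vendor-a-secret-key-constructed-for-example", {"read", "write", "spawn"}),
    b"VENDOR-B": (b"vendor-b-secret-key-constructed-for-example", {"read"}),
}

TAG_END = b"\x00"   # constructed layout: the identification tag is a NUL-terminated prefix of the program
SIG_LEN = 32        # HMAC-SHA256 digest length, so the signature component is a fixed-size prefix


def keyed_hash(key: bytes, data: bytes) -> bytes:
    """Cryptographic keyed hash (stand-in for the DES-CBC-MAC of claim 2)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def stream_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric cipher keyed by the signature component: a counter-mode keystream
    derived from HMAC-SHA256 (stand-in for DES). XOR makes it its own inverse."""
    out = bytearray()
    for offset in range(0, len(data), SIG_LEN):
        block = keyed_hash(key, b"keystream" + offset.to_bytes(8, "big"))
        out.extend(a ^ b for a, b in zip(data[offset:offset + SIG_LEN], block))
    return bytes(out)


def build_program(tag: bytes, code: bytes) -> bytes:
    """Embed the identification tag in the program image (constructed layout)."""
    return tag + TAG_END + code


def encode_module(program: bytes, first_key: bytes) -> bytes:
    """Claim 1: signature = keyed hash of the program under the first key; the program
    is then encrypted with the signature as second key. Data block = signature || ciphertext."""
    signature = keyed_hash(first_key, program)
    return signature + stream_crypt(signature, program)


def find_tag(program: bytes) -> Optional[bytes]:
    """Identification step (claim 4): locate the tag in the decrypted program."""
    end = program.find(TAG_END)
    return program[:end] if end > 0 else None


def decode_module(data_block: bytes) -> Optional[Tuple[bytes, Set[str]]]:
    """Claims 3 and 5: separate, decrypt, identify the key, recompute the keyed hash,
    validate, and only then assign the rights tied to the key. None means rejected."""
    if len(data_block) <= SIG_LEN:
        return None
    signature, ciphertext = data_block[:SIG_LEN], data_block[SIG_LEN:]
    program = stream_crypt(signature, ciphertext)        # a wrong signature yields a garbage program
    tag = find_tag(program)
    if tag is None or tag not in KEY_REGISTRY:
        return None
    first_key, rights = KEY_REGISTRY[tag]
    expected = keyed_hash(first_key, program)
    # Constant-time comparison so the validation step does not leak how much of the value matched.
    if not hmac.compare_digest(expected, signature):
        return None
    return program, set(rights)


def tamper(block: bytes, index: int) -> bytes:
    """Flip one bit of a data block, to show that any modification is rejected."""
    return block[:index] + bytes([block[index] ^ 0x01]) + block[index + 1:]


if __name__ == "__main__":
    program = build_program(b"VENDOR-A", b"<constructed machine code>")
    block = encode_module(program, KEY_REGISTRY[b"VENDOR-A"][0])
    print("genuine:", decode_module(block))
    print("ciphertext bit flipped:", decode_module(tamper(block, SIG_LEN + 12)))
    print("signature bit flipped:", decode_module(tamper(block, 0)))
    print("signed under unknown key:", decode_module(encode_module(program, b"not-the-vendor-key")))
```

Two properties worth noting. Because the data block carries the signature component next to the ciphertext, anyone holding the block can decrypt it; what the keyed hash protects is origin and integrity (a module modified in transit, or produced without the vendor's first key, fails validation), not confidentiality from whoever holds the block. And the rights lookup is performed only after validation succeeds, so an unverified program never acquires the rights bound to the key its tag names.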

 
