The mechanism of vzaimootnoshyenii type "customer center" in distributed information management systems real-time

 

(57) Abstract:

The invention relates to distributed information and control systems (RIUS), mainly to RIUS, operating in real time, and can be used in various application systems, operating information of a confidential nature. Technical result achieved during the implementation of the claimed invention is to improve crypto and imitator resistance process vzaimootnoshyenii without increasing the occupation time of the communication channel. The mechanism of vzaimootnoshyenii type "Customer Center" RIUS contains peripheral module authentication (ACA), which consists of arithmetical-logical unit (ALB), block storing passwords Subscriber, the random number generator, the unit of analysis MASK and comparator, as well as the Central authentication module (ARC), which consists of ALB, the storage unit of the current word QUERY, the first comparator unit storing passwords Subscriber unit of analysis of the QUERY words, the block storing the password REQUEST, the second comparator, a counter for the number of password REQUEST and generate the RESPONSE. 2 Il.

The invention relates to distributed information and control systemitem for various purposes, operating information of a confidential nature.

The specificity of the tasks of such systems, suggests the possibility of deliberate violations regulated (corresponding to THE System) mode of operation. Thus it is implicitly assumed that such a threat may come primarily from the Subscriber's Periphery. Therefore, access to the Subscriber to work in the System are granted only after it proves its authenticity. The identity of the Centre is not exposed: he is beyond suspicion. Meanwhile, the organization of ad hoc mode of System operation possible primarily as a result of unauthorized use of the system Administrator terminal (STA) is responsible for monitoring and managing operation of the System as a whole. The conclusion from this is that its authenticity is required to confirm not only the party, but also the Centre of the RIUS. Therefore, in systems operating information of a confidential nature, along with the traditional procedure of establishing a Centre authentication of the Subscriber Periphery apply a similar procedure for establishing a Subscriber authentication Center. Combined at run-time, both proceduralize, the participants of the dialogue - the Subscriber and the Center should have some identifying information, which they must present to each other as proof of identity.

The General scheme of the process of vzaimootnoshyenii can be represented in the form of a dialogue, a sequential exchange of identifying information between the subscriber and the Center - on a classic pattern "password-a review". In principle, such a dialogue could be a multi-step, which, of course, would increase the cryptographic strength of the algorithm vzaimootnoshyenii. But in this case, substantially increases the time to exchange channel information "Customer Center", which is unacceptable for systems operating in real time scale. Namely, for systems of this class the task of developing the algorithm vzaimootnoshyenii is the most important.

This task can be formulated as follows: it is necessary to develop such an algorithm vzaimootnoshyenii "Customer Center", which would be carried out for the minimum possible number of communication sessions, in the limit for one that is possible only if the identifying information is exchanged between the dialogue partners will be securely damask">

The closest in technical essence of the present invention is a technical solution described in the patent of the Russian Federation 2126170 "Mechanism vzaimootnoshyenii in distributed information management systems".

The process of vzaimootnoshyenii between the Subscriber and the Center of this technical solution is performed by functionally and structurally complete authentication modules peripheral and Central.

As a Subscriber REQUEST is used converted in arithmetical-logical unit (ALU) and then encrypted with the key Name of the terminal. Thus formed REQUEST along with the name of the terminal is transmitted to the Center. The standard RESPONSE Center is transformed into an ALU Name of the terminal.

Adopted by the Center, the REQUEST is decoded by the Center key, the corresponding key of the terminal, and his Name is converted into an ALU according to the same algorithm as in the ALU of the terminal. In the case of the truthfulness of the Center (the condition is that the knowledge of the transformation algorithm in ALU the terminal Name and the decryption key) the results should be the same (which should also testify about the truthfulness of the terminal). In this case, the result is Increased crypto and imitator resistance in this technical solution is achieved through changes in ALU from session to session parameters of the transformation algorithm. However, simultaneous transmission over the communication channel REQUEST and the Name of the terminal may, if the Attacker regular interception identifying information greatly facilitate his disclosure of the encryption key. This may result in false connection Center. A more complex task is to organize the false terminal, because of this, in addition to the encryption key, the Attacker would need to know the conversion algorithm in ALU Name of the terminal.

Technical result achieved in the implementation of the present invention is to improve crypto and imitator resistance process vzaimootnoshyenii without increasing the occupation time of the communication channel.

This is achieved by the fact that the mechanism of vzaimootnoshyenii type "Customer Center" in distributed information management systems, real-time, containing the peripheral module authentication (ACA), which consists of arithmetical-logical unit(ALB) and the comparator, the outputs of which are respectively input signals "Normal" and "Alarm", and the Central authentication module (ARC), which consists of ALB and the first comparator entered:

the part of the ACA unit of analysis MASKS, block storage ParallelArray Subscriber connected to the first input ALB, a second input connected to the zero output of the analysis block MASK through RNG, and L-bit output of the analysis block MASK is connected to the first comparator input, a second input which is the input of the signal RESPONSE of an ARC, and the first output ALB connected to control inputs of the block storing passwords Subscriber, RNG and analysis block MASK, the second output ALB is the output REQUEST signal of the ACA, the input of the Start signal which is the control input ALB,

- part ARC connected in series, the unit of analysis of the QUERY words and the power storing passwords Subscriber, connected in series block storing the password REQUEST, the second comparator and the set of RESPONSE, and the storage unit of the current word of the QUERY and the count of the password REQUEST, the first output ALB through the block store the current QUERY words connected to the first input of the first comparator, the second input of which is connected to the first output unit storing passwords Subscriber, the second output of which, and first and second outputs of the first comparator and the control signal output unit store the current QUERY words are connected with the corresponding inputs of the unit of analysis of the QUERY words, the output signal of the completion of the verification cycle koto - with the second input of the processing unit RESPONSE and counter input password REQUEST, to the control input of which is connected to the second output ALB, a second input which is the input QUERY ACA, and the output processing unit RESPONSE and the other the output of the second comparator are respectively the output signal RESPONSE of the ARC and the output signal "Alarm".

In Fig. 1 presents a block diagram of the algorithm vzaimootnoshyenii of the present invention, and Fig. 2 is a block diagram of a mechanism that implements the process of vzaimootnoshyenii between one of the remote terminals and a HUNDRED.

The implementation of the presented algorithm vzaimootnoshyenii is carried out as in technical decision-prototype through functionally and structurally complete authentication modules - peripheral (ACA) and Central (ARC), which are equipped with terminals Periphery and one HUNDRED, respectively.

A detailed exposition of the mechanism of the exchange of identifying information would be included in the block diagram of other components of the terminal, as well as appropriate interface that would complicate the consideration of the actual process of vzaimootnoshyenii. Therefore, the interface to the block diagram includes: arithmetical-logical unit (ALB)-1, block storing passwords Subscriber 2, the random number generator (GCS)-3, the unit of analysis MASKS-4, representing the L-bit shift register with feedback and comparator-5.

The ARC includes: arithmetical-logical unit (ALB)-6, the storage unit of the current word QUERY 7, the first comparator 8 unit storing passwords Subscriber-9, the unit of analysis of the QUERY words-10 (consisting of a counter address of the array password of the Subscriber and logical elements AND1AND2AND3and OR), the block storing the password REQUEST-11, the second comparator 12 and counter password REQUEST-13 and the forming unit RESPONSE-14, which represents an L-bit shift register without feedback.

Setting up the peripheral modules authentication is carried out on a specially equipped terminal system security and is as follows:

- the formation and distribution of passwords M in blocks storing passwords Subscriber-2;

- installation of MASKS in shift registers units of analysis MASKS-4.

In addition, system security is the formation and placement on the appropriate machine media list of names and profiles that are registered in the System subscribers, Row, characterizing the site:

- an array of passwords - M (similar to the hosted security Service in the storage unit ACA);

- the number of passwords as part of the REQUEST - TO;

- the total number of words (passwords and pseudoparallel) in the REQUEST.

The values of K, L and M for each pair of "Customer Center" individual. The passwords and pseudoparallel represent the n-byte word.

Configured authentication modules are connected to a specially provided in the peripheral terminals and a HUNDRED connectors (in case of implementation of the terminal on the basis of personal computers authentication modules are inserted into the expansion slots).

The process of vzaimootnoshyenii preceded by the setting in the ARC Profile of the Subscriber (the appropriate charges brought by Subscriber Name). The setup is as follows:

set the constants in the block storing the password REQUEST-11;

the census with the machine carrier in the storage unit passwords Subscriber-9 array of passwords M, corresponding to a given Subscriber.

The process of vzaimootnoshyenii is carried out in one session and passes through three phases: initial - ACA, intermediate in the ARC and the final again in ACA.

The creation of a QUERY in ALB-1 occurs for L cycles, each of which is as follows:

in block storing passwords Subscriber-2 (L-th digit "I") sampling and transmission in ALB-1 regular password;

- RNG-3 (L-th digit is "0") generation and transfer in ALB-1 pseudoparallel;

- in shift register analysis MASK-4 shift MASK one bit to the right;

- ALB-1 installing the next word (password or pseudoparallel) on the i-e location (i= 1, . . . , L) generated sequence of words of the QUERY.

After L cycles:

- the shift register unit of analysis MASK 4 is set to the initial value of the MASK - pattern RESPONSE Center, SIV L n-byte words For passwords and L-K pseudoparallel. The sequence they appear in the QUERY is determined by the MASK - L-bit binary word by mixing randomly To units with L-K zeros, where a one indicates the position of one of the passwords, and the zero-one pseudoparallel.

Formed in ALB-1 REQUEST is sent to the ARC.

The intermediate phase. In contrast to the process of forming the QUERY, which consists in mixing passwords with pseudoparalysis, when generating a RESPONSE, on the contrary, is their separation. In the ARC is consistently analyze each word of the QUERY to identify, password it or pseudopanel.

The first word received in ALB-6 REQUEST is sent to the storage unit of the current word REQUEST-7, which in turn generates a control signal that initiates the operation of the unit of analysis of the QUERY words-10 - arrives at the installation to its original state counter address of the array password of the Subscriber. The first word selected from a block of storage of passwords Subscriber-9 (generated by the address counter array passwords start address of the array of passwords) is sent to the comparator 8, wherein it is compared with the received at his first word of the QUERY. Simultaneously with the issuance of the words in the first comparat>the unit of analysis of the QUERY words-10.

In case of a positive comparison result (the output of the first comparator-8 "Yes") at the output of logic element1a signal is generated "I", which goes:

- in counter password REQUEST-13;

in the shift register unit to generate the RESPONSE-14 - on single sign-first class (followed by his shift one digit to the right);

- ALB-6 (through logical element OR as a signal of the completion of the next review cycle (in this case the first word of the QUERY.

From ALB-6 in the storage unit of the current word REQUEST-7 is passed to the next QUERY word, which (the storage unit of the current word REQUEST-7) forms, as in the case of the analysis of the first word of the QUERY, the control signal initiating the operation of the unit of analysis of the QUERY words-10 comes on the installation to its original state counter address of the array password of the Subscriber. After organizing the next review cycle, the next word of the QUERY.

In case of a negative comparison result (the output of the first comparator-8, "No") at the output of logic element2a signal is generated, increasing the content of the counter address of the array password of the Subscriber unit of analysis of the words C the ATA comparison, then the cycle check the next word of the QUERY completes and provides the following. If searching through the entire array of passwords will not give a positive result of the comparison, in this case, the output of the logical element AND a3(as the match signal counter overflow address of the array of passwords and the output signal of the first comparator-8, "NO") will be formed and a signal "0" which will be available in the shift register unit to generate the RESPONSE-14 - zero input the first grade (followed by his shift one digit to the right), and ALB-6 (through logical element OR as a signal cycle is complete, check the next word of the QUERY.

As a result, the completion of L cycles:

- in counter password REQUEST-13 shall be recorded the number identified in the REQUEST password;

- the shift register unit respond-14 must be L-bit binary word, the i-th bit (i= i, . . . , L) is the result of matching is "I" or mismatched - "0" validation of the i-th QUERY words with the words in the array password of the Subscriber;

- ALB-6 (after receipt of the unit of analysis of the QUERY words-10 signal on completion of the review cycle, the last L-th word) on the second output is formed by the solution of the issuance of its content to the second comparator-12. Received in the second comparator 12 of the counter contents of the password REQUEST-13 is compared with the contents of the storage unit the number of password REQUEST-11. Compared, therefore, the actual number of passwords in the structure adopted in the ARC REQUEST with their number, which in this QUERY should be. In case of negative result of the comparison by the second comparator-12 (exit "No") is formed by the signal "Alarm". The coincidence of the actual number, passwords set (indicating a correctly formed Subscriber REQUEST of the second comparator-12 (exit "Yes") is formed by a signal coming into the unit respond-14 to permit issuance in ACA L-bit binary word RESPONSE Center.

The final phase. Adopted in ACA RESPONSE Center is compared in comparator-5 with its standard MASK (with shift register unit of analysis MASKS-4). In case of positive result of the comparison (indicating correctly formed the Centre of the RESPONSE) comparator-5 generates the signal "Norm" negative "Alarm".

The mechanism of vzaimootnoshyenii type "Customer Center" in distributed information management real-time systems containing peripheral which are respectively outputs signals "Normal" and "Alarm" ACA, and the Central authentication module (ARC), which consists of ALB and the first comparator, characterized in that the ACA introduced the unit of analysis MASKS, block storing passwords Subscriber and the random number generator (RNG) with a single output unit MASK through the block storing passwords Subscriber connected to the first input ALB, a second input connected to the zero output of the analysis block MASK through RNG, a L - bit output of the analysis block MASK is connected to the first comparator input, a second input which is the input of the signal RESPONSE of an ARC, the first output ALB connected to control inputs of the block storing passwords Subscriber, RNG and analysis block MASK, and the output signal "Start" ACA is the control input ALB and ALB ACA is designed to generate the second output signal of the REQUEST and transmit this signal to the input ALB ARC, part of the ARC entered serially connected unit of analysis of the QUERY words and the power storing passwords Subscriber, connected in series block storing the password REQUEST, the second comparator and processing unit RESPONSE, and the storage unit of the current word of the QUERY and the count of the password REQUEST, the first output ALB through the storage unit of the current word of Zapalenia password of the Subscriber, the second output of which, the first and second outputs of the first comparator and the control signal output unit store the current QUERY words are connected with the corresponding inputs of the unit of analysis of the QUERY words, the output signal of a complete scan cycle of which is connected to the first input ALB, zero output with the first input of the signal RESPONSE, and a single output to the second input of the signal RESPONSE and counter input password REQUEST, to the control input of which is connected to the second output ALB, a second input which is the input QUERY ACA, and the other output of the second comparator is the output of the signal "Alarm", moreover, the processing unit ANSWER the ARC is designed to generate output words "ANSWER Center" to the second input of the comparator ACA.

 

Same patents:

The invention relates to distributed information and control systems (RIUS), mainly to RIUS with "star" topology, operating information of a confidential nature

The invention relates to distributed information and control systems (RIUS), mainly to RIUS, operating in real time, and can be used in various application systems, operating information of a confidential nature

The invention relates to communication between a mobile user through a computer network, in particular, it relates to a method and device that enables secure authentication of the mobile user in a communication network

The invention relates to access control in a computer system

The invention relates to distributed information and control systems (RIUS), mainly to RIUS, operating in real time, and can be used in various application systems, operating information of a confidential nature

The invention relates to gain access to resources of a computer system or a computer (computing) network, which is protected by a firewall, in response to requests from objects outside the firewall

The invention relates to communication technology and can be used for input and storage of confidential information, including shirokiya

The invention relates to railway automatics and is used in the management of vehicles

The invention relates to computing, and in particular to information and computer systems and networks, and can be used to protect information resources in workstations, informational, and functional (for example, a dedicated secure server, Proxy server, firewall, and t

The invention relates to computing, and in particular to information and computer systems and networks, and can be used for implementing the principles of distributed resources protection of computer systems and networks

The invention relates to computing, and in particular to information and computer systems and networks, and can be used to protect information resources in workstations and information servers

The invention relates to computing, and in particular to information and computer systems and networks, and can be used to protect information resources in workstations, informational, and functional servers

The invention relates to distributed information and control systems (RIUS), mainly to RIUS with "star" topology, operating information of a confidential nature

Processor // 2248608

FIELD: computers, data protection.

SUBSTANCE: processor has bus interface device, device for selection/decoding of commands, device for dispatching/execution, program string decoding device, which string is selected from program and loaded in first levels command cash, which contains a set of N two-input elements XOR, keys memory, storing different N-bit decoding keys.

EFFECT: higher efficiency.

2 dwg

FIELD: technologies for authentication of information.

SUBSTANCE: method includes performing absolute identification for confirming legality of data carrier according to first rule in preset time. Authentication information is recorded on this data carrier in previously set position. Process of arbitrary authentication is performed for confirming legality of said data carrier in accordance to second rule in arbitrary time. First rule includes announcing confirmation of standard match, if information for authentication is detected as registered in selected preset position. Second rule in given arbitrary authentication process includes announcing standard match, if information for authentication is detected as not registered in arbitrary positions, different from given preset position.

EFFECT: higher reliability.

6 cl, 12 dwg

FIELD: computers.

SUBSTANCE: method includes, on basis of contents of central processor registers, received after processor performs some sort of command, by means of mathematical logical operation, forming certain finite control sum and storing it in memory, and on basis of contents of registers, received before start of execution by said processor of directly next command, certain starting checksum is formed, while if starting checksum mismatches finite checksum, error message is generated, which can be followed by halting of processor operation or blocking of chip board with its removal from circulation.

EFFECT: higher reliability.

2 cl, 2 dwg

Up!