Method for data protection from unauthorized access in a LAN

FIELD: computer science.

SUBSTANCE: the method applies a protective mathematical transformation to the service data of a network frame before the frame is handed to the transmission medium of the LAN. The data subjected to this protective transformation is that contained in the headers of link-layer network frames and in the headers of all encapsulated network packets and segments. As a result, the very possibility of interception is prevented.

EFFECT: higher efficiency.

7 cl, 2 dwg

 

The proposed method relates to the field of computing, and in particular to systems for protecting information from unauthorized access.

One of the most common tools used for unauthorized access to information transmitted over a local area network is the protocol analyzer. A protocol analyzer is a hardware/software tool connected to the transmission medium of the LAN and intended for localizing faults and abnormal operating modes of network equipment by capturing and analyzing network traffic. The best-known protocol analyzers can copy all network traffic, or only the network frames matching specified filter criteria, and can buffer the captured frames, visualize them and analyze them in order to reconstruct the original data (files). The filter criteria may be the IP addresses of the parties to the exchange, the protocols used to form the frame, the MAC addresses of the workstations from which or to which the frames are sent, and any other frame parameters given in the service information. The service information of a network frame comprises the contents of all headers and additional service fields that are formed and attached to a segment of unstructured data arriving from applications in the network services as the segment passes from one protocol (layer) of the ISO/OSI open systems interconnection model to the next.

The wrongful use of protocol analyzers is a real threat to the confidentiality of information transmitted over a local area network. A protocol analyzer is connected to the network in the same way as a workstation. The difference is that whereas a workstation can receive only broadcast frames or frames addressed directly to it, the protocol analyzer can copy all network traffic in the transmission medium of the LAN. For this purpose protocol analyzers use network adapters that support, in hardware or in software, the "promiscuous" frame-capture mode.

The most widely used protocol analyzers at present are Network Monitor from Microsoft, WinPcap, ScoopLm, WinDump, THC-parasite, SpyNet Sniffer Pro LAN Sniffer Basic, Packet Tracer, Iris, Hoppa Analyzer, CommView and ASniffer.

The known methods of protecting information from unauthorized access in the transmission medium of a local area network (see, for example, Aveskulov, Ometepec, "Protection to nutrinova terrorism", reference manual, SPb.: BHV-Petersburg, Arlette, 2002) are based mainly on cryptographic protection of information. Current means of cryptographic protection in a LAN concentrate on closing (encrypting) the original information that network services hand over for transmission across the LAN. The disadvantage of this approach is that the service information is not subjected to cryptographic transformation and is transmitted in the LAN medium in the clear. Consequently, when protocol analyzers are used unlawfully, all network frames carrying the original information can be copied from the medium at the physical layer. Guided by the content of the service information of the captured frames, the encrypted original information can be reassembled into files and subjected to cryptanalysis.

Tools for building virtual private networks likewise do not protect network frames from interception at the physical layer of the LAN (see, for example, Eshchanov, "Spinasanta Security local area networks", "Peace and security", No. 2 (46), 2003, p. 33), since they encrypt only from the header of the IP packet at the network layer of the ISO/OSI model.

The aim of the developed method for protecting data from unauthorized access in a local area network is to counter unauthorized copying and modification of network frames in the LAN transmission medium, and the assembly of network packets, segments and files from frames intercepted without authorization in that medium.

This aim is achieved by introducing, into the technical implementation of the ISO/OSI open systems interconnection stack, a security node placed between the MAC sublayer of the data link layer and the physical layer of the ISO/OSI model. Before a network frame is transmitted, the security node extracts the service information preceding the application-layer data field and applies a protective mathematical transformation to the extracted service information. After the protective transformation of the service information is complete, the frame is passed from the security node to the physical layer for subsequent broadcast in the LAN transmission medium. When a frame is received from the physical layer, the security node performs the inverse mathematical transformation of the service information and checks the legitimacy of the received frame by validating the service information after the inverse transformation. The frame is passed to the MAC sublayer of the data link layer only if validation of its service information is positive. If the result of validation is negative, transmission of the frame from the security node to the MAC sublayer is blocked.

The protective mathematical transformation is applied to the information contained in the headers of the link-layer frames and in the headers of all encapsulated network packets and segments. Thus the transformation covers a part of the network frame of fixed size, beginning exactly at the start-of-frame delimiter (SFD) of the link-layer frame and containing the service information of all encapsulated protocols from the data link layer up to the transport layer of the ISO/OSI model.

When a frame is copied from the LAN transmission medium without authorization, the proposed method actively counteracts its passage from the link layer to the higher layers of the ISO/OSI model for further assembly of packets, segments and files, provided that the illegitimate station lacks a means of performing the inverse mathematical transformation of the service information with the given inverse-transform formula. This protective function is obtained because the frame travels through the LAN medium with a checksum value that does not match the one an illegitimate workstation will compute. As a result, a frame intercepted without authorization will be marked as corrupt at the illegitimate station. Even if reception of such a frame is forced, it cannot be used to build packets, segments and files, since in that case the mathematical transformation hides all the service information needed to do so.

The proposed method also defeats protocol-analyzer filtering rules that key on the MAC and IP addresses of legitimate participants in the exchange and on the network protocols they use, thereby counteracting the unauthorized use of protocol analyzers to monitor and capture network traffic at an illegitimate workstation of the LAN.

Validation of the service information by the security node after the inverse mathematical transformation provides timely detection of modification of network frames and blocks the passage of frames modified without authorization from the physical layer to the MAC sublayer of the data link layer.

The above features of the method of protecting information from unauthorized access in a local area network, taken in their functional relationships and compared with the known methods, allow the conclusion that the proposed technical solution meets the criterion of "novelty".

The proposed method of information security in local area networks is aimed not at closing (encrypting) the original information handed over by network services, but at preventing the capture of network frames in the LAN transmission medium and the assembly of intercepted frames into files for further unauthorized use or cryptanalysis. At the same time the method does not exclude the use of cryptographic protection for the information contained in files and in the data fields of network segments, packets and frames. This approach substantially raises the level of protection from unauthorized access in a LAN: it provides protection even without cryptographic protection of information, and when cryptographic protection is used it substantially increases the time required to break a compromised cryptographic system and greatly tightens the requirements on the memory devices used by protocol analyzers. These properties support the conclusion that the proposed technical solution meets the criterion of "inventive step".

The invention is illustrated by graphic materials, in which figure 1 shows the block diagram of a device implementing the proposed method, and figure 2 shows the structure of the service information fields of the network frame that are processed by the device implementing the proposed method.

In figure 1 the following are indicated:

1 - the MAC sublayer of the data link layer of the ISO/OSI model, including the frame transmitting node 1.1 and the frame receiving node 1.2;

2 - the security node, comprising: the mathematical transformation block 2.1; the service information validation block 2.2; the formula setting block 2.3; the inverse mathematical transformation block 2.4;

3 - the physical layer of the ISO/OSI model, containing the frame transmit/receive node 3.1.

Figure 1 shows the block diagram of an implementation of the method, which can be realized in hardware (as part of the network adapter) or in hardware and software (as part of the network adapter driver). To ensure information security in the LAN, the means implementing security node 2 must be installed on all legitimate nodes and stations of the LAN, and all security nodes 2 must be set to the same mathematical transformation formula.

Security node 2 operates as follows.

When a frame is transmitted from transmitting node 1.1 of MAC sublayer 1, the mathematical transformation block 2.1 of security node 2 applies the protective mathematical transformation to the service information contained in the link-layer frame header and in the headers of the encapsulated network packets and segments. Once all transformation operations are complete, the transformed service information, together with the remaining parts of the frame that are not subjected to the transformation, is passed from block 2.1 to the transmit/receive node 3.1 of physical layer 3.

When a frame is received from physical layer 3, the inverse mathematical transformation block 2.4 of security node 2 performs the inverse transformation of the service information. Once all inverse operations are complete, the whole frame is passed to the service information validation block 2.2.

Validation block 2.2 checks the legitimacy of the received frame by validating its service information after the inverse mathematical transformation.

The frame is passed from validation block 2.2 to receiving node 1.2 of MAC sublayer 1 only if validation of its service information is positive. The criteria for correctness of the service information of a frame are:

- the signatures in the headers of frames, packets and segments match their standard values;

- the checksums of the header and data fields of frames, packets and segments match the computed values;

- the sizes of the frames, packets and segments received from the physical layer match the values given in the corresponding fields of the service information.

If validation of the service information is negative, transmission of the frame from validation block 2.2 to receiving node 1.2 of MAC sublayer 1 is blocked. This situation can arise when:

- the frame has been corrupted by electromagnetic interference in the physical-layer transmission medium of the LAN;

- the integrity of the frame has been violated by unauthorized modification of the information it contains;

- the frame was received from a workstation that does not use the security node, which is treated as an unauthorized connection of the transmitting station to the physical-layer transmission medium;

- the frame was received from a workstation whose security node uses a different transformation algorithm (formula), which is likewise treated as an unauthorized connection of the transmitting station to the physical-layer transmission medium.

The formula setting block 2.3 loads the computation algorithms (formulas) into the transformation block 2.1 and the inverse transformation block 2.4 of security node 2, either locally on a particular event (such as a change of hour or time of day) or remotely (for example, by the operator).

Figure 2 shows the fields of service information that are subjected to the protective mathematical transformation in security node 2. As an example, the TCP/IP protocol stack, currently the most popular, is considered.

Information from files destined for transmission over the local computer network is treated by TCP as an unstructured stream of bytes. The incoming data is buffered by TCP. For transmission to the network layer, a contiguous piece of data, called a segment, is cut from the buffer.

TCP forms a header for each segment. The resulting byte array, consisting of the TCP header and the segment, is called a TCP segment.

The TCP segment header has the following fields:

- SP - source port (Source Port), identifies the sender;

- DP - destination port (Destination Port), identifies the recipient;

- SN - sequence number (Sequence Number), the byte number that gives the offset of the segment within the data stream being sent;

- AN - acknowledgement number (Acknowledgement Number), contains the highest byte number of the received segment plus one and serves as a receipt;

- HL - header length (Header Length), the length of the TCP segment header measured in 32-bit words;

- RSV - reserved (ReSerVed), a field reserved for future use;

- CB - code bits (Code Bits), carry service information about the type of the segment;

- WL - window size (Window Length), the advertised window size in bytes;

- CS - checksum (CheckSum) of the segment;

- UP - urgent pointer (Urgent Pointer);

- OPT - options (OPTions), a variable-length field that may be absent; the maximum size of the field is 3 bytes; used for auxiliary tasks, for example negotiating the maximum segment size;

- PDD - padding (PaDDing), a variable-length dummy field used to bring the header size to a whole number of 32-bit words.

The TCP segment formed at the transport layer is passed to the network layer of the ISO/OSI model, represented by IP. IP forms its own header for the received TCP segment. The resulting byte array, consisting of the IP header and the TCP segment, is called an IP packet. The IP packet header has the following fields:

- Vers - IP version number (Version);

- IHL - IP header length (IP Header Length), measured in 32-bit words;

- ST - service type (Service Type), sets the priority of service and the route selection criteria;

- TL - total length (Total Length) of the packet, header and data field included;

- ID - packet identifier (Identification), used when the original packet is fragmented;

- Fs - fragmentation flags (Flags);

- FO - fragment offset (Fragment Offset) of the data field of the current packet from the beginning of the overall data field of the original packet that was fragmented;

- TTL - time to live (Time To Live), the time during which the packet may travel across the network;

- P - protocol identifier (Protocol) of the encapsulated header;

- HCS - header checksum (Header CheckSum) of the IP packet;

- DIP - destination IP address (Destination IP address);

- SIP - source IP address (Source IP address).

The LLC sublayer of the data link layer of the ISO/OSI model is represented by the single LLC protocol (standard 802.2). The LLC protocol forms an LLC frame from the IP packet received from the network layer; the LLC frame has four main fields:

- DSAP - destination service access point address (Destination Service Access Point);

- SSAP - source service access point address (Source Service Access Point);

- Control - the control field;

- Data - the data field containing the encapsulated IP packet.

The LLC frame is bounded by the signature of two one-byte "Flag" fields set to 7Eh = 01111110b and used to determine the boundaries of the LLC frame at the MAC sublayer.

Ethernet (802.3) provides for the formation at the MAC sublayer of a byte array prepared for transmission in the physical-layer medium of the ISO/OSI model. This byte array has the following structure:

- Preamble - seven synchronization bytes, each with the value AAh = 10101010b.

- SFD - start of frame delimiter (Start of Frame Delimiter), one byte with the bit pattern 1010111. The appearance of this pattern signals that a frame is about to be received.

- DA - the recipient's MAC address (Destination Address).

- SA - the sender's MAC address (Source Address).

- L - the length of the data field of the frame.

- Data - the data field, containing from 0 to 1500 bytes. If the data field is shorter than 46 bytes, padding is used to bring the frame up to the minimum allowed length. The padding consists of as many filler bytes as are needed to reach the minimum data field length of 46 bytes required by the 802.3 standard.

- FCS - frame checksum (Frame CheckSum), whose value is computed by the CRC-32 algorithm.

The protective mathematical transformation of the service information contained in the network frame provides the following security properties:

1) a frame copied without authorization by hardware or software that lacks a security node with the given inverse-transform formula is not passed from the link layer to the higher layers of the ISO/OSI model for further processing, analysis and reassembly of packets and segments;

2) a frame copied without authorization by hardware or software that lacks a security node with the given inverse-transform formula will be marked as corrupt, because it travels over the LAN with a false value in the frame checksum field;

3) a frame copied without authorization by hardware or software that lacks a security node with the given inverse-transform formula will be marked as corrupt, because it travels over the LAN with a false value in the frame length field;

4) unauthorized modification of a frame is counteracted, because the true frame length and checksum are not available to the attacker;

5) active resistance to the filtering rules of protocol analyzers used without authorization is provided, because the frame travels over the LAN with mathematically transformed values (false from the point of view of devices that do not have a security node with the given inverse-transform formula) of the source MAC address, the destination MAC address, the source IP address, the destination IP address, the DSAP and SSAP service access point addresses, and the protocol types and versions;

6) passive resistance to the unauthorized use of protocol analyzers is provided, because the method causes overflow of the software buffer used for temporary storage and analysis of captured frames, without any special means of degrading network traffic;

7) the topology of the computer network is hidden, because network addresses are not available to the attacker.
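The frame flow described above, as an added, constructed example that is not part of the patent: a simulated security node builds the 802.3/LLC/IP/TCP frame of figure 2, applies the protective transformation to the 64 bytes starting at the SFD (claim 2), and on receipt performs the inverse transformation and the three validation criteria of block 2.2, while a station without the node sees a failing FCS and transformed address and length fields. The transformation formula (XOR with an HMAC-derived keystream), the secret, the addresses and the LLC constants are assumptions, since the page specifies none of them.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed demo parameters (not from the patent). The patent leaves the
# transformation formula unspecified; XOR with an HMAC-derived keystream is an
# assumed stand-in, and SECRET is what formula-setting block 2.3 would rotate.
SECRET = b"constructed-demo-secret"
PROTECTED_LEN = 64                  # fixed-size region from the SFD (claim 2)
SFD = 0xAB                          # IEEE 802.3 start-of-frame delimiter
DSAP, SSAP, LLC_CTL = 0x06, 0x06, 0x03   # assumed LLC SAPs for IP, UI control
DA = bytes.fromhex("0200000000aa")  # constructed locally administered MACs
SA = bytes.fromhex("0200000000bb")
SRC_IP, DST_IP = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed

def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used for the IP header checksum (HCS)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(payload: bytes) -> bytes:
    """MAC-sublayer output: SFD | DA SA L | LLC | IPv4 | TCP | data | FCS.
    The preamble is omitted so the buffer starts at the SFD, as in claim 2."""
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0, 64, 6, 0, SRC_IP, DST_IP)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    body = bytes([DSAP, SSAP, LLC_CTL]) + ip + tcp + payload
    mac = bytes([SFD]) + DA + SA + struct.pack("!H", len(body)) + body
    # FCS (CRC-32 over DA..data) is computed on the clear frame, before the
    # protective transform, so only a legitimate receiver will see it match.
    return mac + struct.pack("<I", zlib.crc32(mac[1:]))

def keystream(secret: bytes, n: int) -> bytes:
    """Deterministic keystream for the assumed transform (HMAC-SHA256 counter)."""
    blocks = (hmac.new(secret, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def protective_transform(frame: bytes, secret: bytes) -> bytes:
    """Blocks 2.1 / 2.4: XOR the fixed-size service region starting at the SFD
    (link, LLC, IP and TCP headers). XOR is its own inverse."""
    ks = keystream(secret, PROTECTED_LEN)
    return bytes(a ^ b for a, b in zip(frame, ks)) + frame[PROTECTED_LEN:]

def validate(frame: bytes):
    """Block 2.2: header signatures, checksums and size fields. Returns (ok, reason)."""
    if len(frame) < 63:
        return False, "frame too short"
    if frame[0] != SFD:
        return False, "bad SFD signature"
    body = frame[15:-4]
    if struct.unpack("!H", frame[13:15])[0] != len(body):
        return False, "802.3 length field mismatch"
    if struct.unpack("<I", frame[-4:])[0] != zlib.crc32(frame[1:-4]):
        return False, "FCS mismatch"
    if tuple(body[:3]) != (DSAP, SSAP, LLC_CTL):
        return False, "bad LLC signature"
    ip = body[3:]
    if ip[0] != 0x45:                      # version 4, IHL 5 words
        return False, "bad IP version/IHL signature"
    if ip_checksum(ip[:20]) != 0:          # sum over header incl. HCS is zero
        return False, "IP header checksum mismatch"
    if struct.unpack("!H", ip[2:4])[0] != len(ip):
        return False, "IP total length mismatch"
    if ip[9] != 6 or ip[32] >> 4 != 5:     # protocol TCP, TCP HL 5 words
        return False, "bad TCP signature"
    return True, "ok"

def security_node_receive(wire: bytes, secret: bytes = SECRET):
    """Path 3.1 -> 2.4 -> 2.2 -> 1.2: inverse transform, validate, forward the
    frame only on a positive result (None otherwise)."""
    frame = protective_transform(wire, secret)
    ok, reason = validate(frame)
    return (frame if ok else None), reason

def demo(payload: bytes = b"GET / HTTP/1.0\r\n") -> dict:
    """Send one frame through the security node and record what each party sees."""
    frame = build_frame(payload)
    wire = protective_transform(frame, SECRET)   # block 2.1 on transmit
    legit, legit_reason = security_node_receive(wire)
    _, other_formula_reason = security_node_receive(wire, b"other-secret")
    tampered = wire[:20] + bytes([wire[20] ^ 0x01]) + wire[21:]  # flip a bit
    _, tamper_reason = security_node_receive(tampered)
    # A station without the security node checks the FCS over the wire bytes
    # and reads the transformed source MAC and length fields (claims 4 to 6).
    sniffer_fcs_ok = struct.unpack("<I", wire[-4:])[0] == zlib.crc32(wire[1:-4])
    return {"legit_ok": legit == frame, "legit_reason": legit_reason,
            "other_formula_reason": other_formula_reason,
            "tamper_reason": tamper_reason, "sniffer_fcs_ok": sniffer_fcs_ok,
            "sniffer_sa": wire[7:13].hex(), "true_sa": SA.hex(),
            "sniffer_length": struct.unpack("!H", wire[13:15])[0],
            "true_length": len(frame) - 19}
```

A fixed XOR keystream over largely predictable header bytes is recoverable by an observer, so in practice the formula must be kept secret and rotated by block 2.3, and the scheme complements rather than replaces the cryptographic protection the description itself leaves in place.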

The feasibility of the technical realization of the claimed method is explained as follows.

The transmitting node of the MAC sublayer of the data link layer and the transmit/receive node of the physical layer, between which the security node is proposed to be placed, are technically implemented in the network adapter of a LAN workstation. In modern network adapters the MAC-sublayer transmitting node and the physical-layer transmit/receive node are built from different components and are not implemented on a single integrated circuit. This allows the security node to be implemented in a standard LAN network adapter. The blocks making up the security node and implementing the claimed method of information protection can be built on a well-known component base widely described in the technical literature.

2. The method according to claim 1, characterized in that the protective mathematical transformation is applied only to a part of the network frame of fixed size, 64 bytes long, beginning exactly at the start-of-frame delimiter (SFD) of the link-layer frame of the ISO/OSI model.

3. The method according to claim 1, characterized in that, when a network frame is copied without authorization from the LAN transmission medium, the passage of the frame from the link layer to the higher layers of the ISO/OSI model for further assembly of packets, segments and files, bypassing the inverse mathematical transformation of the service information, is blocked.

4. The method according to claim 1, characterized in that protection against unauthorized copying of the network frame is achieved by passing the frame through the LAN transmission medium with a checksum value that does not match the one an illegitimate workstation of the LAN will compute.

5. The method according to claim 1, characterized in that protection against unauthorized copying of the network frame is achieved by passing the frame through the LAN transmission medium with a false value in the length field of the data frame, the true value of which is restored after the inverse mathematical transformation of the service information at a legitimate workstation of the LAN.

6. The method according to claim 1, characterized in that the use of protocol-analyzer filtering rules based on the MAC and IP addresses of legitimate participants in the exchange and on the network protocols they use is precluded, thereby counteracting the unauthorized use of protocol analyzers to monitor and capture network traffic at an illegitimate workstation of the LAN.

7. The method according to claim 1, characterized in that the fact of modification of network frames in transit is detected and the passage of frames modified without authorization from the physical layer to the MAC sublayer of the data link layer is blocked.



 
