RussianPatents.com

Method (variants) and device (variants) for protecting communication channel of a computer network

IPC classes for Russian patent RU 2306599, Method (variants) and device (variants) for protecting communication channel of a computer network:

G06F21 - ELECTRIC DIGITAL DATA PROCESSING (computers in which a part of the computation is effected hydraulically or pneumatically G06D, optically G06E; computer systems based on specific computational models G06N; impedance networks using digital techniques H03H)

FIELD: information security of digital communication systems; applicable in distributed computing networks interconnected through the Internet.

SUBSTANCE: in the method, the initial data are set and the initial data packet is generated at the sender side. The data packet is then encoded and converted to TCP/IP format, the current sender and receiver addresses are inserted into it, and the resulting packet is transmitted, after which the sender address is replaced. At the receiver side the sender and receiver addresses are extracted and compared with predetermined addresses: on mismatch the received packet is not analyzed; on match the encoded data is extracted from the received packet and decoded, after which the receiver address is replaced. The sender then forms the next initial data packet. The protection device consists of two identical local protection segments 3_1 and 3_k, one connected to local computing network 1_1 and the other to local computing network 1_k. The local computing networks are interconnected through the corresponding routers 4_1, 4_k and the Internet.

EFFECT: increased security and concealment of communication channel operation.

6 cl, 27 dwg


The technical solutions, combined by a single inventive concept, relate to the field of information security of digital communication systems and can be used in distributed computing networks interconnected through the Internet.

A known method of protection against unauthorized exchange between a first computer network and a second computer network is implemented in the "System of protection for related computer networks", RF patent No. 2152691, IPC G06F 12/14, published 10.07.2000.

The method consists of the following: a communication message is received at the first network interface of the first computer network in a first network protocol format. The communication message is converted to a second network protocol format, as a result of which the source and destination address information is removed from the communication message. The communication message is transmitted to the second network interface. At the second network interface the inverse conversion of the communication message back to the first network protocol format is performed. After the inverse conversion the communication message is transmitted to the second computer network.

The disadvantage of this method is the high probability of a breach of confidentiality when a virtual private network is used, namely interception and reconstruction of the virtual private network's traffic at some point in the Internet.

Also known is a method of protecting a virtual channel, implemented in the "System for protecting a virtual channel of a corporate network with a mandate-based principle of access control to resources, built on communication channels and switching means of a public communication network", RF patent No. 2163727, IPC G06F 13/00, 12/14, published 27.02.2001.

The method consists of the following steps: the client negotiates its access rights with the firewall, and the firewall performs its checks. If all checks pass, a packet permitting the connection between the client and the firewall is formed. This packet reaches the client by way of the transceiver unit and the encryption/decryption and digital signature unit, and is then passed to the closed-protocol forming unit. Packets are then sent as in a standard connection, except that in each packet the IP address of the destination server is replaced with the IP address of the corporate firewall.

The disadvantage of this method is the high probability of penetration into the corporate network at its point of connection to the Internet and/or disruption of its normal operation.

A known method of protecting information circulating in a distributed telecommunication system during transmission over shared communication channels is implemented in the "Distributed telecommunication system for transmitting divided data intended for separate transmit and receive", patent US 6912252, IPC H04L 12/56; H04L 12/28, published 08.11.2001.

The method consists of the following: the sender's original data is divided into N parts. Combinations of these parts then form groups of intermediate data. The intermediate data is transmitted independently over N communication channels. The recipient accepts the groups of intermediate data arriving over the N channels and restores the original data.

The disadvantage of this method is relatively low security, because the information is transmitted in the clear, and low secrecy, because the larger number of communication channels raises the probability of detecting the identities of the system's members during information exchange and hence of recognizing the structure of the distributed telecommunication system.

The closest in technical nature to the claimed method is the "Method of protecting a corporate virtual private computer network from unauthorized exchange of information with a public transport network", RF patent No. 2182355, IPC G06F 12/14, 9/00, published 10.05.2002.

The method consists of the following steps: a table of sender and recipient addresses and their correspondence to identifiers is generated in advance. The sender forms the original data packet. The identifiers of the sender and recipient are determined. The data packet is encoded. Additional information (the identifiers of the sender and recipient) is added to the message packet. The resulting packet is converted to TCP/IP format. The current addresses of the sender and recipient are included in the converted TCP/IP data packet. The generated packet is transmitted. The recipient receives the transmitted packet. The addresses and identifiers of the message sender and recipient are extracted from the received message packet. The recipient compares the extracted addresses and identifiers of the message sender and recipient with the pre-stored addresses and identifiers of the message sender and recipient. If they do not match, the received message packet is not analyzed; if they match, the encoded data is extracted from the received packet. The received data is decoded. The correspondence between the sender and recipient addresses and identifiers contained in the received packet and those previously recorded in the third memory block is checked. If they correspond, the decoded data packet is passed to the message recipient.

The disadvantage of the prototype is relatively low security and secrecy of communication, because the communication channel can be detected on a segment that is part of the Internet by identifying the addresses of the correspondents, and because the structure of the distributed computing network can be disclosed.

Also known is the "System of protection for related computer networks" against unauthorized exchange between a first computer network and a second computer network, RF patent No. 2152691, IPC G06F 12/14, published 10.07.2000.

The system includes first and second network interfaces, each with a network interface adapter for communicating with the first and second network, respectively. Each network interface is further provided with a transfer adapter for exchange with the transfer adapter of the other network interface, and with network software that prevents routing service information from passing between the network interface adapter and the transfer adapter of each network interface. Each network interface further comprises protocol translation software.

The disadvantage of this system is the relatively low security of a communication channel built as a virtual private network, which allows the virtual private network's traffic to be intercepted and reconstructed at some point in the Internet.

Also known is the "System for protecting a virtual channel of a corporate network with a mandate-based principle of access control to resources, built on communication channels and switching means of a public communication network", RF patent No. 2163727, IPC G06F 13/00, 12/14, published 27.02.2001.

The system contains M corporate firewalls, each consisting of a transceiver unit, a packet filtering unit, an encryption/decryption and electronic signature unit, and a unit for client authentication by identifier, password and service. The first input/output of the corporate firewall is the first input/output of the transceiver unit; the second input/output of the transceiver unit is connected to the first input/output of the packet filtering unit, whose second input/output is connected to the first input/output of the encryption/decryption and digital signature unit; the first input/output of the corporate firewall is the first input/output of the protection system. Each corporate firewall also includes a closed-protocol forming unit, a unit for client authentication by IP address, a unit for access permissions by logical server name, a unit for issuing a mandate to request the corresponding action, a unit for verifying the client's mandate and the mandated actions, and an operational control unit.

The disadvantage of this system is that it does not provide fully secure communication between the clients and servers of a distributed computing network, which results in a high probability of penetration into the computing network at its point of connection to the Internet and/or disruption of its normal operation.

Also known is the "Distributed telecommunication system for transmitting divided data intended for separate transmit and receive", patent US 6912252, IPC H04L 12/56; H04L 12/28, published 08.11.2001.

The system contains sending and receiving devices connected by N channels.

The disadvantage of this system is the relatively low security of the information transmitted over the communication channels, due to the absence of encoding means, and low secrecy of communication, because additional identifiers of the elements of the distributed telecommunication system are introduced as the number of communication channels between these elements grows.

The closest in technical nature to the claimed device is the "System for protecting a corporate virtual private computer network from unauthorized exchange of information with a public transport network", RF patent No. 2182355, IPC G06F 12/14, 9/00, published 10.05.2002.

In the system for protecting a corporate virtual private computer network from unauthorized exchange of information with the public transport network, the corporate virtual private network contains two processors and two routers interconnected through an interface. One router is connected to the local area network (LAN) of the corporate virtual private computer network, to the encoding and decoding means, and to a first memory block designed for recording and storing tables of additional information about the message sender and recipient. The second router is connected to the Internet and to a second memory block that stores a table of message source and destination addresses.

The disadvantage of the prototype system is relatively low security and secrecy of the communication channel's operation. This is because the communication channels of the remote segments of the computing network, built on the virtual private network principle and interconnected through the Internet, are easily distinguished by traffic analysis at some point in the Internet: they are characterized by a high intensity of message packet exchange with the same correspondent addresses and by an encoded information component in the message packets. This makes it possible to determine the addresses of the remote segments of the computing network and to disclose the structure of the distributed computing network. Such information is sufficient to disrupt information exchange or to carry out destructive actions against the distributed computing network.

The purpose of the claimed technical solution is to develop a method (variants) and a device (variants) for protecting a communication channel of a computing network that provide increased security and secrecy of the channel's operation in the Internet. This is achieved by making it harder to determine the addresses of, and identify the links between, the remote segments of the distributed computing network by traffic analysis at some point in the Internet: the sender and recipient addresses in the transmitted message packets change continuously, which makes determining them and associating them with a specific network user, or disclosing the structure of the distributed computing network, practically impossible.

In the first variant of the method, this objective is achieved as follows. In the known method of protecting a communication channel of a computing network, the initial data, including the addresses of the message sender and recipient, are set in advance; the sender forms the original data packet, encodes it, converts it to TCP/IP format, includes the current sender and recipient addresses and transmits the generated information message packet to the recipient; the recipient extracts the sender and recipient addresses from the received message packet and compares them with the predefined addresses; if they do not match, the received packet is not analyzed, and if they match, the encoded data is extracted from the received message packet and decoded. In the claimed method, the preset initial data additionally include a base of N sender addresses and S recipient addresses (in the address symbols below, a trailing o marks an address stored at the sender and a trailing p an address stored at the recipient). From this base the current sender address A_TO and the current recipient address A_TP are assigned and memorized. The assigned addresses A_TO and A_TP are also memorized at the recipient as the return sender address A_GSp and the return recipient address A_OPp. The sender is then provided with information about the return sender address A_GSo and the return recipient address A_OPo: the sender selects from the preset base a return sender address A_GSo and a return recipient address A_OPo and memorizes them. To form the information message packet, the sender includes the return sender address A_GSo and the return recipient address A_OPo in the original data packet. After converting the encoded data packet to TCP/IP format, the sender includes in it the pre-stored current sender address A_TO and current recipient address A_TP, transmits the information message packet from the sender to the recipient, and then replaces its previously assigned current address A_TO with the pre-stored return sender address A_GSo.
The recipient extracts the encoded data from the received information message packet and decodes it. The return sender address A_GSo and the return recipient address A_OPo are extracted from the decoded data and memorized as the current sender address A_TO and the current recipient address A_TP, after which the recipient replaces its current address A_TP with the new recipient address A_OPo extracted from the decoded data. The recipient is then provided with information about the return sender address A_GSp and the return recipient address A_OPp: the recipient selects from the preset base a return sender address A_GSp and a return recipient address A_OPp and memorizes them. The recipient forms a notification message packet: it forms an original packet acknowledging receipt of the information message packet and an intermediate packet by including in the original data packet the return sender address A_GSp and the return recipient address A_OPp. The intermediate data packet is encoded and converted to TCP/IP format, and the pre-stored current sender address A_TO and current recipient address A_TP are included in it. The generated notification message packet is transmitted from the recipient to the sender, after which the recipient replaces its current address A_TP with the pre-stored return recipient address A_OPp. The sender receives the notification message packet and extracts the sender address A_TO and the recipient address A_TP from it. It compares them with the return sender address A_GSo and the return recipient address A_OPo pre-stored at the sender. If they do not match, the received notification message packet is not analyzed; if they match, the encoded data is extracted from the received notification message packet and decoded, and the return sender address A_GSp and the return recipient address A_OPp are extracted from it.
The return recipient address A_OPp and the return sender address A_GSp extracted from the decoded data are memorized as the current recipient address A_TP and the current sender address A_TO, and the sender's current address A_TO is replaced with the new sender address A_GSp extracted from the decoded data. The sender then again forms the information about the return sender address A_GSo and the return recipient address A_OPo.

The numbers N and S of sender and recipient addresses are chosen in the ranges N = 10 to 256 and S = 10 to 256.

The return sender address A_GSo and the return recipient address A_OPo at the sender, and the return sender address A_GSp and the return recipient address A_OPp at the recipient, are chosen randomly or by a predetermined rule.
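The round trip of the first variant, as an added example that is not code from the patent: a Python simulation of one sender segment and one recipient segment that carry the next address pair inside the encoded payload and switch addresses after every transmission, so an observer on the Internet segment sees a different outer address pair on each packet and a replayed packet no longer matches. The address bases, the cursor-based "predetermined rule" for choosing return addresses, and the XOR placeholder standing in for the patent's unspecified coder are constructed assumptions.

```python
import json

# Constructed address bases (RFC 5737 documentation ranges): N = 12, S = 8.
SENDER_BASE = [f"192.0.2.{i}" for i in range(1, 13)]
RECIPIENT_BASE = [f"198.51.100.{i}" for i in range(1, 9)]
KEY = b"demo-shared-key"  # constructed; the patent does not fix the coder


def encode(fields):
    """Placeholder for the patent's encoding step: JSON XORed with a repeating
    key. Not a cipher; it only marks which fields travel encoded."""
    raw = json.dumps(fields).encode()
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(raw))


def decode(blob):
    return json.loads(bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(blob)))


def pick_pair(cursor):
    """Constructed 'predetermined rule' for return addresses: walk both bases
    cyclically. The patent allows a random choice here instead."""
    return SENDER_BASE[cursor % len(SENDER_BASE)], RECIPIENT_BASE[cursor % len(RECIPIENT_BASE)]


class Sender:
    def __init__(self, a_to, a_tp, cursor):
        self.cursor = cursor
        self.current_sender = a_to     # A_TO: address this segment listens on
        self.current_recipient = a_tp  # A_TP: address the next packet goes to
        self._pick_return_pair()

    def _pick_return_pair(self):
        # A_GSo / A_OPo: the pair both sides will use after this round trip
        self.ret_sender, self.ret_recipient = pick_pair(self.cursor)
        self.cursor += 1

    def send(self, data):
        inner = {"data": data, "ret_sender": self.ret_sender,
                 "ret_recipient": self.ret_recipient}
        pkt = {"src": self.current_sender, "dst": self.current_recipient,
               "payload": encode(inner)}
        self.current_sender = self.ret_sender  # move to A_GSo right after sending
        return pkt

    def receive_ack(self, pkt):
        # The acknowledgment must carry the return pair handed to the recipient.
        if (pkt["dst"], pkt["src"]) != (self.ret_sender, self.ret_recipient):
            return None  # not analyzed
        inner = decode(pkt["payload"])
        self.current_sender = inner["ret_sender"]        # A_GSp becomes A_TO
        self.current_recipient = inner["ret_recipient"]  # A_OPp becomes A_TP
        self._pick_return_pair()
        return inner["ack"]


class Recipient:
    def __init__(self, a_to, a_tp, cursor):
        self.cursor = cursor
        self.expected = (a_to, a_tp)   # A_GSp / A_OPp: pair the next packet must carry
        self.current_recipient = a_tp  # address this segment listens on
        self.received = []

    def receive(self, pkt):
        if (pkt["src"], pkt["dst"]) != self.expected:
            return None  # not analyzed
        inner = decode(pkt["payload"])
        self.received.append(inner["data"])
        a_to, a_tp = inner["ret_sender"], inner["ret_recipient"]  # A_GSo / A_OPo
        self.current_recipient = a_tp
        # Choose an own return pair A_GSp / A_OPp and announce it inside the ack.
        self.expected = pick_pair(self.cursor)
        self.cursor += 1
        ack_inner = {"ack": len(self.received), "ret_sender": self.expected[0],
                     "ret_recipient": self.expected[1]}
        ack = {"src": a_tp, "dst": a_to, "payload": encode(ack_inner)}
        self.current_recipient = self.expected[1]  # move to A_OPp after sending
        return ack


def run_exchange(messages):
    """Run one round trip per message. Returns the data the recipient accepted,
    the (src, dst) pairs an observer in the Internet sees, and whether a replay
    of the first packet is rejected once the addresses have moved on."""
    a_to, a_tp = SENDER_BASE[0], RECIPIENT_BASE[0]  # initial assignment from the base
    sender = Sender(a_to, a_tp, cursor=1)
    recipient = Recipient(a_to, a_tp, cursor=6)
    observed, first = [], None
    for msg in messages:
        pkt = sender.send(msg)
        first = first or pkt
        observed.append((pkt["src"], pkt["dst"]))
        ack = recipient.receive(pkt)
        observed.append((ack["src"], ack["dst"]))
        sender.receive_ack(ack)
    return recipient.received, observed, recipient.receive(first) is None
```

The outer headers of consecutive data packets share no address, while the pair to use next never appears outside the encoded payload.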

In the second variant of the method, this objective is achieved as follows. In the known method of protecting a communication channel of a computing network, the initial data, including the addresses of the message sender and recipient, are set in advance; the sender forms the original data packet, encodes it, converts it to TCP/IP format, includes the current sender and recipient addresses and transmits the generated information message packet to the recipient; the recipient extracts the sender and recipient addresses from the received message packet and compares them with the preset current addresses; if they do not match, the received packet is not analyzed, and if they match, the encoded data is extracted from the received message packet and decoded. In the claimed method, the preset initial data additionally include a base of N sender addresses and S recipient addresses. From this base the current sender address A_TO and the current recipient address A_TP are assigned and memorized. The sender and recipient are given a selection function for the current sender address, F_N(i), and for the current recipient address, F_S(i), where i = 1, 2, 3, ..., according to which a new current address is assigned at the i-th step. The address-change step counters are set to one: i_o = 1 and i_p = 1. After the transfer of an information packet from the sender to the recipient, the sender is provided with information about the new current sender address A_TOi and the new current recipient address A_TPi: the sender designates from the preset base, according to the predefined selection functions, the new current sender address A_TOi = F_N(i) and recipient address A_TPi = F_S(i) and memorizes them as the current sender address A_TO and the current recipient address A_TP. The sender then replaces its current address A_TO with the new current sender address A_TOi and increments the counter i_o by one (i_o = i_o + 1). The recipient extracts the encoded data from the received information message packet and decodes it.
Provide the recipient with information about new current address of the sender Andtheniand the recipient AndTPi/sup> why designate the recipient of the specified base address in accordance with pre-defined functions select new current address of the sender Andtheni=FN(i) recipient AndTPi=FS(i). Remember them as the current address of the sender Andthenand the recipient AndTP. The recipient replace his current address to the new current address of the recipient AndTPiand increase the number of ipper unit (ip=ip+1). Then re-form the sender information packet message.

The numbers N and S of sender and recipient addresses are chosen in the ranges N = 10-256 and S = 10-256.

As the selection functions F_N(i) and F_S(i) for the sender and recipient addresses, the sequence of Fibonacci numbers is used, where F_{N,S}(i) is the position of the corresponding address pair in the pre-formed address base at the i-th step of assigning a new current address.

In the third variant of the method, the objective is achieved in that the known method of secure communication in a computer network (initial data including the sender and recipient addresses are specified in advance; the sender forms an original data packet, encodes it, converts it to TCP/IP format, includes the current sender and recipient addresses and transmits the resulting message packet to the recipient; the recipient extracts the sender and recipient addresses from the received packet, compares them with the preset current addresses, leaves the packet unanalysed if they differ and on a match extracts the encoded data and decodes it) is supplemented as follows. The maximum number K of same-address packets (packets carrying the same sender and recipient addresses) is preset, and a function F_K(i) is specified that determines the number Δk of message packets to be sent with the same sender and recipient addresses. The counters of sent and received message packets are set to zero, j_o = 0 and j_p = 0, and the number Δk is computed with F_K(i). A base of N sender addresses and S recipient addresses is set; from it the initial current sender address A_S and recipient address A_R are assigned and stored. The sender and recipient are then given the selection functions F_N(i) and F_S(i), i = 1, 2, 3, ..., by which a new current address is assigned at the i-th step, and the address-change step counters are set to one, i_o = 1 and i_p = 1. After a message packet has been transferred from sender to recipient, the sender increments its counter of sent packets j_o (j_o = j_o + 1) and compares j_o with the preset Δk; if they differ, the process proceeds to reception of the message packet at the recipient.
If they match, j_o is reset to 0, the step number i_o is incremented (i_o = i_o + 1) and the next value of Δk is computed. The sender then forms the information on the new current addresses A_S,i and A_R,i: from the base, according to the predefined functions, it selects A_S,i = F_N(i) and A_R,i = F_S(i), stores the selected addresses as the current addresses A_S and A_R, and replaces its own current address A_S with the new current sender address A_S,i. After the recipient has extracted the encoded data from the received information message packet and decoded it, it increments its counter of received packets j_p (j_p = j_p + 1) and compares j_p with the precomputed Δk; if they differ, the process proceeds to the formation of the next message packet by the sender. If they match, j_p is reset to 0, i_p is incremented (i_p = i_p + 1) and the new Δk is computed. The recipient then forms the information on the new current addresses in the same way: from the base, according to the predefined functions, it selects A_S,i = F_N(i) and A_R,i = F_S(i), stores them as the current addresses A_S and A_R, and replaces its own current address A_R with the new current recipient address A_R,i. The sender then forms the next message packet.

The numbers N and S of sender and recipient addresses are chosen in the ranges N = 10-256 and S = 10-256.

The value of K, the maximum number of same-address packets, is chosen in the range K = 200-250.

As the function determining the number Δk of message packets with the same sender and recipient addresses, the sequence of Fibonacci numbers is used.

As the selection functions F_N(i) and F_S(i) for the sender and recipient addresses, the sequence of Fibonacci numbers is used, where F_{N,S}(i) is the position of the corresponding address pair in the pre-formed address base at the i-th step of assigning a new current address.

In the first embodiment of the device for protecting the communication channel of a computer network, the objective is achieved in that the known device, which contains a local protection segment (LSS) whose first and second input/outputs are connected respectively to the LAN and to the router connected to the Internet, and which contains an address base storage block (BHBA), a processor and a coding/decoding block (KD) whose information input and output and "password" and "conversion type" inputs are connected to the corresponding processor ports, is supplemented within the LSS by an address selection block (BVA), operational storage blocks for the return address and the current address (BOHOA and BOHTA), and first and second network adapters (SA). The control input of the BVA is connected to the processor's "address" port, and the x-bit output of the BVA is connected to the x-bit input of the BHBA, whose m-bit output is connected to the m-bit input of the BOHOA. The control input and m-bit output of the BOHOA are connected respectively to the processor's "return address" request port and m-bit "return address" port. The control input and m-bit output of the BOHTA are connected respectively to the processor's "current address" request control output and m-bit "current address" port, and the m-bit "change current address" input of the BOHTA is connected to the processor's m-bit "change current address" port. The n-bit output and input of the first SA are connected respectively to the processor's n-bit "source packet" input and output; the "local network" port of the first SA is the first input/output of the LSS. The p-bit input and output of the second SA are connected respectively to the processor's p-bit "information/notification" output and input, the processor's t-bit control port is connected to the t-bit control input of the second SA, and the "Internet" port of the second SA is the second input/output of the LSS.

In the second embodiment of the device for protecting the communication channel of a computer network, the objective is achieved in that the known device (an LSS whose first and second input/outputs are connected respectively to the LAN and to the router connected to the Internet, containing a BHBA, a processor and a KD block whose information input and output and "password" and "conversion type" inputs are connected to the corresponding processor ports) is supplemented within the LSS by a BVA, a BOHTA and first and second SAs. The control input of the BVA is connected to the processor's "address" port, and the x-bit output of the BVA is connected to the x-bit input of the BHBA. The m-bit output of the BHBA is connected to the m-bit input of the BOHTA. The control input and m-bit output of the BOHTA are connected respectively to the processor's "current address" request port and m-bit "current address" port. The n-bit output and input of the first SA are connected respectively to the processor's n-bit "source packet" input and output; the "local network" port of the first SA is the first input/output of the LSS. The p-bit input and output of the second SA are connected respectively to the processor's p-bit "information/notification" output and input, the processor's t-bit control port is connected to the t-bit control input of the second SA, and the "Internet" port of the second SA is the second input/output of the LSS.

In the third embodiment of the device for protecting the communication channel of a computer network, the objective is achieved in that the known device (an LSS whose first and second input/outputs are connected respectively to the LAN and to the router connected to the Internet, containing a BHBA, a processor and a KD block whose information input and output and "password" and "conversion type" inputs are connected to the corresponding processor ports) is supplemented within the LSS by a BVA, a BOHTA, first and second SAs, a same-address packet counter (SOP) and a block for selecting the number of same-address packets (BVCAP). The control input of the BVA is connected to the processor's "address" port, and the x-bit output of the BVA is connected to the x-bit input of the BHBA. The m-bit output of the BHBA is connected to the m-bit input of the BOHTA, whose control input and m-bit output are connected respectively to the processor's "current address" request port and m-bit "current address" port. The control inputs "request same-address packet" and "reset" and the s-bit output of the SOP are connected respectively to the processor's "request same-address packet" and "reset" ports and s-bit "same-address packets" input. The control inputs "request number" and "start" and the s-bit output of the BVCAP are connected respectively to the processor's "request number" and "start" ports and s-bit "number" input. The n-bit output and input of the first SA are connected respectively to the processor's n-bit "source packet" input and output; the "local network" port of the first SA is the first input/output of the LSS. The p-bit input and output of the second SA are connected respectively to the processor's p-bit "information/notification" output and input, the processor's t-bit control port is connected to the t-bit control input of the second SA, and the "Internet" port of the second SA is the second input/output of the LSS.

Owing to the new essential features, each variant of the method and the devices implementing them achieve a continuous change of the sender and recipient addresses in the message packets, which makes it practically impossible to determine those addresses, to identify the network membership of particular users or to uncover the structure of the distributed computer network; that is, the stated technical result, increased security and covertness of the communication channel's operation, becomes achievable.

The applicant's analysis of the prior art has established that no analogues exist whose set of features is identical to all features of the claimed technical solutions, which indicates that the device meets the patentability condition of "novelty".

A search of known solutions in this and related fields of technology for features matching the distinctive features of each claimed variant relative to the prototype showed that they do not follow explicitly from the prior art. The prior art also revealed no known influence of the transformations prescribed by the essential features of the claimed invention on achieving the technical result. The claimed invention therefore meets the patentability condition of "inventive step".

The claimed objects of the invention are illustrated by the drawings, which show:

figure 1 - an example of the typical structure of a distributed computer network;

figure 2 - the structure of a message packet;

figure 3 - the structure of the IP header of a message packet;

figure 4 - an example base of sender and recipient addresses;

figure 5 - a block diagram of the algorithm implementing the first variant of the claimed method of secure communication in a computer network;

figure 6 - a drawing explaining the transmission and reception of information and notification message packets in the first variant of the method;

figure 7 - a block diagram of the algorithm implementing the second variant of the claimed method of secure communication in a computer network;

Fig. … - an example table assigning the address-pair number depending on the number of the address-change step;

figure 9 - a drawing explaining the transmission and reception of information and notification message packets in the second variant of the method;

figure 10 - a block diagram of the algorithm implementing the third variant of the claimed method of secure communication in a computer network;

figure 11 - a table assigning the number of same-address packets depending on the number of the address-change step;

Fig. … - a distributed computer network with the first variant of the protection device;

Fig. … - a generalised distributed computer network equipped with the device for protecting the communication channel of the computer network;

Fig. … - the LSS in the first embodiment of the protection device;

Fig. … - a diagram of the BVA 3.1 in the first embodiment of the device;

Fig. … - a block diagram of the algorithm of the processor 3.2 in the first embodiment of the device;

Fig. … - a diagram of the BOHOA 3.6 (BOHTA 3.7);

Fig. … - a distributed computer network with the second embodiment of the protection device;

Fig. … - the LSS in the second embodiment of the protection device;

Fig. … - a diagram of the BVA 3.1 in the second embodiment of the device;

Fig. … - a block diagram of the algorithm of the processor 3.2 in the second embodiment of the device;

Fig. … - a distributed computer network with the third embodiment of the protection device;

Fig. … - the LSS in the third embodiment of the protection device;

Fig. … - a block diagram of the algorithm of the processor 3.2 in the third embodiment of the device;

Fig. … - a diagram of the BVCAP 3.7;

Fig. … - the general scheme of the experiment;

Fig. … - a drawing representing the structure of the distributed computer network determined in the course of the experiment.

The implementation of these methods is explained as follows. When remote segments of a distributed computer network are joined through a public telecommunication network (for example, the Internet), the task of ensuring secure communication becomes more complex. This is due to the emergence of a practically unlimited range of potential threats: unauthorised access to information, its interception during transmission over the communication channels, or destructive effects on the computer network. The task of protecting the information part of message packets is effectively solved by cryptography. However, even without the ability to decode the intercepted information, an intruder can disrupt the normal functioning of the computer network by destructive action on the telecommunication equipment, because the sender and recipient addresses of the message packets are transmitted in the clear. There is thus a contradiction between the need to transmit the sender and recipient addresses of message packets openly over the communication channels and the requirement to ensure the security of the computer network, since disclosure of the true addresses of the correspondents creates the preconditions for destructive effects on the network. The claimed technical solutions are directed at resolving this contradiction.

The first variant of the claimed method is implemented as follows. In the general case a LAN is a set of computers, peripherals and communication equipment joined by physical communication lines. All these elements are distinguished by identifiers, which in the most widespread protocol stack, TCP/IP, are network addresses (IP addresses). When distributed processing, formation and (or) transmission of information is required, remote LANs are joined, for example through the Internet, forming a distributed computer network. In such a combination the terminal communication equipment is also identified by network addresses, and the addresses of the terminal communication equipment and of the LAN elements do not overlap.

To transfer information between remote LANs (for example LAN1 and LAN2 in Fig. …a), a communication channel is established through the interaction protocols; here a communication channel is understood as the flow of information from sender to recipient.

The information flow from LAN1 to LAN2 passes through the routers and the Internet (Fig. …a). In general this model can be simplified and represented as the terminal communication equipment of the correspondents (the sender and recipient of message packets) and a communication channel between them (Fig. …b).

For secure transmission of data over a network connection (for example the Internet), cryptographic protection of the information part of the message packets is applied (figure 2). When such mechanisms are used, only the IP header is transmitted in the clear. The structure of the IP header is known and is shown in figure 3, where the sender and recipient address fields of the message packet are hatched.

During dynamic changes of network addresses, the sender and recipient must coordinate them. To do this, both correspondents define in advance a base of N sender addresses and S recipient addresses. The numbers N and S are chosen according to the size of a standard subnet. In particular, for a class C subnet the values can be set in the ranges N = 10-255 and S = 10-255, because the number of subscribers in such a subnet does not exceed 255 (the classification of subnets is known and described, for example, in Olifer V.G. and Olifer N.A., "Computer networks. Principles, technologies, protocols", textbook for universities, 2nd ed., SPb.: Piter, 2003). An example address base, presented as a table, is shown in figure 4. The first column of the table gives the sequence number of the sender or recipient address in the base. The second and fourth columns contain the corresponding sender and recipient addresses. IP addresses, which are 4 bytes (32 bits) long, are shown in the table in the most common dotted-decimal notation (the decimal form of IP addresses is known and described, for example, in the same book by Olifer V.G. and Olifer N.A., 2nd ed., SPb.: Piter, 2003). The third and fifth columns hold additional information about the addresses: for example, they mark the current sender and recipient addresses A_S and A_R and the return addresses of the sender A_S^o and recipient A_R^o.

All components of message packets (figures 2, 3) are electromagnetic signals in digital (binary) form. The actions on them considered below are transformations of those signals that change their parameters (the total number of bits and the sequence of zero and one values).

Figure 5 shows a block diagram of the algorithm explaining the sequence of actions that implement the claimed method of secure communication in a computer network.

At the initial stage, the current sender address A_S and recipient address A_R of the message are assigned from the address base (Fig. 5). During installation and configuration of the device, the system administrators can assign the current addresses either strictly according to instructions or by coordinating their actions by telephone. The current addresses are stored by entering the designations A_S and A_R in the additional-information field of the table (see figure 4). Moreover, the recipient stores the assigned addresses A_S and A_R as the return address of the sender A_S^p and the return address of the recipient A_R^p.

From the pre-formed address base the sender selects, at random or by a predetermined algorithm, the return addresses of the sender A_S^o and of the recipient A_R^o and stores them (Fig. 5) by entering the designations A_S^o and A_R^o in the table (see figure 4).

First the sender forms the original data packet (Fig. 5), in which a 64-bit field is additionally reserved. Then the intermediate packet is formed (see Fig. …a): the return addresses of the sender A_S^o and recipient A_R^o, 64 bits of information previously recorded in the table (figure 4), are placed in the reserved field of the original data packet (Fig. 5).

The resulting intermediate packet (Fig. …a, Fig. 5) is then encoded by any known coding method (see, for example, Moldovyan N.A. et al., "Cryptography: from primitives to synthesis", SPb.: BHV-Petersburg, 2004) and converted to TCP/IP format (Fig. 5). The conversion consists of adding an IP header to the encoded data packet. The resulting packet is an information message packet (Fig. …a), whose general structure is shown in figure 2. The pre-stored current addresses A_S and A_R are placed in the sender and recipient address fields of the IP header (figure 3, Fig. 5), and the information message packet is transmitted to the recipient (Fig. 5). The sender then replaces its previously assigned current address A_S (Fig. 5) with the previously stored return address of the sender A_S^o (in the additional-information field the designation A_S^o is replaced by A_S). In doing so, a command to change the address, together with the address itself, is sent to the router connected to the Internet. The address-change mechanism is the same for sender and recipient owing to identical hardware and/or software.

After the recipient receives the information message packet (Fig. …, Fig. 5), the sender and recipient addresses A_S and A_R are extracted from its header (Fig. 5) and compared (Fig. 5), for example bit by bit, with the sender and recipient addresses A_S^p and A_R^p preset in the table. If the addresses differ, the received packet is not analysed, because the sender is not an authorised participant in the information exchange. If they match, the encoded data is extracted from the received message packet (Fig. 5) by separating the IP header, and decoded (Fig. 5).

Then the first 64 bits, containing the return addresses of the sender A_S^o and of the recipient A_R^o, are extracted from the decoded data (Fig. 5) and stored as the current addresses A_S and A_R (Fig. 5), with the corresponding designations entered in the additional-information field of the table (see figure 4). The recipient's current address A_R is then replaced with the new recipient address extracted from the decoded data (Fig. …, Fig. 5).

Next the recipient forms the information on the return addresses of the sender A_S^p and recipient A_R^p (Fig. 5). To do this the recipient selects, at random or by a predetermined rule, addresses from the pre-formed base as the return addresses of the sender A_S^p and recipient A_R^p and stores them, entering the corresponding designations in the additional-information field of the table (figure 4).

To confirm receipt of the sender's packet, the recipient forms a notification message packet (Fig. …, Fig. 5). As on the sender's side, an original packet is formed, representing the receipt for the information message packet; the return addresses of the sender A_S^p and recipient A_R^p are added to it, giving the intermediate data packet (Fig. 5).

The intermediate data packet is then encoded (Fig. 5) and converted to TCP/IP format (Fig. 5). The pre-stored current addresses A_S and A_R are placed in the packet (Fig. 5) and the notification packet is transmitted to the sender (Fig. 5). After that the recipient replaces its current address A_R with the pre-stored return address of the recipient A_R^p (Fig. 5).

After receiving the notification packet (Fig. …, Fig. 5), the sender extracts the sender and recipient addresses A_S and A_R (Fig. 5) and compares them with the return addresses of the sender A_S^o and recipient A_R^o previously stored in its table (Fig. 5). If they differ, the received notification packet is not analysed; if they match, the encoded data is extracted from the received notification message packet (Fig. 5) and decoded (Fig. 5).

The return addresses of the sender A_S^p and recipient A_R^p are extracted from the decoded data (Fig. 5). The extracted return addresses of the recipient A_R^p and sender A_S^p are stored as the current addresses of the recipient A_R and sender A_S (Fig. 5). The current sender address A_S is replaced with the new sender address A_S^p extracted from the decoded data (Fig. 5).

The sender then proceeds to form the information on the return addresses of the sender A_S^o and recipient A_R^o for the next packet.

Thus, in the first variant of the method, a continuous change of the sender and recipient addresses in the message packets is achieved. Moreover, the addresses change with every transmitted message packet, and the new addresses are chosen at random and transmitted in coded form; only the current addresses pass in the clear. This makes it impossible to determine the addresses, to identify the network membership of particular users or to uncover the structure of the distributed computer network, i.e. it makes possible an increase in the security and covertness of the communication channel's operation.
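The sender/recipient exchange of the first variant as a two-party simulation, added here as an example and not part of the patent; the 64-bit field layout, the constructed address base and the omission of the cipher are assumptions stated in the docstring.

```python
"""Variant 1 of the method as a two-party simulation (added example, not the
patent's own code).  Assumptions beyond the page: the reserved 64-bit field holds
the sender address followed by the recipient address, 4 bytes each in network
order; the page leaves the cipher open ("any known coding method"), so the body
travels here as the intermediate packet itself, with the two points where a cipher
would encode and decode it marked in comments; the address base is a constructed
table in 218.113.77.x / 218.113.78.x like the page's figure 4.
"""
import ipaddress
import secrets
from typing import Callable, Optional, Tuple

Pair = Tuple[str, str]

# Constructed base of N = S = 10 sender and recipient addresses (figure 4 style).
BASE_SENDER = [f"218.113.77.{k}" for k in range(1, 11)]
BASE_RECIPIENT = [f"218.113.78.{k}" for k in range(1, 11)]


def pack_return_addresses(a_sender: str, a_recipient: str) -> bytes:
    """64-bit reserved field of the intermediate packet (assumed layout)."""
    return ipaddress.IPv4Address(a_sender).packed + ipaddress.IPv4Address(a_recipient).packed


def unpack_return_addresses(field: bytes) -> Pair:
    return str(ipaddress.IPv4Address(field[:4])), str(ipaddress.IPv4Address(field[4:8]))


def random_pair() -> Pair:
    """Page: return addresses chosen at random (or by a predetermined rule)."""
    return secrets.choice(BASE_SENDER), secrets.choice(BASE_RECIPIENT)


def fixed_pair(k: int) -> Callable[[], Pair]:
    """A predetermined rule for the deterministic run below: always pair k of the base."""
    return lambda: (BASE_SENDER[k - 1], BASE_RECIPIENT[k - 1])


class Correspondent:
    """State kept identically by the sender (role 0) and the recipient (role 1).

    current  -- pair (A_S, A_R) written into the clear IP header
    expected -- return pair this side chose last; an incoming header must equal it
    """

    def __init__(self, role: int, initial: Pair, choose_return: Callable[[], Pair] = random_pair):
        self.role = role
        self.current = initial
        self.expected = initial          # page: the initial pair doubles as the first return pair
        self.choose_return = choose_return

    def send(self, data: bytes) -> Tuple[str, str, bytes]:
        """Information packet (sender) or notification packet (recipient)."""
        ret = self.choose_return()                          # A_S^o, A_R^o (or A_S^p, A_R^p)
        self.expected = ret                                 # the reply must carry these
        intermediate = pack_return_addresses(*ret) + data   # reserved field + original data
        body = intermediate                                 # <- cipher would encode here
        packet = (self.current[0], self.current[1], body)   # header carries the current pair only
        own = list(self.current)
        own[self.role] = ret[self.role]                     # this side moves to its return address
        self.current = (own[0], own[1])
        return packet

    def receive(self, packet: Tuple[str, str, bytes]) -> Optional[bytes]:
        """Original data of an accepted packet, or None when the header is not the expected pair."""
        src, dst, body = packet
        if (src, dst) != self.expected:
            return None                                     # unauthorised: packet not analysed
        intermediate = body                                 # <- cipher would decode here
        self.current = unpack_return_addresses(intermediate[:8])   # new A_S, A_R from the payload
        return intermediate[8:]


def round_trip(choose_sender: Callable[[], Pair], choose_recipient: Callable[[], Pair]) -> dict:
    """One information packet and its notification, then a replay of the first packet."""
    initial = (BASE_SENDER[0], BASE_RECIPIENT[0])
    sender = Correspondent(0, initial, choose_sender)
    recipient = Correspondent(1, initial, choose_recipient)
    info = sender.send(b"original data")
    data = recipient.receive(info)
    ack = recipient.send(b"receipt")
    receipt = sender.receive(ack)
    return {
        "info_header": info[:2],                            # what an observer sees on the wire
        "ack_header": ack[:2],
        "data": data,
        "receipt": receipt,
        "replay_dropped": recipient.receive(info) is None,  # stale header is rejected
        "in_sync": sender.current == recipient.expected,    # next packet will be accepted
    }
```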

In the second variant of the method, as in the first, the stated technical result, increased security and covertness of the communication channel's operation, is achieved through a continuous change of the sender and recipient addresses. This variant is implemented for correspondents who exchange information without the recipient confirming receipt of the sender's information message packet.

Figure 7 shows a block diagram of the algorithm explaining the sequence of actions that implement the claimed method of secure communication in a computer network.

In the initial data (Fig. 7), in addition to the predefined base of N sender addresses and S recipient addresses, the sender and recipient are given the selection functions F_N(i) for the current sender address and F_S(i) for the current recipient address, i = 1, 2, 3, ..., according to which a new current address is assigned at the i-th step, and the address-change step counters are set to one, i_o = 1 for the sender and i_p = 1 for the recipient. As the selection functions F_N(i) and F_S(i) the sequence of Fibonacci numbers is used, where F_{N,S}(i) is the position of the corresponding address pair in the pre-formed address base (see figure 4) at the i-th step of assigning a new current address. An example of the current sender or recipient address according to F_{N,S}(i) is given in Fig. …. For i = 2, f(i) = 1 and F_{N,S}(i) = 1, so by the table of figure 4 the sender and recipient addresses correspond to the first address pair, 218.113.77.1 and 218.113.78.1; for i = 21, f(i) = 10946 and F_{N,S}(i) = 6, so by the table of figure 4 the sender and recipient addresses are the sixth address pair, 218.113.77.6 and 218.113.78.6. Also, the current sender address A_S and recipient address A_R of the message are assigned from the address base in advance.

Next, as in the first variant of the method, the original data packet is formed (Fig. 7, Fig. …a) and encoded (Fig. 7, Fig. …a). The encoded packet is then converted to TCP/IP format (Fig. 7), the pre-stored current addresses A_S and A_R are included (Fig. 7) and the information message packet is transmitted to the recipient (Fig. 7, Fig. …a).

After that, unlike the first variant, the sender assigns new current addresses A_S,i and A_R,i from the specified address base (table) according to the selection functions (Fig. 7). It then stores these addresses as the current addresses A_S and A_R (Fig. 7) by entering the designations A_S and A_R in the table (see figure 4). The sender then replaces its previously assigned current address A_S with the new current sender address A_S,i (Fig. 7) and increments the step counter: i_o = i_o + 1 (Fig. 7).

Then, as in the first variant of the method, the recipient receives the message packet (Fig. 7, Fig. …), extracts the sender and recipient addresses A_S and A_R (Fig. 7) and compares them with the current addresses preset in the table (Fig. 7). If they differ, the received packet is not analysed; if they match, the encoded data is extracted from it (Fig. 7, Fig. …b) and decoded (Fig. 7).

After that, unlike the first variant, the recipient assigns new current addresses A_S,i and A_R,i from the specified address base (table) according to the selection functions (Fig. 7). It then stores these addresses as the current addresses A_S and A_R (Fig. 7) by entering the designations A_S and A_R in the table (see figure 4). The recipient then replaces its previously assigned current address A_R with the new current recipient address A_R,i (Fig. 7) and increments the step counter: i_p = i_p + 1 (Fig. 7).

Next, the process proceeds to the formation of the next information message packet by the sender.

Thus, in the second variant of the method, a continuous change of the sender and recipient addresses in the message packets is achieved. Moreover, the addresses change with every transmitted message packet, and the new addresses are chosen by a predetermined rule known only to the sender and recipient of the message packets. This makes it practically impossible to determine the correspondents' addresses, to identify the network membership of particular users or to uncover the structure of the distributed computer network, i.e. it makes possible an increase in the security and covertness of the communication channel's operation.

The first and second variants of the method provide genuine concealment of the correspondents' addresses and hence make it impossible to uncover the structure of the distributed computer network and to carry out destructive effects on it. At the same time, under high-intensity information exchange with no repeated address pairs at all, it becomes obvious to an intruder that the users are taking measures to protect the communication channel from destructive effects; that is, the potential intruder is alerted. In this sense it is in some cases inexpedient to change the correspondents' addresses after the transmission (reception) of every message packet. Repetition of the correspondents' addresses in consecutively transmitted message packets will not arouse the intruder's suspicion and at the same time will not lead to the real structure of the distributed computer network being uncovered by analysing and reconstructing its graph. This possibility is realised in the third variant of the method.

In the third variant of the method, the stated technical result, increased security and covertness of the communication channel's operation, is achieved by changing the sender and recipient addresses not on every transmission of a message packet but periodically, by a predetermined rule known only to the sender and recipient, which in turn does not arouse the intruder's suspicion. This variant is also implemented for correspondents who exchange information without the recipient confirming receipt of the sender's information message packet.

Figure 10 shows a block diagram of the algorithm explaining the sequence of actions that implement the claimed method of secure communication in a computer network.

In the initial data (Fig. 10), as in the second variant of the method, the base of N sender addresses and S recipient addresses and the selection functions F_N(i) for the current sender address and F_S(i) for the current recipient address, i = 1, 2, 3, ..., are preset, by which a new current address is assigned at the i-th step. The address-change step counters are also set to one, i_o = 1 for the sender and i_p = 1 for the recipient. As in the second variant, the sequence of Fibonacci numbers is used for F_N(i) and F_S(i), where F_{N,S}(i) is the position of the corresponding address pair in the pre-formed address base at the i-th step of assigning a new current address. An example of the current sender or recipient address according to F_{N,S}(i) is given in Fig. …. Likewise, the current sender address A_S and recipient address A_R of the message are assigned from the address base in advance.

Additionally, the sender and receiver specify the function F (i), which determines the number Δk packets of messages that will be transmitted with the same addresses of the sender and recipient on the i-th step. As a function of FTo(i)determining the number Δk also use the sequence of Fibonacci numberswhere K is the maximum number of unicast packets, which, for example, set within K=200-250. The destination is a unicast packet, thus, along with protection from the analysis and the reconstruction of the graph distributed sun, hide from the offending application of security measures and will not arouse his suspicions. Example the number of unicast packets presented on 11. Calculate the initial number Δk. Set equal to zero the number of sent jo=0 and obtained jp=0 packet messages.

Next, as in the second variant of the method, the original data packet is formed (block of Fig. 10, Fig. a) and encoded (block of Fig. 10, Fig. a). The encoded packet is then converted into TCP/IP format (block of Fig. 10), the pre-stored current sender address Ao and recipient address Ap are included in it (block of Fig. 10), and the information message packet is transmitted to the recipient (block of Fig. 10, Fig. a).

Then, in addition to the second variant of the method, the sender increments the number of sent message packets jo by one: jo = jo + 1 (block of Fig. 10). jo is then compared with the preset Δk (block of Fig. 10). If they are not equal, the method proceeds to reception of the message packet at the recipient; thus, for the next information message packet the sender and recipient addresses are not changed. If jo = Δk, jo is reset to zero and a new Δk is computed (block of Fig. 10). Then the step number of assigning a new current address is incremented by one: io = io + 1, i.e. the sender changes the current sender and recipient addresses.

The current sender and recipient addresses are changed in the same way as in the second variant of the method. From the preset address base (tables), in accordance with the current-address selection function, the sender assigns new current addresses (block of Fig. 10) of the sender Aoi and recipient Api. These addresses are then stored as the current sender address Ao and recipient address Ap (block of Fig. 10). After that, the sender replaces the previously assigned current address Ao with the new current sender address Aoi (block of Fig. 10). Next, the recipient receives the message packet (block of Fig. 10, Fig. b), extracts the sender address Ao and recipient address Ap (block of Fig. 10) and compares them with the current addresses specified in advance in the table (block of Fig. 10). If the addresses do not match, the received message packet is not analyzed; if they match, the encoded data is extracted from it (block of Fig. 10, Fig. b) and decoded (block of Fig. 10).

Then, in addition to the second variant of the method, the recipient increments the number of received message packets jp by one: jp = jp + 1 (block of Fig. 10). jp is compared with the preset Δk (block of Fig. 10). If they are not equal, the method proceeds to formation of the next message packet by the sender; thus, for the analysis of the next message packet the recipient does not change the sender and recipient addresses (block of Fig. 10). If jp = Δk, jp is reset to zero and the step number of assigning a new current address is incremented by one: ip = ip + 1. Then a new Δk is calculated (block of Fig. 10), i.e. the recipient changes the current sender and recipient addresses.

The current sender and recipient addresses are changed in the same way as in the second variant of the method. From the preset address base (tables), in accordance with the current-address selection function, the recipient assigns new current addresses (block of Fig. 10) of the sender Aoi and recipient Api. These addresses are then stored as the current sender address Ao and recipient address Ap (block of Fig. 10). After that, the recipient replaces the previously assigned current address Ap with the new current recipient address Api (block of Fig. 10).

Thus, in the third variant of the method, a change of the sender and recipient addresses in message packets is also achieved. Moreover, the change is made not at every transmission of a message packet but periodically, according to a predetermined rule known only to the sender and the recipient. This makes it practically impossible to determine the addresses of the correspondents, to identify them with particular users of the network, or to reveal the structure of the distributed computer network, while at the same time not arousing the intruder's suspicion that protection measures are applied; i.e. it makes it possible to increase the security and covertness of operation of the communication channel of the computer network.
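To make the third variant concrete, here is an added model of the sender and recipient state machines (example code, not from the patent). The page only states that Fibonacci numbers are used for FN,S(i) and FK(i); the concrete rules Fib(i) mod N and Fib(i) mod K, the address base, and the packet counts below are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Pair = Tuple[str, str]  # (sender address, recipient address)


def fib(i: int) -> int:
    """i-th Fibonacci number with fib(1) = fib(2) = 1."""
    a, b = 0, 1
    for _ in range(i):
        a, b = b, a + b
    return a


def f_ns(i: int, n: int) -> int:
    """Assumed form of F_N,S(i): position of the address pair in a base of N pairs."""
    return fib(i) % n


def f_k(i: int, k_max: int) -> int:
    """Assumed form of F_K(i): number Δk of packets sent with unchanged addresses,
    bounded by K as the text requires (and at least one packet per address pair)."""
    return max(1, fib(i) % k_max)


@dataclass
class Endpoint:
    """One correspondent; the sender and the recipient run identical copies."""
    base: List[Pair]      # pre-shared base of address pairs (constructed in BASE below)
    k_max: int            # K, the maximum number of same-address packets
    i: int = 1            # step number of address change (i_o at sender, i_p at recipient)
    j: int = 0            # packets sent/received with the current addresses (j_o / j_p)
    dropped: int = 0      # packets whose header addresses did not match

    def __post_init__(self) -> None:
        self.current: Pair = self.base[f_ns(self.i, len(self.base))]
        self.delta_k = f_k(self.i, self.k_max)

    def _count_packet(self) -> None:
        """j = j + 1; when j reaches Δk, reset j, advance the step and pick new addresses."""
        self.j += 1
        if self.j == self.delta_k:
            self.j = 0
            self.i += 1
            self.delta_k = f_k(self.i, self.k_max)
            self.current = self.base[f_ns(self.i, len(self.base))]

    def send(self, payload: bytes) -> Tuple[str, str, bytes]:
        packet = (self.current[0], self.current[1], payload)
        self._count_packet()
        return packet

    def receive(self, packet: Tuple[str, str, bytes]) -> Optional[bytes]:
        src, dst, payload = packet
        if (src, dst) != self.current:     # address mismatch: the packet is not analysed
            self.dropped += 1
            return None
        self._count_packet()
        return payload


def run(n_packets: int, base: List[Pair], k_max: int = 250) -> Tuple[int, int, int, int]:
    """Exchange n_packets between synchronised endpoints.
    Returns (delivered, dropped at recipient, final step i, final counter j)."""
    sender, recipient = Endpoint(base, k_max), Endpoint(base, k_max)
    delivered = 0
    for p in range(n_packets):
        if recipient.receive(sender.send(b"message %d" % p)) is not None:
            delivered += 1
    if (sender.i, sender.j) != (recipient.i, recipient.j):
        raise RuntimeError("sender and recipient lost step")
    return delivered, recipient.dropped, recipient.i, recipient.j


# Constructed sample base of N = 7 address pairs (documentation-range addresses).
BASE: List[Pair] = [("192.0.2.%d" % a, "198.51.100.%d" % a) for a in range(1, 8)]

if __name__ == "__main__":
    print(run(100, BASE))  # (100, 0, 10, 12)
```

With K = 250 the first steps keep the same pair for 1, 1, 2, 3, 5, 8, 13, 21, 34, ... packets, so after 100 packets both sides are at step 10 with 12 packets counted; a packet carrying any other address pair is dropped without advancing the recipient's counters.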

In general, the distributed computer network comprises a set of LANs 1_1 ... 1_k (see Fig.). Each pair of LANs, for example 1_1 and 1_k (Fig.), is equipped with a protection device consisting of two local security segments (LSS) 3_1, 3_k connected to the corresponding LAN and, via the respective routers 4_1, 4_k, to the Internet 2. Thus, the communication channel of the computer network can be represented as shown in Fig. It includes two interacting LANs 1_1 and 1_k connected to each other via the respective routers 4_1, 4_k and the Internet 2, and is equipped with the communication channel protection device (circled by the dotted line in Fig.). The protection device consists of two identical LSS 3_1 and 3_k, one of which is connected to LAN 1_1 and the k-th to LAN 1_k.

In turn, in the first embodiment of the claimed device, the LSS (for example, 3_1), shown in Fig., consists of the address selection block BWA 3.1, processor 3.2, first SA 3.3 and second SA 3.8 (network adapters), encoding/decoding block KD 3.4, address base storage block BHBA 3.5, return address storage block BOHEA 3.6 and current address storage block BOHTA 3.7.

The first input/output of LSS 3 is connected to LAN 1. The second input/output of LSS 3 is connected to router 4, which in turn is connected to the Internet 2. The control input of BWA 3.1 is connected to the "address" port of processor 3.2, and the x-bit output of BWA 3.1 is connected to the x-bit input of BHBA 3.5. The m-bit output of BHBA 3.5 is connected to the m-bit input of BOHEA 3.6. The control input of BOHEA 3.6 is connected to the "return address request" port of processor 3.2, and its m-bit output is connected to the m-bit "return address" port of processor 3.2. The control input and m-bit output of BOHTA 3.7 are connected respectively to the "current address request" control output and the m-bit "current address" port of processor 3.2. The m-bit "change current address" input of BOHTA 3.7 is also connected to the m-bit "change current address" port of processor 3.2. The information input and output, the "password" input and the "conversion type" input of block KD 3.4 are connected to the corresponding ports of processor 3.2. The n-bit output and input of the first SA 3.3 are connected respectively to the n-bit "original packet" input and output of processor 3.2. The "local network" input/output of the first SA 3.3 is the first input/output of LSS 3. The p-bit input and output of the second SA 3.8 are connected respectively to the p-bit "information/notification" output and input of processor 3.2. The t-bit "control" port of processor 3.2 is connected to the t-bit control input of the second SA 3.8. The "Internet" input/output of the second SA 3.8 is the second input/output of LSS 3. The second LSS is implemented similarly to the first.

Block BWA 3.1 is intended for forming the number of the sender and recipient address pair. Its circuit, shown in Fig., consists of an 8-bit pseudo-random sequence generator 3.1.1 and eight AND gates 3.1.2_1-3.1.2_8. The circuit of the 8-bit pseudo-random sequence generator 3.1.1 is known and described, for example, in Russian Federation patent No. 2081450.

Processor 3.2 is designed to generate control signals for the corresponding blocks of LSS 3, to perform arithmetic and logical operations and data conversion, and for short-term storage, recording and output of information. The algorithm of processor 3.2, explaining the operating procedure of the first embodiment of the communication channel protection device implementing the first variant of the method of secure communication in a computer network, is shown in Fig. The principle of operation of the processor is known and described, for example, in the book "Computer Science: a Textbook" (edited by Navratilova, Finance and Statistics, 2002, pp. -147).

The first SA 3.3 serves as the physical interface between the LAN and the processor.

The second SA 3.8 serves as the physical interface between the router and the processor. Network adapters are known and described, for example, in the book by Galkin, V.A. and Grigorieva, Y.A., "Telecommunications and Networks: a Textbook for Universities" (Izd-vo MGTU im. Bauman, 2003, pp. 236-240).

Block KD 3.4 is used to encrypt and decrypt data. A circuit of a device for controlled conversion of binary data that implements encryption and decryption is known and described, for example, in Russian Federation patent No. 2239291, 27.10.2004.

Block BHBA 3.5 is designed for storing the base of sender and recipient addresses (Fig. 4) and for outputting the corresponding sets of addresses to BOHEA 3.6 after receiving from BWA 3.1 the signal indicating the number of the address pair. Block BHBA 3.5 is a storage device; such circuits are known and implemented, for example, on a memory chip (see the book Wllile, "Popular Digital Circuits: Handbook", 2nd edition, revised, Chelyabinsk: Metallurgy, 1989, pp. 160-171).

Block BOHEA 3.6 is designed for recording and storing the return addresses and for outputting these addresses on command of processor 3.2.

Block BOHTA 3.7 is designed for recording and storing the current addresses and for outputting them on command of processor 3.2. The circuits of BOHEA 3.6 and BOHTA 3.7 are identical and can be implemented in various ways, for example as shown in Fig. The circuit consists of 64 AND gates, to whose inputs are fed, for BOHEA 3.6, a control signal from processor 3.2 and a 64-bit pulse sequence from BHBA 3.5, and, for BOHTA 3.7, a control signal from processor 3.2 and a 64-bit pulse sequence from processor 3.2. The 64 outputs of the AND gates (see Fig.) form the 64-bit outputs of BOHTA 3.7 and BOHEA 3.6 and are connected to the corresponding ports of processor 3.2.

Synchronization of the elements is provided by clock pulses fed to the corresponding inputs of the blocks. They are not shown in the drawings.

The device operates as follows. The original data packet (see Fig. a) from LAN 1_1 is supplied through the first SA 3.3 and port P1 to processor 3.2. Processor 3.2 forms a request signal, which arrives through port P11 at BOHEA 3.6 (see Fig.). In BOHEA 3.6 (see Fig.) this request permits the passage through the AND gates of the 64-bit pulse sequence representing the return addresses of the sender and recipient (64 bits are required for a pair of addresses of 32 bits each). This 64-bit sequence thus arrives through port P12 at processor 3.2. After that, processor 3.2 forms an intermediate data packet (see step 1 in Fig.) by adding the return addresses of the sender and recipient to the original packet (see Fig. a).

The intermediate packet is then sent through communication port P3 of processor 3.2 to block KD 3.4 (see Fig.). Processor 3.2 forms the control signals for the encoder (see step 2 in Fig.): through port P4 it transmits the conversion key, and through port P5 the signal indicating the type of conversion (encoding). Thus, in block KD 3.4 the encoded data packet is formed (see Fig. a), which block KD 3.4 passes through information port P6 to processor 3.2. Here the encoded packet is converted into TCP/IP format (see step 3 in Fig.). The conversion consists of adding an IP header to the encoded data packet. Next, processor 3.2 forms a current address request signal, which is sent through port P13. In BOHTA 3.7 (see Fig.) this request permits the passage through the AND gates of the 64-bit pulse sequence representing the current sender and recipient addresses (64 bits are required for a pair of addresses of 32 bits each). This 64-bit sequence thus arrives through port P14 at processor 3.2. After that, processor 3.2 places the current sender and recipient addresses obtained from BOHTA 3.7 into the sender and recipient address fields of the converted packet. In this way the information message packet is formed (see step 4 in Fig., Fig. a), which processor 3.2 passes through port P7 and the second SA 3.8 to router 4 and then to the Internet 2.

After that, processor 3.2 forms a command to router 4 to change the current address and transmits it together with the new current sender address (see step 5 in Fig.) through port P8 for setting it on router 4.

When a message packet (Fig. b) is received through router 4 at an LSS (for example 3_k), which is similar to LSS 3_1 and is also shown in Fig., it is passed through the second SA 3.8 and port P9 (Fig.) to processor 3.2. From the recipient address and sender address fields of the IP header of the message packet (see Fig. 3), processor 3.2 extracts the sender and recipient addresses (see step 6 in Fig.). Processor 3.2 forms a request signal (see block in Fig.), which arrives through port P11 at BOHEA 3.6 (see Fig.), from which the return addresses of the sender and recipient are passed through port P12 to processor 3.2. Processor 3.2 compares (bitwise) the addresses extracted from the received information message packet with the current addresses (see step 7 in Fig.). If they do not match, the device does not analyze the received message packet and waits for the next one. If they match, processor 3.2 separates the encrypted data from the message packet (see step 8 in Fig., Fig. b) by removing the IP header. The encoded packet is then sent through communication port P3 of processor 3.2 to block KD 3.4 (see Fig.). Processor 3.2 forms the control signals for the decoder (see step 9 in Fig.): through port P4 it transmits the conversion key, and through port P5 the signal indicating the type of conversion (decoding). Next, the open data (see Fig.) is passed from block KD 3.4 through information port P6 to processor 3.2.

After that, from the decoded data processor 3.2 extracts the first 64 bits of information, which are the new return addresses of the sender and recipient (see step 10 in Fig.). Processor 3.2 then passes the original data packet through port P2 to the first SA 3.3, through which the original data packet is transferred to LAN 1. Processor 3.2 forms a command to change the current address and transmits it through port P8 and the second SA 3.8 to router 4 together with the received return address of the recipient. Processor 3.2 also passes this address through the corresponding port to BOHTA 3.7 to change the current address. Then processor 3.2 forms the signal to start BWA 3.1 (see step 11 in Fig.), which goes through port P10 (see Fig.) to the AND gates and permits the passage of the pseudo-random sequence, continuously generated by the 8-bit pseudo-random sequence generator 3.1.1, from the output of BWA 3.1 to BHBA 3.5. In BHBA 3.5 this sequence sets the number of the address pair in the table (see Fig. 4); an 8-bit sequence is sufficient to address any of the 255 entries in the base, since 2^8 = 256.

A notification service message is formed, transmitted and received similarly.

Next, the sender forms the next information message packet.
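The packet framing of the first device variant, as an added example that is not part of the patent: the return addresses travel inside the encoded payload, the current addresses sit in the header, and the receiver ignores packets whose header addresses do not match and otherwise takes the first 64 bits of the decoded data as the new return addresses. The keyed XOR stream standing in for block KD 3.4 and the reduced "IP header" consisting only of the two addresses are constructed placeholders.

```python
import hashlib
import ipaddress
from typing import Optional, Tuple

Pair = Tuple[str, str]  # (sender address, recipient address)


def pack_pair(pair: Pair) -> bytes:
    """64 bits: two 32-bit IPv4 addresses, sender first."""
    return ipaddress.IPv4Address(pair[0]).packed + ipaddress.IPv4Address(pair[1]).packed


def unpack_pair(raw: bytes) -> Pair:
    return str(ipaddress.IPv4Address(raw[:4])), str(ipaddress.IPv4Address(raw[4:8]))


def kd(key: bytes, data: bytes) -> bytes:
    """Placeholder for block KD 3.4 (the patent's own cipher is not on the page):
    a SHA-256 counter keystream XORed with the data; the same call encodes and decodes.
    Constructed for this example only; it is not a secure cipher."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_info_packet(key: bytes, current: Pair, return_pair: Pair, original: bytes) -> bytes:
    """Sender side, steps 1-4: the return addresses are prepended to the original packet,
    the result is encoded, and the current addresses form the (reduced) IP header."""
    intermediate = pack_pair(return_pair) + original   # step 1: intermediate packet
    encoded = kd(key, intermediate)                    # step 2: KD block, encoding
    return pack_pair(current) + encoded                # steps 3-4: header = current addresses


def process_info_packet(key: bytes, expected: Pair, packet: bytes) -> Optional[Tuple[bytes, Pair]]:
    """Recipient side, steps 6-10. Returns (original packet, new return addresses),
    or None when the header addresses do not match the expected current addresses."""
    if unpack_pair(packet[:8]) != expected:            # step 7: mismatch, packet is ignored
        return None
    plain = kd(key, packet[8:])                        # steps 8-9: strip header, decode
    return plain[8:], unpack_pair(plain[:8])           # step 10: first 64 bits = return addresses


if __name__ == "__main__":
    key = b"constructed-key"
    cur = ("192.0.2.1", "198.51.100.1")      # current pair, visible in the header
    ret = ("192.0.2.5", "198.51.100.5")      # next pair, visible only after decoding
    pkt = build_info_packet(key, cur, ret, b"original data")
    print(process_info_packet(key, cur, pkt))   # (b'original data', ret)
    print(process_info_packet(key, ("192.0.2.2", "198.51.100.1"), pkt))  # None
```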

In the second embodiment of the claimed device, the distributed computer network also comprises a set of LANs 1_1 ... 1_k (see Fig.). Each pair of LANs, for example 1_1 and 1_k (Fig.), is equipped with a protection device consisting of two local security segments (LSS) 3_1, 3_k connected to the corresponding LAN and, via the respective routers 4_1, 4_k, to the Internet 2. Thus, the communication channel of the computer network can be represented as shown in Fig. It includes two interacting LANs 1_1 and 1_k connected to each other via the respective routers 4_1, 4_k and the Internet 2, and is equipped with the communication channel protection device (circled by the dotted line in Fig.). The protection device consists of two identical LSS 3_1 and 3_k, one of which is connected to LAN 1_1 and the k-th to LAN 1_k.

In turn, in the second embodiment of the claimed device, the LSS (for example, 3_1), shown in Fig., consists of BWA 3.1, processor 3.2, first SA 3.3 and second SA 3.7, block KD 3.4, BHBA 3.5 and BOHTA 3.6.

The first input/output of LSS 3 is connected to LAN 1. The second input/output of LSS 3 is connected to router 4, which in turn is connected to the Internet 2. The control input of BWA 3.1 is connected to the "address" port of processor 3.2, and the x-bit output of BWA 3.1 is connected to the x-bit input of BHBA 3.5. The m-bit output of BHBA 3.5 is connected to the m-bit input of BOHTA 3.6. The control input and m-bit output of BOHTA 3.6 are connected respectively to the "current address request" port and the m-bit "current address" port of processor 3.2. The information input and output, the "password" input and the "conversion type" input of block KD 3.4 are connected to the corresponding ports of processor 3.2. The n-bit output and input of the first SA 3.3 are connected respectively to the n-bit "original packet" input and output of processor 3.2. The "local network" input/output of the first SA 3.3 is the first input/output of LSS 3. The p-bit input and output of the second SA 3.7 are connected respectively to the p-bit "information/notification" output and input of processor 3.2. The t-bit "control" port of processor 3.2 is connected to the t-bit control input of the second SA 3.7. The "Internet" input/output of the second SA 3.7 is the second input/output of LSS 3.

Block BWA 3.1 is designed to generate address numbers. Its circuit, shown in Fig., consists of a step number adder 3.1.1 and an address number calculator 3.1.2. A counter circuit that implements the functions of the step number adder 3.1.1 is known and described, for example, in the book Wllile, "Popular Digital Circuits: a Handbook" (2nd edition, revised, Chelyabinsk: Metallurgy, 1989, pp. 93-102). The address number calculator 3.1.2 is a Fibonacci function calculator implemented in the form of a microprocessor that computes the values of the Fibonacci numbers by the formula shown on page 11 (or 13) of this specification.

The algorithm of processor 3.2, explaining the operating procedure of the second embodiment of the communication channel protection device implementing the second variant of the method of secure communication in a computer network, is shown in Fig.

Block BOHTA 3.6 is designed to record and store the current addresses received from BHBA 3.5 and to output them on command of processor 3.2. The circuit of BOHTA 3.6 can be implemented in various ways, for example as shown in Fig.

The purpose and circuits of the other blocks of LSS 3 are the same as in the first embodiment of the communication channel protection device for a computer network.

The device operates as follows. The original data packet (see Fig. a) from LAN 1_1 is supplied through the first SA 3.3 and port P1 to processor 3.2. The original packet is then sent through communication port P3 of processor 3.2 to block KD 3.4 (see Fig.). After that, processor 3.2 forms the control signals for the encoder (see step 1 in Fig.): through port P4 it transmits the conversion key, and through port P5 the signal indicating the type of conversion (encoding). Thus, in block KD 3.4 the encoded data packet is formed (see Fig. a), which block KD 3.4 passes through information port P6 to processor 3.2. Here the encoded packet is converted into TCP/IP format (see step 2 in Fig.). The conversion consists of adding an IP header to the encoded data packet. Next, processor 3.2 forms a current address request signal, which is sent through port P11. In BOHTA 3.6 (see Fig.) this request permits the passage through the AND gates of the 64-bit pulse sequence representing the current sender and recipient addresses (64 bits are required for the two addresses of 32 bits each). This 64-bit sequence thus arrives through port P12 at processor 3.2. After that, processor 3.2 places the current sender and recipient addresses obtained from BOHTA 3.6 into the sender address and recipient address fields of the converted packet. In this way the information message packet is formed (see step 3 in Fig., Fig. a), which processor 3.2 passes through port P7 and the second SA 3.7 to router 4 and then to the Internet 2.

Then processor 3.2 forms the signal to start BWA 3.1 (see step 4 in Fig.), which is passed through port P10 to BWA 3.1 (see Fig.). This signal starts the adder 3.1.1, at whose output a pulse sequence is formed corresponding to the step number of the current address change io (i.e. the counter determines i, see the table in Fig.). This sequence is fed to the address number calculator 3.1.2, where the Fibonacci function is used to determine the value of the address number (i.e. the value of FN,S(i), see the table in Fig.).

After that, processor 3.2 generates a current sender address request signal, which is passed through port P11 to BOHTA 3.6. On request, BOHTA 3.6 outputs the 64-bit pulse sequence corresponding to the value of the current sender and recipient addresses and transmits it through port P12 to processor 3.2. Processor 3.2 then forms a command to router 4 to change the current address and transmits it, together with the new current sender address determined by the value of the low 32 bits of the 64-bit pulse sequence received from BOHTA 3.6 (see step 5 in Fig.), through port P8 for setting it on router 4.

When a message packet (Fig. b) is received through router 4 at an LSS (for example 3_k), which is similar to LSS 3_1 and is also shown in Fig., it is passed through the second SA 3.7 and port P9 (Fig.) to processor 3.2. From the recipient address and sender address fields of the IP header of the message packet (see Fig. 3), processor 3.2 extracts the sender and recipient addresses (see step 6 in Fig.).

Processor 3.2 forms a request signal, which arrives through port P11 at BOHTA 3.6 (see Fig.), from which the current addresses of the sender and recipient are passed through port P12 to processor 3.2. Processor 3.2 compares (bitwise) the addresses extracted from the received information message packet with the current addresses (see step 7 in Fig.). If they do not match, the device does not analyze the received message packet and waits for the next one. If they match, processor 3.2 separates the encrypted data from the message packet (see step 8 in Fig., Fig. b) by removing the IP header. The encoded packet is then sent through communication port P3 of processor 3.2 to block KD 3.4 (see Fig.). Processor 3.2 forms the control signals for the decoder (see step 9 in Fig.): through port P4 it transmits the conversion key, and through port P5 the signal indicating the type of conversion (decoding). Next, the open data (see Fig. b) is passed from block KD 3.4 through information port P6 to processor 3.2. After this, processor 3.2 passes the original data packet through port P2 to the first SA 3.3, through which the original data packet is transferred to LAN 1.

Then processor 3.2 forms the signal to start BWA 3.1 (see step 10 in Fig.), which is passed through port P10 to BWA 3.1 (see Fig.). This signal starts the adder 3.1.1. At the output of the adder 3.1.1 a pulse sequence is formed corresponding to the step number of the current address change ip (i.e. the counter determines i, see the table in Fig.). This sequence is fed to the address number calculator 3.1.2, where the Fibonacci function is used to determine the value of the address number (i.e. the value of FN,S(i), see the table in Fig.).

After that, processor 3.2 forms a current recipient address request signal, which is passed through port P11 to BOHTA 3.6. On request, BOHTA 3.6 outputs the 64-bit pulse sequence corresponding to the value of the current sender and recipient addresses and transmits it through port P12 to processor 3.2. Next, processor 3.2 forms a command to router 4 to change the current address and transmits it, together with the new current recipient address determined by the value of the low 32 bits of the 64-bit pulse sequence received from BOHTA 3.6 (see step 11 in Fig.), through port P8 for setting it on router 4.

The sender then forms the next information message packet.

In the third embodiment of the claimed device, the distributed computer network also comprises a set of LANs 1_1 ... 1_k (see Fig.). Each pair of LANs, for example 1_1 and 1_k (Fig.), is equipped with a protection device consisting of two local security segments (LSS) 3_1, 3_k connected to the corresponding LAN and, via the respective routers 4_1, 4_k, to the Internet 2. Thus, the communication channel of the computer network can be represented as shown in Fig. It includes two interacting LANs 1_1 and 1_k connected to each other via the respective routers 4_1, 4_k and the Internet 2, and is equipped with the communication channel protection device (circled by the dotted line in Fig.). The protection device consists of two identical LSS 3_1 and 3_k, one of which is connected to LAN 1_1 and the k-th to LAN 1_k.

In turn, in the third embodiment of the claimed device, the LSS (for example, 3_1), shown in Fig., consists of BWA 3.1, processor 3.2, first SA 3.3 and second SA 3.9, block KD 3.4, BHBA 3.5, BOHTA 3.6, BVCAP 3.7 and SOP 3.8.

The first input/output of LSS 3 is connected to LAN 1. The second input/output of LSS 3 is connected to router 4, which in turn is connected to the Internet 2. The control input of BWA 3.1 is connected to the "address" port of processor 3.2, and the x-bit output of BWA 3.1 is connected to the x-bit input of BHBA 3.5. The m-bit output of BHBA 3.5 is connected to the m-bit input of BOHTA 3.6. The control input and m-bit output of BOHTA 3.6 are connected respectively to the "current address request" port and the m-bit "current address" port of processor 3.2. The information input and output, the "password" input and the "conversion type" input of block KD 3.4 are connected to the corresponding ports of processor 3.2. The "same-address packet request" and "reset" control inputs and the s-bit output of SOP 3.8 are connected respectively to the "same-address packet request" and "reset" ports and the s-bit "same-address packets" input of processor 3.2. The "number request" and "start" control inputs and the s-bit output of BVCAP 3.7 are connected respectively to the "number request" and "start" ports and the s-bit "number" input of processor 3.2. The n-bit output and input of the first SA 3.3 are connected respectively to the n-bit "original packet" input and output of processor 3.2. The "local network" input/output of the first SA 3.3 is the first input/output of LSS 3. The p-bit input and output of the second SA 3.9 are connected respectively to the p-bit "information/notification" output and input of processor 3.2. The t-bit "control" port of processor 3.2 is connected to the t-bit control input of the second SA 3.9. The "Internet" input/output of the second SA 3.9 is the second input/output of LSS 3.

Block BWA 3.1 is designed to generate address numbers. Its circuit, shown in Fig., consists of a step number adder 3.1.1 and an address number calculator 3.1.2. A counter circuit that implements the functions of the step number adder 3.1.1 is known and described, for example, in the book Wllile, "Popular Digital Circuits: a Handbook" (2nd edition, revised, Chelyabinsk: Metallurgy, 1989, pp. 93-102). The address number calculator 3.1.2 is a Fibonacci function calculator, the same as in the second embodiment of the communication channel protection device for a computer network.

The algorithm of processor 3.2, explaining the operating procedure of the third embodiment of the communication channel protection device implementing the third variant of the method of secure communication in a computer network, is shown in Fig.

Block BVCAP 3.7 is designed to generate the number of message packets transmitted (at the sender) or received (at the recipient) with the same sender and recipient addresses, and to output this number on command of processor 3.2. The circuit of BVCAP 3.7, shown in Fig., consists of a register 3.7.1 storing the number of same-address packets, a calculator 3.7.2 of the number of same-address packets, and an address change step number adder 3.7.3. The register 3.7.1 storing the number of same-address packets is designed for recording, storing and outputting the number of same-address packets Δk on request of processor 3.2. It is similar to BOHTA 3.7 or BOHEA 3.6 in the first embodiment of the communication channel protection device for a computer network. The calculator 3.7.2 of the number of same-address packets is designed to calculate the number of same-address packets and is a Fibonacci function calculator implemented in the form of a microprocessor that computes the values of the Fibonacci numbers FK(i) by the formula shown on page 13. The address change step number adder 3.7.3 is designed to count the address change step number, which is the source data for the calculator 3.7.2 of the number of same-address packets. A counter circuit that implements the adder is known and described, for example, in the book Wllile, "Popular Digital Circuits: a Handbook" (2nd edition, revised, Chelyabinsk: Metallurgy, 1989, pp. 93-102).

The unit SOP 3.8 is designed to count the number of message packets transmitted (at the sender) or received (at the recipient) with the same sender and recipient addresses, and to output it on command of processor 3.2. A counter circuit that implements the functions of SOP 3.8 is known and described, for example, in the book Wllile, "Popular Digital Circuits: a Handbook" (2nd edition, revised, Chelyabinsk: Metallurgy, 1989, pp. 93-102).

The purpose and circuits of the other blocks of LSS 3 are the same as in the second embodiment of the communication channel protection device for a computer network.

The device operates as follows. The original data packet (see Fig.) arrives from LAN 1 through the first network adapter (SA) 3.3 at port P1 of the processor 3.2. The processor 3.2 then passes the original packet through port P3 to the coding/decoding unit (KD) 3.4 (see Fig.). Next, the processor 3.2 forms the control signals for the coder (step 1, Fig.): through port P4 it transmits the transformation key, and through port P5 a signal indicating the type of transformation (encoding). The KD unit 3.4 thus forms the encoded data packet (see Fig.), which it returns to the processor 3.2 through information port P6. There the encoded packet is converted into TCP/IP format (step 2, Fig.); the conversion consists of prepending an IP header to the encoded data packet. The processor 3.2 then forms a request for the current addresses and sends it through port P17. In the block of operative storage of current addresses (BOHTA) 3.6 (see Fig.) this request enables the AND elements to pass a 64-bit pulse sequence representing the current sender and recipient addresses, and that 64-bit sequence reaches the processor 3.2 through the corresponding port. The processor 3.2 then writes the current sender and recipient addresses obtained from BOHTA 3.6 into the sender-address and recipient-address fields of the converted packet. This yields the information message packet (step 3, Fig.), which the processor 3.2 passes through port P7 and the second network adapter 3.9 to the router 4, and from there to the Internet 2.

Next, the processor 3.2 forms a start signal for the unicast packet counter (SOP) 3.8 (step 4, Fig.) and passes it to SOP 3.8 through port P11. The counter adds one to the previously stored number (j_o = j_o + 1) and returns the resulting value to the processor 3.2 through port P12. The processor 3.2 then forms a request for the current value of Δk (the number of message packets transmitted with the same sender and recipient addresses) and passes it through port P14 to the block for selecting the number of unicast packets (BVCAP) 3.7 (step 5, Fig.). The request goes to the register 3.7.1 that stores the number of unicast packets (its circuit is analogous to that of BOHTA 3.6, Fig.) and enables the AND elements to pass a 32-bit pulse sequence representing the number Δk generated by the unicast packet number generator 3.7.2. This number enters the processor 3.2 through the corresponding port. The processor 3.2 compares the values j_o and Δk bit by bit (step 6, Fig.). If j_o ≠ Δk, the sender forms the next message packet and the receiver receives the information message packet. If j_o = Δk, the processor 3.2 generates a reset signal for SOP 3.8 (step 7, Fig.), which enters SOP 3.8 through port P13 and performs the reset (i.e. sets j_o = 0).

After that, the processor 3.2 forms a start signal for BVCAP 3.7 (step 8, Fig.) and passes it through port P16 to BVCAP 3.7 (Fig.). This signal is applied to the adder of the address-change step number 3.7.3, which increases the step number by one (i.e. defines a new i_o = i_o + 1, see Table 11). This value is fed to the unicast packet number generator 3.7.2, which determines the number of unicast packets Δk (i.e. the value F_K(i), see Table 11).

Then the processor 3.2 forms a start signal for the address selection block (BWA) 3.1 (step 9, Fig.) and passes it through port P10 (Fig.) to BWA 3.1. This signal starts the adder 3.1.1, at whose output a pulse sequence is formed corresponding to the number of the current-address change step i_o (i.e. the counter defines i_o, see the table in Fig.). This sequence is fed to the address number generator 3.1.2, which determines the address number by means of the Fibonacci sequence (i.e. the value F_{N,S}(i), see the table in Fig.).

After that, the processor 3.2 generates a request for the current sender address and passes it through port P17 to BOHTA 3.6. On this request, BOHTA 3.6 outputs a 64-bit pulse sequence corresponding to the current sender and recipient addresses and transmits it to the processor 3.2 through the corresponding port. The processor 3.2 then forms a command for the router 4 to change the current address and transmits it, together with the new current sender address defined by the low 32 bits of the 64-bit sequence received from BOHTA 3.6 (step 10, Fig.), through port P8 so that it is set on the router 4.

When a message packet (Fig.) arrives through the router 4 at a local protection segment (for example 3_k), of the same construction as the segment shown in Fig., it passes through the second network adapter 3.9 to port P9 (Fig.) of the processor 3.2. From the recipient-address and sender-address fields of the IP header of the message packet (see Fig. 3) the processor 3.2 extracts the sender and recipient addresses (step 11, Fig.).

In the processor 3.2 a request signal is formed and passed through port P17 to BOHTA 3.6 (see Fig.), which transmits the current sender and recipient addresses to the processor 3.2 through the corresponding port. The processor 3.2 compares them bit by bit with the current addresses extracted from the received information message packet (step 12, Fig.). If they do not match, the device does not analyse the received message packet and waits for the next one. If they match, the processor 3.2 separates the encoded data from the message packet (step 13, Fig.) by stripping the IP header. The encoded packet is then sent through port P3 of the processor 3.2 to the KD unit 3.4 (see Fig.). The processor 3.2 forms the control signals for the decoder (step 14, Fig.): through port P4 it transmits the transformation key, and through port P5 a signal indicating the type of transformation (decoding). The open data (Fig.) then pass from the KD unit 3.4 through information port P6 and port P2 to the first network adapter 3.3, through which the original data packet is delivered to LAN 1.

Next, the processor 3.2 forms a start signal for SOP 3.8 (step 15, Fig.) and passes it to SOP 3.8 through port P11. The counter adds one to the previously stored number (j_p = j_p + 1) and returns the resulting value to the processor 3.2 through port P12. The processor 3.2 then forms a request for the current value of Δk (the number of message packets transmitted with the same sender and recipient addresses) and passes it through port P14 to BVCAP 3.7 (step 16, Fig.). The request goes to the register 3.7.1 that stores the number of unicast packets (its circuit is analogous to that of BOHTA 3.6, Fig.) and enables the AND elements to pass a 32-bit pulse sequence representing the number Δk generated by the unicast packet number generator 3.7.2. This number enters the processor 3.2 through the corresponding port. The processor 3.2 compares the values j_p and Δk bit by bit (step 17, Fig.). If j_p ≠ Δk, the sender forms the next message packet and the receiver waits for the next information message packet. If j_p = Δk, the processor 3.2 generates a reset signal for SOP 3.8 (step 18, Fig.), which enters SOP 3.8 through port P13 and performs the reset (i.e. sets j_p = 0).

After that, the processor 3.2 forms a start signal for BVCAP 3.7 (step 19, Fig.) and passes it through port P16 to BVCAP 3.7 (Fig.). This signal is applied to the adder of the address-change step number 3.7.3, which increases the step number by one (i.e. defines a new i_p = i_p + 1, see Table 11). This value is fed to the unicast packet number generator 3.7.2, which determines the number of unicast packets Δk (i.e. the value F_K(i), see Table 11).

Then the processor 3.2 forms a start signal for BWA 3.1 (step 20, Fig.) and passes it through port P10 (Fig.) to BWA 3.1. This signal starts the adder 3.1.1, at whose output a pulse sequence is formed corresponding to the number of the current-address change step i_p (i.e. the counter defines i_p, see the table in Fig.). This sequence is fed to the address number generator 3.1.2, which determines the address number by means of the Fibonacci sequence (i.e. the value F_{N,S}(i), see the table in Fig.).

After that, the processor 3.2 forms a request for the current recipient address and passes it through port P17 to BOHTA 3.6. On this request, BOHTA 3.6 outputs a 64-bit pulse sequence corresponding to the current sender and recipient addresses and transmits it to the processor 3.2 through the corresponding port. The processor 3.2 then forms a command for the router 4 to change the current address and transmits it, together with the new current recipient address defined by the low 32 bits of the 64-bit sequence received from BOHTA 3.6 (step 21, Fig.), through port P8 so that it is set on the router 4.

The sender then forms the next information message packet.
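The sender-side and receiver-side procedures above (steps 1 to 21) can be checked end to end in a short simulation. The following Python is an added example written for this page, not the patent's own code or circuit: it models both local protection segments of the third variant (claim 8) with a packet counter j, a step counter i, a per-step Δk = F_K(i) and Fibonacci-driven address selection F_N(i), F_S(i), and it lets a passive observer on an intermediate router count the distinct header pairs it sees, as in the second variant of the experiment described below. The second variant of the method (claim 5) falls out as the case K = 1, where Δk = 1 at every step. Everything the patent leaves open is an assumption here and is marked as such in the code: how a Fibonacci number is mapped onto an index into the address base and onto Δk, that the step is incremented before the new pair is selected, that the initial pair is index 0 of each base, the one-byte XOR standing in for the coder/decoder block, and the 10.0.0.0/24 and 10.0.1.0/24 sample bases.

```python
"""Simulation of the address-hopping exchange of claim 8 (variant 3): sender
and receiver keep a counter j of packets sent/received under one address
pair, and when j reaches Δk = F_K(i) both step i, pick the next pair with
F_N(i)/F_S(i) from their address bases and move on. Claim 5 (variant 2) is
the special case Δk = 1 for every step (K = 1 below).

Added example, not the patent's code. Assumed, because the text does not fix
them: the mapping of Fibonacci numbers onto base indices and onto Δk, the
initial pair being index 0 of each base, the toy XOR coder and the bases.
"""
from dataclasses import dataclass
from typing import Callable, Optional


def fib(i: int) -> int:
    """i-th Fibonacci number with F(1) = F(2) = 1."""
    a, b = 0, 1
    for _ in range(i):
        a, b = b, a + b
    return a


def selector(size: int) -> Callable[[int], int]:
    """F_N(i) / F_S(i): index into a base of `size` addresses (assumed: fib(i) mod size)."""
    return lambda i: fib(i) % size


def delta_fn(K: int) -> Callable[[int], int]:
    """F_K(i): packets per address pair, in 1..K (assumed: (fib(i) - 1) mod K + 1).
    delta_fn(1) gives Δk = 1 at every step, i.e. claim 5."""
    return lambda i: (fib(i) - 1) % K + 1


KEY = 0x5A  # constructed key for the toy XOR coder standing in for block KD 3.4


def code(data: bytes) -> bytes:
    """Toy coder/decoder; XOR is its own inverse, so the same call decodes."""
    return bytes(b ^ KEY for b in data)


@dataclass
class Endpoint:
    """One local protection segment: address bases, current pair (A_TO, A_TP),
    step number i, packet counter j and the current Δk."""
    sender_base: list
    recipient_base: list
    K: int

    def __post_init__(self) -> None:
        self.f_n = selector(len(self.sender_base))
        self.f_s = selector(len(self.recipient_base))
        self.f_k = delta_fn(self.K)
        self.i, self.j = 1, 0
        self.current = (self.sender_base[0], self.recipient_base[0])  # initial pair (assumed index 0)
        self.delta = self.f_k(self.i)

    def count(self) -> bool:
        """Steps 4-10 / 15-21: j += 1; when j == Δk reset j, step i, recompute Δk
        and select the new current pair. Returns True when a hop happened."""
        self.j += 1
        if self.j != self.delta:
            return False
        self.j, self.i = 0, self.i + 1
        self.delta = self.f_k(self.i)
        self.current = (self.sender_base[self.f_n(self.i)], self.recipient_base[self.f_s(self.i)])
        return True

    def send(self, data: bytes) -> tuple:
        """Steps 1-3: encode and prepend the current address pair as the header."""
        pkt = (*self.current, code(data))
        self.count()
        return pkt

    def receive(self, pkt: tuple) -> Optional[bytes]:
        """Steps 11-14: drop the packet unanalysed unless its header matches the current pair."""
        src, dst, body = pkt
        if (src, dst) != self.current:
            return None
        self.count()
        return code(body)


def simulate(n_packets: int, K: int = 5, lost: frozenset = frozenset()) -> dict:
    """Push n_packets from sender to receiver past an observer on an intermediate
    router; packets whose 1-based number is in `lost` are dropped after the
    observer's router. Returns delivered/dropped counts and the distinct header
    pairs the observer saw."""
    s_base = [f"10.0.0.{k}" for k in range(1, 6)]  # constructed base, N = 5
    r_base = [f"10.0.1.{k}" for k in range(1, 5)]  # constructed base, S = 4
    sender, receiver = Endpoint(s_base, r_base, K), Endpoint(s_base, r_base, K)
    seen, delivered, dropped = set(), 0, 0
    for n in range(1, n_packets + 1):
        pkt = sender.send(b"payload %d" % n)
        seen.add(pkt[:2])  # what the packet analyser on router M_i records
        if n in lost:
            continue
        if receiver.receive(pkt) is None:
            dropped += 1
        else:
            delivered += 1
    return {"delivered": delivered, "dropped": dropped, "pairs": sorted(seen)}
```

simulate(12) delivers all twelve packets while the observer records five different (sender, recipient) header pairs instead of one. simulate(12, lost=frozenset({3})) shows the caveat the description does not address: the two counters are only ever advanced locally, so a single lost packet leaves the receiver one step behind and every later packet is rejected as a mismatch; a deployment of this variant therefore needs some way to resynchronise the step counters after loss, which the text does not describe.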

The possibility of achieving the stated technical result was verified by simulation.

The general scheme of the experiment is shown in Fig.

The model of the distributed computer network (CN) comprised two remote local segments (LAN 1 and LAN 2) connected through the Internet, represented by a set of routers M2 to M(K-1). Routers M1 and MK were used to connect LAN 1 and LAN 2 to the Internet.

During the experiment, information was exchanged between LAN 1 and LAN 2 over a communication channel passing through routers M1 to MK. Message packets from LAN 1 to LAN 2 were transmitted in encoded form; only the IP header, containing the sender and recipient addresses (the IP addresses of routers M1 and MK), was transmitted in the open.

A packet analyser was connected to router Mi (1 < i < K), allowing message packets to be intercepted and analysed, the sender and recipient addresses to be extracted, and the packet contents to be viewed.

In the first variant of the experiment the addresses of routers M1 and MK were fixed. The packet analyser showed that the message packets exchanged between LAN 1 and LAN 2 passed through router Mi with open IP headers containing the addresses of routers M1 and MK and with an encoded information component. That is, interception and analysis of the packets made it possible to detect the transmission of encoded information between two nodes of the Internet.

This observation made it possible to determine unambiguously that a secure communication channel had been established between routers M1 and MK. It can therefore be assumed that an intruder using a packet sniffer on router Mi could, with high probability, determine the structure of the distributed CN, as shown in Fig., which contradicts the requirement of secrecy of the communication channel. In the same way, the intruder could carry out a destructive action on routers M1 and MK to disrupt the exchange of information, which contradicts the requirement of security of the communication channel.

In the second variant of the experiment a base of 5 IP addresses was set for each of the routers M1 and MK, and the addresses were changed during the exchange in accordance with this base. The choice of the base address for each change was made randomly. The addresses of routers M1 and MK were changed periodically after sending (receiving) a series of message packets. The packet analyser again showed message packets with open IP headers and an encoded information component passing through router Mi. However, analysis of the packet headers did not reveal a single communication channel between routers M1 and MK. On the contrary, it revealed a large number of communication channels between different pairs of addresses (Fig.), each with a lower intensity of information exchange.

This means that the probability of the intruder determining the true structure of the distributed CN decreased significantly, since such a determination would now require further analytical investigation. Consequently, the probability of a destructive action also decreased.

On the basis of these results it can be concluded that the developed method (variants) and device (variants), by continuously changing the sender and recipient addresses of the message packets, improve the security and secrecy of the operation of the communication channel of the computer network.

1. A method for protecting a communication channel of a computer network, in which initial data are preset, including the sender and recipient addresses of the messages; the sender forms an original data packet, encodes it, converts it into TCP/IP format and includes the current sender and recipient addresses in it; the formed information message packet is transmitted to the recipient; the recipient extracts the sender and recipient addresses from the received message packet and compares them with the preset addresses; if they do not match, the received packet is not analysed, and if they match, the encoded data are extracted from the received message packet and decoded; characterized in that the preset initial data additionally include a base of N sender addresses and S recipient addresses, from which a current sender address A_TO and a current recipient address A_TP are assigned and stored; the recipient also stores the assigned sender address A_TO and recipient address A_TP as the return sender address A_OSp and the return recipient address A_OPp; the sender forms information about the return sender address A_OSo and the return recipient address A_OPo, for which the sender selects addresses from the preset base as the return sender address A_OSo and the return recipient address A_OPo and stores them; when forming the information message packet the sender includes the return sender address A_OSo and the return recipient address A_OPo in the original data packet; after converting the encoded data packet into TCP/IP format the previously stored current sender address A_TO and recipient address A_TP are included in it; after transmitting the information message packet from the sender to the recipient, the sender replaces its previously assigned current address A_TO with the previously stored return sender address A_OSo; after the recipient separates the encoded data from the received information message packet and decodes them, the return sender address A_OSo and the return recipient address A_OPo are extracted from the decoded data and stored as the current sender address A_TO and recipient address A_TP, after which the recipient replaces its current address A_TP with the new recipient address A_OPo extracted from the decoded data; the recipient then forms information about the return sender address A_OSp and the return recipient address A_OPp, for which the recipient selects addresses from the preset base as the return sender address A_OSp and the return recipient address A_OPp and stores them; the recipient forms a notification message packet, for which an original packet containing an acknowledgement of receipt of the information message packet is formed and an intermediate packet is formed by including the return sender address A_OSp and the return recipient address A_OPp in the original data packet; the intermediate data packet is encoded and converted into TCP/IP format, the previously stored current sender address A_TO and recipient address A_TP are included in the packet, and the formed notification message packet is transmitted from the recipient to the sender, after which the recipient replaces its current address A_TP with the previously stored return recipient address A_OPp; the sender receives the notification message packet, extracts the sender address A_TO and recipient address A_TP from it and compares them with the return sender address A_OSo and the return recipient address A_OPo previously stored by the sender; if they do not match, the received notification message packet is not analysed, and if they match, the encoded data are extracted from the received notification message packet and decoded, the return sender address A_OSp and the return recipient address A_OPp are extracted from the decoded data and stored as the current sender address A_TO and recipient address A_TP, and the current sender address A_TO is replaced with the new sender address A_OSp extracted from the decoded data; after which the sender again forms information about the return sender address A_OSo and the return recipient address A_OPo.

2. The method according to claim 1, characterized in that the number N of sender addresses and the number S of recipient addresses are chosen in the range N = 10 to 256, S = 10 to 256.

3. The method according to claim 1, characterized in that the values of the return sender address A_OSo and the return recipient address A_OPo at the sender, and of the return sender address A_OSp and the return recipient address A_OPp at the recipient, are chosen randomly.

4. The method according to claim 1, characterized in that the values of the return sender address A_OSo and the return recipient address A_OPo at the sender, and of the return sender address A_OSp and the return recipient address A_OPp at the recipient, are chosen by a predetermined algorithm.
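Claims 1 to 4 describe the first variant, in which the next address pair is never visible on the wire: it travels inside the encoded payload, each side switches to it immediately after transmitting, and each received header is checked against the pair the side expects before anything is decoded. The Python below is an added example for this page, not the patent's code: it runs the information/notification round trips of claim 1 with either a random choice of return addresses (claim 3) or a fixed walk through the bases (claim 4; the walk itself is an assumption), records the header pairs a passive observer would see, and checks that a replayed earlier packet is dropped without analysis once both sides have moved on. The XOR coder, the length-prefixed serialisation of the two return addresses into the original data packet, the logical (sender, recipient) order of the header fields in both directions, and the sample bases are all assumptions.

```python
"""Exchange of claim 1 (variant 1): the addresses for the next hop travel
inside the encoded payload. Every information packet carries the sender's
return pair (A_OSo, A_OPo), every notification carries the recipient's pair
(A_OSp, A_OPp); each side switches to the pair it just announced as soon as
it has transmitted, and checks each received header against the pair it
expects, so a stale or replayed header is dropped unanalysed.

Added example, not the patent's code. Assumed: the toy XOR coder, the
length-prefixed serialisation of the two addresses into the original data
packet, the constructed bases, and the two pickers (random for claim 3, a
fixed walk through the bases for claim 4).
"""
import random
from typing import Callable, List, Optional, Tuple

Pair = Tuple[str, str]
Picker = Callable[[List[str], List[str]], Pair]
KEY = 0x5A  # constructed key for the toy XOR coder standing in for block KD 3.4


def code(data: bytes) -> bytes:
    """Toy coder/decoder; XOR is its own inverse, so one function serves both."""
    return bytes(b ^ KEY for b in data)


def pack(ret: Pair, body: bytes) -> bytes:
    """Original data packet: length-prefixed return addresses followed by the data."""
    a, b = ret[0].encode(), ret[1].encode()
    return bytes([len(a)]) + a + bytes([len(b)]) + b + body


def unpack(data: bytes) -> Tuple[Pair, bytes]:
    """Inverse of pack(): split the decoded packet back into (return pair, data)."""
    n = data[0]
    m = data[1 + n]
    return (data[1:1 + n].decode(), data[2 + n:2 + n + m].decode()), data[2 + n + m:]


def random_picker(rng: random.Random) -> Picker:
    """Claim 3: return addresses chosen at random from the bases."""
    return lambda s_base, r_base: (rng.choice(s_base), rng.choice(r_base))


def cyclic_picker(start: int) -> Picker:
    """Claim 4: a predetermined algorithm (assumed here: walk both bases from index `start`)."""
    step = [start]

    def pick(s_base: List[str], r_base: List[str]) -> Pair:
        k, step[0] = step[0], step[0] + 1
        return s_base[k % len(s_base)], r_base[k % len(r_base)]
    return pick


class Side:
    """One end of the channel. `own` is the index of this side's own address in
    the (sender, recipient) pair: 0 for the sender, 1 for the recipient."""

    def __init__(self, s_base: List[str], r_base: List[str], initial: Pair, own: int, pick: Picker):
        self.s_base, self.r_base, self.current, self.own, self.pick = s_base, r_base, initial, own, pick

    def my_address(self) -> str:
        """The address this side has currently set on its router."""
        return self.current[self.own]

    def transmit(self, body: bytes) -> Tuple[str, str, bytes]:
        """Pick the return pair, carry it in the encoded payload under the current
        header pair, then switch to the return pair (sender: A_TO -> A_OSo,
        recipient: A_TP -> A_OPp). The header holds the channel's logical
        (sender, recipient) pair in both directions (assumed)."""
        ret = self.pick(self.s_base, self.r_base)
        pkt = (self.current[0], self.current[1], code(pack(ret, body)))
        self.current = ret
        return pkt

    def accept(self, pkt: Tuple[str, str, bytes]) -> Optional[bytes]:
        """Compare the header with the stored pair; on mismatch do not analyse the
        packet. On match decode and adopt the carried pair as the current pair."""
        src, dst, enc = pkt
        if (src, dst) != self.current:
            return None
        ret, body = unpack(code(enc))
        self.current = ret
        return body


def exchange(rounds: int, sender_pick: Optional[Picker] = None,
             recipient_pick: Optional[Picker] = None) -> dict:
    """Run `rounds` information/notification round trips and report what each
    side decoded, the header pairs a passive observer saw, whether a replay of
    the first information packet is still accepted, and the final state."""
    rng = random.Random(1)
    s_base = [f"10.0.0.{k}" for k in range(1, 6)]  # constructed base, N = 5
    r_base = [f"10.0.1.{k}" for k in range(1, 5)]  # constructed base, S = 4
    initial = (s_base[0], r_base[0])               # A_TO, A_TP stored by both sides
    sender = Side(s_base, r_base, initial, 0, sender_pick or random_picker(rng))
    recipient = Side(s_base, r_base, initial, 1, recipient_pick or random_picker(rng))
    seen, to_recipient, to_sender, first = [], [], [], None
    for n in range(1, rounds + 1):
        info = sender.transmit(b"data %d" % n)     # information message packet
        first = first or info
        seen.append(info[:2])
        to_recipient.append(recipient.accept(info))
        note = recipient.transmit(b"ack %d" % n)   # notification message packet
        seen.append(note[:2])
        to_sender.append(sender.accept(note))
    return {
        "recipient_got": to_recipient,
        "sender_got": to_sender,
        "pairs": seen,
        "replay_rejected": recipient.accept(first) is None,
        "in_sync": sender.current == recipient.current,
        "sender_addr": sender.my_address(),
        "recipient_addr": recipient.my_address(),
    }
```

With the fixed pickers, exchange(4, cyclic_picker(1), cyclic_picker(3)) is deterministic: four round trips put six different header pairs on the wire, both sides end holding the same pair, and a replay of the first information packet is rejected because the recipient has long since moved on. Note what the address comparison does and does not give: a packet with stale addresses is ignored, but nothing in this exchange authenticates the payload beyond that match, so the confidentiality and integrity of the carried pair rest entirely on the coder and its key.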

5. A method for protecting a communication channel of a computer network, in which initial data are preset, including the sender and recipient addresses of the messages; the sender forms an original data packet, encodes it, converts it into TCP/IP format and includes the current sender and recipient addresses in it; the formed information message packet is transmitted to the recipient; the recipient extracts the sender and recipient addresses from the received message packet and compares them with the preset current addresses; if they do not match, the received packet is not analysed, and if they match, the encoded data are extracted from the received message packet and decoded; characterized in that the preset initial data additionally include a base of N sender addresses and S recipient addresses, from which a current sender address A_TO and a current recipient address A_TP are assigned and stored; functions for selecting the current sender address F_N(i) and the current recipient address F_S(i), where i = 1, 2, 3, ..., are specified for the sender and the recipient, in accordance with which a new current address is assigned at the i-th step, and the address-change step numbers are set to one, i_o = 1 and i_p = 1; after transmitting the information message packet from the sender to the recipient, the sender forms information about the new current sender address A_TOi and recipient address A_TPi, for which the sender selects from the preset base, in accordance with the preset functions, the new current sender address A_TOi = F_N(i) and recipient address A_TPi = F_S(i) and stores them as the current sender address A_TO and recipient address A_TP, after which the sender replaces its current address A_TO with the new current sender address A_TOi and increases the number i_o by one (i_o = i_o + 1); after the recipient separates the encoded data from the received information message packet and decodes them, the recipient forms information about the new current sender address A_TOi and recipient address A_TPi, for which the recipient selects from the preset base, in accordance with the preset functions, the new current sender address A_TOi = F_N(i) and recipient address A_TPi = F_S(i) and stores them as the current sender address A_TO and recipient address A_TP, after which the recipient replaces its current address with the new current recipient address A_TPi and increases the number i_p by one (i_p = i_p + 1); after which the sender again forms an information message packet.

6. The method according to claim 5, characterized in that the number N of sender addresses and the number S of recipient addresses are chosen in the range N = 10 to 256, S = 10 to 256.

7. The method according to claim 5, characterized in that the sequence of Fibonacci numbers is used as the functions F_N(i) and F_S(i) for selecting the sender and recipient addresses.

8. A method for protecting a communication channel of a computer network, in which initial data are preset, including the sender and recipient addresses of the messages; the sender forms an original data packet, encodes it, converts it into TCP/IP format and includes the current sender and recipient addresses in it; the formed message packet is transmitted to the recipient; the recipient extracts the sender and recipient addresses from the received message packet and compares them with the preset current addresses; if they do not match, the received packet is not analysed, and if they match, the encoded data are extracted from the received message packet and decoded; characterized in that a maximum number K of unicast packets is preset, a function F_K(i) determining the number Δk of message packets with the same sender and recipient addresses is specified, the numbers of sent and received message packets are set to zero, j_o = 0 and j_p = 0, and the number Δk of message packets with the same sender and recipient addresses is calculated using the function F_K(i); a base of N sender addresses and S recipient addresses is set, from which the initial current sender address A_TO and recipient address A_TP are assigned and stored; then functions for selecting the current sender address F_N(i) and the current recipient address F_S(i), where i = 1, 2, 3, ..., are specified for the sender and the recipient, in accordance with which a new current address is assigned at the i-th step, and the address-change step numbers are set to one, i_o = 1 and i_p = 1; after transmitting a message packet from the sender to the recipient, the sender increases the number of sent message packets j_o by one (j_o = j_o + 1) and compares the number of sent message packets j_o with the preset Δk; if they do not match, the method proceeds to the reception of the message packet at the recipient, and if they match, j_o = 0 is set again, the number i_o is increased by one (i_o = i_o + 1), the next value of Δk is computed, and then the sender forms information about the new current sender address A_TOi and recipient address A_TPi, for which the sender selects from the preset base, in accordance with the preset functions, the new current sender address A_TOi = F_N(i) and recipient address A_TPi = F_S(i), stores the selected sender address A_TOi and recipient address A_TPi as the current sender address A_TO and recipient address A_TP, and then replaces its current address A_TO with the new current sender address A_TOi; after the recipient separates the encoded data from the received information message packet and decodes them, the recipient increases the number of received message packets j_p by one (j_p = j_p + 1) and then compares the number of received message packets j_p with the precomputed value Δk; if they do not match, the method proceeds to the formation of the next message packet by the sender, and if they match, j_p = 0 is set, the step number is increased by one (i_p = i_p + 1), the new value of Δk is computed, and then the recipient forms information about the new current sender address A_TOi and recipient address A_TPi, for which the recipient selects from the preset base, in accordance with the preset functions, the new current sender address A_TOi = F_N(i) and recipient address A_TPi = F_S(i), stores the selected sender address A_TOi and recipient address A_TPi as the current sender address A_TO and recipient address A_TP, and then replaces its current address A_TP with the new current recipient address A_TPi; after which the sender forms the next message packet.

9. The method according to claim 8, characterized in that the number N of sender addresses and the number S of recipient addresses are chosen in the range N = 10 to 256, S = 10 to 256.

10. The method according to claim 8, characterized in that the value of K, the maximum number of unicast packets, is chosen in the range K = 200 to 250.

11. The method according to claim 8, characterized in that the sequence of Fibonacci numbers is used as the function determining the number Δk of message packets with the same sender and recipient addresses.

12. The method according to claim 8, characterized in that the sequence of Fibonacci numbers is used as the functions F_N(i) and F_S(i) for selecting the sender and recipient addresses.

13. A device for protecting a communication channel of a computer network, comprising a local protection segment whose first and second inputs/outputs are connected respectively to a local area network and to a router connected to the Internet, and which contains a base address storage block, a processor, and a coding/decoding block whose information input and output and "password" and "type of transformation" inputs are connected to the corresponding ports of the processor; characterized in that the local protection segment additionally contains an address selection block, blocks of operative storage of the return and current addresses, and first and second network adapters; the control input of the address selection block is connected to the "address" port of the processor, and its x-bit output is connected to the x-bit input of the base address storage block, whose m-bit output is connected to the m-bit input of the block of operative storage of the return address, whose control input and m-bit output are connected respectively to the "return address" request port and the m-bit "return address" port of the processor; the control input and m-bit input of the block of operative storage of the current address are connected respectively to the "current address" request control output and the m-bit "current address" port of the processor, and the m-bit "change current address" input of the block of operative storage of the current address is connected to the m-bit "change current address" port of the processor; the n-bit output and input of the first network adapter are connected respectively to the n-bit "original packet" input and output of the processor, and the "local network" output of the first network adapter is the first input/output of the local protection segment; the p-bit input and output of the second network adapter are connected respectively to the p-bit "information/notification" output and input of the processor, and the t-bit control port of the processor is connected to the t-bit control input of the second network adapter, whose "Internet" output is the second input/output of the local protection segment.

14. A device for protecting a communication channel of a computer network, comprising a local protection segment whose first and second inputs/outputs are connected respectively to a local area network and to a router connected to the Internet, and which contains a base address storage block, a processor, and a coding/decoding block whose information input and output and "password" and "type of transformation" inputs are connected to the corresponding ports of the processor; characterized in that the local protection segment additionally contains an address selection block, a block of operative storage of the current address, and first and second network adapters; the control input of the address selection block is connected to the "address" port of the processor, and its x-bit output is connected to the x-bit input of the base address storage block, whose m-bit output is connected to the m-bit input of the block of operative storage of the current address, whose control input and m-bit output are connected respectively to the "current address" request port and the m-bit "current address" port of the processor; the n-bit output and input of the first network adapter are connected respectively to the n-bit "original packet" input and output of the processor, and the "local network" output of the first network adapter is the first input/output of the local protection segment; the p-bit input and output of the second network adapter are connected respectively to the p-bit "information/notification" output and input of the processor, and the t-bit control port of the processor is connected to the t-bit control input of the second network adapter, whose "Internet" output is the second input/output of the local protection segment.

15. A device for protecting a communication channel of a computer network, comprising a local protection segment whose first and second inputs/outputs are connected respectively to a local area network and to a router connected to the Internet, and which contains a base address storage block, a processor, and a coding/decoding block whose information input and output and "password" and "type of transformation" inputs are connected to the corresponding ports of the processor; characterized in that the local protection segment additionally contains an address selection block, a block of operative storage of the current address, first and second network adapters, a unicast packet counter and a block for selecting the number of unicast packets; the control input of the address selection block is connected to the "address" port of the processor, and its x-bit output is connected to the x-bit input of the base address storage block, whose m-bit output is connected to the m-bit input of the block of operative storage of the current address, whose control input and m-bit output are connected respectively to the "current address" request port and the m-bit "current address" port of the processor; the "unicast packet request" and "reset" control inputs and the s-bit output of the unicast packet counter are connected respectively to the "unicast packet request" and "reset" ports and the s-bit "unicast packets" input of the processor; the "number request" and "start" control inputs and the s-bit output of the block for selecting the number of unicast packets are connected respectively to the "number request" and "start" ports and the s-bit "number" input of the processor; the n-bit output and input of the first network adapter are connected respectively to the n-bit "original packet" input and output of the processor, and the "local network" output of the first network adapter is the first input/output of the local protection segment; the p-bit input and output of the second network adapter are connected respectively to the p-bit "information/notification" output and input of the processor, and the t-bit control port of the processor is connected to the t-bit control input of the second network adapter, whose "Internet" output is the second input/output of the local protection segment.

 

© 2013-2014 Russian business network RussianPatents.com - Special Russian commercial information project for world wide. Foreign filing in English.