Device for protecting information from unsanctioned access for computers of informational and computing systems

FIELD: computer engineering, possible use for trusted loading of a computer and for protection from unsanctioned access to information, which is stored in personal computers and in computerized informational and computing systems.

SUBSTANCE: device contains controller for exchanging information with external information carrier, controller for exchanging information with computer, processor for identification and authentication of users, blocks of energy-independent memory, module for blocking common control bus and exchanging computer data when an attempt of unsanctioned access to it is made, power management device, block of interfaces of external devices, module for blocking external devices, energy-independent flash memory, hardware indicator of random numbers, microcontroller of sensors of opening and extraction of computer components, random-access memory device, where introduced additionally to identification and authentication processor are module of constant user authentication, module for checking integrity and conditions of hardware components of protection device, module for controlling load on switches of hardware encoder, module for controlling network adapters, module for interaction with system for delimiting access and module for interaction with servers of informational and computing system.

EFFECT: expanded functional capabilities and increased efficiency of protection of information from unsanctioned access.

1 dwg

 

The invention relates to the field of computer technology and is intended for trusted boot your computer and protect against unauthorized access to information processed and stored in personal computers and in computer information and computing systems. Using it will allow you to obtain a technical result increased functionality of the device and increase the efficiency of protection of this information, including the highest level of confidentiality, up to the level of "top secret".

A device Dallas Lock 5.0 (manufacturer LLC "Fiduciary"), which is a hardware and software system for the protection of the resources of a personal computer from unauthorized access and containing external media-identifying information of the user with a remote contact node, module identification and authentication of users before loading the operating system (OS), a block of non-volatile memory in which are recorded the user's credentials, the module locks when attempting unauthorized access thereto, the registration module attempts unauthorized access to a special "log" on the hard disk of the computer module Keylock at boot time, as well as modules access user files and folders and file-integrity monitoring. The hardware device to perform the Jena cards, installed in slot PCI or ISA computer. As an external storage medium uses the ID of the Touch Memory or electronic Proximity card.

This device is a hardware-software modules trusted download (APMJ) type "E-lock" (EZE) vypolnjaet a set of standard functions, characteristic of devices of this class:

- registration of each user in the system, checking his personal ID and password;

- lock your computer if you log in unregistered user;

- check the events in the system log;

- monitoring the integrity of important user and system files, including OS.

- prevent unauthorized boot from external removable media.

Dallas Lock 5.0 provides protection of confidential information at the level of the 3rd protection class in accordance with the certificate of gasteromycete. The device can operate only in the Windows NT 4.0 environment. The functions of identification and authentication of users and all operations associated with the key information, as well as the logging of events is handled by the processor of the computer, and not EZ, which gives the attacker the possibility of introducing a system of special software "bookmarks"that can make unauthorized access to the data or their modification. Storing log unauthorized access attempts is on the hard drive and not on the EZ Board that does not guarantee protection log entries from modification. In addition, the device supports a limited number of file systems (only FAT and NTFS) and does not allow interaction with other subsystems, in particular, does not provide the possibility of switching external devices.

Broader functionality and increased efficiency of computer information protection from unauthorized access has EZ "Shield" (the manufacturer of the FSUE Concern "Systemfrom", see patent RU No. 2212705, CL G06F 12/14, 24.01.2002,, publ. 20.09.2003,). The device comprises an external storage medium, made in the form of non-volatile memory unit is reading data from external media controller information exchange with the external medium, which provides identification and authentication of the user, and located on a common Board permanent memory (ROM) BIOS extensions, the controller exchange information with a computer connected to its common control bus and data exchange, the device locks the shared bus, the power control and four blocks of non-volatile memory that store the user's credentials, the event log, settings EZ and the time interval of the lock e is M from its incorporation to transfer control to the program of expansion BIOS respectively.

The known device provides better protection against unauthorized access through the implementation of a number of additional functions and placement of critical data and settings on the Board EZ additional blocks of nonvolatile memory. In particular, the placement on the Board EZ utility data used in the organization of user access to information stored on computers, secure storage of these data. Introduction monitoring device power supply bus controller to lock the shared bus computer provides the attack with power failures.

However, this device does not provide security programs perform identification and authentication of users by providing access to information stored on computers, and does not allow interaction with other subsystems and devices that implement the security feature that limits its functionality and reduces the effectiveness of computer information protection from unauthorized access. Indeed, in the known device the functions of identification and authentication of users and all operations associated with the key information, as well as the logging of events is handled by the processor of the computer. In these circumstances, of registered users who have malicious intent, get POS of the activity implementation in the system of special software "bookmarks", who can perform when working with other registered users of different actions, including intercept sensitive data and save them in the computer "Poste restante".

Closest to the present invention is a protection device against unauthorized access to information stored on a personal computer in which the program identification and authentication of users is performed in a trusted environment using a processor identification and authentication, which is located on the motherboard of the device (EZ Shield-M"manufacturer FSUE Concern "Systemfrom", see patent RU No. 2263950, CL G06F 12/14, 28.11.2003,, publ. 27.05.2005,).

The known device comprises an external storage medium, made in the form of non-volatile memory unit is reading data from external media controller information exchange with external media located on a common Board permanent memory (ROM) BIOS extensions, the controller exchange information with a computer connected to its common control bus and data exchange, the device locks the shared bus, the power control processor identification and authentication input/output data exchange which is connected to the input/output data exchange controller of exchange of information with external media control the third output is connected to input device blocking the common control bus and data exchange computer, and the signal input - output device power control, and four blocks of non-volatile memory that store the user's credentials, the event log, settings EZ and the time interval lock the computer from its incorporation to transfer control to program the BIOS extensions.

Running programs identification and authentication of users in organizing their access to the information stored on your computer in a trusted environment using a processor identification and authentication, located on Board the EZ provides security programs and authentication identification and increases the effectiveness of information protection from unauthorized access.

However, the known device does not have a sufficient level of functionality to protect against unauthorized access to information stored and processed on a computer, and does not provide sufficient protection efficiency. Indeed, in the known device does not have hardware random numbers generator (RNG), which provides reliable conversion cryptographic information and the generation of encryption keys and the authentication information of the user (AIP), there is provided the multiplayer mode of operation with the remote control required for EZ intended to protect information with a high level of privacy, not ealized check the hardware components of the protection device. In addition, verification is only one time interval, critical for the start-up procedure EZ and boot the computer after turning it on, namely, the interval from the moment of turning on the computer before transferring control to the program BIOS extensions. However, EZ there are several critical periods of time (when possible unauthorized human intervention in the start-up procedure), in addition to this, in particular, the time the user logs into the system (at this time there is the expectation and user password), time to load encryption keys, time to start the authentication procedure, the time to run the shell EZE (from the date of completion of the authentication program to run the program integrity control system), the time the shell EZ, time to full readiness EZ and others

It should also be emphasized that one of the current requirements for the systems of information protection from unauthorized access is to provide comprehensive protection that involves the interaction of the access device to the computer with other means of protection (encryption, access control, device lock, etc. and organizing a unified hardware-software complex protection of information from unauthorized access on the basis of existing remedies. To implement this task, the desired system module, ensure the surrounding the relationship and interaction between components of a system of comprehensive protection. The security device to perform the functions of a backbone module should have interfaces for interaction with other means of protection, as well as additional locks, reliability and effectiveness of the protection. It is also desirable for critical operations associated with the control and processing of information in the interaction of remedies, was carried out in a secure environment on a common circuit Board (in its own RAM EZ), and not in the RAM of the computer and when using your own trusted OS.

In addition, the protection device must take into account new trends in the development of computing systems. In particular, at present has become a popular remote control and remote access, as well as developing technology "thin client". These areas have more stringent requirements to the means of information protection.

The remote access allows the user to enter an organization's network from a computer that is outside it, and ON the remote control allows you to solve problems on a remote computer, to carry out its administration. If this serious problem is the risk of unauthorized access to the network, and hence the need to have reliable mechanisms and means of authentication and user rights restriction.

Those who min thin client (TC) refers to a specific software product, which allows you to use a remote computer on a low-speed channel as a terminal, which may be missing the hard drive and own software. Software download is performed from the server. Information processing is performed on the application server and between the server and the client computer are transmitted only to the code of the key pressed and the screen changes. When creating information systems, computer-based technology TC is the most important security issue, since it is necessary to protect both the workplace TC (terminal TC)and the server part and the communication channel. One viable solution is the use of safety devices, providing reliable authentication mechanisms and identification, and the use of a trusted OS.

To eliminate these drawbacks of the prototype, the device of the trusted boot your computer and protect against unauthorized access to information stored and processed on it, you need to enter hardware and software modules that enhance the functionality level to protect against unauthorized access and effectiveness of protection.

The technical result of the invention is to improve the functionality of your device trusted boot and effectiveness of protection against unauthorized access to information stored and processed in the computer and the computing system, by introducing the structure of the device hardware and software units that provide its interaction with other means of protection, the possibility of limiting and controlling access to hardware and software components of the computer and the protection device, efficient and reliable lock the computer at various unauthorized actions, and perform the most critical operations directly in the protection device.

Thanks to this functionality, the proposed device is a trusted boot and protection from unauthorized access of stored and processed information will be able to perform strategic functions, and on its basis it will be possible to build a comprehensive system to protect your computer.

The technical result is achieved by the fact that in the known device information protection from unauthorized access to computers, information and computing systems that contain controller information exchange with external storage media, the controller exchange information with a computer, processor identification and authentication of users, regardless of the CPU, the blocks of the nonvolatile memory with the user's credentials, the device settings and e-journal module blocking the common control bus and exchange Yes the local computer when you attempt to gain unauthorized access to it, as well as power control, entered the block interfaces to external devices, including the inter-module interface hardware encoder and the interface control network adapters, the module block external devices, including device lock and hard disk management, electromagnetic latch on the chassis, the signals RESET and POWER of the computer non-volatile flash memory storage units, a trusted operating system software integrity control device components, remote administration, and device management, monitoring of all critical time intervals of the start-up procedure and boot, client side SOFTWARE "thin client", a hardware random number sensor, the microcontroller of the sensor opening and extraction components of the computer with its own independent power supply, random access memory, and part of processor identification and authentication have been added to the streaming module user authentication, the module checks the integrity and condition of the hardware components of the protection device, the management module load keys hardware encoder, the control module network adapters, module interaction with the system access control and module interaction with servers in ormation computing system.

As a result of the applicant's analysis of the prior art, including searching by the patent and scientific and technical information sources and identify sources that contain information about the equivalents of the claimed technical solution was not detected source, characterized by signs, identical with all the essential features of the claimed technical solution. The definition from the list of identified unique prototype, as the most similar set of features analogue, has allowed to establish the essential towards perceived by the applicant to the technical result of the distinctive features of the claimed device trusted boot your computer and protect against unauthorized access to information stored and processed on it, set forth in the claims. Therefore, the claimed technical solution meets the criterion of "novelty".

Conducted by the applicant additional search revealed no known solutions containing characteristics that match the distinctive features of the prototype of the features of the declared device of protection against unauthorized access to information stored and processed on computers. The claimed technical solution is not apparent to the expert in the obvious way from the prior art and is not based on the variation of quantitative traits. Therefore, the claimed technical solution appropriate esthet the criterion of "inventive step".

The drawing shows an electrical structural diagram of one of the possible variants of the device of the trusted boot your computer and protect against unauthorized access to information stored and processed on it, which is set on a standard slot PCI bus of the computer.

The protection of information from unauthorized access to computers, information systems, computer-contains the total charge 1 placed on it by the controller 2 of the exchange of information with a computer, processor 3 identification and authentication of users (security processor), a control module and block 4 devices, block 5 interfaces to external devices module 6 blocking external devices, non-volatile flash memory 7 and EEPROM memory 8, a hardware RNG 9, additional random access memory device (RAM) 10, a power control 11, the microcontroller 12 of the sensor opening and removing components of a computer with its own independent power source 13 sound unit 14 and unit 15 for selecting the mode of operation of the device. The device connects to the shared bus control and data exchange 16 of the computer, hardware components of the device are connected through line local bus 17.

The microprocessor security 3 contains a number of software modules, providing " the protective functions of the device: the module 18 of the identification and authentication of users, implements additional function compared with the prototype, a permanent user authentication module 19 verify the integrity of the contents of the flash memory 7, the module 20 diagnostics of components of the device, the module 21 managing network adapters, the module 22 of device setting module 23 controls the loading of the key information, the module 24 support interaction with a system of differentiation of access installed on the computer, the module 25 support interaction with the server.

Unit 5 interfaces to external devices includes a universal interface RS232 or RS485 (option 26) for connecting external devices, for example, reader cards or biometric identifier, the interface 27 ID Touch Memory (electronic tablet), USB interface 28 for the USB ID (type eToken, ruToken, etc.), module-to-module interface 29 for connection to other hardware protection and communication with them, for example, with the device cryptographic data (UCSD), and the interface 30 managing network adapters that allow you to manipulate and form a secured local network, or on the contrary, to block (disable) the protected computer from the network.

Module 6 block external device includes an optional computer lock: the device (interface) 31 lock and manage hard and drives on your computer (access to hard disk drives), the device (interface) 32 blocking and control electromagnetic latch on the chassis, the device (interface) 33 blocking and control the RESET signal (reset), the device (interface) 34 blocking and control signal POWER of the computer (lock on power). Through the control module and the lock 4 and the controller 2 also implements a lock of the shared control bus and data exchange 16 computer (i.e. similar to the prototype module 4 performs the functions of the module lock control bus and computer data exchange). Management of all locks shall microprocessor security 3 associated local bus 17 with the control module and lock 4.

In the non-volatile flash memory 7 contains the following memory blocks: block 35 with integrity unit components unit 36 with the list of monitored hardware and software objects, block 37 with a remote device management unit 38 controls all critical time intervals of the start-up procedure and boot block 39 with a trusted OS (as a trusted OS can be used stripped-down versions of MS DOS, Linux, Windows CE and others, which may be pre-defined security settings of users), the block 40 with the client part ON "thin client". Because in non-volatile flash memory 7 is kept ON, running on the Central processor of the computer, access to this memory can be performed by the microprocessor of the security 3, and the CPU of the computer (but with permission of the microprocessor security 3).

In the non-volatile EEPROM memory 8 posted: block 41 BIOS extensions, electronic journal 42 registration of all events, block 43 with a user account and block 44 with the settings and keys of the remote control. Access to this memory is performed only by the microprocessor 3.

In its own RAM device 10 performs the operations of identification and authentication of users, working with key information, control external devices, check the integrity of the internal protection devices, interaction with servers remote management (in particular, when working in architecture thin client - server protection and control terminals TC) and other critical operations.

The protection of information against unauthorized access to computers, information systems, computer-scheme drawing operates as follows.

Before using the computer protection device (card device is installed in a free slot of the shared bus computer, for example, PCI) and pre-installed on it BY interaction with other means of protection (part of the software may condition yavlyaetsya optional by customer) perform user registration, why using a system of protection against unauthorized access to log files record variables and control information that defines the access rights of each user to computer resources:

- in the module 36 flash memory 7 to the list of monitored objects (list of protected from modification programs, including the operating system, and files, as well as the full path to each monitored file and/or the coordinates of each of the boot sector (the name of the starting program for this user), and also a table of control vectors of controlled objects (checksum values or the calculated value of the hash function protected from changes to files or boot sectors of the hard disk);

- in module 38 flash memory 7 is controlled intervals, the start-up procedure, including two major (time to load encryption keys and time the user logs into the system (waiting and password) - the interval between the start of the program user authentication and log it into the system), and eight additional (time intervals between removal of the RESET signal (lock) of the computer running the 1st part of the BIOS protection device, start 2nd (main) part of the BIOS, run the program user authentication, time to change the password, the time interval between the completion of the program authentication of the user is La and run the program system integrity, the time interval for the program integrity control system, the time to complete unit ready interval of time to the successful completion of its initialization);

- in module 43 EEPROM memory 8 - credentials of all users of this computer (name (registration number) of the user for credentials (user access rights, each user can have its own set of rights), serial number, key media user, standard for user authentication, the control vector (image) password, the password expiry user, the number of allowed failed login attempts and other);

- in module 44 EEPROM memory 8 - configuration data and the keys of the remote control;

- in the module 22 of the microprocessor 3 - device setup (user list (names and registration numbers), the number of attempts allowed access to the computer, locking mechanisms, and others).

Decisions on all issues related to security, are accepted by the microprocessor security 3, which operates independently of the main processor in a computer embedded in his memory software. In particular, it manages the access to blocks of non-volatile memory in block 43 the non-volatile memory 8 is allowed read/write for the exchange of official information is a function with the application software protection against unauthorized access (block 18), performing user authentication. The access control units 38 and 42 (e-journal) non-volatile memory 7 and 8 respectively, the microprocessor security 3 carries out in collaboration with program expansion BIOS written in the block 41 non-volatile memory 8.

Software protection device consists of two interacting parts - IN microprocessor firmware and performed on the main processor of the computer (software)that is loaded into the computer from the non-volatile memory 7 protection device. ON the microprocessor may not be unauthorized amended as inaccessible from the computer. SOFTWARE running on the Central processor of the computer, working in a potentially hostile environment, and therefore his work and integrity is controlled by the software of the microprocessor security 3 (block 19).

Identification and authentication is carried out at each time the user logs into the system. To do this, when you turn on or restart the computer, boot management initially carried out in normal mode, and then during execution of the BIOS program testing hardware before booting the OS program expansion BIOS protection device, recorded in block 41 non-volatile memory 8, intercepts control is the initial booting stage, it is now possible to perform read/write sectors tracks your computer's hard drive.

At the initial stage of booting the computer after turning it on before transferring control to the program BIOS extensions, written in block 41 non-volatile memory 8, the CPU 3 provides block access to the shared bus control and data exchange computer via the control unit 4 and the controller 2. Information about controlled time intervals in the startup procedure, which is blocking access, the processor 3 receives from the module 38 flash memory 7 via the local bus 17.

After control, the initial load of a computer to program the BIOS extensions, written in block 41 non-volatile memory 8, when interacting with the processor 3 carries out the diagnosis of all components of the device (using the module 20 processor 3)and module 19 of the CPU 3 checks the integrity of software and data, is stored in the flash memory 7 (blocks 35-40 FOR checking the integrity of the controlled object, the controlled object, remote control, data values controlled time intervals in the startup procedure, which is blocking access, own trusted OS and the client part of the software "thin client", respectively).

If the result of the diagnostic errors have been identified in the operation of the device components and/or verify the integrity of software and data identified violations of the integrity of the contents of the flash memory 7, program expansion BIOS written in the block 41 non-volatile memory 8, in cooperation with the CPU 3 displays on the display of computer failure warning device protection from unauthorized access, logon, the user is forbidden, the computer locks up, and in the event log (block 42 nonvolatile memory 8) is the corresponding failure of the device or the violation of the integrity of the contents of the flash memory.

Commit breaches or unauthorized access optionally accompanied by an audible signal of a certain type associated with the nature of the violation, which is implemented by the block 14.

Depending on the configuration of the computer in which you install the device, locking computer can be done by several methods. A concrete method of blocking is determined by settings stored in the internal memory of the device (block 22 of the microprocessor security 3). The primary method of blocking computers that have on the motherboard input for the RESET button is the RESET signal. The closure of the contacts of the RESET button causes a full reset of the computer, and while the contacts are closed, the computer does not work, and when they opened, starts to restart your computer. To lock the computer on-Board safety devices installed relay (block 33 in module 6). After power up the computer the tera relay remains in the off state and holds the RESET signal of the computer the computer does not start. This continues until the microprocessor 3 of the protection device will not conduct an initial self-testing device. In the case of a successful self-test, the microcontroller includes a relay, it opens the contacts and removes the RESET signal, and then starts the operation of the protection functions of the electronic lock.

In addition to the main channel lock (RESET) the device is used and the backup channel - to lock the PCI bus. When this channel device captures on the PCI bus and blocks it via the control unit 4 and the controller 2, which causes the computer to freeze.

An alternative method of locking your computer is blocking via the POWER button. Mean button software power-down chassis ATC contacts from it goes directly to the motherboard. In case of error, the microprocessor 3 locks the computer through the PCI bus, beeps with an error code, and then includes a relay which closes its contacts conclusions the POWER button (block 34 in module 6), and the computer shuts down.

If the diagnostic results and the integrity check is passed successfully, the program BIOS extensions, written in block 41 non-volatile memory 8, in cooperation with the processor 3 (block 18) provides identification is isolates, what displays on the display of the computer to prompt the user to enter information into the computer with the carrier. Operations of identification and authentication are implemented in its own RAM 10 of the device.

The user installs your media AIP in the appropriate reader. As the carrier AIP can use the ID of the Touch Memory (TM), plastic card, USB-ID, biometric identifier, etc. For reading information to the unit interfaces to external devices 5 connected contact or reader for a specific media AIP, in particular, the contact device TM is connected to the interface 27, reader cards and biometric identifier to the interface 26, and the USB ID to the interface 28.

When presented to the media AIP is not registered in the registration file in block 22 of the processor 3, the program BIOS extensions, written in block 41 non-volatile memory 8, a display of the computer a warning and re-invitation to the identification of the user. After a predetermined unit 22 of the processor 3 number of failed attempts to identify the logged in user is prohibited, and in the event log (in block 42 nonvolatile memory 8) is an attempt unauthorized access to the computer.

In case the, when presented to the media AIP registered in the registration file in block 22 of the processor 3, the program BIOS extensions, written in block 41 non-volatile memory 8, in cooperation with the block 18 of the processor 3 performs the authentication of the user before displaying on the computer display a prompt asking you to enter your password from the computer's keyboard.

After the user enters a password, the microprocessor security 3 (block 18) determines the entered password and compares it with the reference image of the password registered in the block 43 non-volatile memory 8.

When controlling image submitted password does not match with the registered unit 43 nonvolatile memory 8 or overdue reserved for a password, time, program expansion BIOS written in the block 41 non-volatile memory 8, in cooperation with the block 18 of the CPU 3 displays on the computer display a warning and repeated the invitation to conduct user authentication. After a predetermined unit 22 of the processor 3 number of failed authentication attempts login the user is forbidden, and in the event log (in block 42 nonvolatile memory 8) is an attempt unauthorized access to the computer.

When the controlling image of the presented password is the same as for registrirovannix in block 43 the non-volatile memory 8, program expansion BIOS written in the block 41 non-volatile memory 8, in cooperation with the block 18 of the CPU 3 checks the integrity of the controlled objects for this user using software that is stored in the block 35 flash memory 7. For this specified calculates the values of the control vector objects (checksum values or values in the hash funktsii files and/or boot sectors of the hard disk of the computer, entered in the list of monitored objects placed in the block 36 flash memory 7, and then compares the obtained values with the corresponding values of the control vectors, listed earlier in the table of control vectors of controlled objects stored in the block 36 non-volatile memory 7. When checking the integrity of the controlled objects using the trusted OS is loaded into the computer from the block 39 flash memory 7 protection device.

When the discrepancy between the calculated values of the control vector objects for this user with the corresponding values of the control vectors, stored in the block 36 non-volatile memory 7, BIOS extensions, written in block 41 non-volatile memory 8, in cooperation with the block 18 of the processor 3 denies the user access to the computer, launch the computer's operating system is also prohibited.

When sempadan and calculated values of the control vector objects for this user with the corresponding values of the control vectors, stored in the block 36 non-volatile memory program. BIOS extensions, written in block 41 non-volatile memory 8, in cooperation with the block 18 of the processor 3 will allow the user access to the computer, it is also permitted to run the computer's operating system.

Next, the program BIOS extensions, written in block 41 non-volatile memory 8, in cooperation with the block 18 of the processor 3 prohibits unauthorized boot from removable media (floppy, CD-ROM and others) by blocking access to readers respective speakers when the computer starts.

After this program BIOS extensions, written in block 41 nonvolatile memory 8, and passes control to the native hardware-software means of the computer to shutdown BIOS, boot from the hard disk.

Upon successful completion of the OS restores the device access read removable storage special program-driver, part of the system of protection against unauthorized access.

After a user logs into the system and boot in the course of further operation of the user device security software implements a number of additional features that enhances the functionality of your device trusted boot and the effectiveness of protection against unauthorized access to information stored and processed on a computer is Tere, and allows you to use your device as a backbone module.

First, the processor module 18 3 implements an additional function, not only effecting one-time user authentication when logging into the system, but further (continued) authentication, controlling thereby being permitted user of the computer. In the simplest case, it is not allowed to retrieve the identifier from the reader, otherwise the computer locks up. There is periodic after a certain period of time) survey ID verification information, authenticating the user and the device itself. In case of discrepancy read information to the control values, the computer is locked. Finally, through the respective interfaces of block 5 for continuous authentication can be used from the external device identification and authentication, such as biometric devices, lack or mismatch signal which also locks the computer. The presence of the channel constant authentication is necessary for exception of the substitution of the registered user during system operation. In the existing device authentication is performed one time only at logon when the computer is turned on, if the media AIP is not used which can be extracted from the reader. Further control over the user's operation is not performed, and work can anyone.

The presence of inter-module interface 29 enables communication devices with other hardware and software protection tool, for example, the device cryptographic data (UCSD). The device security using unit 23 of the CPU 3 provides control of the loading of encryption keys in UCSD, except getting the encryption keys in RAM of the computer. All necessary calculations thus are held in memory device 10, which completely eliminates the possibility of interception, encryption keys or interference in the boot process in UCSD key information.

Through the interface 30 is a communication device with the network adapters. The device consists of a microprocessor 3 module 21 managing network adapters with which you can connect your computer to a local network or disconnected from, that allows to create a local workstation and a local virtual network. If you are using a cryptographic network adapters (KSA), the proposed protection device allows you to organize a secured local network, the information is encrypted, in this case, as in the case of interaction with UCSD, the security device using the Loka 23 CPU 3 provides control of the loading of encryption keys in KSA through the intermodule interface 29, except getting the encryption keys in RAM of the computer. All necessary calculations thus are held in the RAM 10 of the device, which completely eliminates the possibility of interception, encryption keys or interference in the boot process in KSA key information. If KSA is not loaded keys, KSA is not functioning (it is in a disabled status).

The presence of the microprocessor 3 of the block 24 of the support system access (PSA) provides the unit's interaction with DDS PC, the device transmits in the DDS results of identification and authentication of the user and the ID, eliminating the need to repeat this procedure when running DDS. In addition, in the case of fixing DDS unauthorized access attempts Wed may pass protection device command on the hardware lock your computer or block access to the hard disk, and then the protection device fulfills the function block interfaces 31-34 included in module 6 blocking external devices. In the event log (in block 42 nonvolatile memory 8) is fixed DDS attempt unauthorized access to the computer.

With the help of block 25 in the microprocessor 3 is supported interaction with servers when running in remote administration mode, and when operating in the system, built on the architecture of "thin client".

The presence in the flash memory 7 block 40 with the client part of the software thin client allows you to use the device for terminal TC in protected mode. For mode TC with TC trusted boot the OS from the block 39 flash memory 7 device.

To commit the unauthorized access to the components of the computer and hardware components of the protection system with the purpose of removing or tampering in the protection device includes a microcontroller 12 of the sensor opening and removing components of a computer with its own independent power source 13. The microcontroller constantly monitors the status of sensors, and in the case of actuation of any of them shall register the attempts of unauthorized access to a computer in its own memory. When I turn on the computer registered the attempts of unauthorized access are displayed on the monitor screen, and the computer is blocked for analysis of the status of the components, which have been registered unauthorized access.

The protection device has a separate control channel electromagnetic latch to lock the computer (interface 32 module 6 safety devices). Access to this channel has only a user with administrative functions, and to open the computer case other floor is the user can not.

An important element of protecting your computer from unauthorized access to information stored and processed on it, is the control of access to storage devices of the computer in the first place to the hard drives. In the inventive security device in module 6 of blocking external devices is provided by the locking device and hard disk management 31 providing management access to the hard drives (hardware access) and block (implemented in the device - up to 4 HDD) through the switch used to their interface (e.g., IDE interface, or other interface to external memory devices, in particular, SATA). Configuration management access to the disks is set by the microprocessor 3 (block 22), and the enable signal on the output register is supplied from the control unit 4. So when you disable any of these components, hard drives will be locked (disabled).

The presence of additional channels lock the computer increases the effectiveness of protection. In the proposed device protection key lock provides: lock channel RESET (module 33)when attempting unauthorized access or other emergency situations, the computer begins to restart, lock via the control bus and data exchange 16 of the computer and the lock channel POWER interface (34), when disables the I powered up the computer.

For efficient and reliable lock the computer at various unauthorized actions relays used to control and lock have two duplicate of the contact group, connected in parallel, which reduces the likelihood of recontact. To control the reset signal are normally closed relay contacts that provides lock computer in case of failure of the device (no power supply, failure of a processor, a control unit or controller and other).

The proposed device of protection against unauthorized access to information stored and processed on a computer, may be implemented using known of purchased components.

For example, implemented by the applicant experienced the device instance blocks 2 and 4 and their interfaces implemented on the programmable logic of the PLD (130QC144-3). The microprocessor security 3 is implemented on the chip MSP430F149IPM, module 7 - FLASH-K9F2808UOB, and module 8 - EEPROM-memory S, allowing not less than 106rewriting cycles.

Hardware RNG 9 made in the form of random number generator on noise diodes GB and shaper digital signals LM319.

As the RAM 10 is used chip AS7C3256-15JI (Alliance, SOJ-28).

The power control 11 made in the form of supervisor power TPS3838K33DBVT microprocessor 3, which is controlling the t level voltage +3.3V Century This voltage is generated on-Board safety devices stabilizer LD1117DT-3.3 input voltage +5 V and used to power most of the components, including the microprocessor 3. If the voltage +3.3 V falls below the threshold supervisor, it generates a reset signal protection device. This signal stops the microprocessor 3. After the supply voltage returns to normal, the reset signal is removed, and the microprocessor begins to execute its program with the starting address. Thus the attack with power failures.

The microcontroller 12 of the sensor block components of the computer from intrusion and extraction is implemented on the microcontroller with ultra-low energy consumption and with its own memory for documenting unauthorized access to the components (for example, a series of MSP430 Ultra Low Power Microcontroller). As the power source 13 uses a standard battery. Reading the state of the sensors is carried out via the interface formed on the basis of the resistive assemblies and connectors type WK-8.

Block 14 is a piezoelectric transducer. In violation of the operating modes of the device, as well as attempting unauthorized access to the computer, the sound signal (horn) of a certain type, depending on the nature of the violation, in addition informing emergency sieve the operations in the system audio channel.

Unit 15, which sets the operating modes of the device is a switch SWD1-8.

Block 5 contains interfaces to external devices. The interface 26 is performed on the chip SN75LP185ADW (RS232) or MAX148CSA (RS485 interface) with DB9 connector. To work with intelligent card as an external media AIP can be installed in a dedicated interface on the chip SN74AHC244DW and connector, BH-10. When used as a carrier AIP electronic key of type TM it is connected via the block 27, and there are two ways to connect: an external connector TJ4-4P4C and through internal connector PLS-3. The USB interface 28 is a USB Host Controller, which can be performed on the chip CY7C67300 company Cypress. Module-to-module interface 29 is a serial interface implemented on the chip. SN74AHC125AD and connected via connector WK-R-2. The management interface network adapter 30 is made in the form of key schemes, carrying out enable/disable adapters, logical signals from safety devices is transmitted to the network adapters connectors WK-3. When using cryptographic network adapters communicate with them via the intermodule interface 29, and the adapter disconnects the computer from the network, if it is not loaded keys, or connects, if the key is agrogene. Loading operations of the keys are similar to the interaction device protection with UCSD described above.

Module 6 block external device contains blocks with communication interfaces and connectors for the organization of the channel of interaction with those objects blocking and control. The locking device and hard disk management 31 to control the operation and locking of hard disks, for example, IDE interface, can be performed on the chip SN74HCT574DW provide control switches IDE interface (implemented in the sample protection device supports the connection of up to 4 IDE devices) and connectors WK-R-4, used for connection of the switches IDE interface. The remaining blocks of module 6 contain the locking device and the solenoid latch chassis (block 32), the locking device and the computer control signal RESET (block 33) and nutrition (block 34), which are implemented on the chip SN74AHC125AD, relay TX2-12V and connectors WF-3R and PLD-6. The keys to control the relay and blocking of external devices is performed on the chip ULN2003AD.

On the basis of these components by the applicant implemented a prototype device to protect the information stored and processed on computers from unauthorized access to computer information systems (e-lock KRYPTON Zam is/PCI"). Held by the applicant and the certifying organizations testing the prototype confirmed the possibility of its realization with the achievement of specified positive technical result.

The above data suggest the implementation of the use of the claimed technical solution the following cumulative conditions:

tools embodying the claimed device in its implementation, are intended for use in industry, namely, automated systems of information processing on the basis of a computer for the protection of processed and stored information from unauthorized access;

- for the claimed device as it is described in the independent clause sets out the claims, confirmed the possibility of its implementation using the steps described in the application resources.

Therefore, the claimed technical solution meets the criterion of "industrial applicability".

Using the proposed device protection against unauthorized access to information stored and processed on a computer in a computing system is provided to prevent access to information resources unregistered users by creating for each user closed programmable logic environment.

While located on a common circuit Board 1 device is recession security 3 in collaboration with program expansion BIOS recorded in block 41 non-volatile memory 8, also posted on the General Board 1 devices are not only program of identification and authentication of users, but all critical operations entrusted to the computer to control all critical time intervals when possible unauthorized human intervention in the startup procedure. In addition, all operations associated with the transformation of critical information, in particular carrying out cryptographic operations and key generation encryption AIP, conducted by the security processor 3 in the RAM 10, and not by the CPU in the RAM of the computer, when using a hardware RNG 9, installed on the circuit Board, and a private trusted OS, and achieved a positive result is a reliable execution of the most important protection operations in a trusted environment, which ensures the safety of their implementation and effectiveness of protection against unauthorized access.

Increases the reliability and efficiency of protection of the presence of additional locks implemented with various unauthorized actions. The device is implemented testing its hardware components, provided the multiplayer mode of operation with the remote control required for EZ designed to protect information and with a high level of confidentiality, the possibility of limiting and controlling access to hardware and software components of the computer. In particular, a hardware access to the hard drives, which significantly increases the protection against unauthorized access to information stored on computer hard drives, and also provides management of network interface adapters that allows you to build a secure virtual network or, on the contrary, the hardware to disconnect the computer from the network when processing information with high secrecy, creating a local workstation. When installing KSA, as already mentioned, the inventive security device can provide load management of encryption keys in KSA, except getting the encryption keys in RAM of the computer. The necessary calculations can be carried out in the RAM 10 protection device, which completely eliminates the possibility of interception, encryption keys or interference in the boot process in KSA key information.

In addition, a higher level of functionality and high efficiency of protection of the proposed device are provided by the presence of interfaces with other means of protection (encryption, access control, device lock and others)that allows the use of the claimed device in image quality is as the backbone of the module and build based on it hardware and software systems to protect information from unauthorized access on the basis of existing remedies, that is not achieved with known devices of similar purpose. The device takes into account new trends in the development of computing systems, in particular, provides reliable protection for remote control and remote access, and data-processing systems that use a technology called "thin client".

Thus, due to the wide functionality and performance of the most critical operations directly in the protection device proposed device trusted boot and protection from unauthorized access of stored and processed information can perform a strategic function, and on its basis it becomes possible to build a comprehensive system for effective protection not only of a personal computer (workstation - workstation), but also information and computing systems based on local computer networks, including virtual.

The trusted device download and information protection from unauthorized access to computers, information and computing systems containing the controller to exchange information with a computer, processor identification and authentication of users, regardless of the CPU module lock control bus and data exchange the computer when attempting unauthorized access to, controller information exchange with external storage media, the blocks of the nonvolatile memory with the user's credentials, the device settings and e-magazine, as well as power control, and external main input/output controller to exchange information with a computer connected to the control bus and data exchange computer, its control input connected to the control module output block control bus and data exchange computer, and the internal main entrance/exit connected with line local bus device; inner trunk input/output processor identification and authentication of users via highway local bus devices are connected to the main input/output non-volatile memory and to the input of the module lock control bus and computer data exchange, external main input/output processor connected to the controller information exchange with external storage medium, and the signal input of the processor is connected to the output power control, characterized in that the device entered the block interfaces to external devices, including the inter-module interface hardware encoder and the interface control network adapters whose inputs are connected to an external main inputs/outputs of the processor identification and authentication, and outputs with the inputs of the hardware encoder and network adapters, respectively; module block external devices, including device lock and hard disk management, electromagnetic latch on the chassis, the signals RESET and POWER of the computer, the inputs of which are connected to additional control outputs lock control bus and data exchange computer and the control output of the processor identification and authentication, and outputs to the inputs/outputs of the respective managed and blocking devices; non-volatile flash memory storage units, a trusted operating system software integrity control device components, remote administration and control device, control all critical intervals procedure time startup and boot, client side SOFTWARE "thin client", main input/output which is connected with highway local bus device; a microcontroller of the sensor opening and removing components of a computer with its own independent power source, external inputs of which are connected to the outputs of the respective sensors, and the output to the signal input of the processor identification and authentication; hardware random number sensor the output of which is connected to the input of module b is okidoki control bus and data exchange computer; random access memory, main input/output which is connected through a local bus device with internal trunk input/output processor identification and authentication; and part of processor identification and authentication have been added to the streaming module user authentication module for managing keys hardware encoder and the control module network adapters that implement through the block interfaces to external devices interfacing with external storage media, hardware encoder and network adapters, respectively; the module checks the integrity and status of hardware components safety devices engaged in their diagnosis on the communication channels, internal trunk input/output processor identification and authentication with the components of the device; a module interaction with the system access control, providing information communication processor identification and authentication through the local bus device controller to exchange information with the computer and the control bus and data sharing computer system access control computer; and the module communicate with the server computing system comprising a computer in the remote control mode or "t is nkiye" the client using the software, loaded into system memory from the corresponding blocks of non-volatile flash memory through its main entrance/exit, local bus devices, the controller exchange information with the computer and the control bus and computer data exchange.



 

Same patents:

FIELD: forensic examination of electronic information carriers and, in particular, technology for accessing password-protected information, contained in electronic pocket-books.

SUBSTANCE: in accordance to the invention, code generation block generates a code series, which is injected into electronic pocket-book being examined. Visual control block receives and analyzes information from the screen of electronic pocket-book. Signal from visual control block is received at control block. If the signal from visual control block indicates a wrong password, control block outputs a command to code generation block to generate next code series. If the signal from visual control block indicates correct password, control block outputs a signal which is received by indication block.

EFFECT: possible automation of selection of password for accessing information contained in electronic pocket-books which do not have external interface.

3 dwg

FIELD: protocols for interaction of peer entities of network structure and, in particular, concerns protective infrastructures for protocols of interaction of peer entities.

SUBSTANCE: methods are provided, which suppress capability of malicious node to disrupt normal operation of peer-to-peer network. Claimed methods allow nodes to use both protected and unprotected data about identity, ensuring self-check thereof. Then necessary or comfortable, association of ID is checked by "enclosing" a trustworthiness checking procedure into appropriate messages. Probability of connection to malicious node is initially reduced due to random selection of node with which connection is established. Also, information from malicious nodes is identified and may be discarded by recording information about previous connections, which will require a response in the future.

EFFECT: creation of protection infrastructure for a system with peer-to-peer network structure.

4 cl, 6 dwg

FIELD: protection and management of information access in automated control systems.

SUBSTANCE: in accordance to the invention, commutators for enabling power for individual functional modules of computer are introduced into system, which are determined during setting of electronic key according to identification information, recorded in it.

EFFECT: increased efficiency of information protection, more reliable control of information access.

4 cl, 5 dwg

FIELD: electric communications and computer engineering, in particular, method for ensuring information protection, possible use when it is necessary to protect computer networks from unsanctioned intrusion and access to confidential information.

SUBSTANCE: method for processing network traffic datagrams for delimiting access to informational and computing resources of computer networks is based on such processing of network packets, during which inter-network screen checks network datagrams in accordance to a list of computer network access rules set by operator, records marks in datagrams, which marks correspond to access rules, and then performs transparent relaying of correct datagrams, and at receiver side it lets through or blocks network datagrams in accordance with aforementioned marks provided inside.

EFFECT: creation of mechanism for block actions of malefactor including faking of computer addresses of sender and receiver of network datagrams with simultaneous reduction of computing resources needed to solve the problem of delimiting access to informational and computing resources.

4 dwg

FIELD: engineering of devices meant for protecting informational resources of computer network connected to external information network from unsanctioned access of users and from transmission of messages.

SUBSTANCE: claimed device contains servers with memory blocks, intermediate memory, commutators, connectors, data exchange lines, control block. Aforementioned servers are made in form of a server of computing network and a server of external computing network, which contain additionally introduced checking blocks.

EFFECT: increased degree of protection afforded to interaction of external and local networks and realized registration of all messages transmitted between networks for purposes of logging the exchange of information.

1 dwg

Protected device // 2313122

FIELD: protected devices provided with means to prevent unauthorized usage of content.

SUBSTANCE: device has memory blocks with different levels of protection, software receipt block, which receives the software and corresponding additional information, which is used to determine memory block for storage of received software, finding block for finding memory blocks with free space among memory blocks having level of protection not below the required level of protection, determining block for determining a memory block among found blocks which corresponds to the highest protection level. The data is stored in determined memory block.

EFFECT: ensured capability of loading a software, size of which exceeds capacity of memory area, while ensuring the level of protection required by administrator of the software.

8 cl, 7 dwg

FIELD: devices and methods for controlling content reproduction.

SUBSTANCE: content reproduction device contains an accumulator block, meant for storing a list of source ID and system recognition information, block for taking the decision about reproduction control system, first block for determining possibility of reproduction, meant for taking the decision that reproduction control system represents a first system, about possible reproduction of content, on basis of whether the source ID added to content is present in source ID list, second block for determining reproduction possibility, meant for taking decision in case if it is determined that reproduction control system represents a second system, about possibility of content reproduction, on basis of information about conditions of license usage, enclosed with content, and reproduction realization block, for which a decision was taken about possibility of its reproduction.

EFFECT: control of content reproduction in accordance to a set of methods for controlling copyright.

2 cl, 63 dwg

FIELD: game devices, such as game machines, in particular for methods for ensuring authenticity of game software.

SUBSTANCE: safe smart-card or different safe memory device is inserted into port of controller board positioned inside the game machine. Smart-card is programmed for detection of encrypted "request" from CPU host processor and for dispensing an encrypted "response". If host processor determines that response matches expected characteristics, CPU considers the software to be authentic and game begins. Request-response exchange may be performed before beginning of each game on a machine or at any other time. If the response is wrong, host CPU outputs a command to stop the game. Control of access to appropriately programmed smart-card allows prevention of execution of unauthorized copies of game software by game machine.

EFFECT: prevented unsanctioned changing, copying and unsanctioned usage of game software.

2 cl, 13 dwg

FIELD: methods and systems for checking authenticity of components when using a graphical system, which ensures cryptographic protection of content dispatched through graphic conveyer.

SUBSTANCE: in accordance to the invention, graphic board authentication methods are ensured in relation with the system, which ensures cryptographic protection of content dispatched through graphic conveyer, this way application or device may show to high reliability graphic platform that the application or the device are highly reliable users of graphic platform. Graphic platform may send a message to highly reliable application or device, that application or device may trust the graphic platform.

EFFECT: ensured authentication with usage of highly reliable graphic platform.

4 cl, 18 dwg, 2 tbl

FIELD: protected transmission of data and provision of services in open or closed network options.

SUBSTANCE: in accordance to the invention, safe, stable network connections and efficient network transactions among a set of users are supported by open and distributed client-server architecture. Datagram model is adapted for provision of dynamic commutation of datagrams to support a set of network applications and services. Mobile intellectual data carriers are provided, which make realization of authentication and encoding model possible. Intellectual data carriers are made with possible targeted delivery of applications to authorized users. Authentication and encoding model in one variant of realization is based on physical or working biometry. Methods and systems are meant for usage in network environment of an enterprise for support of broad spectrum of business, research and administrative operations.

EFFECT: increased reliability and flexibility of data transmission in a network.

5 cl, 8 dwg, 3 ann

FIELD: computer engineering.

SUBSTANCE: in accordance to the method, standards of known attacks are set, as well as required coefficients, a set of N support packets is memorized, the graph of data packets addressed to client is observed, incoming data packets are checked for compliance with given rules, and in accordance to these rules a signal is dispatched for activating attack protection measures, before checking whether received data packets match rules, each packet is checked for compliance with fragmentation condition, while for each new type of IP-packet a queue of fragments is created, correctness of fragmentation of each packet in the queue is checked and in case of incorrect fragmentation of any packet in the queue a signal is dispatched to activate attack protection measures, and received fragment and all following and prior fragments of that type are dropped, and then incoming data packets are checked for compliance with defined rules.

EFFECT: improved probability of detection and prevention of remote attacks against automated systems.

4 dwg, 1 tbl

FIELD: encoding of information, possible use in systems for protecting information from unsanctioned access.

SUBSTANCE: device contains bitwise transposition decoder (1), shift register of data (2), double buffer register for accumulation and storage of formatted data (3), control code register (4), clock impulse generator (5), control block (6).

EFFECT: increased speed of transformation of data formats by transposition method with use of control codes.

2 dwg

FIELD: engineering of systems for protecting communication channels, which realize claimed method for user authentication on basis of biometric data by means of provision and extraction of cryptographic key and user authentication.

SUBSTANCE: in accordance to the invention, neither biometric template nor cryptographic user key are explicitly represented in information storage device, without provision of biometric sample and information storage device with a pack stored on it, any cryptographic operations with data are impossible.

EFFECT: creation of biometric access system and method for provision/extraction of cryptographic key and user authentication on basis of biometry, increased key secrecy level, increased reliability, expanded functional capabilities and simplified system creation process.

2 cl, 2 dwg

FIELD: engineering of devices meant for protecting informational resources of computer network connected to external information network from unsanctioned access of users and from transmission of messages.

SUBSTANCE: claimed device contains servers with memory blocks, intermediate memory, commutators, connectors, data exchange lines, control block. Aforementioned servers are made in form of a server of computing network and a server of external computing network, which contain additionally introduced checking blocks.

EFFECT: increased degree of protection afforded to interaction of external and local networks and realized registration of all messages transmitted between networks for purposes of logging the exchange of information.

1 dwg

FIELD: computing systems, possible use for protecting informational resources in corporate networks.

SUBSTANCE: in accordance to the invention, during registration of user, user identifier and user image identifier signals are assigned and memorized, user inputs identifier and creates corporate network access and service request signal, which is transferred into system core, user image identifier signals are read from memory, authentication of user and his image is performed, and, if user access rank signal is equal to or exceeds acceptable rank, signal is generated to permit execution of actions, description of which is contained in service request signal, where during registration of user, number of mobile device and/or identifier of other source of wireless communications given by user is additionally inputted into memory, prior to taking a decision about access to corporate network by user, a password which is active for one session is generated and sent to the source given by user.

EFFECT: increased protection of systems from unsanctioned access.

3 cl, 1 dwg

FIELD: devices and methods for controlling content reproduction.

SUBSTANCE: content reproduction device contains an accumulator block, meant for storing a list of source ID and system recognition information, block for taking the decision about reproduction control system, first block for determining possibility of reproduction, meant for taking the decision that reproduction control system represents a first system, about possible reproduction of content, on basis of whether the source ID added to content is present in source ID list, second block for determining reproduction possibility, meant for taking decision in case if it is determined that reproduction control system represents a second system, about possibility of content reproduction, on basis of information about conditions of license usage, enclosed with content, and reproduction realization block, for which a decision was taken about possibility of its reproduction.

EFFECT: control of content reproduction in accordance to a set of methods for controlling copyright.

2 cl, 63 dwg

FIELD: computer systems and information processing systems.

SUBSTANCE: in accordance to the invention, generation of services of information processing system is performed from a set of functional blocks accessible to user (situated on different servers of system); working information of user is subjected to transformation, unique for each access of user to information processing system, information about storage of user account are is also subjected to unique transformation for given case and stored in other locations of information processing system. In case of repeated access, the user after passing his identification and authentication procedure, provides identifying features known to him, and parts of his working information are called to his workplace.

EFFECT: mobility of user during selection of workplace, communication channels and information storage locations; reliable protection and guaranteed restoration of information in case of accidental loss of its parts; no need to memorize passwords, keys and locations where parts of information are stored.

7 cl, 5 dwg

FIELD: device, software and method for processing a license.

SUBSTANCE: license source block contains a message creation block, meant for creating a message, including a license, manipulation type which determines license processing type between license source block and license assignment block, and block attribute, which determines attribute autonomously. License assignment block for receiving a message, including a license, manipulation type, determining type of license processing between license source block and license allocation block, and block attribute, determining attribute of license source block, and also license processing block, meant for processing of license, received from message receipt block, on basis of manipulation type and block attribute. Methods describe operation of license source block and license assignment block.

EFFECT: expanded functional capabilities due to possible transfer of content during content exchange for limited use of content.

6 cl, 38 dwg

FIELD: processing of applications, in particular, storage of applications in file structure and limiting of access of applications to memory area in computer device.

SUBSTANCE: system for limiting application access to memory area contains means for receiving application in device, means for storage of at least one application in one of areas of device memory and device for limiting application access privilege to other memory area of device depending on access privilege of user to aforementioned device. The application may use part of memory by creating separate file structures in that part, modifying, reading and recording files contained therein. Methods describe operation of aforementioned system.

EFFECT: creation of safe environment for storing applications and limitation of access of certain application to memory areas, unassociated with it.

7 cl, 5 dwg

FIELD: computer engineering, namely, informational computing systems and networks.

SUBSTANCE: system contains user interface, block for filtration of file system, operation system core, buffer, control block, block for processing registration records and block for storing data about file system objects.

EFFECT: ensured trustworthiness of published information concerning objects of file system.

2 dwg

Processor // 2248608

FIELD: computers, data protection.

SUBSTANCE: processor has bus interface device, device for selection/decoding of commands, device for dispatching/execution, program string decoding device, which string is selected from program and loaded in first levels command cash, which contains a set of N two-input elements XOR, keys memory, storing different N-bit decoding keys.

EFFECT: higher efficiency.

2 dwg

Up!