Methods of authenticating prospective members invited to join a group

FIELD: technological processes.

SUBSTANCE: the invention relates to user authentication devices. An inviter, who already belongs to the group, shares a secret password with the invitee. The inviter uses the password to create an invitation, which is then presented to both the invitee and the authenticator. The authenticator creates a challenge key and a challenge value and sends the challenge value to the invitee. Using the password and the information in the invitation, the invitee recreates the challenge key, uses it to derive a response value from the challenge value, and sends the response value to the authenticator. The authenticator compares the response value with the expected value; if they coincide, it is convinced that the invitee can indeed recreate the challenge key, and therefore that the invitee is the party to whom the inviter issued the invitation, and admits the invitee to the group.

EFFECT: an established trust relationship is carried over into an authentication for the purpose of joining the group.

43 claims, 9 drawings

 

Technical field

The present invention relates generally to computer communications and, in particular, to the authentication of prospective members invited to join a network group.

Prior art

In an ad hoc group of computers, each computer directly accesses the other computers in the group and shares computing resources and services with them. Groups of this type put the collective computing power of all members at the service of the whole group. For example, a large computation that requires significant processing power and resources can be distributed among several members, and any member can directly access the results. In addition, groups of this kind allow new members, which previously had no part in the group, to join.

To administer and maintain an ad hoc group, each computer performs one of three roles, each with different powers that determine how that computer may interact with the other members. Under these three main roles, a computer acts as an "owner", an "inviter" or an "authenticator". The owner forms the group and is authorized to perform every action provided for in the group, including inviting a new member, authenticating a new member and thereby admitting it to the group, changing a member's role, and changing the group's information. An inviter has the same powers as the owner except the power to change the group's information. An authenticator can authenticate a prospective new member but is not authorized to invite a new member to join the group.

Security is one of the most important issues in the operation of an ad hoc group. To keep the group secure, a prospective new member trying to join must present evidence-based authentication to an authenticator of the group. The new member repeats the authentication process with each member of the group with which it wants to communicate directly. (A first member may communicate indirectly with a second member to which it is not authenticated by relaying information through a third member to which both the first and the second member are authenticated. Such indirect communication is always possible, but it is not relevant to the subject matter of the present invention and is not considered further.) Unlike a group of fixed composition, an ad hoc group may receive requests to join at any time, so an authenticator is in practice unable to maintain authentication information for every possible prospective member.

Another authentication problem in an ad hoc group is that a prospective new member may wish to communicate with an authenticator that is not authorized to invite a new member to join the group. For example, Alice wants to join the group in order to communicate with the authenticator Bob. Trent is an inviter of the group. Alice receives from Trent an invitation to join the group, but at the moment she wants to be authenticated by Bob, because it is Bob she wants to communicate with. Although Trent trusts Alice (otherwise he should not have invited her), and although Bob trusts Trent and trusts Trent's invitation to Alice, Bob knows nothing about Alice and therefore does not trust her. Before allowing Alice to join the group, Bob needs to "transfer" to Alice his trust in Trent.

An authenticator of the group therefore needs a mechanism for securely transferring its trust relationship with the group's authorized inviters to a prospective member.

The invention

In view of the foregoing, the present invention provides methods by which a computer (the invitee) that has a trust relationship with an inviter of a group, and has received from it an invitation to join the group, builds on that trust to authenticate itself to an authenticator in order to join the group.

The inviter and the invitee share a secret password that must not be known to anyone else. The inviter creates a first public/private key pair by means of a defining function whose input (argument) is the shared secret password. (The function may take other inputs, namely a timestamp and the identities of the inviter, the invitee and the group.) The inviter then issues an invitation. The invitation contains the public key of the first public/private key pair together with the other arguments of the defining function, but not the shared secret password. Using standard cryptographic techniques, the inviter signs the invitation with the inviter's own private key (note: the inviter's own private key has no relation to the first public/private key pair the inviter has just built). The invitation is sent both to the invitee and to the group's authenticator.

To make sure that the invitation was issued by an inviter of the group, the authenticator, which knows the public keys of all the group's inviters, checks the inviter's signature. Having established that the invitation is legitimate, the authenticator attempts to authenticate the identity of the invitee. To do this, the authenticator creates a second public/private key pair. Applying the well-known Diffie-Hellman (DH) theory, the authenticator creates a shared challenge key from the public key of the first key pair and the private key of the second key pair. To check whether the invitee can recreate this shared challenge key, the authenticator generates a challenge value and an expected response value. The challenge value and the expected response value are related to each other by an implementation-dependent operation that uses the shared challenge key. The authenticator delivers the challenge value to the invitee together with the second public key.

On receiving the challenge, the invitee reproduces the procedure performed by the inviter. Using the contents of the invitation and the secret password it shares with the inviter, the invitee recreates the first private key that the inviter created. Then, applying DH theory, the invitee recreates the shared challenge key from the recreated private key of the first key pair and the public key of the second key pair. Having recreated the shared challenge key, the invitee applies the implementation-dependent operation, using that key, to the challenge value it received. The invitee sends the result of the operation to the authenticator as the response value.

The authenticator compares the response value received from the invitee with the expected response value. If they match, the authenticator is satisfied that this is the invitee to which the inviter issued the invitation: the shared secret password is known to no one else, so no one else can correctly recreate the shared challenge key and perform the operation needed to derive the response value from the challenge value. The authenticator then admits the invitee to the group.

Thus the trust relationship between the inviter and the invitee, represented by their shared secret password, becomes the basis for establishing a trust relationship between the invitee and the authenticator. Optionally, the authenticator authenticates itself to the invitee, completing a mutual authentication.

The invitee, once a member of the group, can reuse the invitation to authenticate itself to other members of the group. (The inviter may restrict the use of the invitation by marking it for single use or by setting an expiry date.)

Brief description of drawings

Although the features of the present invention are set out in detail in the appended claims, the invention, its objectives and its advantages are best understood from the following detailed description taken in conjunction with the accompanying drawings, in which:

Fig. 1 is a diagram illustrating an ad hoc group containing an inviter and an authenticator, together with an invitee and an interceptor outside the group;

Fig. 2 is a general diagram illustrating a computer system on which the present invention may be implemented;

Figs. 3a and 3b form a sequence diagram illustrating the messages and operations involved in admitting an invitee to the group, according to one aspect of the present invention;

Fig. 4 is a logical flowchart illustrating the method by which an inviter issues an invitation;

Fig. 5 is a data-structure diagram showing the contents of an illustrative invitation according to one aspect of the present invention;

Fig. 6 is a logical flowchart illustrating the method by which an authenticator checks an invitation and issues a challenge to the invitee;

Fig. 7 is a data-structure diagram showing the contents of an illustrative challenge according to one aspect of the present invention; and

Fig. 8 is a logical flowchart illustrating the method by which the invitee answers the challenge.

Detailed description of the invention

In the drawings, in which like elements are denoted by like reference numerals, the present invention is illustrated as implemented in a suitable computing environment. The following description is based on embodiments of the invention and is not intended to limit the invention with respect to alternative embodiments not explicitly described here.

In the following, the present invention is described with reference to acts and symbolic representations of operations performed by one or more computing devices, unless otherwise indicated. Such acts and operations, sometimes referred to as computer-executed, include the manipulation by the computing device's processor of electrical signals representing data in structured form. This manipulation transforms the data or maintains them in memory locations of the computing device, thereby reconfiguring or otherwise altering the operation of the device in a manner well understood by those skilled in the art. The data structures in which the data are held are physical memory locations with particular properties defined by the data format. Although the invention is described in the foregoing context, this is not meant to be limiting, and those skilled in the art will appreciate that the various acts and operations described can also be implemented in hardware.

The present invention provides a method of authenticating prospective members invited to join an ad hoc group of computing devices. Referring to Fig. 1, the full members of ad hoc group 100 include inviter 102 and authenticator 104. Inviter 102 communicates with a device that is currently not a member of group 100, namely computing device 106 (the invitee). Inviter 102 and invitee 106 have a trust relationship expressed by a secret password they share. On the basis of that trust, inviter 102 invites invitee 106 to join group 100. However, invitee 106 wishes to join group 100 not in order to communicate with inviter 102 but in order to communicate with authenticator 104. Although authenticator 104 may authenticate invitee 106, since invitee 106 has been invited to join group 100, authenticator 104 is not authorized to invite invitee 106 and has no reason of its own to trust it. The present invention provides a method by which the trust of inviter 102 in invitee 106 is transferred to authenticator 104; trusting invitee 106 on that basis, authenticator 104 admits it to group 100.

Malicious interceptors (devices or their operators) often attach themselves to the communication channels of ad hoc groups; groups using wireless technology are particularly susceptible. Having captured the information transmitted while invitee 106 is authenticated, interceptor 108 may try to use it to gain access to group 100. The methods of the present invention are designed to protect group 100 even when all the authentication information, with the sole exception of the secret password shared by inviter 102 and invitee 106, becomes known to interceptor 108. The methods also protect the secret password itself, because authenticator 104 never needs to know it.

Inviter 102, authenticator 104 and invitee 106 of Fig. 1 may be of any architecture. Fig. 2 is a block diagram illustrating, in general terms, an exemplary computer system on which the present invention may be implemented. The computer system of Fig. 2 is only one example of a suitable environment and is not intended to suggest any limitation as to the scope of use or functionality of the invention. Nor should computing device 102 be interpreted as having any dependency on or requirement relating to any component shown in Fig. 2 or any combination of them. The invention is operational with numerous general-purpose and special-purpose computing environments and configurations. Examples of well-known computing systems, environments and configurations suitable for the invention include, but are not limited to, personal computers, servers, hand-held or portable devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, and distributed computing environments that include any of the above systems or devices. In its most basic configuration, computing device 102 typically includes at least one processor 200 and memory 202. Memory 202 may be volatile (such as RAM), non-volatile (such as ROM or flash memory), or some combination of the two. This basic configuration is shown in Fig. 2 within dashed line 204. Computing device 102 may have additional features and functions. For example, it may include additional mass storage (removable or fixed), including, but not limited to, magnetic and optical disks and tape. Such additional storage is shown in Fig. 2 as removable storage 206 and non-removable storage 208.
Computer storage media include volatile and non-volatile, removable and non-removable media implemented in any method or technology for the storage of information such as computer-readable instructions, data structures, program modules or other data. Memory 202, removable storage 206 and non-removable storage 208 are all examples of computer storage media. Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory, other memory technology, CD-ROM, digital versatile disks, other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage, other magnetic storage devices, and any other medium that can be used to store the desired information and that device 102 can access. Any such computer storage media may be part of device 102. Device 102 may also contain communication channels 210 that allow it to communicate with other devices. Communication channels 210 are examples of communication media. Communication media typically carry computer-executable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and include any information delivery medium. The term "modulated data signal" means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media include wired media, such as wired networks and direct-wired connections, and wireless media, such as acoustic, RF, infrared and other wireless media. The term "computer-readable media" as used herein includes both storage media and communication media. Computing device 102 may also have input devices 212 such as a keyboard, mouse, pen, voice input device, touch input device, etc.
Output devices 214 such as a display, speakers and a printer may also be included. All these devices are well known in the art and need not be discussed at length here.

Figs. 3a and 3b show the messages passed and the operations performed by inviter 102, invitee 106 and authenticator 104 in the course of authenticating invitee 106, according to one aspect of the present invention. The two figures give an overview of one embodiment of the invention; further details are given below with reference to Figs. 4-8. In Figs. 3a and 3b time runs downward and continues from the first figure to the second.

This embodiment of the present invention begins at step 300 with inviter 102 and invitee 106 sharing a secret password that must not be known to anyone else. How the password is shared is beyond the scope of the invention; what matters here is that the security of the method rests on this password. If interceptor 108 learns the shared secret password, the security of group 100 is broken.

At step 302 inviter 102 creates an invitation for invitee 106. Inviter 102 generates a first public/private key pair by means of a defining function whose argument (input value) is the shared secret password. To ensure that the invitation is used promptly and only by the proper parties, the defining function may take other arguments, for example a timestamp and the identities of inviter 102, invitee 106 and group 100. Inviter 102 then creates an invitation containing the public key of the first key pair together with the other arguments of the defining function, but not the shared secret password. Using standard cryptographic techniques, inviter 102 signs the invitation with the private key of inviter 102. (Note: the private key of inviter 102 has no relation to the first public/private key pair that inviter 102 has just built.) At step 304 inviter 102 sends the invitation both to invitee 106 and to authenticator 104.

At step 306 authenticator 104 tries to confirm that the invitation was issued by a member of group 100. Authenticator 104, which knows the public keys of all the inviters of group 100, checks the signature of inviter 102 contained in the invitation. Having established that the invitation is legitimate, authenticator 104 attempts to authenticate the identity of invitee 106. For this purpose, at step 308 authenticator 104 generates a second public/private key pair. Applying the well-known Diffie-Hellman (DH) theory, authenticator 104 creates a shared challenge key from the public key of the first key pair and the private key of the second key pair. To check whether invitee 106 can recreate this shared challenge key, authenticator 104 generates a challenge value and an expected response value. The challenge value and the expected response value are related to each other by an implementation-dependent operation that uses the shared challenge key; some examples of this operation are discussed below with reference to Fig. 6. At step 310 authenticator 104 delivers the challenge value to invitee 106 together with the second public key.

On receiving the challenge, invitee 106 at step 312 reproduces the procedure performed by inviter 102 at step 302. Using the contents of the invitation and the secret password it shares with inviter 102, invitee 106 recreates the first private key created by inviter 102. Then, applying DH theory, invitee 106 reconstructs the shared challenge key from the recreated private key of the first key pair and the public key of the second key pair. Having recreated the shared challenge key, invitee 106 applies the implementation-dependent operation, using that key, to the challenge value it received. At step 314 invitee 106 sends the result of the operation to authenticator 104 as the response value.

At step 316 authenticator 104 compares the response value received from invitee 106 with the expected response value it generated at step 308. If they match, authenticator 104 is satisfied that this is the invitee 106 to which inviter 102 issued the invitation: the shared secret password is known to no one else, so no one else can correctly recreate the shared challenge key and perform the operation needed to derive the response value from the challenge value. Authenticator 104 then admits invitee 106 to group 100.

Optionally, authenticator 104 authenticates itself to invitee 106, completing a mutual authentication. The method of Figs. 3a and 3b can be repeated whenever invitee 106 wishes to authenticate itself to another authenticator 104 (unless the invitation is marked for single use or has expired).

The operations illustrated in Fig. 4 show in more detail the steps taken by inviter 102 to create an invitation. At step 300, shown in Fig. 3a, inviter 102 and invitee 106 share a secret password. At steps 400-404 of Fig. 4, inviter 102 generates a first public/private key pair from the shared secret password. In particular, at step 400 inviter 102 passes the shared secret password to a defining function f() as an argument (input value). Many functions can serve as f(); they should return large values that rarely, if ever, coincide for two different arguments. One possible f() satisfying these two criteria is a cryptographic hash function.

Besides the shared secret password, the defining function f() may take other arguments (input values). These additional arguments let the recipients of the invitation establish (1) that the invitation was issued by the proper party to the proper party ("specificity") and (2) that the invitation's period of validity has not expired ("liveness"). For (1), the identifiers of group 100, inviter 102 and invitee 106 can be used as arguments. Liveness information is usually a timestamp indicating when the invitation was issued, or the period during which it is valid (such as "use before ...").

In any case, the return value of the defining function f() is used at step 402 to create the first private key. One embodiment uses the following equation (equation 1):

PrivateKey1 = f(s, ...) mod p,

where

PrivateKey1 is the first private key,

f() is the defining function,

s is the secret password shared by inviter 102 and invitee 106,

... are the optional liveness and specificity arguments of f(), and

p is a large prime number (for security, preferably 512 bits or more).

Then at step 404 inviter 102 generates the first public key associated with the first private key. One embodiment uses the following well-known equation (equation 2):

PublicKey1 = g^PrivateKey1 mod p,

where

PublicKey1 is the first public key corresponding to the first private key PrivateKey1, and

g is a generator for the large prime p (that is, for every natural number x less than p there is a number y such that g^y mod p = x).

At step 406 inviter 102 generates the invitation, which includes the first public key and some of the information used to create it. Fig. 5 shows an illustrative invitation 500. Besides field 502 holding the first public key, invitation 500 contains specificity information, that is, information about who issued the invitation to whom: the inviter identified in field 506 invites the invitee identified in field 508 to join the group identified in field 504. To ensure that invitation 500 can be used only while it is fresh, it includes liveness information, in this case timestamp 510 giving the time at which invitation 500 was issued. The defining function f() is identified in field 512. Note that for illustrative invitation 500 the arguments (input values) of f() used to derive the first private key include the specificity information (fields 504-508), the liveness information (field 510) and the shared secret password; the last of these is not included in invitation 500.

Before issuing invitation 500, inviter 102 performs one more action. At step 408 inviter 102 signs invitation 500 using standard cryptographic techniques. For this purpose inviter 102 takes some or all of the information contained in invitation 500, usually hashes it, and then encrypts the result with the inviter's own private key. The encrypted result is the signature, which is placed in field 514 of the invitation. The private key of inviter 102 is known to no one else. Note again that the private key of inviter 102 has no relation to the first public/private key pair generated at steps 400-404.

At step 304 inviter 102 publishes invitation 500, making the information it contains available both to invitee 106 and to authenticator 104. Note that invitation 500 need not take the form of a discrete message. The information in the invitation can be published in numerous ways, such as sending it as a message, placing it in a known accessible store, or agreeing some of it in advance. The last case is illustrated by the defining function f() with its associated prime and generator, which may be part of the common standards of group 100 and therefore need no separate publication. Note that whatever means of publication is chosen, the information contained in invitation 500 is assumed to be available to interceptor 108. The methods of the present invention, described in more detail below, are designed to prevent interceptor 108 from using this information to gain admission to group 100 and thereby breach its security.

The sequence of operations depicted in Fig. 6 illustrates in more detail the steps by which authenticator 104 issues an authentication challenge in response to invitation 500. Authenticator 104 obtains invitation 500 in one way or another: perhaps invitee 106 or inviter 102 sends invitation 500 to authenticator 104, or authenticator 104 checks an accessible store in which, by agreement, a copy of the invitation is placed. In any case, at step 306 authenticator 104 checks invitation 500. This check has two parts. First, authenticator 104 checks the specificity and liveness information, if any, contained in the invitation. For illustrative invitation 500, authenticator 104 checks field 504 to make sure that invitation 500 is presented for admission to the right group 100. Field 506 must contain the identifier of an inviter 102 that authenticator 104 knows to be authorized to invite new members to join group 100. Invitation 500 must be presented to authenticator 104 by the invitee 106 identified in field 508. Finally, authenticator 104 checks timestamp 510 to determine whether invitation 500 is still valid. If any of these conditions is not satisfied, authenticator 104 rejects invitation 500 and takes no further action.

In the second part of the check of invitation 500, authenticator 104 uses standard cryptographic techniques to verify signature 514. In particular, authenticator 104, which knows the public key of every inviter of group 100, decrypts signature 514 using the public key of inviter 102 (identified in field 506 of invitation 500). (Note again that the public key of inviter 102 has nothing to do with the public key contained in field 502 of invitation 500.) If the signature was generated directly from the other data of invitation 500, authenticator 104 compares the decrypted signature with the information contained in the fields of invitation 500. If, as is more likely, signature 514 was formed by hashing the data of invitation 500, authenticator 104 recomputes the hash of the data of invitation 500 and compares the resulting hash with the decrypted signature. In either case, a match assures authenticator 104 that invitation 500 was indeed issued by the inviter 102 identified in field 506. This follows from the fact that no one but inviter 102 knows the private key corresponding to the public key of inviter 102, and therefore no one else can create a signature 514 that withstands verification by decryption with the public key of inviter 102. If signature 514 fails verification, authenticator 104 rejects invitation 500 and takes no further action.
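The following is an added example, not code from the patent, that carries steps 400-408 of Fig. 4 (deriving key pair 1 from the password, building invitation 500 with fields 502-514) and the two-part check of step 306 through in Python, using the symbols of equations 1 and 2 above. It also serves as the concrete form of the invitation described in the summary. Assumptions the page does not fix: f() is SHA-256 over length-prefixed fields; p and g are the RFC 3526 group 14 prime and generator 2; and, since the page only says "standard cryptographic techniques", the inviter's long-term signature is a Schnorr signature over the same group, standing in for the hash-then-encrypt scheme the text sketches. The identifiers, timestamp and password are constructed sample data.

```python
import hashlib
import json
import secrets

# Group parameters (assumed): RFC 3526 group 14, a 2048-bit safe prime, generator 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
Q = (P - 1) // 2  # order of the subgroup generated by 2 (P is a safe prime)


def h_int(*parts: bytes) -> int:
    """SHA-256 over length-prefixed parts, returned as an integer."""
    d = hashlib.sha256()
    for part in parts:
        d.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(d.digest(), "big")


def f(s: str, *args: str) -> int:
    """Defining function f(): hash of password s and the liveness/specificity arguments (assumed SHA-256)."""
    return h_int(s.encode(), *(a.encode() for a in args))


# Inviter's long-term key pair and Schnorr signature (assumed scheme; unrelated to key pair 1).
def long_term_keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x: int, msg: bytes):
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = h_int(r.to_bytes(256, "big"), msg) % Q
    return e, (k - x * e) % Q


def verify(y: int, msg: bytes, sig) -> bool:
    e, s = sig
    r = pow(G, s, P) * pow(y, e, P) % P          # g^s * y^e = g^k when the signature is genuine
    return h_int(r.to_bytes(256, "big"), msg) % Q == e


def signed_bytes(inv: dict) -> bytes:
    """Canonical encoding of fields 502-512; field 514 (the signature) is excluded."""
    return json.dumps({k: v for k, v in inv.items() if k != "signature"}, sort_keys=True).encode()


def make_invitation(password, group_id, inviter_id, invitee_id, issued_at, inviter_priv):
    """Steps 400-408: derive key pair 1 from the password, build invitation 500, sign it."""
    priv1 = f(password, group_id, inviter_id, invitee_id, str(issued_at)) % P  # equation 1
    pub1 = pow(G, priv1, P)                                                      # equation 2
    inv = {"group": group_id, "inviter": inviter_id, "invitee": invitee_id,      # fields 504-508
           "issued_at": issued_at, "public_key1": pub1, "f": "sha256"}          # fields 510, 502, 512
    inv["signature"] = sign(inviter_priv, signed_bytes(inv))                    # field 514
    return inv


def check_invitation(inv, group_id, presenter_id, inviter_pubkeys, now, max_age) -> bool:
    """Step 306: specificity and liveness checks first, then the signature check."""
    if inv["group"] != group_id:                    # field 504: the right group
        return False
    if inv["inviter"] not in inviter_pubkeys:       # field 506: an authorized inviter
        return False
    if inv["invitee"] != presenter_id:              # field 508: presented by the named invitee
        return False
    if not inv["issued_at"] <= now <= inv["issued_at"] + max_age:  # field 510: still valid
        return False
    return verify(inviter_pubkeys[inv["inviter"]], signed_bytes(inv), inv["signature"])


def demo():
    """Constructed sample run: a valid invitation, one altered by an interceptor, and an expired one."""
    trent_priv, trent_pub = long_term_keygen()
    known_inviters = {"Trent": trent_pub}           # the authenticator's table of inviter public keys
    inv = make_invitation("correct horse battery staple", "group-100", "Trent", "Alice",
                          1_700_000_000, trent_priv)
    ok = check_invitation(inv, "group-100", "Alice", known_inviters, 1_700_000_060, 3600)
    altered = dict(inv, invitee="Mallory")          # interceptor rewrites field 508; signature no longer matches
    forged = check_invitation(altered, "group-100", "Mallory", known_inviters, 1_700_000_060, 3600)
    expired = check_invitation(inv, "group-100", "Alice", known_inviters, 1_700_010_000, 3600)
    return ok, forged, expired
```

The order of the checks matters in practice: the cheap field comparisons (group, inviter, invitee, timestamp) run before the modular exponentiations of the signature check, so an interceptor replaying stale or misdirected invitations cannot make the authenticator do expensive work. Note that the password never leaves the inviter: only PublicKey1, which reveals nothing about it, is published in field 502.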

Having established the legitimacy of invitation 500, authenticator 104 proceeds, at steps 600-608 of Fig. 6, to verify the identity of invitee 106, in other words to determine whether the party calling itself invitee 106 is the party to which inviter 102 issued invitation 500. Authenticator 104 begins at step 600 by creating a random second private key. The corresponding second public key can be derived by the well-known equation:

PublicKey2 = g^PrivateKey2 mod p,

where

PrivateKey2 is the randomly generated second private key,

PublicKey2 is the second public key corresponding to the second private key PrivateKey2,

p is the same large prime that inviter 102 uses in equation 1 above, and

g is the same generator for the large prime p that inviter 102 uses in equation 2 above.

At step 602 authenticator 104 applies DH theory to the first public key (included in invitation 500 as field 502) and the second private key generated at step 600 to create the shared challenge key. The equation is:

ChallengeKey = PublicKey1^PrivateKey2 mod p,

where

ChallengeKey is the shared challenge key,

PublicKey1 is the first public key from field 502 of invitation 500,

PrivateKey2 is the second private key randomly generated at step 600 of Fig. 6, and

p is the same large prime that inviter 102 uses in equation 1 above.

The authenticator 104 then moves on to generating the challenge value and the expected response value. The challenge value and the expected response value are related to each other by an implementation-dependent operation that uses the challenge key; thus, to derive the expected response value from the challenge value, a device must also know the challenge key. Several different operations can be used. In the first variant, shown in Fig. 6, the authenticator 104 at step 604 generates a random number and takes it as the expected response value. Optionally, the authenticator 104 logically combines (for example, with a bitwise exclusive OR) this random number with specificity information, for example a hash of the identifiers of the working group 100, the authenticator 104 and the invitee 106. Then, at step 606, the authenticator 104 creates the challenge value by encrypting the random number (logically combined with the specificity information, if any) using the challenge key generated at step 602 and a cipher chosen by the authenticator 104. On receiving the challenge, the legitimate invitee 106 reconstructs the challenge key, uses it to decrypt the challenge value and returns the decrypted value to the authenticator 104 (after removing the specificity information, if any). (See the description of Fig. for details.) The authenticator 104, finding that the decrypted value received from the invitee 106 matches its own expected response value, admits the invitee 106 to the working group 100 (step 316 of Fig. 3b).

In the second variant of the challenge/response binding operation, the challenge value is the random number generated by the authenticator 104 at step 604, optionally combined with the specificity information. In this case the expected response value is the challenge value encrypted using the challenge key. As in the first variant, only a device that can recreate the challenge key is able to derive the correct expected response value from the challenge value.

In an additional, optional step that can be combined with either binding operation, the invitee 106, having applied the operation to the challenge value, hashes the result before sending it to the authenticator 104 as the response. The response expected by the authenticator 104 is then, of course, the hash of what it would otherwise have been.

At step 608, the authenticator 104 packages the information relating to the challenge into a challenge such as the illustrative challenge 700 shown in Fig. 7. The challenge 700 contains the challenge value in field 702 and the specificity information in fields 704 (identifier of the working group 100), 706 (identifier of the authenticator 104) and 708 (identifier of the invitee 106). The invitee 106 can use this specificity information to check the validity of the challenge 700 (see the description of the corresponding steps 800 and 808 shown in Fig.). The second public encryption key generated at step 600 is placed in field 710, and the cipher used for the encryption at step 606 is placed in field 712. (Variants are possible in which, unlike the one shown in Fig. 6, the cipher field 712 is not required.)

At step 310, the authenticator 104 publishes the challenge 700 so that the invitee 106 can access it. Note that, as said above about the invitation 500, the challenge 700 is a logical entity and need not be published in the form shown in Fig. 7.

The sequence of operations shown in Fig. illustrates in more detail the steps taken by the invitee 106 to generate a response to the challenge 700. At step 800 the invitee 106 optionally checks the validity of the challenge. If specificity information (fields 704-708) is attached to the challenge 700, the invitee 106 verifies that this information is correct and ignores the challenge 700 if anything is wrong. This matters for preventing man-in-the-middle attacks, in which a malicious device intercepts the challenge 700, modifies some fields and then forwards the modified challenge to the invitee 106.

Once it has a valid challenge 700, the invitee 106 proceeds to step 802 to recreate the first private encryption key. This key was originally created by the inviter 102 at steps 400 and 402 shown in Fig. 4. The first private encryption key is created with the defining function f() according to equation 1 above. The arguments (input values) of f() are the secret password shared by the inviter 102 and the invitee 106 and, optionally, the specificity information (for example fields 504-508 of the invitation 500) and the liveness information (for example field 510 of the invitation 500). The invitee 106 can apply equation 1 because (1) the invitee 106 knows the shared secret password, (2) the specificity and liveness information, if used, can be retrieved from the invitation 500, (3) the function f() can be retrieved from the invitation 500 or is well known, and (4) the large prime p is known. Note that all of this information is also available to the eavesdropper 108, except for the shared secret password. It is this secret password that prevents anyone other than the invitee 106 (more precisely, anyone other than the invitee 106 and the inviter 102) from correctly answering the challenge 700.

At step 804 the invitee 106 uses the just-recreated first private encryption key to recreate the challenge key originally created by the authenticator 104 at step 602 shown in Fig. 6. According to Diffie-Hellman theory, the shared cryptographic key obeys the following equation:

ChallengeKey = PublicKey1^PrivateKey2 mod p = PublicKey2^PrivateKey1 mod p, (equation 4)

where

ChallengeKey is the challenge key (shared encryption key for the challenge),

PublicKey1 is the first public encryption key from field 502 of the invitation 500,

PrivateKey2 is the second private encryption key randomly generated by the authenticator 104 at step 600 shown in Fig. 6,

p is the same large prime that the inviter 102 used in equation 1 above,

PublicKey2 is the second public encryption key from field 710 of the challenge 700, and

PrivateKey1 is the first private encryption key recreated by the invitee 106 at step 802 shown in Fig.

Equation 4 provides two ways of creating the challenge key. The first is identical to equation 3 above and is the method used by the authenticator 104 to create the challenge key at step 602 of Fig. 6. The invitee 106, however, cannot use this method, because it has no access to the second private encryption key and cannot recreate it. The invitee 106 does have all the information needed for the second method provided by equation 4; it applies that method and so recreates the challenge key. Both methods give the same value because PublicKey1^PrivateKey2 = g^(PrivateKey1 * PrivateKey2) = PublicKey2^PrivateKey1 (mod p).

At steps 806 and 808 the invitee 106 applies, using the recreated challenge key, the challenge/response binding operation that corresponds to this implementation. In the variant shown in Fig. (which can be used together with the authenticator 104 variant shown in Fig. 6), the invitee 106 decrypts the challenge value contained in field 702 of the challenge 700 using the recreated challenge key and the cipher contained in field 712 of the challenge 700. If the authenticator 104 logically combined specificity information with the random response value at step 604 of Fig. 6, the invitee 106 removes this specificity information at step 808. Note that this is the second way in which the specificity information prevents man-in-the-middle attacks: if a malicious device changes the values in the specificity fields, then removing the modified specificity information at step 808 causes the invitee 106 to produce an incorrect response value, so the invitee 106 cannot be admitted to the working group 100 on the basis of the modified challenge 700. If the challenge 700 has not been modified, step 808 yields the same initial value that the authenticator 104 randomly generated at step 604.

In the second variant of the challenge/response binding operation, the invitee 106 optionally adds the specificity information to the challenge value and encrypts the result using the recreated challenge key and a cipher.

As noted above, after applying the binding operation the invitee 106 may hash the result before sending it to the authenticator 104 as the response. Which binding operation is used, and which of its options, is known in advance to both the authenticator 104 and the invitee 106, most likely as implementation choices.

The final steps were discussed above with reference to Fig. 3b. At step 314 the invitee 106 sends the response to the challenge to the authenticator 104 (and, in the second variant mentioned above, the cipher used to encrypt the response value). At step 316 the authenticator 104 compares the response value returned by the invitee 106 with what it expects. A match assures the authenticator 104 that the invitee 106 is indeed the party to which the inviter 102 issued the invitation 500, and in that case the authenticator 104 admits the invitee 106 to the working group 100. Optionally, at step 318, the authenticator 104 uses known methods to authenticate itself to the invitee 106.

Although the eavesdropper 108 may have access to the invitation 500 and to the challenge 700, it does not know the secret password shared by the inviter 102 and the invitee 106. The eavesdropper 108 is therefore unable to recreate the challenge key correctly and unable to answer the challenge 700 correctly.
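To make steps 400-402 (inviter), 600-608 (authenticator) and 800-808 (invitee) and equations 1-4 concrete, the following is an added example in Python that runs the complete exchange for the first challenge/response variant (encrypt at the authenticator, decrypt at the invitee). It is not code from the patent or from any product implementing it. Its assumptions: a toy Diffie-Hellman group (p = 2^127 - 1, g = 5) chosen for brevity, not security; length-prefixed SHA-256 as the defining function f() and as the hash of the specificity information; an XOR with a SHA-256 keystream as the cipher of field 712; the Diffie-Hellman value hashed to a 32-byte key; and constructed sample identifiers, liveness string and passwords. The signature 514 on the invitation is not modelled, since the page says only that it uses standard public-key signing. The example also runs the two failure cases the text describes: an eavesdropper without the password, and a man-in-the-middle that rewrites a specificity field of the challenge 700.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Toy Diffie-Hellman parameters (an assumption of this example, not from the patent):
# the Mersenne prime 2^127 - 1 keeps the numbers short. It is NOT a secure choice;
# a deployment would use a standard large group such as an RFC 3526 MODP group.
P = (1 << 127) - 1
G = 5

# Constructed sample values for the specificity fields (504-508 / 704-708) and field 510.
GROUP_ID, INVITER_ID, INVITEE_ID = b"workgroup-100", b"inviter-102", b"invitee-106"
AUTHENTICATOR_ID = b"authenticator-104"
LIVENESS = b"issued=2024-01-01T00:00Z;valid=1h"


def f(password: bytes, *context: bytes) -> int:
    """Defining function of equation 1: hash the shared password with the specificity and
    liveness fields, reduce modulo p (claims 5, 6). Length-prefixed SHA-256 is an assumption."""
    h = hashlib.sha256()
    for part in (password,) + context:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % P


def cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for the cipher of field 712: XOR with a SHA-256 counter-mode keystream, so one
    call both encrypts and decrypts. Acceptable only because each challenge key is used once."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        stream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], stream))
    return bytes(out)


def challenge_key(dh_value: int) -> bytes:
    """Equations 3/4 give an integer below p; hashing it to 32 bytes is this example's choice."""
    return hashlib.sha256(dh_value.to_bytes(16, "big")).digest()


def specificity_mask(group: bytes, authenticator: bytes, invitee: bytes) -> bytes:
    """Hash of the specificity fields that step 604 XORs into the random value."""
    return hashlib.sha256(b"|".join((group, authenticator, invitee))).digest()[:16]


def make_invitation(password: bytes) -> dict:
    """Inviter 102, steps 400-402: PrivateKey1 = f(...), PublicKey1 = g^PrivateKey1 mod p.
    The inviter's signature 514 over the fields is left out of this example."""
    private1 = f(password, GROUP_ID, INVITER_ID, INVITEE_ID, LIVENESS)
    return {"public1": pow(G, private1, P), "group": GROUP_ID, "inviter": INVITER_ID,
            "invitee": INVITEE_ID, "liveness": LIVENESS}


def make_challenge(invitation: dict) -> Tuple[dict, bytes]:
    """Authenticator 104, steps 600-608, first variant: expected response = random value;
    challenge value = that value, masked and encrypted under PublicKey1^PrivateKey2 mod p."""
    private2 = secrets.randbelow(P - 2) + 2                        # step 600
    public2 = pow(G, private2, P)                                  # PublicKey2
    key = challenge_key(pow(invitation["public1"], private2, P))   # step 602, equation 3
    expected = secrets.token_bytes(16)                             # step 604
    mask = specificity_mask(invitation["group"], AUTHENTICATOR_ID, invitation["invitee"])
    masked = bytes(a ^ b for a, b in zip(expected, mask))
    challenge = {"value": cipher(key, masked),                     # step 606, field 702
                 "group": invitation["group"], "authenticator": AUTHENTICATOR_ID,
                 "invitee": invitation["invitee"], "public2": public2}
    return challenge, expected


def answer_challenge(password: bytes, invitation: dict, challenge: dict) -> Optional[bytes]:
    """Invitee 106, steps 800-808: check specificity fields, rebuild PrivateKey1, compute
    PublicKey2^PrivateKey1 mod p (equation 4), decrypt and unmask."""
    if challenge["group"] != invitation["group"] or challenge["invitee"] != INVITEE_ID:
        return None                                                 # step 800: reject
    private1 = f(password, invitation["group"], invitation["inviter"],
                 invitation["invitee"], invitation["liveness"])     # step 802
    key = challenge_key(pow(challenge["public2"], private1, P))    # step 804
    mask = specificity_mask(challenge["group"], challenge["authenticator"],
                            challenge["invitee"])
    plain = cipher(key, challenge["value"])                         # step 806
    return bytes(a ^ b for a, b in zip(plain, mask))                # step 808


def admit(expected: bytes, response: Optional[bytes]) -> bool:
    """Authenticator 104, step 316: constant-time comparison with the expected value."""
    return response is not None and hmac.compare_digest(expected, response)


def run_protocol(password: bytes, invitee_password: bytes, tamper: str = "") -> bool:
    """One full run; `tamper` names a challenge field an interceptor rewrites in transit."""
    invitation = make_invitation(password)
    challenge, expected = make_challenge(invitation)
    if tamper:
        challenge = dict(challenge, **{tamper: b"mallory-108"})
    return admit(expected, answer_challenge(invitee_password, invitation, challenge))


if __name__ == "__main__":
    pw = b"correct horse battery staple"
    for label, ok in (("honest invitee", run_protocol(pw, pw)),
                      ("wrong password", run_protocol(pw, b"guess")),
                      ("tampered field 706", run_protocol(pw, pw, "authenticator")),
                      ("tampered field 708", run_protocol(pw, pw, "invitee"))):
        print(f"{label}: admitted={ok}")
```

Running the module prints one line per scenario: the honest invitee is admitted; a party guessing the wrong password derives a different PrivateKey1, hence a different challenge key, and is rejected; a challenge whose authenticator identifier (field 706) was rewritten in transit passes the step 800 check but fails at step 808, which is the second use of the specificity information described above; rewriting the invitee identifier (field 708) is caught at step 800. The second variant of the binding operation would swap the roles: the masked random value is sent in the clear as field 702 and the authenticator compares the invitee's encryption of it with its own.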

Because the principles of the present invention admit many possible implementations, it should be understood that the embodiments described here with reference to the drawings are illustrative and are not intended to limit the scope of the invention. For example, those skilled in the art will recognize that the illustrated embodiments can be modified in arrangement and detail without departing from the essence of the invention. Although the invention is described in terms of software modules or components, those skilled in the art will recognize that these can be replaced by equivalent hardware components. The invention disclosed here therefore includes all such embodiments that fall within the scope of the following claims and their equivalents.

1. A method for a computing device of an inviter to issue an invitation to a computing device of an invitee to join an ad hoc group, used in a computing environment with the ad hoc group, where the computing device of the inviter and a computing device of an authenticator are members of the group and the computing device of the invitee is not a member of the group, and where the inviter and the invitee share a secret password, comprising the steps in which

the computing device of the inviter

generates a first private encryption key based on the shared secret password,

generates a first public encryption key associated with the first private encryption key,

creates an invitation that contains the first public encryption key,

signs the invitation using the private encryption key of the inviter, and

makes the invitation accessible to the invitee and to the authenticator,

the authenticator

forms, on the basis of the invitation, an authentication challenge and an expected response to this challenge, makes the challenge accessible to the computing device of the invitee, and admits the invitee to the ad hoc group on the basis of a positive result of comparing the expected response to the authentication challenge with the response to the authentication challenge received from the computing device of the invitee.

2. The method according to claim 1, characterized in that the step of generating the first private encryption key uses a defining function and passes the shared secret password to the defining function as an input value, the defining function being one that outputs large values that differ for different values of its arguments.

3. The method according to claim 2, characterized in that the step of generating the first private encryption key additionally passes to the defining function, as an additional input value, information selected from the group consisting of the identifier of the ad hoc group, the identifier of the inviter, the identifier of the invitee, a timestamp and the validity period of the invitation.

4. The method according to claim 3, wherein the invitation further comprises the additional input value passed to the defining function.

5. The method according to claim 2, characterized in that the defining function applies a cryptographic hash function to the shared secret password.

6. The method according to claim 2, characterized in that the step of generating the first private encryption key additionally assigns, as the first private encryption key, the output value of the defining function reduced modulo a prime number.

7. The method according to claim 6, characterized in that the step of generating the first public encryption key assigns, as the first public encryption key, a generator for the prime number raised to the power of the first private encryption key modulo the prime number.

8. The method according to claim 7, wherein the invitation further comprises the prime number and the generator.

9. The method according to claim 1, characterized in that the step of generating the first public encryption key associated with the first private encryption key generates the first public encryption key such that a value encrypted with one of the two keys can be decrypted with the other.

10. The method according to claim 1, characterized in that the signing step applies a hash function to the contents of the invitation and encrypts the hash using the private encryption key of the inviter.

11. The method according to claim 1, characterized in that the step of making the invitation accessible uses an operation selected from the group consisting of sending a message containing the invitation, placing the invitation in a location accessible to the invitee and the authenticator, and fixing the values of some elements of the invitation when the invitation is created.

12. A machine-readable medium containing instructions for carrying out a method by which a computing device of an inviter issues an invitation to a computing device of an invitee to join an ad hoc group, where the inviter and a computing device of an authenticator are members of the group, the invitee is not a member of the group, and the inviter shares a secret password with the invitee, the method comprising the steps in which

the computing device of the inviter

generates a first private encryption key based on the shared secret password,

generates a first public encryption key associated with the first private encryption key,

creates an invitation that contains the first public encryption key,

signs the invitation using the private encryption key of the inviter, and

makes the invitation accessible to the invitee and to the authenticator,

the authenticator

forms, on the basis of the invitation, an authentication challenge and an expected response to this challenge, and makes the challenge accessible to the computing device of the invitee,

admits the invitee to the ad hoc group on the basis of a positive result of comparing the expected response to the authentication challenge with the response to the authentication challenge received from the computing device of the invitee.

13. A method for an authenticator to issue an authentication challenge to an invitee, used in a computing environment with an ad hoc group, where a computing device of an inviter and the computing device of the authenticator are members of the group, a computing device of the invitee is not a member of the group, and the inviter issues an invitation to the invitee to join the group, comprising the steps in which

the authenticator

accesses the invitation,

checks the validity of the invitation, and

if the invitation is valid,

generates a second private encryption key,

generates a second public encryption key associated with the second private encryption key,

generates a challenge key (shared encryption key for the challenge) from the first public encryption key contained in the invitation and the second private encryption key,

generates a challenge value by generating a random number,

creates an authentication challenge containing the challenge value and the second public encryption key, and

makes the authentication challenge accessible to the invitee,

admits the invitee to the ad hoc group on the basis of

a positive result of comparing the expected response to the authentication challenge with the response to the authentication challenge received from the computing device of the invitee.

14. The method according to claim 13, wherein the step of accessing the invitation uses an operation selected from the group consisting of receiving a message containing the invitation and accessing the invitation in a location accessible to the inviter and the authenticator.

15. The method according to claim 13, wherein the step of checking the validity of the invitation verifies information contained in the invitation, the information being selected from the group consisting of the identifier of the ad hoc group, the identifier of the inviter, the identifier of the invitee, a timestamp and the validity period of the invitation.

16. The method according to claim 13, wherein the step of checking the validity of the invitation decrypts the signature of the invitation using the public encryption key of the inviter, hashes the contents of the invitation and compares the hash with the decrypted signature.

17. The method according to claim 13, wherein the step of generating the second private encryption key assigns a randomly generated number as the second private encryption key.

18. The method according to claim 13, wherein the step of generating the second public encryption key assigns, as the second public encryption key, a generator for a prime number raised to the power of the second private encryption key modulo the prime number.

19. The method according to p, wherein the step of generating the challenge key assigns, as the challenge key, the first public encryption key raised to the power of the second private encryption key modulo the prime number.

20. The method according to claim 13, wherein the step of generating the second public encryption key associated with the second private encryption key generates the second public encryption key such that a value encrypted with one of the two keys can be decrypted with the other.

21. The method according to claim 13, wherein the step of generating the challenge value additionally

encrypts the random number using the challenge key and a cipher and

assigns the encrypted random number as the challenge value, the authentication challenge further comprising the cipher.

22. The method according to claim 13, wherein the step of generating the challenge value additionally combines the random number with hashed specificity information, the specificity information being selected from the group consisting of the identifier of the ad hoc group, the identifier of the authenticator and the identifier of the invitee.

23. The method according to claim 22, wherein the step of generating the challenge value additionally

encrypts the combined random number and hash of the specificity information using the challenge key and a cipher and

assigns the encrypted combination of the random number and the hash of the specificity information as the challenge value,

the authentication challenge further comprising the cipher.

24. The method according to claim 13, wherein the step of making the authentication challenge accessible uses an operation selected from the group consisting of sending a message containing the authentication challenge, placing the authentication challenge in a location accessible to the authenticator and the invitee, and fixing the values of some elements of the authentication challenge when the authentication challenge is created.

25. A machine-readable medium containing instructions for carrying out a method by which a computing device of an authenticator issues an authentication challenge to a computing device of an invitee, where a computing device of an inviter and the authenticator are members of an ad hoc group, the invitee is not a member of the group, and the inviter issues an invitation to the invitee to join the group, the method comprising the steps in which

the authenticator

accesses the invitation,

checks the validity of the invitation, and

if the invitation is valid,

generates a second private encryption key,

generates a second public encryption key associated with the second private encryption key,

generates a challenge key (shared encryption key for the challenge) from the first public encryption key contained in the invitation and the second private encryption key,

generates a challenge value by generating a random number, creates an authentication challenge containing the challenge value and the second public encryption key, and

makes the authentication challenge accessible to the invitee,

admits the invitee to the ad hoc group on the basis of a positive result of comparing the expected response to the authentication challenge with the response to the authentication challenge received from the computing device of the invitee.

26. A method for an invitee to issue a response to an authentication challenge, used in an environment with an ad hoc group, where a computing device of an inviter and a computing device of an authenticator are members of the group and the computing device of the invitee is not a member of the group, where the inviter and the invitee share a secret password, the inviter issues an invitation to the invitee to join the group, and the authenticator generates an expected response to the challenge and issues an authentication challenge to the invitee, comprising the steps in which

the computing device of the invitee

accesses the authentication challenge received from the authenticator,

generates a first private encryption key based on the shared secret password,

generates a challenge key (shared encryption key for the challenge) based on the generated first private encryption key and the second public encryption key contained in the authentication challenge,

generates a response value based on the challenge value contained in the authentication challenge,

creates a response to the authentication challenge containing the response value, and

makes the response to the authentication challenge accessible to the authenticator,

the authenticator

admits the invitee to the ad hoc group on the basis of a positive result of comparing the expected response to the challenge with the response received from the computing device of the invitee.

27. The method according to p, characterized in that the step of accessing the authentication challenge uses an operation selected from the group consisting of receiving a message containing the authentication challenge and accessing the authentication challenge in a location accessible to the invitee and the authenticator.

28. The method according to p, characterized in that the step of generating the first private encryption key uses a defining function and passes the shared secret password to the defining function as an input value, the defining function being one that outputs large values that differ for different values of its arguments.

29. The method according to p, characterized in that it further comprises a step of accessing the invitation, and in that the step of generating the first private encryption key additionally passes to the defining function, as an additional input value, information contained in the invitation, the information being selected from the group consisting of the identifier of the ad hoc group, the identifier of the inviter, the identifier of the invitee, a timestamp and the validity period of the invitation.

30. The method according to p, characterized in that the defining function applies a cryptographic hash function to the shared secret password.

31. The method according to p, characterized in that the step of generating the first private encryption key additionally assigns, as the first private encryption key, the output value of the defining function reduced modulo a prime number.

32. The method according to p, characterized in that the step of generating the challenge key assigns, as the challenge key, the second public encryption key raised to the power of the generated first private encryption key modulo a prime number.

33. The method according to p, characterized in that the step of generating the response value encrypts the challenge value using the challenge key and a cipher, and the response to the authentication challenge further comprises the cipher.

34. The method according to p, characterized in that the step of generating the response value additionally assigns, as the response value, the hash of the encrypted challenge value.

35. The method according to p, characterized in that the step of generating the response value combines the challenge value with the hash of specificity information, the specificity information being selected from the group consisting of the identifier of the ad hoc group, the identifier of the authenticator and the identifier of the invitee.

36. The method according to p, characterized in that the step of generating the response value additionally encrypts the combined challenge value and hash of the specificity information using the challenge key and a cipher, and the response to the authentication challenge further comprises the cipher.

37. The method according to p, characterized in that the step of generating the response value additionally assigns, as the response value, the hash of the encrypted combination of the challenge value and the hashed specificity information.

38. The method according to p, characterized in that the step of generating the response value decrypts the challenge value using the challenge key and the cipher contained in the authentication challenge.

39. The method according to claim 38, wherein the step of generating the response value additionally assigns, as the response value, the hash of the decrypted challenge value.

40. The method according to claim 38, wherein the step of generating the response value additionally removes the hashed specificity information from the decrypted challenge value, the specificity information being selected from the group consisting of the identifier of the ad hoc group, the identifier of the authenticator and the identifier of the invitee.

41. The method according to p, characterized in that the step of generating the response value additionally assigns, as the response value, the hash of the decrypted challenge value from which the hashed specificity information has been removed.

42. The method according to p, characterized in that the step of making the response to the authentication challenge accessible uses an operation selected from the group consisting of sending a message containing the response to the authentication challenge and placing the response to the authentication challenge in a location accessible to the authenticator and the invitee.

43. A machine-readable medium containing instructions for carrying out a method by which a computing device of an invitee issues a response to an authentication challenge, where a computing device of an inviter and a computing device of an authenticator are members of an ad hoc group, the invitee is not a member of the group, the inviter shares a secret password with the invitee, the inviter issues an invitation to the invitee to join the group, and the authenticator generates an expected response to the challenge and issues an authentication challenge to the invitee, the method comprising the steps in which

the computing device of the invitee

accesses the authentication challenge,

generates a first private encryption key based on the shared secret password,

generates a challenge key (shared encryption key for the challenge) based on the generated first private encryption key and the second public encryption key contained in the authentication challenge,

generates a response value based on the challenge value contained in the authentication challenge,

creates a response to the authentication challenge containing the response value, and

makes the response to the authentication challenge accessible to the authenticator,

the authenticator

admits the invitee to the ad hoc group on the basis of a positive result of comparing the expected response to the authentication challenge with the response received from the computing device of the invitee.



 

Same patents:

FIELD: methods and system for processing visualized digital information.

SUBSTANCE: the system for protecting visualized digital data contains a set of computing devices, where at least one of them is the main device, and at least another one is a remote computing device, where each one of aforementioned devices contains one or more processing components, configured for usage in data processing chain, consisting of components for processing protected information, subject to visualization for user, individual processing components which support one or more of such interfaces, such as authentication interface and intermediary authentication interface, where the intermediary authentication interface ensures reading of authentication identifiers and recording of authentication identifiers, and authentication identifier uses for each one of one or more lists for checking each component in each one of aforementioned one or more lists, to determine authorized components, where an authorized component may receive non-encrypted data. Methods describe operation of the system.

EFFECT: protection from unsanctioned access or duplication of unprotected information immediately after that information reaches visualization device, such as a user computer.

20 cl, 8 dwg

FIELD: computer engineering, possible use for trusted loading of a computer and for protection from unsanctioned access to information, which is stored in personal computers and in computerized informational and computing systems.

SUBSTANCE: device contains controller for exchanging information with external information carrier, controller for exchanging information with computer, processor for identification and authentication of users, blocks of energy-independent memory, module for blocking common control bus and exchanging computer data when an attempt of unsanctioned access to it is made, power management device, block of interfaces of external devices, module for blocking external devices, energy-independent flash memory, hardware indicator of random numbers, microcontroller of sensors of opening and extraction of computer components, random-access memory device, where introduced additionally to identification and authentication processor are module of constant user authentication, module for checking integrity and conditions of hardware components of protection device, module for controlling load on switches of hardware encoder, module for controlling network adapters, module for interaction with system for delimiting access and module for interaction with servers of informational and computing system.

EFFECT: expanded functional capabilities and increased efficiency of protection of information from unsanctioned access.

1 dwg

FIELD: forensic examination of electronic information carriers and, in particular, technology for accessing password-protected information contained in electronic pocket-books.

SUBSTANCE: according to the invention, a code generation block generates a code series, which is fed into the electronic pocket-book under examination. A visual control block receives and analyzes information from the screen of the electronic pocket-book. The signal from the visual control block is received by a control block. If the signal from the visual control block indicates a wrong password, the control block commands the code generation block to generate the next code series. If the signal from the visual control block indicates a correct password, the control block outputs a signal that is received by an indication block.

EFFECT: enables automated selection of a password for accessing information contained in electronic pocket-books that have no external interface.

3 dwg

FIELD: protocols for interaction of peer entities in a network structure and, in particular, protective infrastructures for such protocols.

SUBSTANCE: methods are provided which suppress the capability of a malicious node to disrupt normal operation of a peer-to-peer network. The claimed methods allow nodes to use both protected and unprotected identity data, ensuring self-verification thereof. When necessary or convenient, the association of an ID is checked by "enclosing" a trustworthiness checking procedure into the appropriate messages. The probability of connecting to a malicious node is initially reduced by random selection of the node with which the connection is established. Also, information from malicious nodes is identified and may be discarded by recording information about previous connections, which will require a response in the future.

EFFECT: creation of protection infrastructure for a system with peer-to-peer network structure.

4 cl, 6 dwg

FIELD: protection and management of information access in automated control systems.

SUBSTANCE: according to the invention, switches for enabling power to individual functional modules of the computer are introduced into the system; the modules to be powered are determined when the electronic key is set, according to the identification information recorded in it.

EFFECT: increased efficiency of information protection, more reliable control of information access.

4 cl, 5 dwg

FIELD: electric communications and computer engineering, in particular a method for ensuring information protection, applicable when computer networks must be protected from unsanctioned intrusion and access to confidential information.

SUBSTANCE: the method for processing network traffic datagrams to delimit access to the information and computing resources of computer networks is based on processing of network packets in which a firewall checks network datagrams against a list of computer-network access rules set by the operator, records marks in the datagrams corresponding to the access rules, and then transparently relays the correct datagrams; on the receiver side, network datagrams are passed or blocked according to the marks carried inside them.

EFFECT: creation of a mechanism for blocking actions of a malefactor, including spoofing of the sender and receiver computer addresses of network datagrams, with a simultaneous reduction of the computing resources needed to solve the problem of delimiting access to information and computing resources.

4 dwg

FIELD: devices for protecting the information resources of a computer network connected to an external information network from unsanctioned user access and from message transmission.

SUBSTANCE: the claimed device contains servers with memory blocks, intermediate memory, switches, connectors, data exchange lines and a control block. The servers are made in the form of a server of the computing network and a server of the external computing network, which contain additionally introduced checking blocks.

EFFECT: increased degree of protection for the interaction of external and local networks, and registration of all messages transmitted between the networks for the purpose of logging the information exchange.

1 dwg

Protected device // 2313122

FIELD: protected devices provided with means to prevent unauthorized usage of content.

SUBSTANCE: the device has memory blocks with different levels of protection; a software receiving block, which receives the software and corresponding additional information used to determine the memory block for storing the received software; a finding block for finding memory blocks with free space among the memory blocks whose level of protection is not below the required level; and a determining block for determining, among the found blocks, the one corresponding to the highest protection level. The data is stored in the determined memory block.

EFFECT: ensures the ability to load software whose size exceeds the capacity of a memory area, while ensuring the level of protection required by the administrator of the software.

8 cl, 7 dwg

FIELD: devices and methods for controlling content reproduction.

SUBSTANCE: the content reproduction device contains a storage block for storing a source-ID list and system recognition information; a block for deciding which reproduction control system applies; a first reproduction-possibility determining block which, when the reproduction control system is determined to be a first system, decides whether the content may be reproduced on the basis of whether the source ID attached to the content is present in the source-ID list; a second reproduction-possibility determining block which, when the reproduction control system is determined to be a second system, decides whether the content may be reproduced on the basis of the license usage conditions enclosed with the content; and a reproduction block for content for which reproduction was decided to be possible.

EFFECT: control of content reproduction in accordance with a set of copyright control methods.

2 cl, 63 dwg

FIELD: game devices such as game machines, in particular methods for ensuring the authenticity of game software.

SUBSTANCE: a secure smart card or other secure memory device is inserted into a port of a controller board positioned inside the game machine. The smart card is programmed to detect an encrypted "challenge" from the host CPU and to issue an encrypted "response". If the host processor determines that the response matches the expected characteristics, the CPU considers the software authentic and the game begins. The challenge-response exchange may be performed before the beginning of each game on the machine or at any other time. If the response is wrong, the host CPU issues a command to stop the game. Controlling access to an appropriately programmed smart card prevents the game machine from executing unauthorized copies of the game software.

EFFECT: prevented unsanctioned changing, copying and unsanctioned usage of game software.

2 cl, 13 dwg

FIELD: devices and methods for using a server to access a processing server that performs given processing.

SUBSTANCE: according to the method, a reservation is requested, the reservation is confirmed, the authentication information included in the reservation information is stored, the service is requested on the basis of the authentication information, server utilization is authenticated and the server is used on the basis of the authentication result; at the reservation confirmation stage the reservation control device transmits the reservation setting information, and at the authentication stage server utilization is confirmed only when the authentication information matches the authentication information transmitted from the user terminal. The device contains receiving means, an information generation device and transmitting means.

EFFECT: creation of a method for using a server, a device for controlling server reservation and a program storage medium capable of providing multiple users with efficient use of the functions of a processing server while reducing interference from unauthorized users, without complicated processing or authentication operations.

6 cl, 51 dwg
