Dynamic substitution of USB data for efficient encryption/decryption

FIELD: physics, computer engineering.

SUBSTANCE: the invention relates to protection systems. A protection unit and a method handle requests for data from a USB device or similar device, such that a protected component can communicate securely with the device without changing the underlying USB bus protocol or the device, even where the software that controls the bus is not trusted. The protection unit (physically separate, or integrated into the device or into a hub) intercepts data transmitted from the device to the protected component in response to a data request. A NAK signal (no acknowledgment of data reception) is sent to the protected component, and the data are encrypted. The next request for data is intercepted, and the encrypted data are sent in response. The acknowledgment of data reception from the protected component is allowed to reach the device. To process a SETUP request, an ALLOW command containing the SETUP command in encrypted and decrypted form is sent to the protection unit. If the encryption is verified successfully, the SETUP command sent to the device (via the protection unit) is allowed to reach the device.

EFFECT: provision of improved protection.

32 cl, 6 dwg

 

TECHNICAL FIELD TO WHICH THE INVENTION RELATES

The invention relates to methods and systems for protecting digital data and, in particular, to methods and systems for protecting digital data transmitted using the Universal Serial Bus (USB) protocol and architecture or a similar protocol and architecture.

PRIOR ART

In a computer system, peripheral and other devices can be connected to the computer via a bus such as USB. A computer system that uses a USB bus must contain a USB software layer, which interacts with applications and serves to transfer data from the host computing device to peripheral devices and to receive data from them.

The USB software layer supports the underlying USB hardware. The USB software layer is comprehensive and flexible in order to support data exchange over USB. The USB software layer, preferably as a driver, supports hardware from several third parties and should remain interchangeable. Therefore the USB software layer can often be modified to meet requirements such as changes in hardware, as other updates do. Additionally, there are many different USB hardware items available, and the USB software layer preferably can support this multiplicity of options.

Since data on the USB bus pass through unprotected USB software and are also available to any device on the bus, protection is a significant concern. For example, a computing model may contain a protected component, in software or hardware, which must transmit data over the USB bus. However, for simplicity, flexibility and the ability to upgrade, it is preferable that the USB software layer not be part of the protected software component. But if the USB software layer is not part of the protected software component, the protection implemented in the protected software component is exposed to danger.

A software or hardware attack (an attempted penetration of the protected system) can make the system vulnerable. For example, an attacker can falsify input data from a hardware device so that information typed by the user on the keyboard is not passed to the application for which it is intended. The attacker can also obtain information about the device's input data, for example by recording the keys pressed by the user to capture a password or other information. Recording, modification or replay of the input data by a computer is also possible.

If protected software runs on the computer system, communication with USB devices must pass through the bus and the unprotected USB software. Such devices are often required to display data to the user and to accept user input. Therefore, for the software to be protected, the input and output of the protected software must also be protected. If the protected software has no secure route to the user, it cannot know whether an action it is taking is actually carried out on behalf of the user. First, an attacker could fabricate user input (input that does not come from the user and therefore does not reflect the user's intention), fraudulently putting the protected software into a mode that the legitimate user did not intend. Second, if the output of the highly reliable software does not reach the user directly via a secure route, the legitimate user has no guarantee that what he sees is the real output of the protected software. However, the USB protocol is an industry standard for computer equipment, and modifying the USB architecture or protocol for protection would eliminate the advantages of using a widely available and widely implemented architecture.

Therefore, there is a need for a method that provides the advantages of a USB connection and compatibility with existing USB devices and systems while providing better protection.

THE INVENTION

The present invention provides a protection unit that encrypts/decrypts on behalf of a USB device. In particular, the present invention provides communication between the device and a protected component, such as sending commands that request data from the device, transmitting the data returned by the device back into the system, and sending SETUP commands to configure the device for secure processing, even where these commands and data pass through unprotected hardware and/or software to reach the protected component.

Encryption/decryption can be performed in a physically separate device, for example in a hardware element (a "protective cap") placed in the connection line between the USB device and the host computing device, or in the hardware through which the USB device connects, or as a separate device connected through an unmodified USB device. Alternatively, encryption/decryption can be embedded in the device, such as a keyboard with built-in encryption/decryption hardware, or integrated into the functionality of an upstream hub.

The device may have multiple endpoints associated with different functional parts of the device. Consequently, in one embodiment, the protective cap manages protection for all interfaces and all endpoints of the device.

According to one variant of the invention, when the USB device has a payload for transmission to the protected component, for example a HID (human interface device) packet such as that caused by a key press or a mouse button press, the payload is transmitted upstream from the device to the protective cap in plaintext, is encrypted in the protective cap, and is transmitted in encrypted form to the host computing device. Substituting the encrypted payload for the plaintext in transit is transparent to the USB host controller and to the device.

In addition, to ensure the specified transparency, the protective cap prevents all unauthorized SETUP packets from the system from reaching the device. For the protective cap to pass any SETUP command to the device, the secure software passes a signed ALLOW permission command to the protective cap. Only after receiving the ALLOW command does the protective cap allow the specific SETUP command indicated in it. Therefore, when a SETUP command is to be run, an ALLOW command is first passed, containing the data set and an encrypted version of the data set. When the data are verified (for example, when the secure software's signature of the ALLOW command is confirmed; in one embodiment the signature is a hash computed with secret information shared by the protective cap and the secure software), the protective cap allows the SETUP command addressed to the endpoint, with the corresponding command data, to be passed to the endpoint and executed.

When the protected application needs to request data from a protected endpoint, the protected application uses the standard method of the USB system software to send the request to the specific endpoint. However, the protective cap changes how the request token is passed to the endpoint and how data are returned to the host system software, as follows. When the USB system software transmits the token to the endpoint, the token is intercepted by the protection unit. The protection unit passes the token to the device, but transmits a NAK signal (no acknowledgment of data reception) to the host computing device. When the device responds to the poll with data, the protection unit stores the data and encrypts them. When the protection unit detects a repeated poll for the same device and endpoint, the protection unit "destroys" the request. ("Destruction" is a term that in USB operation means that the data are sent so as to indicate a transmission error.) In response to the second poll, the protection unit transmits the encrypted data, and when the host computing device acknowledges receipt of the data via an ACK signal (data acknowledgment), the ACK is passed through the protection unit to the device.

When the protected implementation needs to transmit data to the secure device, it first passes the request directly to the protection unit as an ALLOW permission token. As part of this packet, the command (such as a SETUP command containing the command to the USB device) is passed as the data of the ALLOW token. The protection unit checks the ALLOW command to determine that it came from the protected software and stores this data. Then, when a new command token is transferred to the protection unit, if this command token corresponds to the command that was transmitted as data in the ALLOW command, the SETUP command is passed to the device. The rest of the SETUP protocol continues on the USB bus in the normal manner. If the SETUP command does not match the previously received ALLOW command, the protective cap destroys the SETUP command before it completes.
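The IN-transaction substitution and the ALLOW-gated SETUP described in the two paragraphs above, modelled as an added example in Python (not the patent's own code). The packet shapes, the HMAC-based keystream cipher and the names ProtectionUnit, Device, protected_read and allow_tag are assumptions for illustration; the partnership key and the device report are constructed values.

```python
"""Model of the protection unit's IN-transaction substitution and ALLOW-gated
SETUP (added example, not the patent's own code). Packet shapes, the
HMAC-derived keystream cipher and all names are assumptions for illustration."""
import hashlib
import hmac

PARTNERSHIP_KEY = b"constructed-partnership-key"  # constructed shared secret

def keystream(key: bytes, counter: int, n: int) -> bytes:
    """Illustrative keystream: HMAC-SHA256 of a per-message counter, n bytes."""
    return hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()[:n]

def xor_crypt(key: bytes, counter: int, data: bytes) -> bytes:
    """Encrypts or decrypts (same operation) a payload of at most 32 bytes."""
    assert len(data) <= 32
    return bytes(a ^ b for a, b in zip(data, keystream(key, counter, len(data))))

def allow_tag(key: bytes, setup_cmd: bytes) -> bytes:
    """Signature carried by an ALLOW command: keyed hash of the SETUP data."""
    return hmac.new(key, b"ALLOW" + setup_cmd, hashlib.sha256).digest()

class Device:
    """Minimal USB endpoint: keeps one report until the host ACKs it."""
    def __init__(self):
        self.pending = None  # report waiting for delivery (None: device NAKs)
        self.setups = []     # SETUP commands that actually reached the device

    def on_in(self):
        return self.pending

    def on_ack(self):
        self.pending = None  # host confirmed delivery; release the buffer

    def on_setup(self, cmd: bytes):
        self.setups.append(cmd)

class ProtectionUnit:
    """The 'protective cap' between the host controller and the device."""
    def __init__(self, device: Device, key: bytes):
        self.dev, self.key = device, key
        self.stored = {}     # endpoint -> ciphertext held for the second poll
        self.allowed = None  # SETUP command authorised by a verified ALLOW
        self.counter = 0     # per-message counter sent along with the ciphertext

    def in_token(self, ep: int):
        """Returns the packet the host sees in reply to an IN token."""
        if ep in self.stored:
            # Second poll: token destroyed toward the device, ciphertext returned.
            return ("DATA", self.stored[ep])
        data = self.dev.on_in()  # first poll is forwarded to the device
        if data is None:
            return ("NAK", None)
        self.counter += 1
        self.stored[ep] = self.counter.to_bytes(8, "big") + xor_crypt(self.key, self.counter, data)
        return ("NAK", None)     # host is told nothing is available yet

    def ack(self, ep: int):
        """The host's ACK for the ciphertext is allowed through to the device."""
        self.stored.pop(ep, None)
        self.dev.on_ack()

    def allow(self, setup_cmd: bytes, tag: bytes) -> bool:
        """ALLOW command: accepted only if the keyed hash verifies."""
        if hmac.compare_digest(tag, allow_tag(self.key, setup_cmd)):
            self.allowed = setup_cmd
            return True
        return False

    def setup(self, setup_cmd: bytes) -> bool:
        """A SETUP reaches the device only if it matches the pending ALLOW."""
        if self.allowed is not None and self.allowed == setup_cmd:
            self.allowed = None
            self.dev.on_setup(setup_cmd)
            return True
        return False             # destroyed before it completes

def protected_read(unit: ProtectionUnit, ep: int, key: bytes, max_polls: int = 4):
    """Protected component: poll with IN tokens until data arrive, decrypt, ACK."""
    for _ in range(max_polls):
        kind, payload = unit.in_token(ep)
        if kind == "DATA":
            counter = int.from_bytes(payload[:8], "big")
            unit.ack(ep)
            return xor_crypt(key, counter, payload[8:])
    return None

def demo():
    """Runs both flows; returns (report read, device buffer, forged SETUP, allowed SETUP, delivered)."""
    dev = Device()
    unit = ProtectionUnit(dev, PARTNERSHIP_KEY)
    dev.pending = b"\x00\x00\x04\x00\x00\x00\x00\x00"  # constructed HID keyboard report
    report = protected_read(unit, 1, PARTNERSHIP_KEY)
    forged = unit.setup(b"SET_IDLE")                   # no ALLOW yet: destroyed
    unit.allow(b"SET_IDLE", allow_tag(PARTNERSHIP_KEY, b"SET_IDLE"))
    genuine = unit.setup(b"SET_IDLE")                  # matches the ALLOW: delivered
    return report, dev.pending, forged, genuine, dev.setups
```

Note that the device itself is never told about the encryption: it sees one IN token, then an ACK, exactly as on an unmodified bus.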

Other aspects of the present invention are described below.

LIST OF FIGURES

The protection unit according to the present invention is described below with reference to the attached drawings.

Figure 1 is a block diagram representing a computing system in which the present invention may be implemented.

Figure 2 is a block diagram representing a computer system containing a computer and other devices connected via USB, in which the present invention can be implemented.

Figure 3(A) is a structural diagram representing a computing system containing a protective cap and an integrated protection unit, according to one embodiment of the invention.

Figure 3(B) is a structural diagram representing a computing system containing a protective cap and an integrated protection unit, according to another embodiment of the invention.

Figure 4 is a flow diagram illustrating an IN transaction in accordance with one embodiment of the invention.

Figure 5 is a flow diagram illustrating a SETUP transaction according to one embodiment of the invention.

DETAILED DESCRIPTION OF ILLUSTRATIVE EMBODIMENTS

Illustrative computing environment

Figure 1 illustrates a possible computing system environment 100 in which the invention may be implemented. The computing system environment 100 is only one example of a suitable computing environment and is not intended to impose any restrictions on the scope of use or functionality of the invention. The computing environment 100 should not be interpreted as depending on any component or combination of components illustrated in the exemplary environment 100.

To those skilled in the art it is obvious that a computer or other client or server device can be used as part of a computing network or in a distributed computing environment. In this respect, the present invention pertains to any computer system having any number of memory or storage devices, and any number of applications and processes running on any number of storage devices or volumes, which may be used in connection with the present invention. The present invention can be applied to an environment with server and client computers deployed in a network environment or a distributed computing environment having remote or local storage devices. The present invention can also be applied to standalone computing devices having the ability to interpret and execute a programming language for generating, receiving and transmitting information in connection with remote or local services.

The invention can be used with numerous other general-purpose and special-purpose computing system configurations and environments. Examples of well-known computing systems, environments and/or configurations that may be used in connection with the present invention include personal computers, server computers, handheld or portable computing devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics, network personal computers (PCs), minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, etc.

The invention can be described in the context of computer-executable instructions, such as program modules, executed by a computer. Generally, program modules include procedures, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The invention can also be practiced in distributed computing environments where tasks are performed by remote processing devices connected through a communication network or other medium. In a distributed computing environment, program modules and other data can be located in the media of local and remote computers, including storage devices. Distributed computing means sharing computing resources and services by direct exchange between computing devices and systems. These resources and services include the exchange of information, caches and storage drives for files. Distributed data processing has the advantage of connectivity of nodes in the network, giving users the opportunity to increase their total capacity for the overall benefit. In this regard, many devices may have applications, objects or resources that may use the apparatus and method provided by the present invention.

According to figure 1, a possible system for implementing the invention includes a general-purpose computing device in the form of a computer 110. Components of the computer 110 may include, in particular, a processor 120, a system memory 130, and a system bus 121 that connects various system components, including the system memory, to the processor 120. The system bus 121 may be any of several types of bus structures, including a memory bus or memory controller, a peripheral bus and a local bus using any of a variety of bus architectures. As an example, but not limitation, such architectures include the Industry Standard Architecture (ISA) bus, the Micro Channel Architecture (MCA) bus, the Extended ISA (EISA) bus, the Video Electronics Standards Association (VESA) local bus and the Peripheral Component Interconnect (PCI) bus (also known as the mezzanine bus), etc.

The computer 110 typically contains a variety of machine-readable media. Machine-readable media can be any available media that can be accessed by the computer 110 and include both volatile and nonvolatile media, removable and non-removable media. As an example, but not limitation, computer-readable media may include computer storage media and communication media. Computer storage media include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include, in particular, random access memory (RAM), read-only memory (ROM), electrically erasable programmable ROM (EEPROM), flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the necessary information and that can be accessed by the computer 110. Communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal, for example a carrier wave or other transport mechanism, and include any information delivery media. The term "modulated data signal" means a signal that has one or more of its characteristics set or changed in such a way as to encode information in the signal. As an example, but not limitation, communication media include wired media, such as a wired network or direct wired connection, and wireless media, such as acoustic, RF, infrared and other wireless media. Combinations of any of the above should also be included within the scope of machine-readable media.

The system memory 130 includes computer storage media in the form of volatile and/or nonvolatile memory, such as read-only memory (ROM) 131 and random access memory (RAM) 132. A basic input/output system 133 (BIOS), containing the basic routines that help transfer information between elements within the computer 110, such as during start-up, is typically stored in ROM 131. RAM 132 typically contains data and/or program modules that are immediately accessible to and/or currently being operated on by the processor 120. As an example, but not limitation, figure 1 depicts an operating system 134, application programs 135, other program modules 136, and program data 137.

The computer 110 may also include other removable/non-removable, volatile/nonvolatile computer storage media. Solely as an example, figure 1 depicts a hard disk drive 141 that reads from or writes to non-removable, nonvolatile magnetic media, a magnetic disk drive 151 that reads from or writes to a removable, nonvolatile magnetic disk 152, and an optical disk drive 155 that reads from or writes to a removable, nonvolatile optical disk 156 such as a CD-ROM or other optical media. Other removable/non-removable, volatile/nonvolatile computer storage media that can be used in the exemplary operating environment include magnetic tape cassettes, flash memory cards, digital versatile disks, digital video tape, solid state RAM, solid state ROM, etc. The hard disk drive 141 is typically connected to the system bus 121 through a non-removable memory interface such as interface 140, and the magnetic disk drive 151 and optical disk drive 155 are typically connected to the system bus 121 through a removable memory interface, such as interface 150.

The drives and their associated computer storage media, described above and depicted in figure 1, provide storage of computer-readable instructions, data structures, program modules and other data for the computer 110. For example, in figure 1 the hard disk drive 141 is depicted as storing an operating system 144, application programs 145, other program modules 146, and program data 147. It should be noted that these components may be identical to or different from the operating system 134, application programs 135, other program modules 136, and program data 137. Here the operating system 144, application programs 145, other program modules 146, and program data 147 are given different reference numerals to indicate that, at a minimum, they are different copies. The user can enter commands and information into the computer 110 through input devices such as a keyboard 162 and a pointing device 161, commonly referred to as a mouse, trackball or touch pad. Other input devices (not illustrated) may include a microphone, joystick, game pad, satellite dish, scanner, etc. These and other input devices are often connected to the processor 120 through a user input interface 160 that is coupled to the system bus, but they may be connected by another interface and bus structure, such as a parallel port, game port or universal serial bus (USB). A monitor 191 or other type of display device may also be connected to the system bus 121 via an interface such as a video interface 190. In addition to the monitor 191, computers may also include other peripheral output devices such as speakers 197 and a printer 196, which may be connected through an output peripheral interface 195.

The computer 110 may operate in a networked environment using logical connections to one or more remote computers, such as a remote computer 180. The remote computer 180 may be a personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above with respect to the computer 110, although figure 1 depicts only a memory storage device 181. The logical connections illustrated in figure 1 include a local area network (LAN) 171 and a wide area network (WAN) 173, but may also include other networks. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets (corporate local area networks of high reliability with limited access) and the Internet.

When used in a LAN networking environment, the computer 110 connects to the LAN 171 through a network interface or adapter 170. When used in a WAN networking environment, the computer 110 typically includes a modem 172 or other means for establishing a connection over the WAN 173, such as the Internet. The modem 172, which may be internal or external, may be connected to the system bus 121 via the user input interface 160 or other appropriate mechanism. In a networked environment, the program modules depicted relative to the computer 110, or portions thereof, may be stored in a remote storage device. As an example, but not limitation, figure 1 depicts remote application programs 185 as residing on the memory device 181. It will be appreciated that the network connections shown are exemplary and that other means of establishing communication links between the computers may be used.

The USB Protocol

The USB architecture provides a way for devices to connect to and interact with a host computing device. For example, according to figure 2, a universal serial bus (USB) can be used to connect a mouse 161, a keyboard 162, a tablet 163, speakers 197, a microphone 164, a phone 165 and a monitor 191 to the computer 110. The USB architecture provides connectivity between one or more USB devices and one USB host computing device. Essentially, in this configuration, the computer 110 is the USB host computing device.

The physical connection used has a star topology. In the star topology, a layer ordering is imposed to avoid looping. The result is the tree topology shown in figure 2. A hub is located at the centre of each star. The USB host computing device acts as one hub. A USB device with the appropriate functionality can also be a hub. For example, in figure 2, the keyboard 162 and the monitor 191 are devices that each also function as a hub. Hubs without any other specific functionality are also possible in the USB topology.

Additionally, several functions can be combined in what appears to be a single physical device. For example, a keyboard and a pointing device (for example, a trackball) can be combined in one package. When several functions are combined with a hub in a single unit, they are defined as a composite device. The hub and each of the attached functions within the composite device is assigned a unique device address. For example, in the keyboard 162, the hub and the keyboard function will have separate addresses.

The host computing device contains a USB interface to the host computer system, known as the host controller 167. The host controller 167 and the system software provide the USB interface between the USB network and the host personal computer, that is, between the device and the special software that manages the device. The host controller 167 manages all accesses to USB resources for transmitting and receiving all packets to and from the devices. The system software, together with the root hub and any additional USB hubs, keeps track of the bus topology and controls all device addressing and the routing of data from the client software that uses the device directly to the device. When client software on the host computing device needs to communicate with some USB device, it does so by interacting with the USB system software. The USB system software communicates with the host controller 167. The host controller 167 transmits signals over the USB bus to the USB device and the device's endpoints, and receives signals from them. Between the host controller 167 and the USB device there may be one or more hubs. In the USB device, the signals are received by the USB interface layer. This layer passes the received data to the device, which routes data to and from the different endpoints in the device. Interfaces consist of endpoints that provide functionality. In some cases these interfaces are grouped together in "functions", for example the loudspeaker function in the speakers 197 or the keyboard function in the keyboard 162, or two functions in a single device that contains a keyboard and a mouse.

All USB devices present a standard USB interface in terms of their use of the USB protocol, their response to standard USB operations and their descriptive information about standard features. These interfaces are mostly defined by the USB Device Working Group standards body, but manufacturer-specific specialized interfaces can also be defined.

The bus, shown in figure 2 as the lines connecting the objects, is a polled serial bus. The computer 110, via the host controller 167, initiates all data transfers. One form of transfer is the interrupt transfer. Interrupt transfers are used for small amounts of non-periodic, low-frequency data with bounded latency. Interrupt transfers provide a guaranteed maximum service period for the connection and retry of the transmission in the next period. For example, polling the keyboard for keystrokes is implemented using this type of USB transfer.

A USB transaction begins when an application on the host computing device requests the host controller 167 to transfer to or from a device. The host controller 167 sends a USB packet describing the type and direction of the transaction, the USB device address and the endpoint number. This packet is the "token". Each USB device is identified by a USB address that is assigned when the device is attached to the host controller 167 and enumerated. Every USB device uses the address information included in the token to determine whether it is the destination of the token sent by the host computing device. The endpoint number determines the target endpoint and therefore the interface in which that endpoint resides (or, in other words, the function of the USB device to which the transfer is directed).

Then, in the data packet phase, data are sent from the endpoint to the host computing device, or from the host computing device to the endpoint, in accordance with the instructions in the token packet. If the token is an IN token, the host computing device requests information from the endpoint. If the token is an OUT token, the host computing device indicates that it will transmit information to the endpoint.

If the token is an IN token but no data are yet available for transmission from the addressed device, the endpoint transmits a NAK packet instead of data. For example, if the keyboard 162 is polled but there has been no keystroke, a NAK (no acknowledgment of data) is transmitted. If the endpoint is halted, a STALL handshake is transmitted. If there are data to transfer, the data are transferred. In response, upon receiving the data, the host computing device transmits an ACK handshake.

When an OUT token is sent from the host computing device to an endpoint and data are then sent, the endpoint, upon successful reception of the data, must transmit an ACK packet to acknowledge reception of the data. A STALL handshake can be transmitted if the endpoint is halted and could not receive the data. If the endpoint does not accept the data, a NAK is transmitted.

A SETUP command is an OUT-type transaction that causes the command transmitted in the data phase to be executed at the endpoint.

A full description of the USB protocol is contained in the USB specification, which is an openly available document. The document is available on the web site of the USB Implementers Forum, www.USB.org.

Dynamic substitution of USB data

Methods and systems according to the invention implement a protected connection over the network between a protected component and a device such as a USB device. The protection unit according to the invention can be placed inside the USB device and will be described primarily in relation to a USB system; however, it is anticipated that any existing connection between the host computing device and the device may be implemented according to the invention. For example, the invention may be used with any connection containing one or more local buses, a network (for example, a local area network (LAN) or other network) and USB.

In the system shown in figure 3(A), according to the invention, the connection between the protected component in the computer 110 and a mouse 361, and between the protected component and a tablet 163, is protected. The mouse 361 includes an integrated protection unit 300, and the connection with the protected component is carried out indirectly through the protection unit. In the system of figure 3(A), to secure communication with the graphics tablet 163, a protective cap 310, physically separate from the tablet 163, mediates the connection between the tablet 163 and the protected component. The protection unit is contained in the protective cap 310. The protection unit can be implemented anywhere in the USB system. The connection on the upstream side of the protection unit or protective cap (toward the host computing device) is secured, but the connection on the downstream side of the protection unit or protective cap (away from the host computing device) may be vulnerable.

The physical layer of the system routes all links between the host computing device and the protected device through the protection unit. In alternative embodiments, the protection unit can be integrated into the protective cap, into the upstream hub, or directly into the protected device. Any encryption scheme that produces unreadable or verifiable data is useful for protecting the system. In one embodiment, the system is provided with a pair of keys, with key information available in the protected component associated with the device and in the protection unit. According to one embodiment, to initialize the encryption/decryption capability, the protected component and the protection unit share a partnership key. One way to share a partnership key between the two devices is for the protected component to display the key information securely and then for the protection unit to receive input from a downstream keyboard or other input device to establish the partnership key. For example, the protected component can display the partnership key on a secure monitor or other output device. Then, if the protection unit is attached to or integrated into the keyboard, the keyboard can be used to enter the partnership key. In other embodiments, the shared partnership key can be hard-coded in the device and in the protected component, can be inserted into the device and installed in the protected component's software during manufacture (or at first boot after manufacture), or can be displayed by the protection unit and entered into the component by means of buttons placed randomly on the screen and selected by the user with the mouse, thereby preventing eavesdropping by unauthorized individuals.
In one embodiment, the partnership key is used as the key to encrypt and decrypt data and to validate commands from the protected component to the protection unit.

In one embodiment of the invention the host computing device (computer 110) contains protected software as the secure component, which must issue commands to the device. In this embodiment the protected software does not control the device directly but must communicate with it through an unprotected bus and possibly through unprotected areas of the host computing device. For example, if the host computing device supports secure processes, the protected software can run as a secure process on the host computing device. Commands issued by the protected software must be encrypted or signed before they are sent into the unprotected area of the host computing device and across the unprotected bus. Consequently, protection is maintained even while the data pass through possibly vulnerable areas of the host computing device or the bus.

In the system shown in figure 3(B), according to the invention the protected component is a secure server 350, a trusted computer running software that requires a secure connection with the user through the mouse 361 and the tablet 163. The untrusted computer 360, which contains the host controller 167, may be vulnerable to attacks on the links between the untrusted computer 360 and the secure server 350, between the untrusted computer 360 and the monitor 191, between the monitor 191 and the keyboard 162, and between the keyboard 162 and the protective cap 310. However, since the information transmitted between the secure server 350 and the mouse 361, and between the secure server 350 and the tablet 163, is protected according to the invention, the vulnerability of these links and intermediaries does not leave communication between the secure server 350 and these devices unprotected.

In another embodiment, session keys are generated for each session between the protected component and the protection unit to perform encryption/decryption. This provides additional protection, namely protection against replay of previously intercepted messages: although encrypted data can be recorded and replayed, once the session key has changed the replayed ciphertext is identified as unauthorized. A session is established between the protected component and the device, or the protection unit. The protected component and the protection unit each exchange a one-time value (a nonce). Each of the protected component and the protection unit computes a hash over these two nonces under the partnership key, and the result becomes the session key used for encryption/decryption. In one embodiment, correct initialization is confirmed through an exchange of encrypted information.

Although the present invention is described in relation to the USB protocol, it is obvious that the invention has broader applicability and may be implemented with virtually any protocol similar to USB, as described in detail below. For example, it can be used with devices addressed over IEEE-1394.

Signal transmission for rapid encryption

According to the invention, when the protected component issues, through the host computing device and the bus, an IN token addressed to an endpoint located beyond the protection unit, the protection unit checks whether the USB address and endpoint to which the IN token is addressed are "covered". If the address and endpoint are not covered, the protection unit simply passes any information from the host computing device to the endpoint and any information from the endpoint to the host computing device (just as a USB hub repeats data from its upstream port to its downstream ports and vice versa). However, if the endpoint is covered, the protection unit interposes itself between the protected component and the endpoint, as shown in figure 4.

As shown in figure 4, at step 410 the protection unit receives a request for data from the protected component. Even if the address and endpoint to which the request is directed are covered, at step 420 the IN token is passed to the covered endpoint. Then, at step 430, the protection unit intercepts the requested data returned by the endpoint. Instead of sending these data onto the bus, at step 440 the protection unit transmits to the host computing device a signal indicating that data are not available (using the standard NAK packet) and, at step 450, waits to receive a second request for data from the protected component. Meanwhile, at step 460, the protection unit encrypts the requested data. As with all USB interrupt endpoints, the host system then repeats the IN command. When the second request for data has been received, at step 470 the protection unit transmits the encrypted data to the protected component in response to that second request. The second request for data is not transmitted intact to the addressed device. Since the protection device must keep retransmitting bits as it receives them, it cannot determine that the next IN token is addressed to a covered address until those bits have already been retransmitted toward that address and endpoint. Therefore, on detecting this condition, the protective cap must destroy the remainder of the packet or cause it to be destroyed. As a result the USB endpoint does not return a new packet, because it did not receive a well-formed IN token; instead the protective cap answers on the device's behalf with the encrypted packet to the host computing device. At step 480, when the acknowledgment (ACK) for these data is received from the protected component, the ACK is passed on to the endpoint.

Where such on-the-fly encryption is performed on a host computing device having protected and unprotected areas, the information used for encrypting or signing data must be stored in a secure area of the host computing device, and the protection unit must store the information required to decrypt or verify the data. Where a shared partnership key is used for both data encryption and data validation, that partnership key is stored in a secure area of the host computing device and in the protection unit.

To implement this system with USB, the request for data must be the IN token, the signal indicating that data are not available must be the NAK signal, and the data acknowledgment must be the ACK signal.

If at step 430 the protection unit receives a signal indicating that the endpoint is in an error state (e.g., the USB STALL signal), then this signal is passed through to the bus.
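The session-key derivation described earlier and the figure 4 IN-token flow (NAK on the first request, encrypted data on the repeated request, ACK passed through, NAK and STALL repeated unchanged), as an added simulation that is not part of the patent: the endpoint, protection unit, toy cipher and packet layout are simplified models written for this example, and the partnership key, nonces and keyboard reports are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed sample values; a real deployment shares these at pairing time.
PARTNERSHIP_KEY = b"constructed-partnership-key"
NONCE_COMPONENT = b"constructed-nonce-from-protected-component"
NONCE_UNIT = b"constructed-nonce-from-protection-unit"


def derive_session_key(partnership_key, nonce_component, nonce_unit):
    """Both sides hash the two exchanged nonces under the partnership key; the
    result is the per-session key, so ciphertext replayed from an earlier
    session no longer decrypts to anything the protected component accepts."""
    return hmac.new(partnership_key, nonce_component + nonce_unit, hashlib.sha256).digest()


def xor_keystream(key, counter, data):
    """Toy counter-mode keystream from HMAC-SHA256 (illustration only; a
    production unit would use an authenticated cipher)."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, struct.pack(">II", counter, block), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_report(key, counter, report):
    """The packet carries its counter so the protected component can decrypt."""
    return struct.pack(">I", counter) + xor_keystream(key, counter, report)


def decrypt_report(key, packet):
    counter = struct.unpack(">I", packet[:4])[0]
    return xor_keystream(key, counter, packet[4:])


class Endpoint:
    """Model of a covered interrupt IN endpoint (e.g. a keyboard). It answers an
    IN token with its pending report and discards that report only on ACK."""

    def __init__(self, reports, stalled=False):
        self.pending = list(reports)
        self.stalled = stalled

    def on_in_token(self):
        if self.stalled:
            return ("STALL", None)
        if not self.pending:
            return ("NAK", None)
        return ("DATA", self.pending[0])

    def on_ack(self):
        if self.pending:
            self.pending.pop(0)


class ProtectionUnit:
    """Sits between host and endpoint; covers a set of (address, endpoint) pairs."""

    def __init__(self, covered, session_key):
        self.covered = set(covered)
        self.key = session_key
        self.held = {}      # (addr, ep) -> ciphertext waiting for the repeated IN token
        self.counter = 0

    def on_in_token(self, addr, ep, endpoint):
        target = (addr, ep)
        if target not in self.covered:
            return endpoint.on_in_token()          # uncovered: repeat traffic like a hub
        if target in self.held:
            # step 470: the repeated IN token is not forwarded intact; the unit
            # answers on the device's behalf with the ciphertext prepared earlier
            return ("DATA", self.held.pop(target))
        status, data = endpoint.on_in_token()      # steps 420/430: forward IN, catch reply
        if status != "DATA":
            return (status, None)                  # NAK or STALL pass through unchanged
        self.held[target] = encrypt_report(self.key, self.counter, data)   # step 460
        self.counter += 1
        return ("NAK", None)                       # step 440: plaintext never reaches the bus

    def on_ack(self, addr, ep, endpoint):
        endpoint.on_ack()                          # step 480: the host's ACK reaches the device


def run_exchange(reports, stalled=False):
    """Poll one covered endpoint the way a host controller would until every
    report has been delivered. Returns (bus responses seen by the host,
    payloads seen on the bus, reports decrypted by the protected component)."""
    key = derive_session_key(PARTNERSHIP_KEY, NONCE_COMPONENT, NONCE_UNIT)
    endpoint = Endpoint(reports, stalled)
    unit = ProtectionUnit(covered={(5, 1)}, session_key=key)
    seen, on_bus, received = [], [], []
    while endpoint.pending or unit.held:
        status, payload = unit.on_in_token(5, 1, endpoint)
        seen.append(status)
        if status == "STALL":
            break
        if status == "DATA":
            on_bus.append(payload)
            received.append(decrypt_report(key, payload))
            unit.on_ack(5, 1, endpoint)
    return seen, on_bus, received
```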

Signal transmission for efficient decryption

In one embodiment described above, all setup commands sent to a protected device (through the protection unit) are disallowed and discarded as described. This is a problem when the protected component sends a legitimate setup command to the device. For this reason, a mechanism is needed to allow specific setup commands through the protection device.

According to the invention, the protected component first passes to the protection unit, in a "permit" command, the actual setup command that is to be transmitted to the covered endpoint. The authenticity of this command is confirmed in the same way as for all other commands sent from the trusted software to the protection unit. According to figure 5, at step 510 the protection unit receives the permit command from the protected component. This is followed, at step 520, by the protection unit receiving the data of the permit command transmitted from the protected component, which contain an encrypted setup command. At step 530 an attempt is made to verify the encrypted setup command.

In another embodiment, the verification includes decrypting the setup command to produce a locally decrypted version of it. In one embodiment, the permit command data received by the protection unit contain an unencrypted version of the setup command; to carry out the check, the protection unit compares this unencrypted version with the locally decrypted version.

In yet another embodiment, the encrypted setup command is a signed version of the setup command, and the verification checks the signature to ensure that the setup command was signed with the shared key.

If verification fails, the setup command is not passed to the endpoint. If verification succeeds, at step 540 the protection unit waits to receive the setup command itself from the protected component. If the setup command matches the previously verified setup command (step 550), then at step 570 the command, with its following data phase, is sent to the endpoint. If the setup command does not match, it is not transmitted; instead, the protection unit waits for the appropriate setup command.
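The figure 5 permit flow in the signature embodiment, as an added example that is not the patent's own code: the SetupGate class, the HMAC-based signature and the sample keys are assumptions made here for illustration, and the scenarios cover a setup command with no permit, a permit with a bad signature, a substituted setup packet and a replay after the permit has been consumed.

```python
import hashlib
import hmac

# Constructed sample key; in the patent's scheme this is the shared partnership key.
SHARED_KEY = b"constructed-partnership-key"

# A genuine USB SETUP packet (8 bytes): SET_CONFIGURATION with configuration value 1.
SET_CONFIGURATION_1 = bytes([0x00, 0x09, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00])
# A constructed alternative an untrusted host could substitute (configuration value 2).
SET_CONFIGURATION_2 = bytes([0x00, 0x09, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00])


def sign_setup(key, setup):
    """Protected component side: the 'encrypted setup command' of the signature
    embodiment is modelled as an HMAC over the setup packet (assumption)."""
    return hmac.new(key, setup, hashlib.sha256).digest()


class SetupGate:
    """Protection-unit logic of figure 5 for SETUP packets to a covered endpoint."""

    def __init__(self, key):
        self.key = key
        self.expected = None        # setup packet named by a verified permit, not yet seen

    def on_permit(self, setup, signature):
        """Steps 510-530: accept the permit only if the signature verifies."""
        if hmac.compare_digest(sign_setup(self.key, setup), signature):
            self.expected = bytes(setup)
            return True
        self.expected = None
        return False

    def on_setup(self, setup):
        """Steps 540-570: forward only the setup packet a verified permit named."""
        if self.expected is not None and hmac.compare_digest(setup, self.expected):
            self.expected = None    # one permit authorizes exactly one setup command
            return "FORWARDED"
        return "DROPPED"            # no permit, mismatch, or replay: keep waiting


def run_scenarios():
    """Drive the gate through the cases the text describes; return the outcomes."""
    gate = SetupGate(SHARED_KEY)
    good_sig = sign_setup(SHARED_KEY, SET_CONFIGURATION_1)
    bad_sig = sign_setup(b"constructed-wrong-key", SET_CONFIGURATION_1)
    outcomes = {}
    # 1. Setup with no preceding permit: discarded, as all setup commands are by default.
    outcomes["no_permit"] = gate.on_setup(SET_CONFIGURATION_1)
    # 2. Permit with a bad signature: rejected, and the setup stays blocked.
    outcomes["bad_permit"] = gate.on_permit(SET_CONFIGURATION_1, bad_sig)
    outcomes["after_bad_permit"] = gate.on_setup(SET_CONFIGURATION_1)
    # 3. Valid permit, but untrusted host software substitutes a different packet.
    outcomes["good_permit"] = gate.on_permit(SET_CONFIGURATION_1, good_sig)
    outcomes["substituted"] = gate.on_setup(SET_CONFIGURATION_2)
    # 4. The unit kept waiting; the legitimate packet now passes.
    outcomes["legitimate"] = gate.on_setup(SET_CONFIGURATION_1)
    # 5. Replaying the same packet without a fresh permit is dropped again.
    outcomes["replay"] = gate.on_setup(SET_CONFIGURATION_1)
    return outcomes
```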

Conclusion

Thus, while continuing to use the USB protocol, encrypted data and commands can be sent from the protected component to the endpoint and from the endpoint to the protected component, while protecting the device from other kinds of reprogramming or reconfiguration.

As mentioned above, although possible embodiments of the present invention have been described in relation to various computing devices and network architectures, the basic concepts can be applied to any computing device or system in which encryption/decryption is performed over a USB or similar connection. Therefore, the methods of the present invention can be applied to a variety of applications and devices.

The various methods described herein may be implemented in hardware, in software, or in a combination of the two, where appropriate. Thus the methods and apparatus of the present invention, or certain aspects or portions thereof, may take the form of program code (i.e. instructions) embodied in tangible media, such as floppy disks, compact disks (CD-ROM), hard drives or any other machine-readable storage medium, such that, when the program code is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the invention. In the case of program code execution on programmable computers, the computing device will generally include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device and at least one output device. One or more programs that may use the signal processing services of the present invention, for example through a data processing application programming interface (API) or the like, are preferably implemented in a high-level procedural or object-oriented programming language to communicate with the computer system. However, the program(s) can be implemented in assembly or machine language, if desired. In any case, the language may be a compiled or interpreted language, and may be combined with hardware implementations.

The methods and apparatus of the present invention may also be practiced via communications embodied in the form of program code transmitted over some transmission medium, such as over electrical wiring or cabling, through fiber optics, or via any other form of transmission, such that, when the program code is received, loaded into and executed by a machine, such as an erasable ROM (EPROM), a gate array, a programmable logic device (PLD), a client computer, a video recorder or the like, or a receiving machine having the signal processing capabilities described in the embodiments above, the machine becomes an apparatus for practicing the invention. When implemented on a general-purpose processor, the program code combines with the processor to provide a unique apparatus that operates to invoke the functionality of the present invention. Additionally, any storage technique used in connection with the present invention may invariably be a combination of hardware and software.

While the present invention has been described in connection with the preferred embodiments shown in the accompanying drawings, it is to be understood that other similar embodiments may be used, or modifications and additions may be made to the described embodiments, for performing the same function of the present invention without deviating therefrom. For example, while the exemplary network environments of the invention are described in the context of a networked environment, such as a peer-to-peer network, it will be obvious to those skilled in the art that the present invention is not limited to such environments, and that the methods described in this application may apply to any computing device or environment, whether wired or wireless, such as a game console, handheld computer, laptop computer, etc., and may be applied to any number of such computing devices connected via a communications network and interacting across the network. Furthermore, it should be noted that a variety of computing platforms, including handheld-device operating systems and other application-specific operating systems, are contemplated, especially as the number of wireless network devices continues to grow. The present invention may also be implemented in or across a plurality of processing chips or devices, and storage may similarly be spread across a plurality of devices. Therefore, the present invention should not be limited to any single embodiment, but rather should be construed in breadth and scope in accordance with the appended claims.

1. An indirect method of data transmission between a device and a protected component, comprising the steps of
receiving in the protection unit first and second requests for data from the protected component,
after receiving in the protection unit the first request for data, transmitting the first request for data to said device,
in response to the first request for data, receiving in the protection unit data from said device,
after receiving in the protection unit the first request for data, transmitting to the protected component an intentionally false first signal indicating that data are not available,
after receiving said data from said device, encrypting said data in the protection unit,
intercepting in the protection unit the second request for data from the protected component to said device, and
after intercepting the second request for data, transmitting said encrypted data to the protected component and transmitting to said device a second signal deliberately distorted to indicate an error.

2. The method according to claim 1, in which said encryption is performed using a key, and the protected component contains a protected part containing a copy of said key for decryption.

3. The method according to claim 1, in which said device is a universal serial bus (USB) device, the protected component is functionally connected to the host computing device by USB, said request for data is a USB IN token, said data are USB data, and said signal to the protected component indicating that data are not available is a no-acknowledgement (NAK) signal.

4. The method according to claim 1, further comprising the steps of
after said transmission by the protection unit of said encrypted data to the protected component, receiving a data acknowledgment from the protected component,
after receiving in the protection unit said data acknowledgment from the protected component, passing said data acknowledgment to said device.

5. The method according to claim 4, in which said device is a USB device, the protected component is functionally connected to the host computer by the USB device, and said data acknowledgment is the data-reception acknowledgment signal (ACK).

6. The method according to claim 1, in which said data received from said device contain a signal indicating that said device is in an error state, and, after reception from said device of data indicating that said device is in an error state, said signal transmitted to the protected component indicating that data are not available is a signal indicating that said device is in an error state.

7. The method according to claim 6, in which said device is a USB device, the protected component is functionally connected to the host computer by the USB device, and said signal indicating that said device is in an error state is a STALL signal.

8. An indirect method of data transfer between a USB device and a protected component functionally connected to a host computing device by universal serial bus (USB), comprising the steps of
intercepting in the protection unit data from the USB device sent in response to a first IN token from the protected component,
transmitting from the protection unit to the protected component an intentionally false first signal indicating that data are not available,
encrypting said data in the protection unit,
intercepting a second IN token transmitted from the protected component to the USB device, and
in response to intercepting the second IN token, transmitting said encrypted data to the protected component and transmitting to the USB device a second signal intentionally distorted to indicate an error.

9. The method of claim 8, further comprising the step of transmitting a no-acknowledgement (NAK) signal to the protected component after intercepting said data from the USB device.

10. A protection unit for mediated data transfer between a device and a protected component, comprising
means for receiving in the protection unit first and second requests for data,
means for transmitting the first request for data to said device after receiving the first request for data,
means for receiving in the protection unit data from said device after transmitting the first request for data to said device,
means for transmitting from the protection unit to the protected component an intentionally false first signal indicating that data are not available, after receiving the first request for data,
means for encrypting said data in the protection unit after receiving said data from said device,
means for intercepting in the protection unit the second request for data from the protected component to said device, and
means for transmitting from the protection unit said encrypted data to the protected component and transmitting to said device a second signal deliberately distorted to indicate an error, after the second request for data.

11. The protection unit of claim 10, which is contained in said device.

12. The protection unit of claim 10, which is contained in a hub.

13. The protection unit of claim 10, which is contained in a separate device functionally connected with the protected component.

14. The protection unit of claim 10, in which said encryption is performed using a key, the protection unit includes means for storing said key, and the protected component contains a protected area containing a copy of said key for decryption.

15. The protection unit of claim 10, in which said device is a universal serial bus (USB) device, the protected component is functionally connected to the host computing device by USB, said request for data is a USB IN token, said data are USB data, and said signal to the protected component indicating that data are not available is a no-acknowledgement (NAK) signal.

16. The protection unit of claim 10, further comprising
means for receiving a data acknowledgment from the protected component after said transmission of the encrypted data to the protected component,
means for transmitting said data acknowledgment to the device after receiving said data acknowledgment from the protected component.

17. The protection unit of claim 16, in which said device is a USB device, the protected component is functionally connected to the host computer by the USB device, and said data acknowledgment is the data-reception acknowledgment signal (ACK).

18. The protection unit of claim 10, in which said data received from said device contain a signal indicating that said device is in an error state, and, after reception from said device of data indicating that said device is in an error state, the signal transmitted to the protected component indicating that data are not available is a signal indicating that said device is in an error state.

19. The protection unit of claim [number missing in source], in which said device is a USB device, the protected component is functionally connected to the host computer by the USB device, and said signal indicating that said device is in an error state is a STALL signal.

20. The protection unit of claim 10, in which the protected component is located in a first computer system, said device is located in a second computing system, said first and second computer systems are functionally connected, and said functional connection belongs to at least one of a network, a local bus and a USB bus.

21. The protection unit of claim 10, in which the protected component contains a protected software component that performs at least one secure process, and said data transfer takes place between one of said at least one secure process and said device.

22. A protection unit for mediated data transfer between a universal serial bus (USB) device and a protected component functionally connected to a host computer by the USB device, comprising
means for intercepting in the protection unit data from the USB device sent in response to a first IN token from the protected component,
means for transmitting to the protected component an intentionally false first signal indicating that data are not available,
means for encrypting said data in the protection unit,
means for intercepting in the protection unit a second IN token transmitted from the protected component to the USB device, and
means for transmitting from the protection unit said encrypted data to the protected component and transmitting to the USB device a second signal deliberately distorted to indicate an error.

23. The protection unit of claim 22, further comprising
means for transmitting a no-acknowledgement (NAK) signal to the protected component after the first interception of said data from the USB device.

24. A tangible machine-readable medium for indirect data transfer between a device and a protected component, containing computer-readable instructions which, when executed by one or more processors, implement steps including
receiving in the protection unit first and second requests for data,
transmitting the first request for data to said device after receiving the first request for data,
receiving in the protection unit data from said device after transmitting the first request for data to said device,
transmitting from the protection unit to the protected component an intentionally false first signal indicating that data are not available, after receiving the first request for data,
encrypting said data in the protection unit after receiving said data from said device,
intercepting in the protection unit the second request for data from the protected component to said device, and
transmitting said encrypted data to the protected component and transmitting to said device a second signal deliberately distorted to indicate an error, after the second request for data.

25. The computer-readable storage medium according to claim 24, in which said encryption is performed using a key, and the protected component contains a protected part containing a copy of said key for decryption.

26. The computer-readable storage medium according to claim 24, in which said device is a universal serial bus (USB) device, the protected component is functionally connected to the host computing device by USB, said request for data is a USB IN token, said data are USB data, and said signal to the protected component indicating that data are not available is a no-acknowledgement (NAK) signal.

27. The computer-readable storage medium according to claim 24, in which said steps additionally include
receiving a data acknowledgment from the protected component after said transmission of the encrypted data to the protected component,
transmitting said data acknowledgment to the device after receiving said data acknowledgment from the protected component.

28. The computer-readable storage medium according to claim 27, in which said device is a USB device, the protected component is functionally connected to the host computer by the USB device, and said data acknowledgment is the data-reception acknowledgment signal (ACK).

29. The computer-readable storage medium according to claim 24, in which said data received from said device contain a signal indicating that said device is in an error state, and, after reception from said device of data indicating that said device is in an error state, the signal transmitted to the protected component indicating that data are not available is a signal indicating that said device is in an error state.

30. The computer-readable storage medium according to claim 29, in which said device is a USB device, the protected component is functionally connected to the host computer by the USB device, and said signal indicating that said device is in an error state is a STALL signal.

31. A tangible machine-readable medium for indirect data transfer between a universal serial bus (USB) device and a protected component functionally connected to a host computer by the USB device, containing computer-readable instructions which, when executed by one or more processors, implement steps including
intercepting in the protection unit data from the USB device sent in response to a first IN token from the protected component,
encrypting said data in the protection unit,
transmitting to the protected component an intentionally false first signal indicating that data are not available,
intercepting in the protection unit a second IN token transmitted from the protected component to the USB device, and
transmitting from the protection unit said encrypted data to the protected component and transmitting to the USB device a second signal deliberately distorted to indicate an error.

32. The computer-readable storage medium according to claim [number missing in source], in which said steps additionally include
transmitting a no-acknowledgement (NAK) signal to the protected component after intercepting said data from the USB device.



 

Same patents:

FIELD: physics; computer engineering.

SUBSTANCE: present invention pertains to authentication of applications. Identifier of the corresponding distributor is retrieved from meta data applications. Certificates are received. Each certificate contains one or more identifiers of corresponding distributors. The above mentioned identifiers are retrieved from certificates and certificates are chosen, based on comparison of identifiers, retrieved from meta data applications and certificates, such that, the relationship between the identifier and the distributor is controlled so that, certificates could be used only for identifying applications, distributed by identified distributors.

EFFECT: provision for selecting a certificate for authenticating an application, linked to a distributor.

15 cl, 4 dwg

FIELD: physics; computer engineering.

SUBSTANCE: present invention pertains to control of generation of cryptographic keys in an information media, comprising a party which generates the key and distributes the key information for the party using the key. Through a given unilateral function of deriving keys, a relationship between key generations is determined, which is such that, earlier generation of keys can be more efficiently derived from later generation, but not the opposite. Each time, when necessary, the party using the key iteratively receives the given unilateral function of deriving keys for outputting the key information of at least, one previous key generation from the key information of new key generation. That way, memory requirements for the party using the key can considerably be reduced.

EFFECT: protection of data during recording.

32 cl, 6 dwg

FIELD: physics; computer engineering.

SUBSTANCE: present invention pertains to the architecture and method of establishing a secure multimedia channel for content delivery. The computer device has a secure multimedia channel for delivering content from a source to a receiver. In the secure channel, the multimedia base provides a secure environment in the computer device and comprises a common infrastructure of key components, processing content from any specified source and delivering the processed content to any specified receiver, and also comprises a policy implementation unit, providing for compliance with policy on behalf of the source. The policy corresponds to the content from the source and comprises rules and requirements for accessing the content and its playback. The multimedia base provides for secure transmission of content through the computer device and allows for arbitrary processing of protected content in the computer device.

EFFECT: increased security of content from unauthorised use.

23 cl, 6 dwg

FIELD: information technologies.

SUBSTANCE: invention can be used in system of the forced performance of requirements which provides access possibility to the enciphered digital content on a computing mechanism only according to parametres the certain rights of the license got by the user of digital contents. The first confidential builder on the first computing mechanism carries out cryptographic, an estimate and the forced performance of requirements and forcedly contacts it, the first certificate of the user device corresponding to the first computing mechanism, forcedly contacts the user. Accordingly, the second confidential builder on the second computing mechanism carries out cryptographic processing, an estimate and the forced performance of requirements and forcedly contacts it, the second certificate of the user device corresponding to the second computing mechanism, also forcefully contacts the user. The first competent builder gains contents for reproduction on the first computing mechanism by means of the first certificate of the user device and the license, and the second confidential builder gains contents for reproduction on the second computing mechanism by means of the second certificate of the user device and the same license.

EFFECT: prevention of non-authorised duplication of digital content by the user related to the digital license and having of some computing mechanisms.

16 cl, 6 dwg

FIELD: physics, computer technology.

SUBSTANCE: invention concerns digital rights management system. (DRM) features multiple DRM servers with DRM functionality, and incoming server DRM-I is registered in the system by registration server DRM-R, so that incoming server DRM-I should be a trust server in this system. DRM-I server sends registration request to DRM-R server including representative identification data and public key (PU-E). DRM-R server checks validity of representative identification data, and if the request can be met, DRM-R server generates digital registration certificate by (PU-E) for DRM-I server for registration of DRM-I server in DRM system. Just registered DRM-I server with generated registration certificate can use it for delivery of documents with DRM in DRM system.

EFFECT: controlled reproduction or playback of arbitrary forms of digital content in an environment where documents are shared by a defined group of users.

74 cl, 17 dwg

FIELD: physics, computer technology.

SUBSTANCE: the invention relates to data protection systems. In the certificate-based encryption mechanism, the source client computer does not need access to the whole certificate of the target client computer when encrypting an e-mail message to be sent to the target client computer. Instead, the source client computer requests only part of the certificate from a certificate server. That certificate part contains the encryption information but may omit (completely or partly) the certificate's self-verification information. The certificate server preferably performs any check of the certificate's authenticity before sending the encryption information to the source client computer, which removes the need for the source client computer to perform the certificate authenticity check itself, especially if the certificate server has been verified as trustworthy by the source client computer.

EFFECT: reduced memory and processor resources used for certificate-based encryption, and minimised bandwidth requirements between the certificate server and the source client device.

36 cl, 8 dwg

FIELD: physics.

SUBSTANCE: the invention relates to methods of collecting usage data from television broadcast receivers. A method of collecting usage data from a broadcast receiver is proposed, where the receiver is arranged to detect and store such usage data. The method involves presenting (16, 18) to the receiver a privacy policy that identifies not only the usage data to be collected but also the intended use of that data. The receiver determines (22), interactively or automatically, whether the received privacy policy is acceptable. If so, the receiver retrieves (30) the usage data identified in the privacy policy from storage and sends it (28) to the sender of the privacy policy.

EFFECT: increased privacy in the use of information about users' viewing habits.

15 cl, 3 dwg

FIELD: physics.

SUBSTANCE: the invention relates to a method of recording data into the memory of a portable terminal and to a storage medium. The method comprises: a reading step, in which data stored on the storage medium of the portable terminal is read; a data comparison step, in which identification data that is individual to the user of the portable terminal and read from the storage medium is compared with previously registered user registration data, and a record command is issued to the data reading/recording device only when the data is approved; a recording step, in which application data required by the portable terminal is recorded to the storage medium, provided that a record command was issued in the data comparison step; and an activation step, in which the portable terminal to which the storage medium is connected is activated. The storage medium contains a program by means of which the actions of the said method are enabled.

EFFECT: secure storage of the data required for activating a portable telephone.

2 cl, 44 dwg

FIELD: information technology.

SUBSTANCE: a login page with an interface for entering user credentials is provided on the client system, and the entered credentials are sent to the server. In response to receiving the user credentials, the server generates a unique session identifier for the client system. The server also obtains a digital signature for the user credentials based on the current key in a store of cyclically rotated keys and the unique session identifier. The server then encrypts the digital signature and the user credentials based on an encryption key derived from the current key and the unique session identifier. When the encrypted credentials are received from the client system, the keys from the store of rotated keys are used to check the validity of the credentials. If the user credentials are not validated, the user is redirected to the login page.

EFFECT: provision of encrypted processing of user credentials.

12 cl, 7 dwg

FIELD: information technology.

SUBSTANCE: a publishing user obtains a publishing certificate from the DRM server, creates content, encrypts it with a content key (CK), creates a rights label for the content using the public key of the DRM server (PU-DRM) to produce (PU-DRM(CK)), retrieves (PU-ENTITY(PR-OLP)) from the publishing certificate, applies the private key (PR-ENTITY) corresponding to (PU-ENTITY) to (PU-ENTITY(PR-OLP)) to obtain (PR-OLP), signs the created rights label with (PR-OLP), and attaches the SRL and the publishing certificate to the encrypted content to form a content package distributed to another user, who must contact the DRM server to obtain a license containing CK for playback of the content. The publishing user also creates license data corresponding to the content package, with (CK) encrypted under (PU-ENTITY) to produce (PU-ENTITY(CK)), signs the license data with (PR-OLP), and attaches the publishing certificate to the publishing license.

EFFECT: content can be published without first obtaining permission from the server, and a license for playback of the published content can be issued without permission from the server.

20 cl, 17 dwg

FIELD: physics, computer engineering.

SUBSTANCE: the invention relates to methods and devices for performing an operation requested by a user on a content item. The invention authorises an operation requested by a first user on a content item on the basis of a user right. The user right may identify the first user or a second user and authorises the performance of the requested operation by that user on the content item. If the user right identifies the second user, the operation is authorised upon receipt of information on the relationship between the user right of the first user and the user right of the second user. Preferably, this information consists of one or more domain certificates that identify the first and second users as members of the same authorised domain. Preferably, a content right that permits the operation is used, and the user right authorises the exercise of the content right by the second user.

EFFECT: control of content rights for groups of people on the basis of persons rather than devices.

19 cl, 3 dwg

FIELD: physics; computer engineering.

SUBSTANCE: the present invention relates to control of the generation of cryptographic keys in an information environment comprising a key-generating party that distributes key information to a key-using party. By means of a given one-way key derivation function, a relationship between key generations is established such that earlier key generations can be efficiently derived from later ones, but not the opposite. Whenever necessary, the key-using party iteratively applies the given one-way key derivation function to output the key information of at least one previous key generation from the key information of a newer key generation. In this way, the memory requirements of the key-using party can be considerably reduced.

EFFECT: protection of data during recording.

32 cl, 6 dwg

FIELD: physics, computer facilities.

SUBSTANCE: the invention concerns an information processing device, system and method for updating software. When user computer 103 sends a user identifier to central computer 102, central computer 102 instructs user computer 103 to obtain the URL of a module storage area 104 that corresponds to the user identifier and stores the modules the user should obtain. User computer 103 accesses the module storage area via the URL, obtains the list of modules, compares the list with the modules currently installed on it, and decides whether modules need to be obtained. If it decides that modules must be obtained, user computer 103 accesses the module storage area again and obtains the module.

EFFECT: simple and convenient software updating with a simultaneous reduction of load on users, software suppliers and the central computer.

11 cl, 17 dwg

FIELD: physics, computer technology.

SUBSTANCE: the invention concerns network management, in particular a system and method of identifying principals in a network environment. The improved network architecture uses a super-authority that holds an identity catalogue for forwarding the identification tasks of requests to the logical entry point of the relevant authority. Identification tasks can be carried out by authorities across namespace boundaries if the super-authority so prescribes, so that a principal's account can be migrated without changing its account identifier. In one embodiment of the invention, the identity catalogue contains a list linking account identifiers to the relevant identifying authorities.

EFFECT: principals can migrate across security boundaries without changing account identifiers or the level of resource protection.

25 cl, 8 dwg

FIELD: physics, computer technology.

SUBSTANCE: the invention concerns a method of identifying a user of a first radio communication network (WLAN) and charging for communication services between a user device (laptop) and the first radio communication network (WLAN), using a mobile radio communication system comprising a mobile station (MS) and a mobile radio communication network (PLMN). Identification data of the user and/or the mobile station (MS) is transmitted by the user device (laptop) from the first radio communication network (WLAN) to the mobile radio communication network (PLMN), or the mobile station (MS) sends an information request signal to the mobile radio communication network (PLMN) for access to the first radio communication network (WLAN). In response, the mobile radio communication network (PLMN) sends a charged short message to the mobile station (MS) containing access information for the first radio communication network (WLAN). Charging for communication between the user device (laptop) and the first radio communication network (WLAN) is performed by charging for the short message in the mobile radio communication system.

EFFECT: user identification and charging for the use of the first radio communication network (WLAN) without new equipment or additional investment.

8 cl, 3 dwg

FIELD: physics, computer facilities.

SUBSTANCE: the invention concerns methods of managing document workflow in a security system. A request to change the access rights of a subordinate employee is drawn up by a superior employee entering data about the change of access rights into the IT system, with the system web portal performing actions on the request during the request's life cycle. The request to change the subordinate employee's access rights is then processed to determine the information needed for the further request-processing procedure and to draw up instructions. After a decision is made on granting the subordinate employee access rights to IT system resources, the request is authorised. The method also includes implementing the request by assigning an executor for all instructions of the request, modifying the text of the instructions, and having the assigned executor carry out the instructions by changing the state of the IT system. The method may include monitoring the execution of the instructions by checking the correctness of the access right changes and confirming that these changes comply with the overall instructions.

EFFECT: integration and automatic coordination of user identity and access rights management procedures.

9 cl, 17 dwg

FIELD: information technologies.

SUBSTANCE: the software packer comprises a packer interface that provides controlled access to an application file. The application file is encapsulated by security code to protect it against unauthorised access. The software packer comprises a license key for using the program package, which identifies a license policy that defines restrictions on use within a geographical boundary. The software packer comprises a license certification mechanism that periodically determines compliance with the license policy. The license certification mechanism grants access to another process running on the local computer via the packer interface in response to a license validity confirmation signal received from a license server.

EFFECT: protection of software suppliers' rights when software is distributed by the supplier, restrictions on its use, and support for security on the end user platform.

13 cl, 18 dwg

FIELD: information technologies.

SUBSTANCE: when a user indicates (explicitly or implicitly) that he or she is trying or intends to open a file, the file may later be locked for editing. Thus the default action performed when the user requests to open the file does not prevent other users from accessing the file. Then, when the user indicates that editing should take place, the file is locked.

EFFECT: provision of a modified file-opening action.

4 dwg

FIELD: physics; computer technology.

SUBSTANCE: the present invention relates to computer technology. The computer makes an authentication attempt at the server for automatic access to a first network. The server determines that the computer system is not authorised to access the first network. The computer system is authorised to access a second network for the purpose of downloading files required to gain access to the first network. A user interface for receiving user-supplied signup information is automatically provided on the computer system. A first document, based on a given layout and containing the user-supplied information, is sent to the server. If the server determines that the user-supplied information is acceptable, a second document is received, which contains an instruction authorising access to the first network. The computer system provides a third document for configuring the computer system compatibly to gain access to the first network.

EFFECT: a higher level of automation in initialising and configuring a computer system for network access.

32 cl, 4 dwg
