Multi-level independent security architecture
Abstract
A system includes a plurality of data input ports, each port corresponding to one of a plurality of different levels of security classification; a security device, configured for cryptographic processing, coupled to receive incoming data from each of the plurality of input ports, wherein the incoming data includes first data having a first classification level; a key manager configured to select a tag-identified first set of keys from a plurality of key sets, each of the key sets corresponding to one of the different levels of security classification, wherein the first set of keys is used by the security device to encrypt the first data; and a common encrypted data storage, coupled to receive the encrypted first data from the security device for storage.
16 Claims
1. A system, comprising:
a plurality of data input ports, each port corresponding to one of a plurality of different levels of security classification;
a plurality of computing devices coupled to receive incoming data from the plurality of input ports, wherein the incoming data includes a first data packet having a first classification level, the first data packet comprises a tag that identifies one of the levels of security classification, and wherein each computing device is configured to perform, by at least one processor, security processing for at least one of the different levels of security classification;
wherein a first computing device of the plurality of computing devices is further configured to:
encrypt, using a first set of keys, the first data packet for sending to a data storage;
read the first data packet from the data storage;
after reading the first data packet from the data storage, detect that the first data packet is stored at the first classification level;
generate, based on detecting that the first data packet is stored at the first classification level, a key address to select a second set of keys; and
decrypt the first data packet using the second set of keys;
a multiplexer configured to route, based on the tag, the first data packet from one of the data input ports to the first computing device; and
a key manager configured to select the first set of keys from a plurality of key sets stored in at least one memory, each of the key sets corresponding to one of the different levels of security classification.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A method, comprising:
providing a plurality of computing devices, each computing device comprising at least one processor configured to perform security processing for at least one of a plurality of different levels of security classification, including a first computing device to perform processing for a first classification level;
receiving incoming data from a plurality of data ports, each port corresponding to one of the plurality of different levels of security classification, wherein the incoming data includes a first data packet having the first classification level;
routing, by a multiplexer and based on the first classification level, the first data packet from one of the data ports to the first computing device;
encrypting, by the first computing device, the first data packet using a first set of keys, the first set of keys selected from a plurality of key sets stored in at least one memory;
after encrypting the first data packet using the first set of keys, adding a tag to a header of the first data packet, the tag indicating that the first data packet is stored at the first classification level;
sending the first data packet to a data storage, wherein the first data packet is stored in the data storage as indicated by the tag;
reading the first data packet from the data storage;
after reading the first data packet from the data storage, detecting, based on the tag, that the first data packet is stored at the first classification level;
generating, based on detecting that the first data packet is stored at the first classification level, a key address to select a second set of keys; and
decrypting the first data packet using the second set of keys.
Dependent claims: 10, 11, 12, 13, 14, 15.

16. A system, comprising:
a plurality of data ports to receive incoming data, each port corresponding to one of a plurality of different levels of security classification, wherein the incoming data includes a first data packet having a first classification level;
a plurality of computing devices, each computing device configured to perform encryption for at least one of the different levels of security classification, wherein each computing device comprises at least one processor configured to perform the encryption;
wherein a first computing device of the plurality of computing devices is further configured to:
encrypt, using a first set of keys, the first data packet for writing to a data storage;
read the first data packet from the data storage;
after reading the first data packet from the data storage, detect, based on a tag in a header of the first data packet, that the first data packet is stored at the first classification level;
generate, based on detecting that the first data packet is stored at the first classification level, a key address to select a second set of keys; and
decrypt the first data packet using the second set of keys;
a multiplexer configured to route, based on the first classification level, the first data packet from one of the data ports to the first computing device;
at least one key cache storing, via at least one memory, a plurality of key sets, wherein the first set of keys is selected from the plurality of key sets; and
a packet write engine configured to, after encrypting the first data packet by the first computing device:
add the tag to the header of the first data packet; and
write the encrypted first data packet to the data storage.
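As an added illustration (not code from the patent or from any product built on it), the write and read paths of the independent claims in Python: per-level key sets held in a key cache, multiplexer routing by tag to the device for that level, encryption with the level's first key set, a header tag added for storage, and on read the tag detected and turned into a key address that selects the second key set. The cipher is a stand-in built from stdlib HMAC-SHA256 (counter-mode keystream plus encrypt-then-MAC) so the block runs without extra packages; covering the header tag with the MAC is an assumption added here so that a stored packet whose tag was altered is rejected instead of being decrypted under another level's keys.

```python
import hashlib, hmac, os, struct

LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET")
# Key cache: one (encryption key, integrity key) set per classification level.
# Generated fresh for this demo; a real key manager would provision them.
KEY_CACHE = [(os.urandom(32), os.urandom(32)) for _ in LEVELS]

def key_address(level: str) -> int:
    """Derive the key-cache address from a classification tag."""
    return LEVELS.index(level)

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; a stand-in for a real cipher."""
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

class LevelDevice:
    """Computing device that performs cryptographic processing for one level."""
    def __init__(self, level: str):
        self.level = level
    def encrypt_for_storage(self, plaintext: bytes) -> bytes:
        enc_key, mac_key = KEY_CACHE[key_address(self.level)]   # first key set
        nonce = os.urandom(16)
        body = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
        # Packet write engine step: prepend the level tag as the header. The MAC
        # also covers the tag (assumption added here) so relabeling is detected.
        tag = self.level.encode()
        mac = hmac.new(mac_key, tag + nonce + body, hashlib.sha256).digest()
        return tag + b"|" + nonce + body + mac

DEVICES = {lvl: LevelDevice(lvl) for lvl in LEVELS}

def mux_route(tag: str, packet: bytes) -> bytes:
    """Multiplexer: route an incoming packet to its level's device; return the stored form."""
    return DEVICES[tag].encrypt_for_storage(packet)

def read_from_storage(stored: bytes) -> bytes:
    """Detect the level from the header tag, select the second key set, decrypt."""
    tag, rest = stored.split(b"|", 1)
    enc_key, mac_key = KEY_CACHE[key_address(tag.decode())]    # second key set
    nonce, body, mac = rest[:16], rest[16:-32], rest[-32:]
    expected = hmac.new(mac_key, tag + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("integrity failure: key set does not match header tag")
    return bytes(c ^ k for c, k in zip(body, keystream(enc_key, nonce, len(body))))

def relabel_rejected(stored: bytes, new_level: str) -> bool:
    """Defender check: a stored packet whose header tag was changed must not decrypt."""
    forged = new_level.encode() + b"|" + stored.split(b"|", 1)[1]
    try:
        read_from_storage(forged)
        return False
    except ValueError:
        return True
```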
Specification