Multi-level independent security architecture

US 10,114,766 B2
Filed: 11/18/2016
Issued: 10/30/2018
Est. Priority Date: 04/01/2013
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a plurality of data input ports, each port corresponding to one of a plurality of different levels of security classification;

a plurality of computing devices coupled to receive incoming data from the plurality of input ports, wherein the incoming data includes a first data packet having a first classification level, the first data packet comprises a tag that identifies one of the levels of security classification, and wherein each computing device is configured to perform, by at least one processor, security processing for at least one of the different levels of security classification;

wherein a first computing device of the plurality of computing devices is further configured to;

encrypt, using a first set of keys, the first data packet for sending to a data storage;

read the first data packet from the data storage;

after reading the first data packet from the data storage, detect that the first data packet is stored at the first classification level;

generate, based on detecting that the first data packet is stored at the first classification level, a key address to select a second set of keys; and

decrypt the first data packet using the second set of keys;

a multiplexer configured to route, based on the tag, the first data packet from one of the data input ports to the first computing device; and

a key manager configured to select the first set of keys from a plurality of key sets stored in at least one memory, each of the key sets corresponding to one of the different levels of security classification.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system includes a plurality of data input ports, each port corresponding to one of a plurality of different levels of security classification; a security device, configured for cryptographic processing, coupled to receive incoming data from each of the plurality of input ports, wherein the incoming data includes first data having a first classification level; a key manager configured to select and tag-identified first set of keys from a plurality of key sets, each of the key sets corresponding to one of the different levels of security classification, wherein the first set of keys is used by the security device to encrypt the first data; and a common encrypted data storage, coupled to receive the encrypted first data from the security device for storage.

227 Citations

16 Claims

1. A system, comprising:
- a plurality of data input ports, each port corresponding to one of a plurality of different levels of security classification;
  
  a plurality of computing devices coupled to receive incoming data from the plurality of input ports, wherein the incoming data includes a first data packet having a first classification level, the first data packet comprises a tag that identifies one of the levels of security classification, and wherein each computing device is configured to perform, by at least one processor, security processing for at least one of the different levels of security classification;
  
  wherein a first computing device of the plurality of computing devices is further configured to;
  
  encrypt, using a first set of keys, the first data packet for sending to a data storage;
  
  read the first data packet from the data storage;
  
  after reading the first data packet from the data storage, detect that the first data packet is stored at the first classification level;
  
  generate, based on detecting that the first data packet is stored at the first classification level, a key address to select a second set of keys; and
  
  decrypt the first data packet using the second set of keys;
  
  a multiplexer configured to route, based on the tag, the first data packet from one of the data input ports to the first computing device; and
  
  a key manager configured to select the first set of keys from a plurality of key sets stored in at least one memory, each of the key sets corresponding to one of the different levels of security classification.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the key manager is an internal key manager of one of the computing devices.
  - 3. The system of claim 1, further comprising a plurality of key caches, wherein the key manager is coupled to an external key manager, and keys received from the external key manager are stored in one of the associated key caches for use by one of the computing devices during encryption of incoming data packets.
  - 4. The system of claim 1, further comprising a plurality of key caches, wherein keys are stored in each of the key caches for use by a selected one of the computing devices during encryption of the incoming data.
  - 5. The system of claim 1, wherein the multiplexer is programmable to support different interface protocols, and each of the plurality of computing devices is programmable to support different encryption protocols.
  - 6. The system of claim 5, wherein each of the computing devices includes at least one field-programmable gate array programmable to support the different interface protocols.
  - 7. The system of claim 1, wherein each of the computing devices is physically isolated from the other of the computing devices.
  - 8. The system of claim 1, wherein each of the computing devices comprises a packet input engine and a cryptographic engine, each configured for data processing as part of a two-dimensional systolic array.

9. A method, comprising:
- providing a plurality of computing devices, each computing device comprising at least one processor configured to perform security processing for at least one of a plurality of different levels of security classification, including a first computing device to perform processing for a first classification level;
  
  receiving incoming data from a plurality of data ports, each port corresponding to one of the plurality of different levels of security classification, wherein the incoming data includes a first data packet having the first classification level;
  
  routing, by a multiplexer and based on the first classification level, the first data packet from one of the data ports to the first computing device;
  
  encrypting, by the first computing device, the first data packet using a first set of keys, the first set of keys selected from a plurality of key sets stored in at least one memory;
  
  after encrypting the first data packet using the first set of keys, adding a tag to a header of the first data packet, the tag indicating that the first data packet is stored at the first classification level;
  
  sending the first data packet to a data storage, wherein the first data packet is stored in the data storage as indicated by the tag;
  
  reading the first data packet from the data storage;
  
  after reading the first data packet from the data storage, detecting, based on the tag, that the first data packet is stored at the first classification level;
  
  generating, based on detecting that the first data packet is stored at the first classification level, a key address to select a second set of keys; and
  
  decrypting the first data packet using the second set of keys.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, further comprising zeroizing the first computing device after the encrypting of the first data packet.
  - 11. The method of claim 9, further comprising:
    - verifying the first classification level of the first data packet using the tag; and
      
      addressing a key store controller to select a key associated with the first data packet for use in decrypting the first data packet.
  - 12. The method of claim 11, further comprising:
    - selecting, by the key store controller, one of the data ports; and
      
      routing the decrypted first data packet to the data port selected by the key store controller.
  - 13. The method of claim 11, further comprising:
    - zeroizing the multiplexer after each classified level of data is processed.
  - 14. The method of claim 9, further comprising:
    - verifying the first classification level of the first data packet using the tag; and
      
      after verifying the first classification level using the tag, addressing a key store controller to select the first set of keys.
  - 15. The method of claim 14, further comprising:
    - zeroizing the multiplexer after each classified level of data is processed.

16. A system, comprising:
- a plurality of data ports to receive incoming data, each port corresponding to one of a plurality of different levels of security classification, wherein the incoming data includes a first data packet having a first classification level;
  
  a plurality of computing devices, each computing device configured to perform encryption for at least one of the different levels of security classification, wherein each computing device comprises at least one processor configured to perform the encryption;
  
  wherein a first computing device of the plurality of computing devices is further configured to;
  
  encrypt, using a first set of keys, the first data packet for writing to a data storage;
  
  read the first data packet from the data storage;
  
  after reading the first data packet from the data storage, detect, based on a tag in a header of the first data packet, that the first data packet is stored at the first classification level;
  
  generate, based on detecting that the first data packet is stored at the first classification level, a key address to select a second set of keys; and
  
  decrypt the first data packet using the second set of keys;
  
  a multiplexer configured to route, based on the first classification level, the first data packet from one of the data ports to the first computing device;
  
  at least one key cache storing, via at least one memory, a plurality of key sets, wherein the first set of keys is selected from the plurality of key sets; and
  
  a packet write engine configured to, after encrypting the first data packet by the first computing device;
  
  add the tag to the header of the first data packet; and
  
  write the encrypted first data packet to the data storage.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Secturion Systems, Inc.
Original Assignee
Secturion Systems, Inc.
Inventors
Takahashi, Richard J.
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US15/355,303
Publication Number

US 20170075821A1
Time in Patent Office

711 Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/0802   Addressing of a memory leve...

G06F 12/1408   by using cryptography for d...

G06F 12/1466   Key-lock mechanism

G06F 21/575   Secure boot

G06F 21/72   in cryptographic circuits

G06F 21/78   to assure secure storage of...

G06F 2212/1052   Security improvement

G06F 2212/402   Encrypted data

G06F 2212/60   Details of cache memory

H04L 63/0435   wherein the sending and rec...

H04L 63/0485   Networking architectures fo...

H04L 63/105   Multiple levels of security

H04L 9/14   using a plurality of keys o...

Multi-level independent security architecture

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

227 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-level independent security architecture

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

227 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links