Interface device
Abstract
The present invention relates to an interface device and, in particular, an interface device for providing communication security services. The problem of providing communication security services to, for example, a pair of host computers that must communicate over an insecure public network is a widely addressed one. It is known to provide cryptographic functionality to a host computer such that data traffic transmitted by the host computer can be secured. However, a major weakness of known methods is that such cryptographic processing is either carried out on the host or, where the data to be secured is passed to an additional cryptographic accelerator device plugged into the host, the cryptographically processed data is passed back to the host before subsequent transmission. Both such methods give rise to a situation where, in the event of the host operating system being subverted, the original data and the cryptographically processed data are able to be simultaneously gathered on the host, giving rise to the classic “known plaintext” attack on the cryptographic key used in the encryption operation.

According to the present invention, however, an interface device is provided comprising a first interface for receiving data from a first zone in a first zone data format; means for processing said received data through performance of a cryptographic operation on at least a portion thereof; a second interface for sending said processed data to a second zone in a second zone data format; and means arranged to pass said processed data exclusively from said processing means to said second interface. In this way, by enforcing a unidirectional flow of information through the device and isolating all the necessary functionality (including, for example, the cryptographic key) on the device, the problems of the prior art are advantageously avoided.
107 Citations
12 Claims
1. An interface device comprising:
- a first interface for receiving data from a first zone in a first zone data format;
- means for processing said received data through performance of a cryptographic operation on at least a portion thereof;
- a second interface for sending said processed data to a second zone in a second zone data format; and
- means arranged to pass said processed data exclusively from said processing means to said second interface;
Dependent claims: 2, 3, 4, 5, 6, 7
8. An interface device comprising:
- a first interface for receiving data from a first authorised party in a first data format;
- means for processing said received data through performance of a computational operation on at least a portion thereof;
- a second interface for sending said processed data to a second authorised party in a second data format;
- means arranged to pass said processed data exclusively from said processing means to said second interface;
- wherein said operation performed by said processing means is such that if said sent processed data is intercepted by an unauthorised party, the recovery of said received data from said processed data is computationally unfeasible.
9. A method of operating an interface device comprising:
- receiving data at a first interface from a first zone in a first zone data format;
- processing said received data through performance of a cryptographic operation on at least a portion thereof;
- passing said processed data exclusively from said processing means to a second interface; and
- sending said processed data from said second interface to a second zone in a second zone data format.
Dependent claims: 10, 11
12. A method of operating an interface device comprising:
- receiving data at a first interface from a first authorised party in a first data format;
- processing said received data through performance of a computational operation on at least a portion thereof;
- passing said processed data exclusively to a second interface;
- sending said processed data from said second interface to a second authorised party in a second data format;
- wherein said performance of said computational operation is such that if said sent processed data is intercepted by an unauthorised party, the recovery of said received data from said processed data is computationally unfeasible.
Specification