Method and apparatus providing multiple single levels of security for distributed processing in communication systems

US 20040225883A1
Filed: 05/03/2004
Published: 11/11/2004
Est. Priority Date: 05/07/2003
Status: Abandoned Application

First Claim

Patent Images

1. A security system providing multiple single levels of security (MSLS) for associated apparatus, each of said associated apparatus including a respective plurality of ports and/or channels, and wherein said security system comprises:

label assignor means for assigning security labels to respective ones of said plurality of ports and/or channels of said associated apparatus;

programmable configuration generator means for requesting an interconnection of selected ports and/or channels of a first associated apparatus with specific designated ports and/or channels of a second associated apparatus for effecting communication therebetween;

switch policy means responsive to the port and/or channel security label assignments from said label assignor means, and port and/or channel interconnections requested by said programmable configuration generator, for both permitting only those ports and/or channels meeting both hierarchical and non-hierarchical label based mandatory access control requirements to be retained in the requested interconnection, and notifying said configuration generator means of the ports and/or channels denied interconnection; and

switching means responsive to said switch policy means for interconnecting only those ports and/or channels meeting both hierarchical and non-hierarchical label based mandatory access control requirements.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for operating a multiple single levels of security (MSLS) system comprising the step of providing switched-circuit functionality between channels operating at the same level of security whereby MSLS requirements are met and intelligence is distributed in a way to minimize security certification effort, and apparatus operative for said method.

83 Citations

View as Search Results

29 Claims

1. A security system providing multiple single levels of security (MSLS) for associated apparatus, each of said associated apparatus including a respective plurality of ports and/or channels, and wherein said security system comprises:
- label assignor means for assigning security labels to respective ones of said plurality of ports and/or channels of said associated apparatus;
  
  programmable configuration generator means for requesting an interconnection of selected ports and/or channels of a first associated apparatus with specific designated ports and/or channels of a second associated apparatus for effecting communication therebetween;
  
  switch policy means responsive to the port and/or channel security label assignments from said label assignor means, and port and/or channel interconnections requested by said programmable configuration generator, for both permitting only those ports and/or channels meeting both hierarchical and non-hierarchical label based mandatory access control requirements to be retained in the requested interconnection, and notifying said configuration generator means of the ports and/or channels denied interconnection; and
  
  switching means responsive to said switch policy means for interconnecting only those ports and/or channels meeting both hierarchical and non-hierarchical label based mandatory access control requirements.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The security system of claim 1 wherein said label assignor means is programmed to include the assigned security labels of said plurality of ports and channels.
  - 3. The security system of claim 1 wherein said programmable configuration generator means is programmed to include a requested configuration.
  - 4. The security system of claim 1 wherein said programmable configuration generator means is responsive to configuration information received from remotely located devices including personal computers.
  - 5. The security system of claim 1 wherein said switching means includes a plurality of switch fabric connection registers operable for electrically connecting an individual one of said plurality of ports and channels together.
  - 6. The security system of claim 5 wherein said switch fabric connection registers are provided by an application specific integrated circuit (ASIC).
  - 7. The security system of claim 5 wherein said switch fabric connection registers support N communication circuits and M port connections per circuit, whereby the values of N and M are application dependent.
  - 8. The security system of claim 7 wherein respective ones of said plurality of switch fabric connection registers are associated with individual ones of said N communication circuits.
  - 9. The security system of claim 5 wherein said plurality of ports and/or channels individually are designated to provide either one of a data connection, or an audio connection, to an associated user or apparatus in said system.
  - 10. The security system of claim 1 wherein said switch policy means is operative to enforce hierarchical and/or non-hierarchical mandatory access control for said plurality of ports and channels in the requested interconnection.
  - 11. The security system of claim 1 further including:
    - means for individually providing bidirectional communication between said switch policy means and a plurality of ports.
  - 12. The security system of claim 11 wherein said bidirectional communication providing means includes:
    - first through third interface circuits (Ifc'"'"'s) each having an individual connection to said switch policy means; and
      
      first through third MUX devices individually connected between said first Ifc and a JTR, said second Ifc and a local CDD, and said third Ifc and a remote CDD, respectively.
  - 13. The security system of claim 1 wherein said switch policy means further includes means for making a one-to-one association between labels or assignments received from said label assignor means and port and channel interconnections requested by said configuration generator means.
  - 14. The security system of claim 1 wherein said switch policy means and said switching means in combination provide a means for enforcing a mandatory access control (MAC) policy for MSLS.
  - 15. The security system of claim 1 wherein said programmable configuration generator means is further operative for requesting the deactivation of selected ports and/or channels of said first and second associated apparatus, respectively.
  - 16. The security system of claim 15 wherein said switch policy means operates said switching means for interconnecting or deactivating one of said plurality of ports and/or channels at a time, thereby preventing interference with other switching circuits of the associated apparatus.
  - 17. The security system of claim 1 wherein said configuration generator means includes:
    - authentication means for authenticating an associated configuration file as being received from a trusted source; and
      
      a Security Manager for authenticating I/O security labels from said authentication means, forwarding an I/O security label file to the label assignor means for authentication, marking the file as being authenticated, and passing the file to said switch policy means.
  - 18. The security system of claim 1 wherein said switch policy means includes:
    - an input/output (I/O) port/channel security label table developed from information received from said label assignor means and said configuration generator means, said table showing the security labels assigned to said plurality of ports and/or channels; and
      
      a circuit connection table showing active circuit connections between said plurality of ports and/or channels.
  - 19. The security system of claim 18, wherein said switch policy means further includes a table for system security labels showing circuit connections between a plurality of systems.

20. A method for providing multiple single levels of security (MSLS) for associated apparatus, each of said associated apparatus including a respective plurality of ports and/or channels, said method comprising the steps of:
- assigning security labels to respective ones of said plurality of ports and/or channels of said associated apparatus;
  
  requesting the interconnection of selected ones of said plurality of ports and/or channels of said associated apparatus;
  
  determining which of the selected ones of said plurality of ports and/or channels have compatible security labels; and
  
  interconnecting only those ports and/or channels determined to have compatible security labels;
  
  wherein said determining and interconnecting steps in combination provide for enforcing a hierarchical and non-hierarchical, label-based mandatory access control (MAC) policy for MSLS.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 21. The method of claim 20 wherein said interconnecting step further includes only connecting one circuit of said plurality of ports and/or channels at a time.
  - 22. The method of claim 20 wherein said determining step includes the step of communicating the ones of said plurality of ports and/or channels having compatible security labels to a plurality of devices including a Joint Tactical Radio (JTR), a local CDD and a remote CDD.
  - 23. The method of claim 22 wherein said communicating step is made via a plurality of multiplexers (MUX'"'"'s) to said plurality of devices, respectively.
  - 24. The method of claim 20 wherein said determining step is responsive to said assigning step and said requesting step for individually making a one to one association between the assigned security labels of each one of said plurality of ports and/or channels respectively requested to be interconnected.
  - 25. The method of claim 20 further including the step of configuring said plurality of ports and/or channels to each provide either one of a data connection or an audio connection to an associated user or apparatus in said system.
  - 26. The method of claim 20, wherein said requesting step further includes the step of designating selected ones of said ports and/or channels, that are presently active, to be deactivated.
  - 27. The method of claim 20 wherein said requesting step further includes the steps of:
    - authenticating an associated label file as being received from a trusted source; and
      
      blocking use of label files not received from a trusted source.
  - 28. The method of claim 20 wherein said determining step further includes the steps of:
    - developing an I/O port/channel security label table showing the security labels assigned to each one of said plurality of ports and/or channels; and
      
      developing a circuit connection table showing active circuit connections between said plurality of ports and/or channels.
  - 29. The method of claim 28 wherein said determining step further includes the step of:
    - developing a table for system classification showing circuit connections between a plurality of systems.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
BAE Systems Information and Electronic Systems Integration Incorporated (BAE Systems Plc)
Original Assignee
BAE Systems Information and Electronic Systems Integration Incorporated (BAE Systems Plc)
Inventors
Rontanini, Fabrizio, Pizzirusso, Michael A., Canter, Jeffrey B., Weller, Michael K.

Application Number

US10/837,790
Publication Number

US 20040225883A1
Time in Patent Office

Days
Field of Search
US Class Current

713/166
CPC Class Codes

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 49/25   Routing or path finding in ...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04W 12/08   Access security

Method and apparatus providing multiple single levels of security for distributed processing in communication systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

83 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus providing multiple single levels of security for distributed processing in communication systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

83 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links