One-way data transfer system with built-in data verification mechanism

US 7,675,867 B1
Filed: 04/18/2007
Issued: 03/09/2010
Est. Priority Date: 04/19/2006
Status: Active Grant

First Claim

Patent Images

1. A one-way data transfer system comprising:

a send node;

a receive node connected to the send node by a first one-way link for unidirectional transfer from the send node to the receive node; and

a dedicated feedback node for generating data verification information based on data that the receive node received from the send node via the first one-way link,wherein the dedicated feedback node is connected to the receive node by a second one-way link for unidirectional transfer from the receive node to the dedicated feedback node, and is also connected to the send node by a third one-way link for unidirectional transfer from the dedicated feedback node to the send node,wherein the dedicated feedback node does not transfer message data back to the send node.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention are directed to a one-way data transfer system with built-in data verification mechanism, comprising three nodes (Send Node, Receive Node, and Feedback Node) wherein (1) the three nodes are interconnected with each other by a one-way data link, and (2) the Feedback Node is designed solely for processing and relaying data verification information from the Receive Node to the Send Node. In these embodiments, the Send Node is capable of verifying the status of data it transferred to the Receive Node over a one-way data link without sacrificing the unidirectionality of data flow in the system and thereby compromising the level of security provided by use of one-way data links.

115 Citations

View as Search Results

77 Claims

1. A one-way data transfer system comprising:
- a send node;
  
  a receive node connected to the send node by a first one-way link for unidirectional transfer from the send node to the receive node; and
  
  a dedicated feedback node for generating data verification information based on data that the receive node received from the send node via the first one-way link,wherein the dedicated feedback node is connected to the receive node by a second one-way link for unidirectional transfer from the receive node to the dedicated feedback node, and is also connected to the send node by a third one-way link for unidirectional transfer from the dedicated feedback node to the send node,wherein the dedicated feedback node does not transfer message data back to the send node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 2. The one-way data transfer system of claim 1, wherein the dedicated feedback node comprises a minimum capacity machine for transferring only the data verification information and no other data to the send node.
  - 3. The one-way data transfer system of claim 1, wherein the communication channel capacity of the dedicated feedback node is user-configurable.
  - 4. The one-way data transfer system of claim 1, wherein the dedicated feedback node is configurable to operate only for predefined time intervals.
  - 5. The one-way data transfer system of claim 1, wherein the send node comprises a processor for generating a data verification request to be sent to the receive node over the first one-way link.
  - 6. The one-way data transfer system of claim 5, wherein the data verification information is generated only after the data verification request is received by the receive node.
  - 7. The one-way data transfer system of claim 5, wherein the data verification request is generated at a predefined time interval.
  - 8. The one-way data transfer system of claim 5, wherein the data verification request is generated at a periodic time interval.
  - 9. The one-way data transfer system of claim 5, wherein the data verification request is generated at a random time interval.
  - 10. The one-way data transfer system of claim 1, wherein the data verification information comprises a hash number.
  - 11. The one-way data transfer system of claim 10, wherein the hash number is an MD5 digest or a SHA-1 digest.
  - 12. The one-way data transfer system of claim 1, whereinthe send node comprises a processor for applying a hash algorithm to data that the send node sends to the receive node via the first one-way link to generate a first hash number;
    - andthe receive node comprises a processor for applying the hash algorithm to the data that the receive node receives from the send node via the first one-way link to generate a second hash number.
  - 13. The one-way data transfer system of claim 12, wherein the dedicated feedback node comprises a processor for generating the data verification information based on the second hash number received from the receive node via the second one-way link.
  - 14. The one-way data transfer system of claim 13, wherein the send node further comprises a processor for comparing the first hash number with the data verification information received from the dedicated feedback node via the third one-way link to verify the status of the data that the receive node received from the send node via the first one-way link.
  - 15. The one-way data transfer system of claim 12, wherein the receive node further comprises a processor for comparing the second hash number with the first hash number received from the send node.
  - 16. The one-way data transfer system of claim 15, wherein the receive node further comprises a processor for logging an error if the second hash number does not match the first hash number.
  - 17. The one-way data transfer system of claim 15, wherein the receive node is designed to drop the data received from the send node via the first one-way link if the second hash number does not match the first hash number.
  - 18. The one-way data transfer system of claim 12, wherein the dedicated feedback node comprises a processor for applying the hash algorithm to the second hash number received from the receive node to generate the data verification information.
  - 19. The one-way data transfer system of claim 18, wherein the send node further comprisesa processor for applying the hash algorithm to the first hash number to generate a first double hash number;
    - anda processor for comparing the first double hash number with the data verification information received from the dedicated feedback node via the third one-way link to verify the status of the data that the receive node received from the send node via the first one-way link.
  - 20. The one-way data transfer system of claim 19, wherein the send node further comprisesa processor for calculating expected double hash numbers from known hypothetical error scenarios;
    - anda processor for comparing the expected double hash numbers with the data verification information to identify an error in the data that the receive node received from the send node via the first one-way link, if the data verification information does not match the first double hash number.
  - 21. The one-way data transfer system of claim 19, wherein the send node further comprisesa table of expected double hash numbers from known hypothetical error scenarios;
    - anda processor for comparing the expected double hash numbers with the data verification information to identify an error in the data that the receive node received from the send node via the first one-way link, if the data verification information does not match the first double hash number.
  - 22. The one-way data transfer system of claim 1, whereinthe send node comprises a processor for determining status information of data that the send node sends to the receive node via the first one-way link;
    - andthe receive node comprises a processor for determining status information of the data that the receive node receives from the send node via the first one-way link.
  - 23. The one-way data transfer system of claim 22, wherein the receive node further comprises a processor for applying a hash algorithm to the status information of the received data to generate a received data status hash number.
  - 24. The one-way data transfer system of claim 23, wherein the dedicated feedback node comprises a processor for applying the hash algorithm to the received data status hash number received from the receive node via the second one-way link to generate the data verification information.
  - 25. The one-way data transfer system of claim 24, wherein the send node further comprises:
    - a processor for applying the hash algorithm to the status information of the sent data to generate a sent data status hash number;
      
      a processor for applying the hash algorithm to the sent data status hash number to generate a sent data status double hash number; and
      
      a processor for comparing the sent data status double hash number with the data verification information received from the dedicated feedback node via the third one-way link to verify the status of the data that the receive node received from the send node via the first one-way link.
  - 26. The one-way data transfer system of claim 25, wherein the send node further comprisesa processor for calculating expected double hash numbers from known hypothetical error scenarios;
    - anda processor for comparing the expected double hash numbers with the data verification information to identify an error in the data that the receive node received from the send node via the first one-way link, if the data verification information does not match the sent data status double hash number.
  - 27. The one-way data transfer system of claim 25, wherein the send node further comprisesa table of expected double hash numbers from known hypothetical error scenarios;
    - anda processor for comparing the expected double hash numbers with the data verification information to identify an error in the data that the receive node received from the send node via the first one-way link, if the data verification information does not match the sent data status double hash number.

28. A one-way data transfer system comprising:
- a plurality of nodes comprising at least one send node and at least one receive node;
  
  a dedicated feedback node for generating data verification information based on data that one of the at least one receive node received from one of the at least one send node; and
  
  a central switch for controlling routing of data from any one of its inputs to any one of its outputs,wherein each of the plurality of nodes and the dedicated feedback node is connected to a corresponding one of the inputs of the central switch by a first one-way link for unidirectional transfer to the corresponding input and also connected to a corresponding one of the outputs of the central switch by a second one-way link for unidirectional transfer from the corresponding output,wherein the dedicated feedback node does not transfer message data back to the send node.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60)
- - 29. The one-way data transfer system of claim 28, wherein the central switch is based on crossbar switch logic.
  - 30. The one-way data transfer system of claim 28, wherein the central switch comprises a matrix of switch junctions for interconnecting the inputs and the outputs, wherein each of the switch junctions controls routing from one of the inputs to the corresponding output of the central switch.
  - 31. The one-way data transfer system of claim 28, wherein the central switch comprises an ATM switch.
  - 32. The one-way data transfer system of claim 31, wherein the central switch further comprises an ATM switch operator domain to control the ATM switch.
  - 33. The one-way data transfer system of claim 28, wherein the number of the inputs of the central switch is at least the number of the plurality of nodes and the dedicated feedback node.
  - 34. The one-way data transfer system of claim 28, wherein the number of the outputs of the central switch is at least the number of the plurality of nodes and the dedicated feedback node.
  - 35. The one-way data transfer system of claim 28, wherein the dedicated feedback node comprises a minimum capacity machine for transferring only the data verification information and no other data to the send node.
  - 36. The one-way data transfer system of claim 28, wherein the communication channel capacity of the dedicated feedback node is user-configurable.
  - 37. The one-way data transfer system of claim 28, wherein the dedicated feedback node is configurable to operate only for predefined time intervals.
  - 38. The one-way data transfer system of claim 28, wherein each of the at least one send node comprises a processor for generating a data verification request to be sent to a selected one of the at least one receive node.
  - 39. The one-way data transfer system of claim 38, wherein the data verification information is generated only after the data verification request is received by the selected receive node.
  - 40. The one-way data transfer system of claim 38, wherein the data verification request is generated at a predefined time interval.
  - 41. The one-way data transfer system of claim 38, wherein the data verification request is generated at a periodic time interval.
  - 42. The one-way data transfer system of claim 38, wherein the data verification request is generated at a random time interval.
  - 43. The one-way data transfer system of claim 28, wherein the data verification information comprises a hash number.
  - 44. The one-way data transfer system of claim 43, wherein the hash number is an MD5 digest or a SHA-1 digest.
  - 45. The one-way data transfer system of claim 28, whereineach of the at least one send node comprises a processor for applying a hash algorithm to data sent to the central switch to generate a first hash number;
    - andeach of the at least one receive node comprises a processor for applying the hash algorithm to data received from the central switch to generate a second hash number.
  - 46. The one-way data transfer system of claim 45, wherein the dedicated feedback node comprises a processor for generating the data verification information based on the second hash number received from the receive node via the central switch.
  - 47. The one-way data transfer system of claim 46, wherein the send node further comprises a processor for comparing the first hash number with the data verification information received from the dedicated feedback node via the central switch to verify the status of the data that the receive node received from the send node via the central switch.
  - 48. The one-way data transfer system of claim 45, wherein the receive node further comprises a processor for comparing the second hash number with the first hash number received from the send node via the central switch.
  - 49. The one-way data transfer system of claim 48, wherein the receive node further comprises a processor for logging an error if the second hash number does not match the first hash number.
  - 50. The one-way data transfer system of claim 48, wherein the receive node is designed to drop the data received from the send node via the central switch if the second hash number does not match the first hash number.
  - 51. The one-way data transfer system of claim 45, wherein the dedicated feedback node comprises a processor for applying the hash algorithm to the second hash number received from the receive node via the central switch to generate the data verification information.
  - 52. The one-way data transfer system of claim 51, wherein the send node further comprisesa processor for applying the hash algorithm to the first hash number to generate a first double hash number;
    - anda processor for comparing the first double hash number with the data verification information received from the dedicated feedback node via the central switch to verify the status of the data that the receive node received from the send node via the central switch.
  - 53. The one-way data transfer system of claim 52, wherein the send node further comprisesa processor for calculating expected double hash numbers from known hypothetical error scenarios;
    - anda processor for comparing the expected double hash numbers with the data verification information to identify an error in the data that the receive node received from the send node via the central switch, if the data verification information does not match the first double hash number.
  - 54. The one-way data transfer system of claim 52, wherein the send node further comprisesa table of expected double hash numbers from known hypothetical error scenarios;
    - anda processor for comparing the expected double hash numbers with the data verification information to identify an error in the data that the receive node received from the send node via the central switch, if the data verification information does not match the first double hash number.
  - 55. The one-way data transfer system of claim 28, whereineach of the at least one send node comprises a processor for determining status information of data sent to the central switch;
    - andeach of the at least one receive node comprises a processor for determining status information of data received from the central switch.
  - 56. The one-way data transfer system of claim 55, wherein the receive node further comprises a processor for applying a hash algorithm to the status information of the received data to generate a received data status hash number.
  - 57. The one-way data transfer system of claim 56, wherein the dedicated feedback node comprises a processor for applying the hash algorithm to the received data status hash number received from the receive node via the central switch to generate the data verification information.
  - 58. The one-way data transfer system of claim 57, wherein the send node further comprises:
    - a processor for applying the hash algorithm to the status information of the sent data to generate a sent data status hash number;
      
      a processor for applying the hash algorithm to the sent data status hash number to generate a sent data status double hash number; and
      
      a processor for comparing the sent data status double hash number with the data verification information received from the dedicated feedback node via the central switch to verify the status of the data that the receive node received from the send node via the central switch.
  - 59. The one-way data transfer system of claim 58, wherein the send node further comprisesa processor for calculating expected double hash numbers from known hypothetical error scenarios;
    - anda processor for comparing the expected double hash numbers with the data verification information to identify an error in the data that the receive node received from the send node via the central switch, if the data verification information does not match the sent data status double hash number.
  - 60. The one-way data transfer system of claim 58, wherein the send node further comprisesa table of expected double hash numbers from known hypothetical error scenarios;
    - anda processor for comparing the expected double hash numbers with the data verification information to identify an error in the data that the receive node received from the send node via the central switch, if the data verification information does not match the sent data status double hash number.

61. A method of verifying one-way data transfer from a send node to a receive node across a one-way link, comprising the steps of:
- applying a data verification algorithm to data sent from the send node to the one-way link to generate a sent data verification information;
  
  applying the data verification algorithm to data received by the receive node from the one-way link to generate a received data verification information;
  
  sending the received data verification information to the send node over a dedicated feedback one-way link; and
  
  wherein the dedicated feedback node does not transfer message data back to the send node; and
  
  comparing the received data verification information with the sent data verification information to verify the status of the data that the receive node received from the send node via the one-way link.
- View Dependent Claims (62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77)
- - 62. The method of claim 61, whereinthe first applying step comprises the steps of applying a hash algorithm to the data sent from the send node to the one-way link to generate a first hash number and applying the hash algorithm to the first hash number to generate the sent data verification information;
    - andthe second applying step comprises the step of applying the hash algorithm to the data received by the receive node from the one-way link to generate a second hash number and applying the hash algorithm to the second hash number to generate the received data verification information.
  - 63. The method of claim 62, wherein the second applying step further comprises the step of sending the second hash number to a dedicated feedback node over an intermediate one-way link prior to the step of applying the hash algorithm to the second hash number.
  - 64. The method of claim 63, wherein the dedicated feedback node comprises a minimum capacity machine for transferring only the received data verification information and no other data to the send node.
  - 65. The method of claim 63, further comprising the step of configuring the communication channel capacity of the dedicated feedback node.
  - 66. The method of claim 63, further comprising the step of configuring the dedicated feedback node to operate only for predefined time intervals.
  - 67. The method of claim 61, further comprising the step of sending a data verification request to the receive node prior to the second applying step.
  - 68. The method of claim 61, wherein the data verification algorithm is a hash algorithm.
  - 69. The method of claim 68, wherein the hash algorithm is MD5 or SHA-1.
  - 70. The method of claim 62, further comprising the step of comparing the second hash number with the first hash number.
  - 71. The method of claim 70, further comprising the step of logging an error if the second hash number does not match the first hash number.
  - 72. The method of claim 70, further comprising the step of dropping the data received from the send node via the one-way link if the second hash number does not match the first hash number.
  - 73. The method of claim 62, further comprising the steps of:
    - calculating expected double hash numbers from known hypothetical error scenarios; and
      
      comparing the expected double hash numbers with the received data verification information to identify an error in the data that the receive node received from the send node via the one-way link, if the received data verification information does not match the sent data verification information.
  - 74. The method of claim 62, further comprising the steps of:
    - generating a table of expected double hash numbers from known hypothetical error scenarios; and
      
      comparing the expected double hash numbers with the received data verification information to identify an error in the data that the receive node received from the send node via the one-way link, if the received data verification information does not match the sent data verification information.
  - 75. The method of claim 61, whereinthe first applying step comprises the steps of determining status information of the sent data, applying a hash algorithm to the status information of the sent data to generate a sent data status hash number, and applying the hash algorithm to the sent data status hash number to generate the sent data verification information;
    - andthe second applying step comprises the steps of determining status information of the received data, applying the hash algorithm to the status information of the received data to generate a received data status hash number, and applying the hash algorithm to the received data status hash number to generate the received data verification information.
  - 76. The method of claim 75, further comprising the steps of:
    - calculating expected double hash numbers from known hypothetical error scenarios; and
      
      comparing the expected double hash numbers with the received data verification information to identify an error in the data that the receive node received from the send node via the one-way link, if the received data verification information does not match the sent data verification information.
  - 77. The method of claim 75, further comprising the steps of:
    - generating a table of expected double hash numbers from known hypothetical error scenarios; and
      
      comparing the expected double hash numbers with the received data verification information to identify an error in the data that the receive node received from the send node via the one-way link, if the received data verification information does not match the sent data verification information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OWL Cyber Defense Solutions LLC
Original Assignee
Owl Computing Technologies, Inc.
Inventors
Mirante, Dennis P., Menoher, Jeffrey, Hope, James, Mraz, Ronald
Primary Examiner(s)
Kumar; Pankaj
Assistant Examiner(s)
Sharma; Gautam

Application Number

US11/787,801
Time in Patent Office

1,056 Days
Field of Search

None
US Class Current

370/254
CPC Class Codes

H04L 63/123 received data contents, e.g...

One-way data transfer system with built-in data verification mechanism

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

115 Citations

77 Claims

Specification

Solutions

Use Cases

Quick Links

One-way data transfer system with built-in data verification mechanism

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

115 Citations

77 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links