Multi-level independent security architecture
First Claim
1. A system, comprising:
a plurality of data input ports, each port corresponding to one of a plurality of different levels of security classification;
a security device, configured for cryptographic processing, coupled to receive incoming data from each of the plurality of input ports, wherein the incoming data includes a first data packet having a first classification level, the first data packet comprises a tag that identifies one of the levels of security classification, and the security device comprises a plurality of cryptographic modules, each cryptographic module dedicated to perform security processing for only one of the different levels of security classification, and each cryptographic module comprising at least one processor configured to perform the security processing;
a multiplexer configured to route the first data packet from one of the data input ports to one of the cryptographic modules based on the tag, the multiplexer comprising at least one field-programmable gate array programmable to support different interface protocols;
at least one memory to store a plurality of key sets;
a key manager configured to select, via the at least one memory, a first set of keys from the plurality of key sets, each of the key sets corresponding to one of the different levels of security classification, wherein the first set of keys is used by the security device to encrypt the first data packet; and
a common encrypted data storage, coupled to receive the encrypted first data packet from the security device for storage.
Abstract
A system includes a plurality of data input ports, each port corresponding to one of a plurality of different levels of security classification; a security device, configured for cryptographic processing, coupled to receive incoming data from each of the plurality of input ports, wherein the incoming data includes first data having a first classification level; a key manager configured to select a tag-identified first set of keys from a plurality of key sets, each of the key sets corresponding to one of the different levels of security classification, wherein the first set of keys is used by the security device to encrypt the first data; and a common encrypted data storage, coupled to receive the encrypted first data from the security device for storage.
18 Claims

1. A system, comprising:
(independent claim; full text reproduced above under First Claim)
Dependent claims: 2, 3, 4, 5, 6, 7

8. A method, comprising:
providing a plurality of cryptographic modules, each cryptographic module dedicated to perform security processing for only one of different levels of security classification, the cryptographic modules including a first cryptographic module comprising at least one processor configured to perform the security processing for a first classification level;
receiving incoming data from a plurality of data ports, each port corresponding to one of the levels of security classification, wherein the incoming data includes a first data packet comprising a tag that identifies the first classification level;
routing, by a multiplexer, the first data packet from one of the data ports to the first cryptographic module based on the tag;
encrypting, by the first cryptographic module, the first data packet using a first set of keys, the first set of keys selected from a plurality of key sets stored in at least one memory, each of the key sets corresponding to one of the different levels of security classification; and
writing the encrypted first data packet into a common encrypted data storage.
Dependent claims: 9, 10, 11, 12, 13, 14, 15

16. A security device, comprising:
a plurality of data ports, each port corresponding to one of a plurality of different levels of security classification;
a plurality of cryptographic modules, each cryptographic module dedicated to perform encryption and decryption for only one of the different levels of security classification, each cryptographic module coupled to receive incoming data from one of the plurality of data ports, and the incoming data including a first data packet comprising a tag that identifies a first classification level, and each cryptographic module comprising at least one processor configured to perform the encryption and decryption;
a multiplexer configured to route the first data packet from one of the data ports to one of the cryptographic modules based on the tag;
at least one key cache storing, via at least one memory, a plurality of key sets, each of the key sets corresponding to one of the different levels of security classification, wherein a first set of keys is selected from the plurality of key sets to encrypt the first data packet by a first cryptographic module of the cryptographic modules; and
a packet write engine, included in the first cryptographic module, configured to send the encrypted first data packet to a common data storage.
Dependent claims: 17, 18
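The architecture recited in claims 1, 8 and 16 (tagged packets, one cryptographic module dedicated to each classification level, a key manager that selects the key set for that level, and a common encrypted store shared by all levels) is modelled below in Python as an added example. It is not code from the patent or its assignee. The level names, the port-to-level bindings and the HMAC-SHA256 counter-mode cipher are assumptions made for the illustration (a real device would use a vetted AEAD such as AES-GCM). Two checks the claims do not recite are marked as added in the comments: the multiplexer rejects a packet whose tag disagrees with the level bound to the port it arrived on, and the key manager releases a level's key set only to the module dedicated to that level.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed classification levels; the patent names none.
LEVELS = ("UNCLASSIFIED", "SECRET", "TOP_SECRET")


@dataclass(frozen=True)
class Packet:
    port: str       # ingress port the packet arrived on
    tag: str        # classification tag carried in the packet (claim 1)
    payload: bytes


@dataclass(frozen=True)
class StoredRecord:
    level: str      # kept in clear so a read can be routed back to the right module
    nonce: bytes
    ciphertext: bytes
    mac: bytes


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in for a real cipher (assumption for the example)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class KeyManager:
    """One (encryption, MAC) key set per level, selected by the packet's tag (claim 1, key manager)."""
    def __init__(self, levels):
        self._key_sets = {lvl: (os.urandom(32), os.urandom(32)) for lvl in levels}

    def select(self, tag: str, module_level: str):
        # Added check (not in the claims): a module may only receive the key set of its own level.
        if tag != module_level:
            raise PermissionError(f"module for {module_level} requested {tag} keys")
        return self._key_sets[tag]


class CryptoModule:
    """Dedicated to exactly one level; the key manager refuses it any other level's keys."""
    def __init__(self, level: str, key_manager: KeyManager):
        self.level = level
        self._km = key_manager

    def encrypt(self, packet: Packet) -> StoredRecord:
        enc_key, mac_key = self._km.select(packet.tag, self.level)
        nonce = os.urandom(16)
        ct = _keystream_xor(enc_key, nonce, packet.payload)
        # The MAC covers the level label, so relabelling a record in the common store is detected.
        mac = hmac.new(mac_key, self.level.encode() + nonce + ct, hashlib.sha256).digest()
        return StoredRecord(self.level, nonce, ct, mac)

    def decrypt(self, rec: StoredRecord) -> bytes:
        enc_key, mac_key = self._km.select(rec.level, self.level)
        expected = hmac.new(mac_key, rec.level.encode() + rec.nonce + rec.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, rec.mac):
            raise ValueError("integrity check failed")
        return _keystream_xor(enc_key, rec.nonce, rec.ciphertext)


class Multiplexer:
    """Routes a packet to the module for its tag (claim 1); the tag/port binding is an added check."""
    def __init__(self, port_levels: dict, modules: dict):
        self._port_levels = port_levels
        self._modules = modules

    def route(self, packet: Packet) -> CryptoModule:
        # Added check (not in the claims): a packet may not claim a level other than its port's.
        if self._port_levels.get(packet.port) != packet.tag:
            raise ValueError(f"tag {packet.tag} does not match level of port {packet.port}")
        return self._modules[packet.tag]


class MultiLevelSystem:
    def __init__(self, port_levels: dict):
        self.key_manager = KeyManager(LEVELS)
        self.modules = {lvl: CryptoModule(lvl, self.key_manager) for lvl in LEVELS}
        self.mux = Multiplexer(port_levels, self.modules)
        self.storage = []   # common encrypted data storage shared by all levels

    def ingest(self, packet: Packet) -> int:
        module = self.mux.route(packet)
        self.storage.append(module.encrypt(packet))
        return len(self.storage) - 1

    def read(self, index: int, requesting_level: str) -> bytes:
        # A reader at the wrong level gets PermissionError from the key manager, never plaintext.
        return self.modules[requesting_level].decrypt(self.storage[index])


def build_demo_system() -> MultiLevelSystem:
    # Constructed binding of one ingress port to each level.
    return MultiLevelSystem({"port0": "UNCLASSIFIED", "port1": "SECRET", "port2": "TOP_SECRET"})


if __name__ == "__main__":
    system = build_demo_system()
    idx = system.ingest(Packet("port2", "TOP_SECRET", b"constructed TS payload"))
    print(system.read(idx, "TOP_SECRET"))
```

The point of the two added checks: claim 1 routes on the packet's tag, so if whoever writes to a port can also set the tag, a high-side packet labelled low would be encrypted under the low-side key set and be readable by anyone cleared for the low side of the common store. Binding the tag to the ingress port closes that path, and confining each module to its own key set means a record of one level placed in the common store stays opaque to the modules of every other level; because the MAC also binds the level label, relabelling a stored record fails integrity verification rather than decrypting under the wrong key.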
Specification