Multi-level independent security architecture

US 9,524,399 B1
Filed: 03/05/2014
Issued: 12/20/2016
Est. Priority Date: 04/01/2013
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a plurality of data input ports, each port corresponding to one of a plurality of different levels of security classification;

a security device, configured for cryptographic processing, coupled to receive incoming data from each of the plurality of input ports, wherein the incoming data includes a first data packet having a first classification level, the first data packet comprises a tag that identifies one of the levels of security classification, and the security device comprises a plurality of cryptographic modules, each cryptographic module dedicated to perform security processing for only one of the different levels of security classification, and each cryptographic module comprising at least one processor configured to perform the security processing;

a multiplexer configured to route the first data packet from one of the data input ports to one of the cryptographic modules based on the tag, the multiplexer comprising at least one field-programmable gate array programmable to support different interface protocols;

at least one memory to store a plurality of key sets;

a key manager configured to select, via the at least one memory, a first set of keys from the plurality of key sets, each of the key sets corresponding to one of the different levels of security classification, wherein the first set of keys is used by the security device to encrypt the first data packet; and

a common encrypted data storage, coupled to receive the encrypted first data packet from the security device for storage.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system includes a plurality of data input ports, each port corresponding to one of a plurality of different levels of security classification; a security device, configured for cryptographic processing, coupled to receive incoming data from each of the plurality of input ports, wherein the incoming data includes first data having a first classification level; a key manager configured to select and tag-identified first set of keys from a plurality of key sets, each of the key sets corresponding to one of the different levels of security classification, wherein the first set of keys is used by the security device to encrypt the first data; and a common encrypted data storage, coupled to receive the encrypted first data from the security device for storage.

Citations

18 Claims

1. A system, comprising:
- a plurality of data input ports, each port corresponding to one of a plurality of different levels of security classification;
  
  a security device, configured for cryptographic processing, coupled to receive incoming data from each of the plurality of input ports, wherein the incoming data includes a first data packet having a first classification level, the first data packet comprises a tag that identifies one of the levels of security classification, and the security device comprises a plurality of cryptographic modules, each cryptographic module dedicated to perform security processing for only one of the different levels of security classification, and each cryptographic module comprising at least one processor configured to perform the security processing;
  
  a multiplexer configured to route the first data packet from one of the data input ports to one of the cryptographic modules based on the tag, the multiplexer comprising at least one field-programmable gate array programmable to support different interface protocols;
  
  at least one memory to store a plurality of key sets;
  
  a key manager configured to select, via the at least one memory, a first set of keys from the plurality of key sets, each of the key sets corresponding to one of the different levels of security classification, wherein the first set of keys is used by the security device to encrypt the first data packet; and
  
  a common encrypted data storage, coupled to receive the encrypted first data packet from the security device for storage.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the key manager is an internal key manager of one of the cryptographic modules.
  - 3. The system of claim 1, further comprising a plurality of key caches of the at least one memory, wherein the key manager is coupled to an external key manager, and keys received from the external key manager are tagged-identified and stored in one of the associated key caches for use by the security device during encryption of incoming data packets.
  - 4. The system of claim 1, further comprising a plurality of key caches of the at least one memory, wherein keys are stored in each of the key caches for use by a selected one of the cryptographic modules during encryption of incoming data packets.
  - 5. The system of claim 1, wherein each of the plurality of cryptographic modules is programmable to support different encryption protocols.
  - 6. The system of claim 1, wherein each of the cryptographic modules is physically isolated from the other of the cryptographic modules.
  - 7. The system of claim 1, wherein each of the cryptographic modules comprises a packet input engine and a cryptographic engine, each configured for data processing as part of a two-dimensional systolic array.

8. A method, comprising:
- providing a plurality of cryptographic modules, each cryptographic module dedicated to perform security processing for only one of different levels of security classification, the cryptographic modules including a first cryptographic module comprising at least one processor configured to perform the security processing for a first classification level;
  
  receiving incoming data from a plurality of data ports, each port corresponding to one of the levels of security classification, wherein the incoming data includes a first data packet comprising a tag that identifies the first classification level;
  
  routing, by a multiplexer, the first data packet from one of the data ports to the first cryptographic module based on the tag;
  
  encrypting, by the first cryptographic module, the first data packet using a first set of keys, the first set of keys selected from a plurality of key sets stored in at least one memory, each of the key sets corresponding to one of the different levels of security classification; and
  
  writing the encrypted first data packet into a common encrypted data storage.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The method of claim 8, further comprising zeroizing the first cryptographic module after the encrypting of the first data packet.
  - 10. The method of claim 8, wherein the tag is a tag in a header of the first data packet, the tag indicating that the first data packet is stored at the first classification level.
  - 11. The method of claim 10, further comprising:
    - reading the first data packet from the common encrypted data storage;
      
      verifying the classification level of the first data packet using the tag; and
      
      addressing a key store controller to select a key associated with the first data packet to use in decrypting the first data packet;
      
      loading the selected key into a cryptographic core; and
      
      decrypting the first data packet using the cryptographic core.
  - 12. The method of claim 11, further comprising:
    - selecting, by the key store controller, one of the data ports; and
      
      routing the decrypted first data packet to the data port selected by the key store controller.
  - 13. The method of claim 11, further comprising:
    - routing the first data packet from the common encrypted data storage using a fail safe multiplexer;
      
      sending the first data packet to the cryptographic core for decryption; and
      
      zeroizing the fail safe multiplexer and the cryptographic core after each classified level of data is processed.
  - 14. The method of claim 10, further comprising:
    - reading the first data packet from a common un-encrypted data network;
      
      verifying the first classification level of the first data packet using the tag;
      
      addressing a key store controller to select a key associated with the first data packet to use in encrypting the first data packet;
      
      loading the selected key into a cryptographic core; and
      
      encrypting the first data packet using the cryptographic core.
  - 15. The method of claim 14, further comprising:
    - routing the first data packet from the common un-encrypted data network using a fail safe multiplexer;
      
      sending the first data packet to the cryptographic core for encryption; and
      
      zeroizing the fail safe multiplexer and the cryptographic core after each classified level of data is processed.

16. A security device, comprising:
- a plurality of data ports, each port corresponding to one of a plurality of different levels of security classification;
  
  a plurality of cryptographic modules, each cryptographic module dedicated to perform encryption and decryption for only one of the different levels of security classification, each cryptographic module coupled to receive incoming data from one of the plurality of data ports, and the incoming data including a first data packet comprising a tag that identifies a first classification level, and each cryptographic module comprising at least one processor configured to perform the encryption and decryption;
  
  a multiplexer configured to route the first data packet from one of the data ports to one of the cryptographic modules based on the tag;
  
  at least one key cache storing, via at least one memory, a plurality of key sets, each of the key sets corresponding to one of the different levels of security classification, wherein a first set of keys is selected from the plurality of key sets to encrypt the first data packet by a first cryptographic module of the cryptographic modules; and
  
  a packet write engine, included in the first cryptographic module, configured to send the encrypted first data packet to a common data storage.
- View Dependent Claims (17, 18)
- - 17. The security device of claim 16, wherein each of the plurality of cryptographic modules comprises a programmable systolic packet input engine, a programmable systolic cryptographic engine, and a programmable systolic packet output engine.
  - 18. The security device of claim 16, further comprising:
    - a controller configured to select, based on a signal, a second set of keys from the plurality of key sets to use in decrypting the first data packet; and
      
      a packet read engine, coupled to provide the signal to the controller, configured to read the encrypted first data packet from the common data storage.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Secturion Systems, Inc.
Original Assignee
Secturion Systems, Inc.
Inventors
Takahashi, Richard J.
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US14/198,097
Time in Patent Office

1,021 Days
Field of Search

713/193, 713/166
US Class Current

1/1
CPC Class Codes

G06F 12/0802   Addressing of a memory leve...

G06F 12/1408   by using cryptography for d...

G06F 12/1466   Key-lock mechanism

G06F 21/575   Secure boot

G06F 21/72   in cryptographic circuits

G06F 21/78   to assure secure storage of...

G06F 2212/1052   Security improvement

G06F 2212/402   Encrypted data

G06F 2212/60   Details of cache memory

H04L 63/0435   wherein the sending and rec...

H04L 63/0485   Networking architectures fo...

H04L 63/105   Multiple levels of security

H04L 9/14   using a plurality of keys o...

Multi-level independent security architecture

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-level independent security architecture

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links