Data Enclave
Individuals working in a departmental computing environment typically have a substantial amount of computing power on their desks in the form of personal computers and workstations. A workstation has a computational subsystem, keyboard, and display for user interaction, and typically substantial amounts of local data storage in the form of fixed and removable media.
In order for the individual in the departmental computing environment to interact and share data, their workstations are typically attached to a local area network (LAN) which permits the transfer of data files and electronic mail between the workstations. In addition, "servers" may be attached to the LAN to provide specialized services, such as the management of centralized databases, which are not practical for individual workstations.
Departmental computing environments are typically members of a larger organization or have other reasons to communicate with computing facilities outside themselves. They therefore make use of a special kind of server, called a "gateway", to gain access to a wide area network (WAN). WANs are often interconnected (called "internetting") to provide world-wide data transmission paths.
Departmental Computing Environment
A typical overall departmental computing environment is shown in FIG. 1. In the departmental computer environment 1, large amounts of valuable data are stored on magnetic or other electronic Media 2, 4 for processing in the Workstations 10 and file servers (not shown). This media offers the benefits of compact storage, easy retrieval, and in the case of removable Media 4 (e.g., "diskettes"), convenient sharing and distribution.
In addition, data is transmitted freely around the Local Area Network 12 and occasionally through a Gateway 14 to the Wide Area Network 16 and Remote Sites 18. This transmission is necessary in order for the organization performing departmental computing to perform its internal work and interact with the outside world.
There is also a requirement that certain operations, including but not limited to the transmission of data to the outside world, be restricted to individuals who possess special privileges. Examples of such operations are messages (electronic mail) which are directive in nature, such as users transferring funds, and operations such as the adding of new orders or the granting of limited access to departmental data to users on the Wide Area Network 16 (remote login and file transfer).
Threats Against Department Computing Environment
The threats against the departmental computing environment are shown in FIG. 2.
The data in this environment is vulnerable to theft and tampering. Removable media can be stolen, copied, and returned with no sign that loss has occurred. The fruits of thousands of hours of labor can be stolen in a package that fits easily in a coat pocket. Crucial data can be modified or destroyed, either directly or through the agency of technical entities such as "viruses", which are introduced into the Workstations 10 and servers through the agency of corrupted media or through the wide area network connection.
There are also threats to the privileged operations. Unauthorized individuals, masquerading as someone else, can cause disruptive or erroneous directives to be issued and thereby perpetrate sabotage and fraud. Malicious "hackers" with access to the wide area network can use that network to "reach in" to the departmental computing environment and masquerade as authorized users or otherwise obtain access to data, which they can then transfer worldwide, again with no sign that compromise has occurred.
Accordingly, there is a need for techniques whereby a departmental computing system 1 can be converted into a "data enclave." Within such an enclave:
(1) Data can be restricted to a single organization, such as a government agency or a corporation. PA1 (2) Sharing of data between organizational elements (directorates, departments, projects, etc.) can be controlled. For example, it may be required that data such as a telephone directory be accessible by every employee, but data such as engineering drawings should not be allowed to circulate throughout the whole corporation. PA1 (3) Sharing of data between individuals in organizational elements can be controlled. For example, even though an individual is a member of the engineering department, that individual may not have a "need to know" for all of the drawings in the department. PA1 (4) Data is protected from technical attacks such as "viruses" and "worms." PA1 (5) Intellectual property is protected irrespective of whether it is on electronic media, being processed in a Workstation, or being transferred around the local area network. PA1 (6) The protections are achieved with minimum cost and disruption of operations, such as would occur if access to the wide area network were forbidden. PA1 (7) Privileged operations are restricted to those users possessing the requisite privileges and cannot be invoked, through masquerading or other technical means, by unauthorized users. PA1 (1) Masquerade as a secure computer. In this attack, a bogus secure computer (not shown) is installed on the Network 12 and logically interposed between the legitimate Secure Computer 24 and the human user. The bogus secure computer then makes requests of the human user, displays forged or modified data, or otherwise induces the user to perform some insecure act. For example, the bogus secure computer may intercept and discard a message giving a critical order, while all the time presenting displays to the human user which indicate that the message was sent. PA1 (2) Masquerade as a user site. This is the symmetric attack to that described in the previous paragraph. A bogus user site (not shown) is interposed between the legitimate human user and the Secure Computer 24. This bogus user site then accesses data, or performs operations, which are in violation of the security policy. The location of the bogus user site enables it to intercept responses from the Secure Computer 24, so that the legitimate user is unaware that a bogus site is on the network. The bulk of the so-called "hacker" attacks that appear in the popular press are of this class. PA1 (3) Masquerade as another user. In this attack, a subverted or malicious individual gains access to a legitimate site, but then is able to masquerade as a different, and in general more privileged, human user. The majority of the so-called "insider" attacks are of this form. PA1 (4) Surreptitiously transform data. This is a sophisticated and extremely dangerous form of attack in which some intermediate element in the path between the human user 5 and the secure computer performs "two-faced" actions. That is, the element displays one set of data to the human user 5 while simultaneously transmitting something else to the Secure Computer 24. For example, malicious software in a Workstation may be programmed to detect a funds transfer order, and then modify the amount or the recipient in ways not intended for use by the human user 5. PA1 (5) Misdirect or appropriate cryptographic keys. In this attack, some intermediate element diverts, copies, or otherwise appropriates cryptographic keys destined to some authorized user 5 and methods and redirects them to unauthorized persons who have obtained cryptographic devices and wish to use them to either decrypt intercepted data or prepare and encipher forgeries of data to be submitted to the secure computer. PA1 (1) Identification and Authentication. In these operations, the human user is identifying himself or herself to the Secure Computer 24 for purposes of secure processing. There are two aspects to identification and authentication: authenticating the identity of the human user and authenticating the location (e.g. a Workstation 10) from which the human user is accessing the Secure Computer 24. Both aspects are used by the Secure Computer 24 to determine the nature of information it will display to, or the kinds of actions it will permit to be initiated by, the human user. The use of both aspects enables the implementation of sophisticated security policies by the Secure Computer 24. For example, an individual may be authorized to access engineering drawings, but only from terminals located inside the engineering area; even though the individual is authorized for information, the policy may prohibit the individual from exercising the authorization when in a residence or temporary lodgings. PA1 (2) Trusted Command Initiation. These are operations performed by the human user which have serious security consequences; they will, in general, involve the exercise of some special privilege by the user. An example of trusted command PA1 (3) Trusted Review. These are operations in which the human user wishes to be assure that some element of data contained in the Secure Computer 24 is exactly as the user intended. For example, a human user may wish to perform a trusted review of the aforementioned directive prior to performing the trusted command which adds an authenticator to the message and releases it as "signed" by that user. PA1 (4) Key Management. In these operations, the user is obtaining cryptographic keys from some central key distribution center and loading them in to local cryptographic devices 26 at the user's Workstation 10.
As shown in overview form in FIG. 3, and as will be described more fully in the Detailed Description of the Invention, the facilities provided by the present invention convert a departmental computing environment into a "data enclave" 20 with a well-defined perimeter 22. Sharing of data within the Enclave 20 is controlled, and movement of data within and outside the enclave can only be effected by authorized individuals with suitable privilege. There are no "sneak paths" or "holes" that exist.
The present invention also minimizes the damage that can be done by privileged individuals who become subverted. Cryptographic keys are transmitted and stored entirely in enciphered form, and well-known techniques (called "antitamper" technology) can be used to protect an enclave key when it is in use inside a cryptographic device. Theft of elements of the present invention does not compromise any part of the operation of the invention.
Individuals desiring access to Media 2,4 have to deal with a Secure Computer 24, in this case a security server, only when Media 2,4 is initialized. "Unlocking" a unit of Media 2,4 requires an operation no more complicated than using a television remote control. Overhead and delay is concentrated at the time a Media 2,4 is "unlocked", and no delays or incompatibilities are introduced during operations using the Media 2 or 4.
Remotely invoked privileged operations at the security server 24 are under the positive control of the user. That control is cryptographically protected and mutually authenticated.
Identification and authentication of users to the security server 24 is both simpler and more robust than former implementations such as passwords. The same basic steps are used for security operations dealing with Media 2,4 and dealing with the security server 24.
In the data protection area, the system associates Media 2 or 4 primarily with users and secondarily with machines or Workstations 10. This is a more natural structure than one where media is only useable on a single machine or Workstation 10.
Control logic computes allowed access at the last possible moment using the combination of an "access vector" assigned to an individual and the "device attributes" assigned to a particular Workstation 10, which can be used to enforce a variety of security policies. For example, an individual's access to data may be restricted not only on the basis of the individual's attributes but also to protected physical locations. Thus an individual's access vector may grant "read" access to a unit of media which contains proprietary engineering data, but the comparison against the device attributes making the access, may restrict display of the contents of the unit of media to those machines inside a particular facility or office. Physical security measures can then be used to restrict who may be in the vicinity when the data is displayed. Previous implementations in this area have permitted only an "all or nothing" approach to access.
Trusted Path
The problems addressed by the Trusted Path functions arise because of the use of networks 12 and Workstations 10 to communicate between human users and secure computers 24. Malicious hardware and/or software in the Workstation 10 or network, possibly operating in concert with a subverted user, has the ability to perform the following hostile actions.
The Trusted Path, according to the present invention, is used for security-relevant interactions between a human user and a Secure Computer 24. These interactions fall into four broad categories, as set forth below.
initiation is the decision to override the security policy enforced by the secure computer and release data to persons who would normally be unauthorized to access it. Such a facility is necessary to prevent the security policy from interfering with proper operation in exceptional or emergency situations. Another example is the exercise of a human user of the privilege to send an official, cryptographically authenticated message which has the effect of an order or directive.
The protocols of the Trusted Path are arranged so that all security alarms are raised at specified secure computers 24, and there is no user responsibility for responding to an alarm. This feature is an improvement over traditional cryptographic checksum and other means which display alarms to users and require them to notify the proper authorities, since it permits the present invention to provide security for users 5 who may be in physical locations where such notification is not possible.
The protocols in the Trusted Path operate at Layers 5, 6, and 7 of the ISO standard for communications protocols. This means that they are independent of the nature or topology of the network. All prior means for achieving Trusted Path have depended somewhat on the nature or topology of the network.
The elements of the present invention are either free-standing units, parts of an already distinguished Secure Computer 24, or devices which attach to existing interfaces to commercial Workstations 10. The only modification required to a commercial Workstation 10 is a software modification. No security reliance is placed on this modification, so that it can be rapidly and economically made to the software of a wide variety of commercial units.
The present invention uses a small number of special elements in a wide variety of ways. Maximum use is made of the cryptographic devices, which are typically the most expensive parts of a data security device. The same devices are used for media protection and authenticated interactions with the Secure Computer 24. Moreover, the elements of the invention are such that they can be constructed from readily available commercial technology.