The present invention pertains to an apparatus for and method of controlling communication between peripheral components in a communication system. More particularly, the present invention pertains to an improved apparatus for and method of assuring that classified or sensitive messages are not transmitted to peripheral components which do not have the appropriate access authority to receive the messages.
Various applications, particularly in a military environment, require secure communication of sensitive or classified information. By way of example, military aircraft must be able to send and receive classified information both between various components within an aircraft and between different aircraft. Information sent between aircraft, for example by radio communication, might be encrypted so as to prevent understanding of the information by someone for whom the information is not intended, but who nevertheless receives the information. Within a single aircraft, however, it is desirable to be able to send messages that are not encrypted between components of the aircraft. Otherwise, it is necessary to have numerous cryptographic units for encrypting and decrypting the messages as they are transmitted from and received by the various components. It is therefore necessary to assure that messages containing sensitive or classified information are not sent to a component that is not authorized to receive such messages. Such a component might transmit the classified or sensitive information to other equipment not authorized to receive the information, which might include equipment outside the aircraft.
In the past, it has been the practice to indicate the security level of a message by means such as a token transmitted with the message, or by placing messages of different security levels on different communication buses. This is not altogether satisfactory since it requires additional equipment to respond to the token, additional buses within the communication system, and input/output software developed to a higher level of assurance.
In addition, such prior art communication apparatuses have required operating systems, processors, and other communication equipment which have been specifically designed for a particular application. This is necessarily expensive. Moreover, it has not previously been possible to use commercial operating systems or processors, since they did not provide the required assurance.
The present invention is an apparatus for and method of controlling communication between peripheral components in a secure communication system. The present invention permits use of commercial, off-the-shelf operating systems and processors, since it is not necessary to alter the operating systems or processors to permit secure communication of messages; the check is performed on the peripheral addresses by the communication hardware itself.
In accordance with the present invention, the sensitivity level of each peripheral component address in the communication system is fixed. When a message is communicated, the addresses of the originating peripheral component and the destination peripheral component are detected, and it is then determined whether the address of the destination peripheral component is an address to which a peripheral component at the originating address is permitted to communicate. Thus, the destination address must have a sensitivity level equal to or greater than the sensitivity level of the originating address. If not, then communication of further messages from the origination address is prevented, thereby preventing communication of messages of a particular sensitivity level to peripheral components of lower sensitivity level. If the address of the destination peripheral component is an address to which the peripheral component at the originating address is permitted to communicate, then communication of messages from the origination address is permitted to continue.
The apparatus of the present invention includes a first address detector for detecting the address of the originating peripheral component, a second address detector for detecting the address of the destination peripheral component, and an address comparison circuit for determining whether the address of the destination peripheral component is an address to which a peripheral component at the originating address is permitted to communicate. The address comparison circuit is responsive to the address of the destination peripheral component not being an address to which the peripheral component at the originating address is permitted to communicate by generating an error signal, preventing communication of further messages from the origination address. If the address of the destination peripheral component is an address to which the peripheral component at the originating address is permitted to communicate, transmission of messages from the origination address is permitted to continue.
The originating and destination peripheral addresses might be on the same communication bus. Alternatively, they might be on different buses connected by one or more bridge circuits. The bridge circuit on the bus of the originating address detects the destination address of messages originating at addresses on its bus and determines whether the destination address is an address to which the peripheral component at the originating address is permitted to send a message. Thus, the sensitivity level is always checked by the bridge circuit on the bus of the originating address. Consequently, no such check is necessary at the bus of the destination address.
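The following model illustrates the mechanism of the three preceding paragraphs in software. It is an added example, not part of the patent and not a description of any actual implementation: the sensitivity levels, bus names and peripheral addresses are constructed for illustration. Each address has a fixed level; the bridge on the originating bus compares the destination level with the originating level, permits the message only if the destination level is equal or higher, and on a violation raises an error signal that locks out the originating address so that its further messages are dropped. Unknown destination addresses are treated as violations (fail closed), which the patent does not specify but which is the conservative reading.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sensitivity levels; only their ordering matters to the check.
UNCLASSIFIED, CONFIDENTIAL, SECRET = 0, 1, 2


@dataclass
class Bus:
    """A communication bus with a fixed sensitivity level per peripheral address."""
    name: str
    levels: Dict[int, int]  # address -> fixed sensitivity level


@dataclass
class Bridge:
    """Models the address comparison circuit on the originating bus.

    It detects the originating and destination addresses of each message
    placed on its bus, looks up their fixed sensitivity levels, and permits
    the message only if destination level >= originating level. A violation
    raises an error signal and locks out the originating address; later
    messages from that address are dropped whether or not they would be
    permitted on their own.
    """
    bus: Bus
    all_levels: Dict[int, int]  # levels for every address in the system
    locked_out: Set[int] = field(default_factory=set)
    delivered: List[Tuple[int, int, bytes]] = field(default_factory=list)
    errors: List[Tuple[int, int]] = field(default_factory=list)

    def transmit(self, src: int, dst: int, payload: bytes) -> bool:
        if src not in self.bus.levels:
            raise ValueError(f"address {src:#x} is not on bus {self.bus.name}")
        if src in self.locked_out:
            return False  # error signal already raised for this origin
        # Fail closed (assumption): an address with no fixed level is never a
        # permitted destination, exactly like a destination of lower level.
        dst_level = self.all_levels.get(dst)
        if dst_level is None or dst_level < self.bus.levels[src]:
            self.errors.append((src, dst))
            self.locked_out.add(src)
            return False
        self.delivered.append((src, dst, payload))
        return True


class System:
    """Buses joined by bridges; the check is always done by the origin's bridge."""

    def __init__(self, buses: List[Bus]):
        all_levels = {a: lvl for b in buses for a, lvl in b.levels.items()}
        self.bridges = {b.name: Bridge(b, all_levels) for b in buses}
        self.bus_of = {a: b.name for b in buses for a in b.levels}

    def send(self, src: int, dst: int, payload: bytes) -> bool:
        # No check happens at the destination bus; only the origin's bridge decides.
        return self.bridges[self.bus_of[src]].transmit(src, dst, payload)


def demo() -> Tuple[System, List[bool]]:
    # Constructed topology: two buses, two peripherals each.
    bus_a = Bus("A", {0x10: UNCLASSIFIED, 0x11: SECRET})
    bus_b = Bus("B", {0x20: CONFIDENTIAL, 0x21: SECRET})
    system = System([bus_a, bus_b])
    results = [
        system.send(0x10, 0x21, b"up: unclassified -> secret"),    # permitted
        system.send(0x21, 0x11, b"same level, across buses"),      # permitted
        system.send(0x11, 0x20, b"down: secret -> confidential"),  # error, 0x11 locked out
        system.send(0x11, 0x21, b"would be permitted, but origin is locked out"),
    ]
    return system, results


if __name__ == "__main__":
    system, results = demo()
    print(results)
    for name, bridge in system.bridges.items():
        print(name, "errors:", bridge.errors, "locked out:", sorted(bridge.locked_out))
```

The fourth message in `demo()` is the point the patent makes about preventing "communication of further messages" rather than just the offending one: once the SECRET peripheral at 0x11 has attempted a write to a lower level, even its legitimate traffic to 0x21 is dropped until the error condition is cleared out of band.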
The present invention is particularly applicable for use in communication within military aircraft. However, it is likewise usable in communication within other systems.