This invention relates to computer security, and more particularly, to a multilevel computer security system and a method for controlling user access which allows a computer to be used in a multilevel security environment, but prevents access of data at a particular security level by a computer user authorized to access the computer at a lower level.
Prior-art, multilevel-computer systems include the separation of the elements that store or process data at each security level through user controlled means such as a mechanical switch or by physical removal of secure storage components such as the hard drives. The security of such computer systems is dependent on the user and not the user""s assigned access privileges. It also leaves the data created, stored, or accessed by one user accessible to another unauthorized user. In addition, a switching mechanism that does not disable the operation of the storage and processing components that are not at the security level selected, creates the potential for data transfer between security levels through a covert transmission channel. Such channels only can be disabled through the removal of power from components at security levels that are not in use thereby disabling the channel at the source.
A general object of the invention is a computer security system and a method for controlling computer access which allows use of a common computer and operating system for different security levels, but makes it impossible for an authorized user at one security level to access data at a security level for which he is not authorized. In addition, access to specific processing assets and capabilities also may be controlled at and within each security level so that a user""s rights to these assets and capabilities can also be controlled through the same access control method.
According to the present invention, as embodied and broadly described herein, a multilevel computer security system is provided, comprising a core computer, a first security subsystem, a second security subsystem, a smart-card reader, a first electronically-activated switch for controlling the connection of power from the computer-power supply to either of the two security subsystems, a first sensor switch for identifying and selecting the security level of the security subsystem to which power is to be connected, and additional electronically-activated switches for controlling power to specific assets within each security subsystem and the computer. The core computer has, at a minimum, a central processor unit (CPU), random access memory (RAM), and a power supply. Any additional read-only memory devices such as a compact disk (CD) drive are included within the computer as are any data interfaces to a display system and keyboard.
The central processor unit is coupled to and controls the operation of the devices and data interfaces within the core computer and the security subsystems that are used for data processing, data communications, and data storage. Each security subsystem is defined by at least a memory device, an activation indicator, and electronic communications devices that can include a modem, an encryptor, and a network interface card (NIC) that are connected in parallel with respect to the power terminals for each device and the indicator.
The first security subsystem has a first memory device for storing data at a first security level, which, by definition, is a level with unrestricted access. The first security subsystem may further have a first modem which, when activated, is operating with the computer as the only means of telecommunications at a first security level. The first security subsystem may further have a first network-interface card, which, when activated, is operating with the computer as the only interface to an external network at the first security level. Any other computer memory devices such as a floppy disk drive that are used to read or write data at the first security level must also be included within the first security subsystem. When all of the first security subsystem devices are activated the power connection illuminates the first activation indicator.
The second security subsystem has a removable-memory device which is the only means for storing data at a second security level. The second security subsystem may further have a second modem and encryptor which, when activated, is operating with the computer as the only means for encrypting telecommunications at a second security level. The second security subsystem may further have a second network-interface card, which, when activated, is operating with the computer as the only interface to an external network at the second security level. When the selected second security subsystem devices are activated, the power connection illuminates the second activation indicator.
The smart-card reader and its software determine if a compatible smart card is in the card reader at computer start-up. If no smart card were present, then the computer operating system loads from the first security subsystem memory device which operates at the first security level. If a compatible smart card were in the card reader, then the smart-card reader prevents the loading of the computer operating system and begins processing the stored program in the smart card.
The smart card has identification information stored within its memory. The smart-card information includes information on the smart card owner and the smart-card owner""s allowed security access privileges. The smart-card reader interacts with the smart card and the identification information, and the computer user through the stored program in the smart-card memory. The smart-card program grants or denies access to a restricted security subsystem such as the second security subsystem in accordance with the acceptance of the identification information entered into the reader by the computer user. In response to granting access to the second security subsystem, the smart-card reader generates a first activation signal.
The first electronically-activated switch has a first contact connected to the first security subsystem, a second contact connected to the second security subsystem, and a common contact that is connected to the computer-power supply. The switch is activated by the first activation signal applied to an activation contact. If there were no activation signal, then the first electronically-activated switch is in a normally closed position in which the common contact is connected to the first contact. When the first activation signal is received at the activation contact, then the first electronically-activated switch connects the common contact with the second contact position.
The first sensor switch is a mechanically-activated cam switch. This switch is closed by the correct insertion of the removable memory for the second security subsystem into the computer memory receptacle. The removable memory for the second security subsystem has a mechanical cam that is physically located and configured to contact and close the first sensor switch.
The first electronically-activated switch normally is set at the first contact position which is the normally closed position. In the first contact position, the computer operates only with the first security subsystem since it is connected to the computer-power supply through the common contact. The first security subsystem stores unrestricted data at a first security level and is accessible by default without using the smart card when the computer is started. The first security subsystem also can be accessed via the smart card by selecting the first security subsystem via the smart-card program. If a user selected the first security subsystem, then the smart-card program terminates and no activation signal is transmitted to the first electronically activated switch. This maintains the power connection to the first security subsystem and the operating system on the first memory device begins loading after termination of the smart card program.
When an owner of a smart card is granted access to the second security subsystem, then the first activation signal is outputted from the smart card. The first activation signal is connected to the activation contact of the first electronically-activated switch if the removable memory for the second security subsystem is correctly inserted in the memory receptacle. In response to the first activation signal, the first electronically activated switch disconnects the common contact from the first contact and connects the common contact with the second contact. In this second contact position, the computer operates only with the second security subsystem which is the only security subsystem connected to the computer-power supply.
The present invention also includes a multilevel computer security method, for use with a computer. The method comprises the steps for implementing high assurance data access control and secure data processing, data storage, and data communications for data at a first security level and data at a second security level within a common computer. The first step is to maintain physical separation of the data at a first security level from the data at a second security level by performing all data storage, data communications, and network communications at each level with devices dedicated to that level. The second step connects all of the dedicated devices for the first security level to a first power circuit so that they comprise a first security subsystem and all of the dedicated devices for the second security level to a second power circuit so that they comprise a second security subsystem. The third step utilizes an electronically-activated switch to switch the power from the computer-power supply from the first security subsystem to the second security subsystem in response to the first activation signal. The fourth step utilizes a smart card reader to read a smart card if a smart card were in the smart-card reader when the computer is started. The fifth step includes the smart card reader interrupting the loading of the operating system from the first memory device in the first security subsystem if the smart-card were valid. The sixth step has the smart card reader comparing a users identification data with the data stored on the smart-card to validate the identity of the user and to then initiate the security level access control process from the program stored in the smart-card. The seventh step is for the smart card program to compare the users access request for access to data at the second security level with the stored access privileges on the smart-card and either grant or deny access. The eighth step has the smart-card reader generate the first activation signal for the second security subsystem if access were granted or terminate the smart-card reader software and allow the operating system from the first memory device to load for default access to the unrestricted data in the first security subsystem. The ninth step transmits the first activation signal for the second security subsystem to the electronically activated switch via a closed sensor switch and activate the second security subsystem. The tenth step is for the sensor switch to disable the transmission of the first activation signal if the second security subsystem were not available, which prevents the activation of the second security subsystem until it is properly installed and disable the default activation of the first security subsystem until the smart-card is removed.
A simple refinement to the access control apparatus and method described above allows access privileges stored on a users smart card to limit access to specific assets within the second security subsystem. A user, for example, could have privileges that allow access to the hard drive within the second security subsystem but not to the modem, encryptor, or network interface card. Since access to the hard drive in the second security subsystem is necessary for the operation of the subsystem other combinations with the hard drive would also be possible. These could include the hard drive, encryptor, and modem or hard drive, encryptor, and network interface card.
The refinement could be implemented by having the smart-card reader read the access privileges on the smart-card and output an activation signal, such as the first activation signal, having multiple bits in a serial word. The output word would then be stored in a register wherein each bit in the stored word corresponds to an activation signal for an electronically-activated switch. In such an apparatus and method the first bit could correspond to the first activation signal. As before the first activation signal is connected to the activation contact of the first electronically-activated switch if the removable memory for the second security subsystem is correctly inserted in the memory receptacle.
The additional bits are used as activation signals for additional electronically-activated switches that control power to the other assets within the second subsystem. One bit would be used to control power to the modem, a second to control power to the network interface card, and a third to control power to the encryptor. Additional bits also could be used to control power to assets outside the subsystem such as parallel and serial output ports. This modification to the described access control apparatus and method would significantly increase the capability to refine and modify access control privileges through simple reprogramming of a users smart-card.
The conversion of the personal computer to a computer with multi-level security is simplified through the utilization of power interface devices that can control the application of power to the computer components that interface with the computers CPU such as modems, NICs, and the removable-memory devices. In the case of components such as NICs and modems this interface is via the computer motherboard and its ISA or PCI bus which also directly provide power to the components that are inserted in the ISA or PCI bus slots. The control of this power can be implemented by physically modifying the motherboard so that a switch is inserted between the power line from the motherboard to the ISA or PCI slot. This is very difficult and time consuming and is not always possible on complex multi-layer boards. A better solution is to utilize a circuit board that can be inserted into the slot to pass all the electronic signals to the component and has a switch already inserted in the power line. This PCI/ISA Power Control Interface Circuit Card would have a connector at one end designed for the motherboard PCI or ISA slot and a PCI or ISA slot at the other end that would accept the component that was being controlled. A control line interface would also be provided to enable or disable power to the inserted component.
A removable memory device could be controlled by placing a switch in the circuit that connects the device to the computer power supply. This switch could be implemented within the removable memory device""s internal power line so that the computer power cables would not have to be modified. The memory device would then be activated when a signal was received that indicated that the memory device for that security subsystem was to be powered on. A refinement to this approach would include a processing capability within the removable memory device that would only activate the memory device if a specific set of bits was received in addition to the activation signal for the memory device. These received bits would correspond to the identity of the user and their smart card and the security level of the drive. This would allow access to the removable drive to be linked to the identity of the user and their smart card as well as to the security subsystem.
Additional objects and advantages of the invention are set forth in part in the description which follows, and in part are obvious from the description, or may be learned by practice of the invention. The objects and advantages of the invention also may be realized and attained by means of the instrumentalities and combinations particularly pointed out in the appended claims. These include physical implementations of the multilevel computer security method that can be easily applied to existing personal computers. This would allow an existing personal computer to be easily converted to a computer with multi-level security.