RU2726144C1 - Device for cryptographic protection of information transmitted over communication networks - Google Patents

Abstract

FIELD: communication network technologies.SUBSTANCE: technical result is achieved by a device for cryptographic protection of information transmitted over communication networks, comprising i subscriber modules (SM), where i=1÷N, one central data transmission module (CM) and telecommunication network, each of the SMs having an input / output unit, an interface, a processor, a memory unit, a transceiver, a packet forming unit, a subscriber encryption unit, a channel encryption unit, a subscriber decryption unit, a channel decryption unit, an information carrier, the device CM having a control unit, a control interface, an information security management interface, an encryption key memory unit, a subscriber authentication unit, a subscriber address memory unit, a subscriber encryption server, a CM memory unit, a channel encryption server, an encryption key control unit, a CM transceiver, a channel encryption unit, a channel decryption unit, a subscriber encryption unit of CM, a subscriber decryption unit of CM, a unit for generating CM packets.EFFECT: technical result consists in improvement of information protection level and possibility of confidential information transmission over open communication channels.1 cl, 1 dwg

Description

The invention relates to the field of communication and computer engineering and can be used in data transmission devices.

A device for data transmission with the preservation and protection of information (see the description of the utility model RU No. 158591, IPC Н04М 3/487).

A data protection device with translation is also known (see patent RU No. 2631983, IPC G06F 21/60).

The disadvantages of these devices include a low level of information protection from unauthorized access.

The closest analogue, i.e. the prototype is the device described in patent RU No. 2164038, IPC G06F 12/14, H04L 9/32, and containing information management system with topology "star", operating with confidential information. The device contains i subscriber modules and a central authentication module, wherein a key storage unit, a personal data unit and an encryption unit are introduced into the subscriber module, and the central module has a second encryption unit. A disadvantage of the known device is the low level of protection of information transmitted through a telecommunication network.

The technical result of the invention is to increase the level of information security and the ability to transmit classified information through open communication channels.

UKZI provides double encryption of the transmitted information at the channel and subscriber (representative) level using symmetric pair communication keys unique to each interaction session.

The essence of the proposed device lies in the fact that the device cryptographic protection of information transmitted over communication networks, containing i subscriber modules, where i = 1 ÷ N, and one central data transmission module (CM), each of the subscriber modules (AM) contains I / O block, an interface with three inputs / outputs, a processor with 8 inputs / outputs, a memory unit with 4, a transmitter-receiver with 4 inputs / outputs, where the second input / output interface is connected in series by double communication lines AM is connected by a double line of communication with the packet-forming unit, the input-output of which is connected to the 1st input-output of the subscriber encryption unit, and the 2nd, 3rd, 4th, 5th, 6th, 7th and the 8th processor input-output, respectively, are connected by double lines of communication with a subscriber encryption block, with a channel encryption block, with a transceiver, with a subscription encryption block, with a channel decryption block and a storage medium, and the 2nd, 3rd and the 4th input-output of the AM transceiver with responsibly connected by double lines of communication with a channel encryption unit, with a channel decryption unit and with a telecommunication communication network, the device’s CM has a control unit with 7 inputs / outputs, which are connected by double communication lines to a control interface, to an information security management interface, with a memory block of encryption keys, with a subscriber authentication block, the 2nd input-output of which is connected by a double communication line to the memory block of the addresses of subscribers, and the 5th, 6th and 7th inputs and outputs of the control unit are respectively connected to the subscriber server encryption, the memory unit of the CM and the channel encryption server, and the 1st input-output of the control unit of the dual communication lines is connected to the control interface, and the information security management interface of the double communication lines is connected to the control unit of the encryption keys, and the CM transceiver with 4 inputs outputs connected in series by double communication lines with telecommunication a communication network, with a channel encryption server, a channel encryption unit, with a channel decryption unit, the channel encryption server is connected in series with the digital memory unit, with a subscriber encryption server, the inputs and outputs of which are respectively connected by double lines to the digital subscriber encryption unit, block subscriber decryption of the digital module and the digital packet forming unit.

The technical implementation of the device is carried out on the basis of computer technology using industrial hardware and software.

In FIG. 1 shows a functional diagram of the claimed device cryptographic protection of information transmitted over communication networks, where each subscriber module of the device contains:

- input-output unit - 1,

- interface - 2,

- packet forming unit - 3,

- processor - 4,

- storage medium - 5,

- memory block - 6,

- subscriber encryption unit - 7,

- subscriber decryption unit - 8,

- channel encryption block - 9,

- channel decryption unit - 10,

- transceiver - 11,

and the central data transfer module (DTM) of the device contains:

- CM transceiver - 12,

- channel encryption server - 13,

- block channel encryption CM - 14,

- channel decryption unit - 15,

- memory block ЦМ - 16,

- subscriber encryption server - 17,

- block subscriber encryption CM - 18,

- block subscriber decryption CM - 19,

- a block of packet formation CM - 20,

- control unit - 21,

- control interface - 22,

- information security management (IS) interface - 23,

- block encryption key management - 24,

- block memory encryption keys - 25,

- subscriber authentication unit - 26,

- block memory addresses of subscribers - 27.

The data packet transmitted to the CM consists of:

- the identification part, which allows the CM to perform reliable identification and authentication of the subscriber,

- the address part that defines the list of subscribers to whom the content of the subscriber information package should be transmitted through the digital center,

- the content part intended for transmission in encrypted form to the list of subscribers indicated in the address part.

The technical implementation of the device is shown by the example of the operation of one session of data packet transmission from the subscriber module of the sender (AMO) through the central module (CM) to the subscriber module of the receiver (AMP).

The input / output unit AM (1) transfers the processor (4) to the subscriber encryption mode via the AM interface (2) and transfers open subscriber data intended for encryption from the storage medium (5) and, via the AM (2) interface and the processor (4) transmitting to one or more subscribers of the device to the packet forming unit (3). The I / O block AM (1) through the interface (2) initiates the operation of the subscriber encryption block (7) to encrypt the content of the packet, and at the same time it encrypts the content of the subscriber data stored in the packet generation block (3) using cryptographic pairing with a central module of a synchronous key of subscriber encryption. The content portion encrypted at the subscriber level is stored in the packet generation unit (3). The input / output unit AM (1) through the interface (2) and the processor (4) forms in the packet generation unit (3) a transmission packet consisting of an identification part (packet code, subscriber module identifier, etc.), address part , including the addresses of M recipients, and previously encrypted at the subscriber level of the content of the subscriber data. The I / O block AM (1) through the interface (2) and the processor (4) initiates the storage of the previously generated packet in the AM memory block (6). After saving in the memory unit (6), the packet from the packet forming unit (3) is deleted. The input-output unit AM (1) through the interface (2) puts the processor (3) in the channel encryption mode and through the interface (2) and the processor (3) initiates the transfer of the packet prepared in the memory unit (6). The processor (3) through the transceiver (11) and the telecommunication network transmits to the transceiver DTM (12) a signal containing a unique AM code about readiness for transmission. The transceiver transmits a unique AM code via the channel encryption server (13) to the control unit (21). The control unit (21), in accordance with the unique AM code, authenticates the sender's AM through the subscriber authentication unit (26) and, after successful completion of the operation, through the information security management interface (25) and the encryption key management unit (24) unloads the encryption keys from the memory unit ( 25) the channel encryption key corresponding to AMO and downloads it through the channel encryption server (13) to the channel encryption block (15). After downloading the key, the channel encryption server (13) transmits a “true” signal through the transceiver CM (12) and the telecommunication network to the sender transceiver AM (11). After receiving the “true” signal, the AM transceiver (11) initiates the transfer of a previously prepared packet from the AM memory block (6) to the channel encryption block (9), in which the packet is encrypted at the channel level using a synchronous channel encryption key paired with the digital module stored in the channel encryption block (9), and transmitted through the transceiver (11) and the telecommunications network to the transceiver CM (12). From the CM transceiver (12), the packet encrypted at the subscriber and channel level enters the channel decryption block (15), in which the packet is decrypted at the channel level using the synchronous channel encryption key paired with the CM loaded in the channel encryption block (9) . The channel-decrypted packet from the channel decryption block (15) is transmitted to the channel encryption server (13), which writes the packet to the digital memory (16) and sequentially transmits the signal “true” and the decrypted identification and address parts of the packet to the control unit (21 ) If the decryption process was not successfully completed, the channel encryption server (12) transmits a failure signal through the CM transceiver (12) and the telecommunication network to the AM transceiver (11) and synchronously to the control unit (21). The process of transmitting the packet by the device is interrupted. After receiving the signals (p. 12), the control unit (21) transmits the identification and address parts of the packet to the subscriber authentication unit (26). The subscriber authentication unit (26) extracts from the memory block of the addresses of the subscribers (27) records corresponding to the AM sender and AM recipients and performs authentication AM. The signal "true", confirming the successful authentication of the sender AM and recipients AM is transmitted through the control unit (21) to the control interface (22). The control interface (22), having received the “true” signal from the control unit (21), forms in the control unit (21) a sequential series of M commands to start decrypting the packet using the synchronous subscriber key of the subscriber encryption of the encrypted subscriber data stored in the memory block of the digital memory (16) and subscriber simultaneous decryption and encryption using paired with each of the M subscribers synchronous keys of the customer encryption stored in the memory block of the encryption keys (25), and the formation in the memory of the digital memory (16) of M encrypted packets for sending to subscribers . After generating the commands, the control unit (21) generates and transmits a “true” signal to the IS control interface (23). The IS control interface (23) verifies the generated commands and initiates the transfer of encryption keys (25) from the memory unit through the key management unit (24) of the subscription encryption keys to the control unit (21) corresponding to the sender AM and M subscriber keys and M channel encryption keys matching AM recipients. After receiving the necessary keys, the control unit (21) transmits a “true” signal to the control interface (22). After receiving the “true” signal, the control interface (22) initiates a control signal initiating a series of transmissions to the control unit (21). The control unit (21) generates and transmits sequentially a series of M control signals to the subscriber encryption server (17), containing in each signal the subscriber encryption key AM of the sender and the subscriber encryption key of the i-th recipient AM and simultaneously a series of control signals to the channel encryption block ( 14), containing the channel encryption key of the i-th recipient AM. After receiving the control signal, the subscriber encryption server (17) sequentially M times extracts the data encrypted at the subscriber level from the memory unit (16) and decrypts it using the subscriber decryption unit (19) using the synchronous key pair from the sender AM received from the control unit (21) and through the subscriber encryption unit (18) encryption of the content of the packet using synchronous keys paired with the corresponding i-th AM recipient. The decryption operation is performed as a single command without an intermediate record of decryption results in the memory unit (16). After re-encryption of the content part of the packet, the subscriber encryption server (17) forms in the packet generation block (20) a transmission packet including the content part encrypted at the subscriber level, the identification part corresponding to the sender’s AM and the address part corresponding to the ith AM recipient. The packet generated in the packet forming unit (20) through the subscriber encryption server (17) is recorded in the memory unit (16) and after the recording is completed, the subscriber encryption server (17) transmits a “true” signal to the control unit (21). After receiving the “true” signal from the subscriber encryption server (17), the control unit (21) generates and transmits a control signal to the channel encryption server (13). The channel encryption server (13) transmits the prepared packet to the channel encryption block (15) containing the loaded channel encryption key corresponding to the ith AM of the recipient. In the channel encryption block (15), the packet is encrypted at the channel level using the channel encryption pairing key and the encrypted packet is transmitted through the CM transceiver (12) and the telecommunication network to the ith AMP transceiver (11). The processes of subscriber re-encryption, downloading to the memory unit (16), channel encryption and transmission are repeated M times using M synchronous pair communication keys at the subscriber and channel level. The AMP transceiver (11) transmits the packet to the channel decryption unit of the AMP (10), in which data is automatically decrypted at the channel level using a synchronous channel encryption key paired with the digital module stored in the channel decryption block of the AMP (10) and then transmitted to the processor ( 4). The processor (4), in stationary mode in a channel encryption state, receives a packet encrypted at the subscriber level from the channel decryption unit APM (10) and writes it to the memory unit (6). After recording, the processor (4) transmits a true signal through the interface (2) to the input-output unit (1), confirming the receipt of the packet. The input / output unit (1), having received a signal about the reception of the packet, puts the processor (4) into subscriber encryption mode. The input-output unit (1) through the interface (2) transmits a control signal to the processor (4) and initiates the subscriber decryption process. The content of the packet is transmitted through the processor (4) from the AMP memory block (6) to the subscriber decryption block (8), in which the decryption takes place using the synchronous subscriber encryption key paired with the CM stored in the subscriber decryption block (8). The decrypted content of the packet from the subscriber decryption unit (8) through the processor (4) is recorded in a separate area of the memory unit (6). After recording is completed, the processor (4) transmits a true signal through the interface (2) to the input-output unit (1). The input-output unit (1) through the interface (2) transmits a control signal to the processor (4). The processor (4) extracts the content and identification parts of the packet from the corresponding zones of the memory block (6) and writes them to the storage medium (5). After recording on the storage medium (5) is completed, the processor (4) generates a control signal in the memory unit (6) and the information previously recorded in the memory unit (5) is deleted.

The economic result of the invention is to increase the efficiency, reliability and security of information exchange between market participants.

Claims (1)

A cryptographic protection device for information transmitted over communication networks containing i subscriber modules, where i = 1 ÷ N, and one central data transmission module (CM), while each of the subscriber modules (AM) contains an input unit connected in series with double communication lines an output, an interface with three inputs / outputs, a processor with 8 inputs / outputs, a memory block with 4 inputs / outputs, a transceiver with 4 inputs and outputs, where the second input / output of the AM interface is connected by a double communication line to the packet forming unit, input / output which is connected to the 1st input-output of the subscriber encryption unit, and the 2nd, 3rd, 4th, 5th, 6th, 7th and 8th input-output of the processor are respectively connected by double communication lines with a subscriber encryption block, with a channel encryption block, with a transceiver, with a subscriber decryption block, with a channel decryption block and with a storage medium, and the 2nd, 3rd and 4th input-output of the transceiver AM are respectively connected by double communication lines with a channel encryption unit, with a channel decryption unit and with a telecommunication communication network, the device’s CM has a control unit with 7 inputs / outputs, which are connected via dual communication lines to a control interface, an information security management interface, an encryption key memory block, and a block subscriber authentication, the 2nd input-output of which is connected by a double communication line to the memory block of the addresses of the subscribers, and the 5th, 6th and 7th inputs and outputs of the control unit are respectively connected to the subscriber encryption server, the memory block of the digital memory and the channel server encryption, and the 1st input-output of the control unit of the double communication lines is connected to the control interface, and the information security management interface of the double communication lines is connected to the control unit of the encryption keys, and the CM transceiver with 4 inputs / outputs is connected in series by double communication lines to the telecommunication network communication with the channel encryption server, bl with the channel encryption window, with the channel decryption unit, the channel encryption server is connected in series with the digital memory block, with the subscriber encryption server, the inputs and outputs of which are respectively connected by double lines to the digital subscriber encryption block, the digital subscriber decryption block, and the digital packet generation block.

Images