[go: up one dir, main page]

GB2627535A - Trusted multi-domain segregation - Google Patents

Trusted multi-domain segregation Download PDF

Info

Publication number
GB2627535A
GB2627535A GB2302866.5A GB202302866A GB2627535A GB 2627535 A GB2627535 A GB 2627535A GB 202302866 A GB202302866 A GB 202302866A GB 2627535 A GB2627535 A GB 2627535A
Authority
GB
United Kingdom
Prior art keywords
data
segregated
domain
network
shared
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
GB2302866.5A
Other versions
GB2627535B (en
GB202302866D0 (en
Inventor
Pont Anthony
Ison Graham
Smejka Stephan
Walker John
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Thales Holdings UK PLC
Original Assignee
Thales Holdings UK PLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Thales Holdings UK PLC filed Critical Thales Holdings UK PLC
Priority to GB2302866.5A priority Critical patent/GB2627535B/en
Publication of GB202302866D0 publication Critical patent/GB202302866D0/en
Publication of GB2627535A publication Critical patent/GB2627535A/en
Application granted granted Critical
Publication of GB2627535B publication Critical patent/GB2627535B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/28Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Power Engineering (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments secure the boundary between a shared network (arrows connecting sub systems 110,120,130) and a plurality of segregated networks (arrows between interfaces and data domains). Prior to allowing data to be passed from the shared network to a segregated network (that corresponds to a particular data domain), the embodiments described herein determine whether the received data includes a keyed hash and, if so, verify the keyed hash using a first domain-specific cryptographic key corresponding to the appropriate data domain. In addition, an attempt is made to decrypt the received data using a second domain-specific cryptographic key corresponding to the appropriate data domain. By assessing both a keyed hash and the encryption using corresponding domain-specific keys, the system is able to ensure that data is only able to access a segregated network if it has the appropriate privileges. The first and second key may be the same for a specific domain.

Description

TRUSTED MULTI-DOMAIN SEGREGATION TECHNICAL FIELD
The present disclosure relates to communication systems. In particular, but without limitation, this disclosure relates to communication systems configured to act as secure boundaries between shared networks and segregated networks.
BACKGROUND
Communication systems may transfer data having varying levels of security (e.g. confidentiality, or safety (e.g. criticality). Such communication systems may be carried by a platform or vehicle requiring communication (e.g. multi-media communication) between different interfaces in different or variable domains.
Network segmentation is the process of providing separate physical layers (subnetworks) for different sections of an overall network. Network segmentation can be used to provide separate sub-networks (separate segregated networks) for different data domains. This makes it easier to limit access to the data in the data domain by limiting access to the segregated network. This also provides robustness against attack, by preventing unauthorized network traffic or attacks from reaching other sections of the overall network.
By providing different segregated networks for different data domains, cross-contamination of data can be prevented and security can be improved. As an example, radio voice traffic for an aircraft may be separated between a secure channel for secure mission communication and an air traffic control audio channel of a lower security level. Similarly, safety critical data often requires segregation from non-safety critical traffic, such as in a passenger aircraft. In the commercial space, sensitive information from one manufacturer, such as performance monitoring of an engine, may need to be segregated from equivalent data from a competing manufacturer to maintain the security of commercially sensitive data.
SUMMARY
According to a first aspect there is provided a communication system configured to act as a secure boundary between a shared network and a plurality of segregated networks, each segregated network corresponding to one of a plurality of data domains. The communication system comprises: a shared interface configured to receive cryptographically protected (e.g. encrypted) data from the shared network; a plurality of segregated interfaces, wherein each segregated interface is configured to output data to a corresponding segregated network of the plurality of segregated networks; and a data segregation system. The data segregation system is configured to: receive, over the shared interface, data from the shared network that is addressed for one of the segregated networks; determine the data domain of the one of the segregated networks to which the data is addressed; determine whether the received data includes a keyed hash and, if so, verify the keyed hash using a first domain-specific cryptographic key corresponding to the data domain of the one of the segregated networks to which the data is addressed; attempt to decrypt the received data using a second domain-specific cryptographic key corresponding to the data domain of the one of the segregated networks to which the data is addressed; and in response to the received data containing a verified keyed hash and being successfully decrypted, output the decrypted data to the one of the segregated networks to which the data is addressed via the corresponding segregated interface.
Embodiments secure the boundary between a shared network and a plurality of segregated networks. Prior to allowing data to be passed from the shared network to a segregated network (that corresponds to a particular data domain), the embodiments described herein determine whether the received data includes a keyed hash and, if so, verify the keyed hash using a first domain-specific cryptographic key corresponding to the appropriate data domain. In addition, an attempt is made to decrypt the received data using a second domain-specific cryptographic key corresponding to the appropriate data domain. By assessing both a keyed hash and the encryption using corresponding domain-specific keys, the system is able to ensure that data is only able to access a segregated network if it has the appropriate privileges.
The data segregation system may comprise a plurality of segregated subsystems, each corresponding to one of the segregated interfaces, and a shared subsystem that is connected to the shared interface. The shared subsystem may be configured to implement the verification of the keyed hash. Each of the plurality of segregated subsystems may be configured to implement the decryption of the data received from the shared network using the corresponding second domain-specific cryptographic key that corresponds to the data domain of the corresponding segregated network.
The data segregation system may comprise a shared field programmable array configured to verify the keyed hash using the first domain-specific cryptographic key. Each of the segregated subsystems may include a corresponding field programmable array configured to implement the decryption for that segregated subsystem.
The first and second domain-specific cryptographic keys may be the same for a given data domain. That is, whilst each domain-specific key is specific (e.g. unique) to the given domain, the same key may be used for both the hashing and encryption/decryption.
The data segregation system may be configured to verify whether the received data has been successfully decrypted using the second domain-specific cryptographic key based on error detection code contained within the decrypted data.
According to one embodiment, each of the plurality of segregated interfaces is further configured to receive data from its corresponding segregated network and the shared interface is further configured to output cryptographically protected data to the shared network. The data segregation system according to an embodiment is further configured to: receive data from one of the segregated networks via the corresponding segregated interface; encrypt the data received from the one of the segregated networks using a third domain-specific cryptographic key that corresponds to the data domain of the one of the segregated networks from which the data is received; generate a keyed hash of the encrypted data using a fourth domain-specific cryptographic key that corresponds to the data domain of the one of the segregated networks from which the data is received; apply the generated keyed hash to the encrypted data; and output the encrypted data with the generated keyed hash on the shared network via the shared interface.
The data segregation system may be configured to add error detection code to the data received from the one of the segregated networks prior to encrypting the data, wherein the error detection code is for use in verifying decryption of the encrypted data. The error detection code may be cyclic redundancy check (CRC) code. The error detection code may be generated based on the data received from the one of the segregated networks.
At least one of the plurality of segregated interfaces may be a dynamic interface which is configured to switch between different data domains supported by the dynamic interface. In one embodiment, whilst a dynamic interface may switch between data domains, it may only serve a single domain at one time. The dynamic interface may be configured to reject (e.g. block transfer of) any data that relates to a data domain that is not currently served (e.g. that is not served by the dynamic interface at the time at which the data is received by the dynamic interface) According to a further aspect there is provided a communication system configured to act as a secure boundary between a shared network and a plurality of segregated networks, each segregated network corresponding to one of a plurality of data domains, the communication system comprising: a plurality of segregated interfaces, wherein each segregated interface is configured to receive data from a corresponding segregated network of the plurality of segregated networks; a shared interface configured to output cryptographically protected data to the shared network; and a data segregation system. The data segregation system is configured to: receive data from one of the segregated networks via the corresponding segregated interface; encrypt the received data using a first domain-specific cryptographic key that corresponds to the data domain of the one of the segregated networks from which the data is received; generate a keyed hash of the encrypted data using a second domain-specific cryptographic key that corresponds to the data domain of the one of the segregated networks from which the data is received; apply the keyed hash to the encrypted data; and output the encrypted data with the keyed hash on the shared network via the shared interface.
According to an embodiment: the data segregation system comprises a plurality of segregated subsystems, each corresponding to one of the segregated interfaces, and a shared subsystem that is connected to the shared interface; each of the plurality of segregated subsystems is configured to implement the encryption of data received from the corresponding segregated interface using a corresponding first domain-specific cryptographic key that corresponds to the data domain of the corresponding segregated network; and the shared subsystem is configured to implement the generation and application of keyed hashes using corresponding second domain-specific cryptographic keys that each corresponds to the data domain of the segregated network from which data is received.
The data segregation system may comprise a shared field programmable array configured to generate the keyed hash using the second domain-specific cryptographic key. Each of the segregated subsystems may include a corresponding field programmable array configured to implement the encryption for that segregated subsystem.
The first and second domain-specific cryptographic keys may be the same for a given data domain.
According to an embodiment, the shared interface is further configured to receive cryptographically protected data from the shared network; each of the segregated interfaces is further configured to output data to its corresponding segregated network; and the data segregation system is further configured to: receive, over the shared interface, data from the shared network that is addressed for one of the segregated networks; determine the data domain of the one of the segregated networks to which the data is addressed; determine whether the received data includes a keyed hash and, if so, verify the keyed hash using a third domain-specific cryptographic key corresponding to the data domain of the one of the segregated networks to which the data is addressed; attempt to decrypt the received data using a fourth domain-specific cryptographic key corresponding to the data domain of the one of the segregated networks to which the data is addressed; and in response to the received data containing a verified keyed hash and being successfully decrypted, output the decrypted data to the one of the segregated networks to which the data is addressed via the corresponding segregated interface.
BRIEF DESCRIPTION OF THE DRAWINGS
Arrangements of the present invention will be understood and appreciated more fully from the following detailed description, made by way of example only and taken in conjunction with drawings in which: FIG. 1 shows a communication system for transferring data relating to different data domains according to an embodiment; FIG. 2 shows a data composition for data on the shared network according to an embodiment; FIG. 3 shows a communication system including separate encryption and hashing subsystems according to an embodiment; FIG. 4 shows a communication system having separate segregated subsystems according to an embodiment; FIG. 5 shows a method for receiving data from a segregated network and encrypting the data for secure transmission on a shared network according to an embodiment; and FIG. 6 shows a method for receiving data from a shared network and decrypting the data for transmission on a segregated network according to an embodiment.
DETAILED DESCRIPTION
Embodiments relate to communication systems for segregating data between different data domains (e.g. safety or security domains).
Specific embodiments described herein solve the problem of exchanging information between systems and interfaces of different segregated data domains (e.g. information with different levels of sensitivity, e.g. classification or confidentiality, or different levels of criticality, e.g. safety impact) over a common network, whilst maintaining the required domain segregation. Some of these interfaces may be required to support multiple domains and may change domain dynamically. A dynamic interface may switch between domains over time. Whilst it may switch between different domains, it may only serve a single domain at any one time.
Specifically, within the example of a communication system for a vehicle, operators and/or equipment within the vehicle may need to be able to exchange information at various security levels dependant on their clearance and on a need to know basis. Within the vehicle there can be several operators and/or equipment with various levels of clearance that may need to exchange information either within the vehicle or external to the vehicle. The vehicle itself may be transmitting information on radio bearers at various security levels. These levels can change during operation, and the migration of information between these bearers needs to be prevented to protect the information. Similarly, systems may need to exchange information at different safety criticality levels; some information flows may have a high safety impact whereas other information flows have no safety impact but may be more exposed to threats.
The ability of a solution to solve this problem from a security and safety perspective may be subject to stringent constraints and certification from appropriate certification agencies.
Data may be segregated through the use of different, physically separate networks for each domain. These physically separate networks (segregated networks) may include wiring with trusted gateways and switching between them where required, e.g. when dynamic domains are involved.
Fixed networks and wiring are intrinsically less scaleable/extensible. Separate networks and wiring result in higher installation costs and complexity and drive higher total system size, weight and power, particularly as the number of domains increases.
This is because certain functionality may not be shared and may therefore be repeated across the different networks.
This can be particularly problematic for communication systems that are for mobile platforms such as vehicles (e.g. aircraft, cars, trains, etc.), as this can increase the weight and therefore make the devices less mobile and result in additional fuel being consumed during transit. This is more critical for airborne applications where every kilogram of weight results in higher fuel consumption and shorter operational range. Nevertheless, the additional weight can be problematic for other applications (e.g. for use in handheld devices).
The implementation of trusted gateways and switches tends to be bespoke to each application, requiring a higher evaluation/certification evaluation from relevant bodies (e.g. aviation certification authorities or security certification authorities).
Soft means of segregating data (software only) such as network segmentation may not provide a sufficiently high level of assurance when safety or security critical information is concerned.
In light of the above, it can be beneficial to combine the use of segregated networks for security or safety with a shared network for improved efficiency. For instance, external communication may be through segregated networks, whereas internal communication (e.g. between other subsystems within an overall device, such as a vehicle) may be over a shared network, with appropriate encryption in place to ensure segregation is maintained. Embodiments described herein provide communication systems that are able to act as a secure boundary between a shared network and multiple segregated networks whilst ensuring secure data segregation.
Digital Trust permits trusted systems to interact over an untrusted domain, by the use of Trust Layer, built on strong cryptographic techniques. It provides secure-data transfer over lower trust shared communication means, by providing authentication, integrity protection and encryption.
This enables the support of multiple safety and security domains across a single local area network (LAN) architecture (including less trusted switches and bearers). This is applicable to many different applications. In particular, this is applicable to aviation and is important to future connected aircraft architectures, where there will be greater sharing of bandwidth, ad-hoc networking and Machine to Machine (M2M) communications.
Certain embodiments implement two levels of cryptographic checks for improved security to ensure that data segregation is maintained when transitioning between the shared and segregated networks. Furthermore, specific embodiments implement certain features, such as encryption and hashing, via bespoke hardware subsystems (e.g. field programmable gate arrays, FPGA) for improved security and assurance.
FIG. 1 shows a communication system 100 for transferring data relating to different data domains according to an embodiment. A number of segregated networks are provided for different data domains (Data Domain 1, Data Domain 2, Data Domain 3), as shown by the arrows exiting the system boundary.
A given data domain may relate to data having a particular characteristic (e.g. of a particular level of security, safety, sensitivity, privacy or importance). For instance, in the context of an aircraft, different data domains may include a cockpit intercom, an aircraft control domain (ACD) (e.g. including air traffic control communication and aircraft operational control communication), an aircraft information service domain (AISD), a passenger information and entertainment services domain (PIESD), a cabin distribution network and any connected off-board networks. It can be important to keep different data domains segregated to ensure that safety or security critical functions are protected (e.g. isolated). Different data domains may also allow protection of private or secure (e.g. company specific) data over a shared network or an off-platform bearer (e.g. radio).
The system 100 comprises a number of sub-systems 110, 120 and 130, which are each configured to receive segregated data from a corresponding set of segregated networks and cryptographically protect (e.g. through encryption and hashing) the data for sending on a shared network (shown as arrows connecting the sub-systems 110, 120 and 130). Each sub-system 110, 120 and 130 is also able to process data received over the shared network, verify the authenticity of the received data and output the data to the segregated network according to the data domain for the data.
Each sub-system 110, 120 and 130 includes one or more interfaces. Each interface corresponds to a given set of one or more segregated networks. For static interfaces, one or more interfaces may be provided for each segregated network (each segregated network is assigned a corresponding set of one or more interfaces). For instance, sub-system 110 has separate interfaces for separate physical networks for each of Data Domain 1, Data Domain 2 and Data Domain 3. Similarly, sub-system 120 has separate interfaces for separate physical networks for each of Data Domain 1 and Data Domain 2.
Having said this, dynamic interfaces can switch between multiple segregated networks. In one such case, an audio interface can be used for one data domain at one time and then the user switches it to communicate for a different data domain at a later time. In the present example, sub-system 130 includes a dynamic interface that can be used for Data Domain 2 at one point in time and for Data Domain 3 at a later time. Whilst a dynamic interface can switch between domains, it only serves a single domain at any single point in time.
In light of the above, segregated networks may be segregated physically and/or temporally. Whilst a dynamic interface may support multiple domains, it is only able to support a single domain at one time, with the domains being segregated over time. It is important that data segregation is maintained until the data is cryptographically protected on entry to the shared network. Domain separation can then be maintained over the shared network through appropriate cryptographic protection. Data coming from the shared network to one of the segregated networks is verified and decrypted to ensure it is authorised for use of the segregated network before it is output onto the segregated network. This segregation can be trusted due to its implementation as a series of cryptographic protections.
Two separate layers, providing two different cryptographic protections, are used to provide protection against failures and defence in depth: encryption and keyed hashing, using cryptographic keys specific to the segregation domain of the information (domain-specific cryptographic keys).
When receiving data from the shared network for output to a segregated network, both the encryption and keyed hash need to match the segregation domain of that segregated network to allow payload data to be exported to the segregated network. One advantage of this approach is that the mechanism for segregation can remain agnostic to both the payload data and the network protocol.
When receiving data from a segregated network for output to the shared network, the data is encrypted using a domain-specific cryptographic key for the corresponding segregation domain, and a keyed hash is added to the encrypted data that is sent via the shared network. The encryption ensures segregation of data across the network by preventing access to the data without the corresponding key, whilst the keyed hash enables the data to be verified to detect any tampering. Both the encryption and hash make use of one or more domain-specific cryptographic keys. The same domain-specific key, or different domain-specific keys may be used for each of the encryption and hashing.
FIG. 2 shows a data composition for data on the shared network according to an embodiment. Data received from a segregated network includes payload data. This data is encrypted and header data is added (e.g. plaintext header data and cyclic redundancy check, CRC, data). As shall be described later, this encryption may be implemented through a first FPGA. Following this, a keyed-hash of the encrypted data is added to the encrypted data (e.g. appended to the encrypted data). This may be implemented through a second FPGA. Then address data is added for directing the data across the shared network.
On receipt, the address data is read to determine the segmentation domain (the segregated network) to which the data is directed. Based on this, the key for that domain may be accessed. A keyed hash of the encrypted data is determined using the corresponding key and the resultant keyed hash then compared with the keyed hash accompanying the encrypted data. Where these hashes match, then the data may be decrypted using the corresponding key before the payload data is output to the segregated network. Again, the decryption may be implemented through a first FPGA whilst the hashing may be implemented through a second FPGA. Different first FPGAs may be provided for each segregated network to ensure data segregation after decryption.
Utilising FPGAs (e.g. rather than software) ensures improved security and assurance. FPGAs operate at a lower level, are less transparent, and are often more isolated than general purpose processors. Accordingly, FPGAs are more opaque to attackers and harder to compromise. FPGAs also provide greater control over the logic that is implemented, resulting in a greater degree of customization and security.
FIG. 3 shows a communication system including separate encryption and hashing subsystems according to an embodiment. The system comprises n segregated subsystems 210, where n is the number of segregated networks (where n is an integer). Each segregated subsystem 210 is connected to an input/output interface (e.g. one or more input/output ports) for the corresponding segregated network. Each segregated subsystem 210 includes an interface processing module 212 and an encryption/decryption module 214 (e.g. a segregation FPGA). Each segregated subsystem 210 is physically isolated from each other segregated subsystem 210, at least for the connections between the input/output and the segregated subsystem 210.
The interface processing module 212 is configured to perform interface processing on data received at the corresponding input/output interface or data to be output to the corresponding input/output interface. This interface processing may include reading/writing headers and repackaging payload data. On receipt of data from the segregated network, the interface processing may include analogue to digital conversion. The interface processing includes adding metadata onto the received payload data, which is checked on decryption to verify whether decryption has been successful. Adding metadata may include adding a header (e.g. with an address), adding cyclic redundancy check (CRC) data and/or adding other error-detection code or error correction code.
The encryption/decryption subsystem 214 is configured to encrypt data as it is received from a segregated network and decrypt data as it is output to the segregated network.
The encryption/decryption module is configured to perform encryption and decryption using a key that is unique to the corresponding data domain for the segregated subsystem 210. Data is only output to the segregated network if it is successfully decrypted by the encryption/decryption subsystem 214. The encryption/decryption subsystem 214 may be implemented as an FPGA (e.g. a first segregation FPGA (SEG1)).
As shall be described in more detail with reference to FIG. 4, each segregated subsystem 210 is connected to a hashing subsystem 220. Optionally, the hashing subsystem 220 may be shared between the segregated subsystems 210. This hashing subsystem 220 may be implemented as an FPGA (e.g. a second segregation FPGA (SEG2)). The hashing subsystem 220 is configured to apply a keyed hash of the encrypted data on receipt of data from a segregated network. The hashing subsystem 220 is also configured to verify the keyed hash of the encrypted data on receipt of data from the shared network (for output to a segregated network). The key that is utilised in the keyed hash is a key that is unique to the data domain of the segregated network that the data is received from/output to. The keys utilised by the hashing subsystem 220 may be the same as the keys utilised by the encryption/decryption subsystem 214 or may be different.
A network processing subsystem 230 is connected to the hashing subsystem 220 and is configured to perform addressing and routing of data to/from the shared network.
FIG. 4 shows a communication system having separate segregated subsystems 210 according to an embodiment.
As discussed above, a segregated subsystem 210 is provided for each segregated network at one time. In the present example, one network is provided having switchable domains for data, one network is provided having switchable domains for audio, one network is provided for a (generic or unclassified) discrete input/output domain, and a number of independent domains for audio data are provided. A network having switchable domains is able to switch between domains, but can only support a single domain at one time. For audio, the interface is set up to allow audio on one domain at a time, out of a set of domains the user is permitted to access. For data, the interface supports a single domain at a time, but is switchable to the domain or domains that the connected equipment currently supports. Whilst FIG. 4 shows one example having a specific number of networks and domains, any type or number of networks and/or data domains may be utilised.
In the present embodiment, the segregated subsystems 210 are physically isolated from each other until the data has been encrypted. Each segregated subsystem 210 is connected to a corresponding set of one or more input/output ports for communication with the corresponding segregated network. The network processing subsystem 230 is connected to one or more input/output ports for communication with the shared network.
Each segregated subsystem 210 for contains a corresponding encryption/decryption 214 subsystem. Each segregated subsystem 210 other than the segregated subsystem for the discrete input/output domain also includes an interface processing subsystem 212. This is because the discrete data does not require interface processing (e.g., it does not relate to sensitive or safety critical information).
As shown in FIGs. 3 and 4, the cryptographic functions may be implemented in separate devices (the encryption/decryption subsystem and the hashing subsystem) to provide protection against failures and defence in depth. FPGA may be used for the cryptographic functions as they can more easily demonstrate assurance, provide improved security and are easier to achieve certification by appropriate agencies (e.g. security or safety agencies). Each encryption/decryption subsystem 214 (each first segregation FPGA (SEG1)) applies encryption or decryption for a corresponding interface domain. The hashing subsystem 220 (the second segregation FPGA (SEG2)) applies and checks a keyed-hash in a device shared across all interfaces to reduce size, weight, cost and power. Nevertheless, it is not essential for this functionality to be implemented in separate devices (e.g. in separate FPGAs).
Isolation (e.g. physical and/ortemporal isolation) is required for external interfaces until the segregation functions have been passed -then the segregated data may safely share the network domain. Multiple network protocols are possible; the segregation capability is independent of the shared network type.
Whilst physical or temporal isolation is required for the external interfaces (i.e. each interface is assigned to only one domain at a time), the segregation functions may be performed on the same processing device (e.g. the same FPGA). That is, in one embodiment the segregated subsystems 210 include segregated interfaces, but shared processing. These segregated subsystems 210 may alternatively be considered domain-specific sub-systems. Having said this, in other embodiments, the segregated subsystems 210 have segregated processing as well, to avoid mixing of domains before cryptographic checks have been passed.
FIG. 5 shows a method 300 for receiving data from a segregated network and cryptographically protecting the data for secure transmission on a shared network according to an embodiment.
Data is received from a segregated network via a corresponding segregated interface 310. As described herein, this data is processed by the corresponding segregated subsystem 210 before being passed to the hashing system 220. Interface processing may be performed by an interface processing subsystem 212. As this is optional, this is not shown in FIG. 5.
The received (and potentially processed data) is encrypted using a (first) domain-specific cryptographic key corresponding to the segregated network 320. The key may be unique for data domain of the segregated network. If multiple segregated networks process data of the same data domain, then the key may correspond to the data domain and may be used at various interfaces with the various segregated networks. This allows data to be securely transferred to the various segregated networks via the shared network.
A keyed hash of the encrypted data is generated using a (second) domain-specific cryptographic key 330 and the keyed hash is applied to the encrypted data 340. This may be performed by a shared hashing subsystem 220 such as that shown in FIGs. 3 and 4. Having said this, alternative embodiments may implement separate hashing subsystems for each segregated network.
The hash is a keyed hash that is generated using a particular key. The key may be unique for the data domain of the segregated network. The key may be the same or different to the key utilised for encryption. By applying a keyed hash, the data may be authenticated to ensure that it has not been tampered with. The use of the key ensures that data that does not correspond to the given data domain (i.e. that has been hashed using a different key) cannot pass to a segregated network for that domain. The keyed hash may be applied to the encrypted data as a header and/or via concatenation.
The encrypted data with keyed hash is then output to the shared network via a shared interface 350. This may include addressing and routing via the network processing subsystem 230. For instance, the network processing subsystem 230 may determine an address on the shared network and add this to the package to be sent over the shared network.
FIG. 6 shows a method 400 for receiving data from a shared network and decrypting the data for transmission on a segregated network according to an embodiment.
Data is received from the shared network via the shared interface 410. As described herein, this data is processed by the network processor 230 and hashing subsystem 220 before being passed to a corresponding segregated subsystem 210 relating to the segregated network to which the data is addressed.
The method may determine the data domain of the segregated network to which data is addressed 420. To do this, the network processor 230 reads an address from the received data. The data may then be forwarded to the hashing subsystem 220. By determining the segregated network, the data domain for the data may be determined.
The method then verifies any keyed hash included in the received data using a domain-specific cryptographic key corresponding to the data domain for the segregated network to which the data is addressed 430. To do this, the system may determine whether the received data includes a keyed hash and, if so, verify the keyed hash using the domain-specific cryptographic key. To verify a keyed hash, the hashing subsystem 220 may extract payload data (e.g. encrypted data) from the received data and generate a keyed hash of the payload data using the domain-specific cryptographic key. If the generated keyed hash matches the keyed hash in the received data, then the payload data (the encrypted data) is passed to the segregated subsystem 210 for the relevant segregated network. The hashing subsystem 220 only has access to keys (domain-specific keys) for the data domains that it supports. If no keyed hash is included with the received data, or if the keyed hash is not valid (i.e. if it does not match the keyed hash generated by the hashing subsystem), then the data is not permitted to access the segregated network. This ensures that data that has been misrouted is not permitted to pass onto a domain for which it is not cleared.
After a verification of the keyed hash, the system attempts to decrypt the received data using a domain-specific cryptographic key. This key may be the same as that used in the hashing or may be different. Again, for this purpose, the system only has access to domain-specific keys for its relevant domain. That is, each encryption/decryption subsystem 214 may only have access to the domain-specific key(s) for the domain(s) that it provides an interface for. The data that the decryption applies to may be a subset of the received data (e.g. encrypted payload data after the removal of metadata (e.g. the keyed hash, error correction data and address data)).
If the data is successfully decrypted using the domain-specific cryptographic key, then the decrypted data is output to the segregated network 450 (e.g. via the interface processing subsystem 212). Successful decryption can be assessed based on metadata within the decrypted data (e.g. cyclic redundancy code, CRC). If the data is not successfully decrypted, then the data is not permitted to access the segregated network.
In the case where data is not permitted to access a segregated network, the received data may be discarded (e.g. deleted), may be stored locally (e.g. in a buffer), or may be returned to the source of the received data (the sender). A message detailing the access refusal may be sent to the source of the received data.
In light of the above, two levels of cryptographic checks are applied when assessing whether data can transition from a shared network to a segregated network. The data is checked to determine if it contains a keyed hash that is valid according to a domain-specific key; and data is checked to see if it can be successfully decrypted using a domain-specific cryptographic key (which may be the same or different to the key used for the keyed hash). Only if the keyed hash is valid and the data can be decrypted will the decrypted data be passed to the segregated network. This ensures that data belonging to a different domain is not passed to the segregated network.
Similarly, when sending data over a shared network, the data is both encrypted using a domain-specific cryptographic key and a keyed hash is applied using a domain-specific cryptographic key. The encryption and keyed hash provide two means of checking that data is of the appropriate domain when crossing onto a segregated network. The encryption and keyed hash can ensure that the data cannot be accessed (e.g. decrypted) by entities or devices without the appropriate clearance for the given data domain, and ensures that any tampering of the data can be detected. The two levels of security allow segregated data belonging to different data domains to be sent securely along a shared network without compromising the segregation of data.
The segregation capability can be embedded into multiple communications subsystems to exploit the common network. Multiple types of interface can be supported as the segregation functions are agnostic to the traffic carried. Real-time and IP based traffic can also be supported. Interfaces may be grouped into common domains for efficiency.
Supporting functionality can ensure that the available keys are controlled securely.
Keys may be changed using closed-loop controls that avoid reliance on software.
FPGA and hardware control interlocks may be used to ensure that keys are changed securely to prevent information crossing domain boundaries incorrectly.
The methods described herein fail safe by ensuring that any mismatch in keys (e.g. in validating the keyed hash or decrypting the data) results in the blocking of data transmission to the network. Each cryptographic sub-system (e.g. SEG 1 or SEG 2) is able to make cross-checks against those that have provided it data.
The solution is agnostic of the actual cryptographic algorithms used. The only criteria in selecting algorithms is ready availability and probability of an accidental match.
Therefore commercial grade algorithms can be used for convenience. Notably, it is not essential to provide confidentiality protection of the data via encryption (though this is possible). The primary focus is to cryptographically assure the segregation of domains. Cryptographic algorithms that are obsolete for confidentiality protection purposes could be used to assure segregation using this approach. Nevertheless, specific embodiments make use of Advanced Encryption Standard (AES) encryption and Secure Hashing Algorithm (SHA) hashing.
The proposed solution is intrinsically scalable, i.e. it makes extension of the system or network straightforward. Re-certification by certification organisations is more straightforward as the segregation functionality is fully agnostic to the data passing over it. Unlike a trusted gateway, it does not need to be programmed to account for the protocol or data schema of the connected interfaces.
A further advantage is that the solution facilitates the sharing of cryptographic units between transceivers (e.g. radios, Satcom) allowing a further reduction in total system size, weight, power and cost. The system allows common wiring/network to be implemented which simplifies installation, reducing cost, size, weight and total system power. It can also be embedded in other systems or technology to provide a trusted gateway to the shared network, further reducing total system cost, size, weight and power.
Whilst certain embodiments are described herein that show certain sub-systems, it will be appreciated that these sub-systems are primarily logical collections of electronic and/or software functionality. Accordingly, unless otherwise specified, these sub-systems may be implemented across multiple devices or within one device. In addition, certain sub-systems may be split into separate sub-systems for different functionalities (e.g. separate encryption and decryption subsystems may be provided).
Whilst certain embodiments make use of shared hardware (e.g. sharing the hashing subsystem 220 and network processor 230 across different segregated subsystems 210), alternative embodiments provide separate hardware (e.g. separate hashing subsystems 220 and/or network processors 230 for one or more of the segregated subsystems 210).
Segregated networks as described herein may be physically or temporally segregated. Physically segregated networks operate on different physical communication channels. Temporally segregated networks may operate on the same physical communication channel, but are segregated over time. Each segregated network is considered to correspond to a certain data domain. For temporally segregated networks, only one data domain may operate a given physical communication channel at any one time.
A certain data domain may include multiple different but complimentary classifications (e.g. a security classification level, a company confidentiality level, a safety level, etc.).
Accordingly, a "data domain" may actually relate to a combination of multiple sub-domains. Where this is the case, a domain-specific key may be applied to the overall data domain (the combination of sub-domains), or separate keys, encryption and hashing may be applied for each sub-domain.
Whilst certain embodiments make use of separate hardware modules (e.g. FPGAs) for certain functions, alternative embodiments implement equivalent functionality through software implemented one or more general purpose processors.
Implementations of the subject matter and the operations described in this specification can be realized in digital electronic circuitry, or in computer software, firmware, or hardware, including the structures disclosed in this specification and their structural equivalents, or in combinations of one or more of them. For instance, hardware may include processors, microprocessors, electronic circuitry, electronic components, integrated circuits, circuits, circuit elements (e.g., transistors, resistors. capacitors, inductors, and so forth), application specific integrated circuits (ASIC), programmable logic devices (PLD), digital signal processors (DSP), field programmable gate arrays (FPGA), logic gates, registers, semiconductor devices, chips, microchips, chip sets, and so forth. Implementations of the subject matter described in this specification can be realized using one or more computer programs, i.e., one or more modules of computer program instructions, encoded on computer storage medium for execution by, or to control the operation of, data processing apparatus. Alternatively or in addition, the program instructions can be encoded on an artificially-generated propagated signal, e.g., a machine-generated electrical, optical, or electromagnetic signal that is generated to encode information for transmission to suitable receiver apparatus for execution by a data processing apparatus. A computer storage medium can be, or be included in, a computer-readable storage device, a computer-readable storage substrate, a random or serial access memory array or device, or a combination of one or more of them. Moreover, while a computer storage medium is not a propagated signal, a computer storage medium can be a source or destination of computer program instructions encoded in an artificially-generated propagated signal.
The computer storage medium can also be, or be included in, one or more separate physical components or media (e.g., multiple CDs, disks, or other storage devices).
While certain arrangements have been described, the arrangements have been presented by way of example only, and are not intended to limit the scope of protection. The inventive concepts described herein may be implemented in a variety of other forms. In addition, various omissions, substitutions and changes to the specific implementations described herein may be made without departing from the scope of protection defined in the following claims.

Claims (15)

  1. 21 CLAIMS 1. A communication system configured to act as a secure boundary between a shared network and a plurality of segregated networks, each segregated network corresponding to one of a plurality of data domains, the communication system comprising: a shared interface configured to receive cryptographically protected data from the shared network; a plurality of segregated interfaces, wherein each segregated interface is configured to output data to a corresponding segregated network of the plurality of segregated networks; and a data segregation system configured to: receive, over the shared interface, data from the shared network that is addressed for one of the segregated networks; determine the data domain of the one of the segregated networks to which the data is addressed; determine whether the received data includes a keyed hash and, if so, verify the keyed hash using a first domain-specific cryptographic key corresponding to the data domain of the one of the segregated networks to which the data is addressed; attempt to decrypt the received data using a second domain-specific cryptographic key corresponding to the data domain of the one of the segregated networks to which the data is addressed; and in response to the received data containing a verified keyed hash and being successfully decrypted, output the decrypted data to the one of the segregated networks to which the data is addressed via the corresponding segregated interface.
  2. 2. The communication system of claim 1 wherein: the data segregation system comprises a plurality of segregated subsystems, each corresponding to one of the segregated interfaces, and a shared subsystem that is connected to the shared interface; the shared subsystem is configured to implement the verification of the keyed hash; and each of the plurality of segregated subsystems is configured to implement the decryption of the data received from the shared network using the corresponding second domain-specific cryptographic key that corresponds to the data domain of the corresponding segregated network.
  3. 3. The communication system of claim 2 wherein the data segregation system comprises a shared field programmable array configured to verify the keyed hash using the first domain-specific cryptographic key.
  4. 4. The communication system of claim 2 or claim 3 wherein each of the segregated subsystems includes a corresponding field programmable array configured to implement the decryption for that segregated subsystem.
  5. 5. The communication system of any preceding claim wherein the first and second domain-specific cryptographic keys are the same for a given data domain.
  6. 6. The communication system of any preceding claim wherein the data segregation system is configured to verify whether the received data has been successfully decrypted using the second domain-specific cryptographic key based on error detection code contained within the decrypted data.
  7. 7. The communication system of any preceding claim wherein: each of the plurality of segregated interfaces is further configured to receive data from its corresponding segregated network; the shared interface is further configured to output cryptographically protected data to the shared network; and the data segregation system is further configured to: receive data from one of the segregated networks via the corresponding segregated interface; encrypt the data received from the one of the segregated networks using a third domain-specific cryptographic key that corresponds to the data domain of the one of the segregated networks from which the data is received; generate a keyed hash of the encrypted data using a fourth domain-specific cryptographic key that corresponds to the data domain of the one of the segregated networks from which the data is received; apply the generated keyed hash to the encrypted data; and output the encrypted data with the generated keyed hash on the shared network via the shared interface.
  8. 8. The communication system of claim 7 wherein the data segregation system is configured to add error detection code to the data received from the one of the segregated networks prior to encrypting the data, wherein the error detection code is for use in verifying decryption of the encrypted data.
  9. 9. The communication system of any preceding claim wherein at least one of the plurality of segregated interfaces is a dynamic interface which is configured to switch between different data domains supported by the dynamic interface.
  10. 10. A communication system configured to act as a secure boundary between a shared network and a plurality of segregated networks, each segregated network corresponding to one of a plurality of data domains, the communication system comprising: a plurality of segregated interfaces, wherein each segregated interface is configured to receive data from a corresponding segregated network of the plurality of segregated networks; a shared interface configured to output cryptographically protected data to the shared network; and a data segregation system configured to: receive data from one of the segregated networks via the corresponding segregated interface; encrypt the received data using a first domain-specific cryptographic key that corresponds to the data domain of the one of the segregated networks from which the data is received; generate a keyed hash of the encrypted data using a second domain-specific cryptographic key that corresponds to the data domain of the one of the segregated networks from which the data is received; apply the keyed hash to the encrypted data; and output the encrypted data with the keyed hash on the shared network via the shared interface.
  11. 11. The communication system of claim 10 wherein: the data segregation system comprises a plurality of segregated subsystems, each corresponding to one of the segregated interfaces, and a shared subsystem that is connected to the shared interface; each of the plurality of segregated subsystems is configured to implement the encryption of data received from the corresponding segregated interface using a corresponding first domain-specific cryptographic key that corresponds to the data domain of the corresponding segregated network; and the shared subsystem is configured to implement the generation and application of keyed hashes using corresponding second domain-specific cryptographic keys that each corresponds to the data domain of the segregated network from which data is received.
  12. 12. The communication system of claim 11 wherein the data segregation system comprises a shared field programmable array configured to generate the keyed hash using the second domain-specific cryptographic key.
  13. 13. The communication system of claim 11 or claim 12 wherein each of the segregated subsystems includes a corresponding field programmable array configured to implement the encryption for that segregated subsystem.
  14. 14. The communication system of any of claims 10-13 wherein the first and second domain-specific cryptographic keys are the same for a given data domain.
  15. 15. The communication system of any of claims 10-14 wherein: the shared interface is further configured to receive cryptographically protected data from the shared network; each of the segregated interfaces is further configured to output data to its corresponding segregated network; and the data segregation system is further configured to: receive, over the shared interface, data from the shared network that is addressed for one of the segregated networks; determine the data domain of the one of the segregated networks to which the data is addressed; determine whether the received data includes a keyed hash and, if so, verify the keyed hash using a third domain-specific cryptographic key corresponding to the data domain of the one of the segregated networks to which the data is addressed; attempt to decrypt the received data using a fourth domain-specific cryptographic key corresponding to the data domain of the one of the segregated networks to which the data is addressed; and in response to the received data containing a verified keyed hash and being successfully decrypted, output the decrypted data to the one of the segregated networks to which the data is addressed via the corresponding segregated interface.
GB2302866.5A 2023-02-27 2023-02-27 Trusted multi-domain segregation Active GB2627535B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB2302866.5A GB2627535B (en) 2023-02-27 2023-02-27 Trusted multi-domain segregation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB2302866.5A GB2627535B (en) 2023-02-27 2023-02-27 Trusted multi-domain segregation

Publications (3)

Publication Number Publication Date
GB202302866D0 GB202302866D0 (en) 2023-04-12
GB2627535A true GB2627535A (en) 2024-08-28
GB2627535B GB2627535B (en) 2025-09-03

Family

ID=85793934

Family Applications (1)

Application Number Title Priority Date Filing Date
GB2302866.5A Active GB2627535B (en) 2023-02-27 2023-02-27 Trusted multi-domain segregation

Country Status (1)

Country Link
GB (1) GB2627535B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070183435A1 (en) * 2005-12-02 2007-08-09 Kettering Christopher B Methods and apparatus providing an airborne e-enabled architecture as a system of systems

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070183435A1 (en) * 2005-12-02 2007-08-09 Kettering Christopher B Methods and apparatus providing an airborne e-enabled architecture as a system of systems

Also Published As

Publication number Publication date
GB2627535B (en) 2025-09-03
GB202302866D0 (en) 2023-04-12

Similar Documents

Publication Publication Date Title
US11637696B2 (en) End-to-end communication security
EP2823619B1 (en) Policy for secure packet transmission using required node paths and cryptographic signatures
EP3254418B1 (en) Packet obfuscation and packet forwarding
Hu et al. Review of secure communication approaches for in-vehicle network
US8577036B2 (en) Method and device for transmitting messages in real time
US20050198412A1 (en) Trusted interface unit (TIU) and method of making and using the same
US11271901B2 (en) Integrated circuit
US6396929B1 (en) Apparatus, method, and computer program product for high-availability multi-agent cryptographic key recovery
Oyler et al. Security in automotive telematics: a survey of threats and risk mitigation strategies to counter the existing and emerging attack vectors
IL274628B (en) A system for transferring information with related fields and methods
Stapko Practical embedded security: building secure resource-constrained systems
GB2627535A (en) Trusted multi-domain segregation
Sahana et al. Survey on can-bus packet filtering firewall
Amirtahmasebi et al. Vehicular networks–security, vulnerabilities and countermeasures
KR20240129318A (en) Method for controlling access to in-vehicle network for external devices and gateway therefor
Filipe Analysis of Security in Railway Communication Networks based on 5G and WiFi
Nsour et al. Enhanced modified SecOC protocol for secure automotive networks a comprehensive cryptographic framework
CN120729543A (en) Data transmission method, device and electronic device
US20250047691A1 (en) Vehicle network security system and method
Sakon et al. Simple Cryptographic Key Management Scheme of the Electronic Control Unit in the Lifecycle of a Vehicle
US9781076B2 (en) Secure communication system
CN118036061A (en) Supervision government block chain data privacy protection method
Birrane Delay-Tolerant Security
Kohli et al. Secure Message Communication using Digital Signatures and Attribute Based Cryptographic Method in VANET
Capillon et al. Combining security assurance and high performance in hostile environments