⟦39ee19ece⟧ Wang Wps File
Length: 70268 (0x1127c)
Types: Wang Wps File
Notes: SFS/TN/004
Names: »3489A «
Derivation
└─⟦2c1d27607⟧ Bits:30006216 8" Wang WCS floppy, CR 0284A
└─ ⟦this⟧ »3489A «
NATO UNCLASSIFIED
SFS/TN/004 1983-05-30
CONFIGURATION STUDY Page #
T̲A̲B̲L̲E̲ ̲O̲F̲ ̲C̲O̲N̲T̲E̲N̲T̲S̲
                                                         Page
1 GENERAL ..................................................... 3
1.1 INTRODUCTION .............................................. 3
1.2 TERMS AND ABBREVIATIONS ................................... 3
1.2.1 Terms ................................................... 3
1.2.2 Abbreviations ........................................... 4
2 TIME DIVISION MULTIPLEXING .................................. 5
2.1 ANALYSIS .................................................. 5
2.1.1 The need ................................................ 5
2.1.2 The requirements ........................................ 5
2.1.3 The problems ............................................ 8
2.1.3.1 Security .............................................. 8
2.1.3.2 Complexity ............................................ 9
2.1.3.3 Delay ................................................. 9
2.1.3.4 Channel Capacity ...................................... 9
2.1.3.5 Overflow .............................................. 9
2.1.4 Conclusion .............................................. 10
2.2 MULTICHANNEL SECURITY FILTER .............................. 11
2.2.1 General Description ..................................... 11
2.2.2 Data flow ............................................... 13
2.2.3 Message Block Specification ............................. 13
2.2.3.1 The Header ............................................ 14
2.2.3.2 Message Body .......................................... 16
2.2.3.3 Trailer ............................................... 16
2.2.4 Interface Specification ................................. 16
2.2.4.1 Line Interface ........................................ 16
2.2.4.2 Input Bus ............................................. 17
2.2.4.3 Internal Interface Specification ...................... 19
2.2.4.4 Output Bus ............................................ 19
2.2.5 Module Specification .................................... 20a
2.2.5.1 Line Terminator (LT) .................................. 20a
2.2.5.2 Multi Purpose Processor (MPP) ......................... 26a
2.2.5.3 Input Control ......................................... 33a
2.2.5.4 Output Control ........................................ 33a
2.2.5.5 Gate Keeper ........................................... 34a
2.2.5.6 Tape Recorder ......................................... 37
2.2.5.7 Terminal .............................................. 38
2.3 PERFORMANCE ............................................... 39
2.3.1 Security ................................................ 39
2.3.1.1 Illegal Source/Validation table/sink relationship ..... 39
2.3.1.2 Residue ............................................... 40
2.3.1.3 Cross-talk ............................................ 40
2.3.2 Throughput .............................................. 40
2.3.3 Delay ................................................... 42
3 SHARING OF HARDWARE ......................................... 44
3.1 ANALYSIS .................................................. 44
3.2 SECURITY .................................................. 45
3.3 CONCLUSION ................................................ 45
4 OTHER SYSTEM CONFIGURATIONS ................................. 47
4.1 INSTALLATION SITE ......................................... 47
4.2 UNCLASSIFIED SYSTEM LOW ................................... 47
5 COMMON SOFTWARE AND HARDWARE ................................ 48
5.1 COMMON SOFTWARE ........................................... 48
5.2 COMMON HARDWARE ........................................... 48
6 COMMERCIALLY AVAILABLE HARDWARE AND SOFTWARE ................ 49
6.1 HARDWARE .................................................. 49
6.2 SOFTWARE .................................................. 49
7 ELECTRONIC SWITCHER ......................................... 50
7.1 DEFINITION ................................................ 50
7.2 ANALYSIS .................................................. 50
7.2.1 Electromagnetic Coupling ................................ 51
7.2.2 Parasitic Capacitance ................................... 51
7.2.3 Transfer Characteristic ................................. 52
7.2.4 Galvanic Coupling ....................................... 52
7.2.5 Coupling through the Power Supply ....................... 52
7.3 SECURITY REQUIREMENTS ..................................... 52
7.4 SELECTED SWITCH TYPES ..................................... 53
7.4.1 Reed Relay .............................................. 53
7.4.2 Semiconductor Logic Switch .............................. 54
7.4.3 Electro-optical Switch .................................. 55
7.5 DESIGN EXAMPLES ........................................... 55
7.5.1 Reed Relay .............................................. 55
7.5.2 Semiconductor Logic Switch .............................. 56
7.5.3 Electro-optical Switch .................................. 56
1̲ ̲ ̲G̲E̲N̲E̲R̲A̲L̲
1.1 I̲N̲T̲R̲O̲D̲U̲C̲T̲I̲O̲N̲
This technical note represents the output of work package
no. 320, Configuration Study, within the framework
of the Security Filter Study, performed under contract
no. FK 8219 between the Air Material Command of the
RDAF and Christian Rovsing A/S.
The Configuration Study shall examine the feasibility
and the performance of technical solutions to:
- Multiplexing two or more communication lines through
one filter
- Sharing of hardware between two or more filters
- Other systems configurations (installation site,
security levels)
- Use of common software and hardware
- Use of commercially available hardware and software
(multi-source)
- Use of electronic switches
Each point will be treated separately in the following
chapters.
1.2 T̲E̲R̲M̲S̲ ̲A̲N̲D̲ ̲A̲B̲B̲R̲E̲V̲I̲A̲T̲I̲O̲N̲S̲
Within this document, the definitions of terms and
abbreviations below are used.
1.2.1 T̲e̲r̲m̲s̲
Certification: the verification given by a national security agency, based on a study of the system by a technically competent independent organization, that the system as designed meets the security specifications of the system.
Corruption: transmission of a message with a higher classification than the low side level from low to high.
Covert Channels: non-authorized means of conveying information which could lead to a security breach.
Migration: transmission of a message with a higher classification level than the low side level from high to low.
Security Breach: the non-authorized disclosure of classified information.
Validation: the act of evaluating the legality of a message.
1.2.2 A̲b̲b̲r̲e̲v̲i̲a̲t̲i̲o̲n̲s̲
ADP Automatic Data Processing
MTBF Mean Time Between Failure
MTTR Mean Time To Repair
PFSB Probability For Security Breach
SA Security Administrator
SF Security Filter (SYSTEM)
2̲ ̲ ̲T̲I̲M̲E̲ ̲D̲I̲V̲I̲S̲I̲O̲N̲ ̲M̲U̲L̲T̲I̲P̲L̲E̲X̲I̲N̲G̲
2.1 A̲N̲A̲L̲Y̲S̲I̲S̲
2.1.1 T̲h̲e̲ ̲n̲e̲e̲d̲
ADP systems often have many communication lines in
and out. This raises a demand for a solution, which
is more cost efficient than a simple duplication of
hardware. This demand can often be met by time division
multiplexing or time slicing methods. The idea is to
utilise the hardware more efficiently by letting it
handle several channels on a time sliced basis. The
slice may be either at bit level, often called time
division multiplex, or at a higher level (message),
often called time slicing.
2.1.2 T̲h̲e̲ ̲r̲e̲q̲u̲i̲r̲e̲m̲e̲n̲t̲s̲
The general requirement to the multiplexing functions
is a restriction to fixed point-to-point communication.
See figure 2-1 overleaf.
The channel of ADP system A using line no. 1A must
communicate only with the channel of ADP system C using
line no. 1C.
The particular characteristics which must be considered
when evaluating potential solutions are first of all
o Security in all aspects.
o The cost should be substantially reduced compared
to the simple hardware duplication.
o The design must accommodate certification.
o Delay must be kept low.
o The filter shall be transparent to the connected
ADP systems except for the delay.
o The channel capacity must not be (significantly)
reduced.
o The design shall provide reliable operation.
o Behaviour in case of a failure must be acceptable.
Fig. 2-1: Multi Channel Security Filter, communication paths
2.1.3 T̲h̲e̲ ̲p̲r̲o̲b̲l̲e̲m̲s̲
The potential problems in multiplexing have already
been suggested in para 2.2. They are in summary
o Security
o Complexity
o Delay
o Channel Capacity
o Overflow
It is throughout this subsection assumed that sufficient
processing power is available to perform the validation
in negligible time.
2.1.3.1 S̲e̲c̲u̲r̲i̲t̲y̲
The multiplexing inherently introduces a multitude
of failure modes which may lead to security breach.
The most obvious risks are
o Illegal source/validation table/sink relationship.
The mere fact that there are several channels increases
the risk of passing classified information to a
channel with too low security level.
o Residue
A residue of classified information may inadvertently
be carried along with a lower classified message.
o Cross-talk
The presence of several inputs and/or outputs gives
the risk of cross-talk, here used to describe any
mechanism which may unintentionally convey legible
information from one channel to another.
2.1.3.2 C̲o̲m̲p̲l̲e̲x̲i̲t̲y̲
Multiplexing hardware/software may be more or less
complex. Very high efficiency is typically achieved
through high complexity. High complexity typically
gives very complicated failure modes and is therefore
not attractive from a security point of view.
2.1.3.3 D̲e̲l̲a̲y̲
The delay will in general be increased by the multiplexing,
but the amount of delay is heavily dependent
upon the combination of multiplexing scheme and the
hardware configuration.
Multiplexing on bit or byte level gives only negligible
additional delay, while multiplexing of many channels
on message level may give excessive delays.
So, from a delay point of view the lowest level is
preferred. However, considerations of security risks
lead to a multiplexing on message level. Hence, the
hardware configuration must be adjusted to provide
an acceptably low delay.
2.1.3.4 C̲h̲a̲n̲n̲e̲l̲ ̲C̲a̲p̲a̲c̲i̲t̲y̲
Channel capacity is another exposed parameter. The
reference capacity is, in this context, the capacity
of a particular channel without any filter. Insertion
of a multiplexed filter may reduce the capacity significantly
unless precautions are made.
2.1.3.5 O̲v̲e̲r̲f̲l̲o̲w̲
Message Overflow situations may occur, either as a
result of failures inside or outside the filter, or
perhaps even as an acceptable (rare) situation. In
all cases, the system must respond to such a situation
in a secure manner.
2.1.4 C̲o̲n̲c̲l̲u̲s̲i̲o̲n̲
The previous subsection suggests the following characteristics
of a viable solution.
o Multiplexing is on message level. Only one message
is processed at a time and the message is fully
processed without interference from other channels
or messages from the same channel.
o A Line Terminator is provided for each channel
to provide the necessary reception and storage
capacity for minimizing a decrease in the individual
channel capacities.
This also minimizes the risk of electromagnetic
or galvanic cross-talk.
o All information in common areas is erased before
a new message is entered.
o A dedicated, simple hardware/firmware control circuit
establishes the input/output path, validated according
to a preprogrammed table with legal combinations.
The control is backed up by an alternative (redundant)
communication path verification method.
o The channels are multiplexed by offering service
in a cyclic manner. The processing power shall
be sufficient to service a worst case situation
and secure methods with acceptable performance
shall be used in case of an overflow situation.
o The software complexity should be minimized, e.g.
by designing separate packages for each channel.
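The fourth point above (a preprogrammed table of legal combinations, backed up by a redundant verification method) can be made concrete in software. The following C model is an added illustration and not part of this technical note or the Christian Rovsing design: it keeps the table of legal input/output channel pairs in two independently stored copies and only establishes a path when both agree, so that a single fault in the table memory fails towards refusal rather than towards an illegal source/sink relationship. The bitmask layout, the complemented second copy, the four-bit channel numbers and the sample pairs are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Added example, not part of SFS/TN/004: a model of the preprogrammed table of
 * legal input/output channel combinations with a redundant verification path.
 * Channel numbers are 4 bits (0..15) as on the Input Bus. The table layout
 * (one bitmask per input channel) and the complemented copy are assumptions
 * chosen to illustrate fail-safe behaviour, not the study's own design. */

#define MAX_CHANNELS 16

/* Primary table: bit `out` of legal_sink[in] set means input `in` may be
 * routed to output `out`. */
static uint16_t legal_sink[MAX_CHANNELS];

/* Redundant copy, stored bitwise complemented (assumption): a cleared or
 * stuck-at-0 memory word cannot make both copies report "legal". */
static uint16_t legal_sink_inv[MAX_CHANNELS];

/* Program both copies from a list of fixed point-to-point (input, output) pairs.
 * Returns the number of pairs accepted; out-of-range pairs are ignored. */
int program_table(const uint8_t (*pairs)[2], int n)
{
    int accepted = 0;
    memset(legal_sink, 0x00, sizeof legal_sink);
    memset(legal_sink_inv, 0xFF, sizeof legal_sink_inv);
    for (int k = 0; k < n; k++) {
        uint8_t in = pairs[k][0], out = pairs[k][1];
        if (in >= MAX_CHANNELS || out >= MAX_CHANNELS)
            continue;
        legal_sink[in] |= (uint16_t)(1u << out);
        legal_sink_inv[in] &= (uint16_t)~(1u << out);
        accepted++;
    }
    return accepted;
}

/* Primary check: the control circuit's table lookup. */
static bool primary_allows(uint8_t in, uint8_t out)
{
    return in < MAX_CHANNELS && out < MAX_CHANNELS &&
           (legal_sink[in] & (1u << out)) != 0;
}

/* Redundant check: the complemented copy must give the same answer. */
static bool redundant_allows(uint8_t in, uint8_t out)
{
    return in < MAX_CHANNELS && out < MAX_CHANNELS &&
           (legal_sink_inv[in] & (1u << out)) == 0;
}

/* Path set-up: the input/output path is established only when both methods
 * agree that the combination is legal. A disagreement is a failure inside the
 * filter and the path is refused rather than granted. */
bool path_granted(uint8_t in, uint8_t out)
{
    return primary_allows(in, out) && redundant_allows(in, out);
}

/* Fault injection for illustration: a single bit set in the primary table
 * that would, on its own, open a path the table was never programmed with. */
void corrupt_primary(uint8_t in, uint8_t out)
{
    if (in < MAX_CHANNELS && out < MAX_CHANNELS)
        legal_sink[in] |= (uint16_t)(1u << out);
}
```

With the pairs (1,5) and (2,6) programmed, path_granted(1,5) is true and path_granted(1,6) is false; after corrupt_primary(1,6) the primary lookup alone would now grant 1 to 6, but the complemented copy disagrees and the path stays refused while the legal path 1 to 5 is unaffected.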
2.2 M̲U̲L̲T̲I̲C̲H̲A̲N̲N̲E̲L̲ ̲S̲E̲C̲U̲R̲I̲T̲Y̲ ̲F̲I̲L̲T̲E̲R̲
2.2.1 G̲e̲n̲e̲r̲a̲l̲ ̲D̲e̲s̲c̲r̲i̲p̲t̲i̲o̲n̲
Please refer to figure 2-2 overleaf. The Multichannel
Security Filter (MCSF) is a multi-input/multi-output
configuration where all channels share the Multi Purpose
Processor (MPP), the Gate Keepers GK and the terminal.
One Line Terminator is used for each channel, each
with storage capacity for two messages in each direction.
The received message is transferred to the MPP with
high speed over the Input Bus under supervision of
the Input control.
The message is preprocessed and validated in the same
way as if it were a single channel filter.
After validation, the message is transferred to the
buffer memory of the selected Line Terminator under
supervision of the Output Control. Finally, the Line
Terminator performs the transmission of the message.
The MCSF is a modular expansion of the single channel
filter using the same basic concept, only with a few
additional components to control the data paths.
The basic security is achieved by using a cellular
structure in several levels with both hardware and
software restrictions on the capabilities, in particular
the communication capabilities across the cell boundaries.
Fig. 2-2: MULTI CHANNEL SECURITY FILTER (MCSF)
2.2.2 D̲a̲t̲a̲ ̲f̲l̲o̲w̲
Messages from all input lines are received and stored
independently in the Line Terminators.
The Input Control interrogates the modules cyclically.
The interrogation is acknowledged if a full message
has been received, and the message is transferred in
byte-parallel to the MPP.
Message preprocessing and validation is performed exactly
as for the single channel security filter with the
remark that input and output channel identification
must be provided together with the message when logged
or displayed on the operators terminal for operator
assisted validation.
The validated message is transferred to the Line Terminator
addressed by the Output Control. The entire message
is transferred to the memory of the Line Terminator
at high speed.
The Operator Assisted Validation is performed in parallel
with the automated validation. The entire message is
transferred to and stored in the operator's terminal
during the partial validation. After this, the entire
message is transferred to the GK for automated validation
of the remaining fields.
A replica of the message is retained in the Mag Tape
Interface of the MPP.
The buffer is erased if the message has been accepted.
Otherwise, the message is logged onto the tape before
erasure of the buffer.
2.2.3 M̲e̲s̲s̲a̲g̲e̲ ̲B̲l̲o̲c̲k̲ ̲S̲p̲e̲c̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
The received message is augmented with auxiliary information
arranged in a header. The combined and formatted block
is called the Message Block. See figure 2-3 overleaf.
The header is generated in the Line Terminator from
the contents of the message.
The Message Block is transferred as an entity throughout
the Filter.
2.2.3.1 T̲h̲e̲ ̲H̲e̲a̲d̲e̲r̲
The Header is composed of the following elements
o Channel number
The channel number is provided by the Input Control
circuit.
o Reception and channel status
The status comprises the status provided by the
receiver circuit i.e. synchronisation status and
FCS check result. The channel status comprises
e.g. number of retransmissions before correct reception.
o Block Size
The number of bytes in the Message Block
o Header Size
The number of bytes in the Header
o CRC check word
The Cyclic Redundancy Check word generated from
the message.
o Message Directory
A list of entry points for the sets and fields
of the message, generated by examining the received
characters of the message for the set and field
delimiters.
Header:  Channel number
         Reception and Input Line Status
         Block size
         Header size
         CRC Check Word
         Message Directory
Message: The received message
Trailer: Channel number
Fig. 2-3: MESSAGE BLOCK FORMAT
2.2.3.2 M̲e̲s̲s̲a̲g̲e̲ ̲B̲o̲d̲y̲
The Message Body is the received message, ordered into
bytes of characters.
2.2.3.3 T̲r̲a̲i̲l̲e̲r̲
The Trailer is a single byte with the channel number,
inserted by the Input Control circuit.
2.2.4 I̲n̲t̲e̲r̲f̲a̲c̲e̲ ̲S̲p̲e̲c̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
The following interface specifications describe the
internal as well as the external electrical interfaces
of the Multi Channel Security Filter.
2.2.4.1 L̲i̲n̲e̲ ̲I̲n̲t̲e̲r̲f̲a̲c̲e̲
The procedural and logical requirements are as specified
in the CCITT rec. X.25.
2.2.4.1.1 Electrical interface: MIL-STD-188C
2.2.4.1.2 Electrical protection: TBS
2.2.4.2 I̲n̲p̲u̲t̲ ̲B̲u̲s̲
The Input Bus provides the common data path from the
line Terminator (input) to the Multi Purpose Processor.
2.2.4.2.1 P̲r̲o̲t̲o̲c̲o̲l̲
2.2.4.2.1.1 I̲n̲t̲e̲r̲r̲o̲g̲a̲t̲i̲o̲n̲
The Input Control issues an active level on one of
the Channel Select lines. This signal causes the selected
Line Terminator to present at the data output the channel
number (four bit) and the status.
The status indicates whether a buffer is ready for
transfer.
If a buffer is ready, the transfer is initiated, otherwise
the corresponding select line is set to inactive and
the next higher channel number (modulo the present
number of channels) is interrogated.
2.2.4.2.1.2 I̲n̲i̲t̲i̲a̲t̲i̲o̲n̲
The selected Line Terminator which has a buffer ready
for transfer will provide an active level on the Buffer
Ready Line.
This line is monitored by the Multi Purpose Processor
MPP which responds with a pulse on the Data Strobe
line when it is ready for input. This will cause the
first byte of the Message Block to appear on the Input
Bus data lines.
2.2.4.2.1.3 T̲r̲a̲n̲s̲f̲e̲r̲
The transfer is byte sequential. The MPP requests the
next byte of the Message Block to be presented on the
Input Bus data lines by issuing a pulse on the Data
Strobe line.
The MPP continues to request the next byte for as long
as the Buffer Ready line remains active.
An active-to-inactive transition indicates that the
present byte is the last in the current block.
2.2.4.2.1.4 T̲e̲r̲m̲i̲n̲a̲t̲i̲o̲n̲
The transfer is terminated by issuing a pulse while
the Buffer Ready line is inactive. This situation is
sensed by the Input Control which responds by de-activating
the current Channel Select line and interrogating the
next channel.
2.2.4.2.1.5 P̲r̲e̲m̲a̲t̲u̲r̲e̲ ̲T̲e̲r̲m̲i̲n̲a̲t̲i̲o̲n̲
The MPP may enforce a termination (abnormal condition)
by forcing a low on the Buffer Ready line and subsequently
issue a pulse on the Data Strobe line.
2.2.4.2.2 L̲o̲g̲i̲c̲a̲l̲ ̲i̲n̲t̲e̲r̲f̲a̲c̲e̲ ̲s̲p̲e̲c̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
The transfer employs the following lines:
o Data, eight three-state lines.
The Signal source is the selected Line Terminator.
o Channel Select, source is Input Control
o Buffer Ready, Open Collector line, source is normally
selected Line Terminator, source is MPP in case
of premature termination
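The Input Bus protocol of 2.2.4.2.1 (interrogation, initiation, transfer, termination and premature termination) and the three signal groups listed above can be exercised as a small software model. The C program below is an added example, not part of this technical note: the Line Terminators, the Input Control and the MPP are separate actors sharing the Data, Channel Select and Buffer Ready lines, and every state change follows the sentence in the protocol text that the comment cites. Four channels, a 64-byte block limit, bit 7 of the status byte meaning "buffer ready", and the Line Terminator releasing its buffer after any termination are constructed assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Added example, not part of SFS/TN/004: a software model of the Input Bus
 * handshake with the Line Terminators (LT), the Input Control and the MPP as
 * separate actors on shared lines. Constructed assumptions: four channels,
 * a 64-byte block limit, bit 7 of the status byte as "buffer ready", and the
 * Line Terminator releasing its buffer after any termination. */

#define NCHAN     4
#define BLOCK_MAX 64

typedef struct {
    uint8_t block[BLOCK_MAX];   /* Message Block waiting for transfer */
    int     len;                /* 0 = no full message received yet */
    int     pos;                /* index of the next byte to present */
    bool    selected;           /* state of this LT's Channel Select line */
} LineTerminator;

typedef struct {
    uint8_t data;               /* eight three-state lines, driven by the selected LT */
    bool    buffer_ready;       /* open collector: LT drives it, MPP may force it low */
} InputBus;

static LineTerminator lt[NCHAN];
static InputBus bus;
static int select_ptr;          /* Input Control: channel currently being interrogated */

/* Line side: a full message has been received and its block is ready. */
bool lt_load_block(int ch, const uint8_t *blk, int len)
{
    if (ch < 0 || ch >= NCHAN || len <= 0 || len > BLOCK_MAX || lt[ch].len != 0)
        return false;
    memcpy(lt[ch].block, blk, (size_t)len);
    lt[ch].len = len;
    lt[ch].pos = 0;
    return true;
}

/* LT reaction to an active Channel Select (2.2.4.2.1.1): present the four-bit
 * channel number and the status on the data lines, drive Buffer Ready. */
static void lt_on_select(int ch)
{
    bool ready = lt[ch].len > 0;
    lt[ch].selected = true;
    lt[ch].pos = 0;
    bus.data = (uint8_t)((ready ? 0x80 : 0x00) | (ch & 0x0F));
    bus.buffer_ready = ready;
}

/* LT reaction to a Data Strobe pulse (2.2.4.2.1.3): present the next byte.
 * Buffer Ready goes inactive together with the last byte of the block. */
static void lt_on_strobe(int ch)
{
    if (lt[ch].pos < lt[ch].len) {
        bus.data = lt[ch].block[lt[ch].pos++];
        bus.buffer_ready = lt[ch].pos < lt[ch].len;
    }
}

/* Input Control: interrogate channels cyclically, modulo NCHAN, until one
 * reports a buffer ready. Returns that channel, or -1 after a full idle round. */
static int input_control_interrogate(void)
{
    for (int tries = 0; tries < NCHAN; tries++) {
        int ch = select_ptr;
        lt_on_select(ch);
        if (bus.buffer_ready)
            return ch;
        lt[ch].selected = false;                /* select line back to inactive */
        select_ptr = (select_ptr + 1) % NCHAN;  /* next higher channel number */
    }
    return -1;
}

/* Input Control sensing a strobe while Buffer Ready is inactive (2.2.4.2.1.4):
 * de-activate the Channel Select line and move on to the next channel. */
static void input_control_terminate(int ch)
{
    lt[ch].selected = false;
    lt[ch].len = 0;                             /* buffer released (assumption) */
    lt[ch].pos = 0;
    select_ptr = (ch + 1) % NCHAN;
}

/* MPP side: receive one complete Message Block into `out`. Returns the byte
 * count and sets *channel; returns -1 if the block exceeded `max` and the MPP
 * had to enforce a premature termination (2.2.4.2.1.5). */
int mpp_receive_block(uint8_t *out, int max, int *channel)
{
    int ch = input_control_interrogate();
    if (ch < 0) {
        *channel = -1;
        return 0;
    }
    *channel = ch;
    int n = 0;
    while (bus.buffer_ready && n < max) {
        lt_on_strobe(ch);                       /* Data Strobe pulse: byte appears */
        out[n++] = bus.data;                    /* Buffer Ready dropping here marks the last byte */
    }
    if (bus.buffer_ready) {
        bus.buffer_ready = false;               /* abnormal: MPP forces Buffer Ready low ... */
        input_control_terminate(ch);            /* ... and then pulses Data Strobe */
        return -1;
    }
    input_control_terminate(ch);                /* normal termination strobe */
    return n;
}
```

Loading a three-byte block on channel 2 and calling mpp_receive_block returns 3 with channel 2 after channels 0 and 1 have been interrogated and skipped; a ten-byte block received with max set to 4 returns -1, and the following call finds no buffer ready because the premature termination released it.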
2.2.4.2.3 E̲l̲e̲c̲t̲r̲i̲c̲a̲l̲ ̲i̲n̲t̲e̲r̲f̲a̲c̲e̲ ̲s̲p̲e̲c̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
TBS
2.2.4.3 I̲n̲t̲e̲r̲n̲a̲l̲ ̲I̲n̲t̲e̲r̲f̲a̲c̲e̲ ̲S̲p̲e̲c̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
The Internal Interface Specification is applicable
to the interfaces between the MPP and the Gate Keeper.
2.2.4.3.1 P̲r̲o̲t̲o̲c̲o̲l̲
The protocol is as described in section 2.2.4.2.1 with
the remark that the Channel Select input is permanently
connected to an active level.
2.2.4.3.2 L̲o̲g̲i̲c̲a̲l̲ ̲I̲n̲t̲e̲r̲f̲a̲c̲e̲ ̲S̲p̲e̲c̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
As described in section 2.2.4.2.2 with the remark that
the Channel Select line is permanently connected to
an active level.
2.2.4.3.3 E̲l̲e̲c̲t̲r̲i̲c̲a̲l̲ ̲I̲n̲t̲e̲r̲f̲a̲c̲e̲ ̲S̲p̲e̲c̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
TBS
2.2.4.4 O̲u̲t̲p̲u̲t̲ ̲B̲u̲s̲
The Output Bus provides the common data path from the
Gate Keeper(s) to the Line Terminators.
2.2.4.4.1 P̲r̲o̲t̲o̲c̲o̲l̲
2.2.4.4.1.1 I̲n̲t̲e̲r̲r̲o̲g̲a̲t̲i̲o̲n̲
The output control logic alternately senses the Channel
Request input from the two Gate Keepers in idle periods.
When one of the Gate Keepers is requesting service,
the corresponding Channel Number lines are used to
select the proper Line Terminator by an active level
on the corresponding Channel Select Line and an active
level is issued on the corresponding Bus Grant Line.
The communication path has now been set up.
2.2.4.4.1.2 I̲n̲i̲t̲i̲a̲t̲i̲o̲n̲
The selected Line Terminator issues an active level
on the Buffer Ready line when selected while one of
the two buffers is free.
Otherwise, the active level is delayed until one of
the buffers has been released.
The Line Terminator will present the Channel address
and the Channel Status on the data lines while selected
and until an active level appears on the Data Strobe
line.
2.2.4.4.1.3 T̲r̲a̲n̲s̲f̲e̲r̲
The Gate Keeper issues a pulse on the Data Strobe line
to indicate the presence of the first byte of data
on the Data lines.
2.2.5 M̲o̲d̲u̲l̲e̲ ̲S̲p̲e̲c̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
The specifications given in this subsection comprise
the Line Terminator, the Multi Purpose Processor, the
Input Control and the Output Control.
The specifications given could be considered as draft
versions of part of the final specifications which
is to be provided later on.
It has been found necessary to work out the following
specifications in order to demonstrate the feasibility
of and analyse the security aspects of a Multi Channel
Security Filter.
2.2.5.1 L̲i̲n̲e̲ ̲T̲e̲r̲m̲i̲n̲a̲t̲o̲r̲ ̲(̲L̲T̲)̲
2.2.5.1.1 G̲e̲n̲e̲r̲a̲l̲
The LT implements the interface between the X.25 protocol
of the serial communication channel and the internal
byte parallel Message Block format of the Security
Filter.
2.2.5.1.2 F̲u̲n̲c̲t̲i̲o̲n̲a̲l̲ ̲S̲p̲e̲c̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
The functions are divided into the following groups
a) Serial Interface
b) Message Block generation
c) Message Block verification
d) Buffer handling
e) Parallel Output
f) Parallel Input
2.2.5.1.2.1 S̲e̲r̲i̲a̲l̲ ̲I̲n̲t̲e̲r̲f̲a̲c̲e̲
The Serial Interface is specified by the CCITT recommendation
X.25 levels 1 and 2, except for the electrical characteristics.
Level 1 specifies the physical, electrical, functional
and procedural characteristics to establish, maintain
and disconnect the physical link between the communicating
devices.
Level 2 specifies the link access procedure for data
interchange across the link between the communicating
devices.
2.2.5.1.2.2 M̲e̲s̲s̲a̲g̲e̲ ̲B̲l̲o̲c̲k̲ ̲G̲e̲n̲e̲r̲a̲t̲i̲o̲n̲
The Message Block is generated from the received information
as specified in section 2.2.3, Message Block Specification.
The message is stored byte-wise in the Buffer Memory
in the order it is received, and the header is supplied
in front of the message as specified.
2.2.5.1.2.3 M̲e̲s̲s̲a̲g̲e̲ ̲B̲l̲o̲c̲k̲ ̲V̲e̲r̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
The Message Block Verification is made prior to the
serial transmission of a validated message.
The following verifications shall be successfully completed
before the transmission can take place.
o Check that Output device number is correct
o Perform Cyclic Redundancy Check
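The Message Block Generation (2.2.5.1.2.2) and the Message Block Verification just listed, together with the Message Block Specification of section 2.2.3, can be carried through in code. The C program below is an added example, not the note's own format or firmware: it builds a block from a received message (header with channel number, status, block size, header size, CRC check word and Message Directory; body; trailer) and, on the output side, checks the output device number, the byte count against the header and the CRC before transmission. The study names the header elements but fixes neither their widths, the CRC polynomial nor the set/field delimiters, so the 16-bit big-endian sizes, CRC-16/CCITT-FALSE, newline as set delimiter, comma as field delimiter and the one-byte directory count are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not part of SFS/TN/004: one possible byte layout of the
 * Message Block together with its generation in the Line Terminator and its
 * verification before serial transmission. All widths, the CRC polynomial and
 * the delimiters are assumptions for illustration.
 *
 * Header: [0] channel  [1] status  [2..3] block size  [4] header size
 *         [5..6] CRC of the message  [7] directory count  [8..] directory
 *         entries, 16 bits each, offset of each set/field start in the body
 * Body:   the received message        Trailer: [last] channel number */

#define MSG_MAX   8000       /* "Message size: max. 8000 bytes" (2.2.5.1.4) */
#define DIR_MAX   120        /* keeps the header size within one byte */
#define HDR_FIXED 8
#define SET_DELIM '\n'
#define FLD_DELIM ','

enum { MB_OK = 0, MB_BAD_LENGTH = 1, MB_BAD_CHANNEL = 2, MB_BAD_CRC = 3 };

/* CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no reflection, no final XOR. */
uint16_t crc16_ccitt(const uint8_t *d, int n)
{
    uint16_t crc = 0xFFFF;
    for (int i = 0; i < n; i++) {
        crc ^= (uint16_t)((uint16_t)d[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021)
                                 : (uint16_t)(crc << 1);
    }
    return crc;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint16_t get16(const uint8_t *p)  { return (uint16_t)((p[0] << 8) | p[1]); }

/* Read directory entry i (offset into the body) from a built block, -1 if none. */
int directory_entry(const uint8_t *blk, int i)
{
    if (i < 0 || i >= blk[7]) return -1;
    return get16(blk + HDR_FIXED + 2 * i);
}

/* Line Terminator side: build the Message Block from the received message.
 * Returns the block length, or -1 if the message or block does not fit. */
int build_message_block(uint8_t channel, uint8_t status,
                        const uint8_t *msg, int msg_len,
                        uint8_t *blk, int blk_max)
{
    if (msg_len < 0 || msg_len > MSG_MAX) return -1;

    /* Message Directory: entry point of the first field, then of every
     * set or field that follows a delimiter. */
    uint16_t entries[DIR_MAX];
    int n = 0;
    if (msg_len > 0) entries[n++] = 0;
    for (int i = 0; i < msg_len; i++) {
        if (msg[i] == SET_DELIM || msg[i] == FLD_DELIM) {
            if (n == DIR_MAX) return -1;
            entries[n++] = (uint16_t)(i + 1);
        }
    }

    int hdr_len = HDR_FIXED + 2 * n;
    int blk_len = hdr_len + msg_len + 1;
    if (blk_len > blk_max || blk_len > 0xFFFF) return -1;

    blk[0] = channel;
    blk[1] = status;
    put16(blk + 2, (uint16_t)blk_len);
    blk[4] = (uint8_t)hdr_len;
    put16(blk + 5, crc16_ccitt(msg, msg_len));
    blk[7] = (uint8_t)n;
    for (int i = 0; i < n; i++) put16(blk + HDR_FIXED + 2 * i, entries[i]);
    memcpy(blk + hdr_len, msg, (size_t)msg_len);
    blk[blk_len - 1] = channel;                  /* trailer */
    return blk_len;
}

/* Line Terminator side, before serial transmission: verify that the block is
 * addressed to this output device (header and trailer), that the byte count
 * matches the header, and that the message body still passes the CRC. */
int verify_message_block(const uint8_t *blk, int blk_len, uint8_t own_channel)
{
    if (blk_len < HDR_FIXED + 1 || get16(blk + 2) != (uint16_t)blk_len ||
        blk[4] < HDR_FIXED || blk[4] + 1 > blk_len)
        return MB_BAD_LENGTH;
    if (blk[0] != own_channel || blk[blk_len - 1] != own_channel)
        return MB_BAD_CHANNEL;
    int body_len = blk_len - blk[4] - 1;
    if (crc16_ccitt(blk + blk[4], body_len) != get16(blk + 5))
        return MB_BAD_CRC;
    return MB_OK;
}
```

For the constructed message "AB,CD\nEF" on channel 3 the directory has three entries (offsets 0, 3 and 6), the header is 14 bytes and the block 23 bytes; verification passes for channel 3, fails with MB_BAD_CHANNEL for any other output device, with MB_BAD_LENGTH when the byte count disagrees with the header, and with MB_BAD_CRC after a single body byte is altered.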
2.2.5.1.2.4 B̲u̲f̲f̲e̲r̲ ̲h̲a̲n̲d̲l̲i̲n̲g̲
Two pairs of buffers are available for storage of messages,
one pair for input and one pair for output. The two
buffers of a pair are used alternately.
2.2.5.1.2.5 P̲a̲r̲a̲l̲l̲e̲l̲ ̲O̲u̲t̲p̲u̲t̲
The Line Terminator implements a byte-serial output
sequence of the full message block, i.e. all retrieval
from the buffer memory is performed by the Line Terminator.
The transfer employs the following lines:
o Channel Select, input
o Data, eight three-state output lines
o Buffer Ready, output
o Data Strobe, input
The transfer is initiated by an active level on the
Channel Select Line, indicating that the Multi Purpose
Processor is ready for a new message.
The module indicates the availability of a new Message
Block by activating the Buffer Ready line.
The transfer can start upon an active Buffer Ready
and the first byte of the Message Block will be available
on the eight data lines. Subsequent bytes are made
available each time a pulse is received on the Data
Strobe.
The Buffer Ready signal changes to the passive state
when the last byte of the Message Block has been made
available. The Multipurpose Processor responds by changing
the Channel Select to a passive state.
2.2.5.1.2.6 P̲a̲r̲a̲l̲l̲e̲l̲ ̲I̲n̲p̲u̲t̲
The Line Terminator receives the Message Block in a
byte-serial input sequence and stores the data in the
Buffer Memory.
The transfer employs the following lines:
o Channel Select, input
o Data, eight input lines
o Buffer Ready, output
o Data Strobe, input
The transfer is initiated by an active level on the
Channel Select line, indicating that the Multi Purpose
Processor wants to transfer a message.
The module indicates the availability of a free buffer
by activating the Buffer Ready line.
The transfer can start upon an active Buffer Ready,
and the message is received byte by byte each time
the Data Strobe is pulsed.
The Channel Select is set to a passive state when the
last byte has been transferred.
2.2.5.1.3 D̲e̲s̲i̲g̲n̲ ̲D̲e̲t̲a̲i̲l̲s̲
2.2.5.1.3.1 E̲l̲e̲c̲t̲r̲i̲c̲a̲l̲ ̲P̲r̲o̲t̲e̲c̲t̲i̲o̲n̲
The electrical protection circuit provides for the
following:
o Protection against permanent damage from transients
on the communication line as required
o Adaptation between the electrical levels on the
line and the internal logic levels
o Waveshaping and filtering as required
The interface is in accordance with MIL-STD-188C in
order to facilitate COMSEC certification on compromising
emanation.
2.2.5.1.3.2 S̲e̲r̲i̲a̲l̲ ̲I̲n̲t̲e̲r̲f̲a̲c̲e̲ ̲C̲o̲n̲t̲r̲o̲l̲l̲e̲r̲
The Serial Interface Controller performs all the basic
transport functions on bit and byte level in the support
of a full duplex X.25 channel.
This covers for the input
o Bit synchronisation
o format synchronisation
o Integrity check (FCS)
o Serial to parallel conversion
and for the output
o Parallel to serial conversion
o Formatting
o FCS generation
2.2.5.1.3.3 M̲i̲c̲r̲o̲p̲r̲o̲c̲e̲s̲s̲o̲r̲
The microprocessor performs the higher level functions
of the level 1 and all level 2 functions, supported
by the serial interface controller. In addition the
following functions are performed
o Message Block generation
o Message Block verification
o Set up of parallel input and output
The microprocessor has on-chip program storage and
scratch pad memory. It is, both by hardware and software,
restricted to a write-only function on the Buffer Memory
(input) or a Read-only function (output).
The number of bytes (the block length) in the received
Message Block is written to the Output Interface when
the Message Block has been completed. The number of
bytes in the Message Block to be transmitted is read
from the Input Interface and compared to the corresponding
number in the header.
2.2.5.1.3.4 B̲u̲f̲f̲e̲r̲ ̲M̲e̲m̲o̲r̲y̲
The Buffer Memory is physically organized in two distinct
memory banks, each corresponding to two message buffers.
The input buffers hold data received from the line.
The output buffers hold data while being transmitted.
2.2.5.1.3.5 I̲n̲p̲u̲t̲ ̲a̲n̲d̲ ̲O̲u̲t̲p̲u̲t̲ ̲I̲n̲t̲e̲r̲f̲a̲c̲e̲
The Interface performs all control functions for the
transfer of data from the Buffer Memory to the Multi
Purpose Processor (input) or from the Gate Keeper to
the Buffer Memory (output).
The interface comprises the necessary address counter,
byte counter and memory read/write control circuit
to retrieve or store data from/to the Buffer Memory.
As a specific security provision, the memory read function
(input) includes erasure of the memory contents, i.e.
writing a fixed bit pattern into all memory locations
of the used buffer.
Similarly, the memory write function (output) is preceded
by an erasure of the buffer area as soon as the previous
message has been transmitted and acknowledged properly.
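The residue risk of 2.1.3.1 is exactly what the erasure on read (input) and the erasure before write (output) remove. The following C model is an added example, not part of this note: it holds one pair of alternately used buffers, passes a full-length message through one of them, and then stores a short message in the same buffer; with destructive readout the locations beyond the short message hold only the fixed pattern, without it they still carry bytes of the earlier message. The buffer size, the erase pattern and both messages are constructed for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Added example, not part of SFS/TN/004: a model of one pair of Line
 * Terminator message buffers showing why the read function (input) erases the
 * buffer and why the write function (output) is preceded by erasure. The
 * buffer size, the fixed erase pattern and the two messages are constructed
 * for illustration. */

#define BUF_SIZE      16
#define ERASE_PATTERN 0x00     /* "a fixed bit pattern"; the value is an assumption */

typedef struct {
    uint8_t mem[2][BUF_SIZE];  /* the two buffers of a pair, used alternately */
    int     fill[2];           /* bytes of the current Message Block in each buffer */
    int     next;              /* buffer to receive the next message */
} BufferPair;

void pair_init(BufferPair *p)
{
    memset(p->mem, ERASE_PATTERN, sizeof p->mem);
    p->fill[0] = p->fill[1] = 0;
    p->next = 0;
}

/* Store a message into the next buffer of the pair; returns the buffer index. */
int pair_store(BufferPair *p, const uint8_t *msg, int len)
{
    int b = p->next;
    if (len > BUF_SIZE) len = BUF_SIZE;
    memcpy(p->mem[b], msg, (size_t)len);
    p->fill[b] = len;
    p->next = b ^ 1;
    return b;
}

/* Read out buffer b byte-serially. With `destructive` set, every location of
 * the used buffer is overwritten with the erase pattern as it is read out
 * (the security provision of 2.2.5.1.3.5); otherwise the contents remain. */
int pair_read(BufferPair *p, int b, uint8_t *out, bool destructive)
{
    int n = p->fill[b];
    for (int i = 0; i < BUF_SIZE; i++) {
        if (i < n) out[i] = p->mem[b][i];
        if (destructive) p->mem[b][i] = ERASE_PATTERN;
    }
    p->fill[b] = 0;
    return n;
}

/* Count bytes of buffer b beyond the current message that still differ from
 * the erase pattern: these are residue from an earlier message. */
int residue_bytes(const BufferPair *p, int b)
{
    int count = 0;
    for (int i = p->fill[b]; i < BUF_SIZE; i++)
        if (p->mem[b][i] != ERASE_PATTERN) count++;
    return count;
}

/* Scenario: a full-length message (modelling a higher classified one) passes
 * through a buffer; after it has been read out, a short message reuses the
 * same buffer. Returns the residue bytes left next to the short message. */
int residue_after_reuse(bool destructive_readout)
{
    BufferPair p;
    uint8_t out[BUF_SIZE];
    uint8_t long_msg[BUF_SIZE];
    const uint8_t short_msg[4] = { 'u', 'n', 'c', 'l' };

    pair_init(&p);
    memset(long_msg, 'S', sizeof long_msg);     /* constructed "secret" content */

    int b0 = pair_store(&p, long_msg, BUF_SIZE);
    pair_read(&p, b0, out, destructive_readout);

    pair_store(&p, short_msg, 4);               /* goes to the other buffer */
    int b2 = pair_store(&p, short_msg, 4);      /* alternation brings us back to b0 */
    return residue_bytes(&p, b2);
}
```

residue_after_reuse(false) reports 12 residue bytes (the 16-byte buffer minus the 4-byte message), residue_after_reuse(true) reports none. Counting residue rather than relying on the block size field is the useful check here: a message whose header says "4 bytes" is transferred as 4 bytes, but anything that reads the whole buffer area (a fault, a test mode, a misprogrammed byte counter) would see the remainder.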
2.2.5.1.3.6 O̲p̲t̲o̲ ̲I̲s̲o̲l̲a̲t̲o̲r̲
The Opto Isolator provides the required isolation between
data on the Output Bus and the Line Terminators which
are not selected for the current transfer.
2.2.5.1.4 S̲u̲m̲m̲a̲r̲y̲ ̲o̲f̲ ̲c̲h̲a̲r̲a̲c̲t̲e̲r̲i̲s̲t̲i̲c̲s̲
G̲e̲n̲e̲r̲a̲l̲
o Message size: max. 8000 bytes
o Throughput rate: equal to serial input rate
o Storage capacity: Two Message Blocks of maximum
8 Kbytes each
o FCS pattern generation and verification for data
integrity check.
S̲e̲r̲i̲a̲l̲ ̲I̲n̲p̲u̲t̲
o Communication protocol: CCITT rec. X.25
o Electrical Interface: MIL-STD-188C
o Data rate: nominal 2400 Baud, extendable to 9600 Baud
I̲n̲p̲u̲t̲ ̲a̲n̲d̲ ̲O̲u̲t̲p̲u̲t̲ ̲I̲n̲t̲e̲r̲f̲a̲c̲e̲
o Standardized Message Block format
o Byte-serial DMA transfer with handshake
o Destructive readout
o Optical isolation of output interface
2.2.5.2 M̲u̲l̲t̲i̲ ̲P̲u̲r̲p̲o̲s̲e̲ ̲P̲r̲o̲c̲e̲s̲s̲o̲r̲ ̲(̲M̲P̲P̲)̲
2.2.5.2.1 G̲e̲n̲e̲r̲a̲l̲
The MPP performs the preparation of the message for
validation, the logging onto a recorder in case of
rejection and implements the alert function. The preparation
includes a check of the status byte of the received
message and identification of the type of message for
the purpose of selecting between automatic and operator
assisted validation. In the latter case, the fields
which require validation by the operator are identified
and the message is transmitted to the Operator Terminal.
The loop test program also resides in this module.
2.2.5.2.2 F̲u̲n̲c̲t̲i̲o̲n̲a̲l̲ ̲S̲p̲e̲c̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
The functions are divided into the following groups
a) Data input
b) Type identification
c) Control and monitoring
d) Preparation for automatic validation
e) Preparation for operator assisted validation
f) Data output and erasure
g) Logging
h) Loop test
2.2.5.2.2.1 D̲a̲t̲a̲ ̲I̲n̲p̲u̲t̲
The Message Block is transferred from the Line Termination
module to the Buffer Memory of the MPP under control
of the Input Interface. Simultaneously, the Message
Block is stored in the memory of both the Mag Tape
Interface and the Terminal Interface.
The transfer employs the following lines
o Data, eight input lines
o Buffer Ready, input
o Data Strobe, output
The transfer starts upon an active level on the Buffer
Ready line, indicating that the first byte of a message
is available on the input. The subsequent bytes are
recalled by pulsing the Data Strobe. The transfer is
terminated when the Buffer Ready line goes passive.
2.2.5.2.2.2 T̲y̲p̲e̲ ̲I̲d̲e̲n̲t̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
The Microprocessor reads the header information in
order to check the status and to determine the message
type.
The status must be nominal and the message type must
be known, otherwise the message is rejected and logged.
The type identification may give the result that the
message shall be subject to either automatic validation
or operator assisted validation.
2.2.5.2.2.3 C̲o̲n̲t̲r̲o̲l̲ ̲a̲n̲d̲ ̲M̲o̲n̲i̲t̲o̲r̲i̲n̲g̲
The alert function activates an audible alarm in case
of an abnormal frequency of rejected messages.
The frequency is continuously updated by an algorithm
implemented in software, and a separate output line
is activated when the frequency exceeds a pre-specified
limit.
The alert function may also be triggered by signals
on the Monitor Lines, indicating e.g. physical access
(open door) while on-line or data integrity error under
CRC check.
The warning function activates a visible indicator
upon detection of conditions which are neither normal
nor critical e.g. off-line condition.
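The note leaves the rejection-frequency algorithm open. The C model below is an added example, not the MPP firmware: it keeps a sliding window over the most recent validation outcomes, latches the alert output line once more than a preset number of them were rejections, raises the same line immediately on a Monitor Line event, drives the warning indicator from the off-line condition, and releases the alert on operator acknowledgement only once the frequency is back within the limit. The window size, the latching behaviour, the acknowledgement rule and the monitor line bit assignments are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Added example, not part of SFS/TN/004: a software model of the MPP alert and
 * warning functions of 2.2.5.2.2.3. The sliding window over the last `window`
 * messages, the latching alert line cleared by operator acknowledgement, and
 * the monitor line bit assignments are assumptions. */

#define MON_DOOR_OPEN  0x01u   /* physical access while on-line (assumed bit) */
#define MON_CRC_ERROR  0x02u   /* data integrity error under CRC check (assumed bit) */

typedef struct {
    uint32_t history;      /* one bit per recent message, 1 = rejected (newest in bit 0) */
    int      window;       /* number of recent messages considered, 1..31 */
    int      limit;        /* alert when more than `limit` of them were rejected */
    bool     alert_line;   /* separate output line driving the audible alarm */
    bool     warning_line; /* output driving the visible indicator */
} AlertMonitor;

void alert_init(AlertMonitor *m, int window, int limit)
{
    m->history = 0;
    m->window = (window < 1) ? 1 : (window > 31) ? 31 : window;
    m->limit = limit;
    m->alert_line = false;
    m->warning_line = false;
}

/* Rejected messages among the last `window` outcomes. */
int rejected_in_window(const AlertMonitor *m)
{
    uint32_t bits = m->history & ((1u << m->window) - 1u);
    int count = 0;
    while (bits) {
        count += (int)(bits & 1u);
        bits >>= 1;
    }
    return count;
}

/* Record one validation outcome; the alert line latches once the rejection
 * frequency exceeds the limit. Returns the state of the alert line. */
bool alert_on_message(AlertMonitor *m, bool rejected)
{
    m->history = (m->history << 1) | (rejected ? 1u : 0u);
    if (rejected_in_window(m) > m->limit)
        m->alert_line = true;
    return m->alert_line;
}

/* Monitor Lines: any asserted line raises the alert immediately. */
bool alert_on_monitor(AlertMonitor *m, unsigned lines)
{
    if (lines & (MON_DOOR_OPEN | MON_CRC_ERROR))
        m->alert_line = true;
    return m->alert_line;
}

/* Warning function: visible indicator for conditions that are neither normal
 * nor critical, e.g. the off-line condition. */
bool warning_on_state(AlertMonitor *m, bool offline)
{
    m->warning_line = offline;
    return m->warning_line;
}

/* Operator acknowledgement: the alert line is released only once the rejection
 * frequency is back within the limit. Returns the remaining state. */
bool alert_reset(AlertMonitor *m)
{
    if (rejected_in_window(m) <= m->limit)
        m->alert_line = false;
    return m->alert_line;
}

/* Drive the monitor from a sequence of outcomes, 'A' accepted / 'R' rejected
 * (constructed test input). Returns the alert line after the last outcome. */
bool feed_outcomes(AlertMonitor *m, const char *seq)
{
    bool state = m->alert_line;
    for (; *seq; seq++)
        state = alert_on_message(m, *seq == 'R');
    return state;
}
```

With a window of 8 and a limit of 2, two rejections in a row leave the line inactive, the third activates it, an acknowledgement while the three are still inside the window is refused, and after eight accepted messages the acknowledgement clears it. A latching line is the conservative choice for an audible alarm: a burst of illegal messages that stops by itself should still reach the operator.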
2.2.5.2.2.4 P̲r̲e̲p̲a̲r̲a̲t̲i̲o̲n̲ ̲f̲o̲r̲ ̲a̲u̲t̲o̲m̲a̲t̲i̲c̲ ̲v̲a̲l̲i̲d̲a̲t̲i̲o̲n̲
The microprocessor gives a transfer command to the
Output Interface. The transfer to the Gate Keeper will
take place as soon as the Gate Keeper is ready to accept
the message.
Finally a command is given to the Terminal Interface,
specifying that the message in question shall be erased.
2.2.5.2.2.5 P̲r̲e̲p̲a̲r̲a̲t̲i̲o̲n̲ ̲f̲o̲r̲ ̲o̲p̲e̲r̲a̲t̲o̲r̲ ̲a̲s̲s̲i̲s̲t̲e̲d̲ ̲v̲a̲l̲i̲d̲a̲t̲i̲o̲n̲
The preparation involves identification of the field
or fields which require validation by the operator.
The fields are described by a table (with one or more
elements) of pointers to each field.
This table is written to the Terminal Interface and
finally a command is given to the Interface, specifying
that the message in question shall be subject to operator
assisted validation.
2.2.5.2.2.6 D̲a̲t̲a̲ ̲O̲u̲t̲p̲u̲t̲ ̲a̲n̲d̲ ̲e̲r̲a̲s̲u̲r̲e̲
The operation performed on the Message Block upon completion
of the message preparation depends upon the result.
a) A message which has been destined for automatic
validation is transferred to the Gate Keeper. The
entire Message Block is transferred from the Buffer
Memory and the buffer area is erased. The copy
in the Mag Tape Interface is retained for possible
logging and the copy in the Terminal Interface
has been erased.
b) A message which has been destined for operator
assisted validation is transferred to the Operator
Terminal from the copy of the Message Block stored
in the Terminal Interface and the buffer area is
erased. The copy in the Buffer Memory is erased,
but the copy in the Mag Tape Interface is retained
for possible logging.
c) A message which has been rejected is logged onto
the Tape recorder. The copies in the Buffer Memory
and the Terminal Interface are erased.
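The three outcomes above, together with the erasure rules of section 2.3.1.2 (fixed buffer areas, erased before the next message arrives), as an added model that is not part of this study. It keeps the three compartmentalised copies of a Message Block (Buffer Memory, the dual buffer of the Mag Tape Interface, the Terminal Interface) and records which sink receives a copy and which copies are erased; the buffer size, the trailing-zero padding and the treatment of the MTI as a two-entry list are assumptions of the example.

```python
"""Message copies in the Multi Purpose Processor and their fate for each
outcome of message preparation (2.2.5.2.2.6), with the erasure rules of
2.3.1.2. Constructed model, not the study's own firmware."""

BUF_SIZE = 32  # assumed fixed buffer area; no dynamic allocation (2.3.1.2)


def is_erased(mem: bytearray) -> bool:
    """A buffer area counts as erased only when every byte is cleared."""
    return not any(mem)


class MultiPurposeProcessor:
    MTI_BUFFERS = 2  # dual buffer memory in the Mag Tape Interface (2.2.5.2.3.5)

    def __init__(self):
        self.buffer_memory = bytearray(BUF_SIZE)
        self.terminal_copy = bytearray(BUF_SIZE)   # inside the Terminal Interface
        self.mti_copies = []   # MTI copies retained until accept/reject, oldest first
        # Sinks, modelled as lists of delivered items.
        self.to_gate_keeper = []
        self.to_operator_terminal = []
        self.tape_log = []

    @staticmethod
    def _erase(mem: bytearray) -> None:
        mem[:] = bytes(len(mem))

    @staticmethod
    def _message(mem: bytearray) -> bytes:
        return bytes(mem).rstrip(b"\x00")   # trailing zeros are padding (assumed)

    def data_input(self, block: bytes) -> None:
        """Input Interface writes all three memories simultaneously (2.2.5.2.3.1)."""
        if len(block) > BUF_SIZE:
            raise ValueError("message block exceeds the fixed buffer area")
        if not (is_erased(self.buffer_memory) and is_erased(self.terminal_copy)):
            raise RuntimeError("buffer areas not erased before next message")
        if len(self.mti_copies) == self.MTI_BUFFERS:
            raise RuntimeError("both MTI buffers occupied")
        self.buffer_memory[:len(block)] = block
        self.terminal_copy[:len(block)] = block
        self.mti_copies.append(bytearray(block))

    def automatic_validation(self) -> None:
        """Outcome a): Buffer Memory copy to the Gate Keeper; MTI copy retained."""
        self.to_gate_keeper.append(self._message(self.buffer_memory))
        self._erase(self.buffer_memory)
        self._erase(self.terminal_copy)

    def operator_assisted_validation(self, field_pointers) -> None:
        """Outcome b): Terminal Interface copy plus the field-pointer table to
        the Operator Terminal; MTI copy retained."""
        self.to_operator_terminal.append(
            (self._message(self.terminal_copy), list(field_pointers)))
        self._erase(self.terminal_copy)
        self._erase(self.buffer_memory)

    def reject(self) -> None:
        """Outcome c): the current message is logged on tape and nothing is output."""
        self._resolve_mti(index=-1, log=True)
        self._erase(self.buffer_memory)
        self._erase(self.terminal_copy)

    # Control inputs from the Gate Keeper to the MTI (2.2.5.2.3.5), acting on
    # the oldest retained copy: erase, or log onto tape prior to erasure.
    def mti_accept(self) -> None:
        self._resolve_mti(index=0, log=False)

    def mti_log_control(self) -> None:
        self._resolve_mti(index=0, log=True)

    def _resolve_mti(self, index: int, log: bool) -> None:
        copy = self.mti_copies.pop(index)
        if log:
            self.tape_log.append(self._message(copy))
        self._erase(copy)

    def residue(self) -> dict:
        """Which compartments still hold message data (2.3.1.2 check)."""
        return {"buffer": not is_erased(self.buffer_memory),
                "terminal": not is_erased(self.terminal_copy),
                "mag_tape": len(self.mti_copies)}
```

Running the three outcomes in sequence shows the point of the compartment layout: after automatic validation only the MTI still holds the message, and it is cleared by the Gate Keeper's accept or log signal, so the next `data_input` always finds erased areas.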
2.2.5.2.2.7 L̲o̲g̲g̲i̲n̲g̲
All rejected messages are logged on the tape recorder together
with the approximate time and date of occurrence.
2.2.5.2.2.8 L̲o̲o̲p̲ ̲T̲e̲s̲t̲
The test program can be activated in the off-line state
with the line outputs connected externally to the line
inputs. The program performs the test by transmitting
a set of preprogrammed messages (some legal, some illegal)
around the loop and verifying the result.
2.2.5.2.3 D̲e̲s̲i̲g̲n̲ ̲D̲e̲t̲a̲i̲l̲s̲
2.2.5.2.3.1 I̲n̲p̲u̲t̲ ̲I̲n̲t̲e̲r̲f̲a̲c̲e̲
The Input Interface performs all the functions required
for the transfer of data from the Output Interface
of the Line Terminator to the MPP.
The interface comprises the necessary address counter
and memory write control circuit.
The Buffer Memory and the compartmentalised memories
of the Mag Tape Interface and the Terminal Interface
are addressed simultaneously.
2.2.5.2.3.2 M̲i̲c̲r̲o̲p̲r̲o̲c̲e̲s̲s̲o̲r̲
The microprocessor performs the overall control and
monitoring functions of the MPP. In addition, the following
functions are performed:
o Type identification
o Calculation of the frequency of illegal messages
o Identification of the fields which shall be subject
to validation by the operator
o Data output set-up
o Loop test generation
The memory write function is restricted, both by hardware
and firmware to an area of the Buffer Memory which
is outside the area used for the Message Block.
2.2.5.2.3.3 B̲u̲f̲f̲e̲r̲ ̲M̲e̲m̲o̲r̲y̲
The Buffer Memory is organized into one memory bank
corresponding to one buffer and an area which can be
accessed by the microprocessor for both read and write.
2.2.5.2.3.4 P̲r̲o̲g̲r̲a̲m̲ ̲M̲e̲m̲o̲r̲y̲
The program memory is a non-volatile Read-only memory
the contents of which can not be changed without using
external programming equipment.
2.2.5.2.3.5 M̲a̲g̲ ̲T̲a̲p̲e̲ ̲I̲n̲t̲e̲r̲f̲a̲c̲e̲ ̲(̲M̲T̲I̲)̲
The MTI is a small dedicated microprocessing system.
The main elements are:
o Common Bus interface
o Serial interface to tape recorder
o Control inputs
o Dual Buffer memory
o Monitoring and control
The incoming message is stored in one of the two buffers
and will remain there until a command is given, either
causing erasure or logging onto tape prior to erasure.
The interface to the Common Bus is designed such that
the only readable memory is a status register.
The serial interface to the tape recorder carries both
control and data. The interface is hardwired in
such a way that reading the recorder is not possible.
The control inputs are connected to the Gate Keeper.
The Gate Keeper will issue a signal indicating either
accept or reject of each message. This causes either
erasure of the corresponding buffer or logging onto
tape prior to erasure.
2.2.5.2.3.6 M̲o̲n̲i̲t̲o̲r̲ ̲a̲n̲d̲ ̲C̲o̲n̲t̲r̲o̲l̲ ̲I̲/̲O̲
This interface provides a number of separate digital
input and output lines. Input lines comprise on-line/
off-line switch and additional monitor points which
may be required.
Output lines are the Alert Line which activates the
audible alarm and the (optional) Warning Line which
could activate a light indicator.
2.2.5.2.3.7 T̲e̲r̲m̲i̲n̲a̲l̲ ̲I̲n̲t̲e̲r̲f̲a̲c̲e̲
The Terminal Interface is a small dedicated microprocessing
system. The main elements are:
o Common bus interface
o Serial interface to the terminal
o Buffer Memory
o General control and monitoring
The incoming message is stored in the buffer and remains
there until a command is given, either causing erasure
or output to the terminal prior to erasure.
The interface to the common bus is designed such that
only the status register is readable. The serial interface
to the terminal is unidirectional. Simple handshaking
is provided such that transmission will take place
only when the terminal is ready.
2.2.5.2.4 S̲u̲m̲m̲a̲r̲y̲ ̲o̲f̲ ̲c̲h̲a̲r̲a̲c̲t̲e̲r̲i̲s̲t̲i̲c̲s̲
G̲e̲n̲e̲r̲a̲l̲
o Performs message preparation
o Interfaces to the terminal, logging recorder and
provides for control and monitoring input/output
P̲a̲r̲a̲l̲l̲e̲l̲ ̲i̲n̲t̲e̲r̲f̲a̲c̲e̲
o Standardized parallel input and output
o Byte-serial DMA transfer with handshake
o Destructive readout
S̲e̲r̲i̲a̲l̲ ̲i̲n̲t̲e̲r̲f̲a̲c̲e̲
o The Mag Tape and Terminal interfaces are low-level RS232
serial interfaces
M̲o̲n̲i̲t̲o̲r̲ ̲a̲n̲d̲ ̲C̲o̲n̲t̲r̲o̲l̲
o Separate digital lines are provided for optional
monitor and control points
2.2.5.3 I̲n̲p̲u̲t̲ ̲C̲o̲n̲t̲r̲o̲l̲
The Input Control is a small, dedicated controller
which performs set-up and supervision of the data transfer
between the Line Termination modules and the Multi
Purpose Processor.
A single Channel Select Line is activated at a time.
The selected Line Termination module responds with an
active level on the Buffer Ready Line if a full buffer
is available; simultaneously the module outputs its
Module Address on the Input Bus. This address is compared
with the expected one. The transfer is initiated if they
compare; otherwise this error situation is indicated in
the status word on the Input Bus, the Buffer Ready is
overridden by the Input Control and the channel select
is subsequently removed.
If there is no full buffer in this module, the counter
is incremented and the next module is interrogated.
2.2.5.4 O̲u̲t̲p̲u̲t̲ ̲C̲o̲n̲t̲r̲o̲l̲
The Output Control logic performs the set-up and supervision
of the message transfer from the Gate Keeper to the
Line Termination module.
The destination address for the validated message is
supplied by the Bus Supervisor module of the Gate Keeper.
This address is decoded to one out of m separate lines
which are connected to the Channel select lines of
each Input Interface of the Termination module.
The Input Enable is activated when the Output Address
Ready line indicates a valid address. This causes the
selected module to output its module address together
with its device status. This address is compared with the
address from the Gate Keeper, and the status is checked.
Destination Module Ready is signalled to the Output
Interface of the Gate Keeper if the addresses compare
and if there is a free buffer and the data transfer
can commence.
Service is offered to the other Gate Keeper if both
buffers of the Line Termination module are full.
The Bus Supervisor takes down the Output Address Ready
when the last byte has been transferred. This causes
the Output Control to deactivate Destination Module
Ready, which in turn causes deactivation of the Buffer
Ready line by the Output Interface of the Gate Keeper.
This change is sensed by the Line Termination module
and interpreted as an End of Transfer.
The Line Termination module on the output side responds
with its module address and device status on the Output Bus.
The two Gate Keepers are serviced alternately.
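The Input Control polling cycle (2.2.5.3) and the Output Control routing check (2.2.5.4) as an added simulation; it is not the study's own logic. It shows why the address feedback matters: a module that drives the wrong address onto the bus (a fault injected in the model) gets no transfer and leaves a mismatch in the status word, and a message whose header line number does not belong on the selected output line is refused by the Line Terminator. The status-word bit values, the module records, the identity mapping between Channel Select line and module address, and the rule that the counter always advances are assumptions of the example.

```python
"""Input Control polling (2.2.5.3) and Output Control routing (2.2.5.4) with
the address feedback of 2.3.1.1. Constructed model; status bits, module
records and the fault injection are assumptions."""

from dataclasses import dataclass, field
from typing import Optional

STATUS_OK = 0x00
STATUS_ADDRESS_MISMATCH = 0x01   # assumed status-word bit
STATUS_NO_FREE_BUFFER = 0x02     # assumed status-word bit


@dataclass
class LineTerminator:
    module_address: int
    full_buffers: list = field(default_factory=list)   # received blocks, oldest first
    free_output_buffers: int = 2                        # dual buffer on the output side
    output_buffers: list = field(default_factory=list)
    drives_address: Optional[int] = None   # fault injection: address really put on the bus

    def bus_address(self) -> int:
        return self.module_address if self.drives_address is None else self.drives_address

    def on_channel_select(self):
        """Response to an active Channel Select: (Buffer Ready, Module Address)."""
        return bool(self.full_buffers), self.bus_address()

    def on_input_enable(self):
        """Response on the output side: (Module Address, device status)."""
        status = STATUS_OK if self.free_output_buffers > 0 else STATUS_NO_FREE_BUFFER
        return self.bus_address(), status


class InputControl:
    def __init__(self, modules):
        self.modules = modules   # list index = Channel Select line = expected address
        self.counter = 0
        self.status = STATUS_OK

    def poll_once(self):
        """Interrogate the module selected by the counter. Returns
        (channel, message block) when a transfer took place, else None."""
        channel = self.counter
        self.counter = (self.counter + 1) % len(self.modules)   # assumed: always advance
        ready, addr = self.modules[channel].on_channel_select()
        if not ready:
            return None
        if addr != channel:
            # Feedback does not match the expected source: flag it in the status
            # word, override Buffer Ready, remove the channel select, no transfer.
            self.status = STATUS_ADDRESS_MISMATCH
            return None
        self.status = STATUS_OK
        body = self.modules[channel].full_buffers.pop(0)
        # The Line Terminator (input) writes the input line number into the header.
        return channel, {"input_line": channel, "body": body}


class OutputControl:
    def __init__(self, modules):
        self.modules = modules

    def route(self, dest_address: int, message: dict) -> bool:
        """Transfer a validated message to the module at dest_address.
        True when Destination Module Ready was given and the transfer done."""
        module = self.modules[dest_address]
        addr, status = module.on_input_enable()
        if addr != dest_address or status != STATUS_OK:
            return False   # no Destination Module Ready; the other GK is serviced
        # The LT (output) checks the header's input line number against its own
        # line; the example assumes input line n belongs on output line n.
        if message["input_line"] != module.module_address:
            return False
        module.free_output_buffers -= 1
        module.output_buffers.append(message)
        return True
```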
2.2.5.5 G̲a̲t̲e̲ ̲K̲e̲e̲p̲e̲r̲
See figure overleaf
G̲e̲n̲e̲r̲a̲l̲
The Gate Keeper (GK) performs the validation of the
message. For details of the validation process, refer
to the software description. In this section only the
underlying hardware facilities are specified.
2.2.5.5.2 F̲u̲n̲c̲t̲i̲o̲n̲a̲l̲ ̲S̲p̲e̲c̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
The following functions are performed
a. Data input
b. Type and source identification
c. Validation
d. Data output
2.2.5.5.2.1 D̲a̲t̲a̲ ̲I̲n̲p̲u̲t̲
The message block is transferred from the Multi Purpose
Processor to the Buffer Memory under control of the
GK. The protocol for the transfer is identical to that
for the Line Terminator-to-Multi Purpose Processor
(see sect. 2.2.5.2.2.1).
2.2.5.5.2.2 T̲y̲p̲e̲ ̲a̲n̲d̲ ̲So̲u̲r̲c̲e̲ ̲I̲d̲e̲n̲t̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
The microprocessor determines the type of the message
by analysing the appropriate fields. Once the type
has been determined, a unique code for this type is
loaded into a register of the Bus Supervisor.
In the Multi Channel configuration, the number of the
input channel is also determined and loaded into
the Bus Supervisor.
The above information is used by the Bus Supervisor
to restrict the address space of the Validation Information
Storage to that required for that particular type of
message conveyed on that particular channel.
2.2.5.5.2.3 V̲a̲l̲i̲d̲a̲t̲i̲o̲n̲
The validation process is performed by the microprocessor(s)
as described in the software specification.
2.2.5.5.2.4 D̲a̲t̲a̲ ̲O̲u̲t̲p̲u̲t̲ ̲a̲n̲d̲/̲o̲r̲ ̲Er̲a̲s̲u̲r̲e̲
When the validation process results in acceptance
of the message, a channel request is issued to the
Output Control (specifying a particular channel number
based upon the input channel number, in the Multi Channel
configuration).
The data transfer takes place according to the protocol
described in section 2.2.4.4. The contents of the Buffer
Memory is erased during read out.
In the case of a rejected message, the Bus Supervisor
is instructed to provide a signal on the Log Control
line, forcing the Tape Interface at the Multi Purpose
Processor to record the message onto the tape recorder.
The output function is suppressed but the erasure of
the Buffer Memory is performed.
2.2.5.5.3 D̲e̲s̲i̲g̲n̲ ̲D̲e̲t̲a̲i̲l̲s̲
2.2.5.5.3.1 I̲n̲p̲u̲t̲ ̲I̲n̲t̲e̲r̲f̲a̲c̲e̲
The Input Interface performs all the functions required
for the transfer of data from the Multi Purpose Processor
to the Buffer Memory of the GK. This comprises the
necessary address counter and memory write circuit.
2.2.5.5.3.2 M̲i̲c̲r̲o̲p̲r̲o̲c̲e̲s̲s̲o̲r̲(̲s̲)̲
The figure shows a number of microprocessors. It should,
however, just be regarded as a design option to use
more than one. Single-chip microprocessors are envisaged
i.e. processors with on-chip ROM and RAM.
The microprocessor performs the validation task by
executing the program residing on-chip and using the
on-chip RAM as scratch-pad. In this way there is no
need for writing into the Buffer Memory.
2.2.5.5.3.3 B̲u̲f̲f̲e̲r̲ ̲M̲e̲m̲o̲r̲y̲
The Buffer Memory is organised into a single memory
bank, capable of storing one message. The Buffer
Memory is accessible from the Input Interface for the
write function, while the microprocessors are only
capable of reading the contents. The Output Interface
can read and erase the Buffer Memory.
2.2.5.5.3.4 B̲u̲s̲ ̲S̲u̲p̲e̲r̲v̲i̲s̲o̲r̲
The Bus Supervisor is intended as simple, highly trusted
hardware which performs the following functions:
o Restricts memory access according to the identified
message type and channel number.
o Issues the Log Control signal when a message is
considered illegal.
o Issues a request for a particular channel number
(Multi Channel Configuration) based upon the identified
input channel (e.g. through a look-up table).
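An added model of the Bus Supervisor's address restriction and channel look-up, not the study's own hardware: once the microprocessor has loaded the identified message type and input channel (2.2.5.5.2.2), every read of the Validation Information Storage is confined to the window belonging to that (type, channel) pair, so a validation program, even a faulty one, cannot consult another channel's table. The window map, the table image, the '|'-separated table layout and the output channel table are assumptions of the example.

```python
"""Bus Supervisor model (2.2.5.5.3.4): confines Validation Information Storage
reads to the window of the identified (type, channel) pair and supplies the
output channel request. Constructed example; layout and tables are assumed."""


class AccessViolation(Exception):
    """A read outside the window enabled by the supervisor."""


class BusSupervisor:
    def __init__(self, windows, output_channel_table):
        self.windows = windows                            # (type_code, channel) -> (base, length)
        self.output_channel_table = output_channel_table  # input channel -> output channel
        self.type_code = None
        self.channel = None
        self.log_control = False

    def load(self, type_code: int, channel: int) -> None:
        """Register loaded by the microprocessor after type/source identification."""
        if (type_code, channel) not in self.windows:
            raise AccessViolation(f"no validation table for type {type_code} on channel {channel}")
        self.type_code, self.channel = type_code, channel
        self.log_control = False

    def enabled_window(self):
        if self.type_code is None:
            raise AccessViolation("no message identified")
        return self.windows[(self.type_code, self.channel)]

    def check_read(self, address: int) -> int:
        """Hardware address check: the address is passed through or refused."""
        base, length = self.enabled_window()
        if not base <= address < base + length:
            raise AccessViolation(
                f"address {address:#x} outside window {base:#x}..{base + length - 1:#x}")
        return address

    def channel_request(self) -> int:
        """Output channel for the accepted message (look-up table)."""
        return self.output_channel_table[self.channel]

    def reject(self) -> None:
        """Message considered illegal: raise the Log Control line."""
        self.log_control = True


class ValidationInformationStorage:
    """Non-volatile table storage; every read goes through the supervisor."""

    def __init__(self, image: bytes, supervisor: BusSupervisor):
        self.image = image
        self.supervisor = supervisor

    def read(self, address: int) -> int:
        return self.image[self.supervisor.check_read(address)]

    def read_table(self) -> bytes:
        base, length = self.supervisor.enabled_window()
        return bytes(self.read(a) for a in range(base, base + length))


def read_is_permitted(vis: ValidationInformationStorage, address: int) -> bool:
    try:
        vis.read(address)
        return True
    except AccessViolation:
        return False


def validate_field(vis: ValidationInformationStorage, value: bytes) -> bool:
    """Tabular check: the field is legal only if it is listed in the enabled
    table, stored as '|'-separated entries (assumed layout)."""
    return bool(value) and value in vis.read_table().split(b"|")
```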
2.2.5.5.3.5 V̲a̲l̲i̲d̲a̲t̲i̲o̲n̲ ̲I̲n̲f̲o̲r̲m̲a̲t̲i̲o̲n̲ ̲S̲t̲o̲r̲a̲g̲e̲
This non volatile storage contains the Validation Information
tables. The memory is accessible only from the microprocessors.
2.2.5.5.3.6 O̲u̲t̲p̲u̲t̲ ̲I̲n̲t̲e̲r̲f̲a̲c̲e̲
The output Interface performs all the functions required
for the transfer of the message from the Buffer Memory
to the Output Bus according to the protocol described
in section 2.2.4.4. and the subsequent memory erasure.
This includes the necessary address counter and memory
read and write circuits.
2.2.5.6 T̲a̲p̲e̲ ̲R̲e̲c̲o̲r̲d̲e̲r̲
The tape recorder shall record the illegal messages.
It is assumed to be a standard product with the following
characteristics
o Serial data input according to the RS 232 specification.
o Start and stop via control characters on the serial
data input.
o Cartridge tape cassette with storage capacity for
at least 100 messages (worst case 0.8 mega characters).
o Adequate facilities for monitoring of proper function,
e.g. cartridge loaded, end of tape, etc.
A number of suitable types are available and the "best
choice" depends entirely upon the detailed requirements
for e.g. storage capacity, reliability and overall system
design.
2.2.5.7 T̲e̲r̲m̲i̲n̲a̲l̲
The terminal shall store and display the message during
the operator assisted validation. The "keyboard" should
comprise:
o An "ACCEPT" button
o A "REJECT" button
o Keys for log-in
The design of the Terminal shall assure that all of
the message is displayable e.g. by a scrolling function.
So-called non-printable characters shall be clearly
indicated in the fields which are validated by the
operator.
The Terminal shall highlight the field, which has been
marked as being subject to operator validation.
Activation of the "ACCEPT" button shall cause the setting
of a flag bit corresponding to the particular field.
If more than one field in the same message requires
validation by the operator, the next field is then highlighted
and so on.
The message is transferred to the Gate Keeper when
all the marked fields have been accepted by the operator.
If a particular field is not accepted, the "REJECT"
button is activated causing the setting of a "REJECT"
flag bit before transmission to the Gate Keeper.
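The terminal's ACCEPT/REJECT flag handling, as an added model that is not part of this study: the marked fields are highlighted one at a time, ACCEPT sets the flag bit of the highlighted field, the message goes to the Gate Keeper only when every marked field has been accepted or when REJECT has been pressed, and non-printable characters are shown clearly in the field presented to the operator. The one-bit-per-field flag layout and the <hex> rendering are assumptions of the example.

```python
"""Operator terminal model for operator assisted validation (2.2.5.7).
Constructed example; flag layout and rendering are assumptions."""


class OperatorTerminal:
    def __init__(self, message: bytes, field_pointers):
        # field_pointers: the table written by the MPP, one (offset, length) per field
        self.message = message
        self.fields = list(field_pointers)
        self.accept_flags = 0          # bit i is set once field i has been accepted
        self.reject_flag = False
        self.current = 0               # index of the highlighted field
        self.sent_to_gate_keeper = None

    def highlighted(self):
        """The field currently highlighted, or None when all have been handled."""
        if self.current >= len(self.fields):
            return None
        offset, length = self.fields[self.current]
        return self.message[offset:offset + length]

    @staticmethod
    def render(value: bytes) -> str:
        """Non-printable characters are clearly indicated, here as <hex>."""
        return "".join(chr(b) if 0x20 <= b < 0x7F else f"<{b:02X}>" for b in value)

    def press_accept(self) -> None:
        if self.highlighted() is None or self.reject_flag:
            return
        self.accept_flags |= 1 << self.current
        self.current += 1            # the next marked field is highlighted
        if self.accept_flags == (1 << len(self.fields)) - 1:
            self._transmit()         # all marked fields accepted

    def press_reject(self) -> None:
        if self.sent_to_gate_keeper is not None:
            return
        self.reject_flag = True
        self._transmit()             # REJECT flag set before transmission

    def _transmit(self) -> None:
        self.sent_to_gate_keeper = {"message": self.message,
                                    "accept_flags": self.accept_flags,
                                    "reject": self.reject_flag}
```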
2.3 P̲E̲R̲F̲O̲R̲M̲A̲N̲C̲E̲
2.3.1 S̲e̲c̲u̲r̲i̲t̲y̲
The Multichannel Configuration introduces in principle
a number of risks in addition to those of the single
channel filter as described in section 2.1.3.1.
These risks are listed in the following subsections
together with the precautions made.
2.3.1.1 I̲l̲l̲e̲g̲a̲l̲ ̲S̲o̲u̲r̲c̲e̲/̲V̲a̲l̲i̲d̲a̲t̲i̲o̲n̲ ̲t̲a̲b̲l̲e̲/̲s̲i̲n̲k̲ ̲r̲e̲l̲a̲t̲i̲o̲n̲s̲h̲i̲p̲
This is the risk of performing the Validation with
a table, specified for another channel or the risk
of transferring the message to a wrong output line.
The mechanisms which shall assure the correct relationship
are the following:
o The set up of the path from the Line Terminator
to the Multi Purpose Processor is controlled and
monitored using feedback by a simple hardware circuit
in the Input Control to assure a secure knowledge
of the source.
o The Line Terminator (input) writes the input line
number in the header of the message Block.
o The Gate Keeper reads the header for determining
the channel number. This number is stored into
the register in the Bus Supervisor of the GK which,
by a simple hardware circuit, controls both the
request for the output line number and the validation
table to be used.
o The set up of the path from the Gate Keeper to
the Line Terminator (output) is controlled and
monitored using feedback by a simple hardware circuit
in the Output Control to assure a secure routing.
o The Line Terminator (output) checks the input line
number of the header for correct relationship with
the output line number.
2.3.1.2 R̲e̲s̲i̲d̲u̲e̲
The risk that, through a failure, information from one
message adheres to another is minimised by the following
precautions:
o Multiplexing is on message basis. Messages are
physically separated in separate memory areas.
o Buffer areas used for storage of messages are erased
before the next message arrives.
o Buffer areas are fixed i.e. no software controlled
dynamic memory allocation.
2.3.1.3 C̲r̲o̲s̲s̲-̲t̲a̲l̲k̲
The risk that a failure, caused by e.g. electromagnetic
coupling or galvanic leakage, transfers information to
channels other than the intended one in parallel is
minimised by
o Physical separation and shielding of Line Terminators
o Galvanic isolation between the Line Terminators
by opto-isolators. See the separate section on
electronic switches.
2.3.2 T̲h̲r̲o̲u̲g̲h̲p̲u̲t̲
The throughput of the filter is determined by the processing
time required in the common path, i.e. the Multi-Purpose
Processor and the Gate Keeper for automatically validated
messages. Here, the bottleneck will obviously be the
Gate Keeper.
The requirements for the processing of a "worst case
message" are given by the following:
A "Worst case message" is here defined as a message
with the following characteristics
a) Message size is 8000 characters
b) The mean field size is 10 characters
c) The message is divided into 200 sets of 4 fields
each
d) All fields shall be validated either against discrete
tabular values or the format shall be checked
The following estimates have been made:
Check syntax: 40 instructions/set
Check against tabular values or
check field formats: 50 instructions/field
This gives the following number of instructions for
the validation of each message:
40 x 200 + 50 x 800 = 48,000 instructions/msg.
Assuming an instruction time of 5 micro-seconds (mean),
the worst case message is processed in 240 milliseconds.
Adding the transfer time and processing time in the
MPP gives a processing time of less than 0.33 seconds.
Hence, the throughput of the common path for automatically
validated messages is more than 3 messages/
second.
The worst case load from one channel is less than
2400 baud / (8000 characters x 8 bits/character) messages per second,
i.e. one message every 27 seconds in each direction.
This gives a capability of servicing up to 40 channels
by one Gate Keeper.
The throughput for the operator assisted validation
will obviously be set by the human validation process
and is therefore determined by factors external to
the filter.
The conclusion is that the processing performance of
the Multi Channel Security Filter is sufficiently high
for handling several channels.
2.3.3 D̲e̲l̲a̲y̲
The total delay of a message caused by the Multi Channel
Security Filter is composed of the following
a) Time elapsed from reception of the last character
of a message to the message can be transferred
to the MPP.
b) LT to MPP transfer time
c) MPP preprocessing time
d) MPP to GK transfer time
e) GK processing time
f) Time elapsed from completion of the validation
to start of transfer
g) GK to LT transfer time
h) Time elapsed from the message has been transferred
to the LT until the first character appears on
the line
The following estimates and assumptions are made
o The message is a worst case message
o The MPP is ready to receive the message immediately
o The Line Terminator (output) is ready to receive
the message immediately
o Internal parallel transfers are controlled by Direct
Memory Access at a rate of 500 Kbytes per second,
giving a total transfer time of 16 milliseconds
(T_tr)
o MPP processing time is less than 30 milliseconds
(T_pr)
o Validation time in the GK is less than 240 milliseconds
(T_va) (see previous subsection)
o The other contributions total less than 10
milliseconds (T_o)
We have then the worst case total delay time in case
of no contention:
T_tot = T_o + 3 x T_tr + T_pr + T_va
= 10 + 3 x 16 + 30 + 240 = 328 milliseconds
The worst case if a worst case contention occurs is
the situation where the GK has just delivered a message
of maximum size to the Line Terminator (output) and
another very short message follows immediately after
on the same channel and in the same direction. The
transmission out of the filter will in this case be
delayed by approximately the time required for transmitting
the previous message, i.e. approx. 27 seconds.
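The sizing and delay arithmetic of sections 2.3.2 and 2.3.3, worked through in an added example (not part of this study) so that the figures can be recomputed for other message profiles, instruction times, DMA rates or line speeds. The field counts, instruction estimates, 5 microsecond instruction time, 500 Kbyte/s DMA rate and the delay terms are the study's worst-case figures; the divisor of two directions per channel in serviceable_channels and the default of three DMA transfers per message are the example's reading of the text.

```python
"""Sizing and delay model for the common path (MPP + Gate Keeper), sections
2.3.2 and 2.3.3. Constructed example: the figures are the study's worst-case
assumptions, the functions are not part of the study."""

from dataclasses import dataclass


@dataclass(frozen=True)
class MessageProfile:
    chars: int = 8000           # message size in characters
    sets: int = 200             # sets of fields per message
    fields_per_set: int = 4
    instr_per_set: int = 40     # syntax check per set
    instr_per_field: int = 50   # tabular-value or format check per field
    instr_time_us: float = 5.0  # mean instruction time in microseconds


WORST_CASE = MessageProfile()


def gk_instructions(m: MessageProfile) -> int:
    """Instructions the Gate Keeper spends validating one message."""
    return m.instr_per_set * m.sets + m.instr_per_field * m.sets * m.fields_per_set


def gk_validation_ms(m: MessageProfile) -> float:
    return gk_instructions(m) * m.instr_time_us / 1000.0


def line_interval_s(chars: int, baud: int, bits_per_char: int = 8) -> float:
    """Seconds one line needs to carry a message of the given size."""
    return chars * bits_per_char / baud


def serviceable_channels(common_path_s: float, interval_s: float,
                         directions: int = 2) -> int:
    """Channels one Gate Keeper can serve when every channel delivers one
    worst-case message per interval in each direction (assumed reading)."""
    messages_per_s = 1.0 / common_path_s
    return int(messages_per_s * interval_s / directions)


def dma_transfer_ms(nbytes: int, rate_bytes_per_s: int) -> float:
    return nbytes * 1000.0 / rate_bytes_per_s


def total_delay_ms(t_o: float, t_tr: float, t_pr: float, t_va: float,
                   transfers: int = 3) -> float:
    """Worst-case delay without contention: T_tot = T_o + 3 x T_tr + T_pr + T_va."""
    return t_o + transfers * t_tr + t_pr + t_va


def contention_delay_s(previous_chars: int, baud: int) -> float:
    """A short message queued behind a maximum-size one on the same line and
    direction waits roughly for that message's transmission time."""
    return line_interval_s(previous_chars, baud)


if __name__ == "__main__":
    t_tr = dma_transfer_ms(WORST_CASE.chars, 500_000)
    t_va = gk_validation_ms(WORST_CASE)
    print("instructions/msg:", gk_instructions(WORST_CASE))
    print("GK validation ms:", t_va)
    print("channels per GK:", serviceable_channels(0.33, line_interval_s(WORST_CASE.chars, 2400)))
    print("no-contention delay ms:", total_delay_ms(10, t_tr, 30, t_va))
    print("contention delay s:", round(contention_delay_s(WORST_CASE.chars, 2400), 1))
```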
3̲ ̲ ̲S̲H̲A̲R̲I̲N̲G̲ ̲O̲F̲ ̲H̲A̲R̲D̲W̲A̲R̲E̲
3.1 A̲N̲A̲L̲Y̲S̲I̲S̲
Target applications of the filter show generally several
channels emerging from the same computer site. It is
therefore obvious to seek for possibilities to reduce
the overall cost by sharing hardware if possible.
Regarding the Multi Channel Filter Configuration it
is seen that it actually represents such a sharing
of hardware. Additional channels require only additional
Line Terminators and the validation Table firmware
required for that particular channel.
The other hardware modules, i.e. the Multi Purpose Processor,
the Gate Keepers, the Operator Terminal and the logging
recorder, are shared among the channels.
A more efficient sharing of hardware is not achievable
unless use of the same Line Terminator to serve several
channels is considered.
It is a rather straightforward task to design a Multichannel
Line Terminator (e.g. four channels in one
module) and the cost per channel can be significantly
reduced as compared to the one-channel Line Terminator.
However, the basic security characteristics of the
filter with Multichannel Line Terminators will be adversely
affected since unintended paths within the Line Terminator
(e.g. caused by design error or hardware failure) may
cause a security breach.
A design which minimises this risk is likely to cost
more on a per-channel basis than the single Channel
Line Terminator.
A particular case where sharing of hardware could be
cost efficient is the case where a number of single
channel and/or Multi channel filters are collocated.
Here, the tape recorder and/or the Operator Terminal
could be readily shared among the collocated filters.
The only prerequisite for sharing these peripherals
is a switch (e.g. mechanical or electro-optical) which
provides a secure separation between the individual
filters.
See the figure overleaf.
3.2 S̲E̲C̲U̲R̲I̲T̲Y̲
The use of common tape recorder will require a trusted
switch in order to efficiently separate the individual
filters.
The use of a common terminal will also require a trusted
switch.
In addition, the requirements to the security of the
erasure of the storage areas of the terminal may be
strengthened if the same terminal shall serve channels
of different classification levels.
3.3 C̲O̲N̲C̲L̲U̲S̲I̲O̲N̲
The primary objective for optional sharing of hardware
is accommodated by the Multi Channel Security Filter.
The particular case of several collocated filters can
use common tape recorder and operator terminal if a
simple (but trusted!) switch is introduced.
(Figure: Sharing of Peripherals)
4 O̲T̲H̲E̲R̲ ̲S̲Y̲S̲T̲E̲M̲ ̲C̲O̲N̲F̲I̲G̲U̲R̲A̲T̲I̲O̲N̲S̲
4.1 I̲N̲S̲T̲A̲L̲L̲A̲T̲I̲O̲N̲ ̲S̲I̲T̲E̲
The filter is not, for technical reasons, constrained
to be located near system high. Installation outside
the system high area requires attention to the following
points:
o Access control must be the same as for system high.
o Additional crypto units will be required.
4.2 U̲N̲C̲L̲A̲S̲S̲I̲F̲I̲E̲D̲ ̲S̲Y̲S̲T̲E̲M̲ ̲L̲O̲W̲
The case of an unclassified system low means that no
crypto units are required. In this case two situations
can occur:
o The distance between system high and system low
is so short that the transmission is directly in
RS 232 level signals. In this case the requirements
to the electrical protection of the input/output
may be particularly severe due to e.g. lines running
in unsupervised environment.
o If the distance is more than a few hundred meters,
a modem will usually be required, and the situation
for the security filter is then identical to the
baseline situation.
5 C̲O̲M̲M̲O̲N̲ ̲S̲O̲F̲T̲W̲A̲R̲E̲ ̲A̲N̲D̲ ̲H̲A̲R̲D̲W̲A̲R̲E̲
5.1 C̲O̲M̲M̲O̲N̲ ̲S̲O̲F̲T̲W̲A̲R̲E̲
The security filter software can logically be divided
into two parts:
The operational software (computer programs) and the
validation information (data tables).
Once verified and certified the operational software
can be used without special restrictions at any security
filter site. The presence or absence of certain validation
information is the factor determining the legal traffic
at each site, and the validation information shall
in principle be compiled separately for each security
filter site.
5.2 C̲O̲M̲M̲O̲N̲ ̲H̲A̲R̲D̲W̲A̲R̲E̲
The design has been made in such a way that the adaptation
to different channels is made by firmware.
The hardware modules will therefore be common for all
filters.
6 C̲O̲M̲M̲E̲R̲C̲I̲A̲L̲L̲Y̲ ̲A̲V̲A̲I̲L̲A̲B̲L̲E̲ ̲H̲A̲R̲D̲W̲A̲R̲E̲ ̲A̲N̲D̲ ̲S̲O̲F̲T̲W̲A̲R̲E̲
6.1 H̲A̲R̲D̲W̲A̲R̲E̲
Due to the highly specific security requirements only
the tape recorder can be procured as an off-the-shelf
item. The terminal is functionally very close to a
normal dumb terminal, but e.g. the Tempest requirement
precludes an off-the-shelf procurement.
6.2 S̲O̲F̲T̲W̲A̲R̲E̲
The constraints mentioned above for hardware are equally
valid for the operational software of the security
filter.
The line interface software (protocol handling etc.),
which probably will be stored in hardware or firmware,
may, however, be an off-the-shelf type, if the line termination
hardware unit can be found on a shelf.
All software used in the critical or most critical
part of the security filter must be coded specifically
for the filter, or derived from general software for
the hardware in question.
7̲ ̲ ̲E̲L̲E̲C̲T̲R̲O̲N̲I̲C̲ ̲S̲W̲I̲T̲C̲H̲E̲S̲
7.1 D̲E̲F̲I̲N̲I̲T̲I̲O̲N̲
The electronic switch is in this context defined to
be a device which can assume an "ON" condition and
an "OFF" condition. In the ON condition, the switch
will pass binary information from the signal source
to the signal sink.
In the OFF condition, the switch will not pass legible
information to the output. Furthermore, the following
characteristics shall apply in order to assure suitability
for use in digital equipment.
o The electrical characteristics of the input
and output are compatible with normal semiconductor
logic circuits, e.g. TTL or RS 232 levels.
o The ON/OFF function is controlled by a normal
logic signal.
o Physical dimensions and packaging suitable
for use on printed circuit board.
o ON/OFF switching time not higher than one millisecond.
o The attenuation shall be a minimum of 100 dB
in the OFF condition.
7.2 A̲N̲A̲L̲Y̲S̲I̲S̲
A switch with adequate characteristics for secure electronic
communications equipment is required at several places
in the security filter. The purpose of the switch is
to isolate units from each other in a highly efficient
and inherently secure way and to establish the connection
where required.
In electronic equipment the following mechanisms are
limiting the attenuation:
a) Electromagnetic coupling between wires
b) Parasitic capacitance, e.g. across open relay contacts
or between the input and output circuit within
a semiconductor chip.
c) Transfer characteristic.
Electronic switches may have, even in the OFF condition,
a finite amplification ratio between the input
and the output voltage.
d) Galvanic coupling.
e) Coupling through the power supply.
7.2.1 E̲l̲e̲c̲t̲r̲o̲m̲a̲g̲n̲e̲t̲i̲c̲ ̲C̲o̲u̲p̲l̲i̲n̲g̲
Electromagnetic coupling is minimised by careful control
of the electrical design, by separating input and output
leads and by shielding. This is a general problem for
all types of electronic circuits.
7.2.2 P̲a̲r̲a̲s̲i̲t̲i̲c̲ ̲C̲a̲p̲a̲c̲i̲t̲a̲n̲c̲e̲
The parasitic capacitance across the switch in OFF
condition is usually the coupling mechanism which limits
the attenuation, in particular for a mechanical switch.
For a semiconductor switch, the parasitic capacitance
may consist of both the capacitance between the input
and output leads of the component and the capacitance
within the microcircuit.
The influence on the attenuation can be controlled
by the following:
o Filtering
The impedance of the parasitic capacitance is inversely
proportional to the frequency. Filtering of the
input signal in order to reduce the higher harmonics
(waveshaping) is therefore advantageous.
o Low load impedance on the output of the switch
gives a high voltage attenuation ratio between
the impedance of the parasitic capacitance
and the load impedance.
7.2.3 T̲r̲a̲n̲s̲f̲e̲r̲ ̲C̲h̲a̲r̲a̲c̲t̲e̲r̲i̲s̲t̲i̲c̲
The transfer characteristic of an ideal switch is a
step function i.e. zero amplification in the OFF condition
and an amplification factor of one in the ON condition.
Normal semiconductor logic gates have, however, a non-ideal
characteristic with a significant (compared to 100dB
attenuation) "feed-through" in the OFF condition.
An obvious and efficient solution to this is to use
semiconductor logic gates with hysteresis.
7.2.4 G̲a̲l̲v̲a̲n̲i̲c̲ ̲C̲o̲u̲p̲l̲i̲n̲g̲
Galvanic coupling between input and output can be caused
by e.g. bad isolation materials, humidity or dirt.
For most semiconductor circuits there is, however,
a particular mechanism which can provide a direct coupling
between input and output. If the input voltage of a
logic gate exceeds the supply voltage, a parasitic
diode to the substrate may provide a direct path to
the output.
7.2.5 C̲o̲u̲p̲l̲i̲n̲g̲ ̲t̲h̲r̲o̲u̲g̲h̲ ̲t̲h̲e̲ ̲P̲o̲w̲e̲r̲ ̲S̲u̲p̲p̲l̲y̲
A signal superposed on the DC supply voltage to a semiconductor
circuit will be coupled to the output.
This coupling is avoided by filtering the DC-supply
or even use a separate power supply for these output
circuits.
7.3 S̲E̲C̲U̲R̲I̲T̲Y̲ ̲R̲E̲Q̲U̲I̲R̲E̲M̲E̲N̲T̲S̲
The security requirements to the switch are in summary:
a) Trusted switch function i.e. high reliability.
In particular, the probability of an ON state by
failure must be very low.
b) Attenuation better than 100 dB in the OFF condition
7.4 S̲E̲L̲E̲C̲T̲E̲D̲ ̲S̲W̲I̲T̲C̲H̲ ̲T̲Y̲P̲E̲S̲
Three switch types have been selected. They are each
representative of a class of circuit elements.
a) The Reed relay is a mechanical relay type
b) The semiconductor logic switch is representative
for the semiconductor logic gates
c) Opto-electronic isolator is a particular type of
semiconductor arrangement which provides galvanic
isolation.
7.4.1 R̲e̲e̲d̲ ̲R̲e̲l̲a̲y̲
The Reed relay is a pair of magnetic contact levers,
hermetically enclosed in a small glass tube. The glass
tube is surrounded by a coil for providing the magnetic
field to activate the contact lever.
Reed relays are manufactured in versions with mechanical
and electrical characteristics directly matched to
TTL Logic, i.e. dual-in-line package and TTL level
specifications for the coil drive voltage and current.
The advantages are:
o Extremely high galvanic isolation in dry environment,
10^11 ohms.
o High galvanic isolation between control and signal
lines
Disadvantages are:
o Bulky, approx. 20 x 10 x 6 mm each single pole
switch
o Low reliability, contacts may stick after excessive
current flow or "make" action may be performed
by e.g. a permanent magnet close to the relay.
o Non-negligible parasitic capacitance in OFF condition
o Switching time (approx. one millisecond) is not
negligible in fast communication systems.
7.4.2 S̲e̲m̲i̲c̲o̲n̲d̲u̲c̲t̲o̲r̲ ̲L̲o̲g̲i̲c̲ ̲S̲w̲i̲t̲c̲h̲
The Semiconductor Logic Switch is extensively used
as the interface to the common bus in all sizes of
computers. The circuits are provided on small-scale
integrated silicon chips, encapsulated in dual-in-line
packages, each with typically eight drivers or eight
receivers.
The drivers can assume three states:
o Logic level 1 (low impedance)
o Logic level 0 (low impedance)
o High impedance i.e. OFF-condition.
The receivers have hysteresis and can be enabled or
disabled i.e. the signal can be allowed to pass or
it can be inhibited from passing to the signal output
of the receiver.
High or low impedance is selected by the logic level
on a control line.
The advantages are:
o Very compact, eight drivers or eight receivers
in one 20-pin dual-in-line package
o Low cost
o High bandwidth
o Extremely low ON/OFF switching time
o Perfectly suited for bus applications i.e. several
outputs and several inputs connected to the same
lines.
Disadvantages:
o Vulnerable to abnormal conditions, excessive current
or voltage may lead to permanent damage which could
cause security breach.
o No galvanic isolation in OFF condition
7.4.3 E̲l̲e̲c̲t̲r̲o̲-̲o̲p̲t̲i̲c̲a̲l̲ ̲S̲w̲i̲t̲c̲h̲
The electro-optical switch is in principle a light
emitting diode the light of which is exciting a phototransistor
into the conducting state.
The physical arrangement can be made in three principally
different ways:
a) The most simple configuration is a separately packaged
light emitting diode, placed close to the photo-
transistor but separated by a transparent sheet
of e.g. glass.
b) As above, but the light is conducted from the light
emitting diode to the phototransistor through an
optical fiber.
c) In a more compact version, both the light emitting
diode and the phototransistor are mounted onto
the same substrate in a very small microcircuit
package.
7.5 D̲E̲S̲I̲G̲N̲ ̲E̲X̲A̲M̲P̲L̲E̲S̲
Design examples are given for each of the three selected
types. See the figure overleaf.
7.5.1 R̲e̲e̲d̲ ̲R̲e̲l̲a̲y̲
See figure 7-1.
Signals from digital circuits have a considerable energy
in the higher harmonics due to the fast transitions
between the two logic levels. The low pass filter attenuates
these higher harmonics and thereby the effect of the
parasitic capacitance. The load impedance R_L assures
a minimum loading of the output and thereby a minimum
attenuation factor in the OFF condition.
The attenuation for a sinusoidal signal with a frequency
of f is:
$$A = 20 \log \left( \frac{1}{1 + f \cdot C_s \cdot Z_L} \right) \quad \text{(dB)}$$
Assuming R_L = 1 kohm and f = 10 kHz we have the
required 100 dB for a stray capacitance C_s = 0.3 picofarad.
Available Reed relays have capacitances in this order
of magnitude.
The predicted failure rate of a Reed relay (MIL-HDBK-217)
is in the order of magnitude of one failure per one
million operations (ON/OFF). This failure rate is obviously
too high unless the number of operations per hour is
very low.
7.5.2 Semiconductor Logic Switch
See figure 7-2.
The logic gate in the input provides the basic switching
function.
A high level on the switch control line gives the ON
condition while a low level gives the OFF condition.
The symbol shown in the two gates indicates hysteresis.
The R-C circuit constitutes a low pass filter which
shall attenuate higher harmonics of the signal. These
higher harmonics could otherwise propagate to the output
through the parasitic capacitance between the input
and output leads of the output-gate. The switch is
shown with separated DC-supply to the input stage and
output stage in order to avoid coupling through the
supply leads.
The predicted failure rate for the semiconductor switch
is approx. one failure per 10^8 hours, or one failure
each 10.000 years, and most failures even lead to an
OFF condition.
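As an added worked example (not part of the study), the following Python script evaluates the OFF-state isolation figures of 7.5.1 and the failure-rate figures of 7.5.1 and 7.5.2. It assumes the standard first-order series-capacitance model, which includes the factor 2*pi of angular frequency that the study's expression omits, so it gives about 94 dB rather than 100 dB for the 0.3 pF case.

```python
import math

# Assumed model (not the study's own expression): the only OFF-state leakage
# path is the stray capacitance C_s in series with the load R_L, giving the
# first-order high-pass gain |H| = x / sqrt(1 + x^2) with x = 2*pi*f*C_s*R_L.
# The study's expression uses the same f*C_s*Z_L product but without 2*pi.

def off_state_attenuation_db(f_hz, c_stray_f, r_load_ohm):
    """Attenuation in dB of a sinusoid at f_hz leaking through C_s into R_L."""
    x = 2 * math.pi * f_hz * c_stray_f * r_load_ohm
    gain = x / math.sqrt(1.0 + x * x)
    return -20.0 * math.log10(gain)

def max_stray_capacitance_f(f_hz, r_load_ohm, required_db):
    """Largest C_s (farads) that still meets required_db at f_hz into r_load_ohm."""
    gain = 10.0 ** (-required_db / 20.0)
    x = gain / math.sqrt(1.0 - gain * gain)   # invert |H| = x / sqrt(1 + x^2)
    return x / (2 * math.pi * f_hz * r_load_ohm)

HOURS_PER_YEAR = 8760.0

def expected_failures_per_year(operations_per_hour):
    """Expected failures per year for the two switch types, using the study's
    figures: reed relay about 1 failure per 1e6 operations (MIL-HDBK-217),
    semiconductor switch about 1 failure per 1e8 hours (independent of use)."""
    reed = operations_per_hour * HOURS_PER_YEAR / 1e6
    semiconductor = HOURS_PER_YEAR / 1e8
    return reed, semiconductor

if __name__ == "__main__":
    f, r_l = 10e3, 1e3            # the study's assumptions: 10 kHz, 1 kohm
    att = off_state_attenuation_db(f, 0.3e-12, r_l)
    print(f"C_s = 0.3 pF -> OFF-state attenuation {att:.1f} dB")
    c_max = max_stray_capacitance_f(f, r_l, 100.0)
    print(f"100 dB needs C_s <= {c_max * 1e12:.3f} pF")
    for ops in (1.0, 60.0, 3600.0):
        reed, semi = expected_failures_per_year(ops)
        print(f"{ops:7.0f} ops/h: reed {reed:.4f}/yr, semiconductor {semi:.2e}/yr")
```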
7.5.3 Electro-optical Switch
See figure 7-3.
The electro-optical switch is galvanically separated
between the input section and the output section.
The diode driver (e.g. a transistor) modulates the
current through the light emitting diode according
to the binary signal input. The current is supplied
through the switch control line. The output section
consists of a light sensitive phototransistor and an
amplifier with hysteresis which converts the modulated
light into normal logic levels.
A glass sheet provides tangible evidence of good
galvanic isolation, even in a humid (non-condensing)
environment.
Another valuable property is that no failure in the
components can lead to an ON condition while the switch
control signal is low (zero volts).
Figure 7-3: Electro-optical Switch