top - download
⟦c253d1c5f⟧ Wang Wps File
Length: 46510 (0xb5ae)
Types: Wang Wps File
Notes: Spelunked
Names: »~ORPHAN53.08«
Derivation
└─⟦5da7e0279⟧ Bits:30006225 8" Wang WCS floppy, CR 0210A
└─ ⟦this⟧ »~ORPHAN53.08«
WangText
2…09…2…0a……86…1
…02… …02…
…02…
…02…
…02…PEH/830411…02……02…#
SECURITY FILTER
…02……02…SYS.DIV.
T̲A̲B̲L̲E̲ ̲O̲F̲ ̲C̲O̲N̲T̲E̲N̲T̲S̲
Page
1 GENERAL .......................................
1.1 INTRODUCTION ...............................
1.2 TERMS AND ABBREVIATIONS ....................
2 TIME DIVISIN MULTIPLEXING ....................
2.1 ANALYSIS ...................................
2.1.1 The need ...............................
2.1.2 The requirements .......................
2.1.3 The problems ..........................
2.1.3.1 Security ...........................
2.1.3.2 Complexity .........................
2.1.3.3 Delay ..............................
2.1.3.4 Channel Capacity ...................
2.1.3.5 Overflo ...........................
2.1.4 Conclusion .............................
2.2 MULTICHANNEL SECURITY FILTER ...............
2.2.1 General Description ....................
2.2.2 Data flow .............................
2.2.3 Message Block Specification ............
2.2.3.1 The Header .........................
2.2.3.2 Message Body .......................
2.2.3.3 Trailer ............................
2.2.4 Interface Speification ................
2.2.4.1 Line Interface .....................
2.2.4.2 Input Bus ..........................
2.2.4.3 Internal Interface Specification ...
2.2.4.4 Output Bus .........................
2.2.5 Module Specification ...................
2.2.5.1 Line Terminator (LT) ...............
2.2.5.2 Multi Purpose Processor (MPP) ......
2.2.5.3 Input Control ......................
2.2.5.4 Output Control ....................
2.3 PERFORMANCE ................................
2.3.1 Security ...............................
2.3.1.1 Illegal Source/Validation table/sink
relationship .......................
2.3.1.2 Resdue ............................
2.3.1.3 Cross-talk .........................
2.3.2 Throughput .............................
2.3.3 Delay ..................................
3 SHARING OF HARDWARE ..........................
3.1 ANALYSIS ..................................
3.2 SECURITY ...................................
3.3 CONCLUSION .................................
…86…1 …02… …02… …02… …02…
1̲ ̲ ̲G̲E̲N̲E̲R̲A̲L̲
1.1 I̲N̲T̲R̲O̲D̲U̲C̲T̲I̲O̲N̲
This technical note represents the output of work package
no. 320, Configuration Study, within the framework
of the Security Filter Study, performd under contract
no. FK 8219 between the Air Material Command of the
RDAF and Christian Rovsing A/S.
The Configuration Study still examine the feasibility
and the performance of technical solutions to:
- Multiplexing two or more communication lnes through
one filter
- Sharing of hardware between two or more filters
- Other systems configurations (installation site,
security levels)
- Use of common software and hardware
- Use of commercially available hardware and software
(multi-ource)
- Use of electronic switches
Each point will be treated separately in the following
chapters.
1.2 T̲E̲R̲M̲S̲ ̲A̲N̲D̲ ̲A̲B̲B̲R̲E̲V̲I̲A̲T̲I̲O̲N̲S̲
2̲ ̲ ̲T̲I̲M̲E̲ ̲D̲I̲V̲I̲S̲I̲O̲N̲ ̲M̲U̲L̲T̲I̲P̲L̲E̲X̲I̲N̲G̲
2.1 A̲N̲A̲L̲Y̲S̲I̲S̲
2.1.1 T̲h̲e̲ ̲n̲e̲e̲d̲
ADP systems often have many communication lines in
and out. This raises a demand for a solution, which
is more cot efficient than a simple duplication of
hardware. This demand can often be met by time division
multiplexing or time slicing methods. The idea is to
utilise the hardware more efficiently by letting it
handle several channels on a time sliced basis The
slice may be either at bit level, often called time
division multiplex, or at a higher level (message),
often called time slicing.
2.1.2 T̲h̲e̲ ̲r̲e̲q̲u̲i̲r̲e̲m̲e̲n̲t̲s̲
The general requirements to the multiplexing functions
restricted to fixed point-to-oint communication.
See figure overleaf.
The channel of ADP system A using line no. 1A must
communicate only with the channel of ADP system C using
line no. 1B.
The particular characteristics which must be considered
when evaluating potentialsolutions are first of all
o Security in all aspects.
o The cost should be substantially reduced compared
to the simple hardware duplication.
o The design must accommodate certification.
o Delay must be kept low.
o The filter shall be trasparent to the connected
ADP systems except for the delay.
o The channel capacity must not be (significantly)
reduced.
o The design shall provide reliable operation.
o Behaviour in case of a failure must be acceptable.…86…1
…02… …02… …02… …02…
Multi Channel Security Filter
Communication paths
2.1.3 T̲h̲e̲ ̲p̲r̲o̲b̲l̲e̲m̲s̲
The potential problems in multiplexing have already
been suggested in the para 2.2. They are in summary
o Security
o Complexing
o Delay
o Channel Capaity
o Overflow
It is throughout this subsection assumed that sufficient
processing power is available to perform the validation
in negligible time.
2.1.3.1 S̲e̲c̲u̲r̲i̲t̲y̲
The multiplexing inherently introduces a multitude
of failure modes which ay lead to security breack.
The most obvious risks are
o Illegal source/validation table/sink relationship.
The mere fact that there are several channels increases
the risk of passing classified information to a
channel with too low channel leel.
o Residue
A residue of classified information may inadvertently
be carried along with a lower classified message.
o Cross-talk
The presence of several inputs and/or outputs gives
the risk of cross-talk, here used to describe any
mechnism which may inintendedly convey legible
information from one channel to another.
2.1.3.2 C̲o̲m̲p̲l̲e̲x̲i̲t̲y̲
Multiplexing hardware/software may be more or less
complex. Very high efficiency is typically achieved
through high complexity. High complexity typically
givesvery complicated failure modes and is therefore
not attractive from a security point of view.
2.1.3.3 D̲e̲l̲a̲y̲
The delay will in general be increased by the multi-
plexing, but the amount of delay is heavily depending
upon the combination of muliplexing scheme and the
hardware configuration.
Multiplexing on bit or byte level gives only negligible
additional delay, while multiplexing of many channels
on message level may give excessive delays.
So, from a delay point of view the lowestlevel is preferrred.
However, considerations of security risks lead to a
multiplexing on message level. Hence, the hardware
configuration must be adjusted to provide an acceptably
low delay.
2.1.3.4 C̲h̲a̲n̲n̲e̲l̲ ̲C̲a̲p̲a̲c̲i̲t̲y̲
Channel capacity is anotherexposed parameter. The reference
capacity is, in this context, the capacity of a particular
channel without any filter. Insertion of a multiplexed
filter may reduce the capacity significant-
ly unless precautions are made.
2.1.3.5 O̲v̲e̲r̲f̲l̲o̲w̲
Mesage Overflow situations may occur, either as a result
of failures inside or outside the filter, or perhaps
even as an acceptable (rare) situation. In both cases,
the system must respond to such a situation in a secure
manner. …86…1 …02… …02… …02… …02…
2.1.4 C̲o̲n̲c̲l̲u̲s̲i̲o̲n̲
The previous subsection suggests the following characteristics
of a viable solution.
o Multiplexing is on message level. Only one message
is processed at a tim and the message is processed
in entity without interference from other channels
or messages from the same channel.
o A Line Terminator is provided for each channel
to provide the necessary reception and storage
capacity for avoiding a decrease n the individual
channel capacities.
This also minimizes the risk of electromagnetic
or galvanic cross-talk.
o All information in common areas is erased before
a new message is entered.
o A dedicated, simple hardware/firmware control circut
establishes the input/output path, validated according
to a preprogrammed table with legal combinations.
The control is backed up by an alternative (redundant)
communication path verification method.
o The channels are multiplexed by offerig service
in a cyclic manner. The processing power shall
be sufficient to service a worst case situation
and secure methods with acceptable performance
shall be used in case of an overflow situation.
o The software complexity should be minimizedf.ex.
by designing separate packages for each channel.
2.2 M̲U̲L̲T̲I̲C̲H̲A̲N̲N̲E̲L̲ ̲S̲E̲C̲U̲R̲I̲T̲Y̲ ̲F̲I̲L̲T̲E̲R̲
2.2.1 G̲e̲n̲e̲r̲a̲l̲ ̲D̲e̲s̲c̲r̲i̲p̲t̲i̲o̲n̲
Please refer to figure overleaf. The Multichannel Security
Filter (MCSF) is a multi-input/multi-output configurationwhere
all channels share the Multi Purpose Processor (MPP),
the Gate Keepers GK and the terminal.
One Line Terminator is used for each channel, each
with storage capacity for two messages in each direction.
The received message is transferred to he MPP with
high speed over the Input Bus under supervision of
the Input control.
The message is preprocessed and validated in the same
way as if it were a single channel filter.
After validation, the message is transferred to the
butler memoryof the Selected Line Terminator under
supervision of the Output control. Finally, the Line
Terminator performs the transmission of the message.
The MCSF is a modular expansion of the single channel
filter using the same basic concept, only with afew
additional components to control the data paths.
The basic security is achieved by using a Cellular
Structure in several levels with both hardware and
software restructions on the capabilities, in particular
the communication capabilities acrss the cell boundaries.
MULTI CHANNEL SECURITY FILTER (MCSF)
2.2.2 D̲a̲t̲a̲ ̲f̲l̲o̲w̲
Messages from all input lines are received and stored
independently in the Line Terminators.
The Input Control interrogates the modules cyclically.
The interrogtion is acknowledged if a full message
has been received, and the message is transferred in
byte-parallel to the MPP.
Message preprocessing and validation is performed exactly
as for the single channel security filter with the
remark that input ad output channel identification
must be provided together with the message when logged
or displayed on the operators terminal for operator
assisted validation.
The validated message is transferred to the Line Terminator
addressed by the Output cotrol. The entire message
is transferred to the memory of the Line Terminator
at speed.
The Operator Assisted Validation is performed in parallel
with the automated validation. The entire message is
transferred to and stored in the operator's termnal
during the partial validation. After this, the entire
message is transferred to the GK for automated validation
of the remaining fields.
A replica of the message is retained in the Mg Tape
Interface of the MPP.
The butler is erased if the mssage has been accepted.
Otherwise, the message is logged onto the tape before
erasure of the buffer.
2.2.3 M̲e̲s̲s̲a̲g̲e̲ ̲B̲l̲o̲c̲k̲ ̲S̲p̲e̲c̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
The received message is augmented with auxilliary information
arranged in a header. The combined and formated block
is called the Message Block. See the figure overleaf.
The header is generated in the Line Terminator from
the contents of the message.
The Message Block is transferred as an entity throughout
the Filter.
2.2.3.1 T̲h̲e̲ ̲H̲e̲a̲d̲e̲r̲
The Header is composed of the following elements
o Channel number
The channel number is provided by the Input Control
Circuit.
o Reception and channel tatus
The status comprises the status provided by the
receiver circuit i.e. synchronisation status and
FCS check result. The channel status comprises
e.g. number of retransmissions before correct reception.
o Block Size
The number of byte in the Message Block
o Header Size
The number of bytes in the Header
Header: Channel number
Reception and Input Line Status
Block size
Header size
CRC Check Word
Message Directory
Message: The received message
Trailer: Channel number
MESSAGE BLOCK FORMAT
o CRC check word
The Cyclic Redundancy check word generated from
the message.
o Message Directory
A list of entry points for the sets and fields
of the message, generatedby examining the received
characters of the message for the set and field
delimiters.
2.2.3.2 M̲e̲s̲s̲a̲g̲e̲ ̲B̲o̲d̲y̲
The Message Body is the received message, ordered into
bytes of characters.
2.2.3.3 T̲r̲a̲i̲l̲e̲r̲
The Trailer is a single byte with the cannel number,
inserted by the Input Control Circuit.
2.2.4 I̲n̲t̲e̲r̲f̲a̲c̲e̲ ̲S̲p̲e̲c̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
The following interface specifications describe the
internal as well as the external electrical interfaces
of the Multi Channel Security Filter.
2.2.4.1 L̲i̲n̲e̲I̲n̲t̲e̲r̲f̲a̲c̲e̲
The procedural and logical requirements are as specified
in the CCITT rec. X25.
2.2.4.1.1 Electrical interface: MIL-STD-188C
2.2.4.1.2 Electrical protection: TBS
2.2.4.2 I̲n̲p̲u̲t̲ ̲B̲u̲s̲
The Input Bus provides the common data parafrom the
line Terminator (input) to the Multi Purpose Processor.
2.2.4.2.1 P̲r̲o̲t̲o̲c̲o̲l̲
2.2.4.2.1.1 I̲n̲t̲e̲r̲r̲o̲g̲a̲t̲i̲o̲n̲
The Input Control issues an active level on one of
the Channel Select lines. This signal causes the selected
Line Terminator to prsent at the data output the channel
number (bus bit) and the status.
The status indicates whether a buffer is ready for
transfer.
If a buffer is ready, the transfer is initiated, otherwise
the corresponding select line is set to inactive and
th next higher channel number (module the present number
of channels) is interrogated.
2.2.4.2.1.2 I̲n̲i̲t̲i̲a̲t̲i̲o̲n̲
The selected Line Terminator which has a buffer ready
for transfer will provide an active level on the Buffer
Ready Line.
This line i monitored by the Multi Purpose Processor
MPP which responds with a pulse on the Data Strobe
line when it is ready for input which will cause the
first byte of the Message Block to appear on the Input
Bus data lines.
2.2.4.2.1.3 T̲r̲a̲n̲s̲f̲e̲r̲
The tansfer is byte sequential. The MPP requests the
next byte of the Message Block to be presented on the
Input Bus data lines by issuing a pulse on the Data
Strobe line.
The MPP continues to request the next byte for as long
as the Buffer Ready lineremains active.
An active-to-inactive transition indicates that the
present byte is the last in the current block.
2.2.4.2.1.4 T̲e̲r̲m̲i̲n̲a̲t̲i̲o̲n̲
The transfer is terminated by issuing a pulse while
the Buffer Ready line is inactive. This situation is
sensed by the Input Control which responds by de-ctivating
the current Channel Select line and interrogate the
next channel.
2.2.4.2.1.5 P̲r̲e̲m̲a̲t̲u̲r̲e̲ ̲T̲e̲r̲m̲i̲n̲a̲t̲i̲o̲n̲
The MPP may enforce a termination (abnormal condition)
by forcing a low on the Buffer Ready line and subsequently
issue a phase on th Data Strobe line.
2.2.4.2.2 L̲o̲g̲i̲c̲a̲l̲ ̲i̲n̲t̲e̲r̲f̲a̲c̲e̲ ̲s̲p̲e̲c̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
The transfer employs the following lines:
o Data, eight three-state lines, source is selected
ILT
o Channel Select, source is Input Control
o Buffer Ready, Open Collector line,source is normally
selected ILT, source is MPP in case of premature
termination
2.2.4.2.3 E̲l̲e̲c̲t̲r̲i̲c̲a̲l̲ ̲i̲n̲t̲e̲r̲f̲a̲c̲e̲ ̲s̲p̲e̲c̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
TBS
2.2.4.3 I̲n̲t̲e̲r̲n̲a̲l̲ ̲I̲n̲t̲e̲r̲f̲a̲c̲e̲ ̲S̲p̲e̲c̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
The Internal Interface Specification is applicable
to the interfacesbetween the MPP and the Gate Keeper.
2.2.4.3.1 P̲r̲o̲t̲o̲c̲o̲l̲
The protocol is as described in section .2.1 with the
remark that the Channel Select input is permanently
connected to an active level.
2.2.4.3.2 L̲o̲g̲i̲c̲a̲l̲ ̲I̲n̲t̲e̲r̲f̲a̲c̲e̲ ̲S̲p̲e̲c̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
As described in section .2.2 with the remark that the
Channel Select line is permanently connected to an
active level.
2.2.4.3.3 E̲l̲e̲c̲r̲i̲c̲a̲l̲ ̲I̲n̲t̲e̲r̲f̲a̲c̲e̲ ̲S̲p̲e̲c̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
TBS
2.2.4.4 O̲u̲t̲p̲u̲t̲ ̲B̲u̲s̲
The Output Bus provides the common data path from the
Gater Keeper(s) to the Line Terminators.
2.2.4.4.1 P̲r̲o̲t̲o̲c̲o̲l̲
2.2.4.4.1.1 I̲n̲t̲e̲r̲r̲o̲g̲a̲t̲i̲o̲n̲
The output control logic alternately seses the Channel
Request input from the two Gate Keepers in idle periods.
When one of the Gate Keepers are requesting service,
the corresponding Channel Number lines are to select
the proper Line Terminator by an active level on the
corresponding Chnnel Select Line and an active level
is issued on the corresponding Bus Grant Line. The
communication path has now been set up.
2.2.4.4.1.2 I̲n̲i̲t̲i̲a̲t̲i̲o̲n̲
The selected Line Terminator issues an active level
on the Buffer Ready line when selected wile one of
the two buffers are free.
Otherwise, the active level is delayed until one of
the buffers has been released.
The Line Terminator will present the Channel address
and the Channel Status on the data lines while selected
and until an ative level appears on the Data Strobe
line.…86…1 …02… …02… …02… …02…
2.2.4.4.1.3 T̲r̲a̲n̲s̲f̲e̲r̲
The Gate Keeper issues a pulse on the Data Strobe line
to indicate the presence of the first byte of data
on the Data lines.
2.2.5 M̲o̲d̲u̲l̲e̲ ̲S̲p̲e̲c̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
he specifications given in this subsection comprise
the Line Terminator, the Multi Purpose Processor, the
Input Control and the Output Control.
The specifications given could be considered as draft
versions of part of the final specifications whih is
to be provided later on.
It has been found necessary to work out the following
specifications in order to demonstrate the feasibility
of and analyse the security aspects of a Multi Channel
Security Filter.
2.2.5.1 L̲i̲n̲e̲ ̲T̲e̲r̲m̲i̲n̲a̲t̲o̲r̲ ̲(̲L̲T̲)̲
.2.5.1.1 G̲e̲n̲e̲r̲a̲l̲
The LT implements the interface between the X.25 protocol
of the serial communication channel and the internal
byte parallel Message Block format of the Security
Filter.
2.2.5.1.2 F̲u̲n̲c̲t̲i̲o̲n̲a̲l̲ ̲S̲p̲e̲c̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
The functions are dvided into the following groups
a) Serial Interface
b) Message Block generation (ILT)
c) Message Block verification (OLT)
d) Buffer handling
e) Parallel Output (ILT)
f) Parallel Input (OLT)
2.2.5.1.2.1 S̲e̲r̲i̲a̲l̲ ̲I̲n̲t̲e̲r̲f̲a̲c̲e̲
The Serial Interface is specified by the CCITT recommendation
X.25 levels 1 and 2, except for the electrical characteristics.
Level 1 specifies thephysical, electrical, functionel
and procedural characteristics to establish, maintain
and disconnect the physical link between the communi-
cating devices.
Level 2 specifies the link access procedure for data
interchange across the link betweenthe communicating
devices.
2.2.5.1.2.2 M̲e̲s̲s̲a̲g̲e̲ ̲B̲l̲o̲c̲k̲ ̲G̲e̲n̲e̲r̲a̲t̲i̲o̲n̲
The Message Block is generated from the received information
as specified in section 2.2.3, Message Block Specification.
The message is stored byte-wise in the Buffer Memory
in he order it is received, and the header is supplied
in front of the message as specified.
2.2.5.1.2.3 M̲e̲s̲s̲a̲g̲e̲ ̲B̲l̲o̲c̲k̲ ̲V̲e̲r̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
The Message Block Verification is made prior to the
serial transmission of a validated message.
The following veifications shall be successfully completed
before the transmission can take place.
o Check that Output device number is correct
o Perform Cyclic Redundancy Check
2.2.5.1.2.4 B̲u̲f̲f̲e̲r̲ ̲h̲a̲n̲d̲l̲i̲n̲g̲
Two pairs of buffers are available for storage o messages,
one pair for input and one pair for output. The two
buffers of a pair are used alternately.
2.2.5.1.2.5 P̲a̲r̲a̲l̲l̲e̲l̲ ̲O̲u̲t̲p̲u̲t̲
The Line Terminator implements a byte-serial output
sequence of the full message block, i.e. all retrieval
from the buffer memory is performed by the ine Terminator.
The transfer employs the following lines:
o Channel Select, input
o Data, eight three-state output lines
o Buffer Ready, output
o Data Strobe, input
The transfer is initiated by an active level on the
Channel Select Line, idicating that the Multi Purpose
Processor is ready for a new message.
The module indicates the availability of a new Message
Block by activating the Buffer Ready line.
The transfer can start upon an active Buffer Ready
and the first byte of theMessage Block will be available
on the eight data lines. Subsequent bytes are made
available each time a pulse is received on the Data
Strobe.
The Buffer Ready signal changes to the passive state
when the last byte of the Message Block has been mde
available. The Multipurpose Processor responds by changing
the Channel Select to a passive state.
2.2.5.1.2.6 P̲a̲r̲a̲l̲l̲e̲l̲ ̲I̲n̲p̲u̲t̲
The Line Terminator receives the Message Block in a
byte-serial input sequence and stores the data in the
Buffer Meory.
The transfer employs the following lines:
o Channel Select, input
o Data, eight input lines
o Buffer Ready, output
o Data Strobe, input…86…1 …02… …02… …02… …02…
The transfer is initiated by an active level on the
Channel Select line, indicating that the Multi Purpose
Processor wants to transfer a message.
The module indicates the availaility of a free buffer
by activating the Buffer Ready line.
The transfer can start upon an active Buffer Ready,
and the message is received byte by byte each time
the Data Strobe is pulsed.
The Channel Select is set to a passive state when the
ast byte has been transferred.
2.2.5.1.3 D̲e̲s̲i̲g̲n̲ ̲D̲e̲t̲a̲i̲l̲s̲
2.2.5.1.3.1 E̲l̲e̲c̲t̲r̲i̲c̲a̲l̲ ̲P̲r̲o̲t̲e̲c̲t̲i̲o̲n̲
The electrical protection circuit provides for the
following:
o Protection against permanent damage from transients
on the communication line as rquired
o Adaptation between the electrical levels on the
line and the internal logic levels
o Waveshaping and filtering as required
The interface is in accordance with MIL-STD-188C in
order to facilitate COMSEC certification on compromising
eanuation.
2.2.5.1.3.2 S̲e̲r̲i̲a̲l̲ ̲I̲n̲t̲e̲r̲f̲a̲c̲e̲ ̲C̲o̲n̲t̲r̲o̲l̲l̲e̲r̲
The Serial Interface Controller performs all the basic
transport functions on bit and byte level in the support
of a full duplex X.25 channel.
This covers for the input
o Bit synchronisatio
o format synchronisation
o Integrity check (FCS)
o Serial to parallel conversion
and for the output
o Parallel to serial conversion
o Formatting
o FCS generation …86…1 …02… …02… …02… …02…
2.2.5.1.3.3 M̲i̲c̲r̲o̲p̲r̲o̲c̲e̲s̲s̲o̲r̲
The miniprocessor performs the higher level functions
of the level 1 and all level 2 functions, supported
by the serial interface controller. In additin the
following functions are performed
o Message Block generation
o Message Block verification
o Set up of parallel input and output
The microprocessor has on-chip program storage and
scratch pad memory. It is, both by hardware and software,restricted
to a write-only function on the Buffer Memory (input)
or a Read-only function (output).
The number of bytes (the block length) in the received
Message Block is written to the Output Interface when
the Message Block has been completed. he number of
bytes in the Message Block to be transmitted is read
from the Input Interface and compared to the corresponding
number in the header.
2.2.5.1.3.4 B̲u̲f̲f̲e̲r̲ ̲M̲e̲m̲o̲r̲y̲
The Buffer Memory is physically organized in two distinct
memory banks each corresponding to two message buffers.
The input buffers hold data received from the line.
The output buffers hold data while being transmitted.
2.2.5.1.3.5 I̲n̲p̲u̲t̲ ̲a̲n̲d̲ ̲O̲u̲t̲p̲u̲t̲ ̲I̲n̲t̲e̲r̲f̲a̲c̲e̲
The Interface performs all control functions for thetransfer
at data from the Buffer Memory to the Multi Purpose
Processor (input) or from the Gate Keeper to the Buffer
Memory (output).
The interface comprises the necessary address counter,
byte counter and memory read/write control circuit
to retieve or store data from/to the Buffer Memory.
As a specific security provision, the memory read function
(input) includes erasure of the memory contents, i.e.
writing a fixed bit pattern into all memory locations
of the used buffer.
Similarly, th memory write function (output) is preceeded
by an erasure of the buffer area as soon as the previous
message has been transmitted and acknowledged properly.
2.2.5.1.3.6 O̲p̲t̲o̲ ̲I̲s̲o̲l̲a̲t̲o̲r̲
The Opto Isolator provides the required isolation between
data on the Output Bus and the Line Terminators which
are not selected for the current transfe.
2.2.5.1.4 S̲u̲m̲m̲a̲r̲y̲ ̲o̲f̲ ̲c̲h̲a̲r̲a̲c̲t̲e̲r̲i̲s̲t̲i̲c̲s̲
G̲e̲n̲e̲r̲a̲l̲
o Message size: max. 8000 bytes
o Throughput rate: equal to serial input rate
o Storage capacity: Two Message Blocks of maximum
8 Kbytes each
o Cyclic Redundancy geeration and verification for
data integrity check
S̲e̲r̲i̲a̲l̲ ̲I̲n̲p̲u̲t̲
o Communication protocol: CCITT rec. X.25
o Electrical Interface: MIL-STD-188C
o Data rate: nominal 2400 Band, extendable to 9.600
Band
I̲n̲p̲u̲t̲ ̲a̲n̲d̲ ̲O̲u̲t̲p̲u̲t̲ ̲I̲n̲t̲e̲r̲f̲a̲c̲e̲
o tandardized Message Block format
o Byte-serial DMA transfer with handshake
o Destruction readout
o Optical isolation of output interface
2.2.5.2 M̲u̲l̲t̲i̲ ̲P̲u̲r̲p̲o̲s̲e̲ ̲P̲r̲o̲c̲e̲s̲s̲o̲r̲ ̲(̲M̲P̲P̲)̲
2.2.5.2.1 G̲e̲n̲e̲r̲a̲l̲
The MPP performs the preparation of the message for
validation, the logging onto a recorder in case of
rejection and implements the alert function. The preparaton
includes a check of the status byte of the received
message and identification of the type of message for
the purpose of selecting between automatic and operator
assisted validation. In the latter case, the fields
which require validation by theoperator are identified
and the message is transmitted to the Operator Terminal.
The loop test program also resides in this module.
2.2.5.2.2 F̲u̲n̲c̲t̲i̲o̲n̲a̲l̲ ̲S̲p̲e̲c̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
The functions are divided into the following groups
a) Data input
b) Tye identification
c) Control and monitoring
d) Preparation for automatic validation
e) Preparation for operator assisted validation
f) Data output and erasure
g) Logging
h) Loop test
2.2.5.2.2.1 D̲a̲t̲a̲ ̲I̲n̲p̲u̲t̲
The Message Block is transferredfrom the Line Termination
module to the Buffer Memory of the MPP under control
of the Input Interface. Simultaneously, the Message
Block is stored in the memory of both the Mog Tape
Interface and the Terminal Interface.
The transfer employs the fllowing issues
o Data, eight input lines
o Buffer Ready, input
o Data Strobe, output
The transfer starts upon an active level on the Buffer
Ready line, indicating that the first-byte of a message
is available on the input. The subsequent-byte are
recalled by pulling the Data Strobe. The transfer is
terminated when the Buffer Ready line goes passive.
2.2.5.2.2.2 T̲y̲p̲e̲ ̲I̲d̲e̲n̲t̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
The Microprocessor reads the header information in
order to check the status and to determine the message
type.
The status must be nominal and te message type must
be known, otherwise the message is rejected and logged.
The type identification may give the result that the
message shall be subject to either automatic validation
or operator assisted validation.
2.2.5.2.2.3 C̲o̲n̲t̲r̲o̲l̲ ̲a̲n̲d̲ ̲M̲n̲i̲t̲o̲r̲i̲n̲g̲
The alert function activates an audible alarm in case
of an abnormal frequency of rejected messages.
The frequency is currently updated by an algorithm,
implemented in software and a separate output line
is activated when the frequencyexceeds a pre-specified
limit.
The alert function may also be triggered by signals
on the Monitor Lines, indicating e.g. physical access
(green door) while on-line or data integrity error
under CRC check.
The warning function activates a visibl indicator upon
detection of conditions which are neither normal nor
critical e.g. off-line condition.
2.2.5.2.2.4 P̲r̲e̲p̲a̲r̲a̲t̲i̲o̲n̲ ̲f̲o̲r̲ ̲a̲u̲t̲o̲m̲a̲t̲i̲c̲ ̲v̲a̲l̲i̲d̲a̲t̲i̲o̲n̲
TBS
Finally a command is given to the Terminal Interface,
specifying that the messae in question shall be erased.
2.2.5.2.2.5 P̲r̲e̲p̲a̲r̲a̲t̲i̲o̲n̲ ̲f̲o̲r̲ ̲o̲p̲e̲r̲a̲t̲o̲r̲ ̲a̲s̲s̲i̲s̲t̲e̲d̲ ̲v̲a̲l̲i̲d̲a̲t̲i̲o̲n̲
The preparation involves identification of the field
or fields which requires validation by the operator.
The fields ar described by a table (with one or more
elements) of pointers to each field.
This table is written to the Terminal Interface and
finally a command is given to the Interface, specifying
that the message in question shall be subject to operator
asssted validation.
2.2.5.2.2.6 D̲a̲t̲a̲ ̲O̲u̲t̲p̲u̲t̲ ̲a̲n̲d̲ ̲e̲r̲a̲s̲u̲r̲e̲
The operation performed on the Message Block upon completion
of the Message prepraration depends upon the result.
a) A message which has been destinated for automatic
validation is transfered to the Gate Keeper. The
entire Message Block is transferred from the Buffer
Memory and the buffer area is erased. The copy
in the Mag Tape Interface is retained for possible
logging and the copy in the Terminal Interface
has been erased.
b) Amessage which has been destinated for operator
assisted validation is transferred to the Operator
Terminal from the copy at the Message Block stored
in the Terminal Interface and the buffer area is
erased. The copy in the Buffer Memory is erased,
bt the copy in the Mag Tape Interface is retained
for possible logging.
c) A message which has been rejected is logged onto
the Tape recorder. The copies, the Buffer Memory
and the Terminal Interface are erased.
2.2.5.2.2.7 L̲o̲g̲g̲i̲n̲g̲
All rejectd messages are logged on tape recorder together
with the approximate time and date of occurrence.
2.2.5.2.2.8 L̲o̲o̲p̲ ̲T̲e̲s̲t̲
The test program can be activated in off-line state
with the line outputs connected externally to the line
inputs. The program performs the test by transmiting
a set of preprogrammed messages (some legal, some illegal)
around the loop and verify the result.
2.2.5.2.3 D̲e̲s̲i̲g̲n̲ ̲D̲e̲t̲a̲i̲l̲s̲
2.2.5.2.3.1 I̲n̲p̲u̲t̲ ̲I̲n̲t̲e̲r̲f̲a̲c̲e̲
The Input Interface performs all the functions required
for the transfer of data fromthe Output Interface of
the Line Terminator to the MPP.
The interface comprises the necessary address counter
and memory write control circuit.
The Buffer Memory and the compartmentalised memories
of the Mag Tape Interface and the Terminal Inteface
are addressed simultaneously.
2.2.5.2.3.2 M̲i̲c̲r̲o̲p̲r̲o̲c̲e̲s̲s̲o̲r̲
The microprocessor performs the overall control and
monitoring functions of the MPP. In addition, the following
functions are performed
o Type identification
o Calculation of thefrequency of ellegal messages
o Identification of the fields which shall be subject
to validation by the operator
o Data output set-up
o Loop test generation
The memory write function is restricted, both by hardware
and firmware to an area of he Buffer Memory which is
outside the area used for the Message Block.
2.2.5.2.3.3 B̲u̲f̲f̲e̲r̲ ̲M̲e̲m̲o̲r̲y̲
The Buffer Memory is organized into one memory bank
corresponding to one buffer and an area which can be
accessed by the microprocessor for both read an write.
2.2.5.2.3.4 P̲r̲o̲g̲r̲a̲m̲ ̲M̲e̲m̲o̲r̲y̲
The program memory is a non-volatile Read-only memory
the contents of which can not be changed without using
external programming equipment.
2.2.5.2.3.5 M̲a̲g̲ ̲T̲a̲p̲e̲ ̲I̲n̲t̲e̲r̲f̲a̲c̲e̲ ̲(̲M̲T̲I̲)̲
The MTI is a small dedicaed microprocessing system.
The main elements are
o Common Bus interface
o Serial interface to tape recorder
o Control inputs
o Dual Buffer memory
o Monitoring and control
The incoming message is stored in one of the two buffers
and will remin there until a command is given, either
causing erasure or logging onto tape prior to erasure.
The interface to the Common Bus is designed such that
the only readable memory is a status register.
The serial interface to the tape recorder carres as
well control as data. The interface is hardware in
such a way that reading the recorder is not possible.
The control inputs are connected to the Gate Keeper.
The Gate Keeper will issue a signal indicating either
accept or reject of each mesage. This causes either
erasure of the corresponding buffer or logging onto
tape prior to erasure.
2.2.5.2.3.6 M̲o̲n̲i̲t̲o̲r̲ ̲a̲n̲d̲ ̲C̲o̲n̲t̲r̲o̲l̲ ̲I̲/̲O̲
This interface provides a number of separate digital
input and output lines. Input lines comprise on-line/
off-line switch and additional montor points which
may be required.
Output lines are the Alert Line which activates the
audible alarm and the (optional) Warning Line which
could activate a light indicator.
2.2.5.2.3.7 T̲e̲r̲m̲i̲n̲a̲l̲ ̲I̲n̲t̲e̲r̲f̲a̲c̲e̲
Ter Terminal Interface is a small dediated microprocessing
system. The main elements are
o Common bus interface
o Serial interface to the terminal
o Buffer Memory
o General control and monitoring
The incoming message is stored in the buffer and remains
there until a command is gven, either causing erasure
or output to the terminal prior to erasure.
The interface to the common bus is designed such that
only the status register is readable. The serial interface
to the terminal is unidirectional. Simple handshaking
is provded such that transmission will take place only
when the terminal is ready.
2.2.5.2.4 S̲u̲m̲m̲a̲r̲y̲ ̲o̲f̲ ̲c̲h̲a̲r̲a̲c̲t̲e̲r̲i̲s̲t̲i̲c̲s̲
G̲e̲n̲e̲r̲a̲l̲
o Performs message preparation
o Interfaces to the terminal, logging recorder and
provides for control and monitoring iput/output
P̲a̲r̲a̲l̲l̲e̲l̲ ̲i̲n̲t̲e̲r̲f̲a̲c̲e̲
o Standardized parallel input and output
o Byte-serial DMA transfer with handshake
o Destructive readout
S̲e̲r̲i̲a̲l̲ ̲i̲n̲t̲e̲r̲f̲a̲c̲e̲
o Mag Tape and Terminal interface is RS232 serial
interface
M̲o̲n̲i̲t̲o̲r̲ ̲a̲n̲d̲ ̲C̲o̲n̲t̲r̲o̲l̲
o Separate digital lines are provided for optional
monitor and control poins
2.2.5.3 I̲n̲p̲u̲t̲ ̲C̲o̲n̲t̲r̲o̲l̲
The Input Control is a small, dedicated controller
which performs set-up and supervision of the data transfer
between the Line Termination modules and the Multi
Purpose Processor.
A single of the Channel Select Lines re activated at
a time. The selected Line Termination module will respond
with an active level on the Buffer Ready Line if a
full buffer is available simultaneously the module
will output the Module Address on the Input Bus. This
address is compose with the expected. The transfer
is initiated if they compare, otherwise, this error
situation will be indicated in the status word on the
Input Bus, the Buffer Ready will be overridden by the
Input Control and the channel select will subsequently
e removed.
If there is no full buffer in this module, the counter
is incremented and the next module is interrogated.
2.2.5.4 O̲u̲t̲p̲u̲t̲ ̲C̲o̲n̲t̲r̲o̲l̲
The Output Control logic performs the set-up and supervision
of the message transfer from the Gate Keper to the
Line Termination module.
The destination address for the validated message is
supplied by the Bus Supervisor module of the Gate Keeper.
This address is decoded to one out of m separate lines
which are connected to the Channel selectlines of each
Input Interface of the Termination module.
The Input Enable is activated when the Output Address
Ready line indicates Valid address. This causes that
the selected module to output its module address together
with device sttus. This address is compared with the
address from the Gate Keeper, and the status is checked.
Destination Module Ready is signalled to the Output
Interface of the Gate Keeper if the addresses compare
and if there is a free buffer and the data trasfer
can commence.
Service is offered to the other Gate Keeper if both
buffers of the Line Termination module are full.
The Bus Supervisor takes down the Output Address Ready
when the last byte has been transferred. This causes
the Output Contrl to deactivate Destination Module
Ready, which in turn causes deactivation of the Buffer
Ready line by the Output Interface of the Gate Keeper.
This change is sensed by the Line Termination module
and interpreted as an End of Transfer.
The Outpu Termnination Module responds with module
address and device status on the Output Bus.
The two Gate Keepers are serviced alternately.
2.3 P̲E̲R̲F̲O̲R̲M̲A̲N̲C̲E̲
2.3.1 S̲e̲c̲u̲r̲i̲t̲y̲
The Multichannel Configuration introduces in principle
a number of risks n addition to those of the single
channel filter as described in section 2.1.3.1.
These risks are listed in the following subsections
together with the precautions made.
2.3.1.1 I̲l̲l̲e̲g̲a̲l̲ ̲S̲o̲u̲r̲c̲e̲/̲V̲a̲l̲i̲d̲a̲t̲i̲o̲n̲ ̲t̲a̲b̲l̲e̲/̲s̲i̲n̲k̲ ̲r̲e̲l̲a̲t̲i̲o̲n̲s̲h̲i̲p̲
This is the rsk of performing the Validation with a
table, specified for another channel or the risk of
transferring the message to a wrong output line.
The mechanisms which shall assure the correct relation-
ship are the following:
o The set up of the path from the Line Terminator
to the Multi Purpose Processor is controlled ad
monitored using feedback by a simple hardware circuit
in the Input Control to assure a secure knowledge
of the source.
o The Line Terminator (input) writes the input line
number in the header of the message Block.
o The Gate Keeper reads the eader for determining
the channel number. This number is stored into
the register in the Bus Supervisor of the GK which
by a simple hardware circuit controls as well the
request for output line number as the validation
table to be used.
o The setup of the path from the Gate Keeper to the
Line Terminator (output) is controlled and monitored
using feedback by a simple hardware circuit in
the Output Control to assure a secure routing.
o The Line Terminator (output) checks the input line
numer of the header for correct relationship with
the output line number.
2.3.1.2 R̲e̲s̲i̲d̲u̲e̲
The risk of by failure to have information from one
message adhered to another is minimised by the following
precautions:
o Multiplexing is on message bass. Messages are physically
separated in separate memory areas.
o Buffer areas used for storage of messages are erased
before the next message arrives.
o Buffer areas are fixed i.e. no software controlled
dynamic memory allocation.
2.3.1.3 C̲r̲o̲s̲s̲-̲t̲a̲l̲k̲
The risk of transfer of information to other channels
in parallel with the intended by failure caused by
e.g. electromagnetic coupling or galvanic leakage isminimised
by
o Physical separation and shielding of Line Terminators
o Galvanic isolation between the Line Terminators
by opto-isolators. See the separate section on
electronic switches.
2.3.2 T̲h̲r̲o̲u̲g̲h̲p̲u̲t̲
The throughput at the filter is detrmined by the processing
time required in the common path, i.e. the Multi-Purpose
Processor and the Gate Keeper for automatically validated
messages. Here, the bottlenect will obviously be the
Gate Keeper.
The requirements for the processing of a"worst case
message" is given by the following:
A "Worst case message" is here defined as a message
with the following characteristics
a) Message size is 8000 characters
b) The mean field size is 10 characters
c) The message is divided into 20 sets of 4 fields
each
d) All fields shall be validated either against discrate
tabular values or the format shall be checked
The following estimates have been made:
Check yntax: 40 instructions/set
Check against tabular values or
check field formats: 50 instructions/field
This gives the following number of instructions for
the validation of each message:
40 x 200 + 50 x 800 = 48.000 instructions/msg.
Assuming an instruction time of 5 micro-seconds (mean),
the worst case message is processed in 240 milliseconds.
Adding the transfer time and processing time in the
MPP gives a rocessing time of less than 0.33 seconds.
Hence, the throughput of the common path for automatically
validated messages is more than 3 messages/
second.
The worst case load from one channel is less than
̲ ̲ ̲ ̲ ̲ ̲ ̲ ̲ ̲ ̲ ̲ ̲ ̲ ̲2̲4̲0̲0̲ ̲B̲a̲n̲d̲ ̲ ̲ ̲ ̲ ̲ ̲ ̲ ̲ ̲ ̲ ̲ ̲ ̲
8000 characters x 8 bit/character
or one message each 27 seconds in each direction.
This gives a capability of servicing up to 40 channels
by one Gate Keeper.
The throughput for the operator assisted validation
will obviously be set y the human validation process
and is therefore determined by factors external to
the filter.
The conclusion is that the processing performance of
the Multi Channel Security Filter is sufficiently high
for handling several channels.
2.3.3 D̲e̲l̲a̲
The total delay of a message caused by the Multi Channel
Security Filter is composed of the following
a) Time elapsed from reception of the last character
of a message to the message can be transferred
to the MPP.
b) LT to MPP transfer time
c) MPP preprocessing time
d) MPP to GK transfer time
e) GK processing time
f) Time elapsed from completion of the validation
to start of transfer
g) GK to LT transfer time
h) Time elapsed from the message has been transferred
to the LT util the first character appears on the
line
The following estimates and assumptions are made
o The message is a worst case message
o The MPP is ready to receive the message immediately
o The Line Terminator (outpu) is ready to receive
the message immediately
o Internal parallel transfers are controlled by Direct
Memory Access at a rate of 500 Kbytes per second,
giving a total transfer time of 16 milliseconds
(T…0f…tr)…0e…
o MPP processing time is less than 30milliseconds
(T…0f…Pr…0e…)
o Validation time m GK is less than 240 milliseconds
(T…0f…va…0e…) (see previous subsection)
o The other contributions totals to less than 10
milliseconds (T…0f…o…0e…)
We have then the worst case total delay time in case
of no contenion:
T…0f…tot…0e… = T…0f…o…0e… + 3 x T…0f…tr…0e… + T…0f…pr…0e… + T…0f…va…0e…
= 10 + 3 x 16 + 30 + 240 = 3̲2̲8̲ ̲m̲i̲l̲l̲i̲s̲e̲c̲o̲n̲d̲s̲
The worst case if a worst case contention occurs is
the situation where the GK has just delivered a message
of maximum size to the Line Terminato (output) and
another very short message follows immediately after
on the same channel and in the same direction. The
transmission out of the filter will in this case be
delayed by approximately the time required for transmitting
the previous messae, i.e. approx. 27 seconds.
3̲ ̲ ̲S̲H̲A̲R̲I̲N̲G̲ ̲O̲F̲ ̲H̲A̲R̲D̲W̲A̲R̲E̲
3.1 A̲N̲A̲L̲Y̲S̲I̲S̲
Target applications of the filter show generally several
channels emerging from the same computer site. It is
therefore obvious to sek for possibilities to reduce
the overall cost by sharing hardware if possible.
Regarding the Multi Channel Filter Configuration it
is seen that it actually represents such a sharing
of hardware. Additional channels require only additional
Line Trminators and the validation Table firmware required
for that particular channel.
The other hardware modules i.e. the Multi Purpose Processor,
the Gate Keppers, the Operator Terminal and the logging
recorder are shared among the channels.
A mor efficient sharing of hardware is not achievable
unless use of the same Line Terminator to serve several
channels is considered.
It is a rather straight forward task to design a Multi-
channel Line Terminator (e.g. four channels in one
module) ad the cost per channel can be significantly
reduced as compared to the one-channel Line Terminator.
However, the basic security characteristics of the
filter with Multichannel Line Terminators will be adversely
affected since unintended paths witin the Line Terminator
(e.g. caused by design error or hardware failure) may
cause a security breach.
A design which minimises this risk is likely to cost
more on a per-channel basis than the single Channel
Line Terminator.
A particular case whre sharing of hardware could be
cost efficient is the case where a number of single
channel and/or Multi channel filters is collocated.
Here, the tape recorder and/or the Operator Terminal
could be readily shared among the collocated filters.
Te only prerequisite for sharing these peripherals
is a switch (e.g. mechanical or electro-optical) which
provides a secure separation between the individual
filters.
See the figure overleaf.
3.2 S̲E̲C̲U̲R̲I̲T̲Y̲
The use of common tape recorder will require a secure
switch in order to efficiently separate the individual
filters.
The use of a common terminal will also reuire a secure
switch.
In addition, the requirements to the security of the
erasure of the storage areas of the terminal may be
strengthened if the same terminal shall serve channels
of different classification levels.
3.3 C̲O̲N̲C̲L̲U̲S̲I̲O̲N̲
The pimary objective for optional sharing of hardware
is accommodated by the Multi Channel Security Filter.
The particular case of several collocated filters can
use common tape recorder and operator terminal if a
simple (but secure!) switch is introducd.
Sharing of Peripherals
