SYSTEM AND METHOD FOR UNIDIRECTIONAL COMMUNICATION
Patent abstract:
The invention proposes a unidirectional communication system. This invention provides a solution for issuing alerts and notifications to remote operators while overcoming the problem of protecting a secure network against cyberattacks when the secure network is required to communicate information from the secure network to a public network. In practice, the solution is based on the use of a data diode (also known as a network diode, or "data diode" in English) to enable the unidirectional transmission of information from the secure network to a public network, which makes it impossible to attack the secure network from the public network. In addition, thanks to a controlled data diode, it is also guaranteed that no sensitive information can leak from the secure network via the system according to the invention. Indeed, the message is transmitted only after the message to be sent has been cleaned of sensitive information, then encrypted.
Publication number: FR3061389A1
Application number: FR1663262
Filing date: 2016-12-22
Publication date: 2018-06-29
Inventors: Gerard Dupont; Olivier Lagarde; Jean-Luc Marty
Applicant: Airbus Defence and Space SAS
Main IPC class:
Patent description:
Holder(s): AIRBUS DEFENSE AND SPACE SAS, simplified joint-stock company.
Extension request(s):
Agent(s): CABINET PLASSERAUD.
(54) UNIDIRECTIONAL COMMUNICATION SYSTEM AND METHOD.
FR 3,061,389 - A1
(57) The invention proposes a one-way communication system. This invention provides a solution for issuing alerts and notifications to remote operators while overcoming the problem of protecting a secure network against cyberattacks when the secure network is required to communicate information from the secure network to a public network. In practice, the solution is based on the use of a data diode (also known as a network diode, or “data diode” in English) to allow unidirectional transmission of information from the secure network to a public network, which makes it impossible to attack the secure network from the public network. In addition, thanks to a controlled data diode, it is also guaranteed that no sensitive information can leak from the secure network via the system according to the invention. In fact, the message is only transmitted after the message to be sent has been cleaned of sensitive information and then encrypted.
Description
Technical Field
[001] The present invention relates to a communication system from a secure network to a network of lesser trust.
Prior Art
[002] The ISO 22301 standard defines the business continuity of an information system in operation as its capacity to continue supplying products or providing services at acceptable, predefined levels after a disruptive incident. Also known by the acronym MCO (maintenance in operational condition), the business continuity of an information system in operation aims to define all the means and procedures necessary for the information system to remain, throughout its period of use, suitable for the use assigned to it.
In so-called critical information systems, MCO represents a significant operating cost because it often requires the on-site presence of at least one maintenance technician who must be ready to intervene at any time, as soon as a disruptive incident is detected. This configuration is dictated in particular by the need for confidentiality of the information associated with the operation of these systems.
[004] In order to reduce the operating cost of MCO, operators of critical information systems are increasingly considering the use of remote monitoring, as is often the case for non-critical information systems. In practice, when a disruptive event occurs, a warning message is automatically transmitted to the on-call maintenance technician, for example via SMS, e-mail or voice call over fixed or cellular telephony.
However, the adoption of remote monitoring of critical information systems via a public network does not inspire confidence in the operators concerned. Indeed, the devices currently used to issue on-call alerts do not guarantee sufficient security for the interconnection between the information system and the public network, so that there are risks of computer intrusion and/or loss of sensitive information.
It is therefore important to propose a solution to these problems, because such security flaws can allow computer attacks that cause, for example, the modification of the behavior of the information system or its unavailability through saturation of its resources, or that allow, for example, sensitive information to be retrieved from the information system.
Summary of the invention
[007] To this end, a first object of the invention relates to a communication system for the transmission of at least one message from a first network of a first information system to a second network of a second information system, the first network having a higher security classification than that of the second network.
In practice, the system includes:
- a system input capable of being connected to the first network, and designed to receive the message, the message comprising at least a first metadata associated with the operation of the first information system;
- a system output capable of being connected to the second network;
- an information analysis and filtering unit coupled to the system input, and designed to generate a filtered message by filtering the message according to a filtering signal so that at least one sensitive information associated with the at least one first metadata is hidden;
- an information encryption unit coupled to the information analysis and filtering unit, and intended to generate an encrypted message by encrypting the filtered message according to an encryption signal;
- a data diode circuit coupled to the information encryption unit, and comprising a circuit input and a circuit output, the data diode circuit being designed to transfer the encrypted message unidirectionally between the circuit input and the circuit output, the data diode circuit further comprising a control input and activation means for preventing or allowing the passage of the encrypted message between the circuit input and the circuit output according to a control signal received at the control input;
- a message transmission unit coupled between the circuit output and the system output, and intended to transmit a call message comprising the encrypted message; and,
- a processor coupled to the information analysis and filtering unit, to the information encryption unit and to the data diode circuit, and designed to generate the filtering signal, the encryption signal and the control signal.
In a first implementation, the data diode circuit further comprises a data diode element having a transmission unit provided for transmitting the encrypted message unidirectionally, the activation means being operable between a first position in which the activation means are arranged so as to interrupt the supply to the transmission unit and a second position in which the activation means are arranged so as to activate the supply to the transmission unit.
In a second implementation, the information analysis and filtering unit is further provided for generating a first operation termination signal indicative of the completion of the operations of the information analysis and filtering unit. In addition, the information encryption unit is further provided for generating a second operation termination signal indicative of the completion of the operations of the information encryption unit. Finally, the processor is further provided to generate the control signal in response to the successive generation of the first operation termination signal and the second operation termination signal.
In a third implementation, the system further comprises:
- a memory port coupled to the processor, and designed to receive a portable memory; and,
- a portable memory capable of being received in the memory port and configured to store filtering data and encryption data.
In this case, the processor is further provided to configure the filtering signal and the encryption signal from the filtering data and the encryption data, respectively.
According to an example of the third implementation:
- the portable memory is further configured to store at least one contact list comprising at least one call number of a mobile device to be contacted, each call number being associated with at least one second metadata relating to the operation of the first information system;
- the processor is further provided for including the contact list in the filtering signal;
- the information analysis and filtering unit is further provided for generating an association message associating the filtered message with at least one call number, the at least one second metadata of which coincides with the first metadata;
- the information encryption unit is further provided for associating the association message with the encrypted message; and,
- the message sending unit is further provided for sending the call message according to the association message.
In this case, preferably, the message transmission unit is further provided for generating and transmitting a periodic heartbeat message while waiting for a call message.
Advantageously, the message sending unit is further provided for destroying the call message following the transmission of the call message.
In a particular arrangement, the message sending unit is configured to send the call message using a messaging protocol chosen from at least one of the following protocols: SMS, MMS, XMPP and SMTP.
In another particular arrangement:
- the information analysis and filtering unit, the information encryption unit and the processor are included in a first enclosure;
- the data diode circuit is included in a second enclosure; and,
- the message sending unit is included in a third enclosure.
In this case, the first enclosure, the second enclosure and the third enclosure are geographically distinct from each other so that no electromagnetic radiation can be picked up from one enclosure to another.
Advantageously:
- the information analysis and filtering unit, the information encryption unit, the processor and the message transmission unit are included in a first enclosure; and,
- the data diode circuit is included in a second enclosure.
In this case, the first enclosure and the second enclosure are geographically distinct from each other so that no electromagnetic radiation can be picked up from one enclosure to another.
Finally, a second object of the invention relates to a method of transmitting at least one message from a first network of a first information system to a second network of a second information system, the first network having a security classification higher than that of the second network, the message comprising at least a first metadata associated with the operation of the first information system.
In practice, the method comprises the following steps:
- generate a filtered message by filtering the message as a function of a filtering signal so that at least one sensitive item of information associated with the at least one first metadata is masked;
- generate an encrypted message by encrypting the filtered message according to an encryption signal;
- transfer the encrypted message unidirectionally from the secure network to the non-secure network according to a control signal, only when the filtering and encryption have been carried out.
Brief Description of the Drawings
The characteristics and advantages of the invention will be better understood on reading the description which follows and with reference to the appended drawings, given by way of illustration and in no way limiting.
Figure 1 shows an example of implementation of the system according to the invention.
Figure 2 shows an implementation of the data diode circuit according to the invention.
Figure 3 shows a flow diagram of a method according to the invention.
Description of the embodiments
In the context of this description, the term “information system” means all of the hardware means, software means, databases and communication networks that can be arranged to supply products or services in a so-called critical area. In addition, the term “critical area” is understood to mean information systems for which a failure can have dramatic consequences, such as death, serious injury, significant material or economic damage, or serious consequences for the environment. Thus, this definition covers, for example, transport information systems (e.g. for piloting an airplane, train, car or boat), energy information systems (e.g. for controlling a nuclear power plant), health information systems (e.g. a medical device) or telecommunication information systems (e.g. a ground communication system, a satellite communication system). However, any information system conforming to the definition above is also envisaged in this description.
In the description, the term “disruptive incident” also means all of the events related to the operating state of an information system, such as: the failure of a storage component, the power supply failure of a motor of a device, a drop in the control voltage of a machine, a drop in the power (hydraulic, electrical, etc.) received by a machine, or a mechanical failure.
However, it should be noted that the invention does not relate to the detection and diagnosis of a disruptive incident. In the remainder of the description, it will be considered that an incident at the level of an information system has been detected and diagnosed as being disruptive. The disruptive incident is then included in a message to be transmitted to a maintenance technician or a technical expert.
In the invention, a solution is proposed to the problem of protecting a secure network against cyberattacks when the secure network is required to communicate information from the secure network to a public network, for example by issuing alerts and notifications to remote operators. In practice, the solution is based on the use of a data diode (also known as a network diode, or "data diode" in English) to allow one-way transmission of information from the secure network to a public network. This has the effect of making an attack on the secure network from the public network impossible. Thus, this arrangement guarantees a physical separation between the secure network and the public network.
Figure 1 shows a system 300 according to the invention. In the example of FIG. 1, the system 300 is arranged between a secure network 100 and a non-secure network 200. The secure network 100 is associated with a first information system while the non-secure network 200 is associated with a second information system different from the first information system. In general, the secure network 100 is considered to be more secure than the non-secure network 200 because it has a higher security classification than that of the non-secure network 200.
Structurally, the system 300 comprises a system input 301 and a system output 302. In addition, the system 300 comprises an information analysis and filtering unit 310, an information encryption unit 320, a data diode circuit 330, a message sending unit 340 and a processor 350.
In the example of FIG. 1, the system input 301 is configured to be connected to the secure network 100 while the system output 302 is configured to be connected to the non-secure network 200. When the system 300 is in operation, the system input 301 is provided for receiving a message comprising at least one metadata associated with the operation of the first information system.
The term message means a set of digital signals put in a determined form. For example, the message received at the system input 301 can be a text message formatted according to RFC 5424 or any other format, standardized or not. The message can include elements identifying the message, the time at which the message was generated, the source of the message, or the event that caused the message to be generated. However, other elements can be added to the message to be transmitted.
Metadata here means any information descriptive of the operation of the first information system. For example, in the field of transport, this may be data relating to the failure of a storage component, the state of health of the motors or the temperature of a part or of a component.
Returning to FIG. 1, the information analysis and filtering unit 310 is coupled to the system input 301. In operation, the information analysis and filtering unit 310 is configured to generate a filtered message by filtering the received message according to a filtering signal. The filtering signal contains all the information allowing the information analysis and filtering unit 310 to determine the extent of the information to be filtered. In practice, the information analysis and filtering unit 310 filters the metadata of the message received from the system input 301 so that at least one sensitive information item associated with the metadata is masked. This has the effect of preventing the leaking of sensitive information from the secure network 100.
Sensitive information means information or knowledge, obtained directly or indirectly, which, if revealed to the public, would harm the information system to which it relates. In other words, it is information whose disclosure, misuse, modification or unauthorized access can adversely affect the security of the information system concerned.
For example, it may be information associated with the identification of the computer servers of the information system, such as IP addresses, the names of the servers or the size of the computer servers. Indeed, such information can, for example, reveal the attack or defense capabilities of the information system. In this case, if sensitive information falls into the wrong hands, it could adversely affect the security of an organization.
In a first particular implementation of the information analysis and filtering unit 310, the masking is carried out by removing the sensitive information from the metadata. For example, the IP address of a server that has experienced a disruptive incident can be removed from the metadata.
In a second implementation of the information analysis and filtering unit 310, the masking is carried out by replacing the sensitive information of the metadata with one or more items of non-sensitive information. For example, the name of a server that has undergone a disruptive incident can be replaced by another name or an acronym different from the server's real name. In this case, the replacement word or words must be known to the operator who will receive the message. Another possibility of the same kind consists in replacing the sensitive information with a concealed or encoded form of the sensitive information.
In a third implementation of the information analysis and filtering unit 310, the masking is carried out by a combination of deletion and replacement of the sensitive information. Thus, if a metadata includes the IP address and the name of a server having suffered a disruptive incident, the solutions of the first implementation and of the second implementation can be used jointly. For example, the IP address can be replaced with an acronym and the server name can be removed from the metadata.
Still in FIG. 1, the information encryption unit 320 is coupled to the information analysis and filtering unit 310.
In operation, the information encryption unit 320 is configured to generate an encrypted message by encrypting the filtered message based on an encryption signal. The encryption signal contains all the information allowing the information encryption unit 320 to encrypt the filtered message. In practice, the encryption can be done using any encryption means known to those skilled in the art, in particular by the use of a symmetric or asymmetric algorithm. This has the effect of preventing the interception of notification messages sent from the secure network 100.
Again in Figure 1, the data diode circuit 330 is coupled to the information encryption unit 320. The data diode circuit 330 includes a circuit input 331, a circuit output 332 and a data diode element 333. In operation, the data diode element 333 is configured to transfer the encrypted message unidirectionally between the circuit input 331 and the circuit output 332. Indeed, the data diode element 333, which is also known as a network diode, is a system which allows two computer networks to be interconnected by authorizing data transfer in one direction only. This type of system is generally used to connect a network requiring a high level of security to a network of lesser trust (for example the Internet). In this case, only the flow of information from the less trusted network is authorized, in order to guarantee the confidentiality of the secure network by preventing leakage of sensitive information. However, in the context of the invention it is envisaged to use the data diode element 333 in the opposite direction, so that only the flow of information from the secure network is possible. This has the effect that it is impossible to carry out computer attacks from outside the secure network, since there is only one communication channel, from the secure network to the less trusted network and not in the other direction.
In addition, in FIG. 1, the data diode circuit 330 comprises a control input 335 and activation means 334 to prevent or allow the passage of the encrypted message between the circuit input 331 and the circuit output 332 as a function of a control signal received at the control input 335. The activation means 334 are designed to be actuable between a first position in which the activation means 334 prevent the passage of the encrypted message, and a second position in which the activation means 334 allow the passage of information. Finally, the activation means 334 are normally actuated in the first position.
Figure 2 shows a particular implementation of the data diode circuit 330 according to the invention. In the example of FIG. 2, the data diode element 333 of the data diode circuit 330 comprises a transmission element TX and a reception element RX, both provided in combination for transmitting the encrypted message unidirectionally between the transmission element TX and the reception element RX. In one example, the data diode element 333 is made on the basis of an optical fiber comprising only one strand. In this case, the transmission element TX can be a light source intended to emit a light flux in the optical fiber and the reception element RX can be a photo-receiver intended to receive the light flux. However, other unidirectional network link implementations can also be used with the invention. For example, the use of a partial RS-232 serial link or a partial RJ45 Ethernet link, with corresponding transmission and reception elements, is also envisaged.
In a particular implementation of FIG. 2, the activation means 334 are actuated in the first position by controlling the interruption of the supply of the transmission element TX, while the activation means 334 are actuated in the second position by controlling the activation of the supply of the transmission element TX.
For this, the activation means 334 can be directly connected to the power supply of the transmission element TX.
Returning to FIG. 1, the message sending unit 340 is coupled between the circuit output 332 and the system output 302. In operation, the message sending unit 340 is configured to send a call message including the encrypted message. In a particular implementation, the message sending unit 340 is configured to send the call message using a messaging protocol chosen from at least one of the following protocols: SMS, e-mail, MMS, XMPP...
Thus, for better security, no copy of the message sent is kept at the level of the system 300. In a particular implementation, the message transmission unit 340 is provided for destroying the call message following the transmission of the call message. In an example of the previous implementation, the message transmission unit 340 is provided to receive an acknowledgment message in response to the transmission of the call message and to destroy the call message in response to receipt of the acknowledgment message.
In another particular implementation, the message transmission unit 340 is further provided for generating and transmitting a periodic heartbeat message (in English, heartbeat message or keep alive message) while waiting for a call message. The heartbeat message is intended to indicate to the recipient of the message that the system 300 is still running. In other words, the periodic heartbeat message indicates to the recipient of the message that the system 300 is still active. In one example, the period of generation and transmission of the heartbeat message can be fixed at every minute, every half hour or every hour. In a particular implementation, the periodic heartbeat message is encrypted and arranged so that it is not possible to intercept it and thus to simulate the presence of the system 300 by replaying a heartbeat transmission sequence that has already been used.
Finally, in FIG. 1, the processor 350 is coupled to the information analysis and filtering unit 310, to the information encryption unit 320 and to the data diode circuit 330. In operation, the processor 350 is configured to generate the filtering signal, the encryption signal and the control signal.
In a first implementation of the processor 350, all of the information making it possible to configure the filtering signal, the encryption signal and the control signal is included in a memory of the processor 350. In this case, it is the processor 350 which orders the generation of the filtering, encryption and control signals. In the context of this particular implementation, it is understood that the filtering signal is generated before the encryption signal, so as to generate the control signal actuating the activation means 334 in the second position only when the masking and filtering operations have been carried out. For example, the processor 350 can generate the encryption signal after a predetermined time delay following the generation of the filtering signal, and the control signal after a predetermined time delay following the generation of the encryption signal. In this way, it can be guaranteed that the information transmitted has previously been filtered of all sensitive information and encrypted.
In a second implementation of the processor 350, the generation of the control signal is conditioned by the execution of the operations of the information analysis and filtering unit 310 and then of the information encryption unit 320. In practice, the information analysis and filtering unit 310 is further provided for generating a first operation termination signal indicative of the completion of the operations of the information analysis and filtering unit 310. The same is true for the information encryption unit 320, which is also provided for generating a second operation termination signal indicative of the completion of the operations of the information encryption unit 320.
Finally, the processor 350 is further provided for generating the control signal in response to generation of the first operation termination signal and the second operation termination signal. In the context of this particular implementation, it is understood that the first operation termination signal is generated before the second operation termination signal, so as to generate the control signal actuating the activation means 334 in the second position only when the masking and filtering operations have been carried out. In this way, it can be guaranteed that the information transmitted has previously been filtered of all sensitive information and encrypted.
In another particular implementation of the system 300, a memory port and a portable memory are incorporated. In this implementation, the memory port is coupled to the processor 350 and configured to receive the portable memory. In addition, the portable memory is configured to store filtering data and encryption data. Finally, the processor 350 is adapted to configure the filtering signal and the encryption signal from the filtering data and the encryption data, respectively. Thus, in this particular implementation, the data making it possible to configure the filtering signal and the encryption signal are obtained from the portable memory. This offers the owners of the secure information system 100 the possibility of determining how the filtering and encryption should be carried out. In an example of this particular implementation of the system 300, the portable memory can also be configured to store control data usable by the processor 350 to configure the control signal.
In an example of the previous implementation, the portable memory is further configured to store at least one contact list comprising at least the call number of a mobile or fixed device to contact. In this example, each call number is associated with at least one second metadata relating to the operation of the secure network 100.
In addition, the processor 350 is also designed to include the contact list in the filtering signal. Furthermore, the information analysis and filtering unit 310 is also configured to generate an association message associating the filtered message with at least one call number, the second metadata of which coincides with the first metadata. The effect of this arrangement is to allow the occurrence of an incident to be notified to the technician or technicians most suitable for resolving the incident.
The first metadata and the second metadata are said to coincide when they both include information relating to the same disruptive incident of the secure network 100. For example, if the first metadata includes information indicating that a storage component has failed, then a second metadata which coincides with the first metadata also includes information relating to the failure of a storage component. In practice, as each call number is associated with a technician who is a specialist in one or more disruptive incidents of the secure network 100, the coincidence according to the invention aims to limit the call list to only the numbers associated with the technicians who are specialists in the disruptive incident that has occurred.
In a particular implementation, a coincidence table can be established to associate a technical specialty with a disruptive incident. For example, all the failures of the first information system which are related to mechanics can be put in coincidence with the technical specialty of a mechanic. Thus, thanks to the coincidence table and the contact list, the information analysis and filtering unit 310 is capable of determining the relevant call number or numbers associated with the occurrence of a particular disruptive incident, by making the disruptive incident coincide with a particular technical specialty.
In practice, it is possible to envisage storing the coincidence table in a memory of the information analysis and filtering unit 310 or even in the processor 350.
In another example of the previous implementation, it is possible to envisage moving the functionality that determines the relevant telephone number or numbers associated with the occurrence of a particular disruptive incident into a unit separate from the information analysis and filtering unit 310. For example, a routing unit coupled to the analysis unit can be used. In this case, the routing unit can include a memory and a processor. The memory may then include, in particular, the contact list and the coincidence table, both of which are mentioned above. In this particular example, the information analysis and filtering unit 310 is configured to supply the second metadata relating to the operation of the secure network 100 to the routing unit. Thereafter, the routing unit is configured to determine and return to the information analysis and filtering unit 310 at least one call number, the second metadata of which coincides with the first metadata. In addition, the routing unit is also configured to determine and return to the information analysis and filtering unit 310 the relevant telephone number or numbers associated with the occurrence of a particular disruptive incident, by making the disruptive incident coincide with a particular technical specialty.
Thereafter, the information encryption unit 320 is also configured to associate the association message with the encrypted message. Finally, the message transmission unit 340 is also configured to transmit the call message according to the association message. In another example of this implementation, it is possible to envisage including the contact list in a memory of the processor 350.
In an implementation of the invention, the different elements of the system 300 can be physically arranged in several ways. For example, in a first arrangement, the information analysis and filtering unit 310, the information encryption unit 320 and the processor 350 are grouped together in a first enclosure. Next, the data diode circuit 330 is positioned in a second enclosure separate from the first enclosure. Finally, the message transmission unit 340 is positioned in a third enclosure separate from the first enclosure and the second enclosure. In this arrangement, the first enclosure, the second enclosure and the third enclosure can be geographically distinct from one another so that no electromagnetic radiation can be picked up from one enclosure to another. In a second arrangement, the information analysis and filtering unit 310, the information encryption unit 320, the processor 350 and the message transmission unit 340 are grouped together in a first enclosure. Next, the data diode circuit 330 is positioned in a second enclosure separate from the first enclosure. In this arrangement, the first enclosure and the second enclosure are geographically distinct from each other so that no electromagnetic radiation can be picked up from one enclosure to another.

In the description, it has been considered that the information transmitted from the secure network 100 to the non-secure network 200 was linked to a malfunction of the first information system. This has the effect of allowing corrective maintenance to be implemented under remote on-call support for the first information system via a public network. However, thanks to the invention, information which is not necessarily linked to a malfunction of the first information system can also be transmitted outside this system. In this case, the information analysis and filtering unit 310 must be configured to let the corresponding information pass.
This will have the effect of enabling remote monitoring of the first information system.

The invention also relates to a transmitter (not shown) of a wired or wireless type communication system comprising the system 300 as described above. Such a transmitter allows the establishment of a one-way encrypted communication through any communication network, and in particular a public network.

The invention also relates to a method 400 for the transmission of at least a first metadata from the secure network 100 to the non-secure network 200 according to the technical aspects described above. In FIG. 3, the method 400 comprises the following steps:
- generating 410 a filtered message by filtering the first metadata as a function of the filtering signal as described above, so that at least one sensitive item of information associated with the first metadata is masked;
- generating 420 an encrypted message by encrypting the filtered message according to the encryption signal as described above;
- unidirectionally transferring 430 the encrypted message from the secure network 100 to the non-secure network 200, conditionally, by controlling the passage of the encrypted message as a function of the control signal as described above.

The invention described provides a solution to the problem of protecting a secure network against cyberattacks when the secure network is required to communicate information from the secure network to a public network. Indeed, as a whole, the system according to the invention can hardly be compromised by a cyberattack. More specifically, only the message sending unit is likely to be compromised or damaged by such an attack. However, since this unit is positioned downstream of the physical security limit of the system (i.e. after the data diode circuit), its loss has no impact on the overall security of the secure network.
Thus, the addition of a system according to the invention to an existing information system does not provide an opportunity for mounting a cyberattack against the network of this information system. In addition, thanks to the use of a controlled data diode circuit, it is also guaranteed that no sensitive information can leak from the secure network via the system according to the invention. The concept of a data thyristor can also be used. Indeed, just as a thyristor allows the unidirectional conduction of current under the command of a trigger, the data thyristor allows the unidirectional transmission of a message after the message to be sent has been cleaned of sensitive information, then encrypted. In this case, the message acts as the current, while the cleaning confirmation information and the encryption of the message together act as the trigger for the thyristor.
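The gating described by method 400 and the data thyristor analogy, as an added Python example that is not part of the patent: the gate forwards a message only after it has received the filtering completion signal and then the encryption completion signal, in that order. The field names, the `***` mask, the signal names and the HMAC-based cipher (a standard-library stand-in for the encryption the patent leaves unspecified) are assumptions.

```python
import hashlib
import hmac
import json
import os

SENSITIVE_KEYS = {"hostname", "ip", "site"}   # assumed filtering data
# Constructed sample alert from the secure side (not from the patent).
SAMPLE_INCIDENT = {"incident": "storage component failure",
                   "hostname": "srv-01.secure.example", "ip": "10.0.0.5"}


def filter_message(metadata, sensitive_keys=SENSITIVE_KEYS):
    """Step 410: mask sensitive fields, keep the incident description."""
    return {k: ("***" if k in sensitive_keys else v) for k, v in metadata.items()}


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode used as a keystream generator.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_message(filtered, enc_key, mac_key):
    """Step 420: encrypt-then-MAC. Stand-in only; deploy a vetted AEAD instead."""
    plaintext = json.dumps(filtered, sort_keys=True).encode()
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt_message(blob, enc_key, mac_key):
    """Receiver on the public side: verify the tag first, then decrypt."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(enc_key, nonce, len(body))
    return json.loads(bytes(a ^ b for a, b in zip(body, stream)))


class DataThyristor:
    """Controlled diode: conducts only after 'filtered' then 'encrypted'."""

    def __init__(self):
        self._signals = []
        self.public_side = []          # what the message transmission unit receives

    def signal(self, name):
        self._signals.append(name)     # operation termination signal

    def transfer(self, blob):
        armed = self._signals == ["filtered", "encrypted"]
        self._signals = []             # trigger is consumed: each message must re-arm the gate
        if armed:
            self.public_side.append(blob)
        return armed                   # False means the blob was dropped, nothing crossed


def send_alert(metadata, gate, enc_key, mac_key):
    """Method 400 end to end; returns True if the message crossed the diode."""
    filtered = filter_message(metadata)
    gate.signal("filtered")
    blob = encrypt_message(filtered, enc_key, mac_key)
    gate.signal("encrypted")
    return gate.transfer(blob)
```

A message offered to the gate with the signals missing or out of order is dropped rather than queued, which mirrors the power-interrupting activation means of claim 2: nothing reaches the public side unless both confirmations preceded it.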
Claims (11):

1. Communication system (300) for the transmission of at least one message from a first network (100) of a first information system to a second network (200) of a second information system, the first network (100) having a higher security classification than that of the second network, the system (300) comprising:
- a system input (301) capable of being connected to the first network, and designed to receive the message, the message comprising at least a first metadata associated with the operation of the first information system;
- a system output (302) capable of being connected to the second network;
- an information analysis and filtering unit (310) coupled to the system input, and designed to generate a filtered message by filtering the message according to a filtering signal so that at least one piece of sensitive information associated with the at least one first metadata is masked;
- an information encryption unit (320) coupled to the information analysis and filtering unit, and intended to generate an encrypted message by encrypting the filtered message according to an encryption signal;
- a data diode circuit (330) coupled to the information encryption unit (320), and comprising a circuit input (331) and a circuit output (332), the data diode circuit (330) being designed to transfer the encrypted message unidirectionally between the circuit input (331) and the circuit output (332), the data diode circuit further comprising a control input (335) and activation means (334) to prevent or allow the passage of the encrypted message between the circuit input (331) and the circuit output (332) based on a control signal received at the control input (335);
- a message transmission unit (340) coupled between the circuit output (332) and the system output (302), and intended to transmit a call message comprising the encrypted message; and,
- a processor (350) coupled to the information analysis and filtering unit (310), to the information encryption unit (320) and to the circuit (330), and designed to generate the filtering signal, the encryption signal and the control signal.

2. The system as claimed in claim 1, in which the data diode circuit further comprises a data diode element (333) having a transmission unit intended to transmit the encrypted message unidirectionally, the activation means (334) being designed to be operable between a first position in which the activation means (334) are arranged so as to interrupt the power supply to the transmission unit and a second position in which the activation means (334) are arranged so as to activate the power supply to the transmission unit.

3. System according to any one of claims 1 or 2 in which,
- the information analysis and filtering unit (310) is further provided for generating a first operation termination signal indicative of the completion of the operations of the information analysis and filtering unit (310);
- the information encryption unit (320) is further provided for generating a second operation termination signal indicative of the completion of the operations of the information encryption unit (320); and,
- the processor (350) is further provided for generating the control signal in response to the successive generation of the first operation termination signal and the second operation termination signal.

4. System according to any one of claims 1, 2 or 3 further comprising,
- a memory port coupled to the processor, and designed to receive a portable memory; and,
- a portable memory capable of being received in the memory port and configured to store filtering data and encryption data;
wherein the processor is further provided to configure the filtering signal and the encryption signal, from the filtering data and encryption data, respectively.

5. System according to claim 4, in which,
- the portable memory is further configured to store at least one contact list comprising at least one call number of a mobile device to be contacted, each call number being associated with at least one second metadata relating to the operation of the first information system,
- the processor is further provided for including the contact list in the filtering signal,
- the information analysis and filtering unit is further provided for generating an association message associating the filtered message with at least one call number, the at least one second metadata of which coincides with the first metadata,
- the information encryption unit is further provided for associating the association message with the encrypted message; and,
- the message sending unit is further provided for sending the call message according to the association message.

6. The system of claim 5 wherein the message sending unit is further provided for generating and transmitting a periodic heartbeat message while waiting for a call message.

7. System according to any one of claims 1, 2, 3, 4, 5 or 6 wherein the message transmission unit is further provided for destroying the call message following the transmission of the call message.

8. System according to any one of claims 1, 2, 3, 4, 5, 6 or 7 in which the message transmission unit is configured to transmit the call message using a messaging protocol chosen from at least one of the following protocols: SMS, MMS, XMPP and SMTP.

9. System according to any one of claims 1, 2, 3, 4, 5, 6, 7 or 8 in which,
- the information analysis and filtering unit, the information encryption unit and the processor are included in a first enclosure,
- the data diode circuit is included in a second enclosure; and,
- the message sending unit is included in a third enclosure;
wherein the first enclosure, the second enclosure and the third enclosure are geographically distinct from each other so that no electromagnetic radiation can be picked up from one enclosure to another.

10. System according to any one of claims 1, 2, 3, 4, 5, 6, 7, 8 or 9 in which,
- the information analysis and filtering unit, the information encryption unit, the processor and the message transmission unit are included in a first enclosure; and,
- the data diode circuit is included in a second enclosure;
wherein the first enclosure and the second enclosure are geographically distinct from each other so that no electromagnetic radiation can be picked up from one enclosure to another.

11. Method (400) for transmitting at least one message from a first network (100) of a first information system to a second network (200) of a second information system, the first network (100) having a security classification higher than that of the second network, the message comprising at least a first metadata associated with the operation of the first information system, the method comprising the following steps:
- generating (410) a filtered message by filtering the message according to a filtering signal so that at least one sensitive item of information associated with the at least one first metadata is masked;
- generating (420) an encrypted message by encrypting the filtered message according to an encryption signal;
- unidirectionally transferring (430) the encrypted message from the secure network (100) to the non-secure network (200) according to a control signal, only when the filtering and encryption have been carried out.
Similar technologies:

| Publication number | Publication date | Patent title |
|---|---|---|
| EP3485418B1 | 2020-03-11 | System and method for unidirectional communication |
| US20170048195A1 | 2017-02-16 | Security information and event management |
| US8650256B2 | 2014-02-11 | Communications security by enforcing offline consumption and auto-termination of electronic messages |
| CN102075450B | 2015-03-04 | Utility method for recording chatting content of instant messaging device |
| EP2215801B1 | 2011-04-13 | Method for securing a bi-directional communication channel and device for implementing said method |
| CN102006186B | 2012-10-17 | System for monitoring illegal external connection of intranet equipment and method thereof |
| WO2016055750A1 | 2016-04-14 | Method for dynamic adjustment of a level of verbosity of a component of a communications network |
| US10606817B2 | 2020-03-31 | System and method for capturing data sent by a mobile device |
| EP2517139A1 | 2012-10-31 | Method for detecting the hijacking of computer resources |
| US20200193019A1 | 2020-06-18 | Managing data exfiltration risk |
| EP2773067B1 | 2019-08-07 | Method for improving the reliability of alert message generation on a synchronised data network |
| WO2013092514A1 | 2013-06-27 | Method of pairing an electronic apparatus and a user account within an on-line service |
| EP3716073A1 | 2020-09-30 | On-board system on board an aircraft for detecting and responding to incidents with storage of logs |
| FR2835673A1 | 2003-08-08 | Automation equipment having an instant messaging communication capability enabling its remote real-time command and control via a third party connected to an instant messaging server |
| FR2917256A1 | 2008-12-12 | INTERNET COMMUNICATION SYSTEM WITH INTEGRATED LINK VERIFICATION AND CORRESPONDING METHOD |
| FR3042624A1 | 2017-04-21 | METHOD FOR AIDING THE DETECTION OF INFECTION OF A TERMINAL BY MALWARE SOFTWARE |
| FR3071946B1 | 2019-09-27 | ELECTRONIC DEVICE AND METHOD OF MONITORING DATA STORED IN AN AVIONIC APPARATUS, COMPUTER PROGRAM |
| EP2464068B1 | 2019-06-19 | System for overall management of personalised filtering based on a secured information exchange circuit and related method |
| FR3079642A1 | 2019-10-04 | COMPUTER INTRUSION SENSOR AND METHOD FOR CREATING AN INTRUSION SENSOR |
| EP3068101A1 | 2016-09-14 | Electronic system for securely retransmitting messages, associated retransmission method and computer program product |
| FR3105486A1 | 2021-06-25 | Method for detecting malicious behavior in a communication network, device, equipment for accessing said network, method for detecting a distributed attack in said network, device, node equipment and corresponding computer programs |
| FR3105467A1 | 2021-06-25 | secure asynchronous serial link |
| CH714466A2 | 2019-06-28 | Device for monitoring and management of a technical installation, method implemented by this device and associated system. |
| FR2806503A1 | 2001-09-21 | Security data analyzing method for building up security audit trail for computer network fire-walls in which data is processed locally before being sent to a central server to reduce data traffic and central processing |
| EP2325772A2 | 2011-05-25 | Method and apparatus for protecting encryption equipment from a potential security incident. |
Patent family:

| Publication number | Publication date |
|---|---|
| US11178119B2 | 2021-11-16 |
| FR3061389B1 | 2019-05-31 |
| EP3485418B1 | 2020-03-11 |
| EP3485418A1 | 2019-05-22 |
| US20200412700A1 | 2020-12-31 |
| ES2795109T3 | 2020-11-20 |
| CA3086426C | 2021-06-01 |
| WO2018115359A1 | 2018-06-28 |
| CA3086426A1 | 2018-06-28 |
Cited references:

| Publication number | Filing date | Publication date | Applicant | Patent title |
|---|---|---|---|---|
| US20150161397A1 | 2013-12-08 | 2015-06-11 | Microsoft Corporation | Managing sensitive production data |
| US20160063269A1 | 2014-09-03 | 2016-03-03 | Microsoft Corporation | Outsourcing Document-Transformation Tasks while Protecting Sensitive Information |
| US8065725B2 | 2003-05-30 | 2011-11-22 | Yuliang Zheng | Systems and methods for enhanced network security |
| US9015301B2 | 2007-01-05 | 2015-04-21 | Digital Doors, Inc. | Information infrastructure management tools with extractor, secure storage, content analysis and classification and method therefor |
| US8156159B2 | 2009-02-11 | 2012-04-10 | Verizon Patent And Licensing, Inc. | Data masking and unmasking of sensitive data |
| US8250358B2 | 2009-04-01 | 2012-08-21 | Raytheon Company | Data diode system |
| US8930381B2 | 2011-04-07 | 2015-01-06 | Infosys Limited | Methods and systems for runtime data anonymization |
| US20160203264A1 | 2015-01-09 | 2016-07-14 | Intelemage, Llc | Systems, methods, and computer program products for processing medical images to address privacy concerns |
| US10049227B1 | 2015-03-27 | 2018-08-14 | State Farm Mutual Automobile Insurance Company | Data field masking and logging system and method |
| US9684798B2 | 2015-05-01 | 2017-06-20 | International Business Machines Corporation | Audience-based sensitive information handling for shared collaborative documents |
| WO2016196575A1 | 2015-06-02 | 2016-12-08 | Aerdos, Inc. | Method and system for ambient proximity sensing techniques between mobile wireless devices for imagery redaction and other applicable uses |
| DE102017217432A1 | 2017-09-29 | 2019-04-04 | Siemens Mobility GmbH | Concept for unidirectional transfer of data |
| GB201815120D0 | 2018-09-17 | 2018-10-31 | Sec Dep For Foreign And Commonwealth Affairs | A method and device for transferring electronic information |
| CN110414189B | 2019-07-08 | 2021-06-11 | 厦门美亚亿安信息科技有限公司 | Remote non-inductive examination method and system for computer |
Legal status:

| Date | Code | Title | Description |
|---|---|---|---|
| 2017-12-20 | PLFP | Fee payment | Year of fee payment: 2 |
| 2018-06-29 | PLSC | Publication of the preliminary search report | Effective date: 20180629 |
| 2018-12-18 | PLFP | Fee payment | Year of fee payment: 3 |
| 2019-12-13 | PLFP | Fee payment | Year of fee payment: 4 |
| 2020-12-21 | PLFP | Fee payment | Year of fee payment: 5 |
Priority:

| Application number | Filing date | Patent title |
|---|---|---|
| FR1663262 | 2016-12-22 | |

| Application number | Publication number | Priority date | Filing date | Patent title |
|---|---|---|---|---|
| FR1663262A | FR3061389B1 | 2016-12-22 | 2016-12-22 | SYSTEM AND METHOD FOR UNIDIRECTIONAL COMMUNICATION |
| US16/472,723 | US11178119B2 | 2016-12-22 | 2017-12-21 | Unidirectional communication system and method |
| ES17822302T | ES2795109T3 | 2016-12-22 | 2017-12-21 | One-way communication system and procedure |
| EP17822302.0A | EP3485418B1 | 2016-12-22 | 2017-12-21 | System and method for unidirectional communication |
| PCT/EP2017/084232 | WO2018115359A1 | 2016-12-22 | 2017-12-21 | Unidirectional communication system and method |
| CA3086426A | CA3086426C | 2016-12-22 | 2017-12-21 | Unidirectional communication system and method |