CN-116325651-B - Payload assurance method and system, export control system, computing device, network
Abstract
A payload assurance method and system, an export control system, a computing device and a network are provided. The method and apparatus provide payload assurance for payloads to be transmitted across a network boundary via any one of a plurality of predetermined boundary control devices, which may be grouped together, each boundary control device having dedicated permanent identity information. A first electronic entity provides an electronic authorization token defining characteristics of the payload and determines a temporary ID array from the permanent identity information of each boundary control device in the boundary control group and the authorization token. An electronic release token to be forwarded to a second electronic entity is generated from the temporary ID array and the authorization token, the release token being valid for use with the boundary control devices in the defined boundary control group.
Inventors
- P. T. McComb
- J. Thorpe
Assignees
- The Secretary of State for Foreign, Commonwealth and Development Affairs, acting through Government Communications Headquarters
Dates
- Publication Date
- 20260505
- Application Date
- 20210715
- Priority Date
- 20200716
Claims (20)
- 1. A method for payload assurance of a payload X to be transmitted across a network boundary via any one of a plurality of predetermined boundary control means, the method comprising the steps of, when a request is received at a first electronic entity: providing an electronic authorization token defining characteristics of said payload X to be transmitted; defining a boundary control group located at the network boundary, the boundary control group comprising a plurality of boundary control means, each having dedicated permanent identity information associated with it; determining a temporary ID array from the permanent identity information of each of the boundary control means in the boundary control group and the electronic authorization token; and generating, from said temporary ID array and said electronic authorization token, an electronic release token to be forwarded to a second electronic entity, said electronic release token being valid when used with said boundary control means in the defined boundary control group; wherein the electronic release token is used to create a header that is prepended to the payload X so as to enable a boundary control means in the defined boundary control group to determine whether a signed payload has been authorized by the first electronic entity and whether the payload X matches the header.
- 2. The method of claim 1, further comprising the step of generating at least one entropy element to form part of the electronic authorization token to ensure that multiple electronic authorization tokens authorizing the same payload characteristic are unique.
- 3. The method of claim 1, wherein the electronic release token is applied to one or more payload transfer authorization requests during a validity period of the electronic release token.
- 4. The method of claim 3, wherein the validity period of the electronic release token depends on a predetermined period of time defined within the electronic authorization token by the first electronic entity.
- 5. The method of claim 1, wherein, upon receipt of the electronic release token and in accordance with a payload transfer request, the second electronic entity creates a file token for each boundary control means in the boundary control group from the temporary ID array, a local token comprising parameters defined remotely from the first electronic entity, and a hash digest of the payload X to be transferred, so as to provide a file token array {F_t}.
- 6. The method of claim 5, wherein the hash digest is provided by passing the payload X through a one-way function before the payload X is received by the second electronic entity as part of the payload transfer request.
- 7. The method of claim 5, wherein the local token comprises an entropy element.
- 8. The method of claim 5, wherein at least one of the parameters of the local token is provided by a third electronic entity to verify expected payload parameters of payload transmissions across the network boundary.
- 9. The method of claim 8, wherein a fourth electronic entity acting as a payload sender entity and a sole electronic entity in contact with the boundary control means in the boundary control group defines at least one of the parameters of the local token.
- 10. The method of claim 8, wherein the third electronic entity validates the payload against a predetermined rule provided upon receipt of the payload transfer request and/or against an intended payload transfer destination, and provides a validation evidence object for inclusion in the local token.
- 11. The method of claim 5, wherein the second electronic entity is configured to subsequently generate a payload header from the electronic authorization token, the local token, the file token array, and the hash digest of the payload.
- 12. The method of claim 11, wherein the payload header is prepended before a fourth electronic entity forwards the payload X to one or more boundary control means in the boundary control group.
- 13. The method of claim 12, wherein, when at least a portion of the payload with a payload header E arrives at a boundary control means, the boundary control means regenerates a session ID (S_i)_g using its own persistent identity information and the electronic authorization token taken from the payload header.
- 14. The method of claim 13, wherein, at one of the plurality of boundary control means, a file token F_t' is calculated using the session ID together with parameters within the payload header.
- 15. The method of claim 14, wherein F_t' = #(#(X), L, J, HMAC(K_G', A)), where # is a hash operation, #(X) is the hash digest of the payload X, K_G' is the permanent identity information of the boundary control means, L is the local token, J is the name of the payload and A is the electronic authorization token, wherein #(X), L, J and A are taken from the payload header, and wherein the session ID is HMAC(K_G', A).
- 16. The method of claim 15, wherein the boundary control means compares the file token F_t' with the file token array {F_t} located in the payload header E to determine whether F_t' is equal to a value in the file token array and, if there is a match, generates a first positive event result identifier.
- 17. The method of claim 16, wherein the boundary control means passes the payload X through a one-way function to obtain #(X)_g from X, compares #(X)_g with the #(X) of the payload header E and, if there is a match, generates a second positive event result identifier.
- 18. The method of claim 17, wherein the boundary control means further compares other control criteria included in an export or import header to ensure that the other control criteria are within predetermined limits, and provides a third positive result identifier if they are.
- 19. The method of claim 18, wherein, upon identifying the first positive result identifier, the second positive result identifier and the third positive result identifier, the boundary control means determines a positive boundary control result.
- 20. The method of claim 19, wherein the boundary control means transmits the payload X with header E through the boundary control means and across a network boundary if a positive boundary control result has been met.
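The flow of claims 1 to 20 carried through end to end, as an added example that is not code from the patent or its assignee. The claims fix no concrete primitives, so this model assumes SHA-256 for the hash operation #, HMAC-SHA256 for the session ID HMAC(K_G, A), JSON as the encoding of the authorization token and header, and length-prefixed field concatenation inside #. The gateway group, the persistent secrets K_G and the payload are constructed inline. Beyond the claims' happy path it also runs the gateway checks at a gateway outside the group, on a tampered payload and after the validity period, and it streams the payload through the hash rather than holding it, which is how the description's payload-size limitation is avoided.

```python
"""Model of the multi-gateway payload assurance flow (claims 1-20).
Added example, not the patent's own code. Assumptions: SHA-256 for '#',
HMAC-SHA256 for HMAC(K_G, A), JSON for the authorization token and header,
and length-prefixed field hashing inside '#'."""
import hashlib
import hmac
import json
import os


def h(*fields):
    """The hash operation '#' over several fields (claim 15). Assumption:
    each field is length-prefixed so (ab, c) and (a, bc) cannot collide."""
    m = hashlib.sha256()
    for f in fields:
        m.update(len(f).to_bytes(4, "big"))
        m.update(f)
    return m.digest()


def session_id(k_g, auth_token):
    """Session ID HMAC(K_G, A) from one gateway's persistent identity K_G and
    the authorization token A (claims 13 and 15)."""
    return hmac.new(k_g, auth_token, hashlib.sha256).digest()


def payload_digest(chunks):
    """#(X), computed by streaming so the gateway never holds all of X."""
    m = hashlib.sha256()
    for c in chunks:
        m.update(c)
    return m.digest()


# --- first electronic entity: authorization token and release token --------
def issue_release_token(gateway_keys, group, name, validity_s, now):
    """Claims 1-4. gateway_keys maps gateway id -> K_G; only the first entity
    and the gateway itself know K_G."""
    auth_token = json.dumps({
        "name": name,
        "exp": now + validity_s,          # validity period (claim 4)
        "nonce": os.urandom(16).hex(),    # entropy element (claim 2)
    }, sort_keys=True).encode()
    temp_ids = [session_id(gateway_keys[g], auth_token) for g in group]
    return {"A": auth_token, "S": temp_ids}   # temporary ID array + A


# --- second electronic entity: file tokens and payload header ---------------
def file_token(hx, local_token, name, sess):
    """F_t = #(#(X), L, J, HMAC(K_G, A)) (claim 15)."""
    return h(hx, local_token, name.encode(), sess)


def build_header(release_token, hx, local_token, name):
    """Claims 5 and 11: one file token per gateway in the group, built from
    the temporary IDs alone; no K_G is needed here."""
    tokens = [file_token(hx, local_token, name, s) for s in release_token["S"]]
    return {"A": release_token["A"], "L": local_token, "J": name,
            "HX": hx, "F": tokens}


# --- boundary control means: the three checks of claims 13-20 ---------------
def gateway_check(k_g, header, chunks, now):
    sess = session_id(k_g, header["A"])                         # claim 13
    ft = file_token(header["HX"], header["L"], header["J"], sess)  # claims 14-15
    r1 = any(hmac.compare_digest(ft, f) for f in header["F"])   # claim 16
    r2 = hmac.compare_digest(payload_digest(chunks), header["HX"])  # claim 17
    r3 = now <= json.loads(header["A"])["exp"]                  # claim 18
    return {"token": r1, "digest": r2, "criteria": r3,
            "release": r1 and r2 and r3}                         # claims 19-20


def demo():
    """Constructed scenario: gw1 and gw2 form the group, gw3 is outside it."""
    now = 1_700_000_000
    keys = {g: os.urandom(32) for g in ("gw1", "gw2", "gw3")}
    name = "report.pdf"
    payload = [b"constructed payload part 1, ", b"part 2"]
    hx = payload_digest(payload)      # digest available before transfer (claim 6)
    rel = issue_release_token(keys, ["gw1", "gw2"], name, 600, now)
    hdr = build_header(rel, hx, os.urandom(16), name)   # local token entropy (claim 7)
    return {
        "gw1": gateway_check(keys["gw1"], hdr, payload, now)["release"],
        "gw2": gateway_check(keys["gw2"], hdr, payload, now)["release"],
        "gw3": gateway_check(keys["gw3"], hdr, payload, now)["release"],
        "tampered": gateway_check(keys["gw1"], hdr, [b"other bytes"], now)["release"],
        "expired": gateway_check(keys["gw1"], hdr, payload, now + 601)["release"],
    }


if __name__ == "__main__":
    print(demo())
```

The second entity builds the file token array from the temporary IDs alone and never sees any K_G; a gateway outside the group cannot regenerate a matching session ID, so its F_t' matches nothing in {F_t}. The membership test uses a constant-time comparison for every entry; the claims do not require that, but an early-exit comparison would leak which array position matched, i.e. which gateway the sender targeted.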
Description
Payload assurance method and system, export control system, computing device, network

Technical Field

The present invention is in the field of data assurance at multiple network boundaries or gateways, and in particular provides assurance of the suitability and authorization of payloads to be transferred between networks with different degrees of trust.

Background

In high-trust networks, one of the most significant risks is leakage of data to low-trust networks, resulting in compromised confidentiality. In many cases the outgoing path from a high-trust network is formed by a high-assurance boundary control such as a data diode. Because the boundary control acts as the "gatekeeper" of the high-trust network, any process used by the boundary control must itself be high-assurance, i.e. the control must make the correct decision with high certainty in all possible cases.

The requirement for high assurance limits what a hardware boundary control can do. For example, highly complex data (or information) formats require complex algorithms and processes to assure them, and it is difficult to obtain high assurance of the correctness of an implementation of such algorithms. In addition, some information formats are ambiguous in their specification and change over time, so it is impractical to keep any algorithm both highly assured and up to date. This can be seen even for very simple control criteria on payload content where the correct response varies with time: whether a particular byte sequence represents a valid Unicode character, for example, depends on when the query is made.

Public key infrastructure (PKI) is commonly used to facilitate secure electronic transfer of data over a network. PKI is used when a more stringent authentication method is required to confirm the identity of the parties involved and to verify the data to be transferred across the network/domain boundary. However, the multiple elements required to manage digital certificates and public key encryption require periodic configuration and updating to maintain the desired level of system security.

In our co-pending UK application No. GB2010968.2, a payload assurance system and method is described that uses a separate electronic entity to assure the payload (using entropy elements in an authorization token to provide temporary (ephemeral) authorization at a network boundary device based on a persistent shared secret) and to permit transmission of the payload across the network boundary once predetermined test criteria specified in various tokens, including a derived header, are met at a predetermined network boundary device. Hereinafter, the content of that application is referred to as version 1.

The derived header created in version 1 is valid only for a single gateway, which, while providing security and assurance advantages, has drawbacks in terms of scalability and data throughput. There is therefore a need to achieve resilience without sacrificing security, so that the same payload can be sent multiple times via different gateways (and so that the arrival of multiple identical payloads at a destination can be handled). Since every physical realization of a gateway has size limitations, existing schemes are also limited in the size of payload they can accept, because the entire payload must be held in the gateway for assurance. For an effective, simple and secure service, it is desirable that the consumer of the service is not constrained by such internal restrictions and that a file of any size can be sent via the boundary control device (BCD) based service.

The lack of release/import metadata in the export header of the version 1 payload assurance scheme means that, although the requirement to move the payload across the security boundary is met, there is no indication in the header of whether release to, or import at, that particular destination is appropriate, nor any way to provide one.

It has therefore been determined that there is a need for an extensible cross-domain payload assurance method and system that provides assurance of the suitability of outgoing data at cross-domain boundaries, and that has improved security, is properly authorized for cross-domain transfer, provides temporary authorization, is tolerant of time variations, can utilize multiple boundary control devices across a single boundary, is not constrained by the inherent payload size limitations of the boundary control devices, and can provide centralized management control.

Disclosure of Invention

Accordingly, there is provided a method for payload assurance of a payload X to be transmitted across a network boundary via any one of a plurality of predetermined boundary control means, the method comprising the steps of: providing, at a first electronic entity, upon request: an electronic authorization token for defining cha