EP 1 283 630 A2

BACKGROUND OF THE INVENTION

Field of the Invention

[0001] The invention relates to network communications methods and systems. More particularly, it relates to routing data of multiple levels of security in a data communication network.

Description of the Related Art

[0002] Over the past several years the world has witnessed tremendous advances in commercial networking technologies. Many of the advances concern routing techniques and devices used in commercial networks, and networks of networks often referred to as the Internet. Typically, commercial routers are used in unsecured environments, at least from a data perspective. That is, commercial routers have been developed for commercial use without regard to supporting information classified according to multiple levels of security. Although commercial routing devices typically undergo many reliability and quality tests, they are not designed, nor are they tested, with the goal of handling multiple levels of security classification.

[0003] In contrast to commercial environments, networking devices for use in military applications are often required to support multiple levels of security classification. Multilevel security (MLS), according to the National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, January 1999 (Rev. 1), is a concept of processing information with different classifications and categories that simultaneously permits access by users with different security clearances and denies access to users who lack authorization. Multilevel security and MLS, as used here, encompass simultaneous access by users with different levels of access authority that is not necessarily limited to a national security clearance level.

[0004] Information classified according to a government or military organization's security classification is referred to here as classified information. Information used in a commercial environment and to which access is to be limited is referred to as proprietary information. More generally, confidential information refers to information to which access is to be limited and encompasses both classified and proprietary information.

[0005] In an MLS environment, it is important to use a trusted computing system, which refers to the totality of protection mechanisms within a computer system, including hardware, firmware, and software, that is, the combination responsible for enforcing an organization's security policy. In many trusted computing systems that process sensitive or classified information, especially national security information, information systems' security methods and devices are used to protect the information system against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users, including those measures necessary to detect, document and counter such threats. Such information systems often employ red/black concepts and techniques. "Red/black" refers to separation of electrical and electronic circuits, components, equipment, and systems that handle national security information (red) in electrical form from those that handle non-national security information (black) in the same form, as described in the National INFOSEC Glossary. Devices and software components that operate in a red environment for processing classified data undergo extensive testing to ensure the integrity of the classified data passing through those components. Such testing can be very lengthy and very expensive.

[0006] Unfortunately, because of the extensive design and testing to ensure the integrity of red data, many military computing systems have not been able to take full advantage of the tremendous advances in routing technology taking place in the commercial networking world. Accordingly, there is a need to use commercial networking equipment, particularly network routers, in computing environments that must support MLS systems, yet without requiring the extensive testing to certify that equipment to process red data. Hence, there is a need to employ untrusted commercial network routers in computing systems that handle multilevel security data.

[0007] A Joint Tactical Radio System (JTRS) software radio is an example of equipment that must operate in a MLS environment. A software radio is a radio that uses computer software to perform a variety of functions in the process of converting voice or data information to and from a radio frequency (RF) signal. The architecture of the JTRS software radio is designed, as shown in Fig. 1, in a modular manner in order to use commercial-off-the-shelf (COTS) components and thereby leverage COTS development and reduce the overall development costs of the JTRS software radio. The architecture depicted in Fig. 1 is a conceptual diagram illustrating major functional units, and does not necessarily illustrate physical relationships.

[0008] The software radio notional architecture shown in Fig. 1 includes a red critical system interconnect (CSI) 1 and a black CSI 2. The red CSI couples functional entity interfaces (FEI), such as a user interface 3 or a network interface 4, to various red FEI units. Those units can include a human-computer interface (HCI) 5, a red system control unit 6, an internetworking unit 7 and an information security (INFOSEC) unit 8. The red CSI allows various types of red FEI units to be used on the red side of the radio. For example, the internetworking unit 7, the red system control unit 6 and the HCI 5 can all reside on a single processor board 9, such as a Pentium class microprocessor circuit board that connects to the red CSI.

[0009] The INFOSEC unit 8 connects to the black CSI on the black side of the software radio, and to the red CSI on the red side of the radio, and forms a boundary between the red and black environments. Connected to the black CSI are an antenna I/O interface unit 10 for sending and receiving RF signals, RF units 11, modems 12, and various other black side processes 13. Also, a user interface 14 can be connected to the black CSI as shown in Fig. 1. The black CSI allows various types of COTS functional entity interface units to be used in the software radio, such as various types of commercial modems, for example.

[0010] The internetworking unit 7 includes a router for routing messages, received from the user interfaces on the red side of the radio or received over the air after black side INFOSEC processing, to destinations on either the red or black sides of the radio. For destinations on the black side of the radio, the router must send the messages through the INFOSEC 8.

[0011] A multiple-input, multiple-output information system capable for use in the JTRS software radio is shown in Fig. 2 in which the INFOSEC unit 15 forms a boundary between red and black environments. On the black side of the system the INFOSEC interfaces with input/output channels 1 through N. Similarly, on the red side of the system the INFOSEC interfaces with corresponding input/output channels 1 through N that connect to a router 16. The router 16 is coupled to a plurality of users, here, user 1 through user M. In such an environment the data streams may be at different security/compartment levels if it is a government information system, or the data streams may belong to different communities of interest if in a commercial environment.

[0012] The router 16 receives data, either from a user or from one of the channels, and routes it to the appropriate destination. For example, user 1 may send a message addressed to a destination reached using channel N. The router 16, using routing tables and routing algorithm software, receives the message from user 1 and based on the address determines a route over which to send the message. This entails attaching routing information to the message and outputting the message over the channel the router determines services the chosen route. The router 16, through the use of its routing tables and algorithms, determines that the message is to be output on channel N, for example. Accordingly, the router outputs the message on channel N with the added routing information attached to the message. Similarly, when the router receives a message on one of the N channels, it examines the routing information in the received message, determines the user or channel to which to send the message, and outputs the message to that user or channel. Because the router 16 receives data streams that may be at different security/compartment levels (government system) or may belong to different communities of interest (commercial system), the router in Fig. 2 must be tested to ensure it can be trusted with those data streams.

[0013] It is highly desirable to use standard commercial software for the router because of the rapid technological advances and routing evolution occurring in the commercial sector. However, commercial routing software does not undergo the rigorous and extensive testing required to certify it as trusted and therefore a commercial router has no level of trust. Yet, there is a strongly felt need to develop an approach that uses commercial routing techniques and software in an MLS environment and guarantees that data from one security level will not get released to users or networks at a different level without following the safeguards specified by the information system's security policy.

SUMMARY OF THE INVENTION

[0014] Therefore, in light of the above, and for other reasons that will become apparent when the invention is fully described, an object of the invention is to use a router that has not been certified to process data of multiple security levels, to provide routing information for a message containing confidential data.

[0015] A further object of the invention is to use routing information from an untrusted router to route confidential data without sending that data to the router.

[0016] Yet another object of the invention is to generate a transmission frame by combining routing information from a dummy message sent to a router, with confidential information to be transported using the transmission frame.

[0017] A still further object of the invention is to obtain routing information from a router that is not certified to handle information of multiple levels of security without sending confidential information to the router.

[0018] The aforesaid objects are achieved individually and in combination, and it is not intended that the invention be construed as requiring two or more of the objects to be combined unless expressly required by the claims attached hereto.

[0019] A method in accordance with the invention routes a data message containing confidential information, by substituting dummy information for the confidential information in the message. The message is sent with the dummy information to a router for adding routing information to the message, and the confidential information is elsewhere substituted for the dummy information in the message containing the routing information.

[0020] A trusted guard apparatus, according to the invention, sends a data message to a router, in which the data message has information classified at a first security level. The apparatus includes a source authentication unit configured to receive the data message containing the information classified at the first security level, and to add to the data message source information concerning the source of the data message. The apparatus also includes a data integrity unit coupled to the source authentication unit and configured to transform the information classified at the first security level to include information for determining the integrity of the information classified at the first security level. It also includes a data substitution unit coupled to the source authentication unit and configured to generate a dummy data message by substituting dummy data for the information classified at the first security level, and outputting the dummy data message to the router.

[0021] A transmission frame for delivering confidential data to a destination node, according to the invention, includes a dummy data field containing dummy data, classified at a first security level, substituted for confidential data classified at a second security level different from the first security level. The transmission frame also includes a message header field containing information identifying the destination node, and a routing field containing routing information for use in routing the transmission frame to the destination node.

[0022] The above and still further objects, features and advantages of the invention will become apparent upon consideration of the following descriptions and descriptive figures of specific embodiments thereof. While these descriptions go into specific details of the invention, it should be understood that variations may and do exist and would be apparent to those skilled in the art based on the descriptions herein.

BRIEF DESCRIPTION OF THE DRAWINGS

[0023]

Fig. 1 is a block diagram illustrating an architecture of a software radio.

Fig. 2 is a block diagram of a portion of a computing system, such as the software radio of Fig. 1, using a router and an INFOSEC.

Fig. 3 is a block diagram of a computing system using an untrusted router in combination with an INFOSEC and a trusted guard unit.

Fig. 4 is a diagram showing a detailed view of a trusted guard unit A.

Fig. 5 is a flowchart illustrating a process of routing data according to the invention.

Fig. 6 is a block diagram of a computing system using an untrusted router, a trusted guard unit and showing data flows according to certain aspects of the invention.

Fig. 7 is a detailed view of a trusted guard with a dummy message generator.

Fig. 8 is a detailed view of a trusted guard unit that combines routing information from an untrusted router with signed data from another trusted guard unit.

Figs. 9A-D are diagrams of data packets at various stages of a routing process according to aspects of the invention.

Fig. 10A-G are diagrams illustrating various data flows in a software radio.

DETAILED DESCRIPTION

[0024] Preferred embodiments according to the present invention are described below with reference to the above drawings, in which like reference numerals designate like components.

[0025] When dealing with data processed by untrusted software between a source and a destination, it is necessary to prove at the destination point that the source information is accurate (source authentication) and that the data has not been modified (data integrity). If source authentication and data integrity are provided at the source and destination by trusted software and/or hardware entities, referred to here as trusted guards, then the untrusted router cannot interfere undetected with that information that is sent from the source to the destination and the trusted entities can enforce the computing system's security policy.

[0026] Fig. 3 is a block diagram showing a trusted guard A 17 coupled with users 1 through M and coupled to ports 1 through M of the router 16. Another trusted guard B 18 is coupled to channels 1 through N of the router 16 and to the INFOSEC 15. Trusted guard B can be included as part of the INFOSEC 15.

[0027] A block diagram of trusted guard A is shown in Fig. 4. The trusted guard of Fig. 4 includes a labeling unit 19, a secure hashing algorithm (SHA) unit 20, a digital signature (DSS) unit 21 and a signature application unit 22. To provide source authentication the trusted guard's labeling unit 19 receives user data and source information and uses that information to attach a label to the data at its source. The label can include information about the source, such as, for example, a channel number, a security level, a packet number, the length of the packet and/or a time-of-day label. Further, if assurance requirements so dictate, the trusted guard can add other information to the data such as a packet number, a time stamp or a unique identifier such as an identifier cryptographically generated by a trusted guard. The trusted guards are initialized by the INFOSEC, preferably at the time of powering on the trusted guards. For example, the INFOSEC can initialize the trusted guards to operate at a specific security level depending on the guard's certification. The information provided by the labeling unit can be set at initialization. The SHA unit 20 can be used to reduce the amount of data by applying a hash algorithm to the labeled data and thereby reduce the computational complexity of the digital signature evaluation. Hashing can be used to reduce the complexity of using digital signatures, although it need not be used to practice the invention. The trusted guard can use well-known techniques to provide data integrity when sending data between trusted guards, such as by applying a digital signature to the labeled data. For example, a digital signature can be a number computed from the data being signed. An example of a digital signature is a check-sum computed from the data and label. Generally, however, a cryptographic procedure is

pends to the dummy message routing information specifying such a route (26). The router sends the dummy message with the routing information to trusted guard B where the data is diverted (27). Trusted guard B then replaces the dummy data in the message to which the routing information is appended with the data from the data source (28). Trusted guard B then sends the reconstructed message according to the routing information supplied by the router (29). In this manner, a router 16 with untrusted software is used to supply routing information without the untrusted router receiving data from the data source.
`
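The flow described above (dummy message to the untrusted router, real data restored and checked by trusted guard B), sketched as an added example that is not part of the patent text. HMAC-SHA-256 with a shared key stands in for the SHA and DSS units of Fig. 4 so that only the standard library is needed; the guard-to-guard path for the signed data, the field names, the routing table and the zero-byte dummy payload are assumptions of this sketch.

```python
import hashlib
import hmac
import json

# Assumption: both guards hold a key set by the INFOSEC at initialization.
# HMAC-SHA-256 stands in for the SHA + DSS signature of Fig. 4 (stdlib only).
GUARD_KEY = b"constructed-demo-key"
ROUTING_TABLE = {"net-b": 3, "net-c": 1}  # constructed: destination -> channel


def _tag(label: dict, data: bytes) -> bytes:
    """Integrity/source tag computed over the label and the data."""
    label_bytes = json.dumps(label, sort_keys=True).encode()
    return hmac.new(GUARD_KEY, label_bytes + data, hashlib.sha256).digest()


def guard_a(data: bytes, dest: str, channel: int, level: str, packet: int):
    """Trusted guard A: label and sign the data, build the dummy message."""
    label = {"channel": channel, "level": level,
             "packet": packet, "length": len(data)}
    signed = {"label": label, "data": data, "tag": _tag(label, data)}
    # Dummy payload: zero bytes of the same length (an assumption of this sketch).
    dummy = {"dest": dest, "packet": packet, "payload": bytes(len(data))}
    return signed, dummy


def untrusted_router(dummy: dict) -> dict:
    """Uncertified router: sees only the dummy message, appends routing info."""
    routed = dict(dummy)
    routed["route"] = {"channel": ROUTING_TABLE[dummy["dest"]]}
    return routed


def guard_b(routed: dict, signed: dict) -> dict:
    """Trusted guard B: verify, then swap the real data in for the dummy data."""
    if not hmac.compare_digest(_tag(signed["label"], signed["data"]),
                               signed["tag"]):
        raise ValueError("source/integrity check failed")
    label = signed["label"]
    if (routed["packet"] != label["packet"]
            or len(routed["payload"]) != label["length"]):
        raise ValueError("routed dummy does not match the signed data")
    return {"dest": routed["dest"], "route": routed["route"],
            "payload": signed["data"]}


def run_flow(data: bytes, dest: str, tamper: bool = False):
    """Run the flow; return (frame or None, message the router saw, error)."""
    signed, dummy = guard_a(data, dest, channel=2, level="level-1", packet=7)
    routed = untrusted_router(dummy)
    if tamper:  # simulate modification of the data between the two guards
        signed = dict(signed, data=signed["data"][:-1] + b"!")
    try:
        return guard_b(routed, signed), dummy, None
    except ValueError as exc:
        return None, dummy, str(exc)


if __name__ == "__main__":
    secret = b"constructed confidential payload"
    frame, seen, err = run_flow(secret, "net-b")
    print(frame["route"], frame["payload"] == secret, seen["payload"], err)
    print(run_flow(secret, "net-b", tamper=True)[2])
```

The router's input and output never contain the confidential bytes, and guard B rejects both modified data and a routed dummy whose packet number or length does not match the signed label.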