WO2000072508A1 - System and method for high assurance separation of internal and external networks - Google Patents


Info

Publication number
WO2000072508A1
Authority
WO
WIPO (PCT)
Prior art keywords
computer
virtual
activated
network
virtual computer
Prior art date
Application number
PCT/US2000/014313
Other languages
French (fr)
Inventor
Vishnampet S. Jayanthinathan
James F. Mahoney
Glenn H. Durbin
Original Assignee
Engineering Systems Solutions, Inc.
Priority date
Filing date
Publication date
Application filed by Engineering Systems Solutions, Inc.
Priority to AU54434/00A
Publication of WO2000072508A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan


Abstract

A method, apparatus, and program product for securing computer systems from unauthorized access. A system identifies and authenticates users and is partitioned into virtual computers attached to mutually exclusive public and private networks (136, 138). The identification and authentication (138) is accomplished by using biometrics and a smart card and/or a fingerprint detector, which may be located on a keyboard in communication with the system. The system is partitioned into virtual computers (132, 134) which may include a virtual secure computer for use with a connection to a secure network, a virtual public computer for use with a connection to a non-secure public network, and a virtual transition computer to control the partitioning of the system and switching from the virtual secure computer to the virtual public computer such that the activation of one of the virtual secure computer and the virtual public computer is mutually exclusive of the activation of the other.

Description

TITLE OF THE INVENTION
SYSTEM AND METHOD FOR HIGH ASSURANCE SEPARATION OF INTERNAL
AND EXTERNAL NETWORKS
CROSS-REFERENCES TO RELATED APPLICATIONS
This application is related to and claims priority to U.S. Provisional Patent
Application S.N. 60/136,139, entitled "System for High Assurance Separation of Internal and
External Networks" filed on May 25, 1999, and incorporated herein by reference.
BACKGROUND OF THE INVENTION
Field of the Invention
This invention relates generally to a system and method for securing computer
systems from unauthorized access. The invention is more specifically related to identifying
and authenticating users and partitioning a computer system into virtual computers attached
to mutually exclusive public and private networks.
Discussion of the Background
The World Wide Web is critical to business communications and commerce, and
unfortunately, it is also a very dangerous technology to connect to corporate, educational, or
private computers and networks. The classified United States Government has been trying
for years to solve the problem of separation of trust and levels of users in computer systems
and networks. They have encountered difficulty in building a system that cannot be
penetrated by a sophisticated hacker. The major reason for the failures and weakness in past
systems has fallen into two areas, user authentication and network connectivity.
In the first case, user authentication has primarily relied on user-selected passwords.
Government and industry have discovered that users are not very good at choosing security
passwords. All too often user-generated passwords are too short, or easily guessed, e.g., the
user's name, child's or pet's name, or project name. Attempts have been made to restrict user
passwords by requiring a minimum number of characters or a mix of alpha and numeric, or
having the systems automatically generate pronounceable, randomly generated strings of
characters, and forcing frequent change. The most common problem with this method is that the
user hates the system, can't remember the password and usually writes it down somewhere,
and frequently has to call the network help desk to get the password reset. Thus, passwords
are the cheapest user authentication mechanisms available today, but come with many
weaknesses.
Regarding network connectivity, during the time a computer is linked with an external
network, data communication is not restricted to the intentional authorized packets. Via the
same on-line link the user communicates through, network intruders may penetrate the
system, stealing the user's data, or maliciously damaging records. If the user is concurrently
linked on-line to an internal network - such as an organizational Local Area Network (LAN) -
the intruder can further penetrate the system and hop from the user's PC through that LAN to
other systems.
As the Internet is currently a chaotic network, with no central management or
authority, it is a haven for crackers, hackers, and software virus distributors. Hackers can
anonymously penetrate systems with low risk of being caught. Still, regardless of the data
security threats, an increasing number of users are aware of the Internet as a critical source of information and an essential productivity tool to every modern organization. Hence, they
demand on-line access to Internet services such as the World Wide Web and E-mail.
The business world is widely adopting a variety of complex software technologies,
such as Firewalls, Proxy Servers, Intrusion Detection and Access Control mechanisms, to
analyze and filter communications in an attempt to lower external security threats from the
Internet. However, due to their tremendous complexity and intrinsic limitations, these online
analysis implementations cannot provide the high level of data security required by
organizations such as the military, governmental agencies, financial institutions, law firms,
and the like.
Security officers charged with securing classified data rely primarily on the
fundamental assertion that if no link to the network exists, network security threats are
limited. Many organizations request confidential data to be effectively secured against
network intrusion through physical separation between their internal environment and the
external hostile world.
To facilitate communication with the external world, a dedicated stand-alone
workstation - or a dedicated network of workstations - is linked to the external network. This
dedicated system is not connected to the internal environment via any link. In such a set-up,
data is often passed to and from the dedicated system using diskettes or alternative,
removable media ("Sneaker Net").
For example, Figure 1 illustrates separate workstations for secured and non-secure
transactions. A secured PC 100 communicates with a secure storage device 102, with
connectivity to a LAN 104. A physically separate Internet workstation 106 communicates
with a public storage device 108, with an Internet link 110.
In extremely high security environments - such as intelligence agencies - no digital
data transfer is allowed at all. In such a set-up, the dedicated system simply has no diskette
drive installed, and data is only keyed in manually. While the above set-up provides adequate
data security, it results in substantial added costs and lower productivity. When users need to
communicate with the external world, they must physically move - both their data and
themselves - to and from the dedicated "Internet station".
In a PC based environment - where personal computers are a key tool in performing
one's work - dedicated Internet stations do not comply with common work practices. The
user can neither set-up his Internet browser software according to his personal preferences,
nor can he keep his personal communication private. Moreover, the need to install and
maintain dedicated systems bears a substantial cost per seat. As a result, in many higher
security sites, dedicated Internet stations are in short supply.
Not only does a shortage of Internet stations lower productivity, it also results in a
security risk. Frustrated users may seek alternative, non-regulated solutions, such as working
from home or simply installing a dial-up modem within their secured workstation, thus
jeopardizing the security of the entire organization.
Primitive biometrics, such as height and weight, have been used to identify people
since the time of the Ancient Egyptians. Advances in computer technology now mean that
the comparison of biometrics can be at least partially automated. Police officers across the
world may now use automated fingerprint identification systems to help them search for and
identify suspects. Indeed, the biometric industry now claims that specialty automated
systems can do a similar job in an automated manner for millions of individuals.
More recent examples of Biometrics are hand and facial recognition. The advent of
inexpensive microprocessors and advanced imaging electronics has reduced the cost and
increased the accuracy of biometric devices. Biometrics has become more and more a part of
the commercial access-control landscape, providing an accepted and highly effective
identification program. Nuclear power plants and the 1996 Atlanta Olympics are but two
examples of the successful use of biometric technology for controlling and identifying
individual access. Recognition Systems, Inc. introduced the first ID3D HandKey reader in
1986.
More than ever today, security management continues to be a matter of pressing
national and international concern. And while the risks may range from minor theft to the
safety of individuals, the root problem lies in systems that again and again prove themselves
vulnerable.
SUMMARY OF THE INVENTION
Accordingly, one object of this invention is to provide a novel system and method for
identifying and authenticating users and partitioning a computer system into virtual
computers attached to mutually exclusive private and public networks.
A further object of this invention is to provide a novel system and method for
identifying and authenticating users and partitioning a computer system into a first virtual
computer attached to an Internet and a second virtual computer attached to an intranet such
that the first and second virtual computers reside on a single computer.
In accordance with one aspect of the invention, there is provided a method and system
for capturing a user's fingerprints from a keyboard, identifying the user from the fingerprints
and allowing access to a computer system after the user is identified/authenticated.
In accordance with another aspect of the invention, there is provided a method and
system for using a smart card interfaced with the system to authenticate features of a user by
using biometric features captured by sensing devices in communication with the system.
In accordance with another aspect of the invention, there is provided a method and
system for receiving a request from a user who selects either the public or private network to
access, rebooting the computer to remove data from memory, and switching to the selected
network, effectively locking out the network which is not currently selected.
In accordance with another aspect of the invention, there is provided a system wherein
a public network comprises a partition of the hard drive and a connection to the Internet, and
a private network comprises a second partition of the hard drive and a connection to an
intranet.
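The switching method just described (authenticate the requesting user, reboot to clear memory, activate the selected side, lock the other side's partition and network out) can be checked as a small state machine. This is an added example, not code from the patent; the names `Side`, `SwitchController` and `allowed_users`, the partition labels, and the stand-in authentication check are constructed here, whereas the patent performs the switch with a hardware controller card, a smart card and a fingerprint reader.

```python
"""Model of the public/private switching method: a request names a side, the
transition step reboots (clearing memory), then activates the chosen virtual
computer, locking the other side's partition and network out.

Added example, not code from the patent. Names (`Side`, `SwitchController`,
`allowed_users`), partition labels and the authentication stand-in are
constructed for this model; the patent uses a hardware controller card, a
smart card and a fingerprint reader for these steps.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Side(Enum):
    SECURE = "secure"  # virtual secure computer: second partition + intranet
    PUBLIC = "public"  # virtual public computer: first partition + Internet


# Which partition and which network each virtual computer is bound to
# (partition labels are constructed placeholders).
BINDINGS: Dict[Side, Dict[str, str]] = {
    Side.PUBLIC: {"partition": "hd0p1", "network": "internet"},
    Side.SECURE: {"partition": "hd0p2", "network": "intranet"},
}


@dataclass
class SwitchController:
    """Stand-in for the 'virtual transition computer' that mediates switching."""
    allowed_users: Set[str]           # stands in for smart-card/biometric check
    active: Optional[Side] = None     # None = rebooting / no side activated
    memory: List[str] = field(default_factory=list)  # volatile working data
    audit: List[str] = field(default_factory=list)

    def authenticate(self, user: str) -> bool:
        # Constructed stand-in: the real system verifies a fingerprint template
        # held on a smart card before any switch is allowed.
        return user in self.allowed_users

    def reboot(self) -> None:
        # Rebooting removes data from memory so nothing carries across sides.
        self.active = None
        self.memory.clear()
        self.audit.append("reboot: memory cleared, no side active")

    def request_switch(self, user: str, target: Side) -> bool:
        """User selects a side; returns True when that side is now active."""
        if not self.authenticate(user):
            self.audit.append(f"denied: {user!r} not authenticated")
            return False
        if self.active is target:
            return True  # already there; no reboot needed
        self.reboot()
        self.active = target
        self.audit.append(f"activated {target.value} for {user!r}")
        self.check_invariant()
        return True

    def can_access(self, kind: str, name: str) -> bool:
        """Only the active side's own partition/network is reachable."""
        if self.active is None:
            return False
        return BINDINGS[self.active][kind] == name

    def check_invariant(self) -> None:
        """Exactly the active side's resources are reachable; the other
        side's partition and network are locked out."""
        for side, binding in BINDINGS.items():
            for kind, name in binding.items():
                reachable = self.can_access(kind, name)
                assert reachable == (side is self.active), (side, kind)


def demo() -> SwitchController:
    """Walk through one secure session, a switch to public, and a refusal."""
    ctl = SwitchController(allowed_users={"alice"})
    assert not ctl.can_access("network", "intranet")      # nothing active yet
    ctl.request_switch("alice", Side.SECURE)
    ctl.memory.append("draft of internal report")         # work on secure side
    assert ctl.can_access("network", "intranet")
    assert not ctl.can_access("network", "internet")       # Internet locked out
    ctl.request_switch("alice", Side.PUBLIC)               # reboot, then switch
    assert ctl.memory == []                                # nothing carried over
    assert ctl.can_access("partition", "hd0p1")
    assert not ctl.can_access("partition", "hd0p2")        # secure disk locked
    assert not ctl.request_switch("mallory", Side.SECURE)  # unauthenticated
    assert ctl.active is Side.PUBLIC                       # state unchanged
    return ctl


if __name__ == "__main__":
    for line in demo().audit:
        print(line)
```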
Thus, one embodiment of the present invention provides users with a secure computer
system, which prevents unauthorized access and use, both internally, i.e. at the computer
terminal, and externally by the Internet. Users benefit from this security because access by
authorized users is simple, while the level of protection from unauthorized users is increased.
For identification and authentication of users, e.g., biometric fingerprint technology is
utilized. Biometrics provides irrefutable user identification and authentication. For
separating access to different networks, the present invention provides a logical and physical
equivalent of no connection to the outside network but at
the same time, connectivity to the World Wide Web.
Thus, it is possible to connect both an internal corporate Intranet and an external Internet without exposing corporate
resources to the digital miscreants of the world. Incorporating Commercial-off-the-Shelf
(COTS) technology, the present invention completely separates a single workstation into two
separate environments, physical and logical, thus providing the assurance that hackers and
intruders from the Internet cannot get to corporate data and networks. The present invention's
architecture and biometric fingerprint user authentication thus provides a significant increase
in protection from the Internet.
Even with guaranteed user identification and authentication, today's users are still vulnerable to malicious code that can reside in program files and data. Modern workstation configurations are extremely dynamic. It is almost a daily requirement to install new or updated software, exchange documents and data via the World Wide Web, or download a new plug-in for your browser. Malicious code embedded in new programs and data can penetrate your corporate systems and networks, quickly destroying critical corporate systems, servers, and databases. In order to avoid such penetration, the present invention may include virus protection for protecting a system's critical data and applications from malicious code.
The present invention may also include tamper detection on system units. Not only does tamper detection protect a system unit from unauthorized access to security components, it reduces loss attributed to theft of expensive system components. Estimates vary widely, but some say the theft of system memory alone has cost corporate America in excess of 1 billion dollars. Tamper detection provided by the present invention can reduce this cost significantly.
Even with the best security mechanisms in the world, theft of internal hard disks or complete system units is a serious concern. The present invention may include desktop Disk Encryption hardware and software, e.g., Kilgetty Disk Encryption hardware and software. Thus, even if the system unit is stolen, an adversary or competitor will not be able to compromise proprietary data.
BRIEF DESCRIPTION OF THE DRAWINGS
A more complete appreciation of the invention and many of the attendant advantages
thereof will be readily obtained as the same becomes better understood by reference to the
following detailed description when considered in connection with the accompanying
drawings, wherein:
Figure 1 illustrates separate workstations for secured and non-secure transactions;
Figure 2 illustrates two virtual computers housed in a single computer with each virtual computer connected to mutually exclusive networks, with user identification/authentication;
Figure 3 illustrates an exemplary single computer for secure and non-secure transactions;
Figure 4 illustrates a single computer with a partitioned hard drive for secure and non-secure transactions;
Figure 5 illustrates an exemplary single computer with devices for logically separating access to separate networks and identifying/authenticating users;
Figure 6 illustrates an exemplary single computer with devices for logically separating access to separate networks;
Figure 7 illustrates a computer device configuration for logically separating access to separate networks;
Figure 8 illustrates a computer storage device configuration for logically separating access to data for separate networks;
Figure 9 illustrates an exemplary network configuration with computers configured for logically separating access to separate networks;
Figure 10 illustrates an exemplary network configuration with a computer configured for logically separating access to separate networks;
Figure 11A illustrates an exemplary portion of a generalized computer system upon which portions of the invention may be implemented; and
Figure 11B illustrates an exemplary portion of a generalized hardware configuration, in the format of a workstation, upon which portions of the invention may be implemented.
DESCRIPTION OF THE PREFERRED EMBODIMENTS
Referring now to the drawings, wherein like reference numerals designate identical or
corresponding parts throughout the several views, and more particularly to Fig. 2 thereof,
there is illustrated two virtual computers housed in a single computer 130 with each virtual
computer connected to mutually exclusive networks, with user identification/authentication.
A virtual computer1 132 is connected to network1 136 and a virtual computer2 134 is connected to a network2 138. The network1 136 is mutually exclusive of the network2 138, and virtual computer1 132 and virtual computer2 134 are both housed in a single computer system 130. The computer 130 includes a connection to user identification/authentication 138 for security of user access.
Figure 3 illustrates an exemplary single computer for secure and non-secure transactions. A computer 150 includes a WAVE LAN with a wireless connection 152 to Lucent technology 154 and a wireless connection 156 to IBM technology 158. A keyboard 160 includes a smart card and a fingerprint station. The keyboard 160 is used for user identification/authentication, and facilitates secure access to Internets 162, classified 164 and intranets 166.
When studying the separated workstation configuration of Figure 1, one notices that a single user is unlikely to use both concurrently. Hence, one of the two systems is always 'idle'. If total separation between time slots were secured, a single PC could be used as two separate systems.
This is the underlying concept of the 2IN1 PC made by Voltaire Advanced Data Security Ltd. Voltaire offers a solution which allows the physical separation to be maintained over time, rather than in space. The concept is based on a two-state machine, where the PC can either be in the Secured or the Public distinct state at any time. During the secured transition between the two states, all temporary data memory is fully erased from common areas; this process is managed by firmware at the lowest physical layer, providing strong physical separation.
The implementation is based on a controller card installed in-between the host PC on
one side and its hard disk(s), the internal LAN connection and the Internet connection on the
other. This card serves as a security controller, switching the access to and from these
peripheral devices.
A single hard disk is physically segmented into two distinct areas, with disk access controlled in firmware at the IDE bus physical layer, allowing disk access to only one segment at any time. While in operation, the system is in one of two mutually exclusive states, Secured and Public. In the Secured state, the Secured hard disk and the LAN connection are available to the host PC while the Internet (or any other non-secured network) connection is physically disconnected and access to the Public disk is blocked. In the Public state, the Public hard disk and the Internet connection are available to the host PC, while the Secured LAN is physically disconnected and the Secured disk cannot be accessed.
During any transition from Secure to Public and back, the system performs a cold boot which ensures a complete erasure of system memory. The two separated hard disk areas both store a copy of an operating system and boot independently. Thus, the two virtual PCs are never active concurrently.
The peripheral environment of the single PC is segmented into two distinct areas, Secured and Public. The two areas are never connected to the PC at the same time. Some parts of the system are shared between the two segments, but these are fully erased during the secured transition between Secured and Public. As a result, shared devices never expose sensitive data to the external world.
As this set-up is managed in firmware at the lowest physical layer, physical separation is provided. Hence, a similar data-security level, previously provided by two separated PCs, is achieved using a single one. A limitation is that users cannot work on their "secured" station while also connected to the Internet. However, most users seldom work concurrently on both networks.
Figure 4 illustrates a single computer 170 with a partitioned hard drive for secure and non-secure transactions. The computer 170 includes an IDE controller 172 which controls access to a secure area 174 and a public area 176 of a storage device. The IDE controller 172 is connected to a secure LAN/net 180 and a public net 182.
Figure 5 illustrates an exemplary single computer 200 with devices for logically separating access to separate networks and identifying/authenticating users. The computer 200 includes a 2x1 card 202 for logically partitioning the computer 200 into at least two virtual computers. The computer 200 further includes biometric software 204 for identifying/authenticating a user of the computer 200, a WAVE LAN card 206 for network connectivity, a modem 208, anti-virus software 210, firewall software 212 and MM con exchange 214. The computer 200 includes an internal enterprise networks connection 230 to intranets 236 and Lucent technologies 238, a private network connection 232 to a classified network 240, and a public networks connection 234 to internets 242 and IBM technology 244. A special keyboard 216 provides secure user identification/authentication with a smart card 218 and a fingerprint station 220. A mouse 222 is further connected to the computer 200 for user input.
A preferred configuration of the invention is based on, e.g., an IBM Intel station with Pentium III processors running at least 500 MHz, fully configured with at least 64MB memory, at least 13 GB hard disk, 18/40X DVD, 10/100 Ethernet, Windows NT, Windows 98, virus protection, a biometric keyboard, a V90 modem, and 8MB 3D graphics video. Other features may include disk encryption software to protect data in the event of overrun or theft.
The smart card may, e.g., be implemented as a smart card of MIT, SARL, Inc., which was established in 1999. The smart card of MIT, SARL, Inc. integrates smart card technology with biometric identification in a multi-platform environment. An exemplary product is the computerized biometric identification and access system, SAFE™ (Secure Access Friendly Environment), which can be installed immediately by users who want a positive biometric identification system coupled with the information storage capability of a smart card. The SAFE™ program incorporates four specific components which function in concert with each other:
1. Biometric Technology
2. An Encrypted Smart Card
3. Multiple Platform Environment
4. MIT, SARL's Licensed Software Program
Together, the four components of SAFE™ permit the user to accomplish any of scores of missions where it is necessary to provide positive identification of individuals and to record information about the transaction. Applicable situations include, but are not limited to, the following:
• Government ID Cards
• Banks
• Military Security
• Hospitals/Healthcare Institutions
• Individuals
• Welfare Systems
• Buildings
• Social Security Systems
• Computers/Facilities
• Drivers Licenses
• The Internet
• Telephone Companies
• Time & Attendance
• Insurance Companies
• Credit Card Companies
• Voter Registration Processes
• Debit Cards
• University Dining
This product combines biometrics and the smart card with a software program. SAFE™
allows the user to swiftly enroll hundreds of thousands or millions of people in a positive
identification program which is cost effective. SAFE™ can run on existing or networked
computers.
The strict definition of biometrics is the science, which involves the statistical
analysis of biological characteristics. A (slightly) more pragmatic definition is: The
application of computational methods to biological features, especially with regard to the
study of unique biological characteristics of humans. As with many terms, the computer
industry has adopted the word and subtly changed its meaning. Biometrics has thus become
synonymous with the verification of people's identities using their unique characteristics. A biometric is something that is used as a means of proving you are who you claim to be, just like a PIN or a password, but the crucial difference is that the biometric is something that is a part of you, rather than something you know. Some examples include your height, weight, the shape of your hand, the pattern of your voice, veins, retina or iris, your face and the patterns on the surface of the skin of your thumbs or fingers: the fingerprint.
The present invention provides easily used fingerprint recognition which guarantees the authenticity of the user. Registration is a simple process that allows many users to use the same system, or register multiple fingers. As discussed previously, Recognition Systems, Inc. introduced the first ID3D HandKey reader in 1986. SAFE™ incorporates this reader, which is a very widely used biometric device for access control applications. It is user friendly and cost effective.
More than ever today, security management continues to be a matter of pressing national and international concern. And while the risks may range from minor theft to the safety of individuals, the root problem lies in systems that again and again prove themselves vulnerable. Facial recognition will revolutionize security management worldwide as we move speedily to the era of total electronic commerce and communications.
Facial characteristics of persons to be identified are captured in a 96-byte digital number set called the Personal Identification Vector (PIV). Using cameras, computer interfaces, and MIT, SARL's patented SAFE™ system, Identification Technologies International, Inc. introduced the One-on-One facial recognition system. SAFE™ incorporates this reader, which is a widely used biometric device for access control applications. In essence it creates a numerical "facial signature" of the person. This data is stored on MIT, SARL's encrypted smart card.
The verification process does not use templates or neural networks. It involves the generation of an instant "checkpoint" PIV (usually not stored) of the individual which is matched against the stored PIV. Facial recognition is more accurate than any existing recognition or verification system. No two faces are structurally alike, not even those of identical twins.
• This ID is not transferable. A person and the person's face cannot be separated. Only that person can use his/her right of access.
• Verification is entirely within the process; it is automatic, with no user involvement required.
• Eyeglasses, normal makeup and facial hair do not interfere with correct identification.
• Beyond being reliable, MIT, SARL's SAFE™ facial recognition is simple, fast and cost-effective.
The second component of SAFE™ is the smart card, a miniature "computer in your wallet". It is a portable data storage device that prevents unauthorized reading of or changes to the data it carries. Because the smart card is a computer, it is a programmable device. Smart cards allow for extremely high levels of security because the card can use sophisticated cryptographic techniques to encode and decode all communications between the smart card and other devices. The smart card resembles an ordinary driver's license or similar means of identification. It can include a picture of its holder, and other identifying printed information, just like a driver's license. The integrated circuit holds electronic information, which is easily collected and collated by electronic data processing equipment. The information remains on the chip.
Smart card technology is spreading rapidly throughout the world. In 1994 sixty-six telephone companies in sixty countries used smart cards for pay telephones, and it is expected that over 100 countries will have adopted that system before the end of the century (see, e.g., http://www.microsoft.com/corpinfo/press/1996/sept/Smcrddpr.htm). The need for increased amounts of storage such as medical records will require proportionately more expensive smart cards.
The smart card contains a Self-Programmable One-Chip Microcomputer (SPOM), a miniature computer without peripheral devices, which has physical dimensions so small that it can be embedded into the body of a typical plastic credit card. In the case of contact smart cards, eight metallic copper pads provide the electronic contact points for serial communication of data between the SPOM and the smart card reader. The pads provide SPOM power (normally 5 volts; some SPOMs will run on 3 volts for low power applications), a half duplex (input and output on the same data line) input/output contact point for serial data communication between the SPOM and the reader, a contact point for the reader to read the clock signal generated by the SPOM (ranges from 3 MHz to 5 MHz depending on the manufacturer), and the SPOM reset signal. The ISO 7816 standard dictates physical dimensions of the SPOM silicon for the smart card (25 square millimeters maximum). This size limitation on the silicon area ensures the SPOM is resistant to physical damage when the plastic card within which it resides is flexed, bent or subjected to typical credit-card abuse, but also restricts the amount of electronic circuitry that can be placed within the SPOM, limiting the power of the SPOM processor and amount of memory.
The smart card SPOM contains Random Access Memory (RAM), Read Only Memory (ROM), and Electrically Erasable Programmable Read Only Memory (EEPROM). RAM usually consists of a maximum of 256 bytes and is used as a scratch-pad area for the operating system. ROM contains the SPOM operating system and can consist of up to a maximum of 16K bytes. EEPROM consists of up to a maximum of 8K bytes and may be used by a smart card application to store data and user-written executable modules. EEPROM performs the same function as RAM, except that EEPROM does not lose data when power is removed. The electronic construction of EEPROM requires more space on the SPOM silicon than a similar amount of RAM or ROM.
The smart card processor has an 8-bit data path and 8-bit registers. Most smart card processors use the same operation codes and command set as industry standard microcontroller processors used in embedded applications, such as the Intel 8051 or the Motorola 6805. The 8051 or 6805 are processors similar to the Intel or Motorola microprocessors used in personal computers (PCs); however, the 8051 or 6805 are 8-bit processors designed to be used in embedded applications. An embedded application is the control of an electronic device by a processor with a burned-in (non-changing) program. An example of an embedded processor application is the keyboard of a PC. The microcontroller processor is a part of, and is dedicated to, that electronic device. The reason the smart card SPOM is called self-programmable is because the SPOM contains EEPROM which can be written to or erased by the SPOM Card Operating System (COS). With some smart card operating systems, applications can be written in the C programming language on an IBM-compatible PC using an 8051 or 6805 C cross-compiler. The executable module can then be downloaded into the smart card SPOM EEPROM.
The manufacturer of the smart card provides the manufacturer of the SPOM semiconductor with the operating system, which will be subsequently burned into the ROM of the processor. Although various operating systems are available, the selection of an operating system is contingent upon the smart card application. All smart card operating systems provide security and file management functionality. Security functions consist of authentication of the smart card to the smart card reader, authentication of the smart card reader to the smart card, and file management based upon security attributes assigned to individual files contained within the smart card EEPROM. Reading, writing and erasing must all be considered when assigning security attributes to a file. File management is very similar to the concept of DOS. Individual files are contained within hierarchical directory structures. The smart card reader issues specific control commands to the smart card operating system to access files contained within the EEPROM. Some security features are performed by the operating systems of the smart card and smart card reader in a manner transparent to the application program on the host computer, which manipulates data within the smart card. The MIT, SARL encrypted smart card operating system allows the downloading of user-written application executables into the EEPROM. Because the EEPROM is limited to a maximum of 8K bytes, the executable module must be minimized to reside in memory with the data. A practical example of a user-written application is the storage of an individual's biometric template on a smart card. The individual is verified when the smart card processor compares the biometric template stored on the smart card with a template from external biometrics equipment. Security improves when the comparison is performed within the smart card because the biometrics template is not exposed to the outside. Smart cards protect data using hardware and software techniques.
Semiconductor manufacturers have attempted to make the smart card SPOM resistant to physical probing by electronic instruments and physical disassembly. Resistance to tampering improves since the entire smart card circuitry is contained within a single integrated-circuit SPOM, minimizing physical exposure of address, data or control buses.
The smart card operating system uses cryptography to protect smart card data. Two commonly used smart card cryptography techniques are symmetric and asymmetric cryptography.
The most common form of symmetric cryptography is the Data Encryption Standard (DES). The term symmetric is used because both the device receiving the encrypted data and the device sending the encrypted data must contain the same secret encoding/decoding key. The vast majority of smart cards use symmetric cryptography.
The two most common types of asymmetric cryptography are Rivest, Shamir, Adleman (RSA) and Digital Signature Standard (DSS). DSS was developed by the United States government and is approved by the National Institute of Standards and Technology (NIST). Unlike RSA, DSS does not have the ability to encrypt with the public key. With asymmetric cryptography, every individual/organization has a public and a private encryption/decryption key. Encrypted data can be sent to an individual/organization using their public key. Only the private key of that individual/organization can decrypt the data. An individual/organization can send out encrypted data using their private key. Only the public key of that individual/organization can decrypt the data. Decryption of the data by the public key is proof that a particular individual/organization encrypted and sent the data and is known as a digital signature.
A public key system means that the smart card possesses a secret key embedded in the smart card and a public key is assigned to that smart card. When a smart card is inserted into a smart card reader, the smart card reader generates a random number R, which is sent to the smart card. The smart card encrypts that random number with an asymmetric algorithm (RSA or DSS) using its secret key. The smart card then sends that encrypted number R' back to the reader. The smart card also sends its public key to the reader in the form of a certificate, which is a type of digital signature. The certificate is the smart card's public key, which has been encrypted by the secret key of a certifying authority (CA). The CA prevents the use of fraudulent public keys by ensuring that public keys belong to the users who claim them. The CA carefully checks the identity of an individual/organization before certifying their public key. The CA certifies the public key by encrypting it with the CA's private key. This certificate is then given to the individual/organization. The authenticity of a public key is proven when the CA's public key can decrypt it. When the reader receives the smart card's certificate, it decrypts the smart card's public key with the public key of the CA. The public key of the CA is universally known. The reader then uses the smart card's public key to decrypt the encrypted random number sent to it by the smart card. If the decrypted random number matches what the reader originally sent out, the reader knows the smart card is authentic. This method of cryptography is called asymmetric because the two devices use different keys to communicate encrypted data with each other.
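The exchange just described (random number R from the reader, R' computed by the card with its secret key, the card's public key wrapped in a certificate made with the CA's secret key and opened with the universally known CA public key) as an added Python model. It is not part of the patent and not the SAFE product's protocol; textbook RSA with small constructed primes, a 16-bit challenge and a simple packing of the card's (n, e) into one certificate value are assumptions chosen so that every number stays readable. The `ClonedCard` is a constructed failure case: a card that copied the certificate but not the secret key is rejected because R' does not map back to R.

```python
"""Reader/card challenge-response with a CA certificate, as described above.

Added teaching model, not the SAFE product's protocol and not code from the
patent.  Assumptions not on the page: textbook RSA without padding, small
fixed primes, a 16-bit challenge, and (n, e) packed into one integer so the
certificate is a single value.  A deployed system uses full-size keys and a
standardised signature scheme; the protocol shape is what is shown here.
"""
import secrets


def make_rsa_keypair(p, q, e):
    """Return ((n, e), (n, d)) for textbook RSA over the primes p and q."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse (Python 3.8+)
    return (n, e), (n, d)


CHALLENGE_BITS = 16

# Constructed demo keys.  The CA modulus must exceed the packed card key.
CA_PUB, CA_PRIV = make_rsa_keypair(104729, 104723, 65537)   # n ~ 1.1e10
CARD_PUB, CARD_PRIV = make_rsa_keypair(257, 263, 17)          # n = 67591 > 2**16


def pack_pubkey(pub):
    """Encode (n, e) as one integer: n in the high bits, e in the low 16."""
    n, e = pub
    return (n << 16) | e


def unpack_pubkey(packed):
    return packed >> 16, packed & 0xFFFF


def issue_certificate(card_pub, ca_priv=CA_PRIV):
    """CA side: 'encrypt' the card's public key with the CA secret key."""
    n_ca, d_ca = ca_priv
    m = pack_pubkey(card_pub)
    if m >= n_ca:
        raise ValueError("packed key does not fit under the CA modulus")
    return pow(m, d_ca, n_ca)


def open_certificate(cert, ca_pub=CA_PUB):
    """Reader side: recover the card's public key with the CA public key."""
    n_ca, e_ca = ca_pub
    return unpack_pubkey(pow(cert, e_ca, n_ca))


class SmartCard:
    """Holds the secret key on-chip; only R' and the certificate ever leave."""

    def __init__(self, priv, cert):
        self._priv = priv
        self.cert = cert

    def respond(self, challenge):
        n, d = self._priv
        return pow(challenge, d, n)   # R' = R encrypted with the secret key


class ClonedCard(SmartCard):
    """Constructed failure case: has the certificate but not the secret key,
    so the best it can do is echo the challenge back unchanged."""

    def respond(self, challenge):
        return challenge


def reader_authenticate(card, challenge=None):
    """One exchange seen from the reader; True only for a genuine card."""
    if challenge is None:
        challenge = secrets.randbelow(2 ** CHALLENGE_BITS - 2) + 2   # 2 .. 65535
    n_card, e_card = open_certificate(card.cert)
    if n_card <= challenge or e_card == 0:
        return False   # garbage: the CA never issued this certificate
    r_prime = card.respond(challenge)
    return pow(r_prime, e_card, n_card) == challenge


def run_demo(challenge=12345):
    """Genuine card versus clone on the same fixed challenge."""
    cert = issue_certificate(CARD_PUB)
    return {"genuine": reader_authenticate(SmartCard(CARD_PRIV, cert), challenge),
            "clone": reader_authenticate(ClonedCard(None, cert), challenge)}


if __name__ == "__main__":
    print(run_demo())   # {'genuine': True, 'clone': False}
```

The reader-side guard on the unpacked key matters in practice: a certificate the CA never produced opens to an arbitrary (n, e), and the comparison must fail cleanly rather than raise on a zero modulus.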
First, each individual to be included in the system must be enrolled. His or her picture must be taken, and the picture as well as pertinent identifying information must be imprinted on the smart card and in its circuit. Tests show that one skilled operator with one set of equipment can enroll people at the rate of 30 per hour. It takes approximately two seconds for the information to be stored in the main database.
The cardholder then has a credit-card sized plastic card, which can be carried in a wallet or purse. It can be produced easily when needed. When the cardholder uses the card, it is inserted into a card reading machine. The machines are relatively inexpensive, and can be positioned in strategic locations, as are bank ATM machines, at welfare offices, or polling booths. The cardholder must also place the palm of one hand on a metal plate, or look into a mirror, which electronically measures the hand or face and its configuration to confirm the cardholder's identity. This avoids any possible tampering by a hacker within the smart card applications (see, e.g., Article #1, The Wall Street Journal, Monday, October 21, 1998).
The electronic readers at the point of use perform three important functions. They first confirm the identity of the cardholder, and then they test to see whether the cardholder is the person he or she purports to be by checking the biometric information from the handprint or face-print against a central database. Finally, the reader imprints or extracts (or both) the information required for that transaction, i.e., that Mary Doe, living at 1011 Wistful Vista, Hometown, USA, voted in the municipal election at 11:10 a.m. on November 4, or that John Doe entered the nuclear installation through Gate 6 at a given time on a particular day, or that it actually was Joe Smith who clocked into his job at the factory on time.
The system was designed specifically to be user friendly for all forms of computer programs on the market today. This eliminates the cost of purchasing new computers, when computers are readily available in all offices worldwide.
The software program allows the user to both imprint and collect information as the smart card is used. The card can be used to ensure that each voter casts only one vote, or to record the exact time and date when a worker enters a sensitive nuclear installation, or even to accumulate time and attendance information for an industrial payroll. The software is so user-friendly it can be run on the typical PC.
Figure 6 illustrates an exemplary single computer 300 with devices for logically separating access to separate networks. The computer 300 includes a card 302 which includes a switch for switching access between a secured LAN 308 and a public link 306. A storage device 304 is connected to the card 302 for switching between a public storage area and a secure storage area in the device.
An exemplary implementation is based on the installation of a controller card in-between the host PC on one side and its hard disks, internal LAN links and Internet connection on the other. This card serves as a security controller controlling access to and from all these devices.
During operation the system is in one of two distinct states, Secured and Public. In the Secured state, the Secured hard disk and the LAN connection are available to the host PC, while both the Public disk and the Internet connection are physically disconnected. In the Public state, the Public hard disk and the Internet connection are available to the host PC, while both the Secured disk and the LAN connection are physically disconnected.
During any transition from Secure to Public or from Public to Secure, the system reboots via a hardware reset, totally erasing the entire PC RAM. Each of the two distinct hard disks stores its own copy of an operating system, and boots independently. The other hard disk is totally hidden and inaccessible, so that the two disks are never active at the same time.
All security operations are performed in firmware by a 2in1 PC controller. Setting up the 2in1 PC requires the insertion of a hardware plug, an action that cannot be emulated by software. As a result, the 2in1 PC implementation provides the same high level of security currently achieved only by the use of two separate PCs.
Most PCs have only a single hard disk installed. However, operating systems allow the user to soft-partition a single disk into a number of distinct volumes, specified by the designation of physical address areas. This feature is used to implement two disks, Secured and Public, on a single hard disk device. A dedicated Master Boot Record makes only one partition visible to the operating system and user, fully hiding the other.
The 2in1 PC controller specifies which "disk" is available and which one is hidden and disconnected according to the system state. Partitioning through software alone cannot fully secure access to "hidden" data areas, and does not provide the required high level of data security. However, since the 2in1 PC device serves as an intermediate between the host PC and the hard disk, it can physically block access to specific address areas when so required. Setting the device to segment the single hard disk into two distinct areas (partitions), in accordance with the operating system partitioning, allows the 2in1 PC to certify that only one partition is physically accessible at any time. That is, the device provides high security by physically blocking at the low hardware bus level any access to a certain "disk", while the higher operating system layers provide the user with the natural transparency and ease-of-use, hiding the appropriate disk partition from both system and application software.
Figure 7 illustrates a computer device configuration 350 for logically separating access to separate networks. The configuration 350 includes an IDE to hard disk 352, an IDE from a PC host 358, a controller 360, a memory 362, a setup enable 354, a hardware interface 356, and electromechanical relays with secured in 366, secured out 368, public in 370 and public out 372.
The configuration shown in Figure 7 is an exemplary block diagram of a 2in1 in-slot card. An exemplary 2in1 PC product version is applicable to PC systems utilizing IDE-ATA hard disks. The 2in1 PC can be easily installed as an add-in to any common PC. Neither the hard disk nor the communication card(s) need to be replaced.
The 2in1 PC is implemented as an ISA PC in-slot card. The IDE-ATA cable from the host PC is connected to the card, and then a further IDE-ATA connection goes to the hard disk(s). Both the Secure and Public communication cables are linked through the card. As a result, all links pass through the card and are physically controlled by its embedded controller.
At each instant, one of the communication links is connected, while the other is switched off and disconnected through an electro-mechanical relay, providing a full physical galvanic disconnection.
A non-volatile memory device is embedded on the card, storing the set-up information, including the partition borders and the Master Boot Record(s). This non-volatile memory can only be written when the 2in1 PC is in its set-up mode, enabled by the physical insertion of a special set-up plug. Without the set-up plug, the write-enable leg of that memory device is physically disconnected, turning the device into a Read Only Memory. Thus, no network intruder can alter the set-up information unless he physically penetrates the secured site.
The controller implements a two-state machine, containing an internal switch specifying its state, either Secure or Public. This switch can only be set by the embedded controller device during the secured transition session.
It is to be noted that no digital data is transferred to or from the 2in1 PC card via the ISA bus. The card merely uses the ISA bus for power and clock signals, and monitors specific ISA lines to identify system events and activity. Hence, the 2in1 PC is a passive ISA device, does not interfere with any other ISA device, nor does it require any IRQ allocation.
The 2in1 PC analyzes all IDE bus signals and reacts according to its set-up. When in the Secured state, the 2in1 PC blocks all access to the Public disk area, as specified by the partitioning data stored within its set-up memory on board. Concurrently, it issues a signal to the Public relay, switching off the Public network links and blocking all communications (to and from the Internet).
When in the Public state, the 2in1 PC blocks all access to the Secure disk area and switches off the Secured network to disconnect the LAN. The device further identifies control commands, sent from the host PC over the IDE bus, to initiate a secured transition.
Any access to the Master Boot Record sector is routed by the device to a mirror sector stored on the embedded non-volatile memory on board. This way, the two disk areas are totally independent, each having its own Master Boot Record. During normal operation, the Master Boot Record sector(s) are fully secured in hardware, as the non-volatile memory device can only be written to when the set-up plug is inserted.
Software dnvers for common PC environments are available to initiate a transition
from Secured state to Public and vice versa These include DOS, Windows 3 xx
Windows95, Windows NT, OS/2 and some UNIX versions including SCO and LINUX
Figure 8 illustrates a computer storage device configuration 400 for logically separating access to data for separate networks. The configuration 400 includes a secured area 402, a transition area 404, a public area 406 and a functional area 408.

An additional, third Transition virtual computer is created alongside the two systems, Secured and Public. This virtual computer serves as a demilitarized zone, a gap separating the Secured and Public computers both in time and in space. It is totally hidden during both sessions, and can be read-only protected in firmware unless the set-up plug is inserted.
The transition from Secure to Public and back is initiated in software to certify that the operating environment is shut down in an orderly manner. When the user clicks on an Initiate-Transition icon, the 2in1 PC software driver is activated. The driver performs a Restart-PC (or system shutdown) routine to close all active applications in an orderly manner. Once the operating system has concluded its shut-down, the driver regains control, sends the message to the 2in1 PC controller (via the IDE bus) and initiates a hardware-reset (or power-down) signal. Upon this message, the controller disconnects both network links and waits until it senses that a hardware-reset (or power-up) signal has actually been sent through the PC buses.

Later, once the host PC sends a boot request via the IDE bus, the controller loads the Master Boot Record pointing to the Transition partition (from the on-board memory) and boots a common DOS system from the stashed Transition partition. The Transition "computer" performs security-related routines, including RAM contents erasure, and then sends the controller a message to initiate an additional hardware-reset signal.

When the controller senses this second hardware-reset signal, it switches on the second communication link, and once the host PC sends the boot request again, the appropriate system - either Secured or Public - is loaded through its dedicated Master Boot Record.

As the Transition computer is a common DOS system, it provides an open architecture, allowing value-added resellers and installers to seamlessly add their security routines. This is an exceptionally strong security feature, as the Transition partition is stashed away and totally hidden during both Secured and Public sessions, effectively protected by firmware. Furthermore, as the Transition disk area can be kept read-only unless in set-up, it is secured against the user as well, and can be used to perform any automated security routine. An organization may wish to install access control applications and check user passwords during every transition. The automated transition can also be used to automatically run scanning applications such as an anti-virus.
Users connected to two networks often wish to transfer data between their separated environments. When separated workstations as shown in Figure 1 are used, data is often transferred to and from the dedicated system using diskettes. The 2in1 PC supports this routine, allowing users to transfer data between the Secured and Public systems via diskettes placed within the common floppy diskette drive.

The 2in1 PC strictly requires that the diskette be removed during the transition. When the transition routine is initiated, the 2in1 PC software driver checks for the presence of a diskette in the drive and issues a warning accordingly. However, if the 2in1 PC hardware controller identifies that a diskette is actually accessed during the transition, it will not complete the transition to the next state. Moreover, whenever data security policy requires so, the installer can set up the 2in1 PC to disable the use of diskettes in either the Secured or the Public computer altogether.
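The transition sequence described above, together with the diskette rule, is an ordering of controller events: after the driver's message both links drop, a real hardware reset must be observed before the Transition MBR is served, the Transition computer asks for a second reset, and only after that second reset is the target link enabled and the target MBR served. The following Python state machine is an added example, not the vendor's firmware or code from the patent. The state and event names are assumptions, and because the page does not say how the card recovers after it refuses a transition, the model simply stays in a refused state with both links down.

```python
"""Model of the 2in1 PC secured-transition sequence (added example, not vendor firmware)."""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional


class State(Enum):
    SECURE = auto()
    PUBLIC = auto()
    WAIT_RESET_1 = auto()          # driver message received; waiting for the first hardware reset
    WAIT_BOOT_TRANSITION = auto()  # reset seen; next boot request gets the Transition MBR
    TRANSITION = auto()            # Transition "computer" (DOS) is running its routines
    WAIT_RESET_2 = auto()          # routines done; waiting for the second hardware reset
    WAIT_BOOT_TARGET = auto()      # target link is up; next boot request gets the target MBR
    REFUSED = auto()               # diskette seen during transition (assumption: terminal)


class Event(Enum):
    DRIVER_MESSAGE = auto()        # sent over the IDE bus after the OS has shut down
    HW_RESET = auto()              # reset (or power-up) sensed on the PC buses
    BOOT_REQUEST = auto()          # host asks for the boot sector
    TRANSITION_DONE = auto()       # Transition computer finished (RAM erased, checks passed)
    DISKETTE_ACCESS = auto()       # floppy bus activity observed by the controller


# MBR handed out in each steady session (placeholder names, not real sector contents)
STEADY = {State.SECURE: "MBR-Secure", State.PUBLIC: "MBR-Public"}


@dataclass
class Controller:
    state: State = State.SECURE
    target: Optional[State] = None
    secure_link: bool = True
    public_link: bool = False
    log: List[str] = field(default_factory=list)

    def _set_links(self, secure: bool, public: bool) -> None:
        # The relay design never lets both networks be connected at once.
        assert not (secure and public), "both links may never be connected at once"
        self.secure_link, self.public_link = secure, public

    def handle(self, ev: Event) -> Optional[str]:
        """Feed one event; return the MBR served if this event was an honoured boot request."""
        s = self.state
        if s in STEADY:
            if ev is Event.DRIVER_MESSAGE:
                self.target = State.PUBLIC if s is State.SECURE else State.SECURE
                self._set_links(False, False)          # both networks off for the whole transition
                self.state = State.WAIT_RESET_1
            elif ev is Event.BOOT_REQUEST:
                return STEADY[s]                       # a plain reboot stays in the same session
            return None
        if s is State.REFUSED:
            return None                                # nothing is served and links stay down
        if ev is Event.DISKETTE_ACCESS:
            self.state = State.REFUSED
            self.log.append("diskette accessed during transition: transition refused")
            return None
        if s is State.WAIT_RESET_1 and ev is Event.HW_RESET:
            self.state = State.WAIT_BOOT_TRANSITION
        elif s is State.WAIT_BOOT_TRANSITION and ev is Event.BOOT_REQUEST:
            self.state = State.TRANSITION
            return "MBR-Transition"
        elif s is State.TRANSITION and ev is Event.TRANSITION_DONE:
            self.state = State.WAIT_RESET_2
        elif s is State.WAIT_RESET_2 and ev is Event.HW_RESET:
            # Only now does the target network come up; the other stays galvanically open.
            self._set_links(self.target is State.SECURE, self.target is State.PUBLIC)
            self.state = State.WAIT_BOOT_TARGET
        elif s is State.WAIT_BOOT_TARGET and ev is Event.BOOT_REQUEST:
            self.state = self.target
            self.target = None
            return STEADY[self.state]
        else:
            self.log.append(f"ignored {ev.name} in {s.name}")   # e.g. boot request with no reset
        return None


def run(events: List[Event], controller: Optional[Controller] = None) -> List[Optional[str]]:
    """Drive a controller through a list of events and collect what each one served."""
    c = controller or Controller()
    return [c.handle(e) for e in events]


if __name__ == "__main__":
    c = Controller()
    print(run([Event.DRIVER_MESSAGE, Event.HW_RESET, Event.BOOT_REQUEST,
               Event.TRANSITION_DONE, Event.HW_RESET, Event.BOOT_REQUEST], c))
    print(c.state, c.secure_link, c.public_link)
```

The property worth checking in such a model is that there is no path from one steady session to the other on which a network link is up while the Transition MBR has not yet been served and the second reset has not been seen; a boot request that arrives without a preceding reset is logged and ignored rather than honoured.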
Instead of using a diskette, which is inferior to the hard disk and limited in capacity, an additional partition, named Functional, may be configured to serve as a common area, where data can be controllably stored and transferred between the Public and Secure separated environments. In such a set-up, the Secured and Public partitions will alternately be disk volume C: in the Secured and Public states respectively, while the Functional partition will be the D: drive in both sessions.

The Functional partition feature can be further used to create a one-way secured tunnel, so that Public data can be transferred into the Secured partition, but never the other way around. This is accomplished by configuring the Functional partition as a read/write disk during the Public state and as read-only during the Secure session. As the read-only characteristic is controlled in firmware, at the low IDE bus level, this set-up guarantees that Secured data can never be written into the Functional common area and so never becomes accessible during Public sessions.
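The access rules of the preceding passages (per-state blocking of the Secure and Public areas with the MBR served from on-board memory, the write-enable line tied to the set-up plug, and the Functional partition as a one-way channel) can be written down as one small policy model. The following Python is an added example, not code from the patent or from the 2in1 PC product. The LBA borders, the MBR placeholders, and the rule that the Transition session sees only its own area (read-only unless the plug is inserted) are assumptions made for the model.

```python
"""Model of the 2in1 PC controller's per-session disk access filter (added example)."""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Dict, Optional, Tuple


class Session(Enum):
    SECURE = auto()
    PUBLIC = auto()
    TRANSITION = auto()


@dataclass(frozen=True)
class Area:
    first_lba: int
    last_lba: int                      # inclusive

    def contains(self, lba: int) -> bool:
        return self.first_lba <= lba <= self.last_lba


@dataclass
class SetupMemory:
    """On-board non-volatile memory; its write-enable line is the physical set-up plug."""
    plug_inserted: bool = False
    data: Dict[str, object] = field(default_factory=dict)

    def write(self, key: str, value: object) -> None:
        if not self.plug_inserted:
            raise PermissionError("set-up memory is read-only without the set-up plug")
        self.data[key] = value

    def read(self, key: str) -> object:
        return self.data[key]


Decision = Tuple[str, Optional[bytes]]   # ("ALLOW" | "BLOCK" | "REDIRECT", mirrored MBR or None)


@dataclass
class Card:
    nvram: SetupMemory
    session: Session = Session.SECURE

    def check(self, lba: int, write: bool) -> Decision:
        """Decide the fate of one IDE sector access in the current session."""
        if lba == 0:
            # The on-disk sector 0 is never served; each session gets its own MBR from NVRAM,
            # and attempts to rewrite the MBR fail.
            if write:
                return ("BLOCK", None)
            return ("REDIRECT", self.nvram.read("mbr")[self.session])
        areas: Dict[str, Area] = self.nvram.read("areas")
        one_way: bool = self.nvram.read("functional_one_way")
        name = next((n for n, a in areas.items() if a.contains(lba)), None)
        if name is None:
            return ("BLOCK", None)       # outside all configured borders: hidden
        if self.session is Session.SECURE:
            if name == "Secure":
                return ("ALLOW", None)
            if name == "Functional":     # readable; writes refused when the tunnel is one-way
                return ("BLOCK", None) if (write and one_way) else ("ALLOW", None)
            return ("BLOCK", None)       # Public and Transition areas are hidden
        if self.session is Session.PUBLIC:
            return ("ALLOW", None) if name in ("Public", "Functional") else ("BLOCK", None)
        # Transition session (assumption): only the Transition area is visible, and it is
        # read-only unless the set-up plug is inserted.
        if name == "Transition":
            return ("BLOCK", None) if (write and not self.nvram.plug_inserted) else ("ALLOW", None)
        return ("BLOCK", None)


def configure_demo_card() -> Card:
    """Installer step: insert the plug, write borders and MBR mirrors, remove the plug."""
    nvram = SetupMemory(plug_inserted=True)
    nvram.write("areas", {                       # constructed borders, sectors
        "Secure": Area(1, 4_000_000),
        "Transition": Area(4_000_001, 4_100_000),
        "Public": Area(4_100_001, 8_000_000),
        "Functional": Area(8_000_001, 9_000_000),
    })
    nvram.write("mbr", {Session.SECURE: b"MBR-S", Session.PUBLIC: b"MBR-P",
                        Session.TRANSITION: b"MBR-T"})   # placeholder sector contents
    nvram.write("functional_one_way", True)
    nvram.plug_inserted = False                  # set-up complete: memory is now read-only
    return Card(nvram=nvram)


if __name__ == "__main__":
    card = configure_demo_card()
    for lba, write in [(100, False), (4_500_000, False), (8_500_000, True), (0, False)]:
        print(card.session.name, lba, "write" if write else "read", card.check(lba, write))
```

Note what the one-way property is and is not: it is a write restriction enforced below the operating system, so Secure data cannot leave through the Functional area, but whatever the Public session deposits there is readable by the Secure session. That is why the anti-virus scan the text places in the Transition step matters; it is the only control between inbound Public content and the Secured environment.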
Figure 9 illustrates an exemplary network configuration with computers configured for logically separating access to separate networks. Computers 510, 512 and 514 are connected to a hub switch 504, which switches access between a secure hub 502 leading to a secure server 500 and a public hub 508 leading to a public server 506.

Users who link onto two physically separated networks need two physically separated communication links, resulting in duplicate network infrastructure bearing substantial additional costs. The emerging need to provide Internet connectivity to users often requires the addition of separated network links to their desktops, which, in existing sites, is a cumbersome operational task consuming substantial time and resources.

The 2in1 NET allows organizations to save the additional cabling, and securely link users from their desktops to two physically separated networks using the existing single Ethernet/Fast-Ethernet cable. The 2in1 NET system solution is based on the installation of a special version of Voltaire's 2in1 PC cards within the desktop workstations, and a central switch-selector remotely controlled in hardware.

The 2in1 NET central switch-selector is a standard 19" 1U patch panel, supporting up to 8 end-user workstations. It is a passive device which requires no power supply, does not count as an Ethernet device, and causes a negligible reduction of the Ethernet signal (comparable to extending the cable by less than 30 cm). The network cables, connected between the existing hub-switch and the LAN cards, are routed through the 2in1 NET central switch-selector and the 2in1 PC cards, which control the Ethernet/Fast-Ethernet communication.

Adding an "out-of-band" DC voltage signal between the wires (TX and RX pairs) reliably controls the switching between the two separate networks. The signal's polarity physically determines which of the two networks is connected by the central switch-selector to the workstation. The 2in1 NET central switch-selector and the 2in1 PC cards remove that DC element and present the network ports on their "backside" with a clean, standard IEEE 802.3 signal.
Figure 10 illustrates an exemplary network configuration with a computer configured for logically separating access to separate networks. A desktop PC 602 includes a computer 606 connected by an Ethernet connection 608 to a DC + Ethernet mixer 610 in communication with a 2in1 PC card 612. The desktop PC 602 has a DC + Ethernet connection 604 with a communications closet 600 via a DC + Ethernet splitter 620, which transmits a DC signal 622 to a 2in1 NET controller 624. The DC + Ethernet splitter 620 includes an Ethernet connection 628 to a relay unit 630, which also receives a control signal 626 from the 2in1 NET controller 624. The relay unit 630 is connected to a secure network 634 by an Ethernet connection 632, and to a public network 638 by an Ethernet connection 636.

Whenever no DC voltage is detected, both networks are totally disconnected, thus eliminating the risk of a secured workstation being mistakenly connected to a non-classified network; the selector fails closed rather than open. This set-up of the 2in1 NET and 2in1 PC cards allows organizations to perform a smooth addition of an extra network, saving the hassle of paving new cables to the desktops. All additions are concentrated at the communication closet and the backbone behind it. Furthermore, the 2in1 NET operation is fully transparent and maintenance free, bearing no effect on the standard Ethernet/Fast-Ethernet communication.

Security-oriented organizations, seeking to provide Internet connectivity to their users while keeping their classified data physically secured, can simply install 2in1 PC cards within desktop workstations, place 2in1 NET switch-selectors in their communication closets, and add common commercial Internet access solutions.
The 2in1 PC is designed to be installed by a technical installer. The level of expertise required is equal to or lower than that needed to install a common modem or LAN card. The installer connects the external links of both the Secure and Public networks to the In-sockets on the card, and further connects the Out-sockets to the appropriate network links in the PC (modem and/or LAN card).

Wherever required, the installer can "seal" the communication links with a mechanical cover on top of the bracket, which is screwed on from within the PC. This cover prevents any unintentional crossing of communication cables between the Secured and Public links. In order to set up the 2in1 PC, a set-up enable plug must be placed. Only then can the on-board non-volatile memory device be written to and store set-up information. As long as the device is in set-up mode, normal operation is disabled.

The system is set up by running the 2in1 PC installation software. The installer indicates how the hard disk is to be partitioned and split between Secure, Public and Functional. The installer can further set up the different features outlined above, such as whether the Functional partition should be read-only, the size of the partitions, etc. Once the configuration is set, the software utility installs the appropriate software drivers and adds the icon graphics and wallpapers to the appropriate windows. It further writes the Transition partition to a hidden area stashed on the disk, creates the Master Boot Records and writes all relevant information onto the non-volatile memory on the 2in1 PC card (MBRs, partition border information and configuration data).

Once set-up is completed, the installer removes the set-up plug. The non-volatile memory device then becomes read-only, physically disabling any alteration to the 2in1 PC system. Once the 2in1 PC has been installed, operation is straightforward and requires no special training by the user. No further maintenance is required.
When in the Secure or the Public state, the user works in a normal system environment, as the other disk partitions are fully hidden and inaccessible. Whenever the user so desires, he can initiate the Switch-To routine by clicking on the relevant graphical icon.

Once this is done, the active operating system automatically shuts down and initiates a re-boot. However, this time, after the secured Transition has been properly completed, the system boots up the second virtual machine. Throughout that session and until the user initiates the switch back, the first virtual machine is fully hidden and totally inaccessible.

The 2in1 PC stores its hard disk's Master Boot Record(s) in its on-board non-volatile memory. Attempts to rewrite the Master Boot Record(s), a popular malicious act performed by many software viruses, will totally fail, as these records are protected in firmware.

A special master boot record is written on the disk's first sector, so that any attempt to directly access the disk without the appropriate 2in1 PC card will result in a warning message to reconnect the card. Note that whoever tries to access that disk directly does not have the Master Boot Record carrying that disk's format information. Hence, to bypass the 2in1 PC and read data stored on the disk, one must reconstruct the formatting information first, a substantial effort which requires significant resources and expertise.

In many high security installations, hard disks are removable rather than fixed, and locked away in a safe place at the end of the day. When a 2in1 PC's hard disk is placed into the wrong host PC, it will lack its Master Boot Record and thus cannot be used.

This way, the 2in1 PC provides media protection against attempts to snoop and read the disk's data and/or alter its content. However, this security is limited, as experts, investing adequate effort, can reconstruct master boot records and read the disk's data.
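The qualification in the last paragraph is worth seeing concretely. Without the card, the disk lacks its partition table, but the volumes themselves are still plainly formatted, so the table can be rebuilt by scanning for boot-sector signatures and reading each volume's size out of its own BIOS parameter block. The following Python is an added example, not code from the patent or the 2in1 PC product; the disk image, its stub MBR and the FAT16 volumes are constructed inside the block, and the three-volume layout is an assumption.

```python
"""Rebuilding a partition table from boot-sector signatures (added example, constructed image)."""
import struct

SECTOR = 512


def fat16_boot_sector(total_sectors: int, label: str) -> bytes:
    """Construct a minimal FAT16 boot sector with a plausible BPB (sample data, not a real volume)."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x3C\x90"                      # x86 jump over the BPB, as real boot code does
    bs[3:11] = b"MSWIN4.1"                         # OEM name
    struct.pack_into("<H", bs, 11, SECTOR)         # bytes per sector
    bs[13] = 8                                     # sectors per cluster
    struct.pack_into("<H", bs, 14, 1)              # reserved sectors
    bs[16] = 2                                     # number of FATs
    struct.pack_into("<H", bs, 17, 512)            # root directory entries
    if total_sectors < 0x10000:
        struct.pack_into("<H", bs, 19, total_sectors)   # 16-bit total sector count
    else:
        struct.pack_into("<I", bs, 32, total_sectors)   # 32-bit total sector count
    bs[21] = 0xF8                                  # media descriptor: fixed disk
    bs[43:54] = label.ljust(11)[:11].encode("ascii")    # volume label
    bs[54:62] = b"FAT16   "                        # file-system type string
    bs[510:512] = b"\x55\xAA"                      # boot-sector signature
    return bytes(bs)


def stub_mbr(message: bytes) -> bytes:
    """A 'reconnect the card' MBR: a message where boot code would be, empty partition table."""
    mbr = bytearray(SECTOR)
    code = message[:446]
    mbr[0:len(code)] = code
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


# Constructed layout: (first LBA, size in sectors, label)
DEMO_LAYOUT = [(63, 2000, "SECURE"), (4096, 3000, "PUBLIC"), (8192, 1000, "FUNCTIONAL")]


def build_demo_image(total_sectors: int = 10000) -> bytes:
    """Disk image as it would look without the card: stub MBR, volumes intact."""
    image = bytearray(total_sectors * SECTOR)
    image[0:SECTOR] = stub_mbr(b"Disk locked. Reconnect the 2in1 PC card to access this drive.")
    for start, size, label in DEMO_LAYOUT:
        image[start * SECTOR:(start + 1) * SECTOR] = fat16_boot_sector(size, label)
    return bytes(image)


def looks_like_fat_boot_sector(sector: bytes) -> bool:
    """Heuristic: signature, x86 jump opcode, sane BPB geometry and media byte."""
    bytes_per_sector = struct.unpack_from("<H", sector, 11)[0]
    return (sector[510:512] == b"\x55\xAA"
            and sector[0] in (0xEB, 0xE9)
            and bytes_per_sector in (512, 1024, 2048, 4096)
            and sector[13] in (1, 2, 4, 8, 16, 32, 64, 128)
            and sector[21] in (0xF0, 0xF8))


def total_sectors_of(sector: bytes) -> int:
    small = struct.unpack_from("<H", sector, 19)[0]
    return small or struct.unpack_from("<I", sector, 32)[0]


def find_volumes(image: bytes) -> list:
    """Scan every sector after the MBR for boot sectors; skip over each volume once found."""
    found = []
    lba, n = 1, len(image) // SECTOR
    while lba < n:
        s = image[lba * SECTOR:(lba + 1) * SECTOR]
        if looks_like_fat_boot_sector(s):
            size = total_sectors_of(s)
            found.append((lba, size, s[43:54].decode("ascii").strip()))
            lba += max(size, 1)
        else:
            lba += 1
    return found


def build_mbr(volumes: list, boot_code: bytes = b"") -> bytes:
    """Write up to four primary FAT16 (type 0x06) entries with LBA-only CHS fields."""
    mbr = bytearray(SECTOR)
    code = boot_code[:446]
    mbr[0:len(code)] = code
    for i, (start, size, _label) in enumerate(volumes[:4]):
        entry = struct.pack("<B3sB3sII", 0x00, b"\xFF\xFF\xFF", 0x06, b"\xFF\xFF\xFF", start, size)
        mbr[446 + 16 * i:446 + 16 * (i + 1)] = entry
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


def parse_mbr(mbr: bytes) -> list:
    """Return (start LBA, size, type) for each populated partition entry."""
    entries = []
    for i in range(4):
        _boot, _chs0, ptype, _chs1, start, size = struct.unpack_from("<B3sB3sII", mbr, 446 + 16 * i)
        if ptype:
            entries.append((start, size, ptype))
    return entries


def recover_partition_table(image: bytes) -> list:
    """End to end: scan the image, rebuild an MBR, and parse what was rebuilt."""
    return parse_mbr(build_mbr(find_volumes(image)))


if __name__ == "__main__":
    for start, size, ptype in recover_partition_table(build_demo_image()):
        print(f"start={start} size={size} type=0x{ptype:02x}")
```

The rebuilt MBR can be written to a copy of the image and the volumes mounted as usual; nothing in the data itself was protected, which is exactly the limitation the text concedes. An organization relying on this media protection should treat it as a deterrent against casual access and, where the disk may leave the site, combine it with encryption of the Secure area (the kind of encryption device the claims below list as an option).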
In order to save costs, organizations may wish to use a single LAN card - or any other communication device - to connect to both the Secured and Public networks. In organizations where both networks are of a similar type, the 2in1 PC enables the sharing of a single communication device. This can be easily performed by short-connecting the Out-sockets of both the Secured and Public links with a "T" type link to the communication device. As there exists a galvanic disconnection between at least one of the two network links (In-sockets) and the communication device at any instant, total physical separation is assured, providing the adequate data security required. This provides an additional cost saving, eliminating the need to purchase, install and support a second communication device, such as a LAN card.

Some security officers make an effort to eliminate the risk of users connecting the Public link to a Secured device. A common method is to swap the wires of only one such network throughout the installation and make it incompatible. The 2in1 PC provides an easy way to swap the wires back on board.

Many security-oriented organizations have no diskette drives within their secured environment workstations, so that classified data storage and export is centrally controlled. However, there often exists no need to disable floppy disk access during the Public state. The 2in1 PC allows the installer to disable the use of diskettes in either the Secured or the Public computer. This is accomplished by installing a special optional floppy-disk cable instead of the standard one, and connecting it to a dedicated socket on the 2in1 PC card.

Using this connection, the 2in1 PC controls the Ready/Not-Ready floppy-drive bus hardware signal, and can physically disable any floppy drive access during either the Secured or the Public state. As a result, any attempt to access the floppy drive when it is so disabled will result in a "Drive not ready" response.

To further enhance data security, the 2in1 PC has built-in support for the hardware activation of external devices from within the Transition computer. It can be set up to generate a signal on an external port and control devices such as visual displays or communication links.

It can also be programmed to take appropriate actions according to an external input signal, generated by an external device such as a volumetric sensor, received on an external port. This feature can be used to integrate devices such as smart-card readers or fingerprint identification scanners. It may be used to require the user to manually approve the transition, in a manner no digital network-based hacking attack may bypass. These hardware interfaces may be used by the organization to enforce security requirements to be met prior to the establishment of links to either the Secured or the Public environment.
Figure 11A illustrates an exemplary portion of a generalized computer system 700 upon which portions of the invention may be implemented. For example, the configurations of the invention may each be implemented by a plurality of computers having a generalized configuration as exemplified by Figure 11A or by a plurality of computers having configurations similar to those of Figures 11A and 11B described below.

An input 702 of Figure 11A communicates with a memory 704 and a Central Processing Unit 708. The Central Processing Unit 708 communicates with the memory 704 and an output 706. The output 706 is also in communication with the memory 704. The Central Processing Unit 708 may include an arithmetic/logic unit and a control unit in the form of hardware and/or software (not shown). One or more of inputs 702 may each be in communication with one or more memories 704 and/or Central Processing Units 708. One or more Central Processing Units 708 may be in communication with one or more outputs 706 and/or memories 704 and/or inputs 702. One or more memories 704 may be in communication with one or more inputs 702 and/or Central Processing Units 708 and/or outputs 706. Clearly, a plurality of variations of computer hardware configurations may be realized in a network of computer systems upon which portions of the invention may be implemented.

Figure 11B illustrates an exemplary hardware configuration of a generalized computer system 720 upon which portions of the invention may be implemented. One or more processors 724 are connected to a communication bus 722. The communication bus 722 also communicates with a main memory 726, preferably a random access memory ("RAM"). A secondary memory 728 communicating with the communication bus 722 may also be included in the computer system 720. The secondary memory 728 may include, for example, a hard disk drive, a removable storage drive such as a floppy disk drive, a magnetic tape drive, an optical disk drive, a program cartridge and cartridge interface, a removable memory chip (e.g., EPROM, PROM, ROM), or any other similar storage medium. The secondary memory 728 may be in communication with a storage unit 730 such as a floppy disk, magnetic tape, optical disk, or other storage medium read by and written to by a secondary memory device. The storage unit 730 includes a computer usable storage medium for storing computer software and data.
The computer system 720 may also include a communications interface 732 in communication with the communication bus 722 for transferring software and data between the computer system 720 and external devices. Examples of communications interfaces 732 include a modem, a network interface (e.g., a network card), a communications port, a PCMCIA slot and card, and other similar interfaces. Software and data transferred via the communications interface 732 are in the form of signals 736 which are provided to the communications interface 732 via a channel 734. The signals 736 may be electronic, electromagnetic, optical or other signals capable of being received by the communications interface 732. The channel 734 may be implemented using wire, cable, fiber optics, a phone line, a cellular phone link, an RF link or other communications channels.

Computer programs are stored in main memory 726 and/or secondary memory 728. Computer programs may be received via the communications interface 732. Computer programs, when executed by the processor 724, enable the computer system 720 to perform the features of the present invention.

This invention may be conveniently implemented using a conventional general purpose digital computer or microprocessor programmed according to the teachings of the present specification, as will be apparent to those skilled in the computer art, or a network of such computers. Appropriate software coding can readily be prepared by skilled programmers based on the teachings of the present disclosure, as will be apparent to those skilled in the software art. The invention may also be implemented by the preparation of application specific integrated circuits or by interconnecting an appropriate network of conventional component circuits, as will be readily apparent to those skilled in the art.

The present invention includes a program product which is a storage medium including instructions which can be used to program a computer to perform a process of the invention. The storage medium can include, but is not limited to, any type of disk including floppy disks, optical discs, CD-ROMs, and magneto-optical disks, ROMs, RAMs, EPROMs, EEPROMs, magnetic or optical cards, or any type of media suitable for storing electronic instructions.

Obviously, numerous modifications and variations of the present invention are possible in light of the above teachings. It is therefore to be understood that within the scope of the appended claims, the invention may be practiced otherwise than as specifically described herein.
WHAT IS CLAIMED AS NEW AND DESIRED TO BE SECURED BY LETTERS PATENT OF THE UNITED STATES IS
1. A system for securely separating a first network including at least one first computer from a second network including at least one second computer, said system comprising:
a separation device configured to logically separate a first virtual computer from a second virtual computer, wherein said first and second virtual computers physically reside in a single computer; and
an authentication device configured to authenticate a user of said system.
2. The system according to Claim 1, further comprising at least one of:
a device configured to detect at least one computer virus;
a device configured to detect at least one unauthorized intruder;
a device configured to detect tampering; and
an encryption device configured to encrypt data to be stored in the system.
3. The system according to Claim 1, further comprising:
a third virtual computer configured to control separation of said first and second virtual computers, wherein
said first virtual computer includes a connection to said first network;
said second virtual computer includes a connection to said second network;
said third virtual computer physically resides in said single computer;
said first and second networks are mutually exclusive; and
said authentication device is further configured to perform biometric identification and authentication of said user.
4. The system according to Claim 3, wherein:
said authentication device includes at least one of a smart card and a fingerprint detector;
said single computer operates in two mutually exclusive states, wherein
said single computer operates in a first one of said mutually exclusive states when said first virtual computer is activated, and
said single computer operates in a second one of said mutually exclusive states when said second virtual computer is activated, wherein
said first virtual computer is not activated while said second virtual computer is activated, and said second virtual computer is not activated while said first virtual computer is activated.
5. The system according to Claim 1, wherein:
said first network comprises an Internet and said second network comprises a secure intranet.
6. A method for securely separating a first network including at least one first computer from a second network including at least one second computer, said method comprising the steps of:
logically separating a first virtual computer from a second virtual computer, wherein said first and second virtual computers physically reside in a single computer; and
authenticating a user of said single computer.
7. The method according to Claim 6, further comprising the steps of:
determining whether at least one computer virus is introduced into said single computer;
determining whether at least one unauthorized intruder is accessing said single computer;
determining whether tampering of said single computer has occurred; and
encrypting data to be stored in said single computer.
8. The method according to Claim 7, wherein the step of logically separating said first virtual computer from said second virtual computer further comprises logically separating, by a third virtual computer, said first and second virtual computers, wherein
said first virtual computer includes a connection to said first network;
said second virtual computer includes a connection to said second network;
said third virtual computer physically resides in said single computer;
said first and second networks are mutually exclusive; and
said step of authenticating further comprises performing biometric identification and authentication of said user.
9. The method according to Claim 8, wherein:
said step of authenticating further comprises authenticating said user by at least one of a smart card and a fingerprint detector;
said single computer operates in two mutually exclusive states, wherein
said single computer operates in a first one of said mutually exclusive states when said first virtual computer is activated, and
said single computer operates in a second one of said mutually exclusive states when said second virtual computer is activated, wherein
said first virtual computer is not activated while said second virtual computer is activated, and said second virtual computer is not activated while said first virtual computer is activated.
10. The method according to Claim 6, wherein:
said first network comprises an Internet and said second network comprises a secure intranet.
11. An apparatus for securely separating a first network including at least one first computer from a second network including at least one second computer, said apparatus comprising:
means for logically separating a first virtual computer from a second virtual computer, wherein said first and second virtual computers physically reside in a single computer; and
means for authenticating a user of said single computer.
12. The apparatus according to Claim 11, further comprising at least one of:
means for detecting at least one computer virus;
means for detecting at least one unauthorized intruder;
means for detecting tampering; and
means for encrypting data to be stored in the single computer.
13. The apparatus according to Claim 11, further comprising:
a third virtual computer configured to control separation of said first and second virtual computers, wherein
said first virtual computer includes a connection to said first network;
said second virtual computer includes a connection to said second network;
said third virtual computer physically resides in said single computer;
said first and second networks are mutually exclusive; and
said means for authenticating further comprises means for performing biometric identification and authentication of said user.
14. The apparatus according to Claim 13, wherein:
said means for authenticating includes at least one of a smart card and a fingerprint detector;
said single computer operates in two mutually exclusive states, wherein
said single computer operates in a first one of said mutually exclusive states when said first virtual computer is activated, and
said single computer operates in a second one of said mutually exclusive states when said second virtual computer is activated, wherein
said first virtual computer is not activated while said second virtual computer is activated, and said second virtual computer is not activated while said first virtual computer is activated.
15. The apparatus according to Claim 11, wherein:
said first network comprises an Internet and said second network comprises a secure intranet.

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU54434/00A AU5443400A (en) 1999-05-25 2000-05-25 System and method for high assurance separation of internal and external networks

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US13613999P 1999-05-25 1999-05-25
US60/136,139 1999-05-25

Publications (1)

Publication Number Publication Date
WO2000072508A1 true WO2000072508A1 (en) 2000-11-30

Family

ID=22471482

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2000/014313 WO2000072508A1 (en) 1999-05-25 2000-05-25 System and method for high assurance separation of internal and external networks

Country Status (2)

Country Link
AU (1) AU5443400A (en)
WO (1) WO2000072508A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5073852A (en) * 1988-12-16 1991-12-17 Cayman Systems, Inc. Network protocol translator including method and apparatus for reducing interprocess communication and data exchange overhead
US5848231A (en) * 1996-02-12 1998-12-08 Teitelbaum; Neil System configuration contingent upon secure input
US5960085A (en) * 1997-04-14 1999-09-28 De La Huerga; Carlos Security badge for automated access control and secure data gathering
US6078947A (en) * 1996-08-30 2000-06-20 Siemens Aktiengesellschaft Medical installation system

Cited By (14)

* Cited by examiner, † Cited by third party
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US10979549B2 (en) | 2002-02-21 | 2021-04-13 | Bloomberg Finance L.P. | Computer terminals biometrically enabled for network functions and voice communication |
| US10313501B2 (en) | 2002-02-21 | 2019-06-04 | Bloomberg Finance L.P. | Computer terminals biometrically enabled for network functions and voice communication |
| US9912793B2 (en) | 2002-02-21 | 2018-03-06 | Bloomberg Finance L.P. | Computer terminals biometrically enabled for network functions and voice communication |
| US7383575B2 (en) | 2003-12-23 | 2008-06-03 | Lenovo (Singapore) Pte Ltd. | System and method for automatic password reset |
| US9317851B2 (en) | 2008-06-19 | 2016-04-19 | Bank Of America Corporation | Secure transaction personal computer |
| GB2460951A (en) * | 2008-06-19 | 2009-12-23 | Bank Of America | Secure computer for secure transactions using virtualisation |
| US9679135B2 (en) | 2008-06-19 | 2017-06-13 | Bank Of America Corporation | Computing device for secured transactions and virtual monitoring external from the operating system |
| CN101866323A (en) * | 2009-04-15 | 2010-10-20 | 捷讯研究有限公司 | In memory device, make file system or subregion keep secret |
| US8775770B2 (en) | 2009-04-15 | 2014-07-08 | Blackberry Limited | Keeping file systems or partitions private in a memory device |
| EP2672415A3 (en) * | 2009-04-15 | 2014-04-02 | BlackBerry Limited | Keeping file systems or partitions private in a memory device |
| US8560802B2 (en) | 2009-04-15 | 2013-10-15 | Blackberry Limited | Keeping file systems or partitions private in a memory device |
| EP2241993A1 (en) * | 2009-04-15 | 2010-10-20 | Research In Motion Limited | Keeping file systems or partitions private in a memory device |
| KR101089154B1 (en) | 2010-03-05 | 2011-12-02 | 주식회사 안철수연구소 | Network separation device and system using virtual environment and method thereof |
| WO2021048101A1 (en) * | 2019-09-10 | 2021-03-18 | Carl Zeiss Meditec Ag | Computer hardware for a computer-controlled medical device and method for controlling a computer-controlled medical device |

Also Published As

| Publication number | Publication date |
|---|---|
| AU5443400A (en) | 2000-12-12 |

Similar Documents

| Publication | Publication Date | Title |
|---|---|---|
| JP4812168B2 (en) | | Trusted computing platform |
| US7299364B2 (en) | | Method and system to maintain application data secure and authentication token for use therein |
| US9560026B1 (en) | | Secure computer operations |
| EP3023899B1 (en) | | Proximity authentication system |
| Patrick et al. | | HCI and security systems |
| US7430668B1 (en) | | Protection of the configuration of modules in computing apparatus |
| EP1159662B2 (en) | | Smartcard user interface for trusted computing platform |
| US9053313B2 (en) | | Method and system for providing continued access to authentication and encryption services |
| US20070220594A1 (en) | | Software based Dynamic Key Generator for Multifactor Authentication |
| US20070204166A1 (en) | | Trusted host platform |
| US20060168653A1 (en) | | Personal network security token |
| EP1394655A2 (en) | | Secure system and method for accessing files in computers using fingerprints |
| EP1181632A1 (en) | | Data event logging in computing platform |
| US9521032B1 (en) | | Server for authentication, authorization, and accounting |
| EP1159660A1 (en) | | Computing apparatus and methods using secure authentication arrangement |
| US8245054B2 (en) | | Secure and convenient access control for storage devices supporting passwords for individual partitions |
| WO2012111018A1 (en) | | Secure tamper proof usb device and the computer implemented method of its operation |
| US20010048359A1 (en) | | Restriction method for utilization of computer file with use of biometrical information, method of logging in computer system and recording medium |
| WO2000072508A1 (en) | | System and method for high assurance separation of internal and external networks |
| US20020120876A1 (en) | | Electronic communication |
| CN101324913B (en) | | Method and apparatus for protecting computer file |
| US20020120862A1 (en) | | Information system |
| CN105991524A (en) | | Family information security system |
| US8745730B1 (en) | | Secure computer provisioning and operation |
| Hamilton et al. | | A global look at authentication |

Legal Events

| Date | Code | Title | Description |
|---|---|---|---|
| | AK | Designated states | Kind code of ref document: A1; Designated state(s): AG AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GE GH GM HR HU ID IL IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZW |
| | AL | Designated countries for regional patents | Kind code of ref document: A1; Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| | DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | |
| | REG | Reference to national code | Ref country code: DE; Ref legal event code: 8642 |
| | 122 | Ep: pct application non-entry in european phase | |
| | NENP | Non-entry into the national phase | Ref country code: JP |