Abstract: A cryptographic ignition key system and method for managing access to sensitive or protected information using an unclassified, block-cipher-based cryptographic combiner for storing non-private information on a physical token and storing private information on another device having anti-tamper protections and safeguards.

Abstract: An interface device for a protected workstation or host has a network interface for connection to a multi-level secure network, a first address corresponding to a guard control port, and a second address corresponding to a guard data port. A transport guard in the device has a control component coupled to the guard control port for processing configuration data sent to the first address and producing a desired security configuration, a guard component coupled to the output of the control component and to the guard data port of the network interface, and a host interface coupled to the guard component for exchanging data with the protected host. Only when permitted by the desired security configuration, the guard component passes network data addressed to the second address of the network interface to the host interface, and passes outbound data from the host interface to the network through the guard data port.

Abstract: A cryptographic ignition key system and method for managing access to sensitive or protected information using an unclassified, block-cipher-based cryptographic combiner for storing non-private information on a physical token and storing private information on another device having anti-tamper protections and safeguards.

Abstract: Systems including both distributed and centralized architectures for providing multiple levels of security using “virtual” switches. Ports and channels are assigned the same time slots on a TDMA bus only when they have matching security levels.

Abstract: A method of enforcing a network security policy including mandatory access control (MAC), discretionary access control (DAC) and integrity control for a secure information network, includes operating a transport guard within a memory partition logically between a protected application running in the partition and a networking stack, and defining ports for the transport guard including (i) an application port for forwarding data to and receiving data from the application, (ii) a data port for receiving data addressed to the application from the networking stack, and for sending data originating from the application to the stack, and (iii) a control port for supplying configuration data to the transport guard. The configuration data corresponds to MAC, DAC and integrity control policies specified by the network for the protected application. The transport guard limits data flow between its protected application and the data ports accordingly.

Abstract: An interface device for a protected workstation or host has a network interface for connection to a multi-level secure network, a first address corresponding to a guard control port, and a second address corresponding to a guard data port. A transport guard in the device has a control component coupled to the guard control port for processing configuration data sent to the first address and producing a desired security configuration, a guard component coupled to the output of the control component and to the guard data port of the network interface, and a host interface coupled to the guard component for exchanging data with the protected host. Only when permitted by the desired security configuration, the guard component passes network data addressed to the second address of the network interface to the host interface, and passes outbound data from the host interface to the network through the guard data port.

Abstract: A method for operating a multiple single levels of security (MSLS) system comprising the step of providing switched-circuit functionality between channels operating at the same level of security whereby MSLS requirements are met and intelligence is distributed in a way to minimize security certification effort, and apparatus operative for said method.