DE4408035A1 - Communications computer for networking with multilayer data exchange - Google Patents

Abstract

The computer has a bus (8) linking separate processors (1-7) for the physical, data link, network, transport, session, presentation and application layers respectively of the OSI reference model. The need for two processors at the network level corresponds to its division into two sublayers for communication within and between networks. The messages transmitted between the processors and the data bus can be encrypted without influencing the protocol, which offers many-sided access security. The computers can communicate in any layer via gateways without internal protocol conversions.

Description

The invention is in the field of data transmission in networks and relates to a communication computer according to the preamble of Claim 1.

Data transfers between spatially separate data terminals require agreements on the protocols and telegrams in order for one Data exchange can take place in an understandable form. In local This can be done in the environment through locally observed regulations to reach. However, a data exchange between networks should different network protocols can take place are corresponding Adaptations of the protocols to each other are required, which is usually the case through so-called gateways. To be as unhindered as possible Data exchange between modern communication systems too enable a high level of complexity and a variety of Have functions, the various functions become schematic Shifts are allocated and for the different shifts customized protocols defined. The most common such system is that defined by the ISO (International Standard Organization) OSI reference model (Open Systems Interconnection) Seven-layer model of communication.  

A linkage of communication systems can in principle on everyone of layers. Communication computers interact with each other connected, which provide the required protocols. The latter are usually implemented with a processor that in addition, it performs other functions, such as a to process the desired application. However, this has some decisive disadvantages, especially when many of different layers of communication relationships are processed. So the computer is through the gateway functions, that means the constantly necessary protocol conversions are burdened, too The other computing applications. The individual protocols, although they are functional and independent of each other coupled in time; they are also a uniform operating system subject, although they have different requirements on one Operating system.

When transferring data over networks to which the most varied The user always has the question of Access control or data security. Known so far Approaches are based on functional extensions on one or several protocol layers or define special protocol Intermediate layers. However, some of these measures are liable Disadvantages. Since no definitive norms for the mentioned If there are additives, there is a risk of incompatibility different realizations. Guaranteed security is on this base cannot be reached. And last but not least, increase additional security functions the complexity of the protocols and require greater processor power.

It is therefore the task of a communication computer in this way design that he does not have through editing the logs Fee is charged and also the highest possible data security offers.  

The task is basically characterized by the characteristics solved according to claim 1. The desired data security will achieved by the configuration according to claim 3.

The proposed communication computer is characterized by a Plurality of processors, each for processing data are responsible for assigned protocol layers. A preferred one Embodiment sees its own for each protocol layer Processor before. This arrangement allows one another in time independent processing based on customized operating systems for every processor. The mutual influence of the protocols is eliminated, the delays remain low, which is high Data throughput results.

DE-A-41 20 398 describes a data processing system in which between the central processing unit (CPU), i.e. the processor, and a data encryption / decryption device is connected to the data bus becomes. In this way, unauthorized access to the Processor blocked. This principle can be broken down into one or more Use processors of the communication computer according to the invention, whereby the desired data security can be achieved.

The invention is illustrated using the example of the OSI Reference model explained in more detail using the figures below. Show:

Fig. 1 shows a schematic section of the communication computer according to the invention, and

Fig. 2 shows the structure of the telegrams over the 7 OSI layers with encryption on two levels.

Fig. 1 shows the inventively essential part of a computer serving as a communication data processing system. In addition to other circuits, not shown, such as working memory and peripheral controls, a total of eight processors are connected to a bus 8 . Each of the eight processors is responsible for processing the telegrams of the corresponding layer of the OSI reference model, namely the application processor 7 for layer 7 , the "application layer", the presentation processor 6 for layer 6 , the "presentation layer", the session processor 5 for the layer 5, the "session layer," the transport processor 4 for the layer 4, the "transport layer", the inter-network processor 3 c and the network processor 3 a for the layer 3, the "network layer", the backup processor 2 for Layer 2 , the "Datalink Layer" and the bit transfer processor 1 for Layer 1 , the "Physical Layer". The use of two processors at the network level corresponds to the subdivision of this layer into sub-layers 3 a, b for intra-network communication and 3 c for internetwork communication, which is preferably used for network connections via gateways.

It should be noted at this point that the division shown is preferred but not mandatory. For the purposes of the invention, it is also possible to merge processors, in particular those for protocols which have similar requirements for the functioning of the processor, such as, for. B. the presentation processor 6 and the session processor 5 . The independent processing is no longer possible to the full extent, but under certain circumstances an excess capacity of processor performance can be avoided.

A special feature in the service of data backup is the encryption on individual layers, which is accomplished, for example, by a decryption and encryption device 9 or 9 ', which is connected between the transport processor 4 and the bus 8 or the data backup processor 2 and the bus 8 . The data and commands 10 that travel between the processor 4 and the decryption / encryption device 9 are not encrypted. The data and commands 11 which reach the bus 8 from the decryption / encryption device 9 may or may not be encrypted as required. The mode of operation of the encryption is explained in greater detail on the basis of the explanation for FIG. 2. It should also be pointed out here that the arrangement shown is exemplary. Cryptography can also be accomplished in other ways. Decryption / encryption devices 9 can also be interposed between other processors and in total different numbers. In particular, the internal network processor 3 c is preferred because it processes the gateways to external networks. The decryption / encryption device 9 is also able to pass on the data directly without influencing it.

The physical structure of the multiprocessor computer can be based on done in many different ways. This ranges from assemblies in independent, separate devices processor-bus-linked processors in one device up to processors a common circuit board, mixed forms are conceivable.

The Fig. 2 schematically shows the structure of the telegrams such as structured according to the requirements of the OSI reference model at different levels and are evaluated. The eight processors, as described in connection with FIG. 1, are again drawn on the right-hand side, this time clearly arranged one above the other on different levels. The application data 7 are packed by the application processor 7 in a protocol-compliant, standardized application telegram 17 , which includes two parts, the application useful data, 7 data 27 for short, and its so-called header, the application header data, here 7-header for short 37 called. This telegram is accepted as a whole on layer 6 below. The display processor 6 packs the data obtained at this level into a protocol-compliant, standardized display telegram 16 , in the display user data, or 6 data 26 for short, the entire application telegram 17 of the superimposed layer 7 is contained, and this with the display Header data, 6 head 36 for short. This process continues through the fifth stage, the session layer with the session telegram 15 consisting of the 5 data 25 and the 5-header 35 , to the fourth stage, the transport layer.

Here, in accordance with the assumption made for FIG. 1, the first hatching indicates the encryption, the encryption of the data or the decryption thereof when the process is viewed in the opposite direction. The transport processor 4 is a crypto processor, as is implemented, for example, by an arrangement according to FIG. 1. Its output data, the transport telegram 14 , are encrypted. The protocols used and their functions are not affected by this. However, the data that is transferred to the layers below for further processing are now encrypted and can only be decrypted by the recipient processor of the corresponding layer. An authorized subscriber in the communication system must therefore be a communication computer that has a crypto processor on the same level and the corresponding key. According to the agreement on which the layer model is based, the header and data, i.e. the entire telegram of a layer, are always considered as data by the layer below. The encryption carried out in the example on the transport level is not recognizable on the network level below it, and neither is it on the levels below. However, only decrypted data is passed on to the session level above.

In continuation of the process described is an already partially encrypted intranetwork telegram 13 a on the backup level, on the assumption in turn according to a crypto processor acts, part of the data backup telegram 12, which is encoded as a whole. Part of the 2-data 22 is now double-encrypted, while the 2-head 32 and the remaining part of the 2-data 22 are simply encrypted. Regardless of this, the bit transmission processor 1 prepares this data for the bit transmission telegram 11 , consisting of the 1-head 31 and the 1-data 21 . If a participant in the communication system is missing the crypto processor on the data protection level or his key, he cannot communicate at all. If the crypto processor is missing on the transport level, the connection is maintained, but the transmitted information is not accessible to it.

Of course, encryption is possible on several or even all layers. Of particular importance is the internetwork layer 3 c, which is provided for coupling different networks in a network. Transitions between public, private and military networks are possible via appropriate gateways, which requires reliable control over access authorization.

According to the OSI reference model, gateways are in principle on everyone Layers possible. The use of specific processors for one certain layer enables the telegrams of this layer directly to process and bypass protocol conversions. In one Association of communication computers with processors for fixed assigned protocol layers can be accessed via gateways any protocol layers connect without make internal protocol adjustments depending on the shift have to. In connection with cryptography, this can also be done Take the aspect of data security into account.

Claims (5)

1. Communication computer for operation in a computer network with a data exchange on several layers using defined protocols, with an address bus and a data bus ( 8 ) to which at least one processor, working memory and control circuits for peripheral devices are connected, characterized in that each in the communication computer a processor ( 1 , 2 ,..., 7 ) for data processing is present on one or a dedicated group of protocol layers. 2. Communication computer according to claim 1, characterized in that one processor ( 1 , 2 ,..., 7 ) is present in the communication computer for data processing on exactly one dedicated protocol layer. 3. Communication computer according to claim 1 or 2, characterized in that the information ( 11 ) transmitted between one to all selected processors ( 2 , 4 ) and the data bus ( 8 ) are encrypted. 4. Communication computer according to claim 3, characterized in that the information ( 11 ) transmitted between the processor ( 3 c) responsible for the protocol layer ( 3 ) c according to the ISO / OSI-7 layer model ( 3 c) and the data bus ( 8 ) are encrypted. 5. Communication computer according to one of the preceding claims, characterized in that it communicates via a gateway on an arbitrarily selectable layer, which is assigned its own processor, the telegrams ( 11 , 12 ,..., 17 ) of a protocol layer directly from responsible processor ( 1 , 2 ,..., 7 ) are processed, which eliminates protocol conversions.