RU106976U1 - AUTOMATED WORKPLACE WITH IDENTIFICATION OF AN AUTHORIZED USER - Google Patents

Abstract

The utility model relates to telecommunications, and more specifically to devices protecting computer systems from unauthorized activity and can be used in information systems and complexes, mainly equipped with an automated workstation (AWS), to increase the level of protection of information from unauthorized access (unauthorized access) to it by outsiders individuals. The essence of the utility model is that in an automated workstation (AWS) with the identification of an authorized user, consisting of a monitor, printer, keyboard, mouse-type manipulator (MTM), USB key, system unit of a personal electronic computer (SB PC), which is connected from the first to the fourth port, respectively, with the monitor port, with the printer port, with the keyboard port and with the port of the mouse type mouse (MTM), and configured to install software on the SB PC node in the form an operating system (OS) that provides control of the functions of the AWP software and hardware, the formation of a user interface with the ability to input and / or output information using the keyboard, MTM node, printer and monitor, software for processing user information and hardware and software trusted OS loading on SB PC using a USB key, which provides the possibility of user authentication, OS loading control and access control to software, information and hardware resources of the AWS during the operation of the SB PC; additionally, a switch, a microcontroller, an immobilizer (IM) and a transponder (TP) are introduced, which are wirelessly connected to the IM node, which is connected to the first and second ports, respectively, with its input and output the microcontroller, which is connected by the third port to the first port of the switch, which is connected by the second and third ports, respectively, to the USB key port and to the fifth port of the PC SB node, while the microcontroller operates according to the program, providing This means that it is possible to dynamically monitor the status (presence) of wireless communication between the TI and MI nodes, emulate disconnecting or connecting the USB key connection to the port of the SB PC node, respectively, in the absence or presence of the aforementioned wireless connection between the TI and MI nodes, block or unlock the access to the system and information resources of the SB PC, respectively, when the transponder is moved outside the local zone where the wireless connection between the TP and IM nodes is disconnected, or when it is placed within the local ones in which wireless communication is maintained between the transponder and the immobilizer. The essential features introduced made it possible to significantly increase the level of protection of the information contained and circulating in the AWP from unauthorized access by unauthorized individuals in the absence of direct control over the AWP by an authorized user.

Description

The utility model relates to telecommunications, and more specifically to devices protecting computer systems from unauthorized activity and can be used in information systems and complexes, mainly equipped with an automated workstation (AWS), to increase the level of protection against unauthorized access to information, especially when finding AWP without control by an authorized user.

In modern conditions, for the preparation of documents, presentations, processing multimedia data and other types of information, computer facilities are commonly used, usually organized in the form of automated workstations [L1].

The information circulating in the workstation is increasingly becoming the object of close attention of unauthorized individuals (PFL) and is subjected to unauthorized access using various methods, technologies and technical means.

The leak of confidential information is often contributed by the users of the workstation themselves. So, due to negligence, haste, forgetfulness, distraction and other subjective factors, authorized users (AP) [L2] can leave the AWP computer in a state open for access to AWP information resources, without control (supervision) for some time. Often such cases are observed when APs leave automated workplaces for smoking breaks, going to the toilet, eating, urgent calls to the boss, answering phone calls, etc. In such cases, AWPs that were left unattended with deactivated means of restricting access to information, contained in the memory of the workstation (on magnetic media, on the monitor screen, etc.), become easily available for unauthorized access (unauthorized access). At the same time, unauthorized access to the workstation is possible both from the PFL side and from legitimate personnel with the functions of insiders [L3-L5] - “hunters” of confidential information.

It was established experimentally that if the user is absent from the workplace where the AWP is left unattended for only a few minutes, then documents of a sufficiently large size can be copied from the computer’s disk via a USB port to a miniature external storage device such as a flash drive [L6, L7] volume. In experiments on simulating unauthorized access performed on a typical workstation, it was recorded that it takes about 10 seconds to connect a USB flash drive to a computer, taking into account its initialization, about 20 seconds to search for a test file, and about 15 to copy this file of 14.4 MB sec and for the correct removal of the flash drive - about 10 sec. It has been established that when simulating unauthorized access from an AWP computer with the task of copying to an external medium such as a flash drive of a document (PDF file) of about 50 pages, it takes about 55 seconds. This confirms the fact that the AWP, left unattended by its AP even for a short time, measured in units of minutes, can be exposed to a real threat of unauthorized access to its information resources.

Studies have shown that the solutions known to the technique of restricting access to information contained in the workstation are focused on the fact that the unauthorized access to it will be organized in a “scrap manner”, that is, using various hacking protection technologies installed on the workstation. But there are no effective solutions that provide protection against unauthorized access to AWP, which are activated and left without control by authorized users.

The lack of effective solutions that provide protection from unauthorized access to “uncontrolled” and “defenseless” workstations can be explained by the complexity of solving this problem due to its inconsistency. So, in order to use the AWP for its intended purpose, all of its means of protection against unauthorized access - must be deactivated. At the same time, to perform work on the workstation, a legitimate user performs authorization actions, after which the information resources of the workstation become available to him. When, for one reason or another of the reasons mentioned above, the AWP is left without control by the AP, the information contained in the PC AWP is possible NSD by the PFL. Therefore, to exclude unauthorized access by the PFL, all protection means (SZ) of the workstation must be activated. When activated, C3-use of the workstation as intended is not possible.

That is, in practice there is a situation when, on the one hand, there are protective equipment and rules and regulations have been established that determine the procedure for using the mentioned information security tools, however, on the other hand, personnel performing work on the workstation can ignore (intentionally or by negligence) and do not activate the means of protection against unauthorized access, leaving the workstation without control in a "defenseless state" and, thereby, creating a risk of leakage of confidential information from the workstation.

In this regard, the search for technical solutions to increase the level of protection of the workstation from unauthorized access to information (system and information resources located in the computer memory of the workstation), when the workstation is left in the on state without control by an authorized user, is an urgent task.

From technology [L8], a workstation (AWP) is known, consisting of a monitor, keyboard, mouse-type manipulator (MTM), printer, and the system unit of a personal electronic computer (SB PC), which is the first, second, third, and fourth port connected, respectively, with a monitor, with a keyboard, with a mouse type mouse (MTM) and a printer, while SB PC is configured to install and operate software on it in the form of an operating system (OS) that provides control of program functions MMM hardware of the automated workplace, creating a user interface with the possibility of inputting and / or outputting information using the keyboard, MTM node, printer and monitor, software for processing user information and software for password access to system and information resources of SB PC.

Work AWP is carried out in a standard way. System software, for example, such as Windows 2000 / XP / Vista, is installed on the AWP computer (SB PC node), the drivers necessary for the operation of the hardware, including the keyboard, the MTM node, the printer, and the display, are also installed. Then, in accordance with the type of information processed on the complex, application software is installed (installed), for example, for the preparation and processing of text information (creating documents, presentations, etc.), an office software package, for example, Microsoft Office, can be installed in the OS .

As a means to protect the system and information resources of the workstation, a software module is used that provides user authorization with a password entered from the keyboard. At the same time, the program module can be configured in such a way that in the absence of user activity, identified by the absence of keystrokes on the keyboard and movements of the mouse type manipulator, access to the AWP operating system is blocked. The presence of such a function partially solves the problem. That is, if the user left the workstation without control, then after a specified time, access to the workstation OS is automatically blocked.

The disadvantage of this workstation is the low level of information protection against unauthorized access by the PFL, especially for cases where the workstation is left without control by an authorized user.

This is due to the fact that the password for accessing the AWP resources entered using the keyboard can be intercepted by the PFL. In addition, when an authorized user is removed from the workplace without shutting down the personal computer SB (intentionally or for other reasons), the workstation may remain for a long time without control and without protection from unauthorized access by the PFL. This poses a risk of leaks of confidential information contained on the workstation.

As a rule, the time interval for automatically activating OS access blocking is set large enough to avoid frequent password entries. This reduces the level of protection of the workstation from unauthorized access, when the workstation is left without control by the AP.

The fundamental vulnerability of this workstation, from the point of view of the NSD to it PFL, lies in the fact that the activation of protection means depends only on the actions of the user. If the AP has activated AWP protection, then the AWP is protected, and if the AP has not activated AWP protection, the AWP is not protected and a confidential information leak channel is formed.

According to the authors, the closest in technical essence to the claimed object (prototype) is, known from the technique [L9], a workstation (AWP), consisting of a monitor, printer, keyboard, mouse type mouse (MTM), USB key, system unit of a personal electronic computer (SB PC), which is connected from the first to fifth ports, respectively, to the monitor port, to the printer port, to the keyboard port, to the mouse port (MTM) and to the USB port of the key, while node SB PC made with the possibility the installation and operation of software on it in the form of an operating system (OS) that provides control of the functions of the AWP software and hardware, the formation of a user interface with the possibility of inputting and / or outputting information using the keyboard, MTM node, printer and monitor, software software for processing user information and software for performing trusted OS boot using hardware such as a USB key, which provides the ability to authenticate the user, control the loading of the OS, and control access to software, information and hardware resources of the workstation during the operation of the SB PC.

The generalized functional diagram of this technical solution (hereinafter referred to as the complex) is presented in FIG. 1

The complex consists of the system unit of a personal electronic computer (SB PC) 1, monitor 2, printer 3, keyboard 4, a mouse type mouse (MTM) 5, and a USB key 6.

At the same time, the SB PC host 1 with its first to fifth ports is connected, respectively, with the monitor port 2, with the printer port 3, with the keyboard port 4, with the port of the mouse type mouse (MTM) 5 and with the USB port of the key 6.

Basically, the functioning of this workstation is similar to the previous complex. Additionally, to ensure a higher level of protection against unauthorized access, the trusted boot technology [L10-L12] is used using a USB key 6. If it is absent or disconnected from the PC SB 1, access to the operating system and information resources of the complex is blocked. Externally, this is manifested in the fact that in the absence of this key, the OS does not boot, and if the key is removed (disconnected from the PC SB 1) with the OS already loaded, then access to the operating system is activated. At the same time, the OS does not respond to keystrokes of a keyboard, a mouse-type manipulator, and requires the installation of a USB key 6 to authorize the user.

This workstation partially eliminates the disadvantages of the previous product. So, in comparison with the previous complex, this AWP has a higher level of protection against unauthorized access, which is ensured by using hardware to limit access to the AWP computer (SB PC 1) in the form of a removable USB key 6. This device is miniature and easy to install in PC port as necessary when performing work using AWP. In this case, the authorized user does not need to strain the memory to remember and enter passwords for access to the AWP OS, but simply connect (disconnect) this device to the USB port of the AWP computer (SB PC 1). Compared with the previous complex, for the implementation of the NSD to SB PC 1 of this AWP, one password is not enough, since loading the operating system will require the presence of a connected USB key 6, which is almost impossible to fake.

The disadvantage of this workstation is the low level of information protection against unauthorized access, which can be organized at the time when an authorized user (AL) leaves the workstation without control with the USB key 6 connected to it. That is, for subjective factors that depend on the AP, as that, its forgetfulness, distraction, distraction, etc., USB key 6, as a means of protection against unauthorized access, can be left connected to the PC PC 1 and this fact can be used by PFL to organize unauthorized access to the workstation in the absence of authorized use Vatel.

An analysis of the information security of the AWP from the NSDI showed that it substantially depends on the so-called “human factor”, that is, on the real activities of the personnel working on the AWP, which may violate established requirements, instructions and other regulations, including workplaces (AWS) in the active state, accessible to NSD by the PFL. This serves as a factor in information security threats [L13, L14] that arise during the operation of an AWP.

The causes of these facts are: staff negligence and / or deliberate actions, for example, because of the belief that in the few minutes that they leave the workplace, no one will "get into" the AWP computer. An AWP computer uncontrolled by the AP with deactivated security equipment becomes vulnerable from the point of view of unauthorized access to its system and information resources by the PFL.

An analysis of the causes of the threat of unauthorized access to the AWS left uncontrolled by its authorized user led the authors of these studies to the idea that the "duty" to activate the means of protection of the AWP from unauthorized access in time is to "put" on the technical means and, thereby , neutralize the effect of the mentioned “human factor”. Outwardly, it may look like this: when the AN approaches the AWP, access to the AWP OS is allowed, and when the AP is removed some distance from the AWP, for example, 3-10 m (outside the local zone where the AWP is located) or more, access to AWP is automatically blocked. When using such a model of access control to the workstation — the effectiveness of protection against unauthorized access can be significantly increased, since an authorized user does not need to perform any actions — the workstation protection is activated automatically, it is only necessary for the AP to leave the workstation.

The essence of the idea developed and proposed by the authors of this application for a utility model is to establish a direct connection between access to the operating system (OS) installed on SB PC 1 and the presence of an authorized user at the workplace. In other words, it is proposed to empower the AWP with the property to determine the presence of AP at the workplace and when it is removed from the AWP (SB PC 1), to provide automatic activation of means of protecting access to system and information resources of the AWP.

When implementing this idea, the security level of the workstation can be significantly increased. This is achieved due to the fact that the ability to perform work by personnel on the workstation, determined by their access to the resources of the operating environment that operates on the SB PC, becomes dependent on the presence of an authorized user on the workstation. That is, if the user is on the workstation, then the SB PC operates normally and access to the resources of the workstation OS is open, and if the user has left the workstation more than an acceptable distance when direct control of the workstation by the workstation is already difficult, then access to resources OS, and therefore to all AWP - is blocked. When implementing this idea, an AWP, in the absence of an AP, will always be with activated protective equipment, so PFL will not be able to access an AWP in the absence of an AP.

Thus, in cases where an authorized AWP user, for one reason or another, leaves an active AWP, the use of the proposed technical solution can automatically block access to the AWP until the AP appears again in the local area of the AWP.

In the well-known AWP prototype, there is no correlation between the functions of restricting access to the resources of the AWP operating system and the presence of APs in the workplace. Therefore, in this complex - prototype, it remains possible for PFL to organize NSD to an active workstation in cases of removal of AP from it.

When implementing the idea developed by the authors, the guaranteed functioning of the workstation with permanent means of protection against unauthorized access can be achieved regardless of the location of the authorized user.

As shown by patent studies, technical solutions that provide the ability to load and operate the operating system on the workstation only if there is an authorized user (AP) at the workplace and automatically block access to the workstation operating environment when the AP is removed from the workplace are not known from the technology.

The purpose of the utility model is to expand the functionality of an automated workstation (AWP) to control access to its system and information resources depending on the location (movement) of an authorized user relative to the local zone in which the AWP is located.

This goal is achieved due to the fact that in the well-known automated workstation (AWP), consisting of a monitor, printer, keyboard, mouse-type manipulator (MTM), USB key, system unit of a personal electronic computer (SB PC), which is from the first the fourth port is connected, respectively, with the monitor port, with the printer port, with the keyboard port and with the port of the mouse type mouse (MTM), and configured to install software on the SB PC node as an operating system (OS), I provide managing functions of the AWP software and hardware, forming a user interface with providing him with the ability to input and / or output information using the keyboard, MTM node, printer and monitor, software for processing user information, and software and hardware for trusted OS loading on SB PC using a USB key, which provides the possibility of user authentication, OS loading control and access control to the software, information and hardware resources of the AR M during the operation of the SB PC, an analogue switch (AK), a microcontroller (MK), an immobilizer (IM), and a transponder (TP) are introduced, which are wirelessly connected to the IM node, which is connected, respectively, with its input and output to the first and with the second ports of the microcontroller, which is connected by the third port to the first port of the AK node, which is connected by the second and third ports, respectively, to the USB port of the dongle and to the fifth port of the PC SB node, while the MK node operates according to a program that allows dynamic monitoring by wireless means the presence of a transponder in a controlled local area (CLZ), within which the AWS is located, emulating a USB key disconnection by generating a shutdown signal for the AK node blocking the passage of signals from the USB key to the PC SB port when removing the transponder worn by an authorized user for KLZ limits (radio access zones) and emulation of connecting a USB key, by generating signals to turn on the AK node, allowing the passage of signals from the USB key to the SB PC port, when a transponder is found and worn by authorized user within KLZ, wherein said APM is placed.

The proposed device provides the following combination of distinctive features and properties.

This is an introduction to the workstation of an analog switch (AK), microcontroller (MK), immobilizer (IM) and transponder (TP), which is wirelessly connected to the immobilizer, which is connected with its input and output, respectively, with the first and second ports of the microcontroller , which is connected by the third port to the first port of the AK node, which is connected by the second and third ports, respectively, to the USB port of the dongle and to the fifth port of the SB PC host.

The presence of these signs allows you to implement completely new properties that significantly affect the achievement of the goal. So, connecting a USB key as a user authentication hardware through the AK node allows you to implement the ability to control access to the functions of the operating system operating in the SB PC and the information resources of the AWP using the MK node, the functioning algorithm of which is determined by the presence of an authorized user in the KLZ (AP) with a transponder worn by it, which allows you to automatically identify the presence of AP at the workplace and when it is removed outside the KLZ, provide automatic activation of protective equipment s workstations from unauthorized access.

This is the functioning of the MK according to the program that provides the possibility of dynamic monitoring by wireless means of the presence of a transponder in a controlled local area (CLZ), within which the AWS is located, emulating a USB key disconnection by generating shutdown signals for the AK node blocking the passage of signals from the USB key to the PC SB port , when removing the transponder, worn by an authorized user, outside the KLZ (radio access zone) and emulating a USB key, by generating signals to turn on the AK node, I allow passing signals from its USB key to the PC port Sa, when the transponder worn by the authorized user within KLZ, wherein said APM is placed.

The use of these signs and properties allows at any time to control the presence of an authorized user within the KLZ, where the automated workstation is located, and to provide automatic blocking of access to the workstation when the AP is removed outside the KLZ, as well as to remove this lock when the AP returns to the KLZ, where hosted by AWP.

The presence and use of all the above signs and properties allows you to implement a high level of protection of the workstation from unauthorized access, which can be organized on the basis of the use of the said “human factor”, that is, the actions of an authorized user who can (accidentally, out of forgetfulness, distraction, negligence and etc. or intentionally) leave AWP with deactivated protective equipment uncontrolled. Increasing the protection level of the AWP against unauthorized access is ensured by the fact that the activation and deactivation of access to the AWP is directly related, respectively, to the presence and absence of an authorized user in close proximity to the AWP. At the same time, the control of this presence / absence of AP in the KLZ is carried out by technical means, without the participation of the AP, which completely eliminates the effect of subjective factors. In the proposed technical solution, the disadvantages of the AWP prototype are completely eliminated.

The combination of distinguishing features and properties of the proposed workstation with the identification of an authorized user is unknown from the technique, therefore it meets the criterion of novelty. At the same time, in order to achieve the maximum effect, by expanding the functionality of the automated workstation (AWP) to control access to its system and information resources, depending on the location (movement) of the authorized user relative to the local zone in which the AWP is located, and thereby increase the level of protection of the automated workstation (AWP) from unauthorized access, which can be organized when an authorized user is removed from the AWP without activating media tv protect access to the said workstations, necessary to use the entire set of features and properties described above.

Figure 2 shows a functional diagram of a workstation with the identification of an authorized user (hereinafter - the complex).

The complex (Fig. 2) consists of a monitor 1, a switch 3, a printer 4, a USB key 5, a keyboard 6, a mouse type mouse (MTM) 7, a microcontroller (MK) 8, an immobilizer (IM) 9, a transponder (TP) 11 and the SB PC node 2, which is connected from the first to the fifth port, respectively, with the monitor 1, with the printer 4, with the keyboard 6, with the MTM node 7 and the first port of the switch 3, which is connected to the second and third ports with a USB key, respectively 5 and with the first port of the MK 8 assembly, which is connected by the second and third ports, respectively, to the input and output of the immobilizer 9, which is wireless in one way connected to transponder 11. In this case, MK 8 operates according to a program that provides the possibility of dynamic monitoring by wireless means of the presence of transponder 11 in a controlled local area (KLZ), within which the SB PC 2 is located. In addition, MK 8 operates on a program providing the ability to emulate disconnecting the USB key 5 by generating the turn-off signals of the switch 3, blocking the passage of signals from the USB key 5 to the SB port of the PC 2, when removing the transponder 11 worn by an authorized by the user, outside the KLZ (radio access zone), and emulating the connection of the USB key 5, by generating switching signals for the switch 3, allowing the passage of signals from the USB key 5 to the SB PC 2 port, when the transponder 11 carried by an authorized user is within the KLZ, where the node is located SB PC 2.

The complex (figure 2) operates as follows. In the initial state, the complex is turned off. To ensure the possibility of using the complex for its intended purpose, a software package (software) is installed on the SB PC 2 node. At the same time, an operating system (OS) is installed on SB PC 2, which controls the functions of the software and hardware of the complex, creates a user interface with the ability to input and / or output information using the keyboard 6, the MTM 7 node, monitor 1 and printer 4 , installing software oriented for processing the information necessary for the user, installing software to protect the OS and user information from viruses, installing software on data encryption software and software for performing trusted OS boot using a USB key 5.

Also installed are drivers for the hardware nodes of the complex (monitor 1, printer 4, etc.) under the control of the OS installed on SB PC 2.

After installing the software necessary for the functioning of the complex, personnel may be allowed to use the complex for its intended purpose.

Personnel authorized to carry out work on the complex are given an USB identification key 5 and a transponder assembly 11, which can be made in a convenient form for carrying, for example, in the form of a key fob.

Work on the complex begins with the fact that a USB key 5 is connected to the USB port of the SB PC 2 host, which authenticates and authorizes the AWP user. Between nodes IM 9 and TP 11, wireless communication 11 is performed, during which the presence of a TP 11 node is checked in the KLZ, where the AWP is located, and, accordingly, the AP. If the TS node 11 is detected by the IM 9 node, it is considered that the AP is identified and the MK 8 node emulates the connection of the USB key 5 to the USB port of the SB PC 2 node - loading the OS and / or access to the OS of the SB PC 2 node is allowed.

During the operation of the workstation, the presence of the TP 11 node is constantly monitored in the KLZ, where the workstation is located. To do this, under the control of MK 8, a wireless connection 10 is periodically established between the TP nodes 11 and the MI 9. If the TP node 11 is located in the KLZ, where the AWS is located, then the MK 8 node supports the switch node 3 in the open state, in which communication between the node of the SB PC 2 and the USB key 5 - is supported.

In cases where an authorized user, for various reasons, moves away from the SB PC node 2 (leaves the workstation without control) and takes the TP node 11 with him, then the wireless connection 10 between the IM 9 node and the TP node 11 is disconnected. This leads to the fact that this fact is detected by the MK 8 node, which puts the switch node 3 in the closed state, in which the communication between the SB PC node 2 and the USB key 5 is broken. This emulates the disconnection of the USB key 5 from the SB PC host 2. This blocks access to the OS running on the workstation computer, that is, on the SB PC 2 host.

When the AP returns to the KLZ, where the AWS is located, then the wireless connection 10 between the IM 9 node and the TP node 11 is restored, this fact is detected by the MK 8 node, which puts the switch node 3 in the open state, in which the communication connection between the PC SB node 2 and USB key 5 - is restored. I.e. the USB key 5 is emulated to the SB PC 2 host, after which access to the workstation is opened (lock is removed).

As a result of using the introduced new features and properties, it is possible to achieve a technical result consisting in reducing the likelihood of unauthorized access to the workstation (to the system and information resources of the SB PC 2 node) by reducing the operating time of the workstation software and hardware in unprotected mode. The technical result achieved by using the proposed technical solution can also be considered a reduction in the time spent by the AWP with deactivated information protection means when an authorized user is removed outside the local zone where the AWP is located. Moreover, the achievement of this technical result is achieved through the use of automated workstation identification of an authorized user by its individual transponder, a violation of wireless communication with which activates automatic blocking of access to system and information resources of the workstation.

When implementing the complex, its functioning algorithm can be represented as follows:

- Start;

- Preparation for work: making power supply and necessary electrical connections, installing software, installing drivers, connecting a USB key 5, initializing the nodes IM 8, TP 11;

- Launch of the operating system on SB PC 2;

- Check-1: wireless 10 between the nodes of TP 11 and IM 9 - Is there? - If No, then blocking access to the OS with the output of an informational message to the monitor with the requirement to perform user authorization actions; if - Yes, then continued;

- Formation of the software environment according to the settings of the user of the complex;

- Check-2: performing a periodic (for example, every 3-5 seconds) verification of the availability of wireless communication between nodes of TP 11 and IM 9: wireless 10 between nodes of TP 11 and IM 9 - Is there? - If No, then blocking access to the OS with the output of an informational message to the monitor with the requirement to perform user authorization actions; if - Yes, then continued;

- Shutdown: turn off SB PC 2, disconnect the USB key 5;

- The end.

The nodes of the monitor 1, SB PC 2, printer 4, USB key 5, keyboard 6 and MTM 7, as well as the implementation of functions and properties associated with installing software on the SB PC node 2 in the form of an operating system (OS) that provides control functions software and hardware AWP, the formation of a user interface with the ability to enter and / or output information using the keyboard 6, MTM 7, printer 4 and monitor 1, software for processing user information and hardware and software trust boot OS on SB PC 2 using a USB key 5, which provides the ability to authenticate the user, control boot OS and control access to software, information and hardware resources of the workstation during the operation of the SB PC 2, can be similar to the corresponding features of the workstation - prototype and do not require refinement in their implementation.

The microcontroller assembly MK 8 can be implemented on the basis of PIC controllers with sufficient performance and the required number of ports. An advantageous solution is the use of microcontrollers of the PIC18X5XX [L15] family with built-in USB2.0 bus support.

The node of the switch 3 can be implemented on the basis of microcircuit type CD4052 [L16], which is a multi-channel analog multiplexer - demultiplexer with the necessary functions.

The implementation of the nodes of the immobilizer 9 and transponder 11 can be carried out on the basis of principles and devices known from the art [L17-L20]. When implementing the IM 5 and TP 6 nodes, it is preferable to use the latest developments of Texas Instruments [L19], including floating-point chips - CryptoTransponders, which are resistant to code interception. As a private option, the implementation of the IM 5 and TP 6 nodes can be carried out on the basis of the Dynamic Identification Dialog system (dynamic identification dialogue), which is used in transponder tags for their reliable protection against electronic hacking. This technology is based on interactive dynamic code recognition. In accordance with it, the security system identifies the label in the process of dialogue, consisting of several information messages. To begin with, the label should receive a message that it is in the system visibility range. The next step is to revoke the label with your own code. After receiving it, the system issues a random number, which the label receives, converts, in accordance with the nonlinear algorithm embedded in it, and then transmits it back. The system simultaneously performs the same conversion, and when the numbers - the eigenvalue and the one received from the label - coincide, it gives out a signal about “recognition of the owner”. The main difference between the new dynamic code and the usual one (which is still used in almost all key fobs) is that it is impossible to make an "electronic cast" from it, since the code of the tag itself is only one of the recognition elements. At each stage of the dialogue, only one single code is recognized as true. Therefore, DID tags have the highest level of reliability and protection from environmental influences.

When implementing the proposed technical solution, the program procedures and algorithms developed by the authors that are known from computer programs and utility models [L21-27] can also be used.

For ease of use, the nodes MK 8, IM 9 and switch 3 are expediently made in the form of a printed circuit board, which can be installed both inside the PC system unit 2 and in a separate case.

As shown, the proposed complex can significantly increase the level of protection of the workstation from unauthorized access to information (system and information resources located in the computer memory of the workstation), while the computer (SB PC) of the workstation is left in the on state without monitoring by an authorized user. The solution to this problem is provided by expanding the functionality of the automated workstation (AWP) to control access to its system and information resources depending on the location (movement) of the authorized user relative to the local zone in which the AWP is located, and the implementation of the achieved technical result.

Thanks to the use of this technical solution, the risks of unauthorized access to AWS (system and information resources), caused by unregulated actions of personnel, in which the complex can be operated with deactivated means of information protection, are completely eliminated. This is achieved on the basis of identification by the automated workstation means an authorized user by his individual transponder, a violation of wireless communication with which activates automatic blocking of access to system and information resources of the workstation.

The above means, with which it is possible to implement a utility model, make it possible to ensure its industrial applicability.

The main nodes of the complex have been experimentally verified and can be used as the basis for creating samples of complexes that provide effective protection for the workstation and the information contained in it from unauthorized access of PFL when an authorized user is deleted from the KLZ where the workstation is located.

The technical solution developed by the authors and obtained with the help of its technical result provides the opportunity to significantly increase the level of protection of the workstation against unauthorized access, which can be organized as a result of violation of the operating rules and other unregulated actions of personnel operating the mentioned workstation, for example, when an authorized user is removed from the KLZ where the AWP is located.

An automated workstation with an authorized user identification will be in demand by a wide range of consumers who use computer technology to process confidential information that needs protection from unauthorized access, which can be organized in case of violation of the operating rules and other unregulated actions of personnel operating the mentioned workstation, especially when deleting this personnel outside the zones in which workstations with deactivated information protection facilities are located.

LIST OF USED LITERATURE

1. Workstation, http://rn.wikipedia.org/wiki/

2. Authorized user, http://ru.wikipedia.org/wiki/%D0%

3. Protection from an insider, http://net-rabota.ru/obchee/zachita-ot-insaidera

4. The issue of protection from insiders. http://bre.ru/security/29504.html

5. The fight against insiders - internal spies, http://www.guardinfo.ru/ manager / economic / infoprotect / infoprotect_1980.html

6. Classification of flash drives, http://www.metro-office.ru/Catalog 5801.aspx

7. USB flash drive, http://market.yandex.ru/catalogmodels.xml? CAT_ID = 488214 & hid = 288003

8. An automated workstation in a secure execution for processing information constituting a state secret, http://www.npp-bit.ru/compex/arm_gostayna.php

9. Automated workplace for the exchange of classified documentary information, utility model No. 80040, publication date: 01/20/2009

10. Trusted download, http://ru.wikipedia.org/wiki/%D0%94%D0%BE%D0%

11. Computer security based on trusted download, http://www.itsec.ru/articles2/Inf_security/dov-ili-control

12. The hardware and software complex “Trusted Boot Key” from Kraftway and Aladdin Security Solutions R. D., http://www.mskit.ru/news/n85858/

13. GOST R 51275-99 Information security. http: //www.centre- expert.ru /index.php/ infosec /

14. Threats to information security, http://www.bre.ru/security/

15. Microcontrollers PIC18FX5XX with support for full-speed bus USB2.0, http://www.trt.ru/products / microchip / pic 18_2.htm

16. Analog multiplexer - CD4052 demultiplexer, reference data, http://radio-elements.ru/cd4052.html

17. Immobilizer, http://www.keycenter.ru/

18. Dipl.-Ing. Michael Knebelkamp, Dipl.-Ing. Herbert Meier, “On Immobilizers of the Latest Generation”, http://www.motodok.com/

19. Joe Schurmann, Herbert Meier; TIRIS - Leader in Radio Frequency Identification Technology, Texas Instruments Technical Journal Vol. 10, No. 6.

20. Immobilizers and methods of blocking, http://www.ugona.net/

21. FSUE “18 Central Research Institute” of the Ministry of Defense of the Russian Federation, “Sensor Manager” computer program, State Registration Certificate with FIPS of the Russian Federation No. 20099610444 dated January 19, 2009, authors: Khotyachuk V.K., Khotyachuk K.M. and etc.

22. FSUE “18 Central Research Institute” of the RF Ministry of Defense, Computer Program “Transceiver Controller”. Certificate of state registration in FIPS of the Russian Federation No. 20099610445 dated January 19, 2009, authors: Bakunin I. B., Khotyachuk V.K., Khotyachuk K.M., Goncharov B.C.

23. FSUE “18 Central Research Institute” of the Ministry of Defense of the Russian Federation, Computer Program “Communication equipment monitor”. Certificate of State Registration in FIPS of the Russian Federation No. 2009611020 dated February 16, 2009, authors: Vasin M.S., Shelestov M.E., Khotyachuk V.K.

24. FSUE “18 Central Research Institute” of the Ministry of Defense of the Russian Federation, Utility Model “Protected Drive”, Utility Model Patent No. 87276 dated 05/29/2009 Authors: Khotyachuk V.K., Khotyachuk K.M., Timoshkin BC, Pokormyak L.V. .

25. FSUE “18 Central Research Institute” of the Ministry of Defense of the Russian Federation, Utility model “Storage with protection against unauthorized access to memory”. Utility Model Patent No. 844594 of July 10, 2009, authors: Vdovin E.I., Khotyachuk K.M., Khotyachuk V.K.

26. FSUE “18 Central Research Institute” of the Ministry of Defense of the Russian Federation, Utility Model “Hidden Object Access Registrar”, Utility Model Patent No.86026 of 08.20.2009, authors: Bugaenko OV, Khotyachuk VK, Khotyachuk K.M ., Timoshkin BC

27. FSUE “18 Central Research Institute” of the Ministry of Defense of the Russian Federation, Utility Model “Drive with Location Control”. Utility Model Patent No. 90233 dated 12/27/2009 Authors: Batalov A.V., Khotyachuk V.K., Khotyachuk K.M., Timoshkin B.C.

Claims (1)

Automated workstation (AWP) with authorized user identification, consisting of a monitor, printer, keyboard, mouse type mouse (MTM), USB key, system unit of a personal electronic computer (SB PC), which is connected from the first to fourth ports, respectively with a monitor port, with a printer port, with a keyboard port and with a mouse-type manipulator port, and configured to install software on the SB PC node as an operating system that controls functions software, hardware AWP, the formation of a user interface with the ability to enter and / or output information using the keyboard, MTM, printer and monitor, user information processing software and hardware and software trusted boot operating system on SB PC using USB dongle providing user authentication and access control to the system and information resources of the workstation during its operation, characterized in that in its In addition, a switch, a microcontroller, an immobilizer (MI) and a transponder (TP) are introduced, which are wirelessly connected to the IM node, which is connected to the first and second ports of the microcontroller by its input and output, which is connected to the first port of the switch by the third port, which the second and third ports are connected respectively to the USB key port and to the fifth port of the SB PC host, while the microcontroller operates according to a program that provides the ability to dynamically monitor the status (presence) of wireless communication between the TI and MI nodes, emulating the disconnection or connection of the USB key connection to the port of the SB PC node, respectively, in the absence or presence of the aforementioned wireless communication between the TI and MI nodes, blocking or unlocking access to the system and information resources of the SB PC, respectively, when moving the transponder outside the local zone where the wireless connection between the TP and IM nodes is broken, or when placing it within the local zone where the wireless connection between the transponder and the immobilizer is supported th.