A trusted path device is described which may be used stand-alone or may be
retrofitted to a user's untrusted computer console or workstation so that
an untrusted data input may be displayed on an untrusted display and
verified by the user, following which the trusted data can be output to an
untrusted or trusted device or network. The output may be encrypted or
not, by means of an encryption device which may or may not use a "one time
pad" key provided from a structured array of retrievable "one time pad"
keys having uniquely associated therewith a serial number which itself
need not be encrypted but with which the input data and encrypted output
data are uniquely associated. Sufficient "one time pad" keys are provided
on a commonly available and physically manageable medium so as to allow
much simplified key management procedures while still maintaining high
levels of correctness and effectiveness of the encryption processes.
Trusted devices as per ITSEC Level 6 may be used to implement the trusted
path and encryption devices since the apparatus according to the invention
is inherently simple in functionality, thereby simplifying conformance
with the relevant ITSEC and security equivalent requirements.
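
The serial-numbered key array described above, as an added sketch that is not part of the patent text: each party holds a copy of the pad array, the serial number accompanies the ciphertext unencrypted, and a serial is retired after one use. XOR as the combining operation, the in-memory store, and all names (`make_pad_array`, `PadStore`, `encrypt`, `decrypt`) are assumptions made for illustration.

```python
import secrets


def make_pad_array(count, pad_len):
    """Constructed sample data: `count` random pads keyed by serial number."""
    return {serial: secrets.token_bytes(pad_len) for serial in range(count)}


class PadStore:
    """One party's copy of the pad array, with a record of spent serials."""

    def __init__(self, pads):
        self._pads = dict(pads)
        self._used = set()

    def take(self, serial, length):
        """Return `length` pad bytes for `serial`, then retire that serial."""
        if serial not in self._pads:
            raise KeyError(f"no pad with serial {serial}")
        if serial in self._used:
            raise ValueError(f"pad {serial} already used")
        if length > len(self._pads[serial]):
            raise ValueError("message longer than pad")
        self._used.add(serial)  # a pad must never encrypt two messages
        return self._pads[serial][:length]


def _xor(data, pad):
    return bytes(d ^ p for d, p in zip(data, pad))


def encrypt(store, serial, plaintext):
    """Return (serial, ciphertext); the serial travels in the clear."""
    return serial, _xor(plaintext, store.take(serial, len(plaintext)))


def decrypt(store, serial, ciphertext):
    """Look up the pad by the cleartext serial and recover the input data."""
    return _xor(ciphertext, store.take(serial, len(ciphertext)))


if __name__ == "__main__":
    pads = make_pad_array(count=4, pad_len=64)  # assumed sizes
    sender, receiver = PadStore(pads), PadStore(pads)
    serial, ct = encrypt(sender, 2, b"PAY 100 TO ACCT 42")
    print(serial, ct.hex(), decrypt(receiver, serial, ct))
```

Because the receiver also retires a serial once it has been used, a replayed (serial, ciphertext) pair is rejected rather than decrypted a second time.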