What are the means of skzi. Cryptographic methods of information protection

Listen ... can you, for our common benefit, every letter that arrives at your post office, incoming and outgoing, you know, sort of print it out a little and read: does it contain any report or just correspondence .. .

N.V. Gogol "Inspector"

Ideally, only two people should be able to read a confidential letter: the sender and the one to whom it is addressed. The formulation of such a seemingly very simple thing was the starting point of cryptoprotection systems. The development of mathematics gave impetus to the development of such systems.

Already in the XVII-XVIII centuries, ciphers in Russia were quite sophisticated and resistant to breaking. Many Russian mathematicians worked on the creation or improvement of encryption systems and at the same time tried to pick up the keys to the ciphers of other systems. Currently, several Russian encryption systems can be noted, such as Lexicon Verba, Secret Net, DALLAS LOCK, Secret Disk, the Accord product family, etc. We will talk about them. You will also get acquainted with the main software and hardware and software cryptoprotection complexes, learn about their capabilities, strengths and weaknesses. We hope that this article will help you make a choice of a cryptographic protection system.

Introduction

Are you concerned that important information from your computer can fall into the wrong hands? This information can be used by competitors, regulatory authorities, and simply ill-wishers. Obviously, such actions can bring you significant damage. What to do? In order to protect your information from strangers, you must install one of the data encryption programs. Our review is devoted to the analysis of encryption systems for desktop systems. It should be noted that the use of foreign encryption systems in Russia is very limited for a number of reasons, therefore state organizations and large domestic companies are forced to use Russian developments. However, medium and small companies, as well as individuals, sometimes prefer foreign systems.

For the uninitiated, encryption of information looks like something of a black magic. Indeed, encrypting messages to hide their content from outsiders is a complex mathematical problem. In addition, the cipher must be chosen in such a way that it would be practically impossible to open it without a key, and quickly and easily with a key. Many companies and organizations find it very difficult to optimal choice when installing encryption programs. The matter is further complicated by the fact that absolutely secure computers and absolutely reliable encryption systems do not exist. However, there are still enough ways by which you can repel almost all attempts to reveal encrypted information.

What do encryption programs have inside

Encryption programs differ from each other in the encryption algorithm. Once the file is encrypted, you can write it to a floppy disk, send it via e-mail or put on a server in your local network. The recipient of your encryption must have the same encryption program in order to read the contents of the file.

If you want to send an encrypted message to multiple users at the same time, then your information for each recipient can be encrypted with their own key or with a shared key for all users (including the author of the message).

The cryptosystem uses a secret code to turn your information into a meaningless, pseudo-random set of characters. At good algorithm encryption, it is almost impossible to decrypt a message without knowing secret code used for encryption. Such algorithms are called symmetric key algorithms because the same key is used to encrypt and decrypt information.

To protect your data, the encryption program creates a secret key based on your password. You just need to set a long password that no one can guess. However, if you want someone else to read the file, you'll need to tell that person the secret key (or the password it's based on). You can be sure that even a simple encryption algorithm will protect your data from ordinary user, say, from a colleague at work. However, professionals have a number of ways to decrypt a message without knowing the secret code.

Without special knowledge, you will not be able to independently check how reliable your encryption algorithm is. But you can rely on the opinion of professionals. Some encryption algorithms, such as Triple DES (Data Encryption Standard) have been subjected to years of testing. According to the results of the test, this algorithm has proven itself well, and cryptographers believe that it can be trusted. Most of the new algorithms are also carefully studied, and the results are published in the specialized literature.

If the algorithm of the program has not been openly reviewed and discussed by professionals, if it does not have certificates and other official papers, this is a reason to doubt its reliability and refuse to use such a program.

Another type of encryption systems are public key systems. For such a system to work, there is no need to tell the addressee the secret key (or the password on the basis of which it was created). These encryption systems generate two digital keys for each user: one is used to encrypt data, the other - to decrypt them. The first key (called the public key) can be made public, while the second key is kept secret. After that, anyone can encrypt the information using the public key, and only those who have the corresponding secret key can decrypt it.

Some encryption programs contain another important means of protection - a digital signature. A digital signature certifies that the file has not been modified since it was signed and gives the recipient information about who exactly signed the file. Creation algorithm digital signature based on the calculation of the checksum - the so-called hash sum, or message digest. The applied algorithms guarantee that it is impossible to pick up two different files whose hash sums would match.

When the recipient receives a digitally signed file, their encryption program recalculates the hash sum for that file. The recipient then uses the public key published by the sender to recover the digital signature. If the result matches the value calculated for the file, then the recipient can be sure that the text of the message has not been changed (if this happened, the hash sum would be different), and the signature belongs to a person who has access to the sender's secret key.

To protect important or confidential information needed not only good program encryption. You need to take a number of steps to ensure information security. If your password is weak (experts recommend setting it to eight or more characters) or if an unencrypted copy of confidential information is stored on your computer, then in this case even best system encryption will be powerless.

Lexicon-Verba system

The Lexicon-Verba system is a means of organizing a protected electronic document management both within the corporate network and between different organizations. Lexicon-Verba uses two modifications of the cryptography system: the Verba-W system is intended for state bodies (protection of confidential information, in particular chipboard; signature keys are open, encryption keys are closed), the Verba-OW system is for commercial organizations (protection of trade secrets; signature and encryption keys are open).

There are quite a few global encryption standards, but only a small part of them are certified by the Federal Agency for Government Communications and Information (FAPSI), which makes it impossible to use non-certified solutions in Russia. The Verba-W system has a FAPSI certificate No. SF / 114-0176. Verba-OW system - FAPSI certificate No. SF / 114-0174.

"Lexicon-Verba" provides encryption and digital signature in accordance with the requirements of GOST 28147-89 "Information processing systems. Cryptographic protection” and GOST R34.10-94 “Information technology. Cryptographic protection of information. Procedures for the development and verification of an electronic digital signature based on an asymmetric cryptographic algorithm.

The program is certified by the State Technical Commission under the President Russian Federation. In July, it is expected to receive a certificate from the Russian Ministry of Defense.

The cryptographic protection of the system is based on the method of encryption with a public key. Each key that identifies a user consists of two parts: a public key and a private key. The public key is freely distributed and is used to encrypt information this user. To decrypt a document, the person who encrypted it must have your public key and identify you as having access to the document when encrypting it.

To decrypt a document, you need to use the private key. The private key consists of two parts, one of which is stored on a smart card or touch-memory, and the other is stored on your computer's hard drive. Thus, neither the loss of a smart card nor unauthorized access to a computer makes it possible, individually, to decrypt documents.

The initial key set, which includes complete information about the user's public and private keys, is created at a specially equipped secure workplace. A floppy disk with key information is used only at the stage of preparing the user's workplace.

The Lexicon-Verba system can be used within the framework of two main systems for organizing secure document management:

  • as a standalone solution. If the organization has a local network, the system can be installed not on all computers, but only on those that require working with confidential documents. This means that inside the corporate network there is a subnet for the exchange of classified information. At the same time, participants in the closed part of the system can exchange open documents with other employees;
  • as part of the workflow. Lexicon-Verba has standard connection interfaces external functions to perform the operations of opening, saving, closing and sending documents, which makes it easy to integrate this system into both existing and newly developed workflow systems.

It should be noted that the properties of the Lexicon-Verba system make it not only a means of providing information protection from external intrusions, but also as a means of increasing intra-corporate confidentiality and sharing access.

One of the important additional resources for increasing the level of information security control is the ability to maintain an "event log" for any document. The document history fixing feature can only be enabled or disabled when the system is installed; when it is turned on this magazine will be conducted regardless of the desire of the user.

The main advantage and distinctive feature system is a simple and intuitive implementation of information security functions while maintaining the traditional word processors user's working environment.

The cryptography unit performs encryption, as well as the installation and removal of an electronic digital signature (EDS) of documents.

Auxiliary functions of the block - downloading a secret key, exporting and importing public keys, setting up and maintaining a directory of system subscriber keys.

Thus, each of those who have access to the document can put only his signature, but remove any of the previously set ones.

This reflects the accepted procedure of office work, when, as the document is approved, it can be subject to revisions at different stages, but after that the document must be approved again.

If you try to make changes to the document by means other than "Lexicon-Verba", the EDS is damaged, as a result, the inscription "Damaged" will appear in the "Signature Status" field.

Office

As the number of system users increases, entering each public key on each computer becomes difficult. Therefore, to organize the work of the office, centralized administration of the public key directory is organized. This is done in the following way:

1) "Lexicon-Verba" is installed on the administrator's computer in local mode. This creates a directory of public keys, in which the administrator adds each key used in the office;

2) on all other computers, the system is installed in network mode. This mode uses the public key directory located on the administrator's computer;

3) each New user, added by the administrator to the directory, becomes "visible" to all users connected to the directory. From that moment on, they get the opportunity to transfer encrypted documents to him.

Directory administration becomes centralized, but this does not affect the level of system security, since providing access to public keys is a kind of "acquaintance" of users, but it does not give access to any documents. For a user to be able to decrypt a document, their public key must not only be in the directory, but must also be explicitly listed as having access to the document.

Cryptographic methods of information protection can be implemented both in software and in hardware. Hardware encoder or device cryptographic protection data (UKZD) is, most often, an expansion card that is inserted into the 18A or PC1 connector of the system board personal computer(PC) (Fig. 3.21). There are other implementation options, for example, in the form of an u8B key with cryptographic functions (Fig. 3.22).

Manufacturers of hardware encoders usually equip them with various additional features, including:

Random number generation required to receive cryptographic keys. In addition, many cryptographic algorithms use them for other purposes, for example, in the electronic digital signature algorithm, GOST R 34.10-2001, a new random number is required for each signature calculation;

Rice. 3.21. Hardware encoder in the form of a PC1 board:

1 - technological connectors; 2 - memory for logging; 3 - mode switches; 4 - multifunctional memory; 5 - control unit and microprocessor; 6- PC1 interface; 7- PC1 controller; 8- DSC; 9- interfaces for connecting key carriers

Rice. 3.22.

  • computer login control. When turning on the PC, the device requires the user to enter personal information (for example, insert a device with a private key). Loading the operating system will be allowed only after the device recognizes the presented keys and considers them "its own". Otherwise, you will have to open system unit and remove the encoder from there to load the operating system (however, the information on the PC hard drive can also be encrypted);
  • integrity control of operating system files to prevent malicious modification configuration files And system programs. The encoder stores a list of all important files with pre-calculated control hash values ​​for each of them, and if the hash value of at least one of the controlled files does not match the standard at the next OS boot, the computer will be blocked.

An encryptor that performs login control on a PC and checks the integrity of the operating system is also called " electronic lock» (see par. 1.3).

On fig. 3.23 shows a typical structure of a hardware encoder. Consider the functions of its main blocks:

  • control unit - the main module of the encoder. It is usually implemented on the basis of a microcontroller, when choosing which the main thing is speed and a sufficient amount of internal resources, as well as external ports to connect all the necessary modules;
  • PC system bus controller (for example, PC1), through which the main data exchange between UKZD and a computer is carried out;
  • non-volatile storage device (memory), usually implemented on the basis of flash memory chips. It must be sufficiently capacious (several megabytes) and allow a large number of write cycles. Here is placed software microcontroller that you

Rice. 3.23. The UKZD structure is filled out when the device is initialized (when the encoder takes control when the computer boots);

  • audit log memory, which is also a non-volatile memory (to avoid possible collisions, program memory and log memory should not be combined);
  • cipher processor (or several similar units) - a specialized microcircuit or microcircuit of programmable logic PLD (Programmable Logic Device), which ensures the performance of cryptographic operations (encryption and decryption, calculation and verification of EDS, hashing);
  • random number generator, which is a device that produces a statistically random and unpredictable signal (the so-called white noise). It can be, for example, a noise diode. Before further use in the cipher processor, according to special rules, white noise is converted into digital form;
  • block for entering key information. Provides secure receipt of private keys from the key carrier and input of identification information about the user required for his authentication;
  • block of switches required to disable the ability to work with external devices (drives, CD-ROM, parallel and serial ports, USB bus etc.). If the user works with highly sensitive information, UKZD will block all external devices, including even a network card.

Cryptographic operations in UKZD should be performed in such a way as to exclude unauthorized access to session and private keys and the possibility of influencing the results of their implementation. Therefore, the cipher processor logically consists of several blocks (Fig. 3.24):

  • calculator - a set of registers, adders, substitution blocks, etc. interconnected by data buses. Designed for the fastest execution of cryptographic operations. As input, the calculator receives open data that should be encrypted (decrypted) or signed, and a cryptographic key;
  • control unit - a hardware-implemented program that controls the calculator. If for any reason

Rice. 3.24.

the program will change, its work will begin to falter. Therefore, this program must not only be securely stored and function stably, but also regularly check its integrity. The external control unit described above also periodically sends control tasks to the control unit. In practice, for greater confidence in the encoder, two cipher processors are installed that constantly compare the results of their cryptographic operations (if they do not match, the operation is repeated);

The I/O buffer is needed to improve the performance of the device: while the first block of data is being encrypted, the next one is being loaded, and so on. The same thing happens on the output. Such data pipeline transmission seriously increases the speed of cryptographic operations in the encoder.

There is another task of ensuring security when performing cryptographic operations by the encoder: loading keys into the encoder, bypassing the computer's RAM, where they can theoretically be intercepted and even replaced. To do this, UKZD additionally contains input-output ports (for example, COM or USB), which are directly connected to different devices reading key media. These can be any smart cards, tokens (special USB keys) or Touch Memory elements (see par. 1.3). In addition to the direct entry of keys into UKZD, many of these media also provide their reliable storage - even a key carrier without knowing a special access code (for example, a PIN code) will not be able to read its contents.

In order to avoid collisions when simultaneously accessing the encoder different programs, V computer system installing special software


Rice. 3.25.

  • (software) to control the encoder (Fig. 3.25). Such software issues commands through the encoder driver and transmits data to the encoder, making sure that information flows from different sources do not overlap, and also that the encoder always contains the right keys. Thus, UKZD performs two fundamentally different types commands:
  • before loading the operating system, commands are executed that are in the memory of the encoder, which perform all the necessary checks (for example, user identification and authentication) and set the required security level (for example, turn off external devices);
  • after loading the OS (for example, Windows), commands are executed that come through the encryptor control software (encrypt data, reload keys, calculate random numbers, etc.).

Such separation is necessary for security reasons - after executing the commands of the first block, which cannot be bypassed, the intruder will no longer be able to perform unauthorized actions.

Another purpose of the encoder management software is to provide the ability to replace one encoder with another (say, one that is more productive or implements other cryptographic algorithms) without changing the software. This happens in the same way, for example, changing network card: The encryptor comes with a driver that allows programs to perform a standard set of cryptographic functions in accordance with some application programming interface (for example, CryptAP1).

In the same way, you can replace a hardware encoder with a software one (for example, an encoder emulator). To do this, a software encoder is usually implemented as a driver that provides the same set of functions.

However, not all UKZD need the encoder management software (in particular, an encoder for "transparent" encryption-decryption of all hard drive The PC only needs to be set up once).

To additionally ensure the security of performing cryptographic operations in UKZD, multi-level protection of cryptographic keys of symmetric encryption can be used, in which a random session key is encrypted with a long-term user key, and that, in turn, with a master key (Fig. 3.26).

At the stage of initial loading, the master key is entered into the key cell No. 3 of the encoder memory. But for three-level encryption, you need to get two more. The session key is generated as a result of a request to the generator (sensor)

Rice. 3.26. Encryption of the file using UKZD ny numbers (DSN) encoder to obtain a random number, which is loaded into key cell No. 1 corresponding to the session key. It encrypts the contents of the file and creates new file A that stores the encrypted information.

Next, the user is prompted for a long-term key, which is loaded into key cell #2 with decryption using the master key located in cell #3. in this case, the key never “leaves” the encoder at all. Finally, the session key is encrypted using the long-term key in cell 2, downloaded from the encryptor, and written to the header of the encrypted file.

When decrypting a file, the session key is first decrypted using the user's long-term key, and then information is restored using it.

In principle, one key can be used for encryption, but a multi-key scheme has serious advantages. First, the possibility of an attack on a long-term key is reduced, since it is only used to encrypt short session keys. And this complicates the attacker cryptanalysis of encrypted information in order to obtain a long-term key. Secondly, when changing the long-term key, you can very quickly re-encrypt the file: it is enough to re-encrypt the session key from the old long-term key to the new one. Thirdly, the key carrier is unloaded, since only the master key is stored on it, and all long-term keys (and the user may have several of them for different purposes) can be stored encrypted with the master key even on the PC hard drive.

Encryptors in the form of SHV keys (see Fig. 3.22) cannot yet become a full-fledged replacement for a hardware encoder for the PC1 bus due to the low encryption speed. However, they have several interesting features. Firstly, a token (SW key) is not only a hardware encoder, but also a carrier of encryption keys, i.e. a two-in-one device. Secondly, tokens usually correspond to common international cryptographic standards(RKSB #11, 1BO 7816, RS/8S, etc.), and they can be used without additional settings in already existing information security software (for example, they can be used to authenticate users in the operating system of the family Microsoft Windows). And finally, the price of such an encoder is ten times lower than that of a classic hardware encoder for the PCI bus.

The corporate encryption tools implemented by AST can support GOST encryption algorithms and provide the necessary cryptographic protection classes depending on the required degree of protection, the regulatory framework and compatibility requirements with other, including external systems.

Means of cryptographic information protection (CIPF) are an important component in ensuring information security and make it possible to guarantee high level data safety, even if encrypted electronic documents into the hands of third parties, as well as in case of theft or loss of storage media with them. CIPF today are used in almost every company - more often at the level of interaction with automated banking systems and state information systems; less often - for storing corporate data and exchanging them. Meanwhile, it is the latest use of encryption that allows you to protect your business from dangerous leaks of critical information with a guarantee of up to 99%, even taking into account the human factor.

Functionally, the need for the use of CIPF is also determined by the ever-growing popularity of electronic document management, archiving and paperless interaction. The importance of documents processed in such systems dictates the obligation to ensure high security of information, which cannot be done without the use of encryption and electronic signatures.

The introduction of CIPF into corporate practice provides for the creation of a software and hardware complex, the architecture and composition of which is determined based on the needs of a particular customer, legal requirements, tasks and necessary methods, and encryption algorithms. This may include encryption software components (cryptoproviders), VPN organization tools, identity tools, tools for generating and verifying keys and digital signatures that serve to organize legally significant workflow, and hardware storage media.

The corporate encryption tools implemented by AST can support GOST encryption algorithms and provide the necessary cryptographic protection classes depending on the required degree of protection, the regulatory framework and compatibility requirements with other, including external systems. At the same time, encryption tools provide protection for the entire set of information components - files, directories with files and archives, physical and virtual storage media, entire servers and storage systems.

The solution will be able to provide a full range of measures for the reliable protection of information during its storage, transmission, use, as well as for managing the CIPF itself, including:

  • Ensuring the confidentiality of information
  • Ensuring the integrity of information
  • Information authenticity guarantee
  • Targeted information protection, including:
    - Encryption and decryption
    — Creation and verification of EDS
  • Flexibility of configuration, management and use of CIPF
  • Protection of CIPF, including monitoring and detection of cases of malfunction, attempts of unauthorized access, cases of compromise of keys.

Completed projects

Related Services:

  • Event monitoring and information security incident management

    The most important factor in ensuring information security (IS) is the availability of complete and reliable information about events,

    [...]
  • Ensuring network security and perimeter protection

    Network infrastructure technologically underlies all corporate IT systems and is a transport artery for information,

    [...]
  • Protection against targeted attacks

    One of the most serious and dangerous threats to business in terms of information security (IS) are targeted

    [...]
  • APCS protection

    Automated process control system (APCS) in production is a fundamental solution,

    [...]
  • Vulnerability analysis and management systems

    As there is absolutely no healthy people, and there are no absolutely protected information systems. IT infrastructure components

    [...]
  • Information leakage protection (DLP system)

    Any organization has documents with limited access containing certain confidential information. Their entry into others

The means of cryptographic information protection (CIPF) include hardware, software and hardware and software, which implement cryptographic algorithms for converting information in order to:

Protection of information during its processing, storage and transmission through the transport environment of the AU;

Ensuring the reliability and integrity of information (including using digital signature algorithms) during its processing, storage and transmission over the transport environment of the AS;

Development of information used to identify and authenticate subjects, users and devices;

Development of information used to protect the authenticating elements of a secure AS during their generation, storage, processing and transmission.

It is assumed that cryptographic information protection tools are used in some AS (in a number of sources - an information and telecommunication system or a communication network), together with mechanisms for implementing and guaranteeing a security policy.

Cryptographic transformation has a number of significant features:

The CIPF implements some information conversion algorithm (encryption, electronic digital signature, integrity control)

The input and output arguments of the cryptographic transformation are present in the AS in some material form (AS objects)

CIPF uses some confidential information (keys) to work

The cryptographic transformation algorithm is implemented as some material object interacting with the environment (including the subjects and objects of the protected AS).

Thus, the role of the CIPF in a secure AS is the transformation of objects. In every specific case this transformation has singularities. Thus, the encryption procedure uses the object - plain text and the object - key as input parameters, the result of the transformation is the object - cipher text; on the contrary, the decryption procedure uses the ciphertext and the key as input; The procedure for setting a digital signature uses the object - message and the object - the secret key of the signature as input parameters, the result of the digital signature is the object - the signature, as a rule, integrated into the object - the message. We can say that the CIPF protects objects at the semantic level. At the same time, objects - cryptographic transformation parameters are full-fledged AS objects and can be objects of some security policy (for example, encryption keys can and should be protected from unauthorized access, public keys for verifying a digital signature from changes). So, cryptographic information protection devices as part of secure ASs have a specific implementation - it can be a separate specialized device built into a computer, or a specialized program. The following points are essential:

CIPF exchanges information with the external environment, namely: keys are entered into it, plain text during encryption

CIPF in the case of hardware implementation uses an element base of limited reliability (i.e., in the parts that make up the CIPF, malfunctions or failures are possible)

CIPF in the case of software implementation is executed on a processor of limited reliability and in a software environment containing third-party programs that can affect various stages of its operation

CIPF is stored on a tangible medium (in the case of software implementation) and can be intentionally or accidentally distorted during storage

CIPF interacts with the external environment indirectly (powered by the mains, emits electromagnetic fields)

CIPF is manufactured and/or used by a person who can make mistakes (intentional or accidental) during development and operation

The existing means of data protection in telecommunication networks can be divided into two groups according to the principle of building a key system and an authentication system. The first group includes tools that use symmetric cryptographic algorithms to build a key system and an authentication system, and the second group includes asymmetric ones.

Let us carry out a comparative analysis of these systems. An information message ready for transmission, initially open and unprotected, is encrypted and thereby converted into a ciphergram, i.e. into closed text or graphic image document. In this form, the message is transmitted over a communication channel, even if it is not secure. The authorized user, after receiving the message, decrypts it (i.e., reveals it) by means of inverse transformation cryptograms, as a result of which the original, open form of the message is obtained, available for perception by authorized users. The transformation method in a cryptographic system corresponds to the use of a special algorithm. The action of such an algorithm is triggered by a unique number (sequence of bits), usually called the encryption key.

For most systems, the key generator circuit can be a set of instructions and commands, either a piece of hardware or computer program, or all of these together, but in any case, the encryption (decryption) process is implemented only by this special key. For the exchange of encrypted data to be successful, both the sender and the recipient need to know the correct key setting and keep it secret. The strength of any closed communication system is determined by the degree of secrecy of the key used in it. However, this key must be known to other network users so that they can exchange encrypted messages freely. In this sense, cryptographic systems also help to solve the problem of authentication (authentication) of the received information. If a cracker intercepts a message, he will deal only with the cipher text, and the true recipient, accepting messages closed with a key known to him and the sender, will be reliably protected from possible misinformation. In addition, there is the possibility of encrypting information and more in a simple way- using a pseudo-random number generator. The use of a pseudo-random number generator consists in generating a cipher gamma using a pseudo-random number generator with a certain key and applying the resulting gamma to the open data in a reversible way. This method of cryptographic protection is implemented quite easily and provides a fairly high encryption speed, but is not sufficiently resistant to decryption.

Classical cryptography is characterized by the use of one secret unit - the key, which allows the sender to encrypt the message, and the recipient to decrypt it. In the case of encrypting data stored on magnetic or other storage media, the key allows you to encrypt information when writing to the media and decrypt when reading from it.

"Organizational and legal methods of information security"

The main regulatory guidance documents relating to state secrets, regulatory and reference documents

To date, a stable legislative framework in the field of information protection has been created in our country. The fundamental law can be called the Federal Law of the Russian Federation "On information, information technology and on the protection of information. “State regulation of relations in the field of information protection is carried out by establishing requirements for information protection, as well as liability for violation of the legislation of the Russian Federation on information, information technologies and information protection.” The Law also establishes the obligations of information owners and information system operators.

As for the “codified” regulation of information security, the norms of the Code of Administrative Offenses of the Russian Federation and the Criminal Code of the Russian Federation also contain the necessary articles. In Art. 13.12 of the Code of Administrative Offenses of the Russian Federation refers to a violation of the rules for protecting information. Also Art. 13.13, which provides for punishment for illegal activities in the field of information protection. And Art. 13.14. which provides for punishment for disclosure of information with restricted access. Article 183. The Criminal Code of the Russian Federation provides for punishment for illegal receipt and disclosure of information constituting a commercial, tax or banking secret.

The Federal Law "On Information, Informatization and Information Protection" determines that the state information resources of the Russian Federation are open and publicly available. The exception is documented information classified by law as restricted access.

The concept of state secrets is defined in the Law "On State Secrets" as "information protected by the state in the field of its military, foreign policy, economic, intelligence, counterintelligence and operational-search activities, the dissemination of which may harm the security of the Russian Federation." Thus, based on the balance of interests of the state, society and citizens, the scope of the Law is limited to certain types of activities: military, foreign policy, economic, intelligence, counterintelligence and operational-search.

The law determined that the main criterion is that the classified information belongs to the state.

The law also secured the creation of a number of bodies in the field of protecting state secrets, in particular, an interdepartmental commission for the protection of state secrets, introduced the institution of officials with the authority to classify information as state secrets, while at the same time imposing personal responsibility on them for activities to protect state secrets in their area of ​​responsibility.

General organization and coordination of work in the country on the protection of information processed technical means, is carried out by a collegial body - the Federal Service for Technical and Export Control (FSTEC) of Russia under the President of the Russian Federation, which exercises control over the provision in the bodies government controlled and at enterprises conducting work on defense and other secret topics.

Purpose and tasks in the field of information security at the state level

The state policy of ensuring the information security of the Russian Federation determines the main areas of activity of the federal state authorities and state authorities of the constituent entities of the Russian Federation in this area, the procedure for fixing their duties to protect the interests of the Russian Federation in information sphere within the framework of their activities and is based on maintaining a balance of interests of the individual, society and the state in the information sphere. The state policy of ensuring the information security of the Russian Federation is based on the following basic principles: observance of the Constitution of the Russian Federation, the legislation of the Russian Federation, generally recognized principles and norms of international law in the implementation of activities to ensure the information security of the Russian Federation; openness in the implementation of the functions of federal state authorities, state authorities of the constituent entities of the Russian Federation and public associations, which provides for informing the public about their activities, taking into account the restrictions established by the legislation of the Russian Federation; legal equality of all participants in the process of information interaction, regardless of their political, social and economic status, based on the constitutional right of citizens to freely search, receive, transmit, produce and disseminate information in any legal way; priority development of domestic modern information and telecommunication technologies, production of hardware and software capable of ensuring the improvement of national telecommunications networks, their connection to global information networks in order to comply with the vital interests of the Russian Federation.

The state in the process of implementing its functions to ensure the information security of the Russian Federation: conducts an objective and comprehensive analysis and forecasting of threats to the information security of the Russian Federation, develops measures to ensure it; organizes the work of the legislative (representative) and executive bodies of state power of the Russian Federation to implement a set of measures aimed at preventing, repelling and neutralizing threats to the information security of the Russian Federation; supports the activities of public associations aimed at objectively informing the population about socially significant phenomena of public life, protecting society from distorted and unreliable information; exercises control over the development, creation, development, use, export and import of information security tools through their certification and licensing of activities in the field of information security; pursues the necessary protectionist policy in relation to manufacturers of informatization and information protection tools on the territory of the Russian Federation and takes measures to protect the domestic market from the penetration of low-quality informatization tools and information products into it; contributes to the provision of physical and legal entities access to global information resources, global information networks; formulates and implements the state information policy of Russia; organizes the development of a federal program for ensuring information security of the Russian Federation, which unites the efforts of state and non-state organizations in this area; contributes to the internationalization of global information networks and systems, as well as Russia's entry into the world information community on the terms of equal partnership.

Improving the legal mechanisms for regulating public relations arising in the information sphere is a priority direction of the state policy in the field of ensuring the information security of the Russian Federation.

This involves: assessing the effectiveness of the application of existing legislative and other regulatory legal acts in the information sphere and developing a program for their improvement; creation of organizational and legal mechanisms for ensuring information security; determining the legal status of all subjects of relations in the information sphere, including users of information and telecommunication systems, and establishing their responsibility for compliance with the legislation of the Russian Federation in this area; creation of a system for collecting and analyzing data on the sources of threats to the information security of the Russian Federation, as well as on the consequences of their implementation; development of normative legal acts that determine the organization of the investigation and the procedure for litigation on the facts of illegal actions in the information sphere, as well as the procedure for eliminating the consequences of these illegal actions; development of offenses taking into account the specifics of criminal, civil, administrative, disciplinary responsibility and the inclusion of relevant legal norms in the criminal, civil, administrative and labor codes, in the legislation of the Russian Federation on public service; improvement of the personnel training system used in the field of information security of the Russian Federation.

The legal support of the information security of the Russian Federation should be based, first of all, on the observance of the principles of legality, the balance of interests of citizens, society and the state in the information sphere. Compliance with the principle of legality requires federal government bodies and government bodies of the constituent entities of the Russian Federation, when resolving conflicts that arise in the information sphere, to be strictly guided by legislative and other regulatory legal acts regulating relations in this area. Compliance with the principle of balancing the interests of citizens, society and the state in the information sphere implies legislative consolidation of the priority of these interests in various areas of the life of society, as well as the use of forms of public control over the activities of federal state authorities and state authorities of the constituent entities of the Russian Federation. The implementation of guarantees of constitutional rights and freedoms of a person and a citizen related to activities in the information sphere is the most important task of the state in the field of information security. The development of mechanisms for the legal support of information security of the Russian Federation includes measures to informatize the legal sphere as a whole. In order to identify and harmonize the interests of federal state authorities, state authorities of the constituent entities of the Russian Federation and other subjects of relations in the information sphere, develop necessary decisions the state supports the formation of public councils, committees and commissions with a wide representation of public associations and promotes the organization of their effective work.

Features of certification and standardization of cryptographic services

In almost all countries that have developed cryptographic technologies, the development of cryptographic information protection tools belongs to the sphere of state regulation. State regulation includes, as a rule, licensing of activities related to the development and operation of cryptographic means, certification of CIPF and standardization of cryptographic transformation algorithms.

The following types of activities are subject to licensing: development, production, certification tests, sale, operation of encryption tools designed for cryptographic protection of information containing information constituting a state or other secret protected by law, during its processing, storage and transmission through communication channels, as well as provision of services in the field of encryption of this information; development, production, certification tests, operation of telecommunications systems and complexes of the highest state authorities of the Russian Federation; development, production, certification tests, implementation, operation of closed systems and telecommunications complexes of the authorities of the constituent entities of the Russian Federation, central federal executive authorities, organizations, enterprises, banks and other institutions located on the territory of the Russian Federation, regardless of their departmental affiliation and forms property (hereinafter - closed systems and telecommunications complexes) intended for the transmission of information constituting a state or other secret protected by law; carrying out certification tests, sale and operation of encryption means, closed systems and telecommunications complexes designed to process information that does not contain information constituting a state or other secret protected by law, during its processing, storage and transmission through communication channels, as well as the provision of services in the field of encryption of this information

Encryption tools include: hardware, software and hardware-software tools that implement cryptographic algorithms for converting information, ensuring the security of information during its processing, storage and transmission over communication channels, including encryption technology; hardware, software and hardware-software means of protection against unauthorized access to information during its processing and storage that implement cryptographic algorithms for converting information; hardware, software and hardware-software means of protection against the imposition of false information, including means of imitation protection and "digital signature" that implement cryptographic algorithms for converting information; hardware, hardware-software and software for the production of key documents for encryption tools, regardless of the type of key information carrier.

Closed telecommunication systems and complexes include telecommunication systems and complexes in which information is protected using encryption tools, secure equipment and organizational measures.

Additionally, the following types of activities are subject to licensing: operation of encryption tools and/or digital signature tools, as well as encryption tools for protecting electronic payments using plastic credit cards and smart cards; provision of services for the protection (encryption) of information; installation, installation, adjustment of encryption tools and / or digital signature tools, encryption tools for protecting electronic payments using plastic credit cards and smart cards; development of encryption tools and/or digital signature tools, encryption tools for protecting electronic payments using plastic credit cards and smart cards

The procedure for certification of CIPF is established by the "Certification System for Cryptographic Information Protection ROSS.R11.0001.030001 of the State Standard of Russia.

Standardization of cryptographic transformation algorithms includes comprehensive research and publication in the form of standards of elements of cryptographic procedures in order to use proven cryptographically secure transformations by CIPF developers, to ensure the possibility of joint operation of various CIPF, as well as the possibility of testing and verifying compliance of the CIPF implementation with the algorithm specified by the standard. The following standards have been adopted in Russia - cryptographic conversion algorithm 28147-89, algorithms for hashing, setting and verifying a digital signature R34.10.94 and R34.11.94. From foreign standards, the DES, RC2, RC4 encryption algorithms, the MD2, MD4 and MD5 hashing algorithms, the DSS and RSA digital signature verification algorithms are widely known and used.

Legislative framework for information security

The basic concepts, requirements, methods and tools for designing and evaluating an information security system for information systems (IS) are reflected in the following fundamental documents:

"Orange Book" National Center computer protection

"Harmonized criteria of European countries (ITSEC)";

The concept of protection against unauthorized access of the State Commission under the President of the Russian Federation.

Information security concept

The security concept of the system being developed is "a set of laws, rules and norms of behavior that determine how an organization processes, protects and distributes information. In particular, the rules determine in which cases the user has the right to operate with certain sets of data. The more reliable the system, the stricter and the concept of security should be more diverse. Depending on the formulated concept, you can choose specific mechanisms that ensure the security of the system. The concept of security is an active component of protection, which includes an analysis of possible threats and the choice of countermeasures."

The security concept of the developed system according to the "Orange Book" should include the following elements:

Arbitrary access control;

Safety reuse objects;

Security labels;

Forced access control.

Consider the content of the listed elements.

Arbitrary access control is a method of restricting access to objects based on the identity of the subject or the group to which the subject belongs. The arbitrariness of control consists in the fact that some person (usually the owner of the object) can, at his own discretion, give or take away access rights to the object to other subjects.

The main advantage of arbitrary access control is flexibility, the main disadvantages are the dispersal of control and the complexity of centralized control, as well as the isolation of access rights from data, which allows copying secret information into public files.

Object reuse security is an important practical addition to access controls that prevents accidental or intentional extraction of secret information from garbage. Reuse safety must be guaranteed for areas random access memory(in particular, for buffers with screen images, decrypted passwords, etc.), for disk blocks and magnetic media in general.

Security labels are associated with subjects and objects to enforce access control. The label of the subject describes its trustworthiness, the label of the object - the degree of closeness of the information contained in it. According to the Orange Book, security labels consist of two parts - a security level and a list of categories. The main problem that needs to be addressed in connection with labels is ensuring their integrity. First, there must be no unlabeled subjects and objects, otherwise there will be easily exploitable holes in labeled security. Secondly, for any operations with the data, the labels must remain correct. One of the means of ensuring the integrity of security labels is the division of devices into multi-level and single-level devices. Multilevel devices can store information of different levels of secrecy (more precisely, lying in a certain range of levels). A single-level device can be considered as a degenerate case of a multi-level device, when the allowable range consists of a single level. Knowing the level of the device, the system can decide whether it is permissible to write information to it with a certain label.

Enforced access control is based on the matching of subject and object security labels. This method of access control is called forced, because it does not depend on the will of the subjects (even system administrators). Enforced access control is implemented in many variants operating systems and DBMS, characterized by increased security measures.

Anyone who seriously thinks about the security of their confidential information faces the task of selecting software for cryptographic data protection. And there is absolutely nothing surprising in this - encryption is by far one of the most reliable ways to prevent unauthorized access to important documents, databases, photos and any other files.

The problem is that for a competent choice it is necessary to understand all aspects of the operation of cryptographic products. Otherwise, you can very easily make a mistake and stop at software that either does not allow you to protect all the necessary information, or does not provide the proper degree of security. What should you pay attention to? First, these are the encryption algorithms available in the product. Secondly, the methods of authentication of information owners. Third, ways to protect information. Fourth, additional features and capabilities. Fifthly, the authority and fame of the manufacturer, as well as the availability of certificates for the development of encryption tools. And that's not all that may be important when choosing a cryptographic protection system.

It is clear that it is difficult for a person who is not versed in the field of information security to find answers to all these questions.

Secret Disk 4 Lite

Secret Disk 4 Lite is developed by Aladdin, one of the world leaders working in the field of information security. She has many certifications. And although the product in question is not a certified tool (Secret Disk 4 has a separate certified version), this fact indicates the recognition of the company as a serious developer of cryptographic tools.

Secret Disk 4 Lite can be used for encryption separate sections hard drive, any removable drives, as well as to create secure virtual drives. Thus, with this tool, you can solve most of the problems related to cryptography. Separately, it is worth noting the possibility of encryption system partition. In this case, the boot of the OS by an unauthorized user becomes impossible. Moreover, this protection is incommensurably more reliable than the built-in Windows protection tools.

Secret Disk 4 Lite does not have built-in encryption algorithms. This program uses external cryptographic providers for its work. By default, a standard module integrated into Windows is used. It implements the DES and 3DES algorithms. However, today they are considered obsolete. Therefore, for better protection You can download a special Secret Disk Crypto Pack from the Aladdin website. This is a cryptographic provider that implements the most secure cryptographic technologies to date, including AES and Twofish with a key length of up to 256 bits. By the way, if necessary, in combination with Secret Disk 4 Lite, you can use certified algorithm providers Signal-COM CSP and CryptoPro CSP.

A distinctive feature of Secret Disk 4 Lite is the user authentication system. The point is that it is built on the use digital certificates. To do this, a hardware USB eToken is included in the product package. It is a highly secure storage for secret keys. In fact, we are talking about full-fledged two-factor authentication (the presence of a token plus knowledge of its PIN code). As a result, the encryption system under consideration is spared such a "bottleneck" as the use of conventional password protection.

Of the additional functions of Secret Disk 4 Lite, one can note the possibility of multi-user work (the owner of encrypted disks can provide access to them to other people) and the background operation of the encryption process.

The interface of Secret Disk 4 Lite is simple and straightforward. It is made in Russian, just like the detailed help system, which describes all the nuances of using the product.

InfoWatch CryptoStorage

InfoWatch CryptoStorage is a product of a fairly well-known company InfoWatch, which has certificates for the development, distribution and maintenance of encryption tools. As already noted, they are not mandatory, but they can play the role of a kind of indicator of the seriousness of the company and the quality of its products.

Figure 1. Context menu

InfoWatch CryptoStorage implements only one encryption algorithm - AES with a key length of 128 bits. User authentication is implemented using conventional password protection. For the sake of fairness, it should be noted that the program has a minimum length limit keywords, equal to six characters. However, password protection is certainly far inferior in its reliability to two-factor authentication using tokens. A feature of the InfoWatch CryptoStorage program is its versatility. The point is that it can be used to encrypt individual files and folders, entire partitions of the hard drive, any removable drives, as well as virtual drives.

This product, like the previous one, allows you to protect system drives, that is, it can be used to prevent unauthorized booting of the computer. In fact, InfoWatch CryptoStorage allows you to solve the whole range of tasks related to the use of symmetric encryption.

An additional feature of the product under consideration is the organization of multi-user access to encrypted information. In addition, InfoWatch CryptoStorage implements guaranteed data destruction without the possibility of their recovery.

InfoWatch CryptoStorage is a Russian-language program. Its interface is made in Russian, but it is rather unusual: the main window as such is missing (there is only a small configurator window), and almost all the work is done using context menu. Such a solution is unusual, but one cannot but recognize its simplicity and convenience. Naturally, the Russian-language documentation in the program is also available.

Rohos Disk is a product of Tesline-Service.S.R.L. It is part of a line of small utilities that implement various tools for protecting confidential information. This series has been under development since 2003.


Figure 2. Program interface

Rohos Disk is designed for cryptographic protection of computer data. It allows you to create encrypted virtual drives on which you can save any files and folders, as well as install software.

To protect data, this product uses cryptographic algorithm AES with a key length of 256 bits, which provides a high degree security.

Rohos Disk has two methods for user authentication. The first of them is the usual password protection with all its shortcomings. The second option is to use a regular USB disk, on which the necessary key is written.

This option is also not very reliable. When using it, the loss of a "flash drive" can lead to serious problems.

Rohos Disk has a wide range of additional features. First of all, it is worth noting the protection of USB drives. Its essence is to create a special encrypted partition on the "flash drive" in which you can safely transfer confidential data.

Moreover, the product includes a separate utility with which you can open and view these USB drives on computers that do not have Rohos Disk installed.

Next additional opportunity- Steganography support. The essence of this technology is to hide encrypted information inside multimedia files (AVI, MP3, MPG, WMV, WMA, OGG formats are supported).

Its use allows you to hide the very fact of the presence of a secret disk by placing it, for example, inside the movie. The last additional function is the destruction of information without the possibility of its recovery.

The Rohos Disk program has a traditional Russian-language interface. In addition, she is accompanied help system, perhaps not as detailed as the two previous products, but sufficient to master the principles of its use.

Speaking of cryptographic utilities, one cannot fail to mention free software. Indeed, today in almost all areas there are worthy products that are distributed completely freely. And information security is no exception to this rule.

True, there is a twofold attitude to the use of free software for information protection. The fact is that many utilities are written by single programmers or small groups. At the same time, no one can vouch for the quality of their implementation and the absence of "holes", accidental or intentional. But cryptographic solutions themselves are quite difficult to develop. When creating them, you need to take into account a huge number of different nuances. That is why it is recommended to use only well-known products, and always with open source. This is the only way to be sure that they are free from "bookmarks" and tested by a large number of specialists, which means that they are more or less reliable. An example of such a product is the TrueCrypt program.


Figure 3. Program interface

TrueCrypt is arguably one of the most feature-rich free cryptographic utilities out there. Initially, it was used only to create secure virtual disks. Still, for most users, this is the most convenient way to protect various information. However, over time, the function of encrypting the system partition appeared in it. As we already know, it is intended to protect the computer from unauthorized startup. However, TrueCrypt does not yet know how to encrypt all other partitions, as well as individual files and folders.

The product in question implements several encryption algorithms: AES, Serpent, and Twofish. The owner of the information can choose which one he wants to use in this moment. User authentication in TrueCrypt can be done using ordinary passwords. However, there is another option - using key files that can be stored on a hard drive or any removable storage. Separately, it is worth noting that this program supports tokens and smart cards, which allows you to organize reliable two-factor authentication.

Of the additional functions of the program in question, one can note the possibility of creating hidden volumes inside the main ones. It is used to hide sensitive data when a drive is opened under duress. Also, TrueCrypt implements a system Reserve copy volume headers for crash recovery or reverting to old passwords.

The TrueCrypt interface is familiar to utilities of this kind. It is multilingual, and it is possible to install the Russian language. Documentation is much worse. It is, and very detailed, but written in English language. Naturally, about any technical support there can be no speech.

For greater clarity, all their features and functionality are summarized in table 2.

Table 2 - Functionality cryptographic information protection programs.

Secret Disk 4 lite

InfoWatch CryptoStorage

Encryption algorithms

DES, 3DES, AES, TwoFish

AES, Serpent, TwoFish

Maximum encryption key length

Connecting external crypto providers

Strong authentication using tokens

+ (tokens are purchased separately)

Encryption of files and folders

Partition encryption

System Encryption

Encryption of virtual disks

Removable storage encryption

Support for multi-user work

Guaranteed data destruction

Hiding encrypted objects

Work under duress

Russian-language interface

Russian language documentation

Technical support


Loading...
Top