the Internet Windows Android
Expand
the main

What is encryption cryptographic agents. Cryptographic remedies

Data encryption mechanisms to ensure the information security of society is cryptographic protection of informationthrough cryptographic encryption.

Cryptographic information protection methods are used for processing, storage and transmission of information on media and communication networks.

Cryptographic protection of information during data transmission over long distances is the only reliable encryption method.

Cryptography is a science that studies and describes the information security model. Cryptography opens solutions to many network information security issues: authentication, confidentiality, integrity and control of interacting participants.

The term "encryption" means the transformation of data into the form, not readable for humans and software complexes without a key encryption key. Cryptographic information protection methods provide information security tools, so it is part of the concept of information security.

Information protection goals as a result are reduced to ensuring the confidentiality of information and the protection of information in computer systems in the process of transmitting information over the network between the system users.

Protection confidential information, based on cryptographic information protection, encrypts data using the reversible conversion families, each of which is described by the parameter called "key" and the order that defines the order of use of each transformation.

The most important component of the cryptographic information protection method is the key that is responsible for choosing the transformation and the procedure for its execution. The key is some sequence of symbols, configuring encrypting and decrypting algorithm for the cryptographic information protection system. Each such transformation is uniquely determined by the key, which determines the cryptographic algorithm, providing information protection and information security of the information system.

The same algorithm for cryptographic information protection can work in different modes, each of which has certain advantages and disadvantages affecting the reliability of Russia's information security and information security.

Symmetric or secret cryptography methodology.

In this methodology, technical means of protecting information, encryption and decryption by the recipient and the sender are used by the same key stipulated earlier before using cryptographic information protection.

In the case when the key was not compromised, the author's authentication will be automatically authenticated during the decryption process, since only it has the key to decrypt the message.

Thus, programs for protecting information cryptography suggest that the sender and addressee of the message is the only persons who can know the key, and compromising it will affect the interaction of these two users of the information system.

The problem of organizational protection of information in this case will be relevant for any cryptosystem, which is trying to achieve the target of information security or information protection on the Internet, because symmetric keys must be distributed between users safely, that is, it is necessary to protect information in computer networkswhere the keys are transmitted, was at a high level.

Any symmetric cryptosystem encryption algorithm software hardware Information protection uses short keys and produces encryption very quickly, despite large amounts of data that satisfies the targets of information protection.

Cryptosystem-based computer information protection tools must use symmetric keys in the following order:

· The work of information security begins with the fact that first the protection of information creates, distributes and maintains a symmetric key of organizational information protection;

· Next, a specialist in protecting information or the sender of the information security system in computer networks creates an electronic signature using the text hash function and add the resulting hash row to the text that must be safely transferred in the organization of information protection;

· According to the information security doctrine, the sender enjoys a rapid symmetrical encryption algorithm in a cryptographic information protection tool along with a symmetrical key to the message package and an electronic signature, which authenticates the system of encryption system of the cryptographic information protection;

· An encrypted message can be safely transmitted even by unprotected communication channels, although it is better to do it as part of the work of information security. But a symmetric key in obligatory must be transferred (according to the information security doctrine) on communication channels within software hardware of information protection;

· In the information security system throughout the history of information protection, according to the information security doctrine, the recipient also uses a symmetric algorithm to decrypt the package and the same symmetric key that makes it possible to restore the text of the source message and decrypt the sender's electronic signature in the information security system;

· In the information security system, the recipient must now separate the electronic signature from the message text;

· Now the recipient compares previously and now, to check the integrity of the message and the absence of distorted data in it, which in the field of information security is called the data integrity.

Open asymmetric information protection methodology.

Knowing the stories of information protection, it can be understood that in this methodology, the encryption keys and decryption are different, although they are created together. In such a system of information protection, one key is distributed publicly, and the other is secretly transmitted, because once encrypted data by one key can only be decrypted by another.

All asymmetric cryptographic information protection means are a target facility attack by a cracker acting in the field of information security by direct searching keys. Therefore, in such information security of the person or informational psychological safety, long keys are used to make the process of extinguishing the keys as long as the process that hacking the information security system will lose any meaning.

It is not at all a secret even for the one who makes the course protection of information that in order to avoid the slowness of algorithms for asymmetric encryption, a temporary symmetrical key is created for each message, and then only one is encrypted asymmetrical algorithms.

Systems of information and psychological safety and information security of the individual use the following procedure for using asymmetric keys:

· In the field of information security, asymmetric open keys are created and openly distributed. In the personality information security system, the secret asymmetric key is sent to its owner, and the open asymmetric key is stored in the database and administered to the certificate of certificates of the information protection system, which controls the information protection specialist. Then, information security, download free of charge anywhere, it implies that both users should believe that in such an information security system, a secure creation, administration and distribution of keys that all the organization of information protection uses. Even more, if at each stage of the operation of information protection, according to the basics of information protection, each step is performed by various persons, the recipient of the secret message must believe that the creator of the keys destroyed their copy and more data to the keys did not provide anyone to anyone I could still download the protection of information transmitted in the system to protect information. So there is any specialist in protecting information.

· Next, the basics of information protection provide for what is created electronic signature text, and the resulting value is encrypted asymmetric algorithm. Then all the same basics of information protection suggest, the sender's secret key is stored in the character string and it is added to the text that will be transmitted in the information protection system and information security, because the electronic signature in the protection of information and information security can create an electronic signature!

· Then the system and information security tools solve the recipient transmission problem to the recipient.

· Next, in the system of information security tools, the sender must obtain an asymmetrical outdoor key of the Certificate Center for the Organization and Information Protection Technology. In this organization and technology for the protection of information, the interception of non-sinked requests for an open key is the most common attack of hackers. That is why the organization and technology of information protection can be implemented a system of confirming the authenticity of the public key certificates.

Thus, encryption algorithms imply the use of keys, which allows 100% to protect data from those users who are unknown.

Protection of information in local networksand information protection technologies along with confidentiality are obliged to ensure and integrity of storing information. That is, the protection of information in local networks should transmit the data so that the data remains unchanged during the transmission and storage process.

In order for the information security of information to ensure the integrity of storing and transferring data, the development of tools that detect any distortions of the source data are needed for which redundancy is given to the source information.

Information security in Russia with cryptography solves the issue of integrity by adding a certain checksum or verification combination to calculate the integrity of the data. Thus, again the model of information security is cryptographic - key-dependent. According to the assessment of information security based on cryptography, the dependence of the possibility of reading data from the secret key is the most reliable tool and is even used in state security systems.

As a rule, the audit of the information security of the enterprise, for example, the information security of banks, pays particular attention to the likelihood of successfully imposing distorted information, and the cryptographic information protection allows you to reduce this probability to a negligible level. Such information security service This probability calls the simplicity of the cipher, or the ability of encrypted data to resist the attack of the hacker.

Protection of information from viruses or system of protection of economic information must necessarily support the authentication of the user in order to identify the regulated user of the system and prevent penetration into the intruder system.

Verification and confirmation of user data authentication in all spheres information interaction - An important composite problem of ensuring the accuracy of any received information and information protection system in the enterprise.

The information security of banks is particularly acute to the problem of distrust of interacting with each other, where the concept of information security is included not only the external threat from the third party, but also the threat of information security (lectures) by users.

Digital signature

information Security Protection Unauthorized

Sometimes users want to abandon previously accepted commitments and are trying to change the previously created data or documents. The Doctrine of Information Security of the Russian Federation takes into account this and suppress such attempts.

Protecting confidential information using a single key is not possible in a situation where one user does not trust the other, because the sender may later abandon the fact that the message was generally transmitted. Next, despite the protection of confidential information, the second user can modify the data and attribute authorship to another user user. Naturally, whatever software protection Information or information protection of information, truth is established can not be in this dispute.

Digital signature in such a system of information protection in computer systems is a panacea of \u200b\u200bthe problem of authorship. Protection of information in computer systems with a digital signature contains 2 algorithms in itself: to calculate the signature and to check it. The first algorithm can be performed only by the author, and the second is in common access In order for everyone to check the digital signature at any time.

The term "cryptography" comes from the ancient Greek words "hidden" and "write." The phrase expresses the main purpose of cryptography - this is the protection and preservation of the secrets of the transmitted information. Information protection can occur different ways. For example, by restricting physical access to data, hiding the transfer channel, creating physical difficulties of connecting to communication lines, etc.

Goal cryptography

Unlike traditional Tynopisi methods, cryptography suggests the full availability of the transmission channel for intruders and ensures the confidentiality and authenticity of information using the encryption algorithms that make information inaccessible to extraneous reading. Modern system Cryptographic information protection (SCJ) is a software and hardware computers complex that provides information protection according to the following basic parameters.

  • Confidentiality - the impossibility of reading information by persons who do not have appropriate access rights. The main component of providing confidentiality in SCJ is the key (key), which is a unique alphanumeric combination for user access to a specific SPJ unit.
  • Integrity - the impossibility of unauthorized changes, such as editing and deleting information. To do this, the source information is added redundancy in the form of a test combination calculated by a cryptographic algorithm and key-dependent. Thus, without key knowledge, adding or changing information becomes impossible.
  • Authentication - confirmation of the authenticity of information and parties, sending it and receiving. The information transmitted via channels should be uniquely authenticated by content, the creation and transmission time, source and recipient. It should be remembered that the source of threats can be not only an attacker, but also the parties involved in the exchange of information with insufficient mutual trust. To prevent such situations, SPI uses a time stamp system for the impossibility of re-or reverse information and changes in the order of its following.

  • Authorship - Confirmation and impossibility of refusing a user committed by the user. The most common way to confirm authenticity is the EDS system consists of two algorithms: to create a signature and to verify it. With intensive work with the ECC, it is recommended to use software certifying centers to create and control the signatures. Such centers can be implemented as fully independent of the internal structure of the SCJO. What does this mean to an organization? This means that all operations with are processed by independent certified organizations and the falsification of the authorship is practically impossible.

Encryption algorithms

Currently, open encryption algorithms with symmetric and asymmetric keys with a length sufficient to provide the desired cryptographic complexity are dominated among SKZZi. The most common algorithms:

  • symmetric keys - Russian R-28147.89, AES, DES, RC4;
  • asymmetric keys - RSA;
  • using hash functions - P-34.11.94, MD4 / 5/6, SHA-1/2.

Many countries have their national standards in the United States using a modified AES algorithm with a key length of 128-256 bits, and in the Russian Federation algorithm of electronic signatures P-34.10.2001 and block cryptographic algorithm R-28147.89 with a 256-bit key. Some elements of national cryptographic systems are prohibited for exporting outside the country, the development activities of SPI requires licensing.

Hardware cryptocolware systems

Hardware SCZI is physical devices containing software for encryption, recording and transmitting information. Encryption devices can be performed as personal devicessuch as Rutoken USB Enciprators and IronKey Flash Discs, Extension Boards for personal computersspecialized network switches and routers based on which it is possible to build fully protected computer networks.

Hardware Skusi is quickly installed and operate at high speed. Disadvantages - high, compared with software and software and hardware SCJ, cost and limited refurbishment.

Also, the hardware can be attributed to the SCJO blocks built into various devices Registration and data transfer where encryption is required and restricting access to information. Such devices include car tachometers, fixing the parameters of vehicles, some types of medical equipment, etc. For full operation, such systems requires a separate activation of the module module by the supplier specialists.

Systems of software cryptocrusts

Software SPZI is a special software package for encrypting data on information media (hard and flash drives, memory cards, CD / DVD) and transmitted via the Internet ( emails, Files in attachments, secure chats, etc.). There are quite a lot of programs, including free, for example, diskcryptor. You can also include protected virtual information exchange networks operating "on top of the Internet" (VPN), HTTP Internet Protocol Expansion with HTTPS and SSL encryption support - Cryptographic information transfer protocol, widely used in IP telephony and Internet applications.

Software SCIIs are mainly used on the Internet, at home computers and in other areas where the requirements for functionality and the resistance of the system are not very high. Or, in the case of the Internet, when you have to create a variety of diverse secure connections at the same time.

Software and hardware cryptocrust

Combines in me top Qualities Hardware I. software Systems Ski. This is the most reliable and functional way to create protected systems and data networks. All user identification options are supported, both hardware (USB drive or smart card) and "traditional" - login and password. Software-hardware SKZSi support all modern encryption algorithms, have a large set of functions for creating secure USE-based document management, all required government certificates. Installation of SPJs is made by qualified developer personnel.

Company "Crypto-Pro"

One of the leaders of the Russian cryptographic market. The company develops the entire spectrum of information protection programs using EDS based on international and Russian cryptographic algorithms.

The company's programs are used in electronic document flow of commercial and state organizations, for accounting and tax reporting, in various urban and budget programs, etc. The company issued more than 3 million licenses for the CSP cryptopro and 700 licenses program for certifying centers. Crypto-Pro provides developers interfaces to embed cryptographic protection elements into their own and provides the whole range of consulting services for the creation of SCJ.

Cryptoprovider Kryptopro

When developing SPZi. Cryptopro CSP. used built into operating windows system Cryptographic architecture Cryptographic Service Providers. Architecture allows you to connect additional independent modules that implement the required encryption algorithms. Using modules running through CryptoAPI functions, cryptographic protection can be carried out both software and hardware SCJ.

Key carriers

Various keys can be used various such as:

  • smart maps and readers;
  • electronic locks and readers working with Touch Memory devices;
  • various USB keys and interchangeable USB drives;
  • files system registry Windows, Solaris, Linux.

Cryptoprovider functions

CSP cryptopro ski is fully certified by FAPSI and can be used for:

2. Complete confidentiality, authenticity and integrity of data using encryption and simulation protection according to Russian encryption standards and TLS protocol.

3. Check and monitor the integrity of the program code to prevent unauthorized changes and access.

4. Creation of system protection regulations.

According to the EAC legislation, encryption (cryptographic) funds (Further - ShKS.) - this is " hardware, software and hardware and software, systems and complexes that implement cryptographic information conversion algorithms and intended to protect information from unauthorized access when transmitted over communication channels and (or) when processing and storage” .

This definition is very abstract, in connection with which the attribution or inconsistency of a particular product to the SCC can cause significant difficulties.

List of goods related to SCS

In the section on the import (exportation) of the SCS, a list of features (components), which must contain goods so that it can be considered the SCC:

  • means of imitovashchy
  • electronic digital signature
  • coding tools
  • cryptographic Key Production Tools
  • cryptographic keys themselves
  • systems, equipment and components developed or modified to perform crypto-analytical functions
  • systems, equipment and components developed or modified for the use of cryptographic methods for generating an expanding code for systems with an expanding spectrum, including hopping codes for systems with jump-shaking frequency
  • systems, equipment and components developed or modified to apply cryptographic methods for forming channels or classifying codes for modulated over time of ultra-wideband systems.

However, in practice, it is often a situation that the customs authorities, guided by the list from section 2.19 (and even only the code of TN VED from the list), may decide that the imported product is an encryption (and no matter whether there is an encryption or not ). In this case, the importer will have to receive permits or prove customs that there is no encryption in the product.

Export procedure (exports) of the SCC

Depending on the customs procedure for the import (export) of the SCC, it is necessary to issue various types of documents:

12 categories ShKS.

In practice, the overwhelming majority of goods with the encryption function are imported on the basis of notification.

Notification can be registered only For goods related to one or more of 12 categories of encryption funds, the technical and cryptographic characteristics of which are subject to notification. This list is shown in the notification position.

Category №1

1. Products containing in their composition encryption (cryptographic) agents having any of the following components: 1) a symmetric cryptographic algorithm that uses a cryptographic key with a length not exceeding 56 bits; 2) an asymmetrical cryptographic algorithm based on any of next methods: decomposition of multipliers of integers whose size does not exceed 512 bits; Calculation of discrete logarithms in the multiplicative group of the final field, the size of which does not exceed 512 bits; The discrete logarithm in the group of the final field, other than the field specified in the paragraph of the present subparagraph, the size of which does not exceed 112 bits.

The SCS of this category is performed by various cryptographic functions, but the determining factor of the classification of this category is the length of the cryptographic key. These keys lengths are significantly less recommended. minimum values For relevant groups of algorithms. The use of such short cryptographic keys makes it possible on the modern equipment to open the encrypted messages by the method of complete brutex.

Symmetrical encryption Mainly used to ensure the confidentiality of the data, and it is based on the fact that the sender and recipient of the information use the same key both to encrypt messages and to decipher them. This key must be kept secret and transmitted in a way that excludes its interception. Examples of symmetric encryption algorithms: RC4, DES, AES.

Of the listed algorithms, only DES (considered obsolete) will certainly fall into category 1; Algorithm RC4 can also be used with short keys (for example, in WEP technology protocol communication Wi-Fi: key length 40 or 128 bits).

IN asymmetric encryption algorithms (or open key cryptography) To encrypt information, use one key (open), and for decryption - another (secret). These algorithms are widely used to establish secure connections for open channels Communications for EDS purposes. Examples of algorithms: RSA, DSA, Diffy - Helmana Protocol, GOST R 34.10-2012.

Specified methods refer to the mathematical database of the functioning of asymmetric algorithms:

  • decomposition of integer multipliers - RSA algorithm
  • calculation of discrete logarithms in the multiplicative group of the final field - DSA algorithms, Diffi Helmana, El Gamal
  • discrete logarithm in a group of a finite field other than the field indicated in the third paragraph of this subparagraph - algorithms on elliptic curves: ECDSA, ECDH, GOST R 34.10-2012.

Examples of notified SCS: Theoretically, any product can use outdated algorithms, or short keys in modern algorithms. In practice, however, it has little meaning, because Does not provide a sufficient level of protection. One of real examples It may be Wi-Fi in WEP mode with a key of 40 bits.

Category # 2.

2. Products containing encryption (cryptographic) means with the following limited functions: 1) Authentication, which includes all aspects of access control, where there is no encryption of files or texts, with the exception of encryption, which is directly related to password protection, personal identification numbers or such data to protect against unauthorized access;

User authentication within this category includes a comparison of the password entered by it or other similar identifying data with information stored in the authorized user database, and the encryption process itself is to protection of secret data from copying and illegal use When they are transmitted from the authentication object (user) to a controlling device.

Examples of notified SCS: Access control and access control systems - password readers, device for storing and generating databases of authorized users, network authentication devices - gateways, routers, routers, etc., devices with the protection of information stored on them - hard drives with a password restriction function Access.

2) Electronic digital signature (electronic signature).

The signature process is implemented by cryptographic information conversion using a closed signature key And allows you to check the lack of distortion of information in the electronic document from the date of signature (integrity), the signature belonging to the owner of the signature key certificate (authorship), and in case of successful verification, confirm the fact of signing an electronic document (non-sensibility).

Examples of notified SCS: EDS generators, software for maintenance and implementation of the mechanism of EDS, key information storage devices EDS.

Category number 3.

3. Encryption (cryptographic) means that are components of software operating systems whose cryptographic capabilities cannot be changed by users who are designed to install the user independently without further essential support with the supplier and technical documentation (description of cryptographic transformation algorithms, interaction protocols, descriptions of interfaces, and T .d.) To which is an accessible to the user.

Operating system This is a complex of interconnected programs designed to manage computer resources and organizing interaction with the user.

Examples of notified SCS: Operating systems and software complexes based on them.

Category number 4.

4. Personal smart cards (intelligent cards): 1) cryptographic capabilities of which are limited to their use in categories of goods (products) specified in paragraphs 5 - 8 of this List; 2) for a wide public application, the cryptographic capabilities of which are not available to the user and which as a result of special development have limited protection capabilities stored on them personal Information.

Smart maps These are plastic cards with a built-in microcircuit. In most cases, the smart card contains a microprocessor and an operating system that controls the device and controlling access to objects in its memory.

Examples of notified SCS: SIM access to services mobile operators, bank cardsequipped with chip-microprocessor, intelligent identification cards for its owner.

Category number 5.

5. Receiving equipment for broadcasting, commercial television or similar commercial equipment for broadcasting to a limited audience without encrypting a digital signal, except cases of encryption uses exclusively to control video or audio channels, sending accounts or returning information associated with broadcasting providers.

This category refers to goods intended to provide the user with access to paid coded digital satellite, essential and cable TV channels and radio stations (radio channels) (examples of standards: DVB-CPCM, DVB-CSA).

Examples of notified SCS: TV tuners, television receivers, satellite television receivers.

Category No. 6.

6. Equipment, the cryptographic capabilities of which are not available to the user, specially designed and limited to use any of the following methods: 1) The software is executed in a copy-protected form; 2) access to any of the following: protected from copying content stored only on reading electronic information media; information stored in an encrypted form on electronic media information that are offered for the sale of the population in identical sets; 3) Control of coping audio and video information protected by copyright.

Examples of notified SCS: Gaming consoles, games, software, etc.

Category number 7.

7. Encryptic (cryptographic) equipment specially designed and limited by application for bank or financial transactions.

Products of this category should be a hardware device, i.e. To have a finished type of banking equipment, the use of which does not imply additional assembly or refinement with the exception of modernization goals.

Examples of notified SCS: ATMs, payment terminals, PIN-PAD (bank cards refer to category No. 4).

Category number 8.

8. Portable or mobile radio electronic media (for example, for use in commercial civilian radio systems), which are not capable of end-to-end encryption (from the subscriber to the subscriber).

All devices are assigned to this category. cellular communicationoperating in GSM, GPRS, EDGE, UMTS, LTE standards, as well as some radio stations. The main requirement for the goods in this category in the field of the functional being performed is the absence of ability to through encryption. The relationship between subscribers should be carried out through the relay device.

Examples of notified SCS: Mobile devices Communication and devices that have in their composition cellular modules of the above standards, radio stations.

Category number 9.

9. Wireless radio electronic equipment that encrypts information only in a radio channel with a maximum wireless range without amplification and relaying less than 400 m in accordance with technical Conditions manufacturer.

This includes most devices that can otherwise call as "Radio electronic means of a small radius of action". Encryption occurs when transferring / receiving information on wireless radio channel in order to protect it against interception, penetration of unauthorized users into a communication network. As you know, such protection supports most of the wireless data standards: Wi-Fi, Bluetooth, NFC, sometimes RFID.

Examples of notified SCS: Routers, access points, modems, devices containing in their composition Modules Wireless Radiocommunication Middle Radius, Contactless Access / Payment Cards / Identification.

Category №10

10. Encryption (cryptographic) means used to protect technological channels of information and telecommunication systems and communication networks.

This category describes the goods that are network devices performing switching and service Functions. As a rule, most of these devices support simple network control protocols to allow network status monitoring, its performance, as well as send the network administrator commands to its different nodes.

Examples of notified SCS: Servers, switches, network platforms, gateways.

Category №11

11. Products whose cryptographic function is blocked by the manufacturer.

This category can be represented absolutely. different types devices of different appointments and applications. A decisive factor in the classification of such goods to category No. 11 is the presence of a pre-installed software or hardwarewhich produces targeted blocking Cryptographic functions performed by goods.

Category number 12.

12. Other products that contain encryption (cryptographic) means other than those specified in paragraphs 1 - 11 of this List and comply with the following criteria: 1) are publicly available to sell the population in accordance with the legislation of the State Member of the Eurasian Economic Union without restrictions from the existing The availability of the range in places of retail through any of the following: Sales for cash; sales by ordering goods by mail; electronic transactions; sales on telephone orders; 2) encryption (cryptographic) functionality which cannot be changed by the user simple way; 3) Developed to install a user without further substantial support by the supplier; 4) Technical documentation confirming that the goods comply with the requirements of subparagraphs 1 - 3 of this item, is posted by the manufacturer in free access and it seems, if necessary, the manufacturer (face, authorized) by the authority on his request.

It is worth noting that in the practice of the Central TsLSF of the Federal Summary of Russia places increased requirements for the presentation of materials for registration of notifications for goods of this category. Thus, all of the listed criteria must be confirmed (links to the manufacturer's website with information in Russian or documented).

The most common categories of SCS

In the Unified Registry for each notification, the list of categories to which the goods are subject to. This information is encoded in the field. "Identifier": The field is a 12-digit code, wherein, if the product refers to the category N number from the list above, then the position n in the code will cost a digit 1, otherwise - 0.

For example, code 110000000110 It suggests that the goods were notified by category No. 1, 2, 10 and 11.

It is interesting to look at the statistics of the use of various categories.

As can be seen from the diagram, the most common and common cryptographic functions in the SCC is to encrypt data in a wireless radiocanal of a small radius of action (Wi-Fi, Bluetooth) - 27% from the total number of registered SCS, which is logical, given the volume of mobile communications, personal computers and other technical devicesequipped with modules supporting communication technology data.

Second place occupy SCCs that support authentication functions and control access to secure information - 19,5% . This trend is also easily explained by elevated standards and consumer requests to protect personal information as physical media (hard drives, USB flash drives, servers, etc.) and networks ( cloud storage, network banks, etc.). Additionally, it is worth noting that the overwhelming majority of the SCS used in access control and access control systems (better known as SCS) also perform cryptographic functionality related to category number 2.

Since the network work is an integral part of the functioning of any information system, the aspects of administration of this communication network are implemented in network devices Control. The safety of the control system organized by these devices is implemented by applying the mechanisms of encryption of technology communication channels, which is the basis for categorizing this SCC in category No. 10, which is the third most prevalence - 16% .

It is also important to note that the least common function of the SCS are distributed by category №5 (0,28% ), №12 (0,29% ) I. №7 (0,62% ). Products that implement these cryptographic functions are rare and when registering in the Central Committee, the documentation on them is subjected to more detailed analysis, because "Not put on stream" and sets of cryptographic protocols used and algorithms can be unique in each case. That is why these categories of these categories need to be given to maximum attention when drawing up the necessary documents, since otherwise the risk of refusal registration is extremely large.

Notes

Links

  • Electronic signature (EDS) - a single electronic signature portal, - http://www.techportal.ru/glossary/identifikatsiya.html
  • Cryptographic methods of information protection, - Collection of lectures on the basics local networks National Open University, - http://www.intuit.ru/studies/courses/16655/1300/lecture/25505?page\u003d2
  • Concept operating system- materials of the portal about operating systems, - http://osys.ru/os/1/ponyatie_operatsionnoy_sistemy.shtml
  • Introduction to SNMP - Materials on Network Security, - http://network.xsp.ru/6_1.php

Cryptographic information security tools are based on the use of data encryption principles.

Encryption- This is a reversible conversion of information in order to hide from unauthorized individuals, while maintaining data access for authorized users.

Encryption is used:

  • To hide information from unauthorized users when transferring, storing and preventing changes;
  • data source authentication and prevent the sender failure from the fact of sending;
  • Confidentiality transmitted information, i.e. its availability only for authorized users who have a certain authentic (valid, genuine) key.

Thus, using encryption is provided with mandatory categories of IB: confidentiality, integrity, availability and identifiability.

Encryption is implemented by two data conversion processes - encrypted and decoding using the key. According to GOST 28147-89, "information processing systems. Cryptographic protection. The cryptographic transformation algorithm ", the key is a specific secret state of some parameters of the cryptographic transformation algorithm, providing a choice of one conversion from the set of all sorts for this algorithm transformations.

Encryption key- This is a unique element for changing the results of the operation of the encryption algorithm: the same source data when using various keys will be encrypted differently.

To decrypt the encrypted information of the receiving side, a key and decoder is a device that implements data decoding. Depending on the number of keys used for encryption processes, two encryption methods are distinguished:

  • symmetric - use of the same key and for encryption and to decrypt data;
  • Asymmetric - two different keys are used: one for encryption (open), another for decryption (closed).

Data conversion procedures using the key are encryption algorithm. The following crypto-resistant encryption algorithms described in state standards are most popular: GOST 28147-89 (Russia), AES (Advanced Encryption Standard, USA) and RSA (USA). Nevertheless, despite the high complexity of these encryption algorithms, any of them can be hacked by extinguishing all possible key options.

The concept of "encryption" is the basic for another cryptographic means of providing an IB - digital certificate.

Digital certificate- This is released by the Certification Center (Certification Center) electronic or printed documentconfirming the owner of the open key owner or any attributes.

The digital certificate consists of 2 keys: public (Public) and private Private). PublicTherch is used to encrypt traffic from the client to the server in a secure connection, ^ PSh ^ e-part - to decrypt the encrypted traffic received from the client on the server. After generating a couple public / Private. Based on a public key, a certificate request is generated to the certificate authority. In response, the certification authority sends a signed digital certificate, while checking the authenticity of the client - the certificate holder.

Certification Center (Certification Center, Certification Authority, C A) is the side (department, organization), whose honesty is indisputable, and the public key is widely known. The main task of the certification authority is to confirm the authenticity of encryption keys using digital certificates (electronic signature certificates) by:

  • providing services for digital certificate certificates (electronic signature certificates);
  • Certificates of open keys;
  • obtaining and verifying information on the information specified in the key certificate and submitted documents.

Technically, the certification authority is implemented as a component of the global directory service responsible for managing the cryptographic key users. Open keys and other users information is stored with certifying centers in the form of digital certificates.

The main means of providing IB electronic documents in modern IP is their protection using the electronic (electronic digital) signature.

Electronic signature (EP)- props of the electronic document obtained as a result of cryptographic information conversion using a closed key that allows you to set the lack of distortion of data from the moment of signing the signature and check the signature accessory to the digital certificate (Certificate of the EP key).

Electronic signature is designed to identify a person signatory electronic documentand is a full-fledged replacement (analogue) of his own signature in cases provided by law. Using EP allows you to carry out:

  • Monitoring the integrity of the transmitted document: with any random or deliberate change in the document, the signature will be invalid because calculated on the basis of source state document and corresponds only to him;
  • protection against changes (fakes) of the document due to the guarantee of the detection of fake when monitoring the integrity of the data;
  • Evidence confirmation of the authorship of the document, since the closed key of the EP is known only to the owner of the corresponding digital certificate (fields can be signed: "Author", "Changes", "Time Tag", etc.).

Since the implementation of EP is based on the application of data encryption principles, there are two options for building EP:

  • Based on algorithms for symmetric encryption, which provides for the presence in the system of a third party (arbitrator), which is trusted by both parties. The authorization of the document is the very fact of encryption by its secret key and the transfer of his arbitrator;
  • Based on algorithms for asymmetric encryption - the most common in modern IC: schemes based on RSA encryption algorithm (Full Domain Hash, Probabilistic Signature Scheme, PKCS # 1), El Gamal, Schnera, Diffi Helman, Pointcheval-Stem Signature Algorithm, probabilistic Rabin signature scheme, Boneh-Lynn-Shacham, Goldwasser-Micali-Rivest, ECDSA elliptical curves schemes, National Cryptographic Standards: GOST R 34.10-2012 (Russia), DSTU 4145-2002 (Ukraine), STB 1176.2-99 ( Belarus), DSA (USA).

On the currently The main domestic standard regulating the concept of EP is GOST R 34.10-2012 " Information technology. Cryptographic information protection. Processes for forming and verifying electronic digital signature. "

As a rule, the implementation of the EP in the IP is performed by inclusion in their composition of special modular components containing certified tools for cryptographic data protection: CSP cryptopro, CSP signaling, Verba OW, Domain-K, Avest, Genquet and other certified FAPSIs (Federal Governmental Communication Agency and Information under the President Russian Federation) and satisfying Microsoft Crypto API specifications.

Microsoft CryptoAPI is a Windows application programming interface that contains a standard set of functions for working with cryptoproder. Included in operating systems Microsoft Windows. (starting in 2000).

CryptoAPI allows you to encrypt and decrypt data, supports operation with asymmetric and symmetric keys, as well as digital certificates. A set of supported cryptographic algorithms depends on a specific cryptoprovider.

Cryptograph (CRYPTOGRAPHY SERVICE PROVIDER, CSP) is an independent module for the implementation of cryptographic operations in Microsoft operating systems running CryptoAPI functions. Thus, the Crypto Provider is an intermediary between the operating system, which can control it using the standard CryptoAPI functions, and the artist of cryptographic operations, such as applied IC or hardware.

Cryptographic information security tools, or abbreviated SCJ, are used to ensure comprehensive data protection, which are transmitted over communication lines. To do this, you must comply with authorization and protection of the electronic signature, the authentication of the reporting parties using TLS and IPsec protocols, as well as the protection of the communication channel itself, if necessary.

In Russia, the use of cryptographic means of protecting information for the most part is classified, so there is little publicly available information regarding this topic.

Methods used in Skui

  • Authorization of data and ensuring the safety of their legal significance during transmission or storage. This use algorithms for creating an electronic signature and verification in accordance with the RFC 4357 established regulations and use certificates according to the X.509 standard.
  • Privacy protection data and monitoring their integrity. Asymmetric encryption and imitobracy is used, that is, opposition to the data substitution. GOST R 34.12-2015 is observed.
  • Protection of system and applied software. Tracking unauthorized changes or incorrect operation.
  • Management of the most important elements of the system in strict accordance with the accepted regulations.
  • Authentication of parties exchanging data.
  • Connection protection using the TLS protocol.
  • Protection of IP connections using IKE, ESP, AH protocols.

Detailed methods are described in the following documents: RFC 4357, RFC 4490, RFC 4491.

SKI mechanisms for information protection

  1. Privacy protection by stored or transmitted information occurs with the use of encryption algorithms.
  2. When establishing communication, identification is provided by electronic signature using them during authentication (on the X.509 Recommendation).
  3. The digital workflow is also protected by electronic signature tools together with imposition or repeat protection, while monitoring the accuracy of the keys used to verify electronic signatures.
  4. Information integrity is provided by means of digital signature.
  5. Using asymmetric encryption functions allows you to protect data. In addition, to verify the integrity of the data, the functions of the hashing or the simulators algorithms can be used. However, these methods do not support the definitions of the authorship of the document.
  6. Repeated protection occurs with cryptographic electronic signature functions for encryption or simulators. At the same time, a unique identifier is added to each network session, a long time is sufficient to eliminate its accidental coincidence, and the receipt of the receiving party is being implemented.
  7. Protection against imposition, that is, from penetration into communications from the part, is provided by electronic signatures.
  8. Other protection - against bookmarking, viruses, operating system modifications, etc. - is provided with the help of various cryptographic tools, security protocols, anti-virus software and organizational events.

As you can see, the electronic signature algorithms are a fundamental part of the process of cryptographic information protection. They will be discussed below.

Requirements when using SCJ

Skusi aims to protect (via electronic signature) of open data in various information systems general use and ensure their confidentiality (check of electronic signature, imitator, encryption, test of hash) in corporate networks.

Personal Cryptographic Information Protection Tool is used to protect personal data. However, the information relating to state secrets should be especially allocated. According to the law, the SCJO cannot be used to work with it.

IMPORTANT: Before installing Skusi, the first thing should be checked by the SPJ type package itself. This is the first step. As a rule, the integrity of the installation package is checked by comparing control sumsderived from the manufacturer.

After installation, it is necessary to determine the threat level, based on which it is possible to determine the types necessary for use: software, hardware and hardware and software. It should also be borne in mind that during the organization of some SPJs it is necessary to take into account the placement of the system.

Protection classes

According to the order of the FSB of Russia of 10.07.14 at number 378, which regulates the use of cryptographic means of protecting information and personal data, six classes are defined: CS1, KS2, KS3, kV1, kV2, ka1. The protection class for a particular system is determined from the analysis of data on the violator model, that is, from the assessment possible methods hacking system. Protection is based on software and hardware of cryptographic information protection.

AU (actual threats), as can be seen from the table, there are 3 types:

  1. The threats of the first type are associated with undocumented possibilities in the system software used in information system.
  2. The threats of the second type are associated with undocumented capabilities in the applied software used in the information system.
  3. The threat of the third type is called all the others.

Undocumented features are functions and properties softwarewhich are not described in the official documentation or do not correspond to it. That is, their use can increase the risk of violation of the confidentiality or integrity of information.

For clarity, consider the models of violators, for the interception of which you need one or another class of means of cryptographic protection of information:

  • CS1 - the violator acts from the outside, without helpers inside the system.
  • KS2 is an internal intruder, but not having access to SCJ.
  • KS3 - an internal violator, which is a user Skui.
  • KV1 - a violator who attracts third-party resources, such as SPJ specialists.
  • KV2 is a violator for the actions of which the institute or a laboratory working in the field of studying and developing SKZI.
  • Ca1 - special services of states.

Thus, the CS1 can be called a basic security class. Accordingly, the higher the class of protection, the less experts capable of providing it. For example, in Russia, according to 2013, there were only 6 organizations with a certificate from the FSB and capable of providing protection of the CA2 class.

Algorithms used

Consider the main algorithms used in the means of cryptographic information protection:

  • GOST R 34.10-2001 and updated GOST R 34.10-2012 - Algorithms for creating and checking the electronic signature.
  • GOST R 34.11-94 and the last GOST R 34.11-2012 - the algorithms for creating hash functions.
  • GOST 28147-89 and more new GOST R 34.12-2015 - implementation of encryption algorithms and imitobackers of data.
  • Additional cryptographic algorithms are in the RFC 4357 document.

Electronic signature

The use of means of cryptographic information protection cannot be submitted without the use of electronic signature algorithms that are gaining increasing popularity.

The electronic signature is a special part of the document created by cryptographic transformations. Its main task is to identify unauthorized changes and determining the authorship.

The electronic signature certificate is a separate document, which proves the authenticity and belonging to the electronic signature to its open key owner. The certificate is issued by certifying centers.

The owner of the electronic signature certificate is a person, whose name is registered by the certificate. It is associated with two keys: open and closed. The closed key allows you to create an electronic signature. Public key is designed to verify the authenticity of the signature due to the cryptographic connection with the closed key.

Types of electronic signature

By Federal law No. 63 Electronic signature is divided into 3 types:

  • normal electronic signature;
  • unqualified electronic signature;
  • qualified electronic signature.

Simple EP is created at the expense of passwords imposed on the opening and viewing of data, or similar means, indirectly confirming the owner.

Unqualified EP is created using cryptographic data transformations using a private key. Thanks to this, you can confirm the person who has signed the document and establish the fact of entering into these unauthorized changes.

A qualified and unqualified signatures differ only in the fact that in the first case, the certificate on EP must be issued by the certified FSB certifying center.

Electronic Signature Use Area

The table below shows the scope of applying EP.

The most active EP technology is applied in the exchange of documents. In the internal document flow, EP acts as approval of documents, that is, as a personal signature or printing. In the case of external document management, the presence of EP is critical, as it is a legal confirmation. It is also worth noting that the documents signed by EP are able to be stored infinitely long and not lose their legal significance due to such factors as erasing signatures, spoiled paper, etc.

Reporting to regulatory authorities is another sphere in which electronic document flow is increasing. Many companies and organizations have already appreciated the convenience of work in such a format.

According to the Law of the Russian Federation, every citizen has the right to use EL when using public services (for example, the signing of an electronic statement for the authorities).

Online trading is another interesting sphere in which an electronic signature is actively applied. It is a confirmation of the fact that in the auction participates a real man And his proposals can be considered reliable. It is also important that any prisoner contract with EP acquires legal force.

Algorithms of electronic signature

  • Full Domain Hash (FDH) and Public Key Cryptography Standards (PKCS). The latter is a whole group of standard algorithms for different situations.
  • DSA and ECDSA - E-Signature Creation Standards in the United States.
  • GOST R 34.10-2012 - Standard for the creation of EP in the Russian Federation. This standard Replaced GOST R 34.10-2001, the action of which officially stopped after December 31, 2017.
  • The Eurasian Union enjoys standards fully similar to Russian.
  • STB 34.101.45-2013 - Belarusian standard for digital electronic signatures.
  • DSTU 4145-2002 - Standard for creating an electronic signature in Ukraine and many others.

It should also be noted that the EP creation algorithms have various appointments And goals:

  • Group electronic signature.
  • Disposable digital signature.
  • Trusted ep.
  • Qualified and unskilled signature, etc.
Did not find an answer to your question? Look at here
State Services Personal AccountState Services Personal Account
State Supervisory Cabinet- Entrance on SNILS and TelephoneState Supervisory Cabinet- Entrance on SNILS and Telephone
Single telephone rescue service in the Russian FederationSingle telephone rescue service in the Russian Federation