Hardware and software setup

home Windows
Windows

Categories of encryption tools and their features. Comparison of encryption tools Encryption cryptographic tools

Purpose: To protect the confidentiality, authenticity and integrity of information. Cryptographic systems and methods should be used to protect information that may be at risk if other means do not provide sufficient protection.

10.3.1 Policy on the use of cryptographic tools

Deciding whether cryptographic methods are suitable for the chosen purpose should be part of a broader process of risk assessment and choice of means. A risk assessment must be performed in order to determine the level of protection that the information requires. Based on the results of the evaluation, it can then be determined whether the cryptographic means what tools need to be implemented and for what purposes and business processes they will be used.

An organization needs to develop a policy for the use of cryptographic tools to protect its information. Such a policy is necessary in order to maximize the benefits and reduce the risk from the use of cryptographic methods, as well as to avoid misuse and misuse. When developing a policy, consider the following:

a) attitude of management towards the use of cryptographic tools in the organization, including general principles protection of information belonging to the organization;

b) approach to key information management methods, including methods for recovering encrypted information in case of loss, compromise or damage to keys;

c) positions and responsibilities, for example, appointing employees responsible for:

d) policy implementation;

e) key management;

f) method for determining the required level cryptographic protection;

g) standards that must be adopted for effective implementation throughout the organization (conformity of the chosen decisions and business processes).

10.3.2 Encryption

Encryption is a cryptographic technique that can be used to protect the confidentiality of information. It is recommended that you consider using this method to protect sensitive or sensitive information.

Based on the results of the risk assessment, the required level of protection should be determined, taking into account the type and quality of the chosen encryption algorithm and the length of the cryptographic keys used.

When implementing cryptographic policy within an organization, consideration should be given to laws and government restrictions on the use of cryptographic methods that may exist in different countries, as well as the transfer of encrypted information outside the country. In addition, issues related to the export and import of cryptographic technologies need to be considered (see also section 12.1.6).

To determine the level of protection you need, you should consult with an expert to help you select the appropriate tools that provide the protection you need and can maintain a strong key management system (see also section

ISO/EIC 17799:2000

10.3.5). In addition, legal advice may be required regarding the laws and regulations that may apply to the organization's chosen encryption methods.

10.3.3 Digital signatures

Digital signatures are a means of protecting the authenticity and integrity of electronic documents. They can be used, for example, in e-commerce to check who signed electronic document, and whether the content of the signed document has changed.

Digital signatures can be applied to any type of document processed electronically. They can be used, for example, to verify electronic payments, transfer of funds, contracts and agreements. A digital signature system can be implemented using a cryptographic method based on the use of a pair of keys that are uniquely related. In this case, one key is used to create a signature (secret key), and the other is used to verify it (public key).

The confidentiality of the secret key must be carefully monitored. This key must be kept secret, because anyone who gains access to this key will be able to sign documents (invoices, contracts, etc.), forging the signature of the owner of the key. In addition, the integrity of the public key must be protected. Such protection is provided through public key certificates (see section 10.3.5).

Consideration needs to be given to the type and quality of the signature algorithm and the length of the keys used. The cryptographic keys used for digital signatures must be different from the keys used for encryption (see section 10.3.2).

When using digital signatures, you must be aware of the laws that describe the conditions under which a digital signature is legally binding. For example, in the field of e-commerce, it is necessary to know the legal validity of digital signatures. If the terms of current legislation are insufficient, contracts or other agreements may be required to support the use of digital signatures. You should seek legal advice regarding laws and regulations that may apply to your organization's choice of using digital signatures.

10.3.4 Ensuring non-repudiation

Non-repudiation tools may be required when resolving disputes about whether an event or action has taken place - for example, when a dispute arises relating to the use electronic signature or payment. These tools can help in obtaining evidence that conclusively proves that some event or action took place, for example, refusal to send a digitally signed instruction to e-mail. These tools are based on the use of encryption and digital signatures (see.

also sections 10.3.2 and 10.3.3).

10.3.5 Key management

10.3.5.1 Protecting cryptographic keys

Cryptographic key management tools are required for effective application cryptographic methods. Compromise or loss of cryptographic keys may compromise the confidentiality, authenticity and/or integrity of information. An organization needs to establish a management system capable of supporting the use of two types of cryptographic methods, namely:

ISO/EIC 17799:2000

the same key that is used to both encrypt and decrypt information. This key is kept secret because anyone with access to it can decrypt all the information encrypted with it or introduce unauthorized information into the system;

b) public key methods, in which each user has a pair of keys - a public key (which can be transferred to anyone) and private key(which must be kept secret). Public key methods can be used for encryption (see Section 10.3.2) and for creating digital signatures (see Section 10.3.3).

All keys must be protected from modification and destruction. Secret and private keys must be protected from unauthorized disclosure. Cryptographic methods can also be used for this purpose. The equipment used to generate, store, and archive keys must be physically secured.

10.3.5.2 Standards, procedures and methods

The key management system should be based on an agreed set of standards, procedures, and secure practices to perform the following tasks:

a) creation of keys for various cryptographic systems and various fields of application;

b) creating and obtaining public key certificates;

c) handover of keys the right users along with instructions on how to activate the key upon receipt;

d) storage of keys and instructions for obtaining keys for authorized users;

e) changing or renewing keys, as well as rules governing the timing and methods of changing keys;

f) actions in relation to compromised keys;

g) revocation of keys, including methods to revoke or deactivate keys, for example, if the key has been compromised or if its owner leaves the organization (in this case, the key also needs to be archived);

h) recovery of lost or damaged keys to support business continuity, for example, to recover encrypted information;

i) key archiving, e.g. for archives and backups information;

j) destruction of keys;

k) logging and auditing of key management activities.

To reduce the chance of compromise, keys must have start and end dates defined so that they can only be used for a limited time. This period should depend on the conditions under which the cryptographic tool is used and on the possible risk.

It may be necessary to develop rules for responding to legal requests for access to cryptographic keys (for example, it may be necessary to provide encrypted information in plain text as evidence in court).

In addition to the issues of security of private and secret keys, it is also necessary to think about the protection of public keys. There is a danger that an attacker will be able to forge a digital signature by replacing the user's public key with his own. solve this

The term "cryptography" comes from the ancient Greek words for "hidden" and "writing". The phrase expresses the main purpose of cryptography - it is the protection and preservation of the secrecy of the transmitted information. Information protection can take place different ways. For example, by restricting physical access to data, hiding the transmission channel, creating physical difficulties in connecting to communication lines, etc.

Purpose of cryptography

Unlike traditional cryptography methods, cryptography assumes the full availability of the transmission channel for intruders and ensures the confidentiality and authenticity of information using encryption algorithms that make information inaccessible to outside reading. Modern system cryptographic information protection (CIPF) is a software and hardware computer complex that provides information protection according to the following main parameters.

  • Confidentiality- the impossibility of reading the information by persons who do not have the appropriate access rights. The main component of ensuring confidentiality in CIPF is the key (key), which is a unique alphanumeric combination for user access to a specific CIPF block.
  • Integrity- the impossibility of unauthorized changes, such as editing and deleting information. To do this, redundancy is added to the original information in the form of a check combination calculated by a cryptographic algorithm and depending on the key. Thus, without knowing the key, adding or changing information becomes impossible.
  • Authentication- confirmation of the authenticity of the information and the parties sending and receiving it. Information transmitted through communication channels must be uniquely authenticated by content, time of creation and transmission, source and recipient. It should be remembered that the source of threats can be not only an attacker, but also the parties involved in the exchange of information with insufficient mutual trust. To prevent such situations, CIPF uses a system of timestamps to make it impossible to resend or return information and change its order.

  • Authorship- confirmation and impossibility of refusal of actions performed by the user of information. The most common way to authenticate is the EDS system consists of two algorithms: to create a signature and to verify it. When working intensively with the ECC, it is recommended to use software certification authorities to create and manage signatures. Such centers can be implemented as completely independent of internal structure SKZI tool. What does this mean for the organization? This means that all transactions with are processed by independent certified organizations and forgery of authorship is almost impossible.

Encryption algorithms

Currently, among the CIPF, open encryption algorithms using symmetric and asymmetric keys with a length sufficient to provide the desired cryptographic complexity prevail. The most common algorithms:

  • symmetric keys - Russian Р-28147.89, AES, DES, RC4;
  • asymmetric keys - RSA;
  • using hash functions - Р-34.11.94, MD4/5/6, SHA-1/2.

Many countries have their own national standards. In the USA, a modified AES algorithm with a key of 128-256 bits is used, and in the Russian Federation, the electronic signature algorithm R-34.10.2001 and the block cryptographic algorithm R-28147.89 with a 256-bit key. Some elements of national cryptographic systems are prohibited for export outside the country, activities for the development of CIPF require licensing.

Hardware crypto protection systems

Hardware CIPF is physical devices containing software for encrypting, recording and transmitting information. Encryption devices can be made in the form of personal devices, such as ruToken USB encryptors and IronKey flash drives, expansion cards for personal computers, specialized network switches and routers, on the basis of which it is possible to build completely secure computer networks.

Hardware CIPF are quickly installed and operate at high speed. Disadvantages - high, in comparison with software and hardware-software CIPF, cost and limited upgrade options.

Also, the hardware blocks can be attributed to the CIPF blocks built into various devices registration and data transmission, where encryption and restriction of access to information is required. Such devices include automobile tachometers that record the parameters of vehicles, some types medical equipment etc. For full-fledged operation of such systems, a separate activation of the CIPF module by the supplier's specialists is required.

Systems of software cryptoprotection

Software CIPF is a special software package for encrypting data on storage media (hard and flash drives, memory cards, CD/DVD) and when transmitting over the Internet ( emails, attachments, secure chats, etc.). There are quite a lot of programs, including free ones, for example, DiskCryptor. The software CIPF also includes protected virtual networks information exchange, working "on top of the Internet" (VPN), expansion of the Internet HTTP protocol with support for HTTPS and SSL encryption - a cryptographic information transfer protocol widely used in IP telephony systems and Internet applications.

Software cryptographic information protection tools are mainly used on the Internet, on home computers and in other areas where the requirements for the functionality and stability of the system are not very high. Or as in the case of the Internet, when you have to create many different secure connections at the same time.

Software and hardware cryptoprotection

Combines best qualities hardware and software systems SKZI. This is the most reliable and functional way to create secure systems and data transmission networks. All user identification options are supported, both hardware (USB-drive or smart card) and "traditional" ones - login and password. Software and hardware cryptographic information protection tools support all modern encryption algorithms, have a large set of functions for creating a secure workflow based on digital signature, all the required state certificates. CIPF installation is carried out by qualified personnel of the developer.

Company "CRYPTO-PRO"

One of the leaders of the Russian cryptographic market. The company develops a full range of information protection programs using digital signatures based on international and Russian cryptographic algorithms.

The company's programs are used in the electronic document management of commercial and government organizations, for the submission of accounting and tax reporting, in various city and budget programs, etc. The company has issued more than 3 million licenses for the CryptoPRO CSP program and 700 licenses for certification centers. "Crypto-PRO" provides developers with interfaces for embedding cryptographic protection elements into their own and provides a full range of consulting services on the creation of SKZI.

Cryptoprovider CryptoPro

When developing CIPF CryptoPro CSP built-in operating room was used Windows system cryptographic architecture of Cryptographic Service Providers. The architecture allows you to connect additional independent modules that implement the required encryption algorithms. With the help of modules working through the CryptoAPI functions, cryptographic protection can be carried out by both software and hardware CIPF.

Key carriers

Various private keys can be used, such as:

  • smart cards and readers;
  • electronic locks and readers working with Touch Memory devices;
  • various USB keys and removable USB drives;
  • system files Windows Registry Solaris Linux.

Functions of a crypto provider

CIPF CryptoPro CSP is fully certified by FAPSI and can be used for:

2. Complete confidentiality, authenticity and data integrity through encryption and imitation protection according to Russian standards encryption and TLS protocol.

3. Integrity check and control program code to prevent unauthorized modification and access.

4. Creation of a system protection regulation.

Cryptographic security information security based on the principles of data encryption.

Encryption- this is a reversible transformation of information in order to hide from unauthorized persons, while maintaining access to data for authorized users.

Encryption is used:

  • to hide information from unauthorized users during transmission, storage and prevention of changes;
  • authentication of the data source and prevention of the refusal of the sender of information from the fact of sending;
  • privacy transmitted information, i.e., its availability only for authorized users who have a certain authentic (valid, genuine) key.

Thus, with the help of encryption, the mandatory categories of information security are provided: confidentiality, integrity, availability, and identifiability.

Encryption is implemented by two data transformation processes - encryption and decryption using a key. According to GOST 28147-89 “Information processing systems. Cryptographic protection. Cryptographic transformation algorithm, the key is a specific secret state of some parameters of the cryptographic transformation algorithm, which ensures the choice of one transformation from the set of transformations possible for a given algorithm.

Encryption key- this is a unique element for changing the results of the encryption algorithm: the same source data using different keys will be encrypted in different ways.

To decrypt encrypted information, the receiving party needs a key and a decryptor - a device that implements data decryption. Depending on the number of keys used for encryption processes, there are two encryption methods:

  • symmetrical - the use of the same key for both encryption and decryption of data;
  • asymmetric - two different keys are used: one for encryption (public), the other for decryption (private).

The data transformation procedures using the key constitute the encryption algorithm. The most popular at present are the following crypto-resistant encryption algorithms described in state standards: GOST 28147-89 (Russia), AES (Advanced Encryption Standard, USA) and RSA (USA). Nevertheless, despite the high complexity of these encryption algorithms, any of them can be cracked by enumeration of all options keys .

The concept of "encryption" is basic for another cryptographic means of providing information security - a digital certificate.

Digital certificate- this is an electronic or printed document issued by a certification authority (certification authority) confirming the ownership of a public key or any attributes by the owner.

A digital certificate consists of 2 keys: public (public) and private (private). Public-part is used to encrypt traffic from the client to the server in a secure connection, ^nsh^e-part - to decrypt the encrypted traffic received from the client on the server. After pair generation public/private Based on the public key, a certificate request is generated to the Certification Authority. In response, the certification authority sends a signed digital certificate, while verifying the identity of the client - the certificate holder.

A certification authority (certifying authority, Certification authority, C A) is a party (department, organization) whose honesty is undeniable, and the public key is widely known. The main task of the certification authority is to authenticate encryption keys using digital certificates (electronic signature certificates) by:

  • provision of services for certification of digital certificates (electronic signature certificates);
  • maintenance of public key certificates;
  • obtaining and verifying information on the conformity of the data specified in the key certificate and the submitted documents.

Technically, the CA is implemented as a component of the global directory service responsible for managing users' cryptographic keys. public keys and other information about users is stored by certification authorities in the form of digital certificates.

The main means of ensuring the IS of electronic documents in modern IS is their protection with the help of an electronic (electronic digital) signature.

Electronic signature (ES)- details of an electronic document obtained as a result of cryptographic transformation of information using a private key, which makes it possible to establish the absence of data distortion from the moment the signature was generated and to verify that the signature belongs to the owner of the digital certificate (ES key certificate).

The electronic signature is intended to identify the person who signed the electronic document, and is a full replacement (analogue) of a handwritten signature in cases provided for by law. The use of EP allows you to:

  • control of the integrity of the transferred document: in case of any accidental or intentional change of the document, the signature will become invalid, since it is calculated on the basis of initial state document and corresponds only to it;
  • protection against changes (forgery) of the document due to the guarantee of forgery detection during data integrity control;
  • conclusive confirmation of the authorship of the document, since the private key of the ES is known only to the owner of the corresponding digital certificate (fields can be signed: "author", "changes made", "time stamp", etc.).

Since the implementation of the ES is based on the application of the principles of data encryption, there are two options for constructing the ES:

  • based on algorithms symmetric encryption, which provides for the presence in the system of a third party (arbitrator), who is trusted by both parties. Authorization of the document is the very fact of encrypting it with a secret key and passing it to the arbiter;
  • based on asymmetric encryption algorithms - the most common in modern ICs: schemes based on the algorithm RSA encryption(Full Domain Hash, Probabilistic Signature Scheme, PKCS#1), ElGamal, Schnorr, Diffie-Hellman, Pointcheval-Stem signature algorithm, Rabin probabilistic signature scheme, Boneh-Lynn-Shacham, Goldwasser-Micali-Rivest, elliptic curve apparatus ECDSA, national cryptographic standards: GOST R 34.10-2012 (Russia), DSTU 4145-2002 (Ukraine), STB 1176.2-99 (Belarus), DSA (USA).

On the currently main domestic standard regulating the concept of ES is GOST R 34.10-2012 " Information technology. Cryptographic protection of information. The processes of formation and verification of electronic digital signature».

As a rule, the implementation of ES in IS is carried out by including in their composition special modular components containing certified cryptographic data protection tools: CryptoPro CSP, SignalCom CSP, Verba OW, Domain-K, Avest, Genkey and others certified by FAPSI (Federal Agency for Government Communications and information under the President Russian Federation) and meeting the Microsoft Crypto API specifications.

Microsoft CryptoAPI is a Windows application programming interface that contains a standard set of functions for working with a cryptographic provider. Included in operating systems Microsoft Windows(since 2000).

CryptoAPI allows you to encrypt and decrypt data, supports working with asymmetric and symmetric keys, as well as digital certificates. The set of supported cryptographic algorithms depends on the specific cryptographic provider.

A Cryptographic Service Provider (CSP) is an independent module for performing cryptographic operations in operating rooms. Microsoft systems controlled by CryptoAPI functions. Thus, the crypto provider is an intermediary between the operating system, which can manage it using standard features CryptoAPI, and a performer of cryptographic operations, such as an application IC or hardware.

About import
to the customs territory of the Eurasian
economic union and export from the customs
territory of the Eurasian Economic Union
encryption (cryptographic) means

Scroll
categories of goods that are encryption (cryptographic) means or contain encryption (cryptographic) means, the technical and cryptographic characteristics of which are subject to notification

1. Goods containing in their composition encryption (cryptographic) means having any of the following components:

1) a symmetric cryptographic algorithm using cryptographic key length not exceeding 56 bits;

2) an asymmetric cryptographic algorithm based on any of the following methods:

factorization of integers, the size of which does not exceed 512 bits;

calculation of discrete logarithms in the multiplicative group of a finite field, the size of which does not exceed 512 bits;

discrete logarithm in the group of a finite field other than the field specified in third paragraph of this subclause, the size of which does not exceed 112 bits.

Notes: 1. Parity bits are not included in the key length.

2. The term "cryptography" does not refer to fixed methods of data compression or encoding.

2. Goods containing encryption (cryptographic) means with the following limited functions:

1) authentication, which includes all aspects of access control, where there is no encryption of files or texts, with the exception of encryption, which is directly related to the protection of passwords, personal identification numbers or similar data to protect against unauthorized access;

Note. Authentication and electronic digital signature functions ( electronic signature) include an associated key distribution function.

3. Encryption (cryptographic) tools that are components of software operating systems, the cryptographic capabilities of which cannot be changed by users, which are designed to be installed by the user on their own without further significant support from the supplier and technical documentation (description of cryptographic transformation algorithms, interaction protocols, description of interfaces, etc.) d) which is available to the user.

4. Personal smart cards (smart cards):

1) whose cryptographic capabilities are limited by their use in the categories of goods (products) specified in paragraphs 5 - 8 this list;

2) for wide public use, the cryptographic capabilities of which are not available to the user and which, as a result of special development, have limited capabilities for protecting personal information stored on them.

Note. If a personal smart card (smart card) can perform several functions, the control status of each of the functions is determined separately.

5. Reception equipment for radio broadcasting, commercial television or similar commercial equipment for broadcasting to a limited audience without digital encryption, except when encryption is used solely to manage video or audio channels, send bills, or return program-related information to broadcast providers.

6. Equipment, the cryptographic capabilities of which are not available to the user, specially designed and limited for use in any of the following ways:

1) the software is executed in a copy-protected form;

2) access to any of the following:

copy-protected content stored on a read-only electronic storage medium;

information stored in encrypted form electronic media information that is offered for sale to the public in identical sets;

3) control of copying audio and video information protected by copyright.

7. Encryption (cryptographic) equipment specially designed and limited to banking or financial transactions.

Note. Financial operations include fees and charges for transport services and credit.

8. Civilian portable or mobile radio-electronic equipment (for example, for use in commercial civil cellular radio communication systems) that is not capable of end-to-end encryption (from subscriber to subscriber).

9. Wireless radio-electronic equipment that encrypts information only in a radio channel with a maximum wireless range without amplification and retransmission of less than 400 m in accordance with specifications manufacturer.

10. Encryption (cryptographic) means used to protect technological channels of information and telecommunication systems and communication networks.

11. Goods, cryptographic function which are blocked by the manufacturer.

12. Other goods that contain encryption (cryptographic) means other than those specified in paragraphs 1 - 11 of this list and meet the following criteria:

1) are publicly available for sale to the public in accordance with the legislation of the member state of the Eurasian Economic Union without restrictions from the available assortment at retail outlets through any of the following:

sales for cash;

sales by ordering goods by mail;

electronic transactions;

telephone sales;

2) encryption (cryptographic) functionality which cannot be changed by the user in a simple way;

3) are designed to be installed by the user without further substantial support from the supplier;

4) technical documentation confirming that the goods meet the requirements subparagraphs 1 - 3 of this paragraph, is placed by the manufacturer in the public domain and is submitted, if necessary, by the manufacturer (a person authorized by him) to the coordinating body at his request.

Liked the article? Share with friends!
Twitter
print
Was this article helpful?
Yes
Not
Thanks for your feedback!
Something went wrong and your vote was not counted.
Thank you. Your message has been sent
Did you find an error in the text?
Select it, click Ctrl+Enter and we'll fix it!
Related Tips
First look at the iPhone SE Video reviews iPhone SE
First look at the iPhone SE Video reviews iPhone SE
Samsung A9 processor is more voracious than TSMC iPhone SE in hand
Samsung A9 processor is more voracious than TSMC iPhone SE in hand
Sharp has created the world's first completely frameless smartphone
Sharp has created the world's first completely frameless smartphone
Sharp Aquos S2 is the new smartphone with the smallest bezels
Sharp Aquos S2 is the new smartphone with the smallest bezels
Proper charging of iPhone, iPad, MacBook batteries
Proper charging of iPhone, iPad, MacBook batteries
Why do photographers choose RAW format for photography?
Why do photographers choose RAW format for photography?