OKB SAPR. Special Design Bureau for CAD System Design. www.accord.ru 1@accord.ru Accord. Safety in an unsafe world. Moscow, 2007
Why does this happen — you are using various information security products, yet the information still leaks out?
In order to provide security, and not simply protect, it is necessary to understand what exactly is the OBJECT OF PROTECTION.
The objects of information protection are defined by the things that the intruder’s activities may be aimed at: the computer equipment (CE); the data that is stored and processed by the CE; data processing technologies; data transmission channels.
The goals of information protection are defined in accordance with the objects: protecting your computer from unauthorized access; delimiting the data access rights; ensuring the invariability of the data processing technology; transferring data in a protected form.
The goals of information protection are achieved by using the unauthorized access control product Accord-TSHM and the information protection systems that are based on it.
Accord-TSHM Trusted Startup Hardware Module
Protection of the computer from unauthorized access is achieved by providing a secure boot mode for the operating system, which guarantees that: the user is exactly the one who has the right to work on this computer; the computer is exactly the one that this user has the right to work at.
Accord-TSHM: Trusted Startup Hardware Module. Provides a secure boot of the operating system, irrespective of its type, for an authenticated user.
What is secure boot? The operating system boot is performed only after successful completion of the following procedures: blocking the operating system boot from external storage media; integrity checking of the PC hardware and the software utilities, using a step-by-step integrity inspection algorithm; user identification/authentication.
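An added example (not OKB SAPR's code) that models the three pre-boot procedures listed above as a single gate that releases the boot only when all of them succeed. SHA-256 and PBKDF2 stand in for the controller's hardware algorithms, and every name and sample value is constructed for illustration.

```python
import hashlib
import hmac

def digest(data: bytes) -> str:
    # Assumption: SHA-256 stands in for the controller's hardware hash.
    return hashlib.sha256(data).hexdigest()

def password_record(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2 is used here; the page does not say how passwords are stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def trusted_startup(boot_device, objects, reference, users, ident, password, log):
    """Return True only if every pre-boot check passes; each decision is appended to log."""
    # 1. Boot from external/removable media is blocked.
    if boot_device != "internal":
        log.append(("deny", "external boot device: " + boot_device))
        return False
    # 2. Step-by-step integrity inspection: controlled objects are checked in
    #    order, and the first mismatch stops the chain before later stages run.
    for name, content in objects:
        expected = reference.get(name)
        if expected is None or not hmac.compare_digest(digest(content), expected):
            log.append(("deny", "integrity failure: " + name))
            return False
    # 3. Identification (hardware identifier) and authentication (password).
    record = users.get(ident)
    if record is None:
        log.append(("deny", "unknown identifier"))
        return False
    salt, stored = record
    if not hmac.compare_digest(password_record(password, salt), stored):
        log.append(("deny", "bad password for " + ident))
        return False
    log.append(("allow", "boot released for " + ident))
    return True

# Constructed sample data: controlled objects, their reference digests, one user.
OBJECTS = [("mbr", b"\x33\xc0boot"), ("loader", b"loader-v1"), ("kernel", b"kernel-v1")]
REFERENCE = {name: digest(content) for name, content in OBJECTS}
SALT = b"constructed-salt"
USERS = {"TM-0001": (SALT, password_record("correct-pass", SALT))}
```

The reference digests and user records must live where the booted system cannot rewrite them, which is the role the slides assign to the controller's permanent memory.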
Accord-TSHM: protection from unauthorized access. Accord-TSHM provides the secure boot of operating systems that support the following file systems: FAT 12, FAT 16, FAT 32, NTFS, HPFS, EXT2FS, EXT3FS, FreeBSD, Sol86FS, QNXFS, MINIX.
Accord-TSHM: protection from unauthorized access. In particular, the secure boot mode is provided for operating system families such as: MS DOS, Windows, OS/2, UNIX, LINUX, BSD and others.
The unauthorized access control product Accord-TSHM consists of hardware and software tools. Hardware tools: controller; contact device; identifier. Software tools: BIOS of the Accord-TSHM complex controller; firmware, in which the TSHM functions are implemented.
Functional sufficiency of the resident software: external devices blocking opportunity; complex administration; TSHM functions; identification/authentication; storing and applying the keys; step-by-step integrity inspection mechanism; blocking boot from the removable media for all users, except for the administrator.
The main versions of Accord-TSHM include the controllers for PCs with PCI and PCI-X bus interfaces: Accord-5MX; Accord-5.5, with a powerful cryptographic subsystem; Accord-6, with cryptographic and communication subsystems.
Accord-TSHM, Accord-5MX controller-based. For PCs with the PCI bus interface. Protection class up to 1B (inclusive). User registration: up to 128.
Accord-TSHM, Accord-5.5 controller-based. In addition to the Accord-5MX characteristics, it also has a hardware cryptographic subsystem: a powerful cryptographic processor; a key information storage and monitoring tool.
Accord-TSHM, Accord-5.5 controller-based. Hardware implementation of all Russian cryptographic algorithms: encryption by GOST 28147-89 (up to 12 Mbyte/sec); calculation of the hash functions by GOST R 34.11-94 (6 Mbyte/sec); calculation/checking of the electronic digital signature by GOST R 34.10-94 (3/3/7 msec - 512 bit, 11/11/24 msec - 1024 bit); calculation/checking of the electronic digital signature by GOST R 34.10-2001 (50/50/80 msec); calculation of the authentication protection codes, APC (3000 APC/sec).
Accord-TSHM, Accord-5.5 controller-based. Hardware implementation of the foreign cryptographic algorithms: RC2 encryption (about 4 Mbyte/sec), DES (24 Mbyte/sec), DESX (22 Mbyte/sec), TripleDES (8 Mbyte/sec); hash functions MD5 (15 Mbyte/sec) and SHA-1 (12 Mbyte/sec); electronic digital signature, EDS (RSA (2048 bit - 350/350 msec, 1024 bit - 45/45 msec, 512 bit - 6/6 msec, 256 bit - 1/1 msec), DSA (12/15/27 msec 1024-bit)).
Accord-TSHM, Accord-6 controller-based. Universal data security hardware solution implementing functions of protection against unauthorized access, cryptographic data security functions and network data security functions:
Accord-TSHM, Accord-6 controller-based, is a full-fledged 32-bit high-performance microcomputer equipped with PCI 32-bit, 33 MHz 3.3/5V, Ethernet 10/100, RS-232, USB-host, USB-slave, iButton (Touch Memory) and physically implemented as a standard low-profile expansion card to be plugged into the PCI/PCI-X slot of the computer.
Accord-TSHM may also include the controllers: Accord-5.5.e for PCs with the PCI-Express bus interface; Accord-5.5 mini-PCI for notebooks and other computers with the mini-PCI bus interface; Accord-5.5 mini-PCIe for PCs with the mini-PCI-Express standard.
Accord-TSHM, Accord-5.5.e controller-based. For computers with the modern PCI-Express bus interface. All the Accord-5.5 characteristics.
Accord-TSHM, Accord-5.5 mini-PCI controller-based. For notebooks and other computers with the mini-PCI bus interface. All the Accord-5.5 characteristics. 4,5 x 6 cm
Individual packaging: in accordance with the customer’s requirements, Accord-TSHM and Accord-TSHM-based systems may use various identifiers: TM-identifiers (standard packaging), smart cards, fingerprint reading devices, PCDST (personal cryptographic data security tool) SHIPKA.
All of the Accord-TSHM modifications: may be used in any PC 386+ that has a free PCI (ISA) slot; use personal TM-identifiers DS 1992 – DS 1996 with a memory volume of up to 64 Kbit (or another identifier upon the customer’s request) for user identification and provide for the registration of up to 128 users at the PC; use a password of up to 12 symbols, entered from the keyboard, for user authentication;
All of the Accord-TSHM modifications: work with the following types of file systems: FAT 12, FAT 16, FAT 32, NTFS, HPFS, FreeBSD, Ext2FS, Sol86FS, QNXFS, MINIX; provide integrity control of the PC hardware before the operating system boot; provide integrity control of the programs and data before the operating system boot (for the operating systems of the Windows family, there is an option of integrity control for particular registry paths);
All of the Accord-TSHM modifications: block booting from removable media (FDD, CD-ROM, ZIP drive); register user activities in the system log, located in the permanent memory of the controller; provide system administration.
System administration:
• assigning the general system settings;
• user registration;
• assigning access rights to users and user groups;
• selecting the objects that are subject to integrity control:
  • files and directories,
  • registry paths and values,
  • utility areas of the hard disk,
  • hardware tools;
• working with the event log.
[Figure: Accord-TSHM unauthorized access control product architecture specifics. Components shown: permanent memory (microprocessor software; databases of users, equipment and controlled objects; event log), random number generator, microprocessor, identifiers reader, PC controller, system bus, PC RAM, TSHM software. Access labels shown for the user and the ISA: R only, R/W, Add only. ISA – Information security administrator.]
Reliability in an unreliable world. The Accord-TSHM architecture provides: impossibility of introducing changes into the firmware; impossibility of concealing an unauthorized access from the information security administrator; possibility of building Accord-TSHM-based information protection systems (when installing special software).
Information access isolation is provided by the hardware/software complexes based on Accord-TSHM and special software: Accord-1.95 – for the MS DOS, Windows 9x and Windows Millennium operating systems; Accord-NT/2000 – for the Windows NT, Windows 2000, Windows XP, Windows 2003 and Vista operating systems;
Data Security Management based on protected network data exchange is provided by the Accord-DAC (distributed audit and control) subsystem, which combines an information security administrator's workstation (ISA WKS) and workstations equipped with DSS (data security systems) belonging to the ACCORD family.
Cryptographic algorithms for protecting information technologies and transferring data in a protected form have been implemented in the Accord-5.5 controller, which may be used for encrypting data, signing it with an electronic digital signature and protecting information technologies with the help of authentication protection codes (APC).
Certificates. The protection level provided by Accord-TSHM and the Accord-TSHM-based systems is confirmed by 20 conformance certificates, issued by: FAGCI, Government Technical Commission of Russia and FSTEC of Russia, the Ministry of Defence of the Russian Federation, GosStandard of Russia, Sanitary & Epidemiological Station of the Russian Federation.
The protective properties of the unauthorized access control products of the ACCORD™ family may be reinforced by using the following as a hardware identifier: a personal cryptographic data security tool, SHIPKA.
OKB SAPR. Special Design Bureau for Computer-Aided Design. www.accord.ru 1@accord.ru PERSONAL cryptographic data security tool (PCDST) SHIPKA. Moscow, 2005
Ideal information interoperability: Mobile and User-friendly and Protected
Real life confronts you with an alternative: Mobile OR User-friendly OR Protected
Using confidential information
Storing the passwords for the web-services and the encryption keys / Electronic Digital Signature (EDS)
Banking account administration
Of two evils choose the lesser!
In order to have everything you need, it’s enough to have PCDST SHIPKA with you.
PCDST SHIPKA. Mobility: doesn’t require software installation from additional carriers; may be used at any PC that has a USB port. User-friendliness: doesn’t require installation of cryptographic libraries on the PC; provides safe storage and application of personal confidential data; doesn’t require any special skills when operating on the PC or on the Internet. Protectability: hardware implementation of the cryptographic algorithms, protected random number generator, protected permanent memory, applying the keys without transferring them to the PC.
[Figure: SHIPKA hardware. Components shown: USB controller (Transport Level); protected MCU core (ALU); firmware commands memory (cryptographic library; functions of the file system (FS), similar to ISO 7816-4); critical data memory; SPI (Functional Level); hardware-based random number monitor; FS data, Flash data memory.]
Firmware SHIPKA • Cryptographic library • Support of the file system, similar to ISO/IEC 7816-4 • Upgradeability without any additional equipment required from the user.
Firmware SHIPKA: Cryptographic library: Russian algorithms. Russian cryptographic algorithms: • Encryption: GOST 28147-89. • Hash-function calculation: GOST R 34.11-97. • Calculation and checking of the Electronic Digital Signature: GOST R 34.10-94, GOST 34.10-2001. • Calculation and checking of the APC (authentication protection codes).
Firmware SHIPKA: Cryptographic library: foreign algorithms. Foreign cryptographic algorithms: • Encryption: RC2, RC4, RC5, DES, 3DES, RSA. • Hash-function calculation: MD5 and SHA-1. • Electronic Digital Signature: RSA, DSA.