ACCORD-TSHM OKB SAPR Special Design Bureau for CAD System Design www.accord.ru accord@accord.ru Accord. Reliability in an unreliable world. Moscow, 2009
Why does this happen: you are using various information security products, yet the information still leaks out?
In order to provide security, and not simply protect, it is necessary to understand what exactly is the OBJECT OF PROTECTION.
The objects of information protection are defined by the things that the intruder’s activities may be aimed at: the computer equipment (CE); the data that is stored and processed by the CE; data processing technologies; data transmission channels.
The goals of information protection are defined in accordance with the objects: protecting your computer from unauthorized access; delimiting the data access rights; providing the invariability of the data processing technology; transferring data in a protected form.
The goals of information protection are achieved by using the unauthorized access control product Accord-TSHM and the information protection systems that are based on it.
Protection of the computer from unauthorized access is achieved by providing a trusted startup mode for the operating system, which guarantees that: the user is exactly the one who has the right to work on this computer; the computer is exactly the one that this user has the right to work on.
Accord-TSHM: Trusted startup hardware module. Provides a trusted startup of the operating system, irrespective of its type, for an authenticated user.
What is secure boot? The operating system boot is performed only after successful completion of the following procedures: blocking the operating system boot from external storage media; integrity checking of the PC hardware and the software utilities, using a step-by-step integrity inspection algorithm; user identification/authentication.
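The boot gate described on this slide, as a small model added here for illustration; it is not OKB SAPR's firmware. SHA-256 and PBKDF2 stand in for the product's algorithms, and the object names, `trusted_startup`, the sample data and the stop-at-first-mismatch reading of "step-by-step" are assumptions; the administrator exception for removable media is not modelled.

```python
import hashlib
import hmac

# Constructed known-good contents; SHA-256 stands in for the product's hash (assumption).
GOOD = {
    "hardware_inventory": b"cpu=1;ram=512M;pci-slots=3",
    "disk_service_areas": b"constructed MBR and partition table bytes",
    "os_loader": b"constructed loader image bytes",
}
ORDER = ["hardware_inventory", "disk_service_areas", "os_loader"]
REFERENCE = {name: hashlib.sha256(GOOD[name]).hexdigest() for name in ORDER}

SALT = b"constructed-salt"

def password_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed user database: identifier serial -> password hash.
USERS = {"TM-0001": password_hash("S3cret-pass")}

def trusted_startup(boot_source, identifier, password, read_object, log):
    """Allow the OS boot only if every precondition passes; log each decision."""
    # 1. Boot from external storage media is blocked.
    if boot_source != "internal_disk":
        log.append(("deny", "external boot source: " + boot_source))
        return False
    # 2. Integrity inspection, one object at a time, stopping at the first
    #    mismatch so nothing after a failed object is read or trusted.
    for name in ORDER:
        digest = hashlib.sha256(read_object(name)).hexdigest()
        if not hmac.compare_digest(digest, REFERENCE[name]):
            log.append(("deny", "integrity mismatch: " + name))
            return False
        log.append(("ok", "integrity verified: " + name))
    # 3. Identification (known identifier) and authentication (password).
    stored = USERS.get(identifier)
    if stored is None or not hmac.compare_digest(stored, password_hash(password)):
        log.append(("deny", "authentication failed: " + identifier))
        return False
    log.append(("allow", "boot for " + identifier))
    return True
```
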
Accord-TSHM: protection from unauthorized access. Accord-TSHM provides the trusted startup of the operating systems, supporting the following file systems: FAT 12, FAT 16, FAT 32, NTFS, HPFS, EXT2FS, EXT3FS, FreeBSD, Sol86FS, QNXFS, MINIX.
Accord-TSHM: protection from unauthorized access. In particular, the trusted startup mode is provided for operating system families such as: MS DOS, Windows, OS/2, UNIX, LINUX, BSD and others.
The unauthorized access control product Accord-TSHM consists of hardware and software tools. Hardware tools: controller; contact device; identifier. Software tools: BIOS of the Accord-TSHM complex controller; firmware in which the TSHM functions are implemented.
Functional sufficiency of the resident software: external devices blocking opportunity; complex administration; TSHM functions; identification/authentication; storing and applying the keys; step-by-step integrity inspection mechanism; blocking boot from the removable media for all users, except for the administrator.
The main versions of Accord-TSHM include the following controllers for PCs with a PCI bus interface: Accord-5MX; Accord-5.5 with a powerful cryptographic subsystem.
Accord-TSHM, Accord-5MX controller-based. For PCs with a PCI bus interface. Protection class up to 1B (inclusive). Users registration – up to 128.
Accord-TSHM, Accord-5.5 controller-based. In addition to the Accord-5MX characteristics, it also has a hardware cryptographic subsystem: a powerful cryptographic calculator; a key information storage and monitoring tool.
Accord-TSHM, Accord-5.5 controller-based. Hardware implementation of all Russian cryptographic algorithms: encryption by GOST 28147-89 (up to 12 Mbyte/sec); calculation of the hash functions – GOST R 34.11-94 (6 Mbyte/sec); calculation/checking of the electronic digital signature by GOST R 34.10-2001 (50/50/80 msec); calculation of the authentication protection codes APC (3000 APC/sec).
Accord-TSHM, Accord-5.5 controller-based. Hardware implementation of the foreign cryptographic algorithms: RC2 encryption (about 4 Mbyte/sec), DES (24 Mbyte/sec), DESX (22 Mbyte/sec), TripleDES (8 Mbyte/sec); hash functions MD5 (15 Mbyte/sec) and SHA-1 (12 Mbyte/sec); electronic digital signature EDS (RSA (2048 bit - 350/350 msec, 1024 bit - 45/45 msec, 512 bit - 6/6 msec, 256 bit - 1/1 msec), DSA (12/15/27 msec 1024-bit)).
Accord-TSHM may also include the controllers: Accord-4.5 for PCs with an ISA bus interface; Accord-PC104 for PCs of the PC-104 standard; Accord-5MX mini-PCI for notebooks and other computers with a mini-PCI bus interface.
Accord-TSHM, Accord-4.5 controller-based. For PCs with an ISA bus interface. Protection class up to 1B (inclusive). Users registration – up to 128.
Accord-TSHM, Accord-5MX mini-PCI controller-based. For notebooks and other computers with a mini-PCI bus interface. Protection class up to 1B (inclusive). Users registration – up to 128. Hashing by GOST R 34.11-94 up to 17 Kb/sec. Production/checking of the Authentication Protection Code – 17 APC/sec.
Individual packaging. In accordance with the customer’s requirement, Accord-TSHM and Accord-TSHM-based systems may use various identifiers: TM-identifiers (standard packaging), smart-cards, fingerprint reading devices, PCDST (personal cryptographic data security tool) SHIPKA.
All of the Accord-TSHM modifications: may be used on any PC 386+ that has a free PCI (ISA) slot; use personal TM-identifiers DS 1992 – DS 1996 with a memory volume of up to 64 Kbit (or another identifier upon the customer’s request) for user identification and provide for the registration of up to 128 users on the PC; use a password of up to 12 symbols, entered from the keyboard, for user authentication.
All of the Accord-TSHM modifications: work with the following types of file systems: FAT 12, FAT 16, FAT 32, NTFS, HPFS, FreeBSD, Ext2FS, Sol86FS, QNXFS, MINIX; provide integrity control of the PC hardware before the operating system boot; provide integrity control of the programs and data before the operating system boot (for the operating systems of the Windows family, there is an option of integrity control for particular registry paths).
All of the Accord-TSHM modifications: block booting from removable media (FDD, CD ROM, ZIP-drive); register user activities in the system log, located in the permanent memory of the controller; provide the system administration.
System administration: assigning the general system settings; users registration; assigning access rights to users and user groups; selecting the objects that are subject to integrity control (files and directories, registry paths and values, utility areas of the hard disk, hardware tools); working with the event log.
[Diagram: Accord-TSHM unauthorized access control product architecture specifics. Labelled elements: permanent memory; random number generator; microprocessor software; databases (users, equipment, controlled objects); event log; TSHM software; TPM software; microprocessor; identifiers reader; PC controller; system bus; PC RAM; user; ISA. Access labels: R only; R/W; Add only. ISA – Information security administrator.]
Reliability in an unreliable world. The Accord-TSHM architecture provides: impossibility of introducing changes into the firmware; impossibility of concealing an unauthorized access from the information security administrator; possibility of building Accord-TSHM-based information protection systems (when installing special software).
Delimitation of the data access rights is provided by the hardware/software complexes based on Accord-TSHM and special software: Accord-1.95 – for the MS DOS, Windows 9x and Windows Millennium operating systems; Accord-NT/2000 – for the Windows NT, Windows 2000, Windows XP, Windows 2003 and Vista operating systems.
Information protection management based on the protected network data exchange is provided by the Accord-RAU subsystem, which joins the automated workplace of the information security administrator (AWP ISA) and the user terminals, equipped with the Accord-AMDZ-based hardware/software complexes.
Cryptographic algorithms for the protection of information technologies and for data transfer in a protected form are implemented in the Accord-5.5 controller, which may be used for encrypting data, signing it with an electronic digital signature and protecting the information technologies with the help of authentication protection codes (APC).
Certificates. The protection level provided by Accord-TSHM and the Accord-TSHM-based systems is approved by 20 conformance certificates, issued by: FAGCI, Government Technical Commission of Russia and FSTEC of Russia, the Ministry of Defence of the Russian Federation, GosStandard of Russia, Sanitary & Epidemiological Station of the Russian Federation.
The protective properties of the unauthorized access control products of the ACCORD™ family may be reinforced by using the following as a hardware identifier: a personal cryptographic data security tool – SHIPKA.