Means of cryptographic information protection (CIPF): types and application


Cryptographic information protection tools (CIPF for short) are used to provide comprehensive protection of data transmitted over communication lines. This requires authorization and protection of the electronic signature, authentication of the communicating parties using the TLS and IPsec protocols, and, where necessary, protection of the communication channel itself.

In Russia, the use of cryptographic information protection tools is largely classified, so there is little publicly available information on this topic.

Methods used in CIPF

  • Authorization of data and preservation of its legal significance during transmission or storage. For this, algorithms for creating and verifying an electronic signature are used in accordance with RFC 4357, together with certificates according to the X.509 standard.
  • Protecting data confidentiality and monitoring its integrity. Asymmetric encryption and imitation protection (imitozashchita, that is, counteracting data substitution) are used, in compliance with GOST R 34.12-2015.
  • Protection of system and application software: monitoring for unauthorized changes or incorrect functioning.
  • Management of the most important elements of the system in strict accordance with the adopted regulations.
  • Authentication of the parties exchanging data.
  • Securing the connection using the TLS protocol.
  • Protecting IP connections using the IKE, ESP and AH protocols.

The methods are described in detail in the following documents: RFC 4357, RFC 4490, RFC 4491.

CIPF mechanisms for information protection

  1. The confidentiality of stored or transmitted information is protected by the use of encryption algorithms.
  2. When establishing a connection, identification is provided by an electronic signature used during authentication (as recommended by X.509).
  3. Digital document flow is also protected by electronic signatures together with protection against imposition and replay, while the authenticity of the keys used to verify electronic signatures is monitored.
  4. The integrity of information is ensured by means of a digital signature.
  5. Using asymmetric encryption functions helps protect your data. In addition, hash functions or imitation-protection algorithms can be used to check data integrity. However, these methods do not make it possible to determine the authorship of a document.
  6. Protection against replay (repetition) uses the cryptographic functions of an electronic signature, encryption or imitation protection. In this case, a unique identifier is added to each network session, long enough to rule out its accidental coincidence, and verification is implemented by the receiving party.
  7. Protection against imposition, that is, against injection of messages into the communication from outside, is provided by means of an electronic signature.
  8. Other protection, against backdoors (implants), viruses, modifications of the operating system, etc., is ensured using various cryptographic tools, security protocols, anti-virus software and organizational measures.

As you can see, electronic signature algorithms are a fundamental part of a means of cryptographic information protection. They will be discussed below.
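The replay and imposition checks from items 6 and 7 above, as an added illustration that is not part of the original article: each session gets a random identifier, each message carries a sequence number, and the receiving side verifies an integrity tag before accepting anything. HMAC-SHA256 is used here as a stand-in for a certified imitation-protection algorithm, and the key and session layout are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional

# Constructed shared key for the demo; in a real CIPF it would come from the key-management subsystem.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"

SESSION_LEN, SEQ_LEN, TAG_LEN = 16, 8, 32


def make_message(key: bytes, session_id: bytes, seq: int, payload: bytes) -> bytes:
    """Frame = session_id (16 B) || seq (8 B, big-endian) || payload || tag (32 B).
    The tag covers everything before it, so substitution of any field is detected."""
    header = session_id + struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Receiving side: verifies the tag, rejects messages from unknown sessions
    (imposition) and rejects repeated or out-of-order sequence numbers (replay)."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        # highest sequence number accepted so far, per session identifier
        self.sessions: Dict[bytes, int] = {}

    def open_session(self, session_id: bytes) -> None:
        # A session identifier is used once; reusing one is refused.
        if session_id in self.sessions:
            raise ValueError("session identifier reused")
        self.sessions[session_id] = -1

    def accept(self, frame: bytes) -> Optional[bytes]:
        if len(frame) < SESSION_LEN + SEQ_LEN + TAG_LEN:
            return None
        session_id = frame[:SESSION_LEN]
        seq_bytes = frame[SESSION_LEN:SESSION_LEN + SEQ_LEN]
        payload, tag = frame[SESSION_LEN + SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        if session_id not in self.sessions:
            return None  # imposition: not tied to any session this side opened
        expected = hmac.new(self.key, frame[:-TAG_LEN], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # substitution: header or payload was altered
        seq = struct.unpack(">Q", seq_bytes)[0]
        if seq <= self.sessions[session_id]:
            return None  # replay: this or a later message was already accepted
        self.sessions[session_id] = seq
        return payload


def demo() -> Dict[str, Optional[bytes]]:
    """Run the receiver against a genuine exchange and three attacks; return what it accepted."""
    rx = Receiver(DEMO_KEY)
    sid = secrets.token_bytes(SESSION_LEN)
    rx.open_session(sid)
    m1 = make_message(DEMO_KEY, sid, 1, b"transfer 100")
    m2 = make_message(DEMO_KEY, sid, 2, b"transfer 200")
    tampered = bytearray(m2)
    tampered[SESSION_LEN + SEQ_LEN] ^= 0x01  # flip one payload bit
    foreign = make_message(DEMO_KEY, secrets.token_bytes(SESSION_LEN), 1, b"x")
    return {
        "first": rx.accept(m1),
        "second": rx.accept(m2),
        "replay": rx.accept(m1),
        "tampered": rx.accept(bytes(tampered)),
        "foreign": rx.accept(foreign),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'accepted' if result is not None else 'rejected'}")
```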

Requirements for using CIPF

CIPF is aimed at protecting (by verifying an electronic signature) open data in various public-use information systems, and at ensuring the confidentiality of data (electronic signature verification, imitation protection, encryption, hash verification) in corporate networks.

A personal cryptographic information protection tool is used to protect the user’s personal data. However, special emphasis should be placed on information related to state secrets. According to the law, CIPF cannot be used to work with it.

Important: before installing CIPF, the first thing you should check is the CIPF software package itself. This is the first step. Typically, the integrity of the installation package is verified by comparing checksums received from the manufacturer.
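The checksum comparison described in the paragraph above, as an added example that is not code from the original article: a manufacturer's checksum manifest (sha256sum format, constructed here) is parsed, every listed file is hashed, and each one is reported as matching, mismatching or missing. The manifest only helps if it was obtained over a trusted channel, separately from the package itself.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Dict


def parse_checksum_file(text: str) -> Dict[str, str]:
    """Parse lines of the form '<hex digest>  <filename>' (sha256sum output format).
    Blank lines and '#' comments are ignored; a leading '*' on the name marks binary mode."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        entries[name.lstrip("*")] = digest.lower()
    return entries


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(directory: str, expected: Dict[str, str]) -> Dict[str, str]:
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every file in the manifest.
    Every listed file is checked, so a dropped component is reported, not silently skipped."""
    report: Dict[str, str] = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report[name] = "MISSING"
            continue
        actual = sha256_of_file(path)
        report[name] = "OK" if hmac.compare_digest(actual, digest) else "MISMATCH"
    return report


def demo() -> Dict[str, str]:
    """Constructed package: one intact file, one altered file, one listed but absent."""
    with tempfile.TemporaryDirectory() as d:
        good = b"constructed installer bytes"
        with open(os.path.join(d, "cipf-setup.bin"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "cipf-driver.sys"), "wb") as f:
            f.write(b"altered driver bytes")
        manifest = (
            "# constructed manifest, as if received from the manufacturer\n"
            f"{hashlib.sha256(good).hexdigest()}  cipf-setup.bin\n"
            f"{hashlib.sha256(b'original driver bytes').hexdigest()}  *cipf-driver.sys\n"
            f"{'0' * 64}  README.txt\n"
        )
        return verify_package(d, parse_checksum_file(manifest))


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8} {name}")
```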

After installation, you should determine the level of threat, on the basis of which the types of CIPF required can be chosen: software, hardware, or hardware-software. When deploying some CIPF, the physical placement of the system must also be taken into account.

Protection classes

According to Order No. 378 of the FSB of Russia dated July 10, 2014, which regulates the use of cryptographic means for protecting information and personal data, six protection classes are defined: KS1, KS2, KS3, KV1, KV2 and KA1. The protection class for a particular system is determined from an analysis of the intruder model, that is, from an assessment of the possible ways of attacking the system. Protection in this case is built from software and hardware cryptographic information protection tools.

Current threats (AU), as can be seen from the table, are of three types:

  1. Threats of the first type are associated with undocumented capabilities in the system software used in the information system.
  2. Threats of the second type are associated with undocumented capabilities in the application software used in the information system.
  3. The third type of threat refers to all the others.

Undocumented capabilities are functions and properties of software that are not described in the official documentation or do not correspond to it. Their use may therefore increase the risk of violating the confidentiality or integrity of information.

For clarity, let us look at the intruder models that one or another class of cryptographic information protection tools is required to counter:

  • KS1 - the intruder acts from the outside, without assistants inside the system.
  • KS2 - an internal intruder who does not have access to the CIPF.
  • KS3 - an internal intruder who is a user of the CIPF.
  • KV1 - an intruder who brings in third-party resources, for example CIPF specialists.
  • KV2 - an intruder backed by an institute or laboratory working in the field of studying and developing CIPF.
  • KA1 - special services of states.

Thus, KS1 can be called the basic protection class. Accordingly, the higher the protection class, the fewer specialists capable of providing it. For example, in Russia, according to data for 2013, there were only 6 organizations that had a certificate from the FSB and were capable of providing KA1 class protection.

Algorithms used

Let's consider the main algorithms used in cryptographic information protection tools:

  • GOST R 34.10-2001 and the updated GOST R 34.10-2012 - algorithms for creating and verifying an electronic signature.
  • GOST R 34.11-94 and the latest GOST R 34.11-2012 - hash function algorithms.
  • GOST 28147-89 and the newer GOST R 34.12-2015 - encryption and data protection algorithms.
  • Additional cryptographic algorithms are found in RFC 4357.

Electronic signature

The use of cryptographic information security tools cannot be imagined without the use of electronic signature algorithms, which are gaining increasing popularity.

An electronic signature is a special part of a document created by cryptographic transformations. Its main task is to identify unauthorized changes and determine authorship.

An electronic signature certificate is a separate document that proves the authenticity and ownership of an electronic signature to its owner using a public key. Certificates are issued by certification authorities.

The owner of an electronic signature certificate is the person in whose name the certificate is registered. It is associated with two keys: public and private. The private key allows you to create an electronic signature. The purpose of a public key is to verify the authenticity of a signature through a cryptographic link to the private key.

Types of electronic signature

According to Federal Law No. 63, electronic signatures are divided into three types:

  • simple electronic signature;
  • unqualified electronic signature;
  • qualified electronic signature.

A simple electronic signature is created through passwords imposed on opening and viewing data, or similar means that indirectly confirm the owner.

An unqualified electronic signature is created using cryptographic data transformations using a private key. Thanks to this, you can confirm the person who signed the document and determine whether unauthorized changes have been made to the data.

Qualified and unqualified signatures differ only in that in the first case the certificate for electronic signature must be issued by a certification center certified by the FSB.

Scope of use of electronic signature

The table below discusses the scope of application of electronic signatures.

Electronic signature technologies are most actively used in document exchange. In internal document flow, the electronic signature acts as an approval of documents, that is, as a personal signature or seal. In the case of external document flow, the presence of an electronic signature is critical, as it is a legal confirmation. It is also worth noting that documents signed with electronic signatures can be stored indefinitely and not lose their legal significance due to factors such as erased signatures, damaged paper, etc.

Reporting to regulatory authorities is another area in which electronic document flow is increasing. Many companies and organizations have already appreciated the convenience of working in this format.

Under the law of the Russian Federation, every citizen has the right to use an electronic signature when using government services (for example, when signing an electronic application to an authority).

Online trading is another interesting area in which electronic signatures are actively used. It confirms the fact that a real person is participating in the auction and his offers can be considered reliable. It is also important that any contract concluded with the help of an electronic signature acquires legal force.

Electronic signature algorithms

  • Full Domain Hash (FDH) and Public Key Cryptography Standards (PKCS). The latter represents a whole group of standard algorithms for various situations.
  • DSA and ECDSA are standards for creating electronic signatures in the USA.
  • GOST R 34.10-2012 - standard for creating electronic signatures in the Russian Federation. This standard replaced GOST R 34.10-2001, which officially expired after December 31, 2017.
  • The Eurasian Union uses standards completely similar to Russian ones.
  • STB 34.101.45-2013 - Belarusian standard for digital electronic signature.
  • DSTU 4145-2002 - standard for creating an electronic signature in Ukraine and many others.

It is also worth noting that the algorithms for creating electronic signatures have various purposes and goals:

  • Group electronic signature.
  • One-time digital signature.
  • Trusted electronic signature.
  • Qualified and unqualified signature, etc.

Many people know cryptography as the heart and basis of all cryptocurrencies, but not everyone thinks about the fact that we use it every day. The cryptography method is used in most modern applications and hides personal data from prying eyes.

What is cryptography?

Cryptography is a science that studies ways to hide data and ensure its confidentiality. This is one of the oldest sciences and its history goes back four thousand years. The term “cryptography” itself is formed from two ancient Greek words “crypto” - hidden, “grapho” - I write. For beginners, the principle of cryptography can be explained using the example of the Caesar cipher, where each character of the alphabet was replaced by the one that is 3 positions before the desired one.

The first examples of cryptographic records were mono-alphabetic and began to appear as early as the third millennium BC. They were records whose text was changed by substituting other characters. Starting from the 9th century, polyalphabetic ciphers began to be used, and from the mid-20th century, electromechanical cipherers began to be used, but polygraphic ciphers were still used.

Before 1975, cryptography meant encryption with a secret key that gave access to the decryption of data. Later the period of modern development began, and public key cryptography methods were developed, in which keys could be transmitted over open communication channels and used for data verification.

Modern applied cryptography is a science formed at the intersection of mathematics and computer science. A related science of cryptography is cryptanalysis. Cryptography and cryptanalysis are closely interrelated, only in the latter case are methods of deciphering hidden information studied.

With the modification to a public key, cryptography became more widespread and began to be used by individuals and commercial organizations, and in 2009 the first cryptocurrency was issued based on it. Until this time, it was considered the prerogative of state governing bodies.

Types of cryptography

Cryptographic systems are based on different kinds of cryptography. In total, four main cryptographic primitives are distinguished:

  • Symmetric encryption. This method prevents data interception by third parties and is based on the sender and recipient of the data holding the same key to decrypt the data.
  • Asymmetric encryption. This method involves a public and a private key. The keys are interconnected: information encrypted with a public key can only be revealed by the associated private key. Keys from different pairs cannot be used together, since each pair is bound by a mathematical relationship.
  • Hashing. The method is based on converting the source information into a byte string of a fixed form. The transformation is called a hash function, and its result is a hash code. Each hash code is a unique sequence of characters.
  • Electronic signature. This is a transformation of information using a private key, which makes it possible to confirm the authenticity of the document and the absence of data corruption.

Capabilities and applications

Cryptography was originally used by the government to securely store or transmit documents. Modern asymmetric encryption algorithms have become more widely used in the field of IT security, and symmetric methods are now used primarily to prevent unauthorized access to information during storage.

In particular, cryptographic methods are used for:

  • secure storage of information by commercial and private entities;
  • implementation of digital electronic signature systems;
  • confirming the authenticity of certificates;
  • secure online data transmission over open communication channels.

Cryptography and blockchain

In blockchain, cryptography is used to protect and ensure the confidentiality of individuals and personal data, maintain high transaction security, and reliably protect the entire system and storage.

Hash functions

Hash functions in the blockchain are interconnected; with their help, information protection and transaction irreversibility are achieved. Every new block transaction is linked to the hash of the previous block, which in turn is formed based on the hash of the last block formed before it. Thus, each new transaction block contains all the information about the previous blocks and cannot be forged or changed.

In order for a new block to be added to the blockchain chain, the network must reach a general consensus and select the hash of the new block. To do this using computer technology miners offer many “nonce” options for the value of a function. The first miner, who managed to generate a hash suitable for combination with previous data by random selection, signs a block with it, which is included in the chain, and the new block will already contain information with it.

Thanks to the use of hashing technology in the blockchain, all transactions that have been performed in the system can be expressed as one hash of a new block. The hashing method makes it almost impossible to hack the system, and with the addition of each new block, the blockchain’s resistance to attacks only increases.
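The chaining and nonce search described in the three paragraphs above, as an added worked example (not code from the original article): each block's hash covers the previous block's hash, a block is accepted only when its hash meets a target, and a verifier recomputes the chain. The difficulty, transactions and block layout are constructed for the demo; it also goes one step beyond the text by showing that re-mining a tampered block still breaks the link to the block after it.

```python
import copy
import hashlib
import json
from typing import Dict, List, Optional

DIFFICULTY = 12  # constructed: leading zero bits a block hash must have
GENESIS_PREV = "0" * 64


def block_hash(index: int, prev_hash: str, transactions: List[str], nonce: int) -> str:
    """Hash of the block contents. The previous hash is part of the input, so each
    block commits to the entire chain before it."""
    body = json.dumps([index, prev_hash, transactions, nonce], separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


def meets_target(h: str) -> bool:
    return int(h, 16) >> (256 - DIFFICULTY) == 0


def mine(index: int, prev_hash: str, transactions: List[str]) -> Dict:
    """Try nonce values until the hash meets the target (the 'random selection' in the text)."""
    nonce = 0
    while True:
        h = block_hash(index, prev_hash, transactions, nonce)
        if meets_target(h):
            return {"index": index, "prev_hash": prev_hash,
                    "transactions": transactions, "nonce": nonce, "hash": h}
        nonce += 1


def build_chain(blocks_tx: List[List[str]]) -> List[Dict]:
    chain: List[Dict] = []
    prev = GENESIS_PREV
    for i, txs in enumerate(blocks_tx):
        blk = mine(i, prev, txs)
        chain.append(blk)
        prev = blk["hash"]
    return chain


def first_invalid_block(chain: List[Dict]) -> Optional[int]:
    """Verification as any node performs it: recompute each hash, check the target and
    check the link to the previous block. Returns the index of the first bad block, or None."""
    prev = GENESIS_PREV
    for blk in chain:
        h = block_hash(blk["index"], blk["prev_hash"], blk["transactions"], blk["nonce"])
        if h != blk["hash"] or not meets_target(h) or blk["prev_hash"] != prev:
            return blk["index"]
        prev = h
    return None


def demo() -> Dict[str, Optional[int]]:
    """Build a 3-block chain (constructed transactions), tamper with block 1, then re-mine it."""
    chain = build_chain([["alice->bob 1"], ["bob->carol 0.5"], ["carol->dave 0.2"]])
    valid = first_invalid_block(chain)
    forged = copy.deepcopy(chain)
    forged[1]["transactions"] = ["bob->mallory 0.5"]   # stored hash no longer matches
    after_tamper = first_invalid_block(forged)
    # Re-mining block 1 repairs block 1 itself, but block 2 still points at the old hash.
    forged[1] = mine(1, forged[0]["hash"], forged[1]["transactions"])
    after_remine = first_invalid_block(forged)
    return {"valid": valid, "after_tamper": after_tamper, "after_remine": after_remine}


if __name__ == "__main__":
    print(demo())
```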

Digital signatures

The blockchain uses an asymmetric cryptography method based on public and private keys. The public key serves as the storage address for the coins, and the secret key serves as the password to access it. The private key is linked to the public key, but cannot be calculated from it.

Among the many public key cryptography schemes, the most common are the elliptic curve scheme and the factorization scheme. Bitcoin uses the first scheme - elliptic curves. The private key is 32 bytes, the public key is 33 bytes, and the signature is about 70 bytes.

Public key cryptography

Modern public key cryptography is used in the blockchain system to transfer coins.

For beginners, the principle of public key cryptography can be explained using the example of a transaction. Say the sender wants to send 1 bitcoin. To do this, he needs to send a transaction indicating where the coin should be taken from and where it will be sent (the recipient's public key). When the transaction is formed, the sender must sign it with his private key. Next, the network nodes check that the sender's secret key corresponds to the public key with which the coin is currently associated. If this condition is met, that is, the sender's public and private keys are interconnected, the sent coin becomes associated with the recipient's public key.

Conclusion

Cryptography is an important component of the modern world and is needed primarily to protect personal data and important information. Since its inception it has gone through many modifications and is now a security system that is practically impossible to break. It is difficult to overestimate its potential for humanity. Modern cryptographic methods are used in almost all industries in which there is a need for secure transmission or storage of data.


Cryptographic information protection tools (CIPF) are an important component of information security and make it possible to guarantee a high level of data security even if encrypted electronic documents fall into the hands of third parties, or if the storage media holding them are stolen or lost. Today CIPF is used in almost every company, more often at the level of interaction with automated banking systems and government information systems, less often for storing and exchanging corporate data. Yet it is the latter use of encryption that allows a business to be protected from dangerous leaks of critically valuable information with a guarantee of up to 99%, even taking the human factor into account.

Functionally, the need for the use of CIPF is also determined by the growing popularity of electronic document management, archiving and paperless interaction. The importance of documents processed in such systems dictates the need to ensure high security of information, which cannot be achieved without the use of encryption and electronic signatures.

The introduction of CIPF into corporate practice involves the creation of a hardware and software complex, the architecture and composition of which is determined based on the needs of a specific customer, legal requirements, assigned tasks and the necessary methods and encryption algorithms. This may include encryption software components (crypto providers), VPN organization tools, identification tools, tools for generating and verifying keys and digital signatures used to organize legally significant document flow, and hardware storage media.

Corporate encryption tools implemented by AST can support GOST encryption algorithms and provide the necessary classes of cryptographic protection depending on the required degree of protection, regulatory framework and compatibility requirements with other, including external systems. At the same time, encryption tools provide protection for the entire set of information components - files, directories with files and archives, physical and virtual storage media, entire servers and storage systems.

The solution will be able to provide a full range of measures for reliable protection of information during its storage, transmission, use, as well as for managing the CIPF themselves, including:

  • Ensuring information confidentiality
  • Ensuring information integrity
  • Guarantee of information authenticity
  • Targeted information protection, including:
    — Encryption and decryption
    — Creation and verification of digital signature
  • Flexibility of configuration, management and use of CIPF
  • CIPF protection, including monitoring and detection of malfunctions, unauthorized access attempts, and cases of key compromise.


Means of cryptographic information protection (CIPF)

"...Cryptographic information protection means (CIPF) - hardware and (or) software, certified in the manner established by the legislation of the Russian Federation, providing encryption, integrity control and the use of digital signatures when exchanging electronic documents;..."

Source:

"Methodological recommendations for providing organizations engaged in the production and (or) circulation (except for import and retail sale) of ethyl alcohol, alcoholic and alcohol-containing products on the territory of the Russian Federation, software tools of a unified state automated information system for recording the volume of production and turnover of ethyl alcohol, alcoholic beverages and alcohol-containing products and their installation in technical means of recording and transmitting information on the volume of production and turnover of ethyl alcohol, alcoholic and alcohol-containing products to a single state automated information system accounting for the volume of production and turnover of ethyl alcohol, alcoholic and alcohol-containing products" (approved by Rosalkogolregulirovanie)

"...Means of cryptographic information protection (CIPF) - a set of software and technical means, implementing cryptographic transformations with source information and the function of generating and verifying an electronic digital signature..."

Source:

Board of the Pension Fund of the Russian Federation dated January 26, 2001 N 15 "On the introduction of cryptographic information protection and electronic digital signature in the system of the Pension Fund of the Russian Federation" (together with the "Regulations for registration and connection of legal and individuals to the electronic document management system of the Pension Fund of the Russian Federation")


Official terminology. Akademik.ru. 2012.


Cryptographic information protection - protection of information using its cryptographic transformation.

Cryptographic methods are currently fundamental for ensuring reliable authentication of the parties to an information exchange, and protection.

Means of cryptographic information protection (CIPF) include hardware, firmware and software that implement cryptographic algorithms for transforming information for the purpose of:

  • protecting information during its processing, storage and transmission;
  • ensuring the reliability and integrity of information (including by means of digital signature algorithms) during its processing, storage and transmission;
  • generating information used to identify and authenticate subjects, users and devices;
  • generating information used to protect the authenticating elements of a protected automated system (AS) during their generation, storage, processing and transmission.

Cryptographic methods provide encryption and encoding of information. There are two main encryption methods: symmetric and asymmetric. In the first of them, the same key (kept secret) is used to both encrypt and decrypt data.

Very effective (fast and reliable) symmetric encryption methods have been developed. There is also a national standard for such methods, GOST 28147-89 "Information processing systems. Cryptographic protection. Cryptographic transformation algorithm".

Asymmetric methods use two keys. One of them is not secret (it can be published together with other open information about the user) and is used for encryption; the other (secret, known only to the recipient) is used for decryption. The most popular of the asymmetric methods is RSA, based on operations with large (100-digit) prime numbers and their products.

Cryptographic methods make it possible to reliably control the integrity of both individual pieces of data and their sets (such as a message flow); determine the authenticity of the data source; guarantee the impossibility of refusing actions taken (“non-repudiation”).

Cryptographic integrity control is based on two concepts:

  • hash function;
  • electronic signature (ES).

A hash function is a hard-to-invert data transformation (a one-way function), implemented as a rule by means of symmetric encryption with block chaining. The result of encrypting the last block (which depends on all previous ones) serves as the value of the hash function.

Cryptography as a means of protecting (closing) information is becoming increasingly important in commercial activities.


Various encryption tools are used to transform information: tools for encrypting documents, including portable ones, tools for encrypting speech (telephone and radio conversations), and tools for encrypting telegraph messages and data transmission.

To protect trade secrets on the international and domestic markets, various technical devices and sets of professional equipment are used for encryption and cryptographic protection of telephone and radio conversations, business correspondence, etc.

Scramblers and maskers, which replace the speech signal with digital data transmission, have become widespread. Security products for teletypewriters, telexes and faxes are produced. For these purposes, encryptors are used, made in the form of separate devices, in the form of attachments to devices, or built into the design of telephones, fax modems and other communication devices (radio stations and others). To ensure the reliability of transmitted electronic messages, an electronic digital signature is widely used.
