Types of cryptographic information protection. Means of cryptographic information protection. Basic data encryption algorithms

Cryptographic information protection - protection of information using its cryptographic transformation.

Cryptographic methods are currently basic to ensure reliable authentication of parties to information exchange, protection.

TO means cryptographic protection information(CIPF) includes hardware, firmware and software that implement cryptographic algorithms for converting information for the purpose of:

Protection of information during its processing, storage and transmission;

Ensuring the reliability and integrity of information (including using digital signature algorithms) during its processing, storage and transmission;

Generating information used to identify and authenticate subjects, users and devices;

Generation of information used to protect the authenticating elements of a protected AS during their generation, storage, processing and transmission.

Cryptographic methods provide encryption and encoding of information. There are two main encryption methods: symmetric and asymmetric. In the first of them, the same key (kept secret) is used to both encrypt and decrypt data.

Very effective (fast and reliable) symmetric encryption methods have been developed. There is also a national standard for such methods - GOST 28147-89 “Information processing systems. Cryptographic protection. Cryptographic conversion algorithm."

Asymmetric methods use two keys. One of them, unclassified (it can be published together with others open information about the user) is used for encryption, another (secret, known only to the recipient) is used for decryption. The most popular of the asymmetric ones is the RSA method, based on operations with large (100-digit) prime numbers and their products.

Cryptographic methods make it possible to reliably control the integrity of both individual pieces of data and their sets (such as a message flow); determine the authenticity of the data source; guarantee the impossibility of refusing actions taken (“non-repudiation”).

Cryptographic integrity control is based on two concepts:

Electronic signature (ES).

A hash function is a hard-to-reversible data transformation (one-way function), implemented, as a rule, by means of symmetric encryption with block linking. The result of encryption of the last block (depending on all previous ones) serves as the result of the hash function.

Cryptography as a means of protecting (closing) information is becoming increasingly important in commercial activities.

To transform information, various encryption tools are used: document encryption tools, including portable ones, speech encryption tools (telephone and radio conversations), telegraph message encryption tools and data transmission.

To protect trade secrets on the international and domestic markets, various technical devices and sets of professional equipment for encryption and cryptographic protection of telephone and radio conversations, business correspondence, etc.

Scramblers and maskers, which replace the speech signal with digital data transmission, have become widespread. Security products for teletypewriters, telexes and faxes are produced. For these purposes, encryptors are used, made in the form of separate devices, in the form of attachments to devices, or built into the design of telephones, fax modems and other communication devices (radio stations and others). To ensure the reliability of transmitted electronic messages, electronic digital signature.

Cryptographic information protection tools, or CIPF for short, are used to ensure comprehensive protection of data transmitted over communication lines. To do this, it is necessary to ensure authorization and protection of the electronic signature, authentication of communicating parties using the TLS and IPSec protocols, as well as protection of the communication channel itself, if necessary.

In Russia, the use of cryptographic means of information security is mostly classified, so there is little publicly available information on this topic.

Methods used in CIPF

• Authorization of data and ensuring the safety of their legal significance during transmission or storage. To do this, they use algorithms for creating an electronic signature and verifying it in accordance with the established regulations RFC 4357 and use certificates according to the X.509 standard.
• Protecting data confidentiality and monitoring its integrity. Asymmetric encryption and imitation protection are used, that is, counteracting data substitution. Complied with GOST R 34.12-2015.
• Protection of system and application software. Monitor for unauthorized changes or incorrect functioning.
• Management of the most important elements of the system in strict accordance with the adopted regulations.
• Authentication of parties exchanging data.
• Securing the connection using TLS protocol.
• Protecting IP connections using the IKE, ESP, AH protocols.

The methods are described in detail in the following documents: RFC 4357, RFC 4490, RFC 4491.

CIPF mechanisms for information protection

1. The confidentiality of stored or transmitted information is protected by the use of encryption algorithms.
2. When establishing a connection, identification is provided by means of an electronic signature when used during authentication (as recommended by X.509).
3. Digital document flow is also protected by electronic signatures together with protection against imposition or repetition, while the authenticity of the keys used to verify electronic signatures is monitored.
4. The integrity of information is ensured by means of a digital signature.
5. Using asymmetric encryption functions helps protect your data. In addition, hashing functions or impersonation algorithms can be used to check data integrity. However, these methods do not support determining the authorship of a document.
6. Repetition protection occurs using cryptographic functions of an electronic signature for encryption or imitation protection. In this case, a unique identifier is added to each network session, long enough to exclude its random coincidence, and verification is implemented by the receiving party.
7. Protection against imposition, that is, from penetration into communications from the outside, is provided by means of electronic signature.
8. Other protection - against bookmarks, viruses, modifications operating system etc. - is ensured using various cryptographic tools, security protocols, anti-virus software and organizational measures.

As you can see, electronic signature algorithms are a fundamental part of a means of cryptographic information protection. They will be discussed below.

Requirements for using CIPF

CIPF is aimed at protecting (by checking an electronic signature) open data in various information systems general use and ensuring their confidentiality (electronic signature verification, imitation protection, encryption, hash verification) in corporate networks.

A personal cryptographic information protection tool is used to protect the user’s personal data. However, special emphasis should be placed on information related to state secrets. According to the law, CIPF cannot be used to work with it.

Important: before installing CIPF, the first thing you should check is the CIPF software package itself. This is the first step. Typically, the integrity of the installation package is verified by comparing checksums received from the manufacturer.

After installation, you should determine the level of threat, based on which you can determine the types of CIPF required for use: software, hardware, and hardware-software. It should also be taken into account that when organizing some CIPF, it is necessary to take into account the placement of the system.

Protection classes

According to the order of the FSB of Russia dated July 10, 2014, number 378, regulating the use of cryptographic means of protecting information and personal data, six classes are defined: KS1, KS2, KS3, KB1, KB2, KA1. The protection class for a particular system is determined from an analysis of data about the model of the intruder, that is, from an assessment possible ways hacking the system. Protection in this case is built from software and hardware cryptographic information protection.

AC (current threats), as can be seen from the table, are of 3 types:

1. The first type of threats are associated with undocumented capabilities in the system software used in information system.
2. Threats of the second type are associated with undocumented capabilities in the application software used in the information system.
3. The third type of threat refers to all the others.

Undocumented features are functions and features of the software that are not described in the official documentation or do not correspond to it. That is, their use may increase the risk of violating the confidentiality or integrity of information.

For clarity, let’s look at the models of intruders whose interception requires one or another class of cryptographic information security means:

• KS1 - the intruder acts from the outside, without assistants inside the system.
• KS2 is an internal intruder, but does not have access to CIPF.
• KS3 is an internal intruder who is a user of CIPF.
• KV1 is an intruder who attracts third-party resources, for example, CIPF specialists.
• KV2 is an intruder, behind whose actions is an institute or laboratory working in the field of studying and developing CIPF.
• KA1 - special services of states.

Thus, KS1 can be called the basic protection class. Accordingly, the higher the protection class, the fewer specialists capable of providing it. For example, in Russia, according to data for 2013, there were only 6 organizations that had a certificate from the FSB and were capable of providing KA1 class protection.

Algorithms used

Let's consider the main algorithms used in cryptographic information protection tools:

• GOST R 34.10-2001 and updated GOST R 34.10-2012 - algorithms for creating and verifying an electronic signature.
• GOST R 34.11-94 and the latest GOST R 34.11-2012 - algorithms for creating hash functions.
• GOST 28147-89 and more new GOST R 34.12-2015 - implementation of encryption and data protection algorithms.
• Additional cryptographic algorithms are found in RFC 4357.

Electronic signature

The use of cryptographic information security tools cannot be imagined without the use of electronic signature algorithms, which are gaining increasing popularity.

An electronic signature is a special part of a document created by cryptographic transformations. Its main task is to identify unauthorized changes and determine authorship.

An electronic signature certificate is a separate document that proves the authenticity and ownership of an electronic signature to its owner using a public key. Certificates are issued by certification authorities.

The owner of an electronic signature certificate is the person in whose name the certificate is registered. It is associated with two keys: public and private. The private key allows you to create an electronic signature. The purpose of a public key is to verify the authenticity of a signature through a cryptographic link to the private key.

Types of electronic signature

According to Federal Law No. 63, electronic signatures are divided into 3 types:

• regular electronic signature;
• unqualified electronic signature;
• qualified electronic signature.

A simple electronic signature is created through passwords imposed on opening and viewing data, or similar means that indirectly confirm the owner.

An unqualified electronic signature is created using cryptographic data transformations using a private key. Thanks to this, you can confirm the person who signed the document and determine whether unauthorized changes have been made to the data.

Qualified and unqualified signatures differ only in that in the first case the certificate for electronic signature must be issued by a certification center certified by the FSB.

Scope of use of electronic signature

The table below discusses the scope of application of electronic signatures.

Electronic signature technologies are most actively used in document exchange. In internal document flow, the electronic signature acts as an approval of documents, that is, as a personal signature or seal. In the case of external document flow, the presence of an electronic signature is critical, as it is a legal confirmation. It is also worth noting that documents signed with electronic signatures can be stored indefinitely and not lose their legal significance due to factors such as erased signatures, damaged paper, etc.

Reporting to regulatory authorities is another area in which electronic document flow is increasing. Many companies and organizations have already appreciated the convenience of working in this format.

In law Russian Federation Every citizen has the right to use an electronic signature when using government services (for example, signing an electronic application for authorities).

Online trading is another interesting area in which electronic signatures are actively used. It confirms the fact that a real person is participating in the auction and his offers can be considered reliable. It is also important that any contract concluded with the help of an electronic signature acquires legal force.

Electronic signature algorithms

• Full Domain Hash (FDH) and Public Key Cryptography Standards (PKCS). The latter represents a whole group of standard algorithms for various situations.
• DSA and ECDSA are standards for creating electronic signatures in the USA.
• GOST R 34.10-2012 - standard for creating electronic signatures in the Russian Federation. This standard replaced GOST R 34.10-2001, which officially expired after December 31, 2017.
• The Eurasian Union uses standards completely similar to Russian ones.
• STB 34.101.45-2013 - Belarusian standard for digital electronic signature.
• DSTU 4145-2002 - standard for creating an electronic signature in Ukraine and many others.

It is also worth noting that the algorithms for creating electronic signatures have various purposes and goals:

• Group electronic signature.
• One-time digital signature.
• Trusted electronic signature.
• Qualified and unqualified signature, etc.

Cryptographic methods for protecting information can be implemented in both software and hardware. A hardware encryptor or cryptographic data protection device (CDPD) is most often an expansion card inserted into connector 18A or PC1 motherboard personal computer(PC) (Fig. 3.21). There are other implementation options, for example, in the form of an i8B key with cryptographic functions (Fig. 3.22).

Manufacturers of hardware encryptors usually equip them with various additional features, including:

Generating random numbers needed to obtain cryptographic keys. In addition, many cryptographic algorithms use them for other purposes, for example, in the electronic digital signature algorithm, GOST R 34.10-2001, a new random number is required for each signature calculation;

Rice. 3.21. Hardware encoder in the form of a PC1 board:

1 - technological connectors; 2 - memory for logging; 3 - mode switches; 4 - multifunctional memory; 5 - control unit and microprocessor; 6- PC1 interface; 7- PC1 controller; 8- DSC; 9- interfaces for connecting key media

Rice. 3.22.

• computer login control. When turning on the PC, the device requires the user to enter personal information (for example, insert a device with a private key). Loading the operating system will be allowed only after the device recognizes the presented keys and considers them “its own”. Otherwise you will have to open it system unit and remove the encryptor from there to load the operating system (however, information on the PC’s hard drive can also be encrypted);
• monitoring the integrity of operating system files to prevent malicious modification configuration files And system programs. The encryptor stores a list of all important files with control hash values ​​​​precalculated for each of them, and if the next time the OS boots, the hash value of at least one of the controlled files does not match the standard, the computer will be blocked.

An encryptor that controls entry to a PC and checks the integrity of the operating system is also called “ electronic lock"(see paragraph 1.3).

In Fig. Figure 3.23 shows the typical structure of a hardware encoder. Let's consider the functions of its main blocks:

• control unit - the main encoder module. It is usually implemented on the basis of a microcontroller, when choosing which the main thing is speed and a sufficient number of internal resources, as well as external ports to connect all the necessary modules;
• PC system bus controller (for example, PC1), through which the main data exchange between the UKZD and the computer is carried out;
• a non-volatile memory device (memory), usually implemented on the basis of flash memory chips. It must be sufficiently capacious (several megabytes) and allow a large number of write cycles. Placed here software microcontroller that you

Rice. 3.23. The UKZD structure is completed when the device is initialized (when the encoder intercepts control when the computer boots);

• audit log memory, which is also a non-volatile memory (to avoid possible collisions, memory for programs and memory for the log should not be combined);
• cipher processor (or several similar blocks) - a specialized microcircuit or programmable logic chip PLD (Programmable Logic Device), which ensures the performance of cryptographic operations (encryption and decryption, digital signature calculation and verification, hashing);
• a random number generator, which is a device that produces a statistically random and unpredictable signal (so-called white noise). This could be, for example, a noise diode. Before further use in the encryption processor, according to special rules, white noise is converted into digital form;
• key information input block. Provides secure receipt of private keys from a key carrier and entry of user identification information necessary for his authentication;
• a block of switches required to disable the ability to work with external devices (disk drives, CD-ROM, parallel and serial ports, USB bus, etc.). If the user is working with highly sensitive information, the UKZD will block all external devices, including even the network card, upon entering the computer.

Cryptographic operations in UKPD must be performed in such a way as to exclude unauthorized access to session and private keys and the possibility of influencing the results of their implementation. Therefore, the encryption processor logically consists of several blocks (Fig. 3.24):

• calculator - a set of registers, adders, substitution blocks, etc. etc., interconnected by data buses. Designed to perform cryptographic operations as quickly as possible. As input, the computer receives open data that must be encrypted (decrypted) or signed, and a cryptographic key;
• control unit - a hardware-implemented program that controls the computer. If for any reason

Rice. 3.24.

the program will change, its work will begin to fail. That's why this program must not only be reliably stored and function reliably, but also regularly check its integrity. The external control unit described above also periodically sends control tasks to the control unit. In practice, for greater confidence, two cipher processors are installed in the encryptor, which constantly compare the results of their cryptographic operations (if they do not match, the operation is repeated);

The I/O buffer is necessary to improve the performance of the device: while the first block of data is being encrypted, the next one is being loaded, etc. The same thing happens at the output. This pipelined data transfer seriously increases the speed of performing cryptographic operations in the encryptor.

There is one more security task when the encryptor performs cryptographic operations: loading keys into the encryptor, bypassing RAM computer, where they can theoretically be intercepted and even replaced. For this purpose, the UKZD additionally contains input/output ports (for example, COM or USB), to which they are directly connected different devices reading key media. These can be any smart cards, tokens (special USB keys) or Touch Memory elements (see paragraph 1.3). In addition to the direct entry of keys into the UKPD, many of these media also provide their secure storage - even a key media without knowledge of a special access code (for example, a PIN code), an intruder will not be able to read its contents.

In order to avoid collisions when simultaneously accessing the encoder different programs, V computer system special software is installed

Rice. 3.25.

• (software) for encoder control (Fig. 3.25). Such software issues commands through the encoder driver and transmits data to the encoder, ensuring that information flows from different sources do not intersect, and also that the encoder always contains the necessary keys. Thus, UKZD performs two fundamentally different types commands:
• Before loading the operating system, commands located in the encoder memory are executed, which carry out all necessary checks(for example, user identification and authentication) and establish the required level of security (for example, disable external devices);
• after loading the OS (for example, Windows), commands received through the encryptor management software are executed (encrypt data, reload keys, calculate random numbers, etc.).

This separation is necessary for security reasons - after executing the commands of the first block, which cannot be bypassed, the intruder will no longer be able to perform unauthorized actions.

Another purpose of the encryptor management software is to provide the ability to replace one encryptor with another (say, one that is more productive or implements different cryptographic algorithms) without changing the software. This happens in a similar way to, for example, changing a network card: the encryptor comes with a driver that allows programs to perform a standard set of cryptographic functions in accordance with some application programming interface (for example, CryptoAP1).

In the same way, you can replace a hardware encryptor with a software one (for example, with an encoder emulator). To do this, the software encoder is usually implemented in the form of a driver that provides the same set of functions.

However, not all UKCDs need encoder management software (in particular, an encoder for “transparent” encryption and decryption of everything hard drive You only need to set up your PC once).

To additionally ensure the security of performing cryptographic operations in UKZD, it can be used multi-level protection cryptographic keys of symmetric encryption, in which a random session key is encrypted with the user’s long-term key, and that, in turn, with the master key (Fig. 3.26).

At the stage bootstrap The main key is entered into key cell No. 3 of the encoder memory. But for three-level encryption you need to get two more. The session key is generated as a result of a request to the generator (sensor)

Rice. 3.26. Encrypting a file using UKDN numbers (DRN) encoder to obtain a random number, which is loaded into key cell No. 1, corresponding to the session key. With its help, the contents of the file are encrypted and a new file is created that stores the encrypted information.

Next, the user is asked for a long-term key, which is loaded into key cell No. 2 with decryption using the master key located in cell No. 3. A reliable encryptor must have a mode for decrypting one key using another inside the encryption processor; in this case the key is in open form never “leaves” the encoder at all. Finally, the session key is encrypted using the long-term key located in cell No. 2, downloaded from the encryptor and written to the header of the encrypted file.

When decrypting a file, the session key is first decrypted using the user's long-term key, and then the information is restored using it.

In principle, one key can be used for encryption, but a multi-key scheme has serious advantages. First, the possibility of attacking the long-term key is reduced, since it is only used to encrypt short session keys. And this makes it difficult for an attacker to cryptanalyze encrypted information in order to obtain a long-term key. Secondly, when changing the long-term key, you can very quickly re-encrypt the file: just re-encrypt the session key from the old long-term key to the new one. Thirdly, the key media is unloaded, since only the master key is stored on it, and all long-term keys (and the user may have several of them for different purposes) can be stored in a form encrypted using the master key, even on the PC’s hard drive.

Encryptors in the form of SHV keys (see Fig. 3.22) cannot yet become a full replacement for a hardware encryptor for the PC1 bus due to the low encryption speed. However, they have several interesting features. Firstly, a token (SHV key) is not only a hardware encryptor, but also a carrier of encryption keys, i.e. a two-in-one device. Secondly, tokens usually comply with common international cryptographic standards (RKSB #11, 1BO 7816, RS/8S, etc.), and they can be used without additional settings in existing software information protection (for example, they can be used to authenticate users in the OS family Microsoft Windows). And finally, the price of such an encoder is tens of times lower than a classic hardware encryptor for the PCI bus.

Anyone who seriously thinks about the security of their confidential information faces the task of selecting software for cryptographic data protection. And there is absolutely nothing surprising about this - encryption today is one of the most reliable ways to prevent unauthorized access to important documents, databases, photographs and any other files.

The problem is that to make an informed choice, you need to understand all aspects of the operation of cryptographic products. Otherwise, you can very easily make a mistake and choose software that either will not protect all the necessary information or will not provide the required degree of security. What should you pay attention to? Firstly, these are the encryption algorithms available in the product. Secondly, methods for authenticating information owners. Thirdly, ways to protect information. Fourthly, additional functions and capabilities. Fifthly, the authority and fame of the manufacturer, as well as the presence of certificates for the development of encryption tools. And this is not all that may be important when choosing a cryptographic protection system.

It is clear that it is difficult for a person who does not understand the field of information security to find answers to all these questions.

Secret Disk 4 Lite

The developer of the Secret Disk 4 Lite product is Aladdin, one of the world leaders working in the field of information security. She has a large number of certificates. And although the product in question itself is not a certified tool (Secret Disk 4 has a separate certified version), this fact indicates that the company is recognized as a serious developer of cryptographic tools.

Secret Disk 4 Lite can be used to encrypt individual hard drive partitions, any removable drives, and also to create protected virtual disks. Thus, with the help of this tool, most of the problems related to cryptography can be solved. Separately, it is worth noting the possibility of encryption system partition. In this case, loading the OS itself by an unauthorized user becomes impossible. Moreover, this protection is incomparably more reliable than the built-in Windows protection tools.

Secret Disk 4 Lite does not have built-in encryption algorithms. This program uses external crypto providers to operate. By default, the standard module integrated into Windows is used. It implements the DES and 3DES algorithms. However, today they are considered obsolete. Therefore, for better protection, you can download a special Secret Disk Crypto Pack from the Aladdin website. This is a crypto provider that implements the most secure cryptographic technologies available today, including AES and Twofish with key lengths up to 256 bits. By the way, if necessary, in combination with Secret Disk 4 Lite, you can use certified algorithm providers Signal-COM CSP and CryptoPro CSP.

A distinctive feature of Secret Disk 4 Lite is its user authentication system. The fact is that it is built on the use of digital certificates. For this purpose, a hardware USB eToken is included in the product package. It is a securely protected storage for private keys. In fact, we are talking about full-fledged two-factor authentication (the presence of a token plus knowledge of its PIN code). As a result, the encryption system under consideration is free from such a bottleneck as the use of conventional password protection.

Additional features of Secret Disk 4 Lite include the possibility of multi-user work (the owner of encrypted disks can provide access to them to other people) and background work encryption process.

The interface of Secret Disk 4 Lite is simple and clear. It is written in Russian, just like a detailed help system, which describes all the nuances of using the product.

InfoWatch CryptoStorage

InfoWatch CryptoStorage is a product of a fairly well-known company InfoWatch, which has certificates for development, distribution and maintenance encryption tools. As already noted, they are not mandatory, but can play the role of a kind of indicator of the seriousness of the company and the quality of its products.

Figure 1. Context menu

InfoWatch CryptoStorage implements only one encryption algorithm - AES with a key length of 128 bits. User authentication is implemented using regular password protection. To be fair, it is worth noting that the program has a minimum length limit. keywords, equal to six characters. However, password protection is certainly much less secure than two-factor authentication using tokens. A special feature of the InfoWatch CryptoStorage program is its versatility. The fact is that with its help you can encrypt individual files and folders, entire hard drive partitions, any removable drives, as well as virtual disks.

This product, like the previous one, allows you to protect system drives, that is, it can be used to prevent unauthorized booting of the computer. In fact, InfoWatch CryptoStorage allows you to solve the entire range of problems associated with the use of symmetric encryption.

An additional feature of the product in question is the organization of multi-user access to encrypted information. In addition, InfoWatch CryptoStorage implements guaranteed data destruction without the possibility of recovery.

InfoWatch CryptoStorage is a Russian-language program. Its interface is made in Russian, but is quite unusual: there is no main window as such (there is only a small configurator window), and almost all the work is implemented using context menu. This solution is unusual, but one cannot fail to recognize its simplicity and convenience. Naturally, Russian-language documentation is also available in the program.

Rohos Disk is a product of Tesline-Service.S.R.L. It is part of a line of small utilities that implement various tools for protecting confidential information. Development of this series has been ongoing since 2003.

Figure 2. Program interface

The Rohos Disk program is designed for cryptographic protection of computer data. It allows you to create encrypted virtual disks on which you can save any files and folders, as well as install software.

To protect data, this product uses cryptographic algorithm AES with a key length of 256 bits, which provides a high degree of security.

Rohos Disk implements two methods of user authentication. The first of them is ordinary password protection with all its shortcomings. The second option is to use a regular USB disk on which the required key is recorded.

This option is also not very reliable. When using it, the loss of a flash drive can lead to serious problems.

Rohos Disk has a wide range of additional features. First of all, it is worth noting the protection of USB drives. Its essence is to create a special encrypted section on a flash drive in which confidential data can be transferred without fear.

Moreover, the product includes a separate utility with which you can open and view these USB drives on computers that do not have Rohos Disk installed.

Next additional opportunity- support for steganography. The essence of this technology is to hide encrypted information inside multimedia files (AVI, MP3, MPG, WMV, WMA, OGG formats are supported).

Its use allows you to hide the very fact of the presence of a secret disk by placing it, for example, inside a film. The last additional function is the destruction of information without the possibility of its recovery.

The Rohos Disk program has a traditional Russian-language interface. In addition, it is accompanied by a help system, perhaps not as detailed as that of the two previous products, but sufficient to master the principles of its use.

When talking about cryptographic utilities, one cannot fail to mention free software. After all, today in almost all areas there are worthy products that are distributed completely freely. And information security is no exception to this rule.

True, there is a dual attitude towards the use of free software to protect information. The fact is that many utilities are written by single programmers or small groups. At the same time, no one can vouch for the quality of their implementation and the absence of “holes,” accidental or intentional. But cryptographic solutions themselves are very difficult to develop. When creating them, you need to take into account a huge number of different nuances. That is why it is recommended to use only well-known products, and always with open source. This is the only way to be sure that they are free of “bookmarks” and tested by a large number of specialists, which means they are more or less reliable. An example of such a product is the TrueCrypt program.

Figure 3. Program interface

TrueCrypt is perhaps one of the most feature-rich free cryptographic utilities. Initially, it was used only to create secure virtual disks. Still, for most users this is the most convenient way protection various information. However, over time, it added the function of encrypting the system partition. As we already know, it is intended to protect the computer from unauthorized startup. True, TrueCrypt is not yet able to encrypt all other sections, as well as individual files and folders.

The product in question implements several encryption algorithms: AES, Serpent and Twofish. The owner of the information can choose which one he wants to use in this moment. User authentication in TrueCrypt can be done using regular passwords. However, there is another option - using key files, which can be stored on a hard drive or any removable storage device. Separately, it is worth noting that this program supports tokens and smart cards, which allows you to organize reliable two-factor authentication.

From additional functions The program in question can be noted that it is possible to create hidden volumes inside the main ones. It is used to hide sensitive data when opening a disk under duress. TrueCrypt also implements a system Reserve copy volume headers to recover them in case of failure or return to old passwords.

The TrueCrypt interface is familiar to utilities of this kind. It is multilingual, and it is possible to install the Russian language. With documentation, things are much worse. It exists, and it is very detailed, but it is written in English language. Naturally, there can be no talk of any technical support.

For greater clarity, all their features and functionality are summarized in Table 2.

Table 2 - Functionality programs for cryptographic information protection.

In this article you will learn what CIPF is and why it is needed. This definition refers to cryptography - the protection and storage of data. Protecting information in electronic form can be done in any way - even by disconnecting the computer from the network and installing armed guards with dogs near it. But it is much easier to do this using cryptographic protection tools. Let's figure out what it is and how it is implemented in practice.

Main Goals of Cryptography

The decoding of CIPF sounds like a “cryptographic information protection system.” In cryptography, the information transmission channel can be completely accessible to attackers. But all data is confidential and very well encrypted. Therefore, despite the openness of the channels, attackers cannot obtain information.

Modern CIPF means consist of a software and computer complex. With its help, information is protected according to the most important parameters, which we will consider further.

Confidentiality

It is impossible to read the information if you do not have access rights to do so. What is CIPF and how does it encrypt data? The main component of the system is electronic key. It is a combination of letters and numbers. Only by entering this key can you get to the desired section on which the protection is installed.

Integrity and Authentication

This is an important parameter that determines the possibility of unauthorized changes to data. If there is no key, then you cannot edit or delete information.

Authentication is a procedure for verifying the authenticity of information that is recorded on key media. The key must match the machine on which the information is decrypted.

Authorship

This is confirmation of the user’s actions and the impossibility of refusing them. The most common type of confirmation is an EDS (electronic digital signature). It contains two algorithms - one creates a signature, the second verifies it.

Please note that all operations performed with electronic signatures, are processed by certified centers (independent). For this reason, it is impossible to fake authorship.

Basic data encryption algorithms

Today, many CIPF certificates are widespread; different keys are used for encryption - both symmetric and asymmetric. And the keys are long enough to provide the required cryptographic complexity.

The most popular algorithms used in cryptographic protection:

1. Symmetric key - DES, AES, RC4, Russian R-28147.89.
2. With hash functions - for example, SHA-1/2, MD4/5/6, R-34.11.94.
3. Asymmetric key - RSA.

Many countries have their own standards for encryption algorithms. For example, in the United States they use modified AES encryption; the key can be from 128 to 256 bits long.

The Russian Federation has its own algorithm - R-34.10.2001 and R-28147.89, which uses a 256-bit key. Please note that there are elements in national cryptographic systems that are prohibited from being exported to other countries. All activities related to the development of CIPF require mandatory licensing.

Hardware crypto protection

When installing CIPF tachographs, you can ensure maximum protection of the information stored in the device. All this is implemented both at the software and hardware levels.

CIPF hardware type are devices that contain special programs, providing reliable data encryption. They also help to store information, record it and transmit it.

The encryption device is made in the form of an encoder connected to USB ports. There are also devices that are installed on motherboards PC. Even specialized switches and network cards with cryptographic protection can be used to work with data.

Hardware types of CIPF are installed quite quickly and are capable of exchanging information at high speed. But the disadvantage is the rather high cost, as well as the limited possibility of modernization.

Software cryptographic protection

This is a set of programs that allows you to encrypt information stored on various media (flash drives, hard drives and optical disks, etc.). Also, if you have a license for CIPF of this type, you can encrypt data when transmitting it over the Internet (for example, via Email or chat).

There are a large number of protection programs, and there are even free ones - DiskCryptor is one of them. The software type of CIPF is also virtual networks, allowing the exchange of information “over the Internet”. These are VPN networks known to many. This type of protection also includes the HTTP protocol, which supports SSL and HTTPS encryption.

CIPF software is mostly used when working on the Internet, as well as on home PCs. In other words, exclusively in those areas where there are no serious requirements for the durability and functionality of the system.

Software and hardware type of cryptographic protection

Now you know what CIPF is, how it works and where it is used. It is also necessary to highlight one type - hardware and software, which combines all the best properties of both types of systems. This method of processing information is by far the most reliable and secure. Moreover, you can identify the user different ways- both hardware (by installing a flash drive or floppy disk) and standard (by entering a login/password pair).

Hardware and software systems support all encryption algorithms that exist today. Please note that the installation of CIPF should only be carried out by qualified personnel of the complex developer. It is clear that such CIPF should not be installed on computers that do not process confidential information.