Means of cryptographic information protection: types and applications

Means of cryptographic protection of information (abbreviated CIPF) are used to provide comprehensive protection of data transmitted over communication lines. This requires authorization and the protection of electronic signatures, authentication of the communicating parties using the TLS and IPsec protocols and, where necessary, protection of the communication channel itself.

In Russia, the use of cryptographic means of information protection is for the most part classified; therefore, little public information is available on this topic.

Methods used in CIPF

  • Authorization of data and preservation of its legal significance during transmission or storage. For this, algorithms for creating and verifying an electronic signature are applied in accordance with RFC 4357, and certificates conforming to the X.509 standard are used.
  • Protection of data confidentiality and monitoring of its integrity. Asymmetric encryption and imitation protection (a message authentication code that prevents data substitution) are used, in compliance with GOST R 34.12-2015.
  • Protection of system and application software: tracking unauthorized changes or malfunctions.
  • Management of the most critical elements of the system in strict accordance with the adopted regulations.
  • Authentication of the parties exchanging data.
  • Connection security using the TLS protocol.
  • Protection of IP connections using the IKE, ESP and AH protocols.

The methods are described in detail in the following documents: RFC 4357, RFC 4490, RFC 4491.

Digital Information Protection

CIPF mechanisms for information protection

  1. The confidentiality of stored or transmitted information is protected by encryption algorithms.
  2. When a connection is established, the parties are identified by means of an electronic signature used during authentication (in accordance with recommendation X.509).
  3. Electronic document management is also protected by electronic signature, together with protection against imposition and replay, while the authenticity of the keys used to verify electronic signatures is monitored.
  4. The integrity of the information is ensured by digital signature.
  5. Data is protected by the use of asymmetric encryption. In addition, hash functions or imitation-protection algorithms (message authentication codes) can be used to verify data integrity; however, these methods do not establish the authorship of a document.
  6. Protection against replay is provided by the cryptographic functions of an electronic signature, encryption or imitation protection. In addition, a unique identifier is added to each network session, long enough to rule out accidental coincidence, and it is verified by the receiving party.
  7. Protection against imposition, that is, against intrusion into the communication from outside, is provided by electronic signature means.
  8. Other protection (against implants, viruses, modifications of the operating system, etc.) is provided by various cryptographic tools, security protocols, anti-virus software and organizational measures.

CIPF mechanisms
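Items 5 and 6 above, as an added example that is not part of the original article: a shared-key message authentication code (the imitovstavka) protects integrity, and a random session identifier plus a strictly increasing counter lets the receiver reject replays. HMAC-SHA256 stands in for a GOST MAC; the frame layout, key and payloads are constructed for the illustration.

```python
import hmac
import hashlib
import secrets
import struct

MAC_LEN = 32          # HMAC-SHA256 output, stands in for a GOST MAC (assumption)
SESSION_ID_LEN = 16   # 128-bit random id: accidental collision is negligible


def new_session_id() -> bytes:
    return secrets.token_bytes(SESSION_ID_LEN)


def protect(key: bytes, session_id: bytes, seq: int, payload: bytes) -> bytes:
    """Constructed frame: session_id || seq (8 bytes BE) || payload || MAC."""
    header = session_id + struct.pack(">Q", seq)
    mac = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + mac


class Receiver:
    """Checks the MAC, then the per-session counter, before accepting a frame."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}  # session_id -> highest sequence number accepted

    def accept(self, frame: bytes):
        """Return (ok, reason, payload); ok is False for tampered or replayed frames."""
        if len(frame) < SESSION_ID_LEN + 8 + MAC_LEN:
            return False, "truncated", b""
        body, mac = frame[:-MAC_LEN], frame[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # constant-time comparison so the check does not leak the MAC byte by byte
        if not hmac.compare_digest(mac, expected):
            return False, "bad mac", b""
        session_id = body[:SESSION_ID_LEN]
        (seq,) = struct.unpack(">Q", body[SESSION_ID_LEN:SESSION_ID_LEN + 8])
        payload = body[SESSION_ID_LEN + 8:]
        # A valid MAC only shows a key holder sent an unaltered frame; since both
        # parties hold the same key it does not prove authorship (item 5).
        # Replay check (item 6): the counter must strictly increase per session.
        if seq <= self.last_seq.get(session_id, -1):
            return False, "replay", b""
        self.last_seq[session_id] = seq
        return True, "ok", payload
```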

As can be seen, electronic signature algorithms are a fundamental part of the cryptographic protection of information. They are discussed below.

Requirements for the use of cryptographic information protection

CIPF is intended to protect open data in various public information systems (by verifying the electronic signature) and to ensure the confidentiality of data in corporate networks (electronic signature verification, imitation protection, encryption, hash verification).

A personal CIPF tool is used to protect the user's personal data. Information constituting a state secret, however, is a special case: according to the law, such cryptographic information protection cannot be used to work with it.

Important: before installing a CIPF, the first step is to check the CIPF package itself. Typically, the integrity of the installation package is verified by comparing its checksums with those received from the manufacturer.
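The installation-package check described above, as an added example that is not part of the original article: the installer is hashed in chunks and compared in constant time against the manufacturer's published digest. The manifest format ("<hex digest>  <file name>" per line, as produced by sha256sum), the file name cipf-setup.bin and the file contents are constructed for the illustration.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB pieces so large installers are not loaded whole


def sha256_of_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Map file name -> expected hex digest; skips blank and comment lines."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        expected[name.lstrip("*")] = digest.lower()  # "*name" marks binary mode
    return expected


def verify_package(path: str, manifest_text: str) -> bool:
    """True only if the file is listed in the manifest and its digest matches."""
    expected = parse_manifest(manifest_text).get(os.path.basename(path))
    if expected is None:
        return False  # unlisted file: refuse rather than assume it is genuine
    return hmac.compare_digest(sha256_of_file(path), expected)


def demo() -> tuple:
    """Constructed package and manifest: the genuine copy passes, a modified one fails."""
    with tempfile.TemporaryDirectory() as d:
        pkg = os.path.join(d, "cipf-setup.bin")  # constructed file name
        with open(pkg, "wb") as f:
            f.write(b"constructed installer bytes")
        manifest = f"{sha256_of_file(pkg)}  cipf-setup.bin\n"
        ok_genuine = verify_package(pkg, manifest)
        with open(pkg, "ab") as f:
            f.write(b"\x00")  # simulate a modified or corrupted download
        return ok_genuine, verify_package(pkg, manifest)
```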

After installation, the threat level should be determined; on this basis the types of CIPF needed are chosen: software, hardware, or hardware-software. It should also be borne in mind that for some CIPF systems the physical placement of the system must be taken into account.

Protection classes

According to Order No. 378 of the FSB of Russia dated 10.07.14, which regulates the use of cryptographic means for protecting information and personal data, six classes are defined: KS1, KS2, KS3, KV1, KV2, KA1. The protection class for a particular system is determined from an analysis of the intruder model, that is, from an assessment of the possible ways of compromising the system. Protection is built from both software and hardware CIPF.

CIPF protection classes

Actual threats (AU), as can be seen from the table, are of three types:

  1. Threats of the first type are associated with undocumented capabilities in the system software used in the information system.
  2. Threats of the second type are associated with undocumented capabilities in the application software used in the information system.
  3. Threats of the third type are all the others.

Undocumented features are functions and properties of software that are not described in the official documentation or do not correspond to it; their use may therefore increase the risk of a breach of the confidentiality or integrity of information.

For clarity, consider the intruder models against which one or another class of CIPF is required:

  • KS1 - the intruder acts from outside, without accomplices inside the system.
  • KS2 - an internal intruder who does not have access to the CIPF.
  • KS3 - an internal intruder who is a user of the CIPF.
  • KV1 - an intruder who enlists third-party resources, such as CIPF specialists.
  • KV2 - an intruder backed by an institute or laboratory working in the field of studying and developing CIPF.
  • KA1 - special services of states.

Thus, KS1 can be called the base protection class. Accordingly, the higher the protection class, the fewer specialists are able to provide it. For example, in Russia, according to data for 2013, only 6 organizations held an FSB certificate and were able to provide protection for class KA1.

CIPF selection scheme

Algorithms Used

The main algorithms used in CIPF tools are:

  • GOST R 34.10-2001 and the updated GOST R 34.10-2012 - algorithms for creating and verifying electronic signatures.
  • GOST R 34.11-94 and the newer GOST R 34.11-2012 - hash function algorithms.
  • GOST 28147-89 and the newer GOST R 34.12-2015 - encryption and data protection algorithms.
  • Additional cryptographic algorithms are described in RFC 4357.

CIPF algorithms

Electronic signature

The use of CIPF tools cannot be imagined without electronic signature algorithms, which are gaining more and more popularity.

An electronic signature is a special part of a document created by cryptographic transformations. Its main tasks are to detect unauthorized changes and to establish authorship.

An electronic signature certificate is a separate document that confirms the authenticity of an electronic signature and its belonging to its owner by means of the public key. Certificates are issued by certification authorities.

The owner of an electronic signature certificate is the person in whose name the certificate is registered. It is associated with two keys: public and private. The private key is used to create an electronic signature. The public key is used to verify the signature, by virtue of its cryptographic relationship with the private key.

Types of Electronic Signature

According to Federal Law No. 63, an electronic signature is divided into 3 types:

  • simple electronic signature;
  • unqualified electronic signature;
  • qualified electronic signature.

A simple ES is created using passwords required to open and view the data, or similar means that indirectly confirm the owner.

An unqualified ES is created by cryptographic transformations of the data using a private key. This makes it possible to confirm who signed the document and to establish whether unauthorized changes were made to the data.

Qualified and unqualified signatures differ only in that, in the first case, the electronic signature certificate must be issued by a certification center certified by the FSB.

Scope of use of electronic signature

The table below describes the scope of application of ES.

Using an electronic signature

The most active area is electronic documents used in document exchange. In internal document flow, ES serves as the approval of documents, that is, as a personal signature or seal. In external document flow, the presence of an electronic signature is critical, since it is the legal confirmation. It is also worth noting that documents signed with an electronic signature can be stored indefinitely without losing their legal significance to factors such as faded signatures, damaged paper, etc.

Reporting to regulatory authorities is another area in which electronic document flow is growing. Many companies and organizations have already appreciated the convenience of working in this format.

According to the law of the Russian Federation, every citizen has the right to use an electronic signature when using public services (for example, signing an electronic application to the authorities).

Online bidding is another interesting area in which electronic signatures are actively used. The signature confirms that a real person is participating in the auction and that their proposals can be considered reliable. It is also important that any contract concluded with the help of electronic instruments has legal force.

Electronic Signature Algorithms

  • Full Domain Hash (FDH) and the Public Key Cryptography Standards (PKCS). The latter is a whole group of standard algorithms for various situations.
  • DSA and ECDSA - the standards for creating electronic signatures in the United States.
  • GOST R 34.10-2012 - the standard for creating ES in the Russian Federation. This standard replaced GOST R 34.10-2001, which officially ceased to apply after December 31, 2017.
  • The Eurasian Union uses standards that are completely similar to the Russian ones.
  • STB 34.101.45-2013 - the Belarusian standard for electronic digital signatures.
  • DSTU 4145-2002 - the standard for creating electronic signatures in Ukraine; and many others.

Electronic digital signature

It is also worth noting that ES algorithms differ in purpose and goals:

  • Group electronic signature.
  • A one-time digital signature.
  • Trusted EP.
  • Qualified and unqualified signature, etc.
