Cryptographic tools. Overview of the legislation of the Russian Federation: Cryptography. What are cryptographic tools

On the import into the customs territory of the Eurasian Economic Union and the export from the customs territory of the Eurasian Economic Union of encryption (cryptographic) means

List of categories of goods that are encryption (cryptographic) means or contain encryption (cryptographic) means, the technical and cryptographic characteristics of which are subject to notification

1. Goods containing in their composition encryption (cryptographic) means having any of the following components:

1) a symmetric cryptographic algorithm using a cryptographic key with a length not exceeding 56 bits;

2) an asymmetric cryptographic algorithm based on any of the following methods:

factorization of integers, the size of which does not exceed 512 bits;

calculation of discrete logarithms in the multiplicative group of a finite field, the size of which does not exceed 512 bits;

discrete logarithm in the group of a finite field other than the field specified in the third paragraph of this subclause, the size of which does not exceed 112 bits.

Notes: 1. Parity bits are not included in the key length.

2. The term "cryptography" does not refer to fixed methods of data compression or encoding.

2. Goods containing encryption (cryptographic) means with the following limited functions:

1) authentication, which includes all aspects of access control, where there is no encryption of files or texts, with the exception of encryption, which is directly related to the protection of passwords, personal identification numbers or similar data to protect against unauthorized access;

Note. The authentication and electronic digital signature (electronic signature) functions include an associated key distribution function.

3. Encryption (cryptographic) tools that are components of software operating systems, the cryptographic capabilities of which cannot be changed by users, which are designed to be installed by the user on their own without further significant support from the supplier, and the technical documentation for which (description of cryptographic transformation algorithms, interaction protocols, description of interfaces, etc.) is available to the user.

4. Personal smart cards (smart cards):

1) whose cryptographic capabilities are limited by their use in the categories of goods (products) specified in paragraphs 5-8 of this list;

2) for wide public use, the cryptographic capabilities of which are not available to the user and which, as a result of special development, have limited capabilities for protecting personal information stored on them.

Note. If a personal smart card (smart card) can perform several functions, the control status of each of the functions is determined separately.

5. Reception equipment for radio broadcasting, commercial television or similar commercial equipment for broadcasting to a limited audience without digital encryption, except when encryption is used solely to manage video or audio channels, send bills, or return program-related information to broadcast providers.

6. Equipment, the cryptographic capabilities of which are not available to the user, specially designed and limited for use in any of the following ways:

1) the software is executed in a copy-protected form;

2) access to any of the following:

copy-protected content stored on a read-only electronic storage medium;

information stored in encrypted form on electronic media that are offered for sale to the public in identical sets;

3) control of copying audio and video information protected by copyright.

7. Encryption (cryptographic) equipment specially designed and limited to banking or financial transactions.

Note. Financial transactions include, but are not limited to, fees and charges for transport services and loans.

8. Civilian portable or mobile radio-electronic equipment (for example, for use in commercial civil cellular radio communication systems) that is not capable of end-to-end encryption (from subscriber to subscriber).

9. Wireless radio-electronic equipment that encrypts information only in the radio channel with a maximum range of wireless operation without amplification and retransmission of less than 400 m in accordance with the manufacturer's specifications.

10. Encryption (cryptographic) means used to protect technological channels of information and telecommunication systems and communication networks.

11. Products whose cryptographic function is blocked by the manufacturer.

12. Other goods that contain encryption (cryptographic) means other than those specified in paragraphs 1-11 of this list and meet the following criteria:

1) are publicly available for sale to the public in accordance with the legislation of the member state of the Eurasian Economic Union without restrictions from the available assortment at retail outlets through any of the following:

sales for cash;

sales by ordering goods by mail;

electronic transactions;

telephone sales;

2) encryption (cryptographic) functionality of which cannot be changed by the user in a simple way;

3) are designed to be installed by the user without further substantial support from the supplier;

4) technical documentation confirming that the goods comply with the requirements of subparagraphs 1 - 3 of this paragraph, is placed by the manufacturer in the public domain and is submitted, if necessary, by the manufacturer (a person authorized by him) to the coordinating body at his request.

Data encryption mechanisms for ensuring the information security of society consist of the cryptographic protection of information by means of encryption.

Cryptographic methods of information protection are used to process, store and transmit information on media and over communication networks.

Cryptographic protection of information during data transmission over long distances is the only reliable encryption method.

Cryptography is a science that studies and describes the information security model of data. Cryptography opens up solutions to many network security problems: authentication, confidentiality, integrity, and control of interacting participants.

The term "encryption" means the transformation of data into a form that is not readable by humans and software systems without an encryption-decryption key. Cryptographic methods provide means of information security, so they are part of the concept of information security.

The goals of information security ultimately boil down to ensuring the confidentiality of information and protecting information in computer systems in the process of transmitting information over a network between users of the system.

Confidential information protection based on cryptographic information protection encrypts data using a family of reversible transformations, each of which is described by a parameter called a "key" and an order that determines the order in which each transformation is applied.

The most important component of the cryptographic method of protecting information is the key, which is responsible for choosing the transformation and the order in which it is performed. The key is a certain sequence of characters that configures the encryption and decryption algorithm of the cryptographic information protection system. Each such transformation is uniquely determined by a key that defines a cryptographic algorithm that provides information protection and information security of the information system.

The same cryptographic information protection algorithm can operate in different modes, each of which has certain advantages and disadvantages that affect the reliability of Russia's information security and information security tools.

Symmetric or secret cryptography methodology.

In this methodology, the sender and the recipient use the same key for encryption and decryption, agreed upon in advance, before the cryptographic protection is used.

In the case where the key has not been compromised, the decryption process will automatically authenticate the author of the message, since only he has the key to decrypt the message.

Thus, programs for protecting information with cryptography assume that the sender and addressee of the message are the only persons who can know the key, and its compromise will affect the interaction of only these two users of the information system.

Key distribution is therefore a problem for any cryptosystem of this kind: symmetric keys must be distributed between users safely, so the protection of the computer networks over which the keys are transmitted must be at a high level.

Any symmetric encryption algorithm of the hardware-software information security cryptosystem uses short keys and performs encryption very quickly, despite large amounts of data, which satisfies the purpose of information protection.

Symmetric key systems are used in the following order:

· First, a symmetric key is created, distributed and stored;

· Next, the sender creates an electronic signature by applying a hash function to the text and adding the resulting hash string to the text;

· The sender applies a fast symmetric encryption algorithm, together with the symmetric key, to the message packet and the electronic signature, which authenticates the user of the encryption system;

· The encrypted message can be transmitted even over unsecured communication channels, although a protected channel is preferable. The symmetric key, however, must always be transmitted over communication channels protected by software and hardware means;

· The recipient uses the same symmetric algorithm and the same symmetric key to decrypt the packet, which makes it possible to restore the text of the original message and the sender's electronic signature;

· The recipient separates the electronic signature from the text of the message;

· The recipient compares the electronic signature received earlier with the one obtained now to check the integrity of the message and the absence of distorted data in it, which is called the integrity of data transmission.
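The symmetric procedure above, end to end, as an added example that is not part of the original article. It assumes SHA-256 as the hash function and, because the Python standard library has no block cipher, uses a stand-in stream cipher built from HMAC-SHA256 in counter mode in place of a real symmetric algorithm; the function names are hypothetical.

```python
import hashlib
import hmac
import secrets

HASH_LEN = hashlib.sha256().digest_size   # 32-byte hash string appended to the text
NONCE_LEN = 16                            # fresh per message, sent in the clear


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in cipher keystream (assumption of this example, not a standard)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256)
        out += block.digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def sender_protect(key: bytes, text: bytes) -> bytes:
    """Sender side: hash the text, append the hash, encrypt the whole packet."""
    packet = text + hashlib.sha256(text).digest()
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _xor(packet, _keystream(key, nonce, len(packet)))


def recipient_open(key: bytes, wire: bytes) -> bytes:
    """Recipient side: decrypt, separate the hash, recompute and compare."""
    if len(wire) < NONCE_LEN + HASH_LEN:
        raise ValueError("message too short")
    nonce, body = wire[:NONCE_LEN], wire[NONCE_LEN:]
    packet = _xor(body, _keystream(key, nonce, len(body)))
    text, received = packet[:-HASH_LEN], packet[-HASH_LEN:]
    computed = hashlib.sha256(text).digest()
    # Constant-time comparison of the received and recomputed hash strings.
    if not hmac.compare_digest(received, computed):
        raise ValueError("integrity check failed")
    return text


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)          # agreed in advance, kept secret
    wire = sender_protect(shared_key, b"constructed sample message")
    print(recipient_open(shared_key, wire))

    damaged = bytearray(wire)
    damaged[NONCE_LEN] ^= 0x01                    # one bit distorted in transit
    try:
        recipient_open(shared_key, bytes(damaged))
    except ValueError as exc:
        print("rejected:", exc)
```

A production system would use a vetted cipher with an authenticated mode or a keyed MAC instead of this stand-in cipher and a bare hash inside the packet.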

Open asymmetric methodology for information security.

In this methodology, the encryption and decryption keys are different, although they are created together. One key is distributed publicly, and the other is transmitted secretly, because data encrypted with one key can only be decrypted with the other.

All asymmetric cryptographic means of protecting information are targets of attacks by direct enumeration of keys. Therefore long keys are used, so that enumerating the keys takes so long that breaking the system loses any sense.

To avoid the slowness of asymmetric encryption algorithms, a temporary symmetric key is created for each message, and only this key is encrypted with the asymmetric algorithm.

Asymmetric keys are used in the following order:

· Asymmetric public keys are created and publicly distributed. The secret asymmetric key is sent to its owner, and the public asymmetric key is stored in a database and administered by the certificate issuing center, which is controlled by an information security specialist. Both users must trust that such a system securely creates, administers and distributes the keys used by the entire organization. Moreover, if the individual steps are performed by different persons, the recipient of a secret message must believe that the creator of the keys destroyed their copy and did not provide these keys to anyone else.

· Next, an electronic signature of the text is created, and the resulting value is encrypted with an asymmetric algorithm using the sender's secret key. The resulting character string is added to the text that will be transmitted (only the sender can create the electronic signature).

· Then the problem of transferring the session key to the recipient is solved.

· Next, the sender must obtain the asymmetric public key of the certificate issuing authority. The interception of unencrypted requests for a public key is the most common attack by crackers. That is why a system of certificates confirming the authenticity of the public key can be implemented.

Thus, encryption algorithms involve the use of keys, which allows you to 100% protect data from those users who do not know the key.

Information protection in local networks and information protection technologies along with confidentiality are required to ensure the integrity of information storage. That is, the protection of information in local networks must transmit data in such a way that the data remains unchanged during transmission and storage.

In order for the information security of information to ensure the integrity of data storage and transmission, it is necessary to develop tools that detect any distortion of the original data, for which redundancy is added to the original information.

Information security in Russia with cryptography solves the issue of integrity by adding some kind of checksum or check pattern to calculate the integrity of the data. So again the information security model is cryptographic - key dependent. According to the assessment of information security based on cryptography, the dependence of the ability to read data on the secret key is the most reliable tool and is even used in state information security systems.

As a rule, an audit of the information security of an enterprise, for example, the information security of banks, pays special attention to the probability of successfully imposing distorted information, and cryptographic protection of information makes it possible to reduce this probability to a negligible level. A similar information security service calls this probability a measure of the imitation resistance of a cipher, or the ability of encrypted data to withstand an attack by a hacker.

Information protection against viruses or economic information protection systems must necessarily support user authentication in order to identify a regulated user of the system and prevent an intruder from entering the system.

Verification and confirmation of the authenticity of user data in all areas of information interaction is an important integral problem of ensuring the reliability of any information received and the information security system in the enterprise.

In the information security of banks, the problem of distrust between the parties interacting with each other is particularly acute: the concept of information security of an IS includes not only an external threat from a third party, but also a threat to information security from users.

Digital signature

Sometimes IS users want to repudiate previously accepted obligations and try to change previously created data or documents. The doctrine of information security of the Russian Federation takes this into account and stops such attempts.

Protecting confidential information using a single key is impossible in a situation where one user does not trust the other, because the sender can then refuse that the message was transmitted at all. Further, despite the protection of confidential information, the second user can modify the data and attribute authorship to another user of the system. Naturally, whatever the software protection of information or engineering protection of information, the truth cannot be established in this dispute.

A digital signature in such a system of information protection in computer systems is a panacea for the problem of authorship. The protection of information in computer systems with a digital signature contains 2 algorithms: for calculating the signature and for verifying it. The first algorithm can be executed only by the author, and the second one is in the public domain so that everyone can check the correctness of the digital signature at any time.

Cryptographic information security tools are based on the use of data encryption principles.

Encryption is a reversible transformation of information in order to hide it from unauthorized persons, while maintaining access to data for authorized users.

Encryption is used:

  • to hide information from unauthorized users during transmission, storage and prevention of changes;
  • authentication of the data source and prevention of the refusal of the sender of information from the fact of sending;
  • confidentiality of the transmitted information, i.e. its availability only for authorized users who have a certain authentic (valid, genuine) key.

Thus, with the help of encryption, the mandatory categories of information security are provided: confidentiality, integrity, availability, and identifiability.

Encryption is implemented by two data transformation processes - encryption and decryption using a key. According to GOST 28147-89 “Information processing systems. Cryptographic protection. Cryptographic transformation algorithm”, the key is a specific secret state of some parameters of the cryptographic transformation algorithm, which ensures the choice of one transformation from the set of transformations possible for a given algorithm.

Encryption key - a unique element for changing the results of the encryption algorithm: the same source data using different keys will be encrypted in different ways.

To decrypt encrypted information, the receiving party needs a key and a decryptor - a device that implements data decryption. Depending on the number of keys used for encryption processes, there are two encryption methods:

  • symmetrical - the use of the same key for both encryption and decryption of data;
  • asymmetric - two different keys are used: one for encryption (public), the other for decryption (private).

The data transformation procedures using the key constitute the encryption algorithm. The most popular at present are the following cryptographically strong encryption algorithms described in state standards: GOST 28147-89 (Russia), AES (Advanced Encryption Standard, USA) and RSA (USA). However, despite the high complexity of these encryption algorithms, any of them can be cracked by searching through all possible key options.

The concept of "encryption" is basic for another cryptographic means of providing information security - a digital certificate.

Digital certificate - an electronic or printed document issued by a certification authority (certificate authority) confirming the ownership of a public key or any attributes by the owner.

A digital certificate consists of 2 keys: public and private. The public part is used to encrypt traffic from the client to the server in a secure connection, and the private part is used to decrypt the encrypted traffic received from the client on the server. After the public/private pair is generated, a certificate request to the Certification Authority is generated on the basis of the public key. In response, the certification authority sends a signed digital certificate, while verifying the identity of the client - the certificate holder.

A certification authority (certifying authority, CA) is a party (department, organization) whose honesty is undeniable, and whose public key is widely known. The main task of the certification authority is to authenticate encryption keys using digital certificates (electronic signature certificates) by:

  • provision of services for certification of digital certificates (electronic signature certificates);
  • maintenance of public key certificates;
  • obtaining and verifying information on the conformity of the data specified in the key certificate and the submitted documents.

Technically, the CA is implemented as a component of the global directory service responsible for managing users' cryptographic keys. Public keys and other information about users are stored by certification authorities in the form of digital certificates.

The main means of ensuring the IS of electronic documents in modern IS is their protection with the help of an electronic (electronic digital) signature.

Electronic signature (ES) - details of an electronic document obtained as a result of cryptographic transformation of information using a private key, which make it possible to establish the absence of data distortion from the moment the signature was generated and to verify that the signature belongs to the owner of the digital certificate (ES key certificate).

The electronic signature is intended to identify the person who signed the electronic document, and is a full replacement (analogue) of a handwritten signature in cases provided for by law. The use of an ES provides:

  • control of the integrity of the transferred document: in case of any accidental or intentional change of the document, the signature will become invalid, since it is calculated based on the initial state of the document and corresponds only to it;
  • protection against changes (forgery) of the document due to the guarantee of forgery detection during data integrity control;
  • conclusive confirmation of the authorship of the document, since the private key of the ES is known only to the owner of the corresponding digital certificate (fields can be signed: "author", "changes made", "time stamp", etc.).

Since the implementation of the ES is based on the application of the principles of data encryption, there are two options for constructing the ES:

  • based on symmetric encryption algorithms, which provides for the presence in the system of a third party (arbitrator) who is trusted by both parties. Authorization of the document is the very fact of encrypting it with a secret key and passing it to the arbiter;
  • based on asymmetric encryption algorithms - the most common in modern ISs: schemes based on the RSA encryption algorithm (Full Domain Hash, Probabilistic Signature Scheme, PKCS #1), ElGamal, Schnorr, Diffie-Hellman, the Pointcheval-Stern signature algorithm, the probabilistic Rabin signature scheme, Boneh-Lynn-Shacham, Goldwasser-Micali-Rivest, schemes based on the ECDSA elliptic curve apparatus, and national cryptographic standards: GOST R 34.10-2012 (Russia), DSTU 4145-2002 (Ukraine), STB 1176.2-99 (Belarus), DSA (USA).

At the moment, the main domestic standard regulating the concept of ES is GOST R 34.10-2012 “Information technology. Cryptographic protection of information. Processes of formation and verification of electronic digital signature”.

As a rule, the implementation of ES in IS is carried out by including in their composition special modular components containing certified cryptographic data protection tools: CryptoPro CSP, SignalCom CSP, Verba OW, Domain-K, Avest, Genkey and others certified by FAPSI (Federal Agency for Government Communications and Information under the President of the Russian Federation) and meeting the Microsoft Crypto API specifications.

Microsoft CryptoAPI is a Windows application programming interface that contains a standard set of functions for working with a cryptographic provider. Included in Microsoft Windows operating systems (since 2000).

CryptoAPI allows you to encrypt and decrypt data, supports working with asymmetric and symmetric keys, as well as digital certificates. The set of supported cryptographic algorithms depends on the specific cryptographic provider.

A Cryptographic Service Provider (CSP) is an independent module for performing cryptographic operations on Microsoft operating systems, driven through CryptoAPI functions. Thus, a crypto provider is an intermediary between the operating system, which can manage it using standard CryptoAPI functions, and the executor of cryptographic operations, such as an application IS or hardware.

According to the legislation of the EAEU, encryption (cryptographic) means (hereinafter - ShKS) are “hardware, software and hardware-software, systems and complexes that implement algorithms for cryptographic transformation of information and are designed to protect information from unauthorized access during its transmission over communication channels and (or) during its processing and storage”.

This definition is very abstract, and therefore the attribution or non-attribution of a particular product to ShKS can cause significant difficulties.

List of products related to ShKS

The Regulations on the import (export) of ShKS contain a list of functions (components) that a product must contain in order for it to be considered ShKS:

  • means of imitation protection
  • means of electronic digital signature
  • means of coding
  • means of making cryptographic keys
  • the cryptographic keys themselves
  • systems, equipment and components designed or modified to perform cryptanalytic functions
  • systems, equipment and components designed or modified to use cryptographic techniques for generating spreading code for spread spectrum systems, including code hopping for frequency hopping systems
  • systems, equipment and components designed or modified to apply cryptographic channelization techniques or scrambling codes for time-modulated ultra-wideband systems.

However, in practice it often happens that the customs authorities, guided by the list from section 2.19 (or even only by the TN VED code from the list), decide that the imported product is an encryption tool (regardless of whether it actually contains encryption or not). In this case, the importer will have to obtain permits or prove to customs that the product is not an encryption tool.

Import (export) procedure

Depending on the customs procedure for the import (export) of ShKS, it is necessary to issue various types of documents:

12 categories

In practice, the vast majority of goods with an encryption function are imported on the basis of a notification.

Notification can be registered only for goods belonging to one or more of the 12 categories of cryptographic means, the technical and cryptographic characteristics of which are subject to notification. This list is given in the Regulation on Notification.

Category #1

1. Goods containing in their composition encryption (cryptographic) means having any of the following components: 1) a symmetric cryptographic algorithm using a cryptographic key with a length not exceeding 56 bits; 2) an asymmetric cryptographic algorithm based on any of the following methods: factorization of integers, the size of which does not exceed 512 bits; calculation of discrete logarithms in the multiplicative group of a finite field, the size of which does not exceed 512 bits; discrete logarithm in the group of a finite field other than the field specified in the third paragraph of this subclause, the size of which does not exceed 112 bits.

ShKS of this category perform various cryptographic functions, but the determining factor for this category is the length of the cryptographic key. The indicated key lengths are significantly less than the recommended minimum values for the corresponding groups of algorithms. The use of such short cryptographic keys makes it possible on modern equipment to crack encrypted messages using the brute force method.

Symmetric encryption is mainly used to ensure data confidentiality, and is based on the fact that the sender and recipient of information use the same key to both encrypt messages and decrypt them. This key must be kept secret and transmitted in a way that prevents it from being intercepted. Examples of symmetric encryption algorithms: RC4, DES, AES.

Of the algorithms listed, only DES (considered obsolete) definitely falls into category 1; also, the RC4 algorithm can sometimes be used with short keys (for example, in the WEP protocol of Wi-Fi communication technology: the key length is 40 or 128 bits).

In asymmetric encryption algorithms (or public-key cryptography) one key (public) is used to encrypt information, and another key (secret) is used to decrypt information. These algorithms are widely used to establish secure connections over open communication channels and for the purposes of digital signature. Examples of algorithms: RSA, DSA, Diffie-Hellman Protocol, GOST R 34.10-2012.

The specified methods relate to the mathematical basis for the functioning of asymmetric algorithms:

  • factorization of integers - RSA algorithm
  • calculation of discrete logarithms in the multiplicative group of a finite field - DSA, Diffie-Hellman, ElGamal algorithms
  • discrete logarithm in the group of a finite field other than the field specified in the third paragraph of this subclause - algorithms on elliptic curves: ECDSA, ECDH, GOST R 34.10-2012.

Examples of notified ShKS: theoretically, any product can use outdated algorithms, or short keys in modern algorithms. In practice, however, this makes little sense, since it does not provide an adequate level of protection. One real-world example would be Wi-Fi in WEP mode with a 40-bit key.
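A key-length audit against the category 1 limits, as an added example that is not part of the original article or of any regulation. It reads the thresholds literally (inclusive limits, parity bits excluded) and uses the algorithm-to-method mapping given above; the descriptor format NAME-BITS[/pPARITY], the short name DH for Diffie-Hellman and the sample inventory are assumptions of this example.

```python
import re

# Category 1 upper limits in bits (inclusive), as stated in the list.
LIMITS = {
    "symmetric": 56,
    "factorization": 512,
    "dlog_finite_field": 512,
    "dlog_other_group": 112,
}

# Algorithm -> mathematical basis, following the mapping in the text.
BASIS = {
    "DES": "symmetric", "RC4": "symmetric", "AES": "symmetric",
    "RSA": "factorization",
    "DSA": "dlog_finite_field", "DH": "dlog_finite_field",
    "ELGAMAL": "dlog_finite_field",
    "ECDSA": "dlog_other_group", "ECDH": "dlog_other_group",
}

# Hypothetical descriptor format: NAME-BITS, optionally /pN for N parity bits.
DESCRIPTOR = re.compile(
    r"^(?P<name>[A-Za-z0-9]+)-(?P<bits>\d+)(?:/p(?P<parity>\d+))?$"
)


def classify(descriptor: str) -> dict:
    """Return the effective key size and whether it is within category 1."""
    m = DESCRIPTOR.match(descriptor.strip())
    if not m:
        raise ValueError(f"unparseable descriptor: {descriptor!r}")
    name = m["name"].upper()
    basis = BASIS.get(name)
    if basis is None:
        raise ValueError(f"unknown algorithm: {name}")
    # Note 1 of the list: parity bits are not included in the key length.
    effective = int(m["bits"]) - int(m["parity"] or 0)
    if effective <= 0:
        raise ValueError(f"non-positive key length: {descriptor!r}")
    return {
        "algorithm": name,
        "basis": basis,
        "effective_bits": effective,
        "category_1": effective <= LIMITS[basis],
    }


def audit(descriptors):
    """Classify every descriptor; unknown entries are reported, never passed."""
    results, rejected = [], []
    for d in descriptors:
        try:
            results.append(classify(d))
        except ValueError as exc:
            rejected.append((d, str(exc)))
    return results, rejected


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    inventory = ["DES-64/p8", "RC4-40", "RC4-128", "AES-128", "RSA-512",
                 "RSA-2048", "DH-1024", "ECDSA-256", "3DES-192/p24"]
    results, rejected = audit(inventory)
    for r in results:
        flag = "category 1" if r["category_1"] else "above limit"
        print(f'{r["algorithm"]:6} {r["effective_bits"]:5} bits  {flag}')
    for d, reason in rejected:
        print("needs manual review:", d, "-", reason)
```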

Category #2

2. Products containing encryption (cryptographic) means with the following limited functions: 1) authentication, which includes all aspects of access control, where there is no encryption of files or texts, with the exception of encryption, which is directly related to the protection of passwords, personal identification numbers or such data to protect against unauthorized access;

Authentication of a user within this category involves comparing the password or other similar identifying data entered by the user with information stored in the database of authorized users. The encryption itself consists of protecting the user's secret data from copying and illegal use while it is transmitted from the authentication object (the user) to the controlling device.

Examples of notified BCS: devices for access control and management systems - password readers, devices for storing and creating databases of authorized users, network authentication devices - gateways, routers, etc., devices that protect the information stored on them - hard drives with a password-restricted access function.

2) electronic digital signature (electronic signature).

The signing process is implemented by cryptographic transformation of information using the private signature key. It makes it possible to check that the information in the electronic document has not been distorted since the signature was formed (integrity), that the signature belongs to the owner of the signature key certificate (authorship), and, in case of successful verification, to confirm the fact of signing the electronic document (non-repudiation).

Examples of notified BCS: EDS generators, software for maintenance and implementation of the EDS application mechanism, EDS key information storage devices.

Category #3

3. Encryption (cryptographic) tools that are components of software operating systems, the cryptographic capabilities of which cannot be changed by users, which are designed to be installed by the user on their own without further significant support from the supplier and the technical documentation (description of cryptographic transformation algorithms, interaction protocols, description of interfaces, etc.) for which is available to the user.

An operating system is a set of interrelated programs designed to manage computer resources and organize user interaction.

Examples of notified BCS: operating systems and software systems based on them.

Category #4

4. Personal smart cards (smart cards): 1) whose cryptographic capabilities are limited by their use in the categories of goods (products) specified in paragraphs 5 - 8 of this list; 2) for wide public use, the cryptographic capabilities of which are not available to the user and which, as a result of special development, have limited capabilities for protecting personal information stored on them.

Smart cards are plastic cards with a built-in microchip. In most cases, smart cards contain a microprocessor and an operating system that controls the device and controls access to objects in its memory.

Examples of notified BCS: SIM cards for access to the services of mobile operators, bank cards equipped with a microprocessor chip, smart cards for identifying their owner.

Category #5

5. Reception equipment for radio broadcasting, commercial television or similar commercial equipment for broadcasting to a limited audience without digital encryption, except when encryption is used solely to manage video or audio channels, send bills, or return program-related information to broadcast providers.

This category refers to products intended to provide the user with access to paid encrypted digital satellite, terrestrial and cable TV channels and radio stations (radio channels) (examples of standards: DVB-CPCM, DVB-CSA).

Examples of notified BCS: TV tuners, TV signal receivers, satellite TV receivers.

Category #6

6. Equipment, the cryptographic capabilities of which are not available to the user, specially designed and limited for use in any of the following ways: 1) the software is executed in a copy-protected form; 2) access to any of the following: copy-protected content stored on a read-only electronic storage medium; information stored in encrypted form on electronic media that are offered for sale to the public in identical sets; 3) control of copying audio and video information protected by copyright.

Examples of notified BCS: Game consoles, games, software, etc.

Category #7

7. Encryption (cryptographic) equipment specially designed and limited to banking or financial transactions.

Goods in this category must be a hardware device, i.e. have the finished form of banking equipment, the use of which does not require additional assembly or modification, except for the purposes of modernization.

Examples of notified BCS: ATMs, payment terminals, pin-pads (bank cards are classified as category No. 4).

Category #8

8. Civilian portable or mobile radio-electronic equipment (for example, for use in commercial civil cellular radio communication systems) that is not capable of end-to-end encryption (from subscriber to subscriber).

This category includes all mobile cellular communication devices operating in the GSM, GPRS, EDGE, UMTS, LTE standards, as well as some radio stations. The main functional requirement for products of this category is that they are not capable of end-to-end encryption, i.e. communication between subscribers must be carried out through a relay device.

Examples of notified BCS: Mobile communication devices and devices incorporating cellular communication modules of the above standards, radio stations.

Category #9

9. Wireless radio-electronic equipment that encrypts information only in the radio channel with a maximum range of wireless operation without amplification and retransmission of less than 400 m in accordance with the manufacturer's specifications.

This includes most devices that may otherwise be referred to as "short-range radio-electronic means". Encryption occurs when transmitting / receiving information over a wireless radio channel in order to protect it from interception and to keep unauthorized users out of the communication network. As you know, most wireless data transfer standards support such protection: Wi-Fi, Bluetooth, NFC, sometimes RFID.

Examples of notified BCS: routers, access points, modems, devices containing short-range wireless radio communication modules, contactless access / payment / identification cards.

Category #10

10. Encryption (cryptographic) means used to protect technological channels of information and telecommunication systems and communication networks.

This category describes products that are network devices that perform switching and service functions. As a rule, most of these devices support simple network management protocols that allow you to monitor the network status, its performance, and also send commands from the network administrator to its various nodes.

Examples of notified BCS: Servers, switches, network platforms, gateways.

Category #11

11. Products whose cryptographic function is blocked by the manufacturer.

This category can be represented by completely different types of devices for different purposes and applications. The decisive factor for classifying such goods in category No. 11 is the presence of pre-installed software or hardware that deliberately blocks the cryptographic functions performed by the product.

Category #12

12. Other goods that contain encryption (cryptographic) means other than those specified in paragraphs 1 - 11 of this list and meet the following criteria: 1) are publicly available for sale to the public in accordance with the legislation of a member state of the Eurasian Economic Union from available stock at retail outlets through any of the following: cash sales; sales by ordering goods by mail; electronic transactions; telephone sales; 2) encryption (cryptographic) functionality of which cannot be changed by the user in a simple way; 3) are designed to be installed by the user without further substantial support from the supplier; 4) technical documentation confirming that the goods comply with the requirements of subparagraphs 1 - 3 of this paragraph, is placed by the manufacturer in the public domain and is submitted, if necessary, by the manufacturer (a person authorized by him) to the coordinating body at his request.

It should be noted that, in practice, the CLSZ of the FSB of Russia imposes increased requirements on the submission of materials for registration of notifications for goods of this category. Specifically, all the listed criteria must be confirmed (by links to the manufacturer's website with information in Russian, or by documents).

The most common categories of BCS

In the Unified Register, for each notification, there is a list of categories to which the goods are assigned. This information is encoded in the field "Identifier": the field is a 12-digit code, and if the product belongs to the category with number N from the list above, then the number 1 will be in position N in the code, otherwise it will be 0.

For example, code 110000000110 indicates that the goods were notified in categories Nos. 1, 2, 10 and 11.
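The identifier format described above can be decoded and tallied as follows. This is an added example, not code from the Unified Register or the original article; the function names and the sample identifiers are constructed for illustration.

```python
from collections import Counter

CATEGORY_COUNT = 12  # categories No. 1 to No. 12 from the list above

# Constructed sample identifiers, not taken from the Unified Register.
SAMPLE_CODES = ["110000000110", "000000001000", "010000001000", "000000001100"]


def decode_identifier(code: str) -> list[int]:
    """Return the category numbers flagged in a 12-digit identifier."""
    code = code.strip()
    if len(code) != CATEGORY_COUNT or set(code) - {"0", "1"}:
        # A shorter value usually means leading zeros were lost when the
        # field was stored as a number; reject it instead of guessing.
        raise ValueError(f"expected {CATEGORY_COUNT} digits of 0/1, got {code!r}")
    # Position N, counted from 1 and from the left, is the flag for category N.
    return [n for n, flag in enumerate(code, start=1) if flag == "1"]


def encode_identifier(categories) -> str:
    """Build the 12-digit identifier for a set of category numbers."""
    wanted = set(categories)
    if not wanted <= set(range(1, CATEGORY_COUNT + 1)):
        raise ValueError(f"category numbers must be 1..{CATEGORY_COUNT}")
    return "".join("1" if n in wanted else "0"
                   for n in range(1, CATEGORY_COUNT + 1))


def category_shares(codes) -> dict[int, float]:
    """Percentage of notifications that list each category, most common first."""
    codes = list(codes)
    counts = Counter()
    for code in codes:
        counts.update(decode_identifier(code))
    return {cat: round(100 * n / len(codes), 2)
            for cat, n in counts.most_common()}


if __name__ == "__main__":
    print(decode_identifier("110000000110"))
    for cat, share in category_shares(SAMPLE_CODES).items():
        print(f"category No. {cat}: {share}%")
```
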

It is interesting to look at the usage statistics of different categories.

As can be seen from the diagram, the most common cryptographic function in BCS is data encryption in a short-range wireless radio channel (Wi-Fi, Bluetooth) - 27% of the total number of registered BCS, which is logical given the volume of mobile communication devices, personal computers and other technical devices produced with modules that support these communication technologies.

The second place is occupied by BCS that support the functions of authentication and control of access to protected information - 19.5%. This trend is also easily explained by the increased standards and consumer demands for the protection of personal information both on physical media (hard drives, USB flash drives, servers, etc.) and on network media (cloud storage, network data banks, etc.). In addition, it is worth noting that the vast majority of BCS used in access control systems (better known as ACS) also perform cryptographic functions related to category No. 2.

Since networking is an integral part of the functioning of any information system, the administration of the communication network is implemented in network control devices. The security of the control interface organized by these devices is implemented through the use of encryption mechanisms for technological communication channels, which is the basis for classifying this kind of BCS in category No. 10, the third most common - 16%.

It is also important to note that the least common BCS functions fall into categories No. 5 (0.28%), No. 12 (0.29%) and No. 7 (0.62%). Products that implement these cryptographic functions are rare, and when registering with the CLSZ, their documentation is subjected to a more detailed analysis, because they are "not put on stream" and the sets of cryptographic protocols and algorithms used may be unique in each individual case. That is why it is necessary to pay maximum attention to the goods of these categories when drawing up the necessary documents, since otherwise the risk of refusal to register a notification is extremely high.

Means of cryptographic protection of information, or CIPF for short, are used to provide comprehensive protection of data that is transmitted over communication lines. This requires authorization and protection of the electronic signature, authentication of the communicating parties using the TLS and IPSec protocols, and, if necessary, protection of the communication channel itself.

In Russia, the use of cryptographic information security tools is mostly classified, so there is little publicly available information on this topic.

Methods used in CIPF

  • Authorization of data and ensuring the safety of their legal significance during transmission or storage. To do this, algorithms for creating and verifying an electronic signature are used in accordance with RFC 4357, together with certificates according to the X.509 standard.
  • Protection of data confidentiality and control of their integrity. Asymmetric encryption and imitation protection are used, that is, counteraction to data spoofing. This complies with GOST R 34.12-2015.
  • Protection of system and application software. Tracking unauthorized changes or malfunctions.
  • Management of the most important elements of the system in strict accordance with the adopted regulations.
  • Authentication of the parties exchanging data.
  • Connection protection using the TLS protocol.
  • Protection of IP connections using IKE, ESP, AH protocols.

The methods are described in detail in the following documents: RFC 4357, RFC 4490, RFC 4491.

CIPF mechanisms for information protection

  1. The confidentiality of stored or transmitted information is protected by the use of encryption algorithms.
  2. When establishing a connection, identification is provided by means of electronic signature when used during authentication (as recommended by X.509).
  3. The digital document flow is also protected by means of an electronic signature together with protection against imposition or repetition, while the reliability of the keys used to verify electronic signatures is monitored.
  4. The integrity of information is ensured by means of a digital signature.
  5. Using asymmetric encryption features helps protect data. In addition, hashing functions or imitation protection algorithms can be used to check the integrity of the data. However, these methods do not support determining the authorship of a document.
  6. Replay protection is provided by the cryptographic functions of the electronic signature used for encryption or imitation protection. At the same time, a unique identifier is added to each network session, long enough to exclude its accidental coincidence, and verification is implemented by the receiving party.
  7. Protection against imposition, that is, from penetration into communication from outside, is provided by means of electronic signature.
  8. Other protection - against implants (backdoors), viruses, operating system modifications, etc. - is provided through various cryptographic tools, security protocols, antivirus software and organizational measures.
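The replay protection in item 6 (a long unique identifier per session, checked by the receiving party, combined with imitation protection) can be sketched as follows. This is an added example, not code from any certified CIPF: HMAC-SHA-256 stands in for a GOST imitation protection algorithm, and the names `protect`, `Receiver` and `outcome` are hypothetical.

```python
import hashlib
import hmac
import secrets

ID_BYTES = 16   # 128-bit random identifier: accidental coincidence is negligible
TAG_BYTES = 32  # length of an HMAC-SHA-256 tag (assumed stand-in for a GOST MAC)


def protect(key: bytes, payload: bytes) -> bytes:
    """Sender: prepend a fresh identifier and append a MAC over both parts."""
    session_id = secrets.token_bytes(ID_BYTES)
    tag = hmac.new(key, session_id + payload, hashlib.sha256).digest()
    return session_id + payload + tag


class Receiver:
    """Receiving party: verifies the MAC, then rejects repeated identifiers."""

    def __init__(self, key: bytes):
        self._key = key
        self._seen = set()  # identifiers already accepted (in memory only)

    def accept(self, message: bytes) -> bytes:
        if len(message) < ID_BYTES + TAG_BYTES:
            raise ValueError("message too short")
        session_id = message[:ID_BYTES]
        payload = message[ID_BYTES:-TAG_BYTES]
        tag = message[-TAG_BYTES:]
        expected = hmac.new(self._key, session_id + payload,
                            hashlib.sha256).digest()
        # Check integrity first, in constant time, so that forged messages
        # can never add identifiers to the replay cache.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed")
        if session_id in self._seen:
            raise ValueError("replay detected")
        self._seen.add(session_id)
        return payload


def outcome(receiver: Receiver, message: bytes) -> str:
    """Return 'accepted' or the reason the receiver rejected the message."""
    try:
        receiver.accept(message)
        return "accepted"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed demo key
    receiver = Receiver(key)
    message = protect(key, b"transfer 100")
    print(outcome(receiver, message))      # first delivery
    print(outcome(receiver, message))      # same bytes sent again
    tampered = message[:ID_BYTES] + b"transfer 900" + message[-TAG_BYTES:]
    print(outcome(receiver, tampered))     # payload changed in transit
```
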

As you can see, electronic signature algorithms are a fundamental part of the means of cryptographic information protection. They will be discussed below.

Requirements when using CIPF

CIPF is aimed at protecting (by verifying an electronic signature) open data in various public information systems and ensuring their confidentiality (by verifying an electronic signature, imitation protection, encryption, hash verification) in corporate networks.

A personal means of cryptographic information protection is used to protect the user's personal data. However, special attention should be given to information relating to state secrets. By law, CIPF cannot be used to work with it.

Important: before installing the CIPF, the first step is to check the CIPF software package itself. Typically, the integrity of the installation package is verified by comparing its checksums with those received from the manufacturer.

After installation, you should determine the level of threat, on the basis of which you can determine the types of cryptographic information protection necessary for use: software, hardware and hardware-software. It should also be borne in mind that when organizing some CIPF, it is necessary to take into account the location of the system.

Protection classes

According to the order of the FSB of Russia dated July 10, 2014, number 378, which regulates the use of cryptographic means of protecting information and personal data, six classes are defined: KS1, KS2, KS3, KV1, KV2, KA1. The protection class for a particular system is determined from the analysis of data on the model of the intruder, that is, from an assessment of possible ways to hack the system. Protection in this case is built from software and hardware cryptographic information protection.

There are 3 types of actual threats (AC), as can be seen from the table:

  1. Threats of the first type are associated with undocumented features in the system software used in the information system.
  2. Threats of the second type are associated with undocumented features in the application software used in the information system.
  3. Threats of the third type are all the rest.

Undocumented features are functions and features of the software that are not described in the official documentation or do not correspond to it. That is, their use may increase the risk of violating the confidentiality or integrity of information.

For clarity, consider the intruder models that each class of cryptographic information protection tools is needed to counter:

  • KS1 - the intruder acts from the outside, without helpers inside the system.
  • KS2 - the intruder is an insider, but does not have access to the CIPF.
  • KS3 - the intruder is an insider who is a user of the CIPF.
  • KV1 - the intruder attracts third-party resources, such as cryptographic information protection specialists.
  • KV2 - the intruder is backed by an institute or laboratory working in the field of studying and developing cryptographic information protection tools.
  • KA1 - special services of states.

Thus, KS1 can be called the basic protection class. Accordingly, the higher the protection class, the fewer specialists capable of providing it. For example, in Russia, according to data for 2013, there were only 6 organizations that had a certificate from the FSB and were able to provide class KA1 protection.

Used algorithms

Consider the main algorithms used in cryptographic information protection tools:

  • GOST R 34.10-2001 and updated GOST R 34.10-2012 - algorithms for creating and verifying an electronic signature.
  • GOST R 34.11-94 and latest GOST R 34.11-2012 - algorithms for creating hash functions.
  • GOST 28147-89 and newer GOST R 34.12-2015 - implementation of data encryption and imitation protection algorithms.
  • Additional cryptographic algorithms are in RFC 4357.

Electronic signature

The use of cryptographic information protection tools cannot be imagined without the use of electronic signature algorithms, which are gaining more and more popularity.

An electronic signature is a special part of a document created by cryptographic transformations. Its main task is to detect unauthorized changes and determine authorship.

An electronic signature certificate is a separate document that proves the authenticity and ownership of an electronic signature by its owner using a public key. The certificate is issued by certification authorities.

The owner of the electronic signature certificate is the person in whose name the certificate is registered. It is associated with two keys: public and private. The private key allows you to create an electronic signature. The public key is intended to verify the authenticity of the signature due to the cryptographic relationship with the private key.

Types of electronic signature

According to Federal Law No. 63, an electronic signature is divided into 3 types:

  • simple electronic signature;
  • unqualified electronic signature;
  • qualified electronic signature.

A simple ES is created using passwords imposed on opening and viewing data, or similar means that indirectly confirm the owner.

An unqualified ES is created using cryptographic data transformations using a private key. This allows you to confirm the person who signed the document and to establish the fact that unauthorized changes have been made to the data.

Qualified and unqualified signatures differ only in that in the first case, the certificate for the ES must be issued by a certification center certified by the FSB.

Scope of electronic signature

The table below discusses the scope of ES.

ES technologies are most actively used in the exchange of documents. In the internal workflow, the ES acts as an approval of documents, that is, as a personal signature or seal. In the case of external document management, the presence of an ES is critical, as it is a legal confirmation. It is also worth noting that documents signed by ES can be stored indefinitely and not lose their legal significance due to factors such as erasable signatures, damaged paper, etc.

Reporting to regulatory authorities is another area in which electronic document management is growing. Many companies and organizations have already appreciated the convenience of working in this format.

According to the law of the Russian Federation, every citizen has the right to use ES when using public services (for example, signing an electronic application for authorities).

Online trading is another interesting area in which electronic signature is actively used. It is a confirmation of the fact that a real person is participating in the auction and his proposals can be considered reliable. It is also important that any contract concluded with the help of ES acquires legal force.

Electronic signature algorithms

  • Full Domain Hash (FDH) and Public Key Cryptography Standards (PKCS). The latter is a whole group of standard algorithms for various situations.
  • DSA and ECDSA are US digital signature standards.
  • GOST R 34.10-2012 - the standard for creating electronic signatures in the Russian Federation. This standard replaced GOST R 34.10-2001, which was officially terminated after December 31, 2017.
  • The Eurasian Union uses standards that are completely similar to those in Russia.
  • STB 34.101.45-2013 - Belarusian standard for digital electronic signature.
  • DSTU 4145-2002 - the standard for creating an electronic signature in Ukraine and many others.

It should also be noted that the algorithms for creating ES have different purposes and goals:

  • Group electronic signature.
  • One-time digital signature.
  • Trusted ES.
  • Qualified and unqualified signature, etc.