Hardware encryption

Today, three types of encryptors are most widely used for data encryption: hardware, software and hardware, and software. Their main difference lies not only in the method of implementing encryption and the degree of reliability of data protection, but also in price, which often becomes a determining factor for users. The cheapest encryption devices are software, then software and hardware comes and, finally, the most expensive hardware. Despite the fact that the price of hardware encoders is significantly higher than software, the difference in price is not comparable with a significant increase in the quality of information protection ^[1] .

A large number of data encryption tools are created as specialized physical devices. Software encoders are, as a rule, cheaper than hardware and, in some cases, capable of providing greater speed of information processing. The list of advantages of hardware encoders:

• a hardware random number generator creates truly random numbers to form strong encryption keys and a digital signature;
• hardware implementation of the cryptoalgorithm ensures its integrity;
• keys are encrypted and stored in the encoder board itself, and not in the computer’s RAM;
• the keys are loaded into the encryption device from Touch Memory (i-Button) electronic keys and smart cards directly, and not through the computer system bus and RAM, which eliminates the possibility of interception of keys;
• With the help of hardware encoders, you can implement computer access control systems and protect information from unauthorized access;
• the use of a specialized processor to perform all calculations relieves the central processor of the computer; You can also install multiple hardware encoders on one computer, which further enhances the speed of information processing (this advantage is inherent to encoders for the PCI bus);
• the use of paraphase bus when creating a cipher processor eliminates the risk of reading key information on electromagnetic radiation oscillations that occur when data is encrypted in the ground-to-power circuits of the device.
• data encryption is faster than in software and hardware encryption

When installing specialized encryption equipment on a computer, there will be fewer problems than adding data encryption functions to system software. In the best case, encryption should be done so that the user does not notice it. To do this with software, they must be hidden deep enough in the operating system. It is very difficult to do this operation painlessly with a debugged operating system. But any non-professional will be able to connect the encryption device to a personal computer or modem ^[2] .

The modern market offers 3 types of hardware to encrypt information to potential buyers.

• encryption blocks in communication channels
• self-contained encryption modules (they independently do all the work with the keys)
• cryptographic expansion cards for installation in personal computers

Almost all devices of the first two types are highly specialized. Therefore, it is necessary to thoroughly investigate the limitations that, during installation, these devices impose on the corresponding devices, application software and operating systems before making the final decision on their purchase. Otherwise, you can spend money in vain, not at all approaching the desired goal. However, there are companies that sell communication equipment with pre-installed hardware encryption devices, which sometimes makes it easier to choose.

Expansion cards for personal computers are a more universal means of hardware encryption and, as a rule, they are very easy to set up so that they encrypt all the information that is written to a hard disk or sent to ports and drives. Usually there is no protection against electromagnetic radiation in expansion cards for hardware encryption, since it is pointless to protect these cards if the entire computer is not protected in the same way.

Using a whole expansion card for hardware encryption alone is too wasteful. In addition to the encryption functions, manufacturers try to add various additional features to their devices, for example:

• Random number generator. It is necessary mainly for generating cryptographic keys. In addition, a large number of encryption algorithms apply them for other purposes. For example, the algorithm of electronic signature GOST R 34.10 - 2001: When calculating the signature, a new random number is used each time.
• Trusted download . Control input to the computer. Every time a user turns on a personal computer, the device will require him to enter personal information (for example, insert a diskette with keys). Only if the device recognizes the keys provided and considers them to be “their own”, will the download continue. Otherwise, the user will have to disassemble the computer and remove the encoder board from there in order to turn on the computer (however, as you know, the information on the hard disk can also be encrypted).
• Monitoring the integrity of the operating system files. The attacker will not be able to change anything in your absence in your absence. The encoder stores in its memory a list of all important files with pre-calculated checksums for each (or hash values), and the computer will be blocked if at the next boot does not match the checksum of at least one of the files.

A cryptographic data protection device (LADD) is an expansion card with all of the above possibilities. A hardware encryption device that controls the entrance to a personal computer and verifies the integrity of all files of the operating system is also called an “electronic lock”. It is clear that the analogy is not quite complete - conventional locks are much inferior to these intelligent devices. Although it is clear that the latter need software - it requires a utility that generates keys for users and stores their list for identifying "your / someone else's". In addition, a program is needed to select important files and calculate their checksums. Access to these applications is usually only available to the security administrator. He must configure all devices for users in advance, and if problems arise, he must sort out their causes.

USB ruToken encoder

ruToken is a Russian means of authentication and information protection using certified encryption and authentication algorithms and combining Russian and international security standards.

ruToken is a small electronic device that connects to the USB port of a computer (USB stick). It is an analogue of a smart card, but no additional hardware (reader) is required to work with it.

Authentication

• Replacing password protection when accessing databases, Web-servers, VPN-networks and security-oriented applications for software and hardware authentication;
• Secure connections when accessing mail servers, database servers, Web servers, file servers, remote access authentication.

Data protection

• Information security (encryption according to GOST 28147-89);
• Email protection (EDS, encryption);
• Protection of access to a computer (user authorization at the entrance to the operating system).

Corporate use

• In application programs in electronic commerce systems for storing service information, personal information of users, passwords, encryption keys, digital certificates and other confidential information;
• ruToken can act as a single identification device for user access to different elements of the corporate system and provide, for example, access control, automatic setting of EDS documents, etc.

Main characteristics of ruToken:

• Hardware encryption according to GOST 28147-89;
• ISO 7816 file system;
• 8, 16, 32, 64 or 128 KB non-volatile memory;
• PC / SC, PKCS # 11, MS CryptoAPI, X.509 support.

General specifications:

• Based on a secure microcontroller;
• USB interface (USB 1.1 / USB 2.0);
• EEPROM memory 8, 16, 32, 64 or 128 KB;
• 2-factor authentication (upon the presence of ruToken and upon the presentation of the PIN code);
• 32-bit unique serial number;
• Support for Windows 98 / ME / 2000 / XP / 2003 / Vista / 2008/7;
• Support of standards ISO / IEC 7816, PC / SC, GOST 28147-89, MS CryptoAPI and MS SmartcardAPI, PKCS # 11 (v.2.10 +);
• Own Crypto Service Provider and ICC Service Provider with standard sets of interfaces and API functions;
• The ability to integrate into any smartcard-oriented software products (e-mail-, internet-, payment systems, etc.).

ruToken has a built-in file system that meets ISO / IEC 7816. Transparent encryption of the entire file system according to GOST 28147-89 is provided based on data unique to each instance of ruToken.

Built-in encryption algorithm GOST 28147-89 allows you to encrypt data in the modes of simple replacement, gamming and gamming with feedback. ruToken produces 32-bit imitation according to GOST 28147-89 and generates 256-bit random numbers. Encryption keys are stored in ruToken securely, without the possibility of exporting them from ruToken. Import of encryption keys GOST 28147-89 is supported.

Additional features:

• X.509 standard support and RSA, DES (3DES), RC2, RC4, MD4, MD5, SHA-1 algorithms;
• Secure storage of asymmetric encryption keys and digital certificates and the ability to use ruToken for asymmetric data encryption and work with digital certificates from any smartcard-based PC / SC applications;
• Tested to work with E-mail clients: MS Outlook, MS Outlook Express and Microsoft and Verisign certificate authorities;
• The turnkey solution is the organization of a protected Logon in Windows 2000 / XP / 2003, including PKI Logon.

SHIPKA series PCDSTs

SHIPKA PCDST is a specialized mobile device that allows you to reliably perform cryptographic transformations and store keys.

The family includes USB devices (realizing that the market for ICPM today has a wide selection of only cheap means - analog smart cards, we developed modifications with significantly different indicators): SHIPKA-1.5, SHIPKA-1.6 and SHIPKA-1.7, and also devices in CF Type II, PC CARD Type II, ExpressCard 34 and SHIPKA-Module devices.

The cryptographic functionality of all these devices is the same - encryption, EDS, hash function, key generation, long-term storage of keys and certificates. The implementation of cryptographic operations in all cases hardware (in relation to the PC). For storage of key information in all devices there is a non-volatile protected memory of 4 Kbytes located directly in the processor. All devices are equipped with an additional non-volatile memory type DataFlash with a file system similar to ISO / IEC 7816; incorporate hardware DSCh. All modifications of the SHIPKA PCDST work under the Win32 family of operating systems, having program interfaces for this - Microsoft CryptoAPI Crypto-Provider, PKCS # 11 API library.

In all devices of the SHIPKA family, all Russian cryptographic algorithms are implemented. They also implemented the ability to support foreign cryptographic algorithms. The set of foreign algorithms for all devices is the same: Encryption: RC2, DES, DESX, TripleDES; Hashing: MD5, SHA-1; EDS: RSA (SHIPKA-1.5 - 512-bit, the rest - 2048-bit), DSA (SHIPKA-1.5 - 1024-bit, the rest - 2048-bit). All devices are fully reprogrammable - firmware can be updated directly by the user. This makes it possible to expand its functionality and create individual solutions for various tasks of the customer, since in a number of cases an exclusive solution is much more preferable than the standard one.

Personal means of cryptographic data protection SHIPKA-1.7 Features:

• CPU clock speed: 16 MHz
• 1-2 measures per team (most - 1)
• command execution frequency: 14 MHz
• Program Memory: 128 KB
• RAM: 4 KB
• Built-in protected non-volatile memory: EEPROM 4 KB
• Means of increasing the performance of cryptographic transformations: A hardware cryptographic coprocessor
• File system support: ISO / IEC 7816 standard
• External memory: 1) Type Data Flash 2 MB (on request - up to 8 MB)

2) NAND-flash type - up to 1GB (encrypted disk (encryption according to GOST 28147-89)

• Duplex hardware random number generator
• High-speed USB Interface Controller
• Exchange rate for unidirectional functions - about 3 MB / s, for bidirectional - about 1.5 MB / s
• Hardware implementation of cryptographic algorithms:

In the presence of an encrypted disk - only - EDS + GOST encryption + GOST hash; If the disk is not set, it is also available - EDS + DES / TripleDES encryption + SHA-1 hash; - EDS + RC2 encryption + MD5 hash; Speeds: EDS according to GOST R 34.10-2001: - key generation - 30 ms, - EDS calculation - 40 ms, - EDS verification - 70 ms. Calculation of the hash function - about 3 MB / s, encryption - about 1.5 MB / s.

• Data exchange with own external memory: Using a hardware SPI interface controller.

Maximum speed: 1 MB / s, real - 500 KB / s without overhead Ability to update the firmware without additional equipment the user has, including the dynamic reprogramming of the cryptographic coprocessor.

CRPCON series З Прав

Cryptographic Data Protection Devices (CLBS) of the CRYPTON series are hardware encoders for IBM PC-compatible computers. The devices are used as part of the means and systems of cryptographic data protection to ensure information security (including protection with a high level of secrecy) in government and commercial structures.

CRYPTON - a series of hardware encoders for IBM PC-compatible computers, made in the form of an ISA and PCI expansion card for a personal computer with an i386 processor and above.

The software of CRYPTON devices allows: to encrypt computer information (files, groups of files and disk partitions), ensuring their confidentiality; implement electronic digital signature of files, checking their integrity and authorship; create transparently encrypted logical drives, making it as easy and convenient as possible to work with confidential information; create cryptographically protected virtual networks, encrypt IP traffic and provide secure access to network resources of mobile and remote users; create systems to protect information from unauthorized access and access control to a computer.

Main characteristics:

• encryption algorithm GOST 28147-89 ;
• the size of the encryption key is 256 bits (the number of possible key combinations is 1.158 * 10 ⁷⁷ );
• the number of key system levels is 3 (the master key is the user / network key is the session key);
• random number sensor - hardware (certified by an expert organization);
• the deviation of the distribution of the value of random numbers from the equiprobable distribution is no more than .0005;
• supported operating systems are MS-DOS, Windows 95 (98) / ME / NT 4.0 / 2000 / XP / 2003 UNIX (Solaris / Intel) (you can create original software drivers for device operation).

Crypton Emulator is a software emulator of cryptographic functions of the CRJPD series CCD in Windows 95/98 / Me / NT 4.0 / 2000 / XP / 2003, Solaris 2.x, 7, 8, Linux.

The emulator provides encryption according to the GOST 28147-89 algorithm, and in terms of the encryption functions, the emulator is fully compatible with the crypt system of the Krypton series. Thus, it is possible to replace the hardware cryptographic system "Krypton" with its software emulator without any changes to the software using the computer system "Crypton" or Crypton Emulator through the standard software interface Crypton API.

Application software designed for the end user and / or development tools — libraries designed to integrate encryption and / or electronic digital signature (EDS) functions into third-party developers — works with the encoder.

The Crypton API library is a necessary interface component and provides a software interface to cryptographic data protection devices (ACID) of the CRYPTON series for Win32 and DOS applications in DOS emulation mode in Windows 95/98 / NT 4.0 / 2000 / XP / 2003 operating environments. Solaris 2.x, 7, 8 (x86, Sparc). The use of various components and solutions allows you to solve problems, ranging from subscriber encryption and digital signature to IP traffic encryption. Allows you to protect information with a high security level, including information constituting state secrets.

eToken PRO

eToken PRO (Java) is a secure device designed for strong authentication, secure storage of secret data, performing cryptographic calculations and working with asymmetric keys and digital certificates.

• Smart Card Chip: Atmel AT90SC25672RCT
• Smart Card Operating System: Athena OS755, Java Virtual Machine (fully compatible with Sun Java Card standard)
• Supported interfaces and standards: PKCS # 11 version 2.01, Microsoft CryptoAPI, PC / SC, support for X.509 v3 standard certificates; SSL v3, IPSec / IKE; Microsoft CCID; eToken Minidriver
• Hardware implemented algorithms: RSA 1024/2048, DES, 3DES, SHA-1
• 72 KB secured memory on a smart card chip
• Models: USB key and smart card
• Ability to embed radio tags (RFID)
• Supported versions of eToken PKI Client: 4.55 and higher
• Supported eToken SDK Versions: 4.5 and up

Purpose

• Two-factor authentication of users of automated systems.
• Secure storage of user key information.
• Download and run custom applications (applets) on the device.

Opportunities

• Two-factor user authentication in systems built on the basis of PKI technology, in legacy applications, on workstations and in the network, in heterogeneous environments, with remote access to information resources. Several methods can be used to authenticate a user, including:
  • PKI-based authentication using X.509 digital certificates
  • authentication based on passwords, access codes and other data stored in protected device memory.
• Expansion of basic functionality by downloading additional applications (applets) developed in Java.
• Increased memory for secure storage of user data and user key information (72 KB).
• Work without installing additional drivers in the operating systems Windows Vista, Linux, Mac OS (drivers are included in the OS).
• Built-in radio tags (RFID tags) for use in access control systems.

IronKey

IronKey flash disk with transparent hardware data encryption. Designed to securely store sensitive data.

• Hardware implemented algorithms: RSA 2048, SHA 256, AES 256.
• Protected memory volume of 1-32GB, depending on the model.
• Self-destruction of encryption keys and data itself after 10 incorrect attempts to enter a password (the device is no longer operational).
• Additional functions to ensure the safety of the user (password manager, anonymous encrypted Internet access, virtual keyboard, utility to create and restore encrypted backups, etc.)

1. Igor Lukashov “Cryptography? Iron! "
2. S.P. Panasenko, V.V. Rakitin "Hardware Encoders"