Clever Geek Handbook

Secure Media

A protected storage medium is a device for the secure storage of information that applies one of the encryption methods and offers the possibility of emergency data destruction.


Introduction

In certain cases, computer users need to protect the results of their work from unauthorized access. The traditional method of protection is encryption of the information. The essence of this method is as follows: at the end of the work, the user either encrypts the file(s) with one of the many encryption systems (GnuPG, TrueCrypt, PGP, etc.) or creates a password-protected archive. Both methods, provided certain requirements are met (such as using a password of sufficient length), can protect data reliably enough [1]. However, working with data in this way is quite inconvenient: after each session the user must ensure reliable destruction of the unencrypted copy of the confidential data, and to continue working with the protected data a new unencrypted copy has to be created.

An alternative to this method is to work on fully encrypted storage media. At the operating-system level, an encrypted medium is an ordinary logical drive. There are two main approaches to creating encrypted media: hardware-software and purely software.

Media Capabilities

Protected storage media make it possible to organize two-factor user authentication: to enter the system, the user must present both the storage device itself and a password or PIN code for it. The following uses of such media are distinguished:

  • User authentication in operating systems, directory services and networks (Microsoft, Linux, Unix and Novell operating systems).
  • Protecting computers from unauthorized booting.
  • Strong user authentication, access control and protection of data transmitted over the network for Web resources (online stores, e-commerce).
  • E-mail - generation of digital signatures and data encryption, access control, password protection.
  • Public key infrastructure (PKI) and certification authorities - storage of X.509 certificates, reliable and secure storage of key material, a significant reduction in the risk of private key compromise.
  • Organization of secure data transmission channels (VPN technology, the IPsec and SSL protocols) - user authentication, key generation, key exchange.
  • Electronic document management (workflow) systems - creation of legally significant secure document flow using electronic digital signatures and encryption (submission of tax reports, contracts and other commercial information via the Internet).
  • Business applications, databases and ERP systems - user authentication, storage of configuration information, digital signing and encryption of transmitted and stored data.
  • “Client-Bank” systems and electronic payments - ensuring the legal significance of completed transactions, strict mutual authentication and authorization of clients.
  • Cryptography - convenient use and safe storage of key material in certified cryptographic information protection tools (cryptographic providers and cryptographic libraries).
  • Terminal access and thin clients - user authentication, storage of session parameters and settings.
  • Drive encryption - differentiation and control of access to protected data, user authentication, storage of encryption keys.
  • Data encryption on disks - user authentication, encryption key generation, storage of key material.
  • Support for legacy applications, replacing password protection with more robust two-factor authentication.

Encryption Hardware

Encryption hardware is implemented either as specialized drives (IronKey, eToken NG-Flash and ruToken Flash media) or as specialized hard-drive access controllers (the KRIPTON data protection devices developed by ANKAD [2]).

Protected drives are ordinary flash drives on which data is encrypted directly as it is written, by a specialized controller. To access the information, the user must enter a personal password.

KRIPTON-type controllers are PCI expansion cards that provide transparent encryption of data written to the protected storage medium. There is also a software emulation of KRIPTON hardware encryption, Crypton Emulator.

Software Encryption Methods

Software encryption methods create protected media using software tools alone. There are several such methods: creating a protected file container, encrypting a hard disk partition, and encrypting the system partition of a hard disk.

When a protected medium is created as a file container, a specialized program creates a file of the specified size on disk. To start working with the protected medium, the user mounts it in the operating system; mounting is performed by the same program that created the medium. When mounting, the user enters a password (other means of user identification, such as key files or smart cards, are also possible). After mounting, a new logical drive appears in the operating system, and the user can work with it as with an ordinary (unencrypted) medium. When the session with the protected medium is finished, it is unmounted. Information is encrypted immediately as it is written to the medium, at the level of the operating-system driver, so without the password it is practically impossible to gain access to the protected contents of the medium [3].

When an entire hard disk partition is encrypted, the procedure is broadly similar. First a regular, unencrypted partition is created; then it is encrypted with one of the encryption tools. After encryption, the partition can be accessed only after it has been mounted. An unmounted encrypted partition looks like an unallocated area of the hard disk.

In the latest versions of encryption systems it has become possible to encrypt the system partition of the hard disk as well. The process is similar to encrypting an ordinary partition, except that the partition is mounted at computer start-up, before the operating system boots.

Some encryption systems can create hidden volumes inside a protected medium of any of the types listed above (file container, encrypted partition, encrypted system partition). To create a hidden volume, the user first creates a protected medium in the usual way, then creates another, hidden volume within it. To gain access to the hidden volume, the user must enter a password different from the one for the open (outer) volume; thus, by entering different passwords, the user works with either the open or the hidden volume of the protected medium. When a system partition is encrypted, it is also possible to create a hidden operating system: entering the password for the open volume boots one copy of the operating system, entering the password for the hidden volume boots the other. At the same time, the developers declare that it is not possible to detect the presence of a hidden volume inside an open container [4]. The creation of hidden containers is supported by a fairly large number of programs: TrueCrypt, PGP, BestCrypt, DiskCryptor, etc.
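As an added worked example (not code from the original article, nor from TrueCrypt, PGP or any other product it names), the Go program below models the file container and hidden volume mechanism described in the two preceding sections: a fresh master key per volume is sealed in a header slot under a password-derived key, every sector is encrypted as it is written, and everything else in the container is random, so unused space, outer data and hidden data are indistinguishable to anyone without a password. The layout, sizes, KDF parameters, password strings and function names are constructed for this example; the same sector-level scheme applied to a raw block device instead of a file is what an encrypted partition is. Go is used because AES-GCM, HMAC and a CSPRNG are all in its standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
)

// Constructed toy layout (not any real tool's on-disk format): two 128-byte header slots, then
// numSectors slots of 512 B ciphertext + 16 B tag; the hidden volume is the last hiddenSize sectors.
const (
	sectorSize = 512
	slotSize   = sectorSize + 16
	headerSize = 128
	numSectors = 64
	hiddenSize = 16
	kdfIters   = 20000 // deliberately low so the example runs quickly
)

type Container []byte
// Volume is a "mounted" view: a master key plus the slice of the data area it owns.
type Volume struct {
	aead cipher.AEAD
	data []byte // this volume's sectors, aliasing the container's memory
	base int    // absolute index of its first sector, used in nonces
}
// pbkdf2Sha256 is PBKDF2-HMAC-SHA256 for a single 32-byte output block (RFC 8018).
func pbkdf2Sha256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(append(salt[:len(salt):len(salt)], 0, 0, 0, 1)) // salt || INT(1), no aliasing
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		subtle.XORBytes(out, out, u)
	}
	return out
}

func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

func sectorNonce(n int) []byte { return binary.BigEndian.AppendUint64(make([]byte, 4), uint64(n)) }

// NewContainer randomizes everything, then seals a fresh master key per volume under its password,
// so unused space, outer data and hidden data all look alike without a password.
func NewContainer(outerPw, hiddenPw []byte) Container {
	c := make(Container, 2*headerSize+numSectors*slotSize)
	rand.Read(c)
	for idx, pw := range [][]byte{outerPw, hiddenPw} {
		slot := c[idx*headerSize : (idx+1)*headerSize] // salt | nonce | sealed key | random pad
		master := make([]byte, 32)
		rand.Read(master)
		kek := newGCM(pbkdf2Sha256(pw, slot[:16], kdfIters))
		kek.Seal(slot[28:28], slot[16:28], master, nil) // 32 B key + 16 B tag, written in place
	}
	return c
}

// Open tries both header slots (0 = outer, 1 = hidden); a wrong password unseals neither.
func (c Container) Open(password []byte) (*Volume, error) {
	data, start := c[2*headerSize:], [2]int{0, numSectors - hiddenSize}
	for idx := 0; idx < 2; idx++ {
		slot := c[idx*headerSize : (idx+1)*headerSize]
		kek := newGCM(pbkdf2Sha256(password, slot[:16], kdfIters))
		if master, err := kek.Open(nil, slot[16:28], slot[28:76], nil); err == nil {
			return &Volume{newGCM(master), data[start[idx]*slotSize:], start[idx]}, nil
		}
	}
	return nil, errors.New("no volume opens with this password")
}

// WriteSector encrypts one 512-byte sector in place, as a driver does on every write.
func (v *Volume) WriteSector(n int, plain []byte) error {
	if len(plain) != sectorSize || n < 0 || (n+1)*slotSize > len(v.data) {
		return errors.New("sector outside volume or not 512 bytes")
	}
	v.aead.Seal(v.data[n*slotSize:n*slotSize], sectorNonce(v.base+n), plain, nil)
	return nil
}

// ReadSector decrypts one sector; random filler or a clobbered sector fails to authenticate.
func (v *Volume) ReadSector(n int) ([]byte, error) {
	if n < 0 || (n+1)*slotSize > len(v.data) {
		return nil, errors.New("sector outside volume")
	}
	return v.aead.Open(nil, sectorNonce(v.base+n), v.data[n*slotSize:(n+1)*slotSize], nil)
}
```

A wrong password fails authentication in both header slots rather than producing garbage, and reading a never-written sector fails the same way, because random filler does not authenticate. The example also exposes the hazard that hidden volumes carry: the outer volume is given the whole data area and knows nothing about the hidden one, so writing through the outer volume into the tail of the container silently destroys hidden data (TrueCrypt-style tools offer a protection mode that takes both passwords when the outer volume is mounted). Two simplifications matter for anything beyond a demonstration: the KDF iteration count is far too low for real use, and GCM with the sector number as nonce is fine for a single write but rewriting a sector reuses the nonce, which is why disk encryption uses a tweakable mode such as XTS instead. The block has no main; exercise it from a test or a small wrapper by calling NewContainer, Open, WriteSector and ReadSector in that order.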

See also

  • Information Security
  • Hardware protection systems for information systems
  • Encryption

Notes

  1. According to research, guessing an 8-character password (Latin upper- and lower-case letters and digits) for the WinZIP 9+ archiver would take 31 days even with the use of a supercomputer (Ivan Golubev, “On the speed of password guessing on CPU and GPU”).
  2. Cryptographic data protection devices of the KRIPTON series.
  3. According to researchers Alex Biryukov and Johann Großschädl of the Laboratory of Algorithmics, Cryptology and Security at the University of Luxembourg, breaking the AES algorithm (often used to create protected containers) with a key length of 256 bytes would require more than one trillion dollars and a year.
  4. A team of researchers led by Bruce Schneier managed to detect hidden files in an encrypted partition created with TrueCrypt 5.0 (xakep.ru magazine, July 18, 2008).

Links

  • First AES practical hacking assessment: US$1.5 trillion and less than a year of computing
  • openPGP in Russia
Source - https://ru.wikipedia.org/w/index.php?title=Protected_information_media&oldid=94847224


Clever Geek | 2019