Using encryption in Russian companies

    Introduction


    A little over two decades ago, cryptography in Russia was kept at roughly the same level of secrecy as weapons production technology: its practical application was confined to the military and the special services, that is, it was entirely under state control. No publications or scientific papers on the subject could be found in the public domain; cryptography was a closed topic.

    The situation began to change only in 1990, when the encryption standard GOST 28147-89 was introduced. Initially the algorithm carried a "For official use" (DSP) restriction stamp, and it officially became fully open only in 1994.

    It is difficult to say exactly when the information breakthrough in Russian cryptography took place. Most likely it happened when the Internet became available to the general public, after which numerous descriptions of cryptographic algorithms and protocols, articles on cryptanalysis and other encryption-related material began to appear online.

    Under these circumstances cryptography could no longer remain the prerogative of the state alone. In addition, the development of information and communication technology made the use of cryptographic protection a necessity for commercial companies and organizations.



    Today, cryptographic information protection facilities (CIPF) include: means of encryption, means of imitation protection (message authentication), means of electronic digital signature, means of encoding, means of producing key documents, and the key documents themselves. [4, p. 2-3.]

    The rest of the article discusses the practical applications that encryption and CIPF currently find in Russian companies and organizations. The following areas are considered:

    • protection of personal data information systems;
    • protection of company confidential information;
    • corporate email encryption;
    • creation and verification of digital signatures.

    The use of cryptography and cryptographic protection in Russian companies


    1. Introduction of CIPF into personal data protection systems

    The activity of almost any Russian company today involves the storage and processing of personal data (PD) of various categories, for the protection of which the legislation of the Russian Federation sets out a number of requirements [1]. To meet them, the company's management first of all has to build a model of threats to personal data and, on its basis, develop a personal data protection system, which should include a cryptographic information protection facility. [2, p. 1.]

    The following requirements are placed on the CIPF used within a personal data protection system:

    • The cryptographic tool must operate correctly in conjunction with the hardware and software that can affect the fulfilment of the requirements placed on it. [3, p. 15.]
    • To ensure the security of personal data during processing, CIPF certified in the FSB of Russia certification system must be used. [3, p. 15.]

    Depending on the level of protection it provides, a cryptographic tool is assigned to one of six classes (KS1, KS2, KS3, KV1, KV2, KA1). Which class of CIPF is introduced into a protection system is determined by the category of intruder (the subject of the attack) that the operator defines in the threat model.

    Thus, CIPF are today effectively used by companies and organizations to protect the personal data of Russian citizens and are one of the most important components of personal data protection systems.

    2. Protection of corporate information

    Whereas in section 1 the use of cryptographic tools is driven primarily by the requirements of Russian legislation, here the company's own management is interested in applying CIPF. Using an encryption tool, the company can protect its corporate information: trade secrets, intellectual property, operational and technical information, and so on.

    Today, for effective use in a corporate environment, an encryption program must provide:

    • data encryption on a remote server;
    • support for asymmetric cryptography;
    • transparent encryption;
    • encryption of network folders;
    • the ability to differentiate access rights to confidential information between company employees;
    • the ability to store private keys on external storage media (tokens).

    So the second application of CIPF is the protection of a company's confidential information. An encryption tool that supports the features above can provide fairly reliable protection, but it should certainly be used as part of an integrated approach to information security. This approach additionally implies the use of firewalls and antivirus software, and also includes developing an information security threat model, drawing up the necessary security policies, appointing those responsible for information security, electronic document management, control and monitoring of employees, and so on.

    3. Electronic signature

    An electronic signature (ES) today is a full-fledged analogue of a handwritten signature and can be used by legal entities and individuals to give legal force to a digital document. The use of electronic documents in electronic document management systems significantly speeds up the conclusion of commercial transactions, reduces the volume of paper accounting documents and saves employees' time. In addition, ES reduces the enterprise's expenses on concluding contracts, drawing up payment documents, obtaining various certificates from government agencies, and much more.

    Cryptographic protection tools, as a rule, include functions for creating and verifying electronic signatures. Russian legislation places the following requirements on such tools [5, p. 3.]:

    When creating an ES, they must:
    • show the person signing the electronic document the content of the information being signed;
    • create the electronic signature only after the signer has confirmed the operation of creating it;
    • unambiguously show that the electronic signature has been created.

    When verifying an ES, they must:
    • show the content of the electronic document signed with the electronic signature;
    • show information about changes made to the signed electronic document;
    • indicate the person whose electronic signature key was used to sign the electronic document.
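    The six requirements above map directly onto the interface of a signing tool. The following Go program is an added example written for this article; it is not code from CyberSafe, CryptoPro CSP or any certified CIPF. Go's standard library has no GOST implementation, so ECDSA over P-256 with SHA-256 stands in for GOST R 34.10-2012 (both are elliptic-curve schemes with the same sign/verify shape). The `Directory` type, the `confirmed` flag and the employee names are constructed for the example and stand in for the public key server and the signer's confirmation dialogue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
)

// SignedDocument is what the signing tool hands back: the content that was shown to
// the signer, an identifier of the signing key, and the signature itself.
type SignedDocument struct {
	Content   []byte
	SignerKID string // hex SHA-256 of the DER-encoded public key
	Signature []byte // ASN.1 DER ECDSA signature over SHA-256(Content)
}

// Signer is an employee's signing key. A certified CIPF keeps the private key in a
// key container (registry or token); in this example it simply lives in memory.
type Signer struct {
	Name string
	key  *ecdsa.PrivateKey
}

func NewSigner(name string) (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, key: key}, nil
}

// KeyID derives a stable identifier from a public key.
func KeyID(pub *ecdsa.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err) // cannot happen for a well-formed P-256 key
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// Sign models the creation-time requirements: the caller has shown `content` to the
// signer, `confirmed` is the signer's explicit confirmation of the operation, and the
// result (a document or an error) states unambiguously whether a signature was made.
func (s *Signer) Sign(content []byte, confirmed bool) (*SignedDocument, error) {
	if !confirmed {
		return nil, errors.New("signature not created: the signer did not confirm the operation")
	}
	digest := sha256.Sum256(content)
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedDocument{Content: content, SignerKID: KeyID(&s.key.PublicKey), Signature: sig}, nil
}

// Entry is a published public key; Directory stands in for the public key server
// from which colleagues download each other's keys (constructed for this example).
type Entry struct {
	Name string
	Pub  *ecdsa.PublicKey
}
type Directory map[string]Entry

func (d Directory) Register(s *Signer) {
	d[KeyID(&s.key.PublicKey)] = Entry{Name: s.Name, Pub: &s.key.PublicKey}
}

// VerifyResult carries what the verification-time requirements say must be shown:
// the signed content, who signed it, and whether it was changed after signing.
type VerifyResult struct {
	Content []byte
	Signer  string // empty if the signing key is not in the directory
	Valid   bool
	Finding string
}

func (d Directory) Verify(doc *SignedDocument) VerifyResult {
	res := VerifyResult{Content: doc.Content}
	e, ok := d[doc.SignerKID]
	if !ok {
		res.Finding = "signing key " + doc.SignerKID + " is not registered; signer cannot be identified"
		return res
	}
	res.Signer = e.Name
	digest := sha256.Sum256(doc.Content)
	res.Valid = ecdsa.VerifyASN1(e.Pub, digest[:], doc.Signature)
	if res.Valid {
		res.Finding = "signature valid; the document is unchanged since signing by " + e.Name
	} else {
		res.Finding = "signature invalid: the document was modified after signing or the signature is forged"
	}
	return res
}
```

    Note that "show information about changes" is satisfied indirectly: a signature over the hash of the content cannot say what was changed, only that the content no longer matches what was signed, which is why `Verify` reports modification and forgery as one finding. Identifying the signer depends entirely on the directory (or, in a real deployment, the certificate and the CA behind it); a valid signature from an unregistered key proves nothing about who made it.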

    4. Email Encryption

    For most companies email is the primary means of communication between employees. It is no secret that a huge amount of confidential information is sent by corporate email today: contracts, invoices, information about the company's products and pricing policy, financial indicators, and so on. If such information becomes available to competitors, it can cause significant damage to the company, up to the termination of its activities.

    Therefore the protection of corporate mail is an extremely important component of a company's information security, and it too can be implemented using cryptography and encryption tools.

    Most email clients, such as Outlook, Thunderbird, The Bat! and others, allow you to configure the exchange of encrypted messages based on public key certificates (X.509 format) and private key containers (PKCS #12 format) created with a CIPF.

    It is also worth mentioning the ability of cryptographic tools to operate as certification authorities (CAs). The main purpose of a CA is to issue key certificates and confirm the authenticity of public keys. In accordance with Russian law, CA tools are divided into classes (KS1, KS2, KS3, KV1, KV2, KA1), each with its own set of requirements [5]. At the same time, the class of CIPF used in CA tools must not be lower than the corresponding class of the CA tools [5, p. 14.].
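    Both the access-rights differentiation of section 2 and the certificate-based message encryption of this section rest on the same mechanism: the document is encrypted once with a random session key, and that session key is wrapped separately for each recipient's X.509 certificate, so whoever holds no wrapped copy cannot read it. The Go program below is an added illustration of that mechanism, not code from any email client, CyberSafe or CryptoPro. RSA-OAEP and AES-256-GCM from the Go standard library stand in for GOST 28147-89, which the standard library does not provide; the certificates are self-signed (a company CA would issue them), there is no PKCS #12 container or token, and the employee names are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewKeyAndCert makes an RSA key and a self-signed X.509 certificate for it (demo only).
func NewKeyAndCert(name string) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // a real CA issues unique random serials
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return key, cert, nil
}

func CertID(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) // SHA-256 fingerprint of the DER certificate
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Envelope: one AES-256-GCM ciphertext plus the session key wrapped (RSA-OAEP) per recipient.
type Envelope struct {
	Nonce       []byte
	Ciphertext  []byte
	WrappedKeys map[string][]byte // CertID -> wrapped session key
}

// Encrypt seals plaintext for the listed certificates; a certificate not listed gets no key at all.
func Encrypt(plaintext []byte, recipients ...*x509.Certificate) (*Envelope, error) {
	buf := make([]byte, 32+12) // 256-bit session key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	sessionKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), WrappedKeys: map[string][]byte{}}
	for _, c := range recipients {
		pub, ok := c.PublicKey.(*rsa.PublicKey)
		if !ok {
			return nil, fmt.Errorf("certificate of %q has no RSA key", c.Subject.CommonName)
		}
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[CertID(c)] = wrapped
	}
	return env, nil
}

// Decrypt opens the envelope with the holder's private key, or explains why it cannot.
func Decrypt(env *Envelope, key *rsa.PrivateKey, cert *x509.Certificate) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[CertID(cert)]
	if !ok {
		return nil, fmt.Errorf("access denied: not encrypted for %s", cert.Subject.CommonName)
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, key, wrapped, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // fails if the ciphertext was altered
}
```

    Two practical points follow from the structure. Access is granted at encryption time, so revoking an employee's access to an already encrypted file means re-encrypting it without their certificate, not merely deleting their key; and because the GCM tag covers the ciphertext, an authorised reader still gets an error if the stored file or the email body was altered in transit.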

    Using CyberSafe Enterprise


    When developing the CyberSafe Enterprise program, we tried to take all of the features above into account and include them in the program's feature set. It supports the functions listed in section 2 of this article, email encryption, creation and verification of digital signatures, and operation as a certification authority.

    The public key server built into CyberSafe lets companies organize convenient key exchange between employees: each of them can publish their own public key and download the public keys of other users.

    Below we dwell in more detail on the possibility of introducing CyberSafe Enterprise into personal data protection systems. This possibility exists thanks to support for the CryptoPro CSP cryptographic service provider, certified by the Federal Security Service of the Russian Federation as a CIPF of classes KS1, KS2 and KS3 (depending on the version), and is provided for by clause 5.1 of the "Methodological recommendations for ensuring the security of personal data using cryptographic means":
    "Embedding of CIPF of classes KS1 and KS2 is carried out without control by the FSB of Russia (unless such control is provided for by the terms of reference for the development (modernization) of the information system)."

    Thus, with the integrated CryptoPro CSP CIPF, the CyberSafe Enterprise program can be used in personal data protection systems of classes KS1 and KS2.

    After CryptoPro CSP is installed on the user's computer, a CryptoPro certificate can be created when creating a certificate in CyberSafe Enterprise:



    Next, select the storage location of the CryptoPro private key container and set a password for the container. The operating system registry or removable media (a token) can be used for storage:





    Once the CyberSafe certificate has been created, the CryptoPro keys are created as well, shown in your keyring and available for use:



    If you need to export the CryptoPro keys to a separate file, this can be done through the standard CyberSafe key export function:



    If you want to encrypt files for transfer to other users (or sign them with your digital signature) using CryptoPro keys, select CryptoPro from the list of available cryptographic providers:



    If you want to use CryptoPro keys for transparent file encryption, you should likewise specify CryptoPro as the cryptographic provider in the certificate selection window:



    In CyberSafe, CryptoPro and the GOST algorithm can also be used to encrypt logical disks / partitions and to create virtual encrypted disks:





    Email encryption can also be configured on the basis of CryptoPro certificates. In CryptoPro CSP the algorithms for generating and verifying ES are implemented in accordance with the requirements of GOST R 34.10-2012, and the data encryption/decryption algorithm in accordance with the requirements of GOST 28147-89.

    Today CyberSafe is the only program that combines encryption of files, network folders, logical drives and email with the ability to operate as a certification authority, with support for the GOST 28147-89 and GOST R 34.10-2012 standards.

    Documents:

    1. Federal Law "On Personal Data" of July 27, 2006, No. 152-FZ.
    2. Regulation on ensuring the security of personal data during their processing in personal data information systems, approved by Decree of the Government of the Russian Federation of November 17, 2007, No. 781.
    3. Methodological recommendations on ensuring the security of personal data using cryptographic means during their processing in personal data information systems with the use of automation tools, approved by the management of the 8th Center of the FSB of Russia on February 21, 2008, No. 149/54-144.
    4. Regulation on the development, production, sale and operation of encryption (cryptographic) information protection facilities, approved by Order of the FSB of Russia of February 9, 2005, No. 66.
    5. Requirements for electronic signature means and Requirements for certification authority means, approved by Order of the FSB of Russia of December 27, 2011, No. 796.
