Cryptographic information protection facilities (CIPF; the Russian abbreviation is СКЗИ) are used to provide comprehensive protection of data transmitted over communication lines. This involves authorization of data and protection of the electronic signature, authentication of the communicating parties (for example with the TLS and IPsec protocols) and, where required, protection of the communication channel itself.

In Russia, the use of cryptographic information security tools is mostly classified, so there is little publicly available information on this topic.

Methods used in CIPF

  • Authorization of data and preservation of its legal significance in transit and in storage. Electronic signature generation and verification algorithms are used for this, with the GOST parameter sets registered in RFC 4357, together with certificates in the X.509 format.
  • Protection of data confidentiality and control of its integrity. Symmetric encryption and imitation protection (a message authentication code that counters data forgery) are used, as specified in GOST R 34.12-2015.
  • Protection of system and application software: detection of unauthorized changes or malfunctions.
  • Management of the most critical elements of the system in strict compliance with the adopted regulations.
  • Authentication of the parties exchanging data.
  • Connection protection using the TLS protocol.
  • Protection of IP connections using the IPsec protocols IKE, ESP and AH.

These methods are described in detail in RFC 4357 (additional GOST algorithms and parameter sets), RFC 4490 (GOST algorithms in CMS) and RFC 4491 (GOST keys and signatures in X.509 certificates and CRLs).

CIPF mechanisms for information protection

  1. The confidentiality of stored or transmitted information is protected by encryption algorithms.
  2. When a connection is established, the parties are identified by an electronic signature used during authentication, with X.509 certificates.
  3. Electronic document flow is likewise protected by electronic signatures, combined with protection against injection (imposition) of forged messages and against replay; the trustworthiness of the keys used to verify signatures is also checked.
  4. The integrity of information is ensured by a digital signature.
  5. Asymmetric cryptography helps protect data. Hash functions or imitation protection (MAC) algorithms can also be used to check data integrity; however, unlike a signature, a hash or MAC cannot establish the authorship of a document towards a third party, because a bare hash involves no secret at all and a MAC key is shared by both sides.
  6. Replay protection builds on the same cryptographic functions (signature, encryption or MAC): a unique identifier (nonce) is added to each network session, long enough that an accidental repetition is excluded, and the receiving party verifies it and rejects a message whose identifier it has already seen.
  7. Protection against injection, that is, against an outsider inserting messages into the communication, is provided by the electronic signature.
  8. Other protection, against software implants (backdoors), viruses, modification of the operating system, etc., is provided by various cryptographic tools, security protocols, anti-virus software and organizational measures.
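The nonce-and-MAC mechanism of item 6, as an added example that is not part of the original article. It uses HMAC-SHA256 from the Python standard library in place of the GOST imitation-protection algorithm the article refers to; the session key, the message layout (nonce, payload, tag) and the sample messages are constructed for this example.

```python
"""Message authentication (imitation protection) plus replay protection.

Added example, not code from the original page. HMAC-SHA256 stands in for the
GOST MAC; the key, framing and sample messages below are constructed.
"""
import hashlib
import hmac
import os

# Constructed session key shared by sender and receiver. In a real deployment
# it comes from the CIPF key system and is never hard-coded.
SESSION_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f" * 2)

NONCE_LEN = 16   # 128 bits: accidental repetition is negligible
MAC_LEN = 32     # HMAC-SHA256 output


def mac(key, nonce, payload):
    # The tag covers nonce and payload together, so neither can be changed or
    # re-paired with a different nonce without the key.
    return hmac.new(key, nonce + payload, hashlib.sha256).digest()


def protect(key, payload, nonce=None):
    """Sender side: prepend a fresh random session identifier, append the tag."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    return nonce + payload + mac(key, nonce, payload)


class Receiver:
    """Receiver side: verifies the tag, then rejects any identifier seen before."""

    def __init__(self, key):
        self.key = key
        self.seen = set()

    def accept(self, message):
        """Return (status, payload); status is 'ok', 'bad_mac' or 'replay'."""
        if len(message) < NONCE_LEN + MAC_LEN:
            return "bad_mac", None
        nonce = message[:NONCE_LEN]
        payload = message[NONCE_LEN:-MAC_LEN]
        tag = message[-MAC_LEN:]
        # Verify first, in constant time: a forged message must never be able
        # to consume a nonce or leak anything through comparison timing.
        if not hmac.compare_digest(tag, mac(self.key, nonce, payload)):
            return "bad_mac", None
        if nonce in self.seen:
            return "replay", None
        self.seen.add(nonce)
        return "ok", payload


def demo():
    """Genuine message, its replay, a tampered copy and a nonce-spliced copy."""
    rx = Receiver(SESSION_KEY)
    msg = protect(SESSION_KEY, b"transfer 100 to account 42")
    results = [rx.accept(msg)[0]]                   # 'ok'
    results.append(rx.accept(msg)[0])               # 'replay'
    tampered = bytearray(msg)
    tampered[NONCE_LEN] ^= 0x01                     # flip one payload bit
    results.append(rx.accept(bytes(tampered))[0])   # 'bad_mac'
    # Re-attaching the old payload and tag to a new nonce also fails, because
    # the tag was computed over the original nonce.
    spliced = os.urandom(NONCE_LEN) + msg[NONCE_LEN:]
    results.append(rx.accept(spliced)[0])           # 'bad_mac'
    return results


if __name__ == "__main__":
    print(demo())
```

In production the set of seen identifiers has to be bounded (a sliding window, per-session counters or expiry); the order of checks matters, since recording the identifier before the tag is verified would let a forger exhaust or poison the nonce store.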

As you can see, electronic signature algorithms are a fundamental part of the means of cryptographic information protection. They will be discussed below.

Requirements when using CIPF

CIPF are intended to protect open (public) data in general-purpose information systems by verifying electronic signatures, and to ensure the confidentiality and integrity of data in corporate networks (signature verification, imitation protection, encryption, hash verification).

A personal CIPF is used to protect the user's own personal data. Information constituting a state secret is a separate matter: the CIPF discussed here are certified for information that does not contain state secrets and by law may not be used to process it; state-secret information requires separately certified means.

Important: before installing a CIPF, the first step is to check the CIPF distribution package itself. Typically the integrity of the installation package is verified by comparing its checksum with the one received from the manufacturer. The reference checksum must reach you through a channel independent of the download (on the delivery documents, or in a list signed by the manufacturer); a checksum published next to the package protects only against accidental corruption, since an attacker who replaces the package can replace the checksum as well.
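One way to perform the package check described above, as an added example that is neither the page's nor any vendor's code. It assumes the manufacturer publishes a `sha256sum`-style list ("<hex digest>  <file name>" per line); the package bytes and the list are constructed here so the script runs offline.

```python
"""Verify a CIPF distribution package against a published checksum list.

Added example, not from the original page. The list format assumed is the
common `sha256sum` style; PACKAGE and CHECKSUMS are constructed samples.
"""
import hashlib
import hmac

CHUNK = 1 << 20  # hash in 1 MiB pieces so large installers need not fit in RAM


def parse_checksum_list(text):
    """Parse '<hex>  <name>' lines; blank lines and '#' comments are ignored."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # sha256sum marks binary mode with '*'
        expected[name] = digest.lower()
    return expected


def file_digest(data, algorithm="sha256"):
    """Hex digest of the package bytes, computed in chunks."""
    h = hashlib.new(algorithm)
    view = memoryview(data)
    for i in range(0, len(view), CHUNK):
        h.update(view[i:i + CHUNK])
    return h.hexdigest()


def verify_package(name, data, checksum_text, algorithm="sha256"):
    """Return 'ok', 'mismatch' or 'unlisted'.

    The comparison is constant-time; an unlisted file is reported separately
    so that a missing entry is never silently treated as a pass.
    """
    expected = parse_checksum_list(checksum_text)
    if name not in expected:
        return "unlisted"
    actual = file_digest(data, algorithm)
    return "ok" if hmac.compare_digest(actual, expected[name]) else "mismatch"


# Constructed sample: PACKAGE stands in for the installer image and CHECKSUMS
# imitates the list the manufacturer would publish for it.
PACKAGE = b"CIPF installer image, version 1.0 (constructed sample)\n"
CHECKSUMS = (
    "# published by the vendor\n"
    + hashlib.sha256(PACKAGE).hexdigest() + "  cipf-1.0.run\n"
    + "0" * 64 + "  other.run\n"
)


def demo():
    """Intact package, a package with one extra byte, and a file not in the list."""
    return (
        verify_package("cipf-1.0.run", PACKAGE, CHECKSUMS),
        verify_package("cipf-1.0.run", PACKAGE + b"x", CHECKSUMS),
        verify_package("missing.run", PACKAGE, CHECKSUMS),
    )


if __name__ == "__main__":
    print(demo())
```

A checksum says nothing about who built the package; that is what a manufacturer's signature over the package (or over the checksum list) adds, and why the list must not simply be fetched from the same place as the download.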

The threat level is then determined, and on that basis the type of CIPF required: software, hardware or hardware-software. Keep in mind that for some CIPF the physical location of the system also has to be taken into account.

Protection classes

According to Order No. 378 of the FSB of Russia of July 10, 2014, which regulates the use of cryptographic means for protecting personal data, six protection classes are defined: KS1, KS2, KS3, KV1, KV2 and KA1. The class required for a given system is determined from the intruder model, that is, from an assessment of the ways in which the system could be attacked. Protection is then built from software and hardware CIPF of that class.

Actual threats (AT), as the table shows, are of three types:

  1. Threats of the first type are associated with undeclared (undocumented) capabilities in the system software used in the information system.
  2. Threats of the second type are associated with undeclared capabilities in the application software used in the information system.
  3. Threats of the third type are all the rest.

Undeclared capabilities are functions and properties of software that are not described in the official documentation or do not match it; their use can increase the risk of a breach of the confidentiality or integrity of information.

For clarity, here are the intruder models that each class of CIPF is intended to counter:

  • KS1: the intruder acts from outside, without accomplices inside the system.
  • KS2: an insider who does not have access to the CIPF.
  • KS3: an insider who is a user of the CIPF.
  • KV1: an intruder who engages third-party resources, such as specialists in cryptographic information protection.
  • KV2: an intruder backed by an institute or laboratory working on the study and development of cryptographic information protection tools.
  • KA1: the intelligence services of states.

KS1 can therefore be called the basic protection class. The higher the class, the fewer organizations are able to provide it: in Russia, according to 2013 data, only six organizations held an FSB certificate allowing them to provide class KA1 protection.

Algorithms used

Consider the main algorithms used in cryptographic information protection tools:

  • GOST R 34.10-2001 and its successor GOST R 34.10-2012: algorithms for generating and verifying an electronic signature.
  • GOST R 34.11-94 and the newer GOST R 34.11-2012 (Streebog): hash functions.
  • GOST 28147-89 and the newer GOST R 34.12-2015 (the Magma and Kuznyechik block ciphers): data encryption and imitation protection (MAC) algorithms.
  • Additional cryptographic algorithms and parameter sets are given in RFC 4357.

Electronic signature

Cryptographic information protection cannot be imagined without electronic signature algorithms, which are becoming ever more widely used.

An electronic signature is an attribute attached to a document and produced by a cryptographic transformation of it. Its main task is to detect unauthorized changes and to establish authorship.

An electronic signature certificate is a separate document that attests, via the public key, that an electronic signature belongs to its owner. Certificates are issued by certification authorities.

The owner of an electronic signature certificate is the person in whose name the certificate is registered. Two keys are associated with it: a public and a private one. The private key is used to create the electronic signature; the public key verifies the signature's authenticity through its cryptographic relationship to the private key.

Types of electronic signature

According to Federal Law No. 63-FZ, electronic signatures are divided into three kinds:

  • simple electronic signature;
  • unqualified (enhanced unqualified) electronic signature;
  • qualified (enhanced qualified) electronic signature.

A simple ES is formed with passwords, codes or similar means that only indirectly confirm who signed.

An unqualified ES is created by cryptographic transformation of the data using a private key. It makes it possible to confirm who signed the document and to establish whether the data have been modified after signing.

A qualified ES differs from an unqualified one only in its regulatory status: it must be created with FSB-certified CIPF and its certificate must be issued by an accredited certification authority.

Scope of electronic signature

The table below discusses the scope of ES.

ES technologies are used most actively in document exchange. In internal document flow the ES serves to approve documents, that is, as a personal signature or seal. In external document flow the presence of an ES is critical, because it is the legal confirmation. Documents signed with an ES can also be stored indefinitely without losing legal significance to factors such as fading ink or damaged paper.

Reporting to regulatory authorities is another area in which electronic document flow is growing; many companies and organizations have already appreciated the convenience of working in this format.

Under the law of the Russian Federation every citizen may use an ES when dealing with public services (for example, to sign an electronic application to an authority).

Online trading is another area in which the electronic signature is actively used. It confirms that a real person is participating in the auction and that their bids can be treated as reliable; any contract concluded with the help of an ES also acquires legal force.

Electronic signature algorithms

  • RSA-based schemes such as Full Domain Hash (FDH) and the signature schemes of the Public Key Cryptography Standards (PKCS), a whole family of standards covering various situations (RSA signatures are specified in PKCS #1).
  • DSA and ECDSA, the US digital signature standards.
  • GOST R 34.10-2012, the standard for electronic signatures in the Russian Federation. It replaced GOST R 34.10-2001, which was officially withdrawn after December 31, 2017.
  • The Eurasian Economic Union member states use standards closely modelled on the Russian ones.
  • STB 34.101.45-2013, the Belarusian electronic digital signature standard.
  • DSTU 4145-2002, the Ukrainian electronic signature standard; and many others.
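The private-key/public-key split described in the "Electronic signature" section, instantiated as RSA Full Domain Hash (the FDH entry of the list above), as an added example that is not part of the original article. Key generation (Miller-Rabin), the hash-to-modulus mapping, the key size, the seed and the sample document are all assumptions made here for illustration; this is not GOST R 34.10-2012 and not a certified CIPF.

```python
"""RSA Full Domain Hash: sign with the private key, verify with the public one.

Added example, not from the original page. Key size, seed and the sample
document are constructed; the seeded RNG exists only to make the example
reproducible, real keys must come from a proper CSPRNG.
"""
import hashlib
import random


def is_probable_prime(n, rounds=32, rng=random):
    """Miller-Rabin primality test (trial division by small primes first)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_keypair(bits=1024, seed=None):
    """Return (public, private) = ((n, e), (n, d))."""
    rng = random.Random(seed)
    e = 65537

    def prime(b):
        while True:
            cand = rng.getrandbits(b) | (1 << (b - 1)) | 1  # full width, odd
            if is_probable_prime(cand, rng=rng):
                return cand

    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def full_domain_hash(message, n):
    """Map the message onto the whole range [0, n) by hashing with a counter
    (MGF1-style), so the value signed is as wide as the modulus."""
    nbytes = (n.bit_length() + 7) // 8
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(counter.to_bytes(4, "big") + message).digest()
        counter += 1
    return int.from_bytes(out[:nbytes], "big") % n


def sign(private_key, message):
    n, d = private_key
    return pow(full_domain_hash(message, n), d, n)


def verify(public_key, message, signature):
    n, e = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == full_domain_hash(message, n)


def demo():
    """Genuine document verifies; an amended document or altered signature does not."""
    public, private = generate_keypair(bits=1024, seed=2015)
    doc = b"Contract No. 17: deliver 100 units by 1 March"
    sig = sign(private, doc)
    return (
        verify(public, doc, sig),                    # True
        verify(public, doc + b" (amended)", sig),    # False: document changed
        verify(public, doc, (sig * 2) % public[0]),  # False: signature changed
    )


if __name__ == "__main__":
    print(demo())
```

A MAC over the same document would also catch the amendment, but only the signature lets a third party attribute the document to the holder of the private key, because verification needs nothing beyond the public key carried in the certificate.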

Signature schemes also differ in purpose and use:

  • group electronic signature;
  • one-time digital signature;
  • trusted ES;
  • qualified and unqualified signature, etc.

In this article you will learn what CIPF is and why it is needed. The term belongs to cryptography, the discipline of protecting and storing data. Information in electronic form can be protected by any means, even by disconnecting the computer from the network and posting armed guards with dogs next to it, but it is far easier to do with cryptographic protection tools. Let us see what they are and how they are implemented in practice.

Key Goals of Cryptography

The abbreviation CIPF expands to "cryptographic information protection facility". Cryptography assumes that the transmission channel may be fully accessible to an attacker; because the data is encrypted, the attacker cannot obtain the information despite the openness of the channel. Security rests on the secrecy of the key, not of the channel.

Modern CIPF are software-hardware complexes that protect information with respect to the key properties considered below.

Confidentiality

Information cannot be read without the right to access it. What is a CIPF and how does it encrypt data? The central component of the system is the cryptographic key, a secret string of bits (stored on a key medium or derived from a password). Only with this key can the protected data be decrypted.

Integrity and Authentication

This property determines whether unauthorized modification of data is possible: without the key, an attacker cannot produce data that passes the integrity check, so any edit or deletion of protected content is detected (encryption by itself does not stop ciphertext from being destroyed; integrity control reveals it).

Authentication is the procedure of verifying the authenticity of a party, or of the information recorded on the key medium. The key must correspond to the machine on which the information is decrypted.

Authorship

This is confirmation of a user's actions and the impossibility of denying them (non-repudiation). The most common form is the EDS (electronic digital signature), which consists of two algorithms: one creates the signature and the other verifies it.

Note that the certificates binding public keys to their owners are issued by independent certification authorities. That is why authorship cannot be forged without the signer's private key.

Basic data encryption algorithms

Many CIPF certificates have now been issued; both symmetric and asymmetric keys are used for encryption, and key lengths are sufficient to provide the required cryptographic strength.

The most popular algorithms used in crypto protection:

  1. Symmetric key: DES, AES, RC4, and the Russian GOST 28147-89 (DES and RC4 are obsolete and are not considered secure today).
  2. Hash functions: for example SHA-1/SHA-2, MD4/MD5/MD6, GOST R 34.11-94 (MD4, MD5 and SHA-1 are no longer collision-resistant).
  3. Asymmetric key: RSA.

Many countries have their own encryption standards. In the United States, for example, AES is used, with a key length of 128, 192 or 256 bits.

The Russian Federation has its own algorithms, GOST R 34.10-2001 (signature) and GOST 28147-89 (encryption, 256-bit key). Note that some elements of national cryptographic systems are prohibited from export to other countries, and all activity related to the development of CIPF requires a license.

Hardware crypto protection

An example is the CIPF unit of a digital tachograph, which gives the information stored in the device maximum protection, implemented at both software and hardware levels.

Hardware CIPF are devices containing special firmware that provides strong data encryption; they are also used to store, record and transmit information.

The encryption device may be a cipher module attached through a USB port; there are also boards installed inside a PC, and even specialized switches and network cards with built-in crypto protection can be used for working with data.

Hardware CIPF are quick to install and can exchange information at high speed. Their disadvantages are the rather high cost and the limited possibility of upgrading.

Software crypto protection

This is a set of programs for encrypting information stored on various media (flash drives, hard disks, optical discs, etc.). With a license for this type of CIPF, data can also be encrypted in transit over the Internet (for example in e-mail or chat).

There are many protection programs, including free ones such as DiskCryptor. Software CIPF also include virtual private networks, the well-known VPNs, which allow information to be exchanged "over the Internet", and HTTPS, that is, HTTP protected by TLS (formerly SSL).

Software CIPF are mostly used for work on the Internet and on home PCs, in other words only where there are no serious requirements for the stability and functionality of the system.

Hardware-software type of cryptoprotection

Now you know what CIPF are, how they work and where they are used. One more type must be singled out: hardware-software CIPF, which combine the best properties of the other two. This is by far the most reliable and secure way of processing information. The user can be identified in different ways: by hardware (inserting a flash drive or floppy disk) or by the standard method (entering a login/password pair).

Hardware-software systems support the encryption algorithms in current use. Note that a CIPF should be installed only by qualified staff of the developer of the complex, and that it should not be installed on computers that do not process confidential information.

Cryptographic information protection is protection of information by means of its cryptographic transformation.

Cryptographic methods are now fundamental to reliable authentication of the parties to an information exchange and to the protection of the information itself.

Cryptographic information protection facilities (CIPF) comprise hardware, firmware and software that implement cryptographic algorithms for transforming information in order to:

  • protect information during its processing, storage and transmission;
  • ensure the reliability and integrity of information (including with digital signature algorithms) during its processing, storage and transmission;
  • generate the information used to identify and authenticate subjects, users and devices;
  • generate the information used to protect the authenticating elements of a secure automated system (AS) during their generation, storage, processing and transmission.

Cryptographic methods include encryption and coding of information. There are two main encryption methods, symmetric and asymmetric. In the first, the same key (which is kept secret) is used both to encrypt and to decrypt the data.

Very efficient (fast and strong) symmetric encryption methods have been developed, and there is a national standard for them: GOST 28147-89 "Information processing systems. Cryptographic protection. Cryptographic transformation algorithm".

Asymmetric methods use two keys. One of them, the public key (it can be published along with other open information about the user), is used for encryption; the other, the private key (known only to the recipient), is used for decryption. The most popular asymmetric method is RSA, which is based on operations with very large prime numbers and their products (the "100-digit" primes often cited are a historical figure; current RSA keys are at least 2048 bits, i.e. primes of over 300 decimal digits each).

Cryptographic methods make it possible to reliably control the integrity both of individual portions of data and of their sets (such as a message stream), to establish the authenticity of a data source, and to guarantee that actions taken cannot be denied ("non-repudiation").

Cryptographic integrity control is based on two concepts:

  • Hash function.
  • Electronic signature (ES).

A hash function is a one-way (hard to invert) and collision-resistant transformation of data. Historically it was implemented with symmetric encryption and block chaining: the result of encrypting the last block, which depends on all the previous ones, is the hash value (GOST R 34.11-94 was built this way on GOST 28147-89). Modern hash functions such as GOST R 34.11-2012 (Streebog) are dedicated constructions.

Cryptography as a means of protecting (closing) information is becoming increasingly important in commercial activities.


Various cryptographic means are used to transform information: means of encrypting documents, including portable ones; means of encrypting speech (telephone and radio conversations); and means of encrypting telegraph messages and data transmission.

To protect trade secrets, various technical devices and sets of professional equipment for encryption and crypto protection of telephone and radio communications, business correspondence, etc. are offered on the international and domestic markets.

Scramblers and maskers, which replace the speech signal with a digital data stream, are widely used. Protection means are produced for teletypes, telexes and faxes. For these purposes encoders are used, made as separate devices, as attachments to devices, or built into telephones, fax modems and other communication equipment (radio stations and others). The electronic digital signature is widely used to ensure the reliability of transmitted electronic messages.

Means of cryptographic information protection (CIPF)

"... Means of cryptographic information protection (CIPF) - hardware and (or) software certified in the manner prescribed by the legislation of the Russian Federation that provide encryption, integrity control and the use of EDS in the exchange of electronic documents;..."

Source:

"Methodological recommendations for the provision of organizations engaged in the production and (or) turnover (with the exception of imports and retail sales) of ethyl alcohol, alcoholic and alcohol-containing products on the territory of the Russian Federation, software tools of a unified state automated information system for recording the volume of production and turnover of ethyl alcohol, alcoholic and alcohol-containing products and their installation in technical means for recording and transmitting information on the volume of production and turnover of ethyl alcohol, alcoholic and alcohol-containing products into a unified state automated information system for recording the volume of production and turnover ethyl alcohol, alcoholic and alcohol-containing products" (approved by Rosalkogolregulirovanie)

"... Means of cryptographic information protection (CIPF) - a set of software and hardware that implement cryptographic transformations of the source information and the function of generating and verifying an electronic digital signature..."

Source:

Resolution of the Board of the Pension Fund of the Russian Federation of January 26, 2001 N 15 "On the introduction of cryptographic information protection and electronic digital signature in the system of the Pension Fund of the Russian Federation" (together with the "Regulations for the registration and connection of legal entities and individuals to the electronic document management system of the Pension Fund of the Russian Federation")


Official terminology. Akademik.ru. 2012.


1.1. This Policy on the use of cryptographic information protection tools (hereinafter the Policy) defines the procedure for organizing and ensuring the operation of encryption (cryptographic) means intended to protect information that does not constitute a state secret (hereinafter CIPF, crypto-means) when they are used to ensure the security of confidential information and personal data during their processing in information systems.

1.2. This Policy has been developed pursuant to:

  • the Federal Law "On Personal Data" and the regulatory acts of the Government of the Russian Federation on personal data security;
  • Federal Law No. 63-FZ "On Electronic Signature";
  • Order No. 378 of the FSB of the Russian Federation "On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems using cryptographic information protection tools necessary to fulfil the requirements established by the Government of the Russian Federation for the protection of personal data for each of the security levels";
  • FAPSI Order No. 152 "On approval of the Instruction on organizing and ensuring the security of storage, processing and transmission over communication channels, using cryptographic protection, of restricted-access information that does not constitute a state secret";
  • Order No. 66 of the Federal Security Service of the Russian Federation "On approval of the Regulation on the development, production, sale and operation of encryption (cryptographic) means of information protection (Regulation PKZ-2005)".

1.3. This Policy applies to crypto-means intended to ensure the security of confidential information and personal data during their processing in information systems.

1.4. Cryptographic information protection tools (hereinafter CIPF) that implement encryption and electronic signature functions are used to protect electronic documents transmitted over public communication channels, for example the public Internet or dial-up channels.

1.5. To ensure security, the CIPF used must:

  • allow integration into the technological processes for handling electronic messages and interact with application software at the level of requests for cryptographic transformations and return of results;
  • be supplied by the developer with a complete set of operational documentation, including a description of the key system, the rules for working with it, and the rationale for the required organizational and staffing measures;
  • support continuous logging of CIPF operation and integrity control of the software of the CIPF operating environment, that is, the set of hardware and software together with which the CIPF normally operates and which can affect the fulfilment of the requirements imposed on the CIPF;
  • be certified by the authorized state body or have a permit from the FSB of Russia.

1.6. CIPF used to protect personal data must be of class KS2 or higher.

1.7. CIPF are implemented on the basis of algorithms that comply with the national standards of the Russian Federation and with the terms of the contract with the counterparty.

1.8. CIPF, licenses, the associated key documents and CIPF instructions are acquired by the organization on its own or obtained from the third-party organization that initiates the secure document flow.

1.9. CIPF, including installation media, key documents, and CIPF descriptions and instructions, constitute a trade secret in accordance with the Regulations on Confidential Information.

  2. The procedure for using CIPF

2.1. Installation and configuration of CIPF are carried out in accordance with the operational documentation and the instructions of the FSB of Russia and of the other organizations participating in the secure electronic document flow. On completion of installation and configuration, the readiness of the CIPF for use is checked, a conclusion on the possibility of operating it is drawn up, and the CIPF is put into operation.

Placement and installation of CIPF, and of other equipment operating together with crypto-means, in sensitive premises must minimize the possibility of uncontrolled access by unauthorized persons to these means. Maintenance of such equipment and replacement of crypto keys are carried out in the absence of persons not admitted to work with CIPF data. Organizational and technical measures must be provided that rule out the use of CIPF by unauthorized persons. The physical location of the CIPF must ensure its security and prevent unauthorized access to it. Access to the premises where protective equipment is located is restricted to what is needed for service and is defined by a list approved by the director.

Embedding of crypto-means of classes KS1 and KS2 is carried out without control by the FSB of Russia (unless such control is required by the terms of reference for the development or modernization of the information system).

Embedding of crypto-means of classes KS3, KV1, KV2 and KA1 is carried out only under the control of the FSB of Russia.

Embedding of crypto-means of class KS1, KS2 or KS3 may be carried out either by the user of the crypto-means, if it holds the appropriate FSB of Russia license, or by an organization holding such a license.

Embedding of crypto-means of class KV1, KV2 or KA1 is carried out by an organization holding the appropriate FSB of Russia license.

Decommissioning of CIPF is carried out with procedures that guarantee the removal, from non-volatile memory and from external media, of information whose unauthorized use could damage the organization's business, and of the information used by the information protection tools (except for archives of electronic documents and records of electronic interaction whose keeping and retention for a set period are required by the relevant regulatory and/or contractual documents); it is documented by an act. CIPF are destroyed (disposed of) by decision of the owner of the crypto-means, with notification of the organization responsible for the item-by-item accounting of crypto-means.

CIPF scheduled for destruction (disposal) are first withdrawn from the hardware with which they operated. Crypto-means are considered withdrawn from the hardware once the procedure for removing the crypto-means software prescribed by the operational and technical documentation for the CIPF has been completed and they are fully disconnected from the hardware.

Units and parts of general-purpose hardware suitable for further use that are not specifically designed for hardware implementation of cryptographic algorithms or other cryptographic protection functions, as well as equipment that operates together with crypto-means (monitors, printers, scanners, keyboards, etc.), may be used without restriction after the CIPF have been destroyed. Information that may remain in the memory of such equipment (e.g. printers, scanners) must be securely erased.

2.2. The operation of CIPF is carried out by persons appointed by order of the director of the organization and trained to work with them. If there are two or more users of CIPF, the duties between them are distributed taking into account personal responsibility for the safety of crypto-means, key, operational and technical documentation, as well as for the assigned areas of work.

Users of cryptocurrencies are required to:

  • not disclose information to which they have been granted access, including information about the CIPF and other protection measures;
  • not disclose information about key documents;
  • not allow copies to be made of key documents;
  • not allow key documents to be output to the display (monitor) of a personal computer or to a printer;
  • not allow extraneous information to be recorded on the key carrier;
  • not allow key documents to be installed on other personal computers;
  • comply with the requirements for ensuring information security and the requirements for ensuring the security of the CIPF and their key documents;
  • report any attempts that have become known to them by unauthorized persons to obtain information about the cryptographic information protection tools in use or their key documents;
  • immediately report facts of loss or shortage of CIPF, their key documents, keys to premises, vaults, personal seals and any other facts that may lead to the disclosure of protected information;
  • hand over the CIPF, the operational and technical documentation for them and the key documents upon dismissal or removal from duties related to the use of cryptographic tools.

The security of information processing using CIPF is ensured by:

  • observance by users of confidentiality when handling information that is entrusted to them or becomes known to them at work, including information about the functioning and security procedures of the cryptographic information protection tools in use and their key documents;
  • exact fulfillment by CIPF users of the information security requirements;
  • reliable storage of the operational and technical documentation for the CIPF, key documents and restricted-distribution media;
  • timely detection of attempts by unauthorized persons to obtain protected information or information about the CIPF in use or their key documents;
  • taking immediate measures to prevent the disclosure of protected information, as well as its possible leakage, when facts of loss or shortage of CIPF, their key documents, certificates, passes, keys to premises, vaults, safes (metal cabinets), personal seals, etc. are revealed.

If it is necessary to transmit, via technical means of communication, restricted-access service messages relating to the organization and operation of the CIPF, such messages must be transmitted only using cryptographic means. The transfer of crypto keys via technical means of communication is not allowed, with the exception of specially organized systems with decentralized supply of crypto keys.

CIPF are subject to accounting using indices or conditional names and registration numbers. The list of indices, conditional names and registration numbers of cryptographic tools is determined by the Federal Security Service of the Russian Federation.

CIPF in use or in storage, the operational and technical documentation for them and key documents are subject to instance-by-instance accounting. The form of the CIPF Logbook is given in Appendix No. 1, and that of the Key Carriers Logbook in Appendix No. 2 to this Policy. Software CIPF are accounted for together with the hardware on which their regular operation takes place. If hardware or hardware-software cryptographic information protection means are connected to the system bus or to one of the internal hardware interfaces, such cryptographic tools are likewise accounted for together with the corresponding hardware.

The unit of instance-by-instance accounting of key documents is a reusable key carrier or a key notepad. If the same key carrier is repeatedly used to record crypto keys, it must be registered separately each time.

All received copies of cryptographic tools, the operational and technical documentation for them and key documents must be issued against receipt in the corresponding instance-by-instance register to users of cryptographic tools, who are personally responsible for their safety.

The transfer of cryptographic information protection tools, the operational and technical documentation for them and key documents is allowed only between users of cryptographic tools and (or) the responsible user of cryptographic tools, against receipt in the relevant instance-by-instance registers. Such transfer between users of cryptographic tools must be authorized.

CIPF installation media, operational and technical documentation and key documents are stored in individual-use cabinets (boxes, vaults) under conditions that exclude uncontrolled access to them as well as their unintentional destruction.

The hardware on which the CIPF regularly operate, as well as hardware and hardware-software CIPF, must be equipped with means to control their opening (sealed or stamped). The place of sealing (stamping) of cryptographic tools and hardware must be such that it can be inspected visually. Where technically feasible, while the users of cryptographic tools are absent, these tools must be disconnected from the communication line and placed in sealed vaults.

Changes to the CIPF software and to the technical documentation for the CIPF are made only on the basis of documented updates received from the CIPF manufacturer, with their checksums recorded.

The operation of the CIPF involves maintaining at least two backup copies of the software and one backup copy of the key carriers. Recovery of CIPF operation in emergency situations is carried out in accordance with the operational documentation.

2.3. Key documents are produced from the original key information by the responsible users of the CIPF using regular cryptographic tools, if such a possibility is provided for by the operational and technical documentation, and subject to a license from the Federal Security Service of Russia for the production of key documents for cryptographic tools.

Key documents may be delivered by courier (including departmental) mail or by specially designated responsible users of cryptographic tools and employees, subject to measures that exclude uncontrolled access to the key documents during delivery.

For dispatch, key documents must be placed in strong packaging that excludes the possibility of physical damage and external influence. The packaging indicates the responsible user for whom it is intended and is marked "Personally". The packages are sealed in such a way that the contents cannot be extracted without damaging the packaging and the seal impressions.

Prior to the initial dispatch (or return), the addressee is informed by a separate letter of a description of the packages being sent and of the seals with which they may be sealed.

A cover letter is prepared for the dispatch of key documents, indicating what is sent and in what quantity, the accounting numbers of the documents and, if necessary, the purpose and procedure for using the items sent. The cover letter is enclosed in one of the packages.

Received packages are opened only by the responsible user of cryptographic tools for whom they are intended. If the contents of a received package do not correspond to those specified in the cover letter, or the package itself and its seal do not match their description (impression), or the packaging is damaged so that free access to its contents is possible, the recipient draws up an act that is sent to the sender. Key documents received in such shipments may not be used until instructions are received from the sender.

If defective key documents or crypto keys are found, one copy of the defective item is returned to the manufacturer to determine the causes of the incident and prevent it in future, and the remaining copies are stored until further instructions are received from the manufacturer.

Receipt of key documents must be confirmed to the sender in accordance with the procedure indicated in the cover letter. The sender is obliged to control the delivery of the items to the addressees. If the appropriate confirmation has not been received from the addressee in due time, the sender must send a request and take measures to establish the location of the items.

An order for the production of the next key documents, their production and their distribution to the places of use for the timely replacement of the current key documents is made in advance. The instruction to bring the next key documents into force is given by the responsible user of cryptographic tools only after receiving confirmation that the next key documents have been received.

Unused or withdrawn key documents must be returned to the responsible user of cryptographic tools or, at his direction, destroyed on the spot.

Crypto keys (initial key information) may be destroyed either by physically destroying the key carrier on which they are located, or by erasing (destroying) the crypto keys (initial key information) without damaging the key carrier (so that it can be reused).

Crypto keys (initial key information) are erased according to the technology adopted for the corresponding reusable key media (floppy disks, compact disks (CD-ROM), Data Key, Smart Card, Touch Memory, etc.). The specific actions for erasing crypto keys (initial key information), as well as any restrictions on the further use of the corresponding reusable key media, are regulated by the operational and technical documentation for the relevant cryptographic information protection tools and by the instructions of the organization that recorded the crypto keys (initial key information).

Key carriers are destroyed by inflicting irreparable physical damage on them that excludes both their further use and the recovery of key information. The specific actions for destroying a particular type of key carrier are regulated by the operational and technical documentation for the relevant cryptographic information protection tools and by the instructions of the organization that recorded the crypto keys (initial key information).

Paper and other combustible key carriers are destroyed by burning or using any paper cutting machines.

Key documents are destroyed within the time limits specified in the operational and technical documentation for the relevant CIPF. The fact of destruction is recorded in the relevant instance-by-instance registers.

Destruction under an act is carried out by a commission of at least two people. The act specifies what is destroyed and in what quantity. At the end of the act a final entry is made (in figures and in words) on the number of items and copies of the key documents, CIPF installation media and operational and technical documentation destroyed. Corrections in the text of the act must be noted and certified by the signatures of all members of the commission who took part in the destruction. The destruction carried out is noted in the corresponding instance-by-instance registers.

Crypto keys suspected of being compromised, as well as other crypto keys operating in conjunction with them, must be immediately taken out of use, unless otherwise specified in the operational and technical documentation of the CIPF. In emergency cases, when there are no crypto keys to replace the compromised ones, it is allowed, by decision of the responsible user of cryptographic tools agreed with the operator, to use the compromised crypto keys. In this case the period of use of the compromised crypto keys should be as short as possible, and the information protected with them as little valuable as possible.

Users of cryptographic tools are required to report to the responsible user of cryptographic tools any violations that may lead to the compromise of crypto keys, their constituent parts, or data transmitted (stored) with their use.

Examination of reusable key media by unauthorized persons is not grounds to suspect compromise of the crypto keys if the possibility of copying them (reading, reproduction) is excluded.

In cases of shortage or non-presentation of key documents, or uncertainty about their location, the responsible user takes urgent measures to find them and to localize the consequences of the compromise of the key documents.

  1. Key system management procedure

Registration of persons with key management rights is carried out in accordance with the operational documentation for the CIPF.

Key management is an information process that includes three elements:

  • key generation;
  • key accumulation;
  • key distribution.

In the organization's information systems, special hardware and software methods are used to generate random keys. As a rule, pseudo-random number generators (hereinafter PRNG) are used, with a sufficiently high degree of randomness in their output. Software key generators that compute the PRNG output as a complex function of the current time and (or) a number entered by the user are considered quite acceptable.

Key accumulation is understood as the organization of their storage, accounting and deletion.

Secret keys should not be written explicitly on a medium that can be read or copied.

All information about the keys in use must be stored in encrypted form. The keys that encrypt key information are called master keys. Each user must know the master keys by heart; it is forbidden to store them on any material medium.

To maintain information security, the key information in information systems must be updated periodically. Both regular keys and master keys are reassigned in this process.

When distributing keys, the following requirements must be met:

  • efficiency and accuracy of distribution;
  • secrecy of the distributed keys.

An alternative is for two users to obtain a shared key from a central authority, a key distribution center (KDC), through which they can then interact securely. To organize data exchange between the KDC and a user, the user is allocated a special key at registration, which encrypts the messages transmitted between them. Each user is allocated a separate such key.
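The three elements of this section can be shown in working code: key generation, storage of keys under a memorized master key, and session-key issuance by a KDC. The block below is an added example written for this page, not code from the policy or from any CIPF product, and it uses only the Python standard library. The key generator draws from the operating system's cryptographic random source (`secrets`) rather than from the time or a user-entered number; the master key is derived from a passphrase with PBKDF2 so that only a salt, never the master key itself, is written to a medium; the KDC is a toy in-memory service. The authenticated-encryption helper (HMAC-SHA256 keystream plus an encrypt-then-MAC tag) is a stand-in chosen so the example runs without third-party libraries, and the user names, labels and passphrase are constructed for the demo.

```python
"""Added example: key generation, master-key wrapping and a toy KDC (stdlib only)."""
import hashlib
import hmac
import secrets
import struct

NONCE_LEN = 16
TAG_LEN = 32


def generate_key(nbytes: int = 32) -> bytes:
    """Key from the OS CSPRNG (secrets -> os.urandom), not a time-seeded PRNG."""
    return secrets.token_bytes(nbytes)


def _subkeys(key: bytes) -> tuple:
    # Separate encryption and MAC keys so one key is never used for both roles.
    return (hmac.new(key, b"enc", "sha256").digest(),
            hmac.new(key, b"mac", "sha256").digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block_i = HMAC(enc_key, nonce || i).
    blocks = [hmac.new(enc_key, nonce + struct.pack(">I", i), "sha256").digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag. `aad` is bound but not encrypted."""
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, aad + nonce + ct, "sha256").digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag in constant time before decrypting; raise on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac, aad + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key, wrong label or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


def master_key_from_passphrase(passphrase: str, salt: bytes) -> bytes:
    """Master key from something the user knows by heart; only the salt is stored."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, 200_000, 32)


def wrap_key(master: bytes, working_key: bytes, label: bytes) -> bytes:
    """Encrypt a working key under the master key; the label binds it to its purpose."""
    return seal(master, working_key, aad=label)


def unwrap_key(master: bytes, wrapped: bytes, label: bytes) -> bytes:
    return open_sealed(master, wrapped, aad=label)


class KeyDistributionCenter:
    """Toy KDC: each user gets a registration key; session keys are issued on request."""

    def __init__(self) -> None:
        self._registration_keys = {}

    def register(self, user: str) -> bytes:
        key = generate_key()
        self._registration_keys[user] = key
        return key  # handed to the user out of band at registration time

    def issue_session_key(self, requester: str, peer: str) -> bytes:
        """Reply E_Kr(session || ticket), where ticket = E_Kp(session) is bound to the requester."""
        session = generate_key()
        ticket = seal(self._registration_keys[peer], session, aad=requester.encode())
        return seal(self._registration_keys[requester], session + ticket, aad=peer.encode())


def kdc_exchange() -> bool:
    """Run the exchange between constructed users 'alice' and 'bob'; True if both hold the same key."""
    kdc = KeyDistributionCenter()
    k_alice, k_bob = kdc.register("alice"), kdc.register("bob")
    reply = kdc.issue_session_key("alice", "bob")
    payload = open_sealed(k_alice, reply, aad=b"bob")     # alice checks the reply names bob
    session_a, ticket = payload[:32], payload[32:]
    session_b = open_sealed(k_bob, ticket, aad=b"alice")   # bob checks the ticket names alice
    return session_a == session_b
```

The label passed as associated data is what makes a wrapped key usable only for the purpose it was stored under: unwrapping with the wrong label, the wrong passphrase, or a modified ciphertext all fail the tag check before any plaintext is produced. Periodic re-keying of the master key, as the section requires, is just `unwrap_key` with the old master followed by `wrap_key` with the new one.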

KEY MANAGEMENT BASED ON PUBLIC KEY SYSTEMS

Before a public key cryptosystem can be used to exchange ordinary secret keys, users must exchange their public keys.

Public keys may be managed through an online or offline directory service, and users may also exchange keys directly.

  1. Monitoring and control of the use of CIPF

To raise the level of security during the operation of cryptographic information protection tools in the system, monitoring procedures must be implemented that record all significant events occurring during the exchange of electronic messages and all information security incidents. The description and list of these procedures are established in the operational documentation for the CIPF.

Control of the use of CIPF provides:

  • control over the compliance of the settings and configuration of information security tools, and of the hardware and software that can affect the fulfillment of the requirements for information security tools, with the regulatory and technical documentation;
  • monitoring compliance with the rules for storing restricted-access information used in the operation of information security tools (in particular key, password and authentication information);
  • control over the possibility of access by unauthorized persons to information security tools, as well as to the hardware and software that can affect the fulfillment of the requirements for information security tools;
  • monitoring compliance with the rules for responding to information security incidents (facts of loss or compromise of key, password and authentication information, as well as any other restricted-access information);
  • control of the compliance of the CIPF hardware and software, and of the documentation for these tools, with reference samples (supplier guarantees or control mechanisms that allow such compliance to be established independently);
  • control of the integrity of the CIPF hardware and software and of the documentation for these tools during their storage and commissioning (using both the control mechanisms described in the CIPF documentation and organizational measures).
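The last two control items, and the requirement in section 2.2 that software updates be recorded with their checksums, both come down to comparing the installed CIPF files against a reference. The block below is an added example written for this page, not code from the policy or from any CIPF product: it builds a reference manifest of SHA-256 digests at commissioning time and then reports every deviation found on a later check (modified, missing and unexpected files) rather than stopping at the first. The file tree, its contents and the drift it simulates are constructed in a temporary directory for the demo; a real deployment would keep the manifest on the sealed reference media the CIPF documentation prescribes, not next to the files it describes.

```python
"""Added example: integrity control of installed CIPF files against a reference manifest."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Reference manifest: relative POSIX path -> hex digest, taken at commissioning time."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_tree(root: Path, manifest: dict) -> dict:
    """Compare the tree with the manifest and report every deviation, not just the first."""
    report = {"modified": [], "missing": [], "unexpected": []}
    seen = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            report["unexpected"].append(rel)        # file the reference does not cover
        elif sha256_file(p) != manifest[rel]:
            report["modified"].append(rel)          # content differs from the reference
    report["missing"] = sorted(set(manifest) - seen)  # reference files no longer present
    return report


def demo() -> dict:
    """Commission a constructed install, simulate drift, and return the second check's report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        # Constructed sample files standing in for a CIPF installation.
        (root / "bin" / "cipf_core.so").write_bytes(b"\x7fELF constructed binary v1")
        (root / "cipf.conf").write_text("mode=strict\n")
        manifest = build_manifest(root)
        clean = verify_tree(root, manifest)
        assert clean == {"modified": [], "missing": [], "unexpected": []}
        # Simulated drift: patched binary, deleted configuration, stray file.
        (root / "bin" / "cipf_core.so").write_bytes(b"\x7fELF constructed binary v1 PATCHED")
        (root / "cipf.conf").unlink()
        (root / "bin" / "debug.log").write_text("x")
        return verify_tree(root, manifest)
```

When an update arrives from the manufacturer, the same `build_manifest` run on the delivered files gives the checksums to record in the update documentation, and the manifest is regenerated only after the update has been verified and installed.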
