Comparative analysis of protected key carriers.
Comparative analysis of protected key carriers
The development of information technology has led to the emergence of the problem of storing classified information. The issue has become especially acute with the development of the Internet, the emergence of technologies for legally significant document flow, the transfer of tax reporting over the network, etc. All this requires the use of cryptographic methods for protecting information: electronic digital signatures, user certificates using the X.509 protocol, and encryption. This approach can protect the data being transmitted, but who or what will protect the information used by cryptographic protocols, namely key data?
The same situation occurs when a user logs in to a computer. An unprotected password can fall into the hands of an intruder, and the entire system will be compromised. The issue becomes significant when it comes to corporate network workstations, where confidential information, personal data, and trade secrets circulate.
The problem of storing confidential information is solved by:
— USB tokens;
— TouchMemory;
— Smart cards.
Protected storage media allow for two-factor user authentication, when a password or pin code from the storage media and the device itself must be provided to log in to the system.
The following options for using storage media are distinguished:
— User authentication in the operating system, directory services and networks (Microsoft, Linux, Unix, Novell operating systems).
— Protecting computers from unauthorized downloads.
— Strict user authentication, access control, protection of data transmitted over the network in web resources (online stores, e-commerce).
— E-mail – generation of digital signature and data encryption, access control, password protection.
— Public key encryption systems (PKI), certification authorities – storage of X.509 certificates, reliable and secure storage of key information, significant — reduction in the risk of compromising the private key.
— Organization of secure data transmission channels (VPN technology, IPSec and SSL protocols) – user authentication, key generation, key exchange.
— Document management systems – creation of legally significant secure document management using digital signature and encryption (transfer of tax reports, contracts and other commercial information via the Internet).
— Business applications, databases, ERP systems – user authentication, storage of configuration information, digital signature and encryption of transmitted and stored data.
— Client-Bank systems, electronic payments – ensuring the legal significance of completed transactions, strict mutual authentication and authorization of clients.
— Cryptography – ensuring convenient use and secure storage of key information in certified means of cryptographic information protection (crypto providers and crypto libraries).
— Terminal access and thin clients – user authentication, storage of session parameters and settings.
— Disk encryption – delimitation and control of access to protected data, user authentication, storage of encryption keys.
— Disk data encryption – user authentication, generation of encryption keys, storage of key information.
— Support for legacy applications and replacement of password protection with more reliable two-factor authentication.
— A USB token is a storage medium that resembles a USB flash drive. Prominent representatives of this type of secure storage medium are eToken and ruToken, developed by Aladdin and Aktiv, respectively.
eToken
eToken is a personal means of strong authentication and data storage, hardware support for working with digital certificates and EDS. This device is a development of Aladdin and is available in two form factors: USB token and smart card. In both cases, the interaction of media with various security software applications has a single structure, which is presented.
Aladdin presents a number of products that have their own advantages and purposes:
— eToken PRO;
— eToken PRO (Java);
— eToken GOST;
— eToken NG-FLASH;
— eToken NG-OTP;
— CryptoPro eToken CSP.
eToken can act as a single corporate card used for visual identification of an employee, for access to premises, for logging into a computer, into a network, for access to protected data, for protecting electronic documents (EDS, encryption), for establishing secure connections (VPN, SSL), for conducting financial transactions.
eToken PRO
eToken PRO is a secure device designed for strong authentication, secure storage of secret data, cryptographic calculations and work with asymmetric keys and digital certificates. The USB key is implemented on the basis of a smart card chip. eToken PRO includes hardware implementation of RSA 1024/2048, DES/56, TripleDES/168, SHA-1, MAC, iMAC cryptographic algorithms. The generation of RSA 1024/2048 key pairs is also implemented in hardware. Depending on the modification, the device includes secure memory of 32 or 64 KB.
eToken PRO (Java)
A more advanced device is the eToken PRO (Java), manufactured on the basis of the Atmel AT90SC25672RCT smart card chip. This key has the Athena OS755 smart card operating system installed with a Java virtual machine fully compatible with the Sun Java Card standard. Supported interfaces and standards: PKCS#11 version 2.01, Microsoft CryptoAPI, PC/SC, support for X.509 v3 certificates; SSL v3, IPSec/IKE; Microsoft CCID; eToken Minidriver.
This version has the following hardware algorithms: RSA 1024/2048, DES, 3DES, SHA-1.
Unlike eToken PRO, the secure memory of this device has been expanded to 72 KB and it is possible to download your own Java applets, for the development of which Aladdin provides the eToken Java Card SDK developer kit.
eToken GOST
eToken GOST is based on eToken PRO (Java), which allows loading and executing Java applets on the storage medium. This device is supplied with the Java Card Platform Specification 2.2.1 and Global Platform 2.1.1 operating systems. An important feature of this model is the hardware-implemented Russian cryptographic algorithms:
— Generation of a key pair, formation of an EDS, verification of an EDS in accordance with GOST R 34.10-2001.
— Calculation of a hash function in accordance with GOST R 34.11-94.
— Symmetric encryption in accordance with GOST 28147-89 in the modes of simple replacement and generation of imitative insertion.
— Pairwise key generation using the Diffie-Hellman algorithm in accordance with RFC 4357.
— Random number sequence generation.
— eToken GOST is available in 4 types:
— The eToken GOST USB key is designed as a keychain and is directly connected to a USB port.
— The eToken GOST/SC smart card can be used with any standard PC/SC compatible reader.
— eToken GOST/Flash combined USB key with an additional flash memory module of up to 4 GB.
— eToken GOST/OTP combined USB key with a one-time password generator.
eToken NG-FLASH
The eToken NG-FLASH device differs from its predecessors by the presence of built-in flash memory, the size of which can be 512 MB, 1 GB, 2 GB or 4 GB. For this reason, this media is released only as a USB key (previous eToken devices are released in two form factors: USB key and smart card). eToken NG-FLASH is based on the Infineon SLE66CX642 smart card chip with 64 KB memory and the Siemens CardOS 4.20B operating system. The device has hardware cryptographic algorithms RSA/2048, RSA/1024, DES, 3DES, SHA-1.
With a sufficiently large amount of flash memory, an operating system image can be written to the USB key, which can be loaded for work on the computer. In this case, part of the eToken NG-FLASH memory can be protected by rights delimitation, allowing the corresponding area to be read-only. This can be done using the eToken NG-FLASH Partition Tool utility, which allows you to mark the flash memory into two areas: read-only and an area accessible for reading/writing. In the area accessible only for reading, you can pre-install the applications required by the user and define a configuration file for their autorun. In this case, when connecting the eToken NG-FLASH to the computer, the flash memory area will be recognized as two logical disks. The applications will be autorun from the disk accessible only for reading/writing.
If necessary, the device's flash memory can be redistributed between areas (with the loss of the current contents of each area) and initialized anew by the user.
eToken NG-OTP
In terms of functionality, eToken NG-OTP is similar to eToken PRO and includes hardware-implemented cryptographic algorithms RSA/2048, RSA/1024, DES, 3DES, SHA-1, SHA-1 HMAC, and is also capable of hardware-generated RSA/2048 and RSA/1024 key pairs. The difference of this device is the presence of a built-in one-time password generator based on the HMAC algorithm. The device is equipped with a button and a display for displaying generated one-time passwords, has built-in batteries and a light indicator of operating modes, of which there can be two:
— connected to a USB port (smart card capabilities + OTP generation);
— autonomous (OTP generation only).
As a result of the autonomous mode, the user can log in to the system without the ability to connect the USB key to the computer by typing the password displayed on the token display on the keyboard.
eToken NG-OTP is available only as a USB key in two versions: with a memory size of 32 KB and 64 KB.
CryptoPro eToken CSP
CryptoPro eToken CSP is a hardware and software solution written to generate an EDS according to GOST R 34.10-2001 with full compatibility with CryptoPro CSP. The solution provides a full set of cryptographic operations implemented in the CryptoPro CSP 3.6 cryptographic information protection tool and full integration with the PKI infrastructure based on the CryptoPro CA. At the same time, all operations with private keys of the EDS are performed by hardware, inside the eToken chip, the private keys themselves never leave the chip and cannot be intercepted. The validity period of the user's private key is up to 3 years.
CryptoPro eToken CSP resists attacks aimed at replacing the hash function value of the document being signed, replacing the value of the signature itself (for example, with terminal access), as well as selecting a PIN code. The solution supports a secure exchange protocol between the eToken hardware key and the CryptoPro CSP software components (technology for working with a functional key carrier — FKN).
The developers allow the possibility of additionally embedding a passive RFID radio tag into USB keys or eToken smart cards during the production of media. The presence of RFID allows an employee of the enterprise to pass physical access control to the premises using the ACS available in the organization. At the moment, RFID can be embedded in eToken PRO smart cards, eToken PRO USB keys, eToken NG-OTP and eToken NG-FLASH. The following types of radio tags are supported: EMMarin, HID, Mifare std 1k, BIM 002 (tag), KIBI 002 MT (card), Bewator Cotag, i-Class, i-Code, INDALA (FlexISO).
The presence of RFID in the token forces the user to remove the key from the computer when moving around the enterprise, since without it he will not be able to enter other premises. This eliminates the problem of employee negligence (may leave the computer with full access to its information), since when removing the USB key from the port or the smart card from the reader, the operating system is blocked.
Aladdin products have many security certificates, including FSTEC of Russia certificates. More detailed information can be found on the manufacturer's website at http://aladdin.ru/catalog/etoken/certificates/.
Rutoken
Rutoken was developed by Aktiv and Ankad companies taking into account modern requirements for information security devices. Unlike eToken, this device is supplied exclusively as a USB key and is aimed at the Russian consumer. The operating principle and purpose are similar to eToken, so we will not focus on this issue.
Main characteristics:
— Based on a protected microcontroller;
— Interface: USB;
— EEPROM memory: 32, 64 and 128 KB;
— Dimensions: 58x16x8 mm;
— Weight: 6.3 g;
— 32-bit unique serial number;
— Supported OS: Windows 98/ME/2000/XP/2003/Vista, Linux;
— Supported standards: ISO/IEC 7816, PC/SC, GOST 28147-89, Microsoft Crypto API and Microsoft Smartcard API, PKCS#11 (v. 2.10+);
— Own Crypto Service Provider and ICC Service Provider with standard sets of interfaces and API functions;
Possibility of integration into any smartcard-oriented software products (e-mail, internet, payment systems, etc.).
It is worth noting from the above characteristics a larger volume of built-in secure memory compared to eToken and the ability to support Linux operating systems.
Rutoken Magistra
Rutoken Magistra is based on the secure ST19NR66 microcontroller from STMicroelectronics. The device has a built-in Magistra operating system that uses a cryptographic module certified by the Russian FSB. Rutoken Magistra implements the following cryptographic algorithms: GOST 28147-89, GOST R 34.11-94, GOST R 34.10-2001, DES/3DES, SHA-1, RSA 1024.
Rutoken for CryptoPro CSP
Like CryptoPro eToken CSP, Rutoken is used for secure storage of digital certificates and private keys of digital signatures and encryption of CryptoPro CSP and CryptoPro Winlogon users. Thanks to the extended memory of Rutoken (up to 128 KB), this device can store up to 31 key containers.
Rutoken for CryptoPro JCP
Installing the Rutoken solution for CryptoPro JCP allows using Rutoken identifiers as key carriers for the cross-platform Java cryptoprovider of the Crypto-Pro company. This hardware and software solution can run on the following operating systems: Microsoft Windows XP/2003/Vista/7/2008 (32 and 64 bit), GNU/Linux and Mac OS X 10.5 Leopard.
CryptoPro Rutoken CSP
This hardware and software solution allows not only storing user certificates on a USB key, but also performing operations on private keys inside the device. The following algorithms are implemented in hardware for this purpose: key generation according to GOST R 34.10-2001, formation of an electronic digital signature according to GOST R 34.10-2001 and calculation of the Diffie-Hellman agreement key (RFC 4357). The CryptoPro Rutoken CSP SKZI is implemented on the basis of Rutoken EDS and CryptoPro software.
Rutoken EDS
Rutoken EDS is a hardware implementation of the Russian standard of electronic digital signature and a proven design of Rutoken identifiers. This device supports GOST R 34.10-2001, GOST 34.11-94, GOST 28147-89, generation of session keys (pairwise communication keys) according to the VKO GOST R 34.10-2001 (RFC4357) scheme and the RSA algorithm with keys up to 2048 bits. Rutoken EDS supports 3 categories of owners: Administrator, User and Guest. This product is supplied with a single memory size — 64 KB.
Thanks to the calculation of the EDS within the token, the private signature key does not leave the device. This eliminates the possibility of key compromise and increases the overall security of the system.
Rutoken Flash
This device is an analogue of eToken NG-FLASH, i.e. it includes both the basic properties of Rutoken and Flash memory. However, compared to eToken NG-FLASH, this product is supplied with a memory capacity of only 2 GB. However, if necessary, when ordering Rutoken Flash, you can specify the Flash memory capacity of 4 and 8 GB, then it will be increased.
The protected memory capacity of Rutoken Flash is 32 KB. The device supports transparent file system encryption according to GOST 28147-89. The average write speed is 5.8 MB/sec, and the read speed is 29.3 MB/sec.
Rutoken RF
Rutoken RF, in addition to the functionality of a key carrier, includes an RFID radio tag. The advantage of this device over the others is the same as that of eToken RFID. The following RFIDs can be integrated into Rutoken RF: EMMarine, Mifare, HID and Indala. At the same time, Rutoken can be supplied with a memory capacity of 32, 64 and 128 KB with each radio tag.
The availability of FSTEC and FSB certificates of Russia allows using Rutoken for successful certification of workplaces of employees of both commercial and state enterprises. More detailed information on product certification can be found on the manufacturer's website at http://rutoken.ru/products/certification/.
iButton
Another key data storage device is the iButton (popularly known as a «tablet»), developed by Dallas Semiconductor. Currently, these devices are manufactured by Maxim.
Each iButton is enclosed in a steel sealed cylindrical MicroCan case and has a unique number (ID) recorded during the manufacturing process. All iButton devices are manufactured to strict standards and can withstand serious mechanical (500 G) and temperature loads (operating temperature range -40°C to +85°C; storage temperature -55°C to +125°C).
The iButton is designed for 1 million write/read cycles, and data can be stored in the device for up to 10 years.
To connect the iButton to the computer, an additional reader must be installed, which is connected to the RS232 and USB ports depending on the reader type.
iButton devices have different built-in memory depending on the device type:
DS-1990 has no memory and is used to identify the owner by a unique number;
DS-1991 – 64 bytes;
DS-1992 — 1 Kbit;
DS-1993 — 4 Kbit;
DS-1994 — with timer and non-volatile memory of 4 Kbit;
DS-1995 — 16 Kbit;
DS-1996 — 64 Kbit.
Smart cards
Smart cards are plastic cards with a built-in microcircuit. In most cases, smart cards contain a microprocessor and an operating system that controls the device and access to objects in its memory. In addition, smart cards usually have the ability to perform cryptographic calculations. An example of such devices using smart cards from Aladdin (eToken PRO, etc., all details are described above) for storing key information and cryptographic algorithms.
Smart cards can be contact and contactless. The latter are usually used to identify the user in ACS systems.
Contact smart cards can be used as key information carriers. However, to use them, an additional connection of the reading device, including installation of the appropriate drivers, is required to the computer.
The main advantages and disadvantages of the main types of key information carriers can be listed in the table.
The choice of one or another device depends on the purpose of its use and the surrounding environment. In areas with low temperatures, as well as when used outdoors (access to premises, territory), reliable media such as iButton are required. However, the high functionality of USB keys and smart cards has its advantages. Their use is advantageous in office premises for the purpose of organizing legally significant document flow.
Tychinin Evgeny Viktorovich, Director of the company «Rekurs»
Magazine «Security Director», August 2010