PERSONAL ENCRYPTOR TECHNOLOGIES: FEATURES, POSSIBILITIES, PROSPECTS.

UKOV Vyacheslav Sergeevich, Candidate of Technical Sciences
NAZAROV Dmitry Mikhailovich

Scientific and technological progress has recently made another breakthrough: technologies have appeared that bring guaranteed information protection tools as close as possible to a wide range of users and make it possible to create personal encryptors (PEs). Until recently this was impossible because of a number of problems, such as the generation, storage and distribution of key material. This analytical review examines the main features, possible uses and development prospects of personal encryptor technologies.

A possible classification of modern commercial encryptors is shown in Fig. 1.


Fig. 1. Classification of modern commercial encryptors

Analysis of the encryptors presented there shows that at present the greatest potential for implementing personal encryptors that meet all modern requirements is offered by smart card technology, whose features and capabilities we will consider in more detail.

Main directions of development of smart card technology

Credit-card-sized plastic cards with embedded microcontrollers and secure memory are becoming smarter by the day. This is due to the use of more powerful and faster next-generation microcontrollers, or of processor cores optimized specifically for the needs of such cards. The familiar smart cards with 8-bit microcontrollers have recently undergone significant improvements and have given rise to a variety of new device families in the popular word lengths of 8, 16 and 32 bits.

Most smart cards are still 8-bit. Their multifunctionality has grown significantly of late, which has added to their popularity: a single card can, for example, perform banking transactions, pay for purchases in shops, hold the owner's personal medical record, and much more. When developing their own optimized dies for smart cards, manufacturers now pin their main hopes on very small 16- or 32-bit processor cores. The alternative is higher-performance 8-bit devices such as RISC cores, which execute one instruction per cycle, as opposed to the 6 to 12 cycles per instruction of most common microcontrollers such as the 8051 family. Depending on the performance required, a wide range of microprocessor devices of differing computing power is already on the market for the various smart card applications.

However, higher performance inevitably entails higher power consumption, which is unacceptable for a card that has no power source of its own. Smart cards are currently powered either through the printed contact pads or over a radio channel, in which case the current needed to power the device is induced in the loop antenna built into the card by an external high-frequency electromagnetic field; minimum power consumption is the key requirement here. In addition, since the card must retain its data after power is removed, it needs non-volatile yet electrically reprogrammable memory (EEPROM).

To implement all the necessary functions of a modern complex device, a high-performance microprocessor must be accompanied by a large amount of memory to store all the required information. The current generation of microcontrollers typically has built-in ROM as well as RAM and EEPROM, but the relatively small amount of reprogrammable memory is explained by physical and technological limits on die layout density. The simplest microprocessors have 128 bytes of RAM, 256 bytes of EEPROM and roughly 6 KB of ROM. The most complex modern microcontrollers combine 6 KB of RAM, 16 KB of EEPROM and up to 32 KB of ROM. In the latest designs, flash memory is becoming popular as a real alternative to ROM. As smart cards develop, a two- to four-fold increase in memory capacity for data and programs will be required.

Since semiconductor technology is constantly improving, smart cards could in future become ultra-small single-board computers. According to Siemens specialists, such a card would be more than a high-performance processor combined with cryptographic hardware and a large-capacity memory: it could carry an auxiliary keypad and use an antenna for contactless power supply and communication with external devices. To make the card independent of the reader's power, it could contain solar cells. Biometric sensors such as a fingerprint reader could be integrated to identify the owner, along with a loudspeaker, an alarm and a display for presenting and controlling information. Although all of these ideas are still far from practical implementation, many of the technologies listed already exist and are being improved. In the meantime, developers are looking for the optimal smart card solution at the current level of technology, which is mainly based on 8-bit microcontrollers. No more than half a dozen companies are involved in this industry, because of the high cost of the extraordinary security measures that give banks, insurance companies and other organizations a guarantee that the information held in the cards' memory will not be used against their owners.

Measures to protect information in the smart card from unauthorized access

Smart card proponents place great hopes on modern cryptographic protection technologies that help prevent unauthorized access to personal information. Some microprocessors developed for smart cards include specialized cryptographic coprocessors that provide a high level of security by implementing the RSA algorithm (with key lengths of up to 2048 bits) or DES (a symmetric algorithm with a fixed 56-bit key). A cryptographic coprocessor is needed because the public-key operations in particular require a large amount of computation and cannot be carried out by the microcontroller's central processor in the short time available, for example while passing through a subway turnstile.

In addition to special encryption algorithms, some devices use hardware modules built into the die to prevent unauthorized access to the program and data. A new scheme developed by Schlumberger in collaboration with SiShell allows semiconductor chip manufacturers to add a silicon shield to their products that protects them from unauthorized physical access. The shield prevents the device from being examined with electron beams or focused ion beams, which are normally used to detect, analyze and correct errors introduced during chip manufacture.

In the SiShell system, the chip substrate is thinned. After the manufacturing process is completed, the entire active area of the chip is covered with a silicon cap. This cap is thick and opaque, and it also protects the die from destructive environmental influences such as radiation or chemically aggressive environments. The thinner substrate gives additional protection against mechanical penetration of the die: any attempt to separate the protective cap from the active area results in irreversible destruction of the chip.

Chip manufacturers are also taking steps to prevent the tracking of data movement within the chip. Siemens, for its part, encapsulates its EEPROM cells to prevent their examination. Besides ROM with a protective metal mask, the company uses embedded ROM to hide data patterns. Additional protection is provided by extra shielding layers and encapsulation, similar to the SiShell approach, as well as by electrical circuits located outside the chip.

Russian smart cards of the RIC series

The need to develop systems based on microprocessor plastic cards and modern information technologies is beyond doubt today. For a number of years, FAPSI (FSB) specialists worked with several Western microprocessor and card manufacturers, such as Gemplus Card International, Siemens AG, Motorola and Giesecke & Devrient, to create a Russian version of the smart card using foreign dies with domestic cryptographic algorithms. It should be noted that foreign die and card manufacturers, while publishing a detailed list of consumer characteristics, treat the special (security) characteristics as confidential. A significant part of these characteristics is as a rule not disclosed, which makes it practically impossible to substantiate the reliability of the card's protection and to certify it against special requirements.

Thus, state policy in the field of informatization required the creation and organization of serial production of Russian smart cards with reliable protection and a cryptographic component based on domestic standards. A card was needed that could be used in application systems at every level, from local to national.

Within the framework of a tripartite agreement between the Angstrem enterprise, NTC Atlas and the Union Card company, with scientific and technical support from FAPSI, a domestic microcontroller was developed and preparations were made for serial production of a card based on it. At present this card is used, for example, in several pilot areas of the Union Card payment system.

The resulting Russian intelligent card (RIC) has technical and special characteristics sufficient for most applications. It is built around an original RISC processor core whose performance allows encryption speeds of up to 5 kB/s with the GOST 28147-89 algorithm in a protected implementation. The microcontroller contains 2 KB of non-volatile memory (EEPROM), 8 KB of program memory (ROM) and 256 bytes of RAM.

The RIC information security system is based on the physical protection of the microcontroller die and is supplemented by software and algorithmic protection measures implemented in the cryptographic module and the operating system.

The RIC operating system implements algorithmic protection measures such as self-tests when the card is powered up, cryptographic protection of data, integrity monitoring of data, and so on.

The cryptographic component of the operating system includes the DES and Triple-DES algorithms in addition to GOST 28147-89. The card has a built-in hardware-and-software random number generator, which allows the RIC to support reliable cryptographic protocols for mutual authentication and for generating one-time session keys that encrypt data exchanged with terminal equipment.

In terms of its functionality and level of protection against unauthorized access to stored information, RIC is generally not inferior to its foreign counterparts. The technical characteristics of the Russian card determine a very wide range of areas of its possible use. Let us briefly consider the prospects for using RIC in systems for solving information security problems.

Integrating the RIC as a carrier of identification information into access control for information system resources (in addition to, or instead of, a password typed at the terminal keyboard) significantly raises the level of resource protection: unlike a password, the information stored in the RIC is reliably protected from unauthorized access in the event of accidental or malicious actions by the person using it. At the same time, the RIC hardware and software release identification information to the terminal (offline mode) or to a remote system server (online mode) only after successful mutual authentication under the cryptographic protocols supported by the RIC operating system. Using personal cards for resource access also allows the user's session to be controlled dynamically: when the user leaves or interrupts work (that is, removes the card from the reader), access is blocked.

The use of microprocessor cards also provides the following significant capabilities:

  • reliable mutual authentication (recognition) of the card user and the control device (electronic lock, access terminal, turnstile, etc.);
  • encryption of the information exchanged between the card and the control device, so that the most confidential part of the data never leaves the card memory in clear text and cannot be intercepted by an intruder;
  • reliable logging by the system security administrator of all entries into and exits from the protected area, with all card user data, the exact time of passage, etc. recorded in the control logs (files or device memory);
  • automatic transmission of alarm signals on unauthorized entry into protected areas;
  • a covert "passage under duress" signal, indicating that the person with access rights is acting on the orders of an intruder;
  • covert remote blocking (deactivation) of the card of a user whose access rights have been revoked;
  • access hierarchies for protected objects and territories, allowing selected groups of users to pass only into the zones authorized for them and only during given time intervals of a given period (day, week, month, holidays, years, etc.);
  • protected storage of passwords and secret keys on the card, so that the loss of a user's card does not in itself endanger the system as a whole.

The implementation of these capabilities through the use of other control means (not smart cards) requires the presence of significantly more expensive and complex electronic devices and communication lines.

The use of the RIC as a key carrier is connected with the development of network and telecommunication technologies. Data transmission systems are currently moving to subscriber (point-to-point) encryption, in which the encryptor and the key carriers are directly in the subscriber's hands. Under these conditions the circle of people with access to key documents widens considerably, and the use of unprotected key carriers such as magnetic disks or magnetic stripe cards can lead to the compromise of confidential information through the loss of such keys or their illicit copying. One solution is to use key carriers that are algorithmically and physically protected from unauthorized access.

Research conducted by specialists has shown that the security measures developed and integrated into the RIC hardware and software environment, as well as the special properties of the crystal, will ensure reliable protection of key media based on RIC.

The use of new pass documents created on the basis of plastic cards with a built-in microcontroller allows the use of modern information cryptographic technologies that provide a high level of protection against counterfeiting of such passes and additional security functions, in particular the creation of zones of different levels of access and monitoring of persons in them.

The card is printed with the details of the pass holder, access rights, and his/her photograph. The card memory also stores the details, access rights, and digital photograph, signed with an electronic digital signature.

Requirements for information security of RICs used as electronic documents are similar to the use of RICs as a means of payment. At the same time, during the development of specific systems using electronic documents, organizational security measures similar to those used in payment systems must be taken.

The prospects for the RIC are at present largely tied to progress in microelectronic production technology at the Angstrem enterprise. A special place is occupied by work on adding hardware and software to the RIC microcontroller for efficient implementation of asymmetric cryptographic algorithms, in particular the digital signature standard GOST R 34.10. Such microcontrollers could become one of the technical solutions for personal carriers in a digital certificate system based on domestic cryptography, raise the security of information exchange over the Internet, and offer reliable solutions for electronic commerce.

The Russian market today offers a whole range of smart cards, the classification of which is shown in Fig. 2.


Fig. 2. Classification of Russian smart cards

The main characteristics, features and possibilities of using RIC are given in Table 1.

Table 1. Main characteristics, features and possibilities of using RIC

Columns: Name; Memory (bits); Construction; Protection; Application; Note.

KB5004BE1 microcontroller
  Memory: ROM 8K×16; EEPROM 128×128; RAM 256×8
  Construction: module
  Protection: ISO 7816, GOST 28147-89, Triple-DES
  Application: UnionCard, Sberbank, payphones, high-security ("super protection") applications
  Note: the strongest protection against unauthorized access

KB5004RR1 EPROM counter
  Memory: 616
  Construction: same (module)
  Protection: 256-bit key, write protection
  Application: payphones, gas stations, transport, parking, discount cards, subscriptions
  Note: the best protection for prepayment at a tariff

KB5004RR3 EEPROM
  Memory: 256×8
  Construction: same (module)
  Protection: protection against modification, 24-bit password
  Application: insurance and medical policies, access control, prepaid cards, discount cards, subscriptions
  Note: the most widely used; the card has 7 commands

KB5004HK2 EPROM
  Memory: 64
  Construction: cards, key fobs, boluses
  Protection: Manchester code
  Application: access control, animal husbandry, property control
  Note: used for building simple identification systems

KB5004HK1 EPROM
  Memory: 64
  Construction: cards, key fobs, tags, disks
  Protection: identification
  Application: access control, warehouse accounting, property control
  Note: 79-bit packet, 1.5 m range

KB5004HK3 crypto-EEPROM
  Memory: 8192
  Construction: cards
  Protection: cryptography, keys, authentication
  Application: access control, prepaid access, warehouse accounting
  Note: up to 16 independent applications on the card, 1.5 m range

KB5004HK6 EPROM
  Memory: 512
  Construction: cards, disks
  Protection: authentication
  Application: warehouse accounting, transport management, access control
  Note: read/write at up to 1.5 m; readers SBR-001 … SBR-008

K563RT1 EPROM
  Memory: 1024
  Construction: blocks, modules
  Protection: Hamming error correction
  Application: vehicle monitoring
  Note: remote reading at up to 50 m

To widen the range of tasks they can solve, smart cards are now produced structurally as modules, cards, tokens, key fobs, tags, disks, and so on. They have, however, found their widest application as plastic cards of standard credit-card size containing a silicon integrated circuit with its own built-in data processing facilities, including various encryption techniques. The main components of such a card are a microprocessor, a memory device and an operating system.

The core of the smart card is its operating system (OS), which we consider in more detail. The RIC-2 OS is intended as the software component of the serially produced Angstrem KB5004BE1 microcontrollers (as carriers of key and identification information, and as smart cards for special applications).

The RIC-2 operating system provides:

  • one-way and mutual authentication of the card and the external device based on symmetric cryptography;
  • identification of the card holder by a secret code, using the data encryption/decryption function based on the Russian cryptographic algorithm GOST 28147-89;
  • generation of a message authentication code (imitovstavka, the MAC mode of GOST 28147-89);
  • key diversification (deriving per-card keys from a master key);
  • cryptographic integrity checking of the program code in the microcontroller's mask ROM;
  • structured access to the information stored in the card's non-volatile memory;
  • cryptographic protection of the information exchange between the card and terminal equipment;
  • use of the card as a data encryptor.

The RIC-2 OS performs its functions by executing commands sent to the card by an external device (ED). Exchange between the card and the external device uses the T=0 transmission protocol of ISO 7816-3. Data blocks of up to 64 bytes may be transferred in either direction. The direct convention is used for bit encoding.

The logical interface for data exchange between the card and the ED implemented in the RIC-2 OS complies with the international standard ISO 7816-4. The RIC-2 OS enforces delimited access by the external device to files and supports the following file types:

  • DF, dedicated files that group the files of one application;
  • EF, elementary (binary) files intended for storing data;
  • KF, specialized files for storing keys and passwords.

Access rights can be defined individually for each file on the card, and the card can hold several applications. The RIC-2 OS, as the software component of the serially produced KB5004BE1 microcontrollers, complies with the FAPSI-approved Tactical and Technical Requirements for the RIC as an Intelligent Carrier of Key and Identification Information.
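As an added illustration of the ISO 7816-4 command interface described above (this is example code written for this review, not code from the RIC-2 OS), the following Python models a short-APDU codec with the 64-byte block limit and a toy card that applies per-file access conditions and a PIN retry counter. It uses the standard VERIFY, SELECT FILE and READ BINARY instruction codes and ISO 7816-4 status words; the file identifiers, the PIN, the retry limit and the names ToyCard and demo_card are constructed for the example.

```python
"""Toy ISO 7816-4 command interface: short-APDU encoding/parsing and a card that
enforces per-file access conditions and a PIN retry counter. Example code for this
review; not the RIC-2/UniCOS OS. File identifiers, PIN and retry limit are made up."""
import hmac

MAX_BLOCK = 64        # RIC-2: data blocks of up to 64 bytes in either direction
# ISO 7816-4 status words used below
SW_OK, SW_WRONG_LEN, SW_SECURITY, SW_BLOCKED = 0x9000, 0x6700, 0x6982, 0x6983
SW_NO_EF, SW_NOT_FOUND, SW_INS_UNSUPPORTED = 0x6986, 0x6A82, 0x6D00


def build_apdu(cla, ins, p1, p2, data=b"", le=None):
    """Encode a short APDU (cases 1-4): header, optional Lc+data, optional Le."""
    if len(data) > MAX_BLOCK or (le is not None and not 1 <= le <= MAX_BLOCK):
        raise ValueError("data block exceeds the 64-byte limit")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data
    if le is not None:
        apdu += bytes([le])
    return apdu


def parse_apdu(apdu):
    """Split an APDU into (cla, ins, p1, p2, data, le), inferring the case from its length."""
    if len(apdu) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    body = apdu[4:]
    if not body:                          # case 1: header only
        data, le = b"", None
    elif len(body) == 1:                  # case 2: Le only (0 means 256)
        data, le = b"", body[0] or 256
    elif len(body) == 1 + body[0]:        # case 3: Lc + data
        data, le = body[1:], None
    elif len(body) == 2 + body[0]:        # case 4: Lc + data + Le
        data, le = body[1:-1], body[-1] or 256
    else:
        raise ValueError("Lc does not match the body length")
    return apdu[0], apdu[1], apdu[2], apdu[3], data, le


def parse_response(resp):
    """Return (data, status word) from a response APDU."""
    return resp[:-2], int.from_bytes(resp[-2:], "big")


class ToyCard:
    """files: {fid: (access, content)}; access is 'always' or 'pin' (VERIFY first)."""
    def __init__(self, pin, files, max_tries=3):
        self._pin, self._files, self._max = pin, files, max_tries
        self._tries, self._verified, self._ef = max_tries, False, None

    def process(self, apdu):
        cla, ins, p1, p2, data, le = parse_apdu(apdu)
        if ins == 0x20:                   # VERIFY
            return self._verify(data)
        if ins == 0xA4:                   # SELECT FILE by identifier
            return self._select(data)
        if ins == 0xB0:                   # READ BINARY from the current EF
            return self._read(le)
        return self._sw(SW_INS_UNSUPPORTED)

    @staticmethod
    def _sw(sw, data=b""):
        return data + sw.to_bytes(2, "big")

    def _verify(self, pin):
        if self._tries == 0:
            return self._sw(SW_BLOCKED)   # counter exhausted: PIN permanently blocked
        if hmac.compare_digest(pin, self._pin):
            self._tries, self._verified = self._max, True
            return self._sw(SW_OK)
        self._tries -= 1
        return self._sw(0x63C0 | self._tries)   # 63Cx: x retries remaining

    def _select(self, fid):
        if fid not in self._files:
            return self._sw(SW_NOT_FOUND)
        self._ef = fid
        return self._sw(SW_OK)

    def _read(self, le):
        if le is None:
            return self._sw(SW_WRONG_LEN)
        if self._ef is None:
            return self._sw(SW_NO_EF)
        access, content = self._files[self._ef]
        if access == "pin" and not self._verified:
            return self._sw(SW_SECURITY)  # access condition not satisfied
        return self._sw(SW_OK, content[:le])


def demo_card():
    """Constructed card: a public EF and a PIN-protected EF holding key material."""
    return ToyCard(b"1234", {b"\x01\x01": ("always", b"pass-holder"),
                             b"\x01\x02": ("pin", b"secret-key-bytes")})
```

The card never reports why a read of the protected file fails beyond the 6982 status word, and the retry counter is decremented before the PIN comparison result is used, so a correct PIN presented after the counter reaches zero still returns 6983; the PIN comparison itself uses hmac.compare_digest to avoid a timing side channel.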

Main characteristics of RIC-2

The basic Russian smart card is based on the KB5004BE1 microcontroller with the UniCOS operating system. The operating system provides a platform that allows the implementation of a full range of applications for cashless payments using payment cards on the RIC, including: electronic wallet, electronic check, debit card, merchant card, telephone card and others.

Promising areas of application for the RIC are electronic passports, medical and social insurance cards, electronic identity cards, INN (individual taxpayer number) carriers.

In terms of special applications, the RIC can be used to build systems for access to objects and premises, user authentication to restrict access to information and telecommunications resources, and to use the RIC as a key information carrier, as well as a personal means of encryption and electronic signature of documents.

The RIC microcontroller has the following technical characteristics:

  • 8-bit high-performance microcontroller with RISC architecture;
  • 256 bytes of random access memory (RAM);
  • 2 KB of EEPROM;
  • data retention of at least 10 years;
  • at least 100,000 erase/write cycles;
  • serial I/O channel compatible with ISO 7816-3;
  • ISO 7816-2 compliant contact layout;
  • double-metal CMOS manufacturing process;
  • current consumption:
      less than 2 mA at 5 V and 5 MHz;
      less than 1 μA in low-power STOP mode.

The UniCOS operating system has the following characteristics:

  • ISO 7816-4 compliant;
  • cryptographic protocols based on the GOST 28147-89 algorithm;
  • flexible access control system;
  • ability to integrate additional functions;
  • internal self-testing;
  • failure protection system.

The access control system of the UniCOS RIC OS makes it possible to:

  • create write-once files;
  • permit reading of a file only after a password has been presented and/or cryptographic authentication has been performed;
  • permit appending data to a file only after a password has been presented and/or cryptographic authentication has been performed;
  • permit modification of data in a file only after a password has been presented and/or cryptographic authentication has been performed;
  • encrypt transmitted data and decrypt received data with a key stored in the card;
  • secure the exchange between the terminal and the card by encrypting (decrypting) it with a session key computed during cryptographic authentication;
  • accompany transmitted data with a cryptographic MAC (imitovstavka) for integrity control, computed either on a key stored in the card or on the session key.

Personal encryptor based on RIC-2

The RIC-2 personal encryptor is designed to encrypt and integrity-protect (MAC) personal documentary information. It can be used to encrypt confidential information that does not constitute a state secret. In that case the RIC-2 personal encryptor with loaded keys is not a classified device, but measures must be taken to make it difficult for unauthorized persons to gain access to it. The personal encryptor mode is implemented in RIC-2 by the CRYPT command, which encrypts or decrypts data and computes or checks a MAC on the data using the key from the current KF. The data must be at least 8 bytes long for a MAC to be computed or checked.
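The pieces described in this and the earlier sections (the mutual authentication and one-time session keys of the card/terminal protocol, key diversification in the RIC-2 OS function list, the session-key MAC in the UniCOS access-control list, and the encrypt/MAC behaviour of the CRYPT command) can be tied together in one worked example. The following Python is written for this review and is not the RIC-2 firmware: a compact GOST 28147-89 implementation (block encryption and the MAC mode, imitovstavka) plus a challenge-response exchange in which terminal and card each prove knowledge of the diversified card key and derive a one-time session key. The S-box set, the derivation formulas, the message layout and the names Card, Terminal, diversify and mutual_auth_ok are assumptions; the real command format is not given on the page.

```python
"""GOST 28147-89 (block cipher + MAC), key diversification, and a card/terminal
mutual authentication ending in a session key. Example code for this review, not
RIC-2 firmware; S-box set, derivation formulas and message layout are assumptions."""
import hmac
import os

# S-boxes: GOST R 34.11-94 test-parameter set (assumed; the RIC's own set is not
# given on the page, and any eight 16-entry permutations work here)
SBOX = [
    [4, 10, 9, 2, 13, 8, 0, 14, 6, 11, 1, 12, 7, 15, 5, 3],
    [14, 11, 4, 12, 6, 13, 15, 10, 2, 3, 8, 1, 0, 7, 5, 9],
    [5, 8, 1, 13, 10, 3, 4, 2, 14, 15, 12, 7, 6, 0, 9, 11],
    [7, 13, 10, 1, 0, 8, 9, 15, 14, 4, 6, 12, 11, 2, 5, 3],
    [6, 12, 7, 1, 5, 15, 13, 8, 4, 10, 9, 14, 0, 3, 11, 2],
    [4, 11, 10, 0, 7, 2, 1, 13, 3, 6, 8, 5, 9, 12, 15, 14],
    [13, 11, 4, 1, 3, 15, 5, 9, 0, 10, 14, 7, 6, 8, 2, 12],
    [1, 15, 13, 0, 5, 7, 10, 4, 9, 2, 3, 14, 6, 11, 8, 12],
]
MASK32 = 0xFFFFFFFF
ENC_SCHEDULE = list(range(8)) * 3 + list(range(7, -1, -1))  # K0..K7 x3, then K7..K0
DEC_SCHEDULE = ENC_SCHEDULE[::-1]                           # reversed order decrypts
MAC_SCHEDULE = list(range(8)) * 2                           # 16-round variant for the MAC

def _f(x, k):
    """Round function: add subkey mod 2^32, eight 4-bit S-boxes, rotate left by 11."""
    x = (x + k) & MASK32
    y = 0
    for i in range(8):
        y |= SBOX[i][(x >> (4 * i)) & 0xF] << (4 * i)
    return ((y << 11) | (y >> 21)) & MASK32

def _subkeys(key):
    if len(key) != 32:
        raise ValueError("GOST 28147-89 needs a 256-bit key")
    return [int.from_bytes(key[4 * i:4 * i + 4], "little") for i in range(8)]

def _feistel(block, subkeys, schedule):
    """Feistel network over one 8-byte block; halves swap after every round but the last."""
    n1 = int.from_bytes(block[:4], "little")
    n2 = int.from_bytes(block[4:8], "little")
    for k in schedule:
        n1, n2 = n2 ^ _f(n1, subkeys[k]), n1
    return n2.to_bytes(4, "little") + n1.to_bytes(4, "little")  # undo the final swap

def encrypt_block(key, block):
    return _feistel(block, _subkeys(key), ENC_SCHEDULE)

def decrypt_block(key, block):
    return _feistel(block, _subkeys(key), DEC_SCHEDULE)

def mac(key, data):
    """Imitovstavka: CBC-style chaining of the 16-round transform, low 32 bits kept.
    Like the CRYPT command, it needs at least 8 bytes; a short tail is zero-padded."""
    if len(data) < 8:
        raise ValueError("MAC needs at least 8 bytes of data")
    data += bytes(-len(data) % 8)
    subkeys, state = _subkeys(key), bytes(8)
    for i in range(0, len(data), 8):
        chained = bytes(a ^ b for a, b in zip(state, data[i:i + 8]))
        state = _feistel(chained, subkeys, MAC_SCHEDULE)
    return state[:4]

def diversify(key, seed):
    """Derive a 256-bit key from an 8-byte seed (card serial, or the XOR of the two
    challenges for a session key): four encryptions of seed with a counter in byte 0."""
    return b"".join(encrypt_block(key, bytes([seed[0] ^ i]) + seed[1:8]) for i in range(4))

class Card:
    """Holds a diversified card key that never leaves the card."""
    def __init__(self, serial, card_key):
        self.serial, self._key, self.session, self._pending = serial, card_key, None, None
    def respond(self, r_t):
        r_c = os.urandom(8)                       # card's own random challenge
        self._pending = (r_t, r_c)
        return self.serial, r_c, mac(self._key, r_t + r_c)   # proves the card knows Kc
    def finish(self, tag_t):
        r_t, r_c = self._pending
        if not hmac.compare_digest(tag_t, mac(self._key, r_c + r_t)):
            raise PermissionError("terminal failed authentication")
        self.session = diversify(self._key, bytes(a ^ b for a, b in zip(r_t, r_c)))
        return self.session

class Terminal:
    """Holds only the master key; each card key is re-derived from the card serial."""
    def __init__(self, master_key):
        self._master = master_key
    def authenticate(self, card):
        r_t = os.urandom(8)
        serial, r_c, tag_c = card.respond(r_t)
        card_key = diversify(self._master, serial)
        if not hmac.compare_digest(tag_c, mac(card_key, r_t + r_c)):
            raise PermissionError("card failed authentication")
        card.finish(mac(card_key, r_c + r_t))    # now prove the terminal to the card
        return diversify(card_key, bytes(a ^ b for a, b in zip(r_t, r_c)))

def mutual_auth_ok(master_key, card):
    """True when terminal and card authenticate each other and agree on a session key."""
    try:
        return Terminal(master_key).authenticate(card) == card.session
    except PermissionError:
        return False
```

The terminal stores only the master key and re-derives each card's key from the serial it reads, which is what key diversification buys: a card with a cloned serial but the wrong key fails at the first MAC check, and a terminal with the wrong master key is rejected by the card before any session key is formed. Both tags are bound to both challenges, so a recorded exchange cannot be replayed, and the session key changes on every run because it is derived from fresh randomness on both sides.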

The RIC-2 cryptographic information protection tool is certified by FAPSI to level B of the "Temporary Requirements for Means of Protecting Confidential Information".

Workstations with the RIC-2 personal encryptor may be used only in organizations licensed to operate cryptographic data protection tools. The key system of the RIC-2 personal encryptor is of the "full matrix" type, providing communication on an "each with each" basis, and includes:

  • pairwise encryption keys, one for communication with each subscriber of the network;
  • a data encryption key shared by all subscribers of the network at once (broadcast key).

When used in systems processing information that constitutes a state secret, smart cards running the RIC-2 OS must be provided with the following measures:

  • thermal and electrical burn-in of the microcircuits;
  • additional organizational measures restricting access to the cards;
  • attenuation of at least 47 dB in the secondary power supply circuit;
  • when the RIC-2 is powered outside the reader, a controlled zone of at least 1.5 m, with the card at least 0.2 m from extraneous wires and cables (other than power cables) that leave the controlled zone.

Practical implementation of personal hardware encoders

One of the first hardware personal means of cryptographic protection of information in Russia is Shipka-1.5 by OKB SAPR (photo 1).


Photo 1. External appearance of the personal encoder Shipka-1.5

Shipka-1.5 is an abbreviation for the words Encryption – Identification – Signature – Authentication Codes. Outwardly, this product is no different from a regular USB key, but at the same time it performs all the functions of the words that make up its name. Shipka-1.5 is a USB device that has the following hardware implementation:

1. All standard Russian cryptographic algorithms:

  • encryption (GOST 28147-89);
  • hash function computation (GOST R 34.11-94);
  • digital signature generation and verification (GOST R 34.10-94, GOST R 34.10-2001);
  • computation of protective authentication codes (ZKA): to make sure that data is processed correctly and that the processing technology has not been violated, the results of operations are checked at certain points against the expected values, and an alarm is raised on any mismatch.

2. A number of foreign algorithms:

  • RC2, RC4 and RC5, DES, 3DES and RSA encryption;
  • the MD5 and SHA-1 hash functions;
  • digital signature (RSA, DSA).

3. Two isolated non-volatile memory blocks:

  • 4 KB of memory for critical key material, located inside the device itself;
  • up to 2 MB of memory for other key material, passwords, certificates, etc., part of which can be allocated as a small secure disk.

4. Hardware random number generator.

With the help of the Shipka-1.5 device, a wide variety of information security tasks can be solved at both the personal and the corporate level, for example:

  • encrypting and/or signing files;
  • secure storage of passwords for various web services;
  • hardware user identification in diskless thin-client solutions;
  • hardware user identification for the Accord-NT/2000 hardware-software complex installed on laptops;
  • hardware authorization when loading the Windows OS on a PC;
  • key storage and a hardware random number generator for cryptographic applications;
  • use as a smart card in typical solutions, such as logging into a Windows domain, encrypting and/or signing messages in mail programs (for example, Outlook Express), and obtaining Certification Authority certificates binding a user name to a public key where that key must be recognized as valid in the PKI;
  • protecting information technologies with cryptographic algorithms.

Hardware implementation of the computations, without involving the host computer's resources, is the important difference between Shipka-1.5 and other known solutions based on USB keys, which are in fact only non-volatile memory plus a USB interface adapter, with all security-critical computation done in software. In Shipka-1.5, only the transport and data-format matching procedures, which do not affect security, are implemented in software; everything else is done in hardware.

This means that host software cannot interfere with or falsify the authentication, encryption or digital signature processes. It also means that once Shipka-1.5 is unplugged, no traces of the user's secret keys remain in the computer's memory and nobody else can use them. At the same time, all of these features can be used on any computer, since all key material is stored in the Shipka-1.5 device.

This does not mean, however, that anyone who takes possession of a Shipka-1.5 device automatically gains all the information stored in it: access is protected by a PIN code, and if the permitted number of incorrect entries is exceeded, the device is blocked and all information on it is destroyed.

The ability to store passwords in the Shipka-1.5 device means the user no longer has to choose between a strong password and one that is easy to remember, and avoids such common mistakes as keeping passwords in a notepad or on scraps of paper, or reusing the same password in different places.

Being a USB device, Shipka-1.5 does not need the rather expensive card readers that smart cards require, so using it as a smart card is not only more convenient but also more economical. In addition, the Shipka-1.5 device is fully programmable, which makes it easy to extend its functionality.

Today, in the Russian information security market, in addition to the Shipka-1.5 device discussed above, there is already a whole range of hardware devices for personal cryptographic (guaranteed) protection.

In particular, the Aktiv company, together with the Ankad company, has developed a series of personal electronic identifiers, ruToken (photo 2), which are a fully functional equivalent of a smart card in the form of a miniature USB key fob. These identifiers plug into the computer's USB port and need no additional reader. A ruToken has its own file system, a hardware implementation of the GOST 28147-89 encryption algorithm, and up to 128 KB of protected non-volatile memory.


Photo 2. General view of personal identifiers of the ruToken type

The use of ruToken allows to significantly increase the efficiency of information protection due to the fact that network login, protection of electronic correspondence and data encryption can be carried out on the basis of digital certificates stored in the protected memory of ruToken. When using such an electronic identifier, the level of network security and user convenience are simultaneously significantly increased.

The ruToken electronic identifier provides:

  • reliable two-factor authentication of users;
  • storage of encryption keys, passwords and certificates in the memory of ruToken;
  • protection of electronic mail (digital signature, encryption);
  • reduction of operating costs, ease of use.

The new ruToken RF electronic identifier has even greater capabilities: it is an integrated (two-in-one) device intended to give users both access to computer information resources and physical access to premises. The fundamental difference between ruToken RF and the identifiers discussed above is the presence of a passive EM Marine type radio frequency tag based on the EM4102 chip, which has significantly expanded its functionality and provides:

  • strict two-factor authentication when accessing a computer and protected information resources;
  • secure storage of cryptographic keys, passwords and digital certificates;
  • use in access control and management systems;
  • use in systems for recording working hours and auditing employee movements;
  • 3 levels of access to ruToken RF memory: guest, user, administrator;
  • pass for electronic checkpoints.

Since ruToken RF combines a contactless pass for entering a room and a means of accessing a computer network in one key fob, it is most effective as part of an integrated security system. The identifier must be presented to leave the room, and when it is unplugged from the computer's USB port the user session is locked automatically. Three modifications of ruToken RF are currently available, differing in user memory capacity: 8, 16 and 32 KB. The main technical characteristics and features of ruToken RF and of the RFID tag are given in Tables 2 and 3, respectively.

Table 2. Main technical characteristics and features of ruToken RF

| Characteristic | Value (feature) |
|---|---|
| Encryption algorithm | GOST 28147-89 |
| Implementation of the encryption algorithm | hardware |
| Interface type | USB |
| EEPROM memory capacity, KB | 8, 16, 32, 64, 128 |
| Overall dimensions, mm | 58 x 16 x 8 |
| Weight, g | 6.3 |
| Length of unique serial number, bits | 32 |
| Standards supported | ISO/IEC 7816, PC/SC, GOST 28147-89, Microsoft Crypto API, Microsoft Smartcard API, PKCS #11 (v2.10+) |
| Supported OS | Windows 98/ME/2000/XP/2003 |
| Proprietary Crypto Service Provider and ICC Service Provider | available, with standard sets of interfaces and API functions |
| Approximate price, $ | 24.5 |

Table 3. Main technical characteristics and features of the RFID tag

| Characteristic | Value (feature) | Note |
|---|---|---|
| Tag type | EM Marine (UNIQUE) | passive tag |
| Chip | EM4102 | |
| Manufacturer | EM Microelectronics | Switzerland |
| Operating frequency | 125 kHz | 100 – 150 kHz |
| Modulation type | amplitude | Manchester |
| Transmission rate | 2 kbaud | |
| Read/write mode | read only | |
| Code length | 64 bits | |
| Reading distance | 40 – 50 mm | depends on the reader |
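To make the "code length 64 bits", "Manchester" and "read only" rows of Table 3 concrete, here is an added example that is not code from this review, from Aktiv or from EM Microelectronics: it builds and verifies an EM4102 frame with the standard 9-bit header, row and column parity and stop bit, and applies the Manchester line coding used on the 125 kHz link. The identifier 0x1A00123456 is a constructed value, and the Manchester convention (1 -> 10, 0 -> 01) is an assumption; some readers use the opposite polarity.

```go
package main

import (
	"errors"
	"fmt"
)

// EM4102 frame layout (64 bits, as in Table 3): 9 header bits of 1, then 10
// rows of 4 data bits each followed by an even row-parity bit, then 4 even
// column-parity bits, then a 0 stop bit. The 40 data bits are an 8-bit
// customer/version code and a 32-bit serial number. Added example for this
// review, not a vendor reader library; the identifier in main is constructed.

// EncodeEM4102 builds the 64-bit frame (one byte per bit) for a 40-bit identifier.
func EncodeEM4102(id uint64) ([]byte, error) {
	if id >= 1<<40 { return nil, errors.New("identifier must fit in 40 bits") }
	frame := append(make([]byte, 0, 64), 1, 1, 1, 1, 1, 1, 1, 1, 1) // header
	var col [4]byte
	for row := 9; row >= 0; row-- { // most significant nibble first
		nib := byte(id>>(4*uint(row))) & 0xF
		var rowPar byte
		for c := 3; c >= 0; c-- {
			b := (nib >> uint(c)) & 1
			frame = append(frame, b)
			rowPar ^= b
			col[3-c] ^= b
		}
		frame = append(frame, rowPar)
	}
	return append(frame, col[0], col[1], col[2], col[3], 0), nil
}

// DecodeEM4102 checks the header, both parity sets and the stop bit, then returns the identifier.
func DecodeEM4102(frame []byte) (uint64, error) {
	if len(frame) != 64 { return 0, errors.New("frame must be 64 bits") }
	for i := 0; i < 9; i++ {
		if frame[i] != 1 {
			return 0, errors.New("bad header")
		}
	}
	var col [4]byte
	id, pos := uint64(0), 9
	for row := 0; row < 10; row++ {
		var rowPar byte
		for c := 0; c < 4; c++ {
			b := frame[pos+c] & 1
			id = id<<1 | uint64(b)
			rowPar ^= b
			col[c] ^= b
		}
		if rowPar != frame[pos+4] {
			return 0, fmt.Errorf("row %d parity error", row)
		}
		pos += 5
	}
	for c := 0; c < 4; c++ {
		if col[c] != frame[pos+c] {
			return 0, fmt.Errorf("column %d parity error", c)
		}
	}
	if frame[63] != 0 { return 0, errors.New("bad stop bit") }
	return id, nil
}

// ManchesterEncode maps each bit to a half-bit pair (assumed convention: 1 -> 10, 0 -> 01).
func ManchesterEncode(bits []byte) []byte {
	out := make([]byte, 0, 2*len(bits))
	for _, b := range bits {
		out = append(out, b&1, 1-(b&1))
	}
	return out
}

// ManchesterDecode recovers each bit from the transition in the middle of the bit period.
func ManchesterDecode(line []byte) ([]byte, error) {
	if len(line)%2 != 0 { return nil, errors.New("odd number of half-bits") }
	out := make([]byte, 0, len(line)/2)
	for i := 0; i < len(line); i += 2 {
		if line[i] == line[i+1] {
			return nil, fmt.Errorf("missing transition at half-bit %d", i)
		}
		out = append(out, line[i])
	}
	return out, nil
}

func main() {
	frame, _ := EncodeEM4102(0x1A00123456) // constructed: customer code 0x1A, serial 0x00123456
	bits, _ := ManchesterDecode(ManchesterEncode(frame))
	id, err := DecodeEM4102(bits)
	fmt.Printf("decoded %010X, err=%v\n", id, err)
	bits[20] ^= 1 // one flipped data bit is caught by the row parity
	_, err = DecodeEM4102(bits)
	fmt.Println("after bit flip:", err)
}
```

The frame carries nothing but the static identifier and its parity bits: there is no secret and no challenge, so a reader can detect a transmission error but cannot verify anything beyond the identifier's value. This is consistent with the way the review divides the roles of ruToken RF, with keys, certificates and strict two-factor authentication on the USB side and the tag used for passes and access control.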

With the massive growth of mobile communication systems, the problem of guaranteed protection of personal information while it is stored and transmitted over mobile communication channels has recently become very pressing. A personal encryptor makes subscriber-to-subscriber (point-to-point) encryption possible.

The first commercial project implemented in Russia was the product of the Federal State Unitary Enterprise “STC Atlas” and its partner, the “Goodwin” concern: a special mobile radiotelephone (SMP), whose appearance in Russian GSM networks made it possible to raise the level of cryptographic protection further by using additional subscriber encryption. The special mobile phone SMP-Atlas (M-539) became the first legally protected device in Russia designed to transmit personal confidential data in encrypted form. The device has a built-in personal encryptor; when the encryptor is switched off, the handset operates as a regular GSM phone.

In open mode the GSM 900/1800 phone provides all the standard functions of a GSM terminal, and in protected mode it provides guaranteed protection of voice information. The device measures 140x48x25 mm and weighs 180 g with the battery, whose capacity is enough for 3.5 hours of protected conversation. The device, which can provide encryption of guaranteed strength not only for speech but also for SMS, MMS, computer data and e-mail, is sold in Moscow cellular communication stores and costs about 2.5 thousand dollars. The encryption key is symmetric, 256 bits, and encryption is performed in hardware by a dedicated processor.

Similar functions are performed by the dual-processor Crypto Smart Phone (as its developers call it) created by ZAO “ANKORT”. It can work with the analog, digital and IP cryptophones developed by the same company in any standard GSM network that supports data transmission. Keys are distributed using a public key, and a common key is generated for each communication session; the user can also generate and enter keys independently. The main features of the Crypto Smart Phone are given in Table 4.
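The key handling described for the Crypto Smart Phone (a public key for distribution, a fresh common key for every session, symmetric encryption with a 256-bit key), as an added example that is not ANKORT's code or anything from this review. The concrete choices are assumptions: X25519 for both the long-term ("public key") and the per-call ephemeral exchange, HMAC-SHA256 as the key derivation, AES-256-GCM as the symmetric cipher, and the caller/callee roles and sample SMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Handset is a software model of one crypto phone, added for this review (not
// ANKORT's code). X25519, HMAC-SHA256 and AES-256-GCM are assumptions: the
// review only states public-key distribution and a 256-bit per-session key.
type Handset struct {
	role             byte             // 0 = caller, 1 = callee; keeps the two nonce streams apart
	static           *ecdh.PrivateKey // long-term key whose public half is distributed beforehand
	eph              *ecdh.PrivateKey // per-call key, discarded after the call
	key              []byte           // 32-byte session key (kept so a test can inspect it)
	aead             cipher.AEAD      // AES-256-GCM under key; nil between calls
	sendCtr, recvCtr uint64
}

func NewHandset(role byte) (*Handset, error) {
	s, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	return &Handset{role: role, static: s}, nil
}

func (h *Handset) StaticPublic() []byte { return h.static.PublicKey().Bytes() }

// Offer generates the per-call ephemeral key and returns its public part.
func (h *Handset) Offer() ([]byte, error) {
	e, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	h.eph = e
	return e.PublicKey().Bytes(), nil
}

// Establish derives the session key from the static-static secret (binding it to
// the peer's known public key) and the ephemeral-ephemeral secret (making it
// fresh for every call). Both handsets arrive at the same 32 bytes.
func (h *Handset) Establish(peerStatic, peerEph []byte) error {
	ps, err1 := ecdh.X25519().NewPublicKey(peerStatic)
	pe, err2 := ecdh.X25519().NewPublicKey(peerEph)
	if err := errors.Join(err1, err2); err != nil { return err }
	ss, err1 := h.static.ECDH(ps)
	es, err2 := h.eph.ECDH(pe)
	if err := errors.Join(err1, err2); err != nil { return err }
	kdf := hmac.New(sha256.New, []byte("crypto-phone session key v1")) // constructed label
	kdf.Write(ss)
	kdf.Write(es)
	h.key = kdf.Sum(nil)
	block, err := aes.NewCipher(h.key)
	if err != nil { return err }
	h.aead, err = cipher.NewGCM(block)
	h.sendCtr, h.recvCtr = 0, 0
	return err
}

// Seal encrypts one SMS or speech frame. The 12-byte nonce is role || counter, so
// it never repeats within a session; output is nonce || ciphertext || tag.
func (h *Handset) Seal(plaintext []byte) ([]byte, error) {
	if h.aead == nil { return nil, errors.New("no active session") }
	h.sendCtr++
	nonce := make([]byte, 12)
	nonce[0] = h.role
	binary.BigEndian.PutUint64(nonce[4:], h.sendCtr)
	return h.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open verifies and decrypts a frame, rejecting reflected and replayed ones.
func (h *Handset) Open(msg []byte) ([]byte, error) {
	if h.aead == nil || len(msg) < 12 { return nil, errors.New("no session or short frame") }
	nonce, ctr := msg[:12], binary.BigEndian.Uint64(msg[4:12])
	if nonce[0] == h.role || ctr <= h.recvCtr { return nil, errors.New("reflected or replayed frame") }
	pt, err := h.aead.Open(nil, nonce, msg[12:], nil)
	if err != nil { return nil, err }
	h.recvCtr = ctr
	return pt, nil
}

// RunCall performs the complete exchange between two handsets and returns the
// SMS as decrypted by the callee.
func RunCall(a, b *Handset, sms string) (string, error) {
	ea, err1 := a.Offer()
	eb, err2 := b.Offer()
	if err := errors.Join(err1, err2); err != nil { return "", err }
	if err := errors.Join(a.Establish(b.StaticPublic(), eb), b.Establish(a.StaticPublic(), ea)); err != nil {
		return "", err
	}
	ct, err := a.Seal([]byte(sms))
	if err != nil { return "", err }
	pt, err := b.Open(ct)
	return string(pt), err
}

func main() {
	a, _ := NewHandset(0)
	b, _ := NewHandset(1)
	fmt.Println(RunCall(a, b, "meet at 10:00"))
}
```

Deriving the session key from both the long-term and the per-call secrets gives every session a different key without losing the binding to the peer's distributed public key, and the role-prefixed counter nonce lets the receiving handset refuse replayed or reflected frames rather than decrypting them.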

Table 4. Main features of the Crypto Smart Phone

| Category | Parameters and composition | Features and capabilities |
|---|---|---|
| General characteristics | Transmission principle | 900/1800 MHz radio modem |
| General characteristics | Operating modes | voice encryption in full-duplex mode; standard GSM mode; SMS encryption; data encryption in the phone; e-mail encryption and transmission |
| General characteristics | Processors: main, encrypting | Motorola MX21 266 M; TMS 320 VC 5416 |
| Cryptographic characteristics | Crypto algorithm | symmetric, 256 bits |
| Cryptographic characteristics | Key distribution method | public key + shared key (generated for each session) |
| Cryptographic characteristics | Key space | 10^77 |

Comparative characteristics of the considered commercial personal encryptors are given in Table 5.

Table 5. Comparative characteristics of personal encryptors

| Personal encryptor (PE) | Developer | Encryption algorithm | Purpose | Key information carrier | Note |
|---|---|---|---|---|---|
| Information protection device Shipka-1.5 | OKB «SAPR» | GOST 28147-89, GOST R 34.10-94, GOST R 34.10-2001, GOST R 34.11-94 | guaranteed protection of information and information technology | microprocessor | protected non-volatile memory up to 2 MB |
| PE built into the special cellular phone SMP-Atlas | FSUE “NTC “Atlas”” + concern “Goodwin” | GOST 28147-89 | guaranteed protection of information transmitted over GSM networks | Russian smart card RIC (microcircuit KB5004BE1) | personal encryptor built into a mobile radiotelephone |
| PE built into Crypto Smart Phone | ZAO “ANKORT” | symmetric, 256 bits | guaranteed protection of information transmitted over GSM networks | cryptographic processor based on TMS VC 5416 | personal encryptor built into a mobile radiotelephone |
| Personal identifier ruToken RF | ZAO Aktiv | GOST 28147-89 | storage of key information, access control to PC resources and premises | USB key fob | fully functional analogue of a smart card + radio frequency tag |
| PE built into the special cellular phone Talisman-GSM | Research Institute “KVANT” | GOST 28147-89 | cryptographic protection of speech in GSM 900/1800 channels | microprocessor | hardware encryptor-headset for a phone with Bluetooth support |

As Table 5 shows, integrating a microprocessor and flash memory in a personal encryptor solves one of the most pressing problems, the generation, storage and distribution of keys, which makes it possible today to solve many protection tasks with both stand-alone and built-in personal encryptors.

To conclude this analytical review, it should be noted that the new personal encryptor technologies, as they become more accessible, provide a higher level of information security through a significant increase in the effectiveness of identification and guaranteed protection of information. These technologies are very promising for creating new technical means of protecting personal, confidential and secret information.
