Москва, 2011 OKB SAPR Если Вам есть что скрывать. [email protected].
-
Upload
joseph-glenn -
Category
Documents
-
view
249 -
download
6
Transcript of Москва, 2011 OKB SAPR Если Вам есть что скрывать. [email protected].
![Page 2: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/2.jpg)
Why do we insist on hardware?
How to provide the integrity of the software which checks the integrity?
Using some other software?
And how to check THAT software integrity?
Using…
![Page 3: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/3.jpg)
What should the unauthorized access protection tool be like?
independent from operation and file system of the PC
inaccessible for making changes
hardware.
![Page 4: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/4.jpg)
Basis: trusted startup
![Page 5: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/5.jpg)
Superstructure: trusted environment
![Page 6: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/6.jpg)
Superstructure: trusted system
![Page 7: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/7.jpg)
Superstructure: trusted infrastructure
![Page 8: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/8.jpg)
Superstructure: trusted virtual infrastructure
![Page 9: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/9.jpg)
Data Security Systems for Unauthorized Access Protection
Stationary
Based on Accord (Trusted Startup Hardware Module – TSHM) controllers
Mobile
Based on Enough TSHM controllers
![Page 10: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/10.jpg)
Cryptographic Data Security Tools
Stationary
Accord-U КВ2, Accord-U КС3
Mobile
PCDST SHIPKA, HSC Privacy
![Page 11: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/11.jpg)
Infrastructural solutions
Stationary
Accord-V., Accord-DAC, RCCS
Mobile
HSC «Center-Т», TST «MARSH!»
![Page 12: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/12.jpg)
Safe Official Storage Device
SECRET
For usage on separate PC or in LAN
![Page 13: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/13.jpg)
ACCORD
![Page 14: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/14.jpg)
it is the very user, who has a right to work on this PC;
it is the very PC, which the very user must use.
Can be achieved by the trusted startup mode, that confirms the following:
Unauthorized Access Protection
![Page 15: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/15.jpg)
Accord-TSHM. Trusted Startup
![Page 16: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/16.jpg)
Trusted Startup
the user identification/authentication.
integrity checking of the PC hardware and the software utilities, using a step-by-step integrity inspection algorithm;
blocking the operating system boot from the external storage mediums;
The operating system boot is performed only after a successful completion of the following procedures:
![Page 17: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/17.jpg)
Reliability in an unreliable world:
introducing modification into the Accord-TSHM firmware is impossible;
the controller’s even log is accessible only to the information security administrator, that is why concealing an attempt of UA from him is impossible;
on the basis of Accord-TSHM, there have been developed the access isolation and information protection control systems.
Accord-TSHM architecture provides
![Page 18: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/18.jpg)
Access Isolation
![Page 19: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/19.jpg)
Access Isolation
Accord-Win32, Accord-Win64 – for Windows;
Accord-Х – for Linux
Hardware-and-Software Complexes based on Accord-TSHM and special software
![Page 20: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/20.jpg)
HSC Accord
Identification/authentification of users (local and remote);
An isolated working software environment for each user on an individual basis;
Mutual authentification of interacting devices;
The users' access to data arrays and programs isolation (discretional access control method);
The access of users and processes to data arrays isolation (capability-based access control method).
![Page 21: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/21.jpg)
Terminal System Protection
![Page 22: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/22.jpg)
The user interacts only with the protected server;
With the server interacts only the user of protected “thin client”.
Interaction mode confirming that
Terminal System Protection
![Page 23: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/23.jpg)
Components of HSC Accord TSE
RDP and
ICA
This fact makes possible using already set channel for interacting instead of setting the new one.
Installed both into terminal servers and into users terminals interact through virtual channels based on protocols:
![Page 24: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/24.jpg)
Trusted infrastructure
![Page 25: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/25.jpg)
Trusted startup of the OS of the terminal client can be provided either by installing in it the Accord-TSHM, or by using HSC “Center-T” or TST “MARСH!”, entirely integrated with DSS UAA Accord.
of the remote access contains the protected terminal client – the trusted startup of its OS
Trusted infrastructure
![Page 26: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/26.jpg)
Trusted Virtual Infrastructure
![Page 27: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/27.jpg)
Accord-V.
Entirely integrates into the virtual infrastructure, so doesn’t need any additional servers;
Realizes the correct start conception at all levels of the system startup;
Doesn’t narrow the features of virtual infrastructure in safety sake, all its benefits stay available.
Data protection system
![Page 28: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/28.jpg)
Remote Access
![Page 29: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/29.jpg)
Remote Access
Terminal access (operation with terminal server in terminal session)
Web-access (operation through the web-interface with the web-resource)
Mixed system (operation in both modes)
Remote access systems can be built in several ways
![Page 30: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/30.jpg)
Remote Access
Thin clients are cheaper then PC It needs less costs for data protection tools with
the same security level You can use a lot of different computer kinds as
the client’s workplaces
is reasonable because it makes the system more budget
![Page 31: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/31.jpg)
Remote Access
Thin clients are cheaper then PC It needs less costs for data protection tools with
the same security level You can use a lot of different computer kinds as
the client’s workplaces
is reasonable if these principals ARE NOT TROUBLED while system building
![Page 32: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/32.jpg)
Remote Access
the remote source itself,clients’ workplaces and their interaction
is safe, if you protect
And components of DSS are to be the parts of the whole system, not the set of uncoordinated tools.
![Page 33: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/33.jpg)
Bottleneck
HSC «Center-Т»(operation with terminal server in terminal session)
TST «MARСH!»(operation through the web-interface with the web-resource and mixed systems)
of the remote access system is the trusted environment at the client’s workplace
HSC «Center-Т» and TST «MARСH!» can be used in the same system in the same time, or in different systems, remote clients of which use the same computers for access to the remote resource.
![Page 34: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/34.jpg)
TST “MARСH!”
![Page 35: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/35.jpg)
Trusted Session definition
Trusted session (TS) – is the computer operation period when following conditions are provided:
the trusted startup of the OS the trusted connectionEDS using conditions
![Page 36: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/36.jpg)
«MARСH!» operation scheme
![Page 37: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/37.jpg)
Center-ТProtected network software
loading system
![Page 38: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/38.jpg)
System purpose
Organization of terminal access from workstations by software images loading to the terminal stations through the network. Ensuring of centralized management and audit of process of loading of images. Control of loaded images integrity. Realization of user entrance to the terminal server protected by HCS Accord TSE.
![Page 39: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/39.jpg)
Users’ operation order1. User starts terminal client
with SHIPKA-K connection;
2. Image of Initial Loading is loaded from SHIPKA-K, PIN-code is requested;
3. After PIN-code input software image is loaded, its integrity is checked;
4. After successfull integrity check management is transferred to loaded software image;
5. Terminal session is starting by means of loaded image.
![Page 40: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/40.jpg)
Remote Access
You are not to reequip your system or change its operation regulations
Security costs are less then for traditional approaches
You don’t loose investments as you can use quit different computers as clients’ workstations
Protected with TST “MARCH!” and/or HSC “Center-T” doesn’t loose its benefits
![Page 41: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/41.jpg)
Personal Cryptographic Data Security Tool
SHIPKA
![Page 42: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/42.jpg)
Функциональность ПСКЗИ ШИПКА
Hardware CDST Hardware identification/authentification of users in Accord
(on PC and also in terminal decisions) Hardware identification/authentification of users in OS
Windows Hardware identification/authentification of users in domain Protected keys storehouse for software CDST, including
VPN Web-forms and Windows-forms autofilling, protected
passcards storage (login/password)
PCDST SHIPKA is the base of HSC «Center-Т» and Privacy
![Page 43: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/43.jpg)
Cryptographic functions
File enciphering and signing (by means of keys or certificates)
E-mail messages enciphering and signing Self signed digital certificates generation, getting CA
certificates, storage and usage of certificates Key generating and management in three
paradigms :- exchanging keys and using them as is- using keys through the certificates- using keys in “web of trust” mode
![Page 44: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/44.jpg)
«Accord-U»
![Page 45: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/45.jpg)
«Accord-U» <–> SHIPKAentirely compatible:
can exchange keys;can provide all cross-operations;users’ software is absolutely the same.
It is reasonable to build systems, which combine the devices of both kinds. That will allow to get flexible and budget solution.
![Page 46: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/46.jpg)
Certificate of compliance to requirements of FSS of Russia
“Accord-U” versions has FSS certificates as CDST and EDS tool for FSS classes KC3 and KB2
![Page 47: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/47.jpg)
«Autograph» certification authority, built on the
base of OKB SAPR devices:
PCDST SHIPKA Accord-U HSC Accord
![Page 48: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/48.jpg)
Official Storage Device
SECRET
![Page 49: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/49.jpg)
Using the external storage devices threats
You can loose it – and someone can find it.
Inside threats can be realized (unauthorized usage of the official data).
Corporation computers can be infected with viruses.
![Page 50: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/50.jpg)
Traditional protection methodswhen using storage devices
PIN-code or fingerprint authentification; Encryption of data on the storage in a
background mode after authentification (unitary password input);
USB-filters (operation with “alien” storage devices barring);
Full usage barring.
![Page 51: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/51.jpg)
Official Storage Device “SECRET”
special USB storage device (mass storage), which can be used just on the legal computers (allowed by administrator):
Personal Secret; Trade Secret; Distinctive Secret.
![Page 52: Москва, 2011 OKB SAPR Если Вам есть что скрывать. okbsapr@okbsapr.ru.](https://reader035.fdocuments.net/reader035/viewer/2022081504/56649f065503460f94c1b012/html5/thumbnails/52.jpg)
Москва, 2011
OKB SAPR
Если Вам есть что скрывать.
Any offers?