Moscow, 2009 ACCORD-TSHM Accord. Reliability in an unreliable world. OKB SAPR Special Design Bureau for CAD System Design
Why does this happen: you are using various information security products, yet the information still leaks out?
In order to provide security, it is necessary to understand what exactly is the OBJECT OF PROTECTION, and not simply protect.
The objects of information protection are defined by the things that the intruder’s activities may be aimed at: the computer equipment (CE); the data that is stored and processed by the CE; data processing technologies; data transmission channels.
The goals of the information protection are defined in accordance with the objects: protecting your computer from unauthorized access; delimiting the data access rights; ensuring the invariability of the data processing technology; transferring data in a protected form.
The goals of the information protection are met by using the unauthorized access control product Accord-TSHM and the information protection systems based on it.
The computer protection from unauthorized access is reached by providing the operating system trusted startup mode, which guarantees that: the user is exactly the one who has the right to work on this computer; the computer is exactly the one that this user has a right to work at.
Accord-TSHM: Trusted startup hardware module. Provides a trusted startup of the operating system, irrespective of its type, for an authenticated user.
What is secure boot? The operating system boot is performed only after a successful completion of the following procedures: blocking the operating system boot from external storage media; integrity checking of the PC hardware and the software utilities, using a step-by-step integrity inspection algorithm; the user identification/authentication.
Accord-TSHM: protection from unauthorized access. Accord-TSHM provides the trusted startup of operating systems that support the following file systems: FAT 12, FAT 16, FAT 32, NTFS, HPFS, EXT2FS, EXT3FS, FreeBSD, Sol86FS, QNXFS, MINIX.
Accord-TSHM: protection from unauthorized access. In particular, the trusted startup mode is provided for operating system families such as: MS DOS, Windows, OS/2, UNIX, LINUX, BSD and others.
The unauthorized access control product Accord-TSHM consists of hardware and software tools. Hardware tools: controller; contact device; identifier. Software tools: BIOS-controller of the Accord-TSHM complex; firmware in which the TSHM functions are implemented.
Functional sufficiency of the resident software. TSHM functions: complex administration; identification/authentication; step-by-step integrity inspection mechanism; external devices blocking opportunity; storing and applying the keys; blocking boot from the removable media for all users, except for the administrator.
The main versions of Accord-TSHM include the controllers for PCs with a PCI bus interface: Accord-5MX; Accord-5.5 with a powerful cryptographic subsystem.
Accord-TSHM, Accord-5MX controller-based. For PCs with a PCI bus interface. Protection class up to 1B (inclusive). User registration – up to 128.
Accord-TSHM, Accord-5.5 controller-based. In addition to the Accord-5MX characteristics, it also has a hardware cryptographic subsystem: a powerful cryptographic calculator; a key information storage and monitoring tool.
Accord-TSHM, Accord-5.5 controller-based. Hardware implementation of all Russian cryptographic algorithms: encryption by GOST (up to 12 Mbyte/sec); calculation of the hash functions – GOST R (6 Mbyte/sec); calculation/checking of the electronic digital signature by GOST R (50/50/80 msec); calculation of the authentication protection codes APC (3000 APC/sec).
Accord-TSHM, Accord-5.5 controller-based. Hardware implementation of the foreign cryptographic algorithms: RC2 encryption (about 4 Mbyte/sec), DES (24 Mbyte/sec), DESX (22 Mbyte/sec), TripleDES (8 Mbyte/sec); hash functions MD5 (15 Mbyte/sec) and SHA-1 (12 Mbyte/sec); electronic digital signature EDS (RSA (2048 bit - 350/350 msec, 1024 bit - 45/45 msec, 512 bit - 6/6 msec, 256 bit - 1/1 msec), DSA (12/15/27 msec 1024-bit)).
Accord-TSHM may also include the controllers: Accord-4.5 for PCs with an ISA bus interface; Accord-PC104 for PCs of the PC-104 standard; Accord-5MX mini-PCI for notebooks and other computers with a mini-PCI bus interface.
Accord-TSHM, Accord-4.5 controller-based. For PCs with an ISA bus interface. Protection class up to 1B (inclusive). User registration – up to 128.
Accord-TSHM, Accord-5MX mini-PCI controller-based. For notebooks and other computers with a mini-PCI bus interface. Protection class up to 1B (inclusive). User registration – up to 128. Hashing by GOST R up to 17 Kb/sec. Production/checking of the Authentication Protection Code – 17 APC/sec.
Individual packaging. In accordance with the customer’s requirement, Accord-TSHM and Accord-TSHM-based systems may use various identifiers: TM-identifiers (standard packaging); smart-cards; fingerprint reading devices; PCDST (personal cryptographic data security tool) SHIPKA.
All of the Accord-TSHM modifications: may be used in any PC 386+ that has a free PCI (ISA) slot; use personal TM-identifiers DS 1992 – DS 1996 with a memory volume of up to 64 Kbit (or another identifier upon the customer’s request) for user identification and provide for the registration of up to 128 users at the PC; use a password of up to 12 symbols, entered from the keyboard, for user authentication;
All of the Accord-TSHM modifications: work with the following types of file systems: FAT 12, FAT 16, FAT 32, NTFS, HPFS, FreeBSD, Ext2FS, Sol86FS, QNXFS, MINIX; provide the integrity control of the PC hardware before the operating system boot; provide the integrity control of the programs and data before the operating system boot (for the operating systems of the Windows family, there is an option of integrity control for particular registry paths);
All of the Accord-TSHM modifications: block booting from removable media (FDD, CD ROM, ZIP-drive); register the users’ activities in the system log, located in the permanent memory of the controller; provide the system administration.
System administration: assigning the general system settings; user registration; assigning the access rights to the users and user groups; selecting the objects which are subject to integrity control: files and directories, registry paths and values, utility areas of the hard disk, hardware tools; working with the event log.
Accord-TSHM unauthorized access control product architecture specifics. [Diagram. Labels: user; information security administrator (ISA); PC; PC RAM; system bus; controller; microprocessor; microprocessor software; random number generator; identifiers reader; permanent memory; TSHM software; TPM software; databases (users, equipment, controlled objects); event log; access modes: R only, R/W, Add only.]
Reliability in an unreliable world. The Accord-TSHM architecture provides: impossibility of introducing changes into the firmware; impossibility of concealing an unauthorized access from the information security administrator; possibility of building Accord-TSHM-based information protection systems (when installing special software).
Delimitation of the data access rights is provided by the hardware/software complexes based on Accord-TSHM and special software: Accord-1.95 – for the MS DOS, Windows 9x and Windows Millennium operating systems; Accord-NT/2000 – for the Windows NT, Windows 2000, Windows XP, Windows 2003 and Vista operating systems.
Information protection management based on the protected network data exchange is provided by the Accord-RAU subsystem, which joins the automated workplace of the information security administrator (AWP ISA) and the user terminals equipped with the Accord-AMDZ-based hardware/software complexes.
Cryptographic algorithms for the information technologies protection and data transfer in a protected form have been implemented in the Accord-5.5 controller, which may be used for encrypting data, signing it with an electronic digital signature and protecting the information technologies with the help of the authentication protection codes (APC).
Certificates. The protection level provided by Accord-TSHM and the Accord-TSHM-based systems is approved by 20 conformance certificates, issued by: FAGCI, Government Technical Commission of Russia and FSTEC of Russia, the Ministry of Defence of the Russian Federation, GosStandard of Russia, Sanitary & Epidemiological Station of the Russian Federation.
Reinforcing the protective properties of the unauthorized access control products of the ACCORD™ family may be reached by using the following as a hardware identifier: a personal cryptographic data security tool – SHIPKA.