Moscow, 2009

ACCORD-TSHM

Accord. Reliability in an unreliable world.

OKB SAPR Special Design Bureau for CAD System Design

www.accord.ru [email protected]

Why does this happen: you are using various information security products, yet the information still leaks out?

In order to provide security, and not simply protect, it is necessary to understand what exactly is the OBJECT OF PROTECTION.

The objects of information protection are defined by the things that the intruder's activities may be aimed at:

the computer equipment (CE);

the data that is stored and processed by the CE;

data processing technologies;

data transmission channels.

The goals of the information protection are defined in accordance with the objects:

protecting your computer from unauthorized access;

delimiting the data access rights;

providing the invariability of the data processing technology;

transferring data in a protected form.

The goals of the information protection are solved by using the unauthorized access control product Accord-TSHM and the information protection systems, which are based on it.

The computer protection from an unauthorized access is reached by providing the operating system trusted startup mode, which guarantees that:

the user is exactly the one who has the right to work on this computer;

the computer is exactly the one that this user has a right to work at.

Accord-TSHM: Trusted startup hardware module

Provides a trusted startup of the operating system, irrespective of its type, for an authenticated user.

What is secure boot?

The operating system boot is performed only after a successful completion of the following procedures:

blocking the operating system boot from external storage media;

integrity checking of the PC hardware and the software utilities, using a step-by-step integrity inspection algorithm;

the user identification/authentication.

Accord-TSHM — protection from an unauthorized access

Accord-TSHM provides the trusted startup of the operating systems, supporting the following file systems:

FAT 12, FAT 16, FAT 32, NTFS, HPFS, EXT2FS, EXT3FS, FreeBSD, Sol86FS, QNXFS, MINIX.

Accord-TSHM — protection from an unauthorized access

In particular, the trusted startup mode is provided for the operating system families, such as:

MS DOS, Windows, OS/2, UNIX, LINUX, BSD and others.

The unauthorized access control product Accord-TSHM consists of hardware and software tools.

Hardware tools:

Controller;

Contact device;

Identifier.

Software tools:

BIOS-controller of the Accord-TSHM complex;

Firmware, in which the TSHM functions are implemented.

Functional sufficiency of the resident software

TSHM functions:

Complex administration

Identification/authentication

Step-by-step integrity inspection mechanism

External devices blocking opportunity

Storing and applying the keys

Blocking boot from the removable media for all users, except for the administrator

The main versions of Accord-TSHM include the controllers for PCs with a PCI bus interface:

Accord-5MX,

Accord-5.5 with a powerful cryptographic subsystem.

Accord-TSHM, Accord-5MX controller-based

For PCs with a PCI bus interface.

Protection class up to 1B (inclusive).

Users registration – up to 128.

Accord-TSHM, Accord-5.5 controller-based

In addition to the Accord-5MX characteristics, also has a hardware cryptographic subsystem:

A powerful cryptographic calculator;

A key information storage and monitoring tool.

Accord-TSHM, Accord-5.5 controller-based

Hardware implementation of all Russian cryptographic algorithms:

Encryption by GOST 28147-89 (up to 12 Mbyte/sec);

Calculation of the hash functions – GOST R 34.11-94 (6 Mbyte/sec);

Calculation/checking of the electronic digital signature by GOST R 34.10-2001 (50/50/80 msec);

Calculation of the authentication protection codes APC (3000 APC/sec).

Accord-TSHM, Accord-5.5 controller-based

Hardware implementation of the foreign cryptographic algorithms:

RC2 encryption (about 4 Mbyte/sec), DES (24 Mbyte/sec), DESX (22 Mbyte/sec), TripleDES (8 Mbyte/sec);

Hash-functions MD5 (15 Mbyte/sec) and SHA-1 (12 Mbyte/sec);

Electronic digital signature EDS (RSA (2048 bit - 350/350 msec, 1024 bit - 45/45 msec, 512 bit - 6/6 msec, 256 bit - 1/1 msec), DSA (12/15/27 msec 1024-bit)).

Accord-TSHM may also include the controllers:

Accord-4.5 for PCs with an ISA bus interface;

Accord-PC104 for PCs with PC-104 standard;

Accord-5MX mini-PCI for notebooks and other computers with a mini-PCI bus interface.

Accord-TSHM, Accord-4.5 controller-based

For PCs with an ISA bus interface.

Protection class up to 1B (inclusive).

Users registration – up to 128.

Accord-TSHM, Accord-5MX mini-PCI controller-based

For notebooks and other computers with a mini-PCI bus interface.

Protection class up to 1B (inclusive).

Users registration – up to 128.

Hashing by GOST R 34.11-94 up to 17 Kb/sec.

Production/checking of the Authentication Protection Code – 17 APC/sec.

Individual packaging

In accordance with the customer's requirement, Accord-TSHM and Accord-TSHM-based systems may use various identifiers:

TM-identifiers (standard packaging),

smart-cards,

fingerprint reading devices,

PCDST (personal cryptographic data security tool) SHIPKA.

All of the Accord-TSHM modifications:

may be used in any PC 386+ that has a free PCI (ISA) slot;

use personal TM-identifiers DS 1992 – DS 1996 with the memory volume up to 64 Kbit (or another identifier upon the customer's request) for the user identification and provide for the registration of up to 128 users at the PC;

use a password of up to 12 symbols, entered from the keyboard, for the user authentication;

All of the Accord-TSHM modifications:

work with the following types of file systems: FAT 12, FAT 16, FAT 32, NTFS, HPFS, FreeBSD, Ext2FS, Sol86FS, QNXFS, MINIX;

provide the integrity control of the PC hardware before the operating system boot;

provide the integrity control of the programs and data before the operating system boot (for the operating systems of the Windows family, there is an option of integrity control for particular registry paths);

block the boot from removable media (FDD, CD ROM, ZIP-drive);

register the users' activities in the system log, located in the permanent memory of the controller;

provide the system administration.

All of the Accord-TSHM modifications:

System administration:

assigning the general system settings;

users registration;

assigning the access rights to the users and user groups;

selecting the objects, which are subject to integrity control: files and directories, registry paths and values, utility areas of the hard disk, hardware tools;

working with the event log.

Accord-TSHM unauthorized access control product architecture specifics

[Figure: architecture diagram. Labels: user; PC; PC RAM; system bus; controller; microprocessor; microprocessor software; random number generator; identifiers reader; permanent memory; TSHM software; TPM software; databases (users, equipment, controlled objects); event log; access modes R only, R/W, Add only; ISA.]

ISA – Information security administrator

Reliability in an unreliable world:

The Accord-TSHM architecture provides:

impossibility of the introduction of changes into the firmware;

impossibility of concealment of an unauthorized access from the information security administrator;

possibility of building the Accord-TSHM-based information protection systems (when installing special software).

Delimitation of the data access rights is provided by the hardware/software complexes, based on Accord-TSHM and special software:

Accord-1.95 – for the MS DOS, Windows 9x and Windows Millennium operating systems;

Accord-NT/2000 – for the Windows NT, Windows 2000, Windows XP, Windows 2003 and Vista operating systems.

Information protection management based on the protected network data exchange is provided by the Accord-RAU subsystem, which joins the automated workplace of the information security administrator (AWP ISA) and the user terminals, equipped with the Accord-AMDZ-based hardware/software complexes.

Cryptographic algorithms for the information technologies protection and data transfer in a protected form have been implemented in the Accord-5.5 controller, which may be used for encrypting data, signing it with an electronic digital signature and protecting the information technologies with the help of the authentication protection codes (APC).

Certificates

The protection level, provided by Accord-TSHM and the Accord-TSHM-based systems, is approved by 20 conformance certificates, issued by:

FAGCI,

Government Technical Commission of Russia and FSTEC of Russia,

the Ministry of Defence of the Russian Federation,

GosStandard of Russia,

Sanitary & Epidemiological Station of the Russian Federation.

Reinforcing the protective properties of the unauthorized access control products of the ACCORD™ family may be reached by using the following as a hardware identifier:

A personal cryptographic data security tool – SHIPKA
