IP traffic protection tools

Hardware IP-encryptors

  • CryptoIP-459

Designed for cryptographic protection of information

Description

IP-encryptor "CryptoIP-459" (TU U 26.2-32248356-022: 2014, expert opinion DSSZZI Ukraine 04/03 / 02-1056 from 29.04.2020) is designed for cryptographic protection of information with limited access (except for official information and information, constituting a state secret) and open information, the protection of which is established by law.

The IP-encryptor provides end-to-end encryption of IP traffic transmitted between protected LANs over a public IP network. CryptoIP-459 is the basis for building virtual private networks (VPNs) in which the carried information is encrypted.

The device implements the following cryptographic algorithms:

  • encryption - DSTU GOST 28147:2009
  • hash function - GOST 34.311-95
  • electronic digital signature - DSTU 4145-2002
  • session key generation - DSTU ISO/IEC 15946-3:2006

Cryptographic systems can be built based on devices:

  • with public keys and support for PKI architecture
  • with public keys and manual distribution of subscribers' certificates

The device supports:

  • two 10/100Base-T(X) interfaces for connection to the public network
  • two 10/100Base-T(X) interfaces for connection to the LAN
  • USB 2.0 for connection to a PC (local control)

  • CryptoIP-459D/DO

The IP-encryptors "CryptoIP-459D/DO" are designed for cryptographic protection of official information and provide end-to-end encryption of IP traffic transmitted between protected LANs over a public IP network. "CryptoIP-459D/DO" is the basis for building virtual private networks (VPNs) in which the carried information is encrypted.

The devices implement the following algorithms:

  • encryption - GOST 28147:2009
  • hash function - GOST 34.311-95
  • electronic digital signature - DSTU 4145-2002
  • session key generation - ISO/IEC 15946-3:2006

Cryptographic systems can be built based on devices:

  • With public keys and support for PKI architecture
  • With public keys and manual distribution of subscriber certificates
  • With symmetric cryptography

The devices support the following interfaces:

  • two 10/100Base-T interfaces for connection to the public network
  • two 10/100Base-T interfaces in "CryptoIP-459D" for connection to the LAN
  • one 100Base-FX interface in "CryptoIP-459DO" for connection to the LAN
  • USB 2.0 for connection to a PC (configuration)

Software IP-encryptor

  • CryptoIP VPN Client/Server

The software IP-encryptor CryptoIP VPN Client/Server is supplied as two software modifications that implement two modes of operation:

  • CryptoIP VPN Client - "client" mode;
  • CryptoIP VPN Server - "server" mode.

The two modifications attach to the network in different ways and are not interchangeable.

The "client" mode provides for the installation of IP-encryptor software directly on the client PC, while the client PC is connected to the public network, but also contains a segment of the protected network. For this purpose, an additional logical network interface is installed on the PC, designed to transmit encrypted information.

The "server" mode involves installing an IP-encryptor on a dedicated server that has two physical network interfaces. One interface connects to the public network, the second interface connects to the local network in which the information subject to cryptographic protection is processed. The information that passes through the gateway is encrypted and decrypted (depending on the direction) by the IP-encryptor in real time.

CryptoIP VPN Client/Server encrypts IP packets, encapsulates the encrypted packets in new IP packets and sends those to the IP-encryptor of the subscriber to whom the data is addressed. This provides confidentiality, integrity and authenticity of the IP packet contents.

Implemented cryptographic algorithms

  • encryption - DSTU 7624:2014 "Kalyna-128/256", AES-256, GOST 28147:2009
  • hash function - DSTU 7564:2014 "Kupyna-256", SHA-256, GOST 34.311-95
  • electronic digital signature - DSTU 4145-2002
  • session key generation - elliptic-curve Diffie-Hellman: according to DSTU ISO/IEC 15946-3:2006 and RFC 2631 for DSTU 7624:2014 and for AES-256; according to Order № 739 of the Administration of the State Service of Special Communication and Information Protection of Ukraine dated 18.12.2012 for GOST 28147:2009

The encryptor can use all of the listed encryption algorithms at the same time within one protected network, in any of the cryptographic system types (modes) described above.
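
The flow described in the last two sections (session key agreement, then encryption and encapsulation of each IP packet with confidentiality, integrity and authenticity) is shown below as an added Go example written for this page; it is not CryptoIP code, and its frame layout is not the product's wire format. One program plays both ends of a link: each peer derives the traffic key by elliptic-curve Diffie-Hellman, the sender encrypts a whole inner IP packet and prefixes an outer header, and the receiver authenticates, decrypts and replay-checks the frame. The following are assumptions, not facts from the page: NIST P-256 with a single SHA-256 pass stands in for the DSTU 4145 curve and the DSTU ISO/IEC 15946-3 derivation; AES-256-GCM stands in for the listed AES-256 and SHA-256 pairing; the 12-byte header (sender ID plus sequence number), the sample IPv4 packet and the replay check are constructed for the example and go beyond what the page states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Hypothetical outer frame for this example (not the vendor's wire format):
//   [0:4] sender ID | [4:12] sequence number | [12:] AES-256-GCM ciphertext || 16-byte tag
// The 12-byte header doubles as the GCM nonce: the counter keeps it unique per sender,
// the sender ID keeps the two directions apart (ECDH gives both sides the same key).
const hdrLen = 12

var ErrReplay = errors.New("replayed or reordered sequence number")

// InnerPacket is a constructed IPv4 header (10.0.1.5 -> 10.0.2.7, UDP, valid header
// checksum) followed by a short payload; addresses and payload are made up.
var InnerPacket = append([]byte{
	0x45, 0x00, 0x00, 0x27, 0x00, 0x00, 0x00, 0x00, 0x40, 0x11, 0x63, 0xbb,
	10, 0, 1, 5, 10, 0, 2, 7,
}, "constructed payload"...)

// Peer is one IP-encryptor endpoint: its ECDH key pair, its own send counter and the
// highest sequence number accepted from each remote sender.
type Peer struct {
	id   uint32
	priv *ecdh.PrivateKey
	seq  uint64
	seen map[uint32]uint64
}

func NewPeer(id uint32) (*Peer, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Peer{id: id, priv: priv, seen: map[uint32]uint64{}}, nil
}

// Public is the key a CryptoProxy-style gateway or a hand-distributed certificate carries.
func (p *Peer) Public() []byte { return p.priv.PublicKey().Bytes() }

// SessionKey derives the 256-bit traffic key from the ECDH shared secret. P-256 and a
// single SHA-256 pass are assumptions standing in for the DSTU 4145 curve and the
// DSTU ISO/IEC 15946-3 derivation the page lists.
func (p *Peer) SessionKey(remotePub []byte) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(remotePub)
	if err != nil {
		return nil, err
	}
	shared, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	return key[:], nil
}

// NewSession wraps the key as AES-256-GCM (assumed here as the authenticated cipher
// behind the page's AES-256 and SHA-256 entries).
func NewSession(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encapsulate encrypts a whole inner IP packet behind the outer header. The header is
// passed as additional data, so a changed ID or counter fails authentication too.
func (p *Peer) Encapsulate(s cipher.AEAD, inner []byte) []byte {
	p.seq++ // monotonic per key: a reset without a new key would reuse a nonce
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint32(hdr[0:4], p.id)
	binary.BigEndian.PutUint64(hdr[4:12], p.seq)
	return append(hdr, s.Seal(nil, hdr, inner, hdr)...)
}

// Decapsulate verifies and decrypts a frame, then rejects any sequence number not above
// the last one accepted from that sender. The counter is updated only after the tag
// has verified, so a forged header cannot advance it.
func (p *Peer) Decapsulate(s cipher.AEAD, frame []byte) ([]byte, error) {
	if len(frame) < hdrLen+s.Overhead() {
		return nil, errors.New("frame too short")
	}
	hdr := frame[:hdrLen]
	inner, err := s.Open(nil, hdr, frame[hdrLen:], hdr)
	if err != nil {
		return nil, err // header or payload modified, or wrong key
	}
	sender, seq := binary.BigEndian.Uint32(hdr[0:4]), binary.BigEndian.Uint64(hdr[4:12])
	if seq <= p.seen[sender] {
		return nil, ErrReplay
	}
	p.seen[sender] = seq
	return inner, nil
}
```

The header is both the GCM nonce and the additional authenticated data, so a modified sender ID or counter is rejected exactly like a modified payload, and the receiver records a sequence number only after the tag has verified, so a forged frame cannot move the replay counter. Two details matter for the long key lifetime claimed in the Advantages list below: a nonce must never repeat under one key, which here rests entirely on the sender's counter never resetting (a reboot that restarts the counter without a fresh key agreement would be a nonce reuse), and since ECDH gives both directions the same key, the sender ID inside the nonce is what keeps the two directions' nonces distinct.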

Advantages

  • High level of protection of the key material, thanks to a dedicated security controller at Common Criteria EAL5+ level
  • High level of access security for the protected network, thanks to a key information carrier and two-factor authentication
  • Low acquisition cost (compared with hardware encryptors)
  • Convenient user interface
  • Operation for up to 4 years without replacing the keys on the key storage device (these are the long-term keys; session keys are derived separately by the elliptic-curve Diffie-Hellman scheme listed above)
  • Compliance with the legislative framework of Ukraine

Infrastructural software

  • CryptoProxy

Computer program "Special server software "CryptoProxy""

Expert conclusion of the State Service of Special Communication and Information Protection of Ukraine № 04/05/02-2879 dated 30.10.2020.

The CryptoProxy protocol gateway makes protected VPNs easy to restructure and scale. The CryptoProxy software is designed to handle requests from the IP-encryptors of the subscribers belonging to one protected VPN.

CryptoProxy performs the following functions:

  • receiving requests from IP-encryptors for the public keys of the VPN users with which a connection is to be established;
  • returning the requested public keys to the IP-encryptors, or refusing to return them.

CryptoProxy takes no part in the transfer of the confidential information itself and does not provide its confidentiality. What the CryptoProxy protocol gateway does ensure is the integrity of the certificates and public keys delivered to the IP-encryptors.

  • CryptoIP-403

The "CryptoIP-403" Key Data Generation and Recording Center (KDGRC) is designed to generate keys and the other key-management documents for cryptographically protected IP networks.

Software "Key Data Generation and Recording Center CryptoIP-403"

Expert conclusion of the State Service of Special Communication and Information Protection of Ukraine № 04/05/02-3029 dated 17.11.2020

KDGRC manages the keys of protected IP networks built on the hardware and software IP-encryptors intended for protection of confidential information.

KDGRC sets each protected network to one of three modes of operation:

  • with public keys and support for PKI architecture;
  • with public keys and manual distribution of subscribers' certificates;
  • with symmetric cryptography.

KDGRC performs the following main functions:

  • entering the structure of the protected network;
  • generation of key data and recording it onto key storage devices;
  • generating public-key certificate request files and network-structure data for the VPN control center;
  • personalization of IP-encryptors;
  • saving information about the structure and subscribers of the network;
  • producing source documents (reports) on the actions performed.

  • CryptoIP-411D

CryptoIP-411D IP Traffic Control Center

It consists of two computer programs:

  1. CC-manager (expert conclusion of the State Service of Special Communication and Information Protection of Ukraine № 04/03/02-882 dated 09.04.2020)
  2. CC-monitor (expert conclusion of the State Service of Special Communication and Information Protection of Ukraine № 04/03/02-884 dated 09.04.2020)

The Control Center "manager" is a hardware and software tool for servicing the key data storage devices used in the CryptoIP cryptographic information protection system.

The software performs the following functions:

  • entering a network structure, or loading and editing a previously entered one, and saving the edited network structure to a file;
  • generating key data for each network subscriber according to the subscriber connectivity scheme, and saving the structure;
  • setting the mode and parameters of the network;
  • recording key data onto a microprocessor key information carrier (USB key, SIM card, smart card);
  • personalization of IP-encryptors and storage of the personalization key data;
  • creating and exporting a network-structure file for the VPN control center;
  • issuing a report on the generation of key data and its recording onto the carriers;
  • destruction of all key data and parameters once the work is completed;
  • event logging.

The main window consists of three panes:

  1. The main form pane displays the list of all subscribers.
  2. The second pane displays the parameters for key data generation.
  3. The third pane displays the network structure and the status of the key data generation process for each subscriber.

Control center "monitor" is designed to monitor the cryptographic network built on the basis of CryptoIP systems

The computer program implements a continuous management process, during which are carried out:

  • collecting information about the status of VPN elements;
  • displaying the state of network elements and the history of parameter changes to assess the current state of the network;
  • support for decision-making on network interference;
  • interactive selection and issuance of commands;
  • logging of network events and control commands.