How and with what to protect your data on PCs and drives today?

Currently, it is almost impossible to guarantee the safety of corporate or user information on various mail services, personal computers and cloud storages. Mail can be hacked, information from your own computer or from the computer of colleagues can be copied by company employees and used for their own purposes. Is there a way to protect information? Today no company gives a 100% guarantee of data protection; of course, you can take a good step towards preserving your data. Encryption is commonly used to protect data.

Encryption can be symmetric and asymmetric, the only difference is in the number of keys used for encryption and decryption. Symmetric encryption uses one key to encode and decode information. The laws of the Russian Federation without licensing their activities allow the use of a symmetric key with a long
no more than 56 bits. For asymmetric encryption, two keys are used: one for encryption (public) and one for decoding
(closed). For asymmetric encryption, the laws of the Russian Federation, depending on the algorithms, allow a maximum key length of 256 bits.
Consider some devices for protecting information on removable
drives:

  1. DatAshur from the British company iStorage is a USB flash drive with buttons on the body. The device performs hardware encryption using the AES256 symmetric algorithm. 10 attempts are given to enter the PIN code, in case of incorrect input, the data on the device will be
    destroyed. The device includes a battery for entering a PIN code before connecting to a PC.
    Advantages: robust case, protection against brute-force PIN-code, data destruction.
    Flaws: it is not clear what will happen if the battery is discharged; You can try to pick up the PIN code by shabby buttons or simply delete all the competitor's data and remain unnoticed, and this, in my opinion, is potentially more harm than copying data by a competitor (although there is an opportunity to make protection).
  2. Samurai is a Moscow company, I suppose that they work in cooperation with iStorage or their distributors, but also make their own products, for example Samurai Nano Drive. They use 256-bit encryption, they produce various devices aimed more at destroying information.
    The pros and cons are similar to those of DatAshur.
  3. Cryptographic USB flash drive-reader from Milandr company with encryption function, allows you to encrypt information on microSD cards. The device is made on the company's own processor. Made like a regular USB flash drive.
    Dignity: encryption algorithm GOST-89 with a key length of 56 bits (it is not clear from the documentation how GOST-89 calculated for 256 bits was converted), work with an unlimited number of microSD cards.
    Flaws: the device works only with microSD cards, it is not known whether there is a possibility of switching to more strong encryption algorithms.
  4. Key_P1 Multiclet - a device for information protection from OJSC "Multiclet", a processor developer. Let's consider the device in more detail (hereinafter we will designate the device as Key_P1).
Key_P1 is made with three connectors: USB - socket and plug, as well as a slot for SD cards.

Initial functions of the device (in the future, the software is expanded, see below for additional functionality):

  • protection against modified (spyware) flash drives.
  • encryption of information using the DES algorithm with a 56-bit key
    (after obtaining a license AES and GOST-89 with a key length of 256 bits).
  • the ability to recover information in case of loss of the Key_P1 device and the drive.
  • the ability to synchronize keys to exchange files between users.
  • displaying the time of switching off the device Key_P1.

A more detailed description of the device's functions will be later in this article. The encryption keys are stored in the flash memory of the processor of the device in question.
Key_P1 can work with an unlimited number of drives and an unlimited number of personal computers, there is no binding to a specific PC.

Block diagram of the whole system:

Description of structure elements:

  • the server generates the firmware, updates the Key_P1 Manager, firmware and applications Key_P1_for_Windows (or Key_P1_for_Linux) for the user's drive (flash drive).
  • (OS software) Key_P1 Manager - performs component updates, initializes Key_P1, generates a set of keys for Key_P1, etc.
  • firmware Key_P1 - is a program executed on the Key_P1 device.
  • application for the drive - Key_P1_for_Windows (Key_P1_for_Linux) (both applications are loaded onto the user's flash drive and authenticate the user and display the last time the device was turned off for Windows and Linux).

Let's take a closer look at the main functions of the device.

  1. Information is encrypted not with one key, but with several (maximum 1024). Encryption occurs sector by sector for each drive. Thus, one file can be encrypted with several tens of keys.
  2. Protection against modified drives occurs due to the control of service information transmitted using SCSI commands
  3. Information recovery:
    • Keys are generated by the user on a PC using the Key_P1 program. The manager (in this case, the user) can make a backup copy of his keys in case of recovery.
    • Keys are generated by the Key_P1 device. In this case, the user cannot make a backup copy of his keys.
    • User can back up their encrypted information
  4. Key synchronization is the generation of identical keys for different users according to a given initial value and a selected algorithm. The Key_P1 device provides the ability to store 50 keys for synchronization. Those. users can store an 8 byte label and the key itself. To synchronize keys and start exchanging encrypted files, users need to:
    • transfer to each other by verbal agreement, phone call, SMS, e-mail or an inscription on the sand, the initial value for initializing the key, as well as the key generation algorithm;
    • generate a key and assign a label - no more than 8 characters (bytes);
    • copy the key to the Key_P1 device;
    • encrypted files can be exchanged from any PC, i.e. when downloading the software and installing it on any "foreign" PC with the Key_P1 device connected, after entering the pin-code, the user will see the keys and their corresponding labels and will be able to encrypt files with the necessary key for exchange with another user.
  5. After launching the key_p1_for_windows.exe (for Windows) or key_p1_for_linux (for Linux) program, the Key_P1 device displays information about the time of the last shutdown of the device with an accuracy of two minutes. This function allows the user and / or the company's security service to establish the fact and determine the time of unauthorized disconnection of Key_P1, which makes it difficult for an intruder and makes it easier to find him.

To start working with the device you need:

  1. Install software, download firmware from server
  2. Initialize Key_P1 (install firmware, set PIN, PUK codes)
  3. Initialize the drive (splitting the drive into two partitions: open and closed, which is accessible only after entering the PIN code)
The PIN-code entry window looks like this (sketch version):

In addition to the individual version, the corporate version will also be available:

Company employees download the Key_P1 Manager program from a corporate server or removable media and install it on their OS. Then they download the keys generated by the security service or the IT service of the company. Further, by analogy with the individual version, the P1 Key and the drive are initialized. Unlike the custom version, in the corporate, the multi-department manager can choose which department to encrypt files for. The list of departments is formed by authorized employees of the company.

Inside the department, employees can exchange encrypted information by encrypting files through Key_P1 Manager and Key_P1. The enterprise security service has the ability to create various differentiation of rights by department (for example: the "Programmers" department will be able to encrypt files for the "Accounting" department). In addition, an enterprise can put into the device an algorithm for generating one-time passwords for authentication on servers, computers, etc., in order to increase security and ensure the protection of commercial and other types of secrets.
As an additional functionality of the device:

  • Mac OS support;
  • Key_P1 can contain the function of generating one-time passwords for organizing two-factor authentication on servers
    various services. Two-factor authentication provides additional protection for your account. To do this, when logging into the system, not only the username and password are requested, but also unique "confirmation codes". Even if an attacker finds out your password, he will not be able to gain access to your account.
  • storage of personal data with automatic substitution during authentication in social networks, payment systems, etc.
  • using the device for authorization on a PC.

From this list, the most interesting is the storage of usernames and passwords of users from various resources. The only question is how to do it more conveniently. Perform automatic substitution of a pair of username and password or enable the user, after entering the PIN-code, to view the username and password in clear text, as the Google Chrome browser allows.

Now let's turn to the consideration of the hardware level of the device.

The main functions of the device are encryption and protection against unauthorized operation of drives.

Consider how the device encrypts data:

  • encrypt a file on the drive - in this case, the file will be encrypted with more than one random key, but depending on the size of the file and the size of the drive sector (this is the smallest addressable memory cell in the drive), the file will be encrypted with several keys per drive sector;
  • encrypt a file on a PC - in this case, the file will be encrypted with a key randomly selected on the device and the contents of the file will be returned by the device to the PC in encrypted form, in addition, this content will be “wrapped” in a special container containing the number of the key with which the file was encrypted;
  • encrypt a file for another user - in this case, the file will be encrypted by the device without any container using a pre-formed key with a corresponding label (for example, "colleagues1"), and the contents of the file will be returned to the PC.
The function of notifying the user about a file size change will also be available if an existing file on the drive is replaced with a new one with the same name. The functionality of the device provides a "read-only" mode to protect against unauthorized copying of information to the drive when working on a PC infected with viruses.

To cut off spy devices, "Key_P1" filters service commands sent to drives, which provides protection against infecting the drive with a hardware virus, and the "Key_P1" device analyzes the descriptor table sent by the drive and, based on this information, drives are blocked, which are trying to present themselves to the PC system as a combined device (such as a keyboard and a storage device) or any other device other than a storage device.

Let's consider the implementation of the device at the circuit level.

The device is based on the Russian multicellular processor P1. To interact with the USB host interface, the stm32f205 processor is introduced into the circuit. The multicellular processor is clocked by the stm32f205 processor, the firmware is loaded via the spi interface. The P1 processor takes over all the basic functions of encrypting and hashing information. One of the interesting features of most encryption algorithms is their good parallelism. Due to this fact, it is rational to use a processor with hardware parallelization of operations.


As a result of the modernization of the device, the following scheme is assumed:

Interaction with USB host can be provided by FTDI chip.
The device has connectors that allow you to work with USB drives and microSD, SD cards.

Advantages:

  • encryption with a large set of keys at the hardware level by sectors of the drive
  • control of service commands between PC and drive
  • storing a pair "login-password"
  • read-only operation
  • support for USB drives, SD, microSD cards
  • work with an unlimited number of drives
  • corporate version
  • the ability to recover information

Disadvantages: not a specialized case, lack of protection against opening (Although protection against opening is not decisive for such habr users as BarsMonster :)

P.S. As an additional functionality, the idea of ​​creating an application for secure exchange was considered, by analogy with skype, qip, but only directly, to specific users without a connecting server, but for some reason, it was decided not to touch this area.
In addition, on March 25, a project started on Kickstarter.com dedicated to this device.