ACCORD TSHM (DSS PUA) means a trusted startup hardware module for IBM-compatible PCs (LAN servers and workstations) ensuring the protection of devices and information resources against any unauthorized access.
Trusted startup means starting up different operating systems only from predefined hard carriers (e.g. from the hard drive only) after the successful completion of the following special procedures: verification of the integrity of the computer's hardware and software (using the stepwise integrity control mechanism) and user's hardware identification/authentication.
In other words, it means the startup of the strictly pre-defined and unchanged OS and only after the confirmation that no unauthorized changes have taken place in the computer (at the hardware level and in essential applications) and the user who has the right to work at the PC at just that time is turning the PC on.
Five versions of ACCORD TSHM are available, thus making it possible to use it on computers differing in terms of bus interfaces:
1. Accord 5 (for PCs with the PCI bus interface).
2. Accord 5МХ - a unified controller for PCI and PCI-X bus interfaces.
3. Accord 5МХ mini-PCI - its functional analogue based on the mini-PCI standard.
4. Accord 5.5 - a unified controller (PCI, PCI-X) (as well as Accord 5.5.e - a PCI-Express option) featuring a powerful hard cryptographic subsystem.
5. Accord 6 – a unified controller (PCI, PCI-X) featuring hard cryptographic and communication subsystem.
The complex starts operating as soon as the regular PC BIOS is executed (before the operation system startup) and ensures the trusted startup of OS compatible with such file systems as FAT 12, FAT 16, FAT 32, NTFS, HPFS, EXT2FS, EXT3FS, FreeBSD, Sol86FS, QNXFS and MINIX.
In particular, it is related to such families of OS as MS DOS, Windows (Windows 9x, Windows ME, Windows NT, Windows 2000, Windows XP, Windows 2003, Windows Vista), QNX, OS/2, UNIX, LINUX, BSD, etc.
It is important to keep in mind that not only system files but also the registry affects the startup process of Windows operating systems. That is why it is not sufficient to control the file system to make sure that the OS startup is correct. It is also necessary to verify the invariance of individual registry branches. ACCORD TSHM features this option for all OS belonging to the Windows family.
All controllers can be equipped with two physical channel blocking relays (+/- 5V, 300 mA). The relays can control special interface slots for FDD and HDD (IDE) as well as other devices. It enables the administrator to block access for individual users to external (relative to the controller) devices, e.g. FDD, СD-ROM or printer.
Accord 5.5 controllers make it possible to mount up to three relays and are equipped with a motherboard control relay (ATX, EATX). The computer is turned off if the TSHM BIOS fails to start operating in N seconds (the time interval defined by the administrator).
Accord TSHM makes it possible to use smart cards, iButton devices and fingerprint scanners for user identification.
The event log kept during each work session of the user is stored in the controller's nonvolatile memory and is accessible only for the information security administrator.
Accord TSHM works successfully under different thin client configurations. The thin client's front-end software can be installed directly on the Accord controller. The volume of such software in the Accord 5.5 standard kit can amount to 16 MB and can be easily increased to make up to 1 GB upon the customer's request.
Accord 5.5 embodies both functions related to protection against unauthorized access and cryptographic functions. Its hardware implements encryption (based on the GOST R 28147-89 standard), hashing (based on the GOST R 34.11-94, MD5, SHA-1), authentication code generation/verification (based on the hashing function in accordance with the GOST R 31.11-94 standard) and EDS calculation/verification (based on the GOST R 34.10-94 and GOST R 34.10-2001) algorithms. The use of programmable logic (FPGA) makes it possible to change the set of implemented encryption algorithms on the available hardware base without the need to update it.Accord 5.5 controller, which is supplemented by a hardware-based cryptographic subsystem, which allows solving all tasks of the cryptographic information protection effectively and safely. The controller's cryptosystem includes a powerful cryptographic engine and tools for storing and monitoring the key information.
Accord-5.5 keeps hardware implementation of all Russian cryptographic algorithms, such as:
Encryption by GOST 28147-89 (up to 12 Mbyte/sec);
Calculation of the hash-functions - GOST R. 34.11-94 (6 Mbyte/sec);
Calculation/checking of the electronic digital signature by GOST R. 34.10-94 (3/3/7 milliseconds - 512 bit, 11/11/24 milliseconds - 1024 bit);
Calculation/checking of the electronic digital signature (EDS) by GOST R. 34.10-2001 (50/50/80 milliseconds);
Calculation of the authentication protection codes APC (3000 APC/sec);
And a range of foreign algorithms:
RC2 encryption (about 4 Mbyte/sec), DES (24 Mbyte/sec), DESX (22 Mbyte/sec), TripleDES (8 Mbyte/sec);
Hash-functions MD5 (15 Mbyte/sec) and SHA-1 (12 Mbyte/sec);
EDS: RSA (2048 bit - 350/350 milliseconds, 1024 bit - 45/45 milliseconds, 512 bit - 6/6 milliseconds, 256 bit - 1/1 milliseconds), DSA (12/15/27 milliseconds 1024-bit).
This list may be expanded because the controller is built on the basis of the modern programmable micrologic FPGA-type units.
At the present time, the abovementioned algorithms are implemented in the controllers not simultaneously, but in three different combinations. Depending on the customer's request, the following firmware versions are possible:
All of the above
By GOST R. 34.11-94
By GOST 28147-89
All of the above
SHA-1 and MD5
All of the above
SHA-1 and MD5
DES, DESX and TripleDES
4. Upon an individual order, it is possible to create a device, which would realize all of the abovementioned algorithms.
An important advantage of the Accord-5.5 controller is that the key data custody and processing always occur at the controller board and never in the computer's memory, because all of the algorithms are hard-wired. The non-volatile memory with the data organization similar to the file system ISO 7816 is used for the long-term storage of various key information (keys, passwords, key certificates).
You can refer to the controller's functions through a range of standard applications - due to the implementation of the Microsoft CAPI, PKCS #11 and TSS v1.10 interfaces.
Physically, the Accord-5.5 controller is a standard expansion board, installable into any empty PCI or PCI-X slot, supporting the bus-master mode (the board is fully compatible with the PCI 2.2 specification).
As for those of you, who have already purchased the Accord-5MX controller, we suggest that you expand its functions to the possibilities of Accord-5.5 with the help of the cryptographic accelerator Accord-5KU, which is set up at the controller's standard expansion slot. Accord-5KU includes all of the hardwired cryptographic algorithms of the Accord-5.5 controller.
The quality and reliability of the production of the OKB SAPR company are confirmed by the fact that the production is performed pursuant to the requirements ISO 9001-2001 (# ROSS RU.0001.13IS72, dated 23.07.2004), as well by an impressive implementation practice - in total, as of the end of the year 2005, more than 150 000 unauthorized access information protection tools ACCORDTM have been used in Russia.