SHIPKA-T (Terminal) is the software designed to provide the possibility to work with cryptographic resources of PCDST SHIPKA in the terminal access mode.
One software set is purchased for each terminal server, and it does not include PCDST SHIPKAs themselves: their number should be determined by the number of the intended users.
The price of SHIPKA-T includes the cost of a one-year license. The license cost for subsequent years is calculated by the number of SHIPKA-Ts used in the terminal mode of SHIPKA and should be paid separately.
To use SHIPKA in the terminal access mode you only need to install the software of SHIPKA-T in the manner described in the document called "PCDST SHIPKA . Installation and customization in terminal access systems". In this case the user should act in the same way as if he works with SHIPKA locally.
The following is the basic information about the features of working with a CDSS in the terminal access mode, as well as the features of implementing SHIPKA-T.
When penetrating into the terminal access system (TAS) of a cryptographic data security system (CDSS) the following problems may arise:
- A CDSS cannot provide for the work in the terminal access mode at all, because it does not support the procedures of remote cryptographic transformations.
- If user keys are stored in the terminal server (TS), they are not, strictly speaking, user keys, and the signature made with them does not confirm the authorship of the user.
- If the keys are on the side of the terminal client (TC), and the digital signature is developed on the side of the terminal server, but not on the side of the user being on the TC, then the private keys of key pairs are transferred through the network within a terminal session. Such a signature also cannot fully guarantee the authorship.
- In a significant number of cases, even in case of a digital signature being developed directly on the client, the transition of information data sets through the network is required in a terminal mode. While transmitting the data processed on the side of the terminal server, for example, after having computed the hash function on the basis of these data, a user who is on the side of the TC cannot be sure they are correct (they could be modified before the transmission through the network before the computation of the hash function, or the hash function could be calculated not on the basis of the transmitted data, the transmitted correct hash could be substituted on its way back).
- Even if all the computations are done on the side of the TC, during the computation the private key of the key pair can be loaded into the main memory of the TC or it can remain on the TC for a long-term storage. Given that the terminal clients are generally protected not so carefully as terminal servers, the private key can be illegally copied and used for personal gain.
This means that a cryptographic data security system should meet the following requirements when working in a terminal access mode:
- A CDSS should support the work in the terminal mode (Requirement 1).
- The private key of the key pair of the digital signature should be located on the TC (Requirement 2).
- Information data sets should be created on the TC (Requirement 3).
- The development of a signature and encryption should be performed on the TC (Requirement 4).
- Unauthorized use of the private key of the key pair within the period of its use or storage on the TC should be excluded (Requirement 5).
PCDST SHIPKA supports remote cryptographic transformations, so a system built on its basis satisfies requirement No. 1.
All the work with the private key of the key pair is performed within SHIPKA, which is connected to the terminal client, and requirements No. 2 and 3 are met.
SHIPKA implements all Russian cryptographic algorithms on the hardware basis and ensures secure storage of private keys of key pairs in the memory of the device. That means that all cryptographic operations are performed in a trusted environment, and the private key of the key pair never leaves the device and never gets into the main memory of the terminal client, which allows to satisfy requirements No. 4 and 5.
The clients run under the following operating systems can serve as terminal clients used in a terminal access system with the described system (for which the terminal software for PCDST is implemented):
- Win32 (Windows 98, Windows 2000, Windows XP);
The support of various terminal operating system allows to use thin clients of different manufacturers and models, which gives some freedom to the customer who wants to deploy the solution (these can be clients like Wyse, KAMI, Depo and many others). Terminal servers can run under both, Windows and Citrix.
Functionality of PCDST SHIPKA (terminal application)
The correct application of SHIPKA for cryptographic protection of electronic messages and documents using terminal access technologies is possible for the following reasons:
- Key information associated with the user and the software performing cryptographic transformations, is concentrated within a single device, is available for execution only to authorized users, and is technologically protected from unauthorized reading and modification;
- Own resources (a possibility to obtain a random sequence on the hardware basis, the possibility to store own private and public keys, the possibility to store a public key of the terminal server, as well as the possibility to compute and verify a signature) for ensuring protection of virtual channels built within the protocols RDP or ICA;
- Support of standard interfaces (crypto provider and PKCS#11), which allows to save a software user interacting with internal PCDST software from studying the features of implementing such interaction procedures.
Performance of cryptographic operations
All cryptographic transformations are performed directly within the device. The code implementing cryptographic algorithms is technologically protected from unauthorized changes.
The keys needed to perform cryptographic computations are also stored in the device, where they are generated with the help of a hardware random number generator. The keys are securely stored in the file system of SHIPKA, so any unauthorized access to the keys through extracting and direct reading of chips used to store files, is excluded. Another feature of key files is access control: despite the fact that such key files are file system objects, one cannot work with them as with usual files. Firmware of SHIPKA is designed in such a way that one can work with key files only from the cryptographic transformation functions and that's it. In their turn, the functions of cryptographic transformations obtain access to the key files only after the user is authenticated and confirms that he has the right of access to key data stored in SHIPKA through his PIN-code.
Thus, in case of applying SHIPKA for cryptographic transformations in the terminal mode:
- The key never leaves the device;
- The data needed to compute the hash function value pass through the device;
- The computation of the electronic digital signature and the encryption takes place within the device;
- The key never appears in the computer's memory;
- Unauthorized access to the key is technically possible neither when it is generated, nor when the device is working, nor when it is stored in the device.
The model of data transmission through virtual channels
The use of standard software of PCDST SHIPKA in a terminal session yields the following results: the user runs the programme on the terminal server, the programme via CryptoAPI (CSP) or PKCS#11 interface refers to the library of interaction with the firmware of PCDST, which, in its turn, refers to a device driver in order to exchange data with the device.
But the device is connected not to the server, but to the terminal. This means that the operating system should redirect the references from the terminal session to the device installed on the terminal. The software SHIPKA-T is designed for this very purpose.
This software can be divided into three main groups of functions:
- The functions of working with the device as with an object of the operating system;
- The functions of notification (notices of installation and removal of the device);
- The functions of exchange of commands and data with the device.
These three groups of functions are implemented for the terminal server and the terminal client. This means that the software SHIPKA-T includes two sets of software: to install on the TS (SHIPKA-TS) and on the TC (SHIPKA-TC). Moreover, the server component does not depend on the operating system of terminal clients, since virtual channels ensure a unified interface of interaction with the TC.
Interaction of the application with SHIPKA device in a terminal session
Implementation of the server component
The server component determines the mode of operation during the startup (locally, in a terminal session of Windows Terminal Server, in a terminal session of Citrix) and loads the necessary library. The latter, in its turn, creates virtual channels, which will serve all the future data interchange between applications that run in a terminal session, and SHIPKAs installed in the terminals.
Implementation of the client component
Client component for Win32
The client component for Win32 (Windows 98, Windows 2000, Windows XP) provides the processing of the commands of data interchange with the devices. At the moment of creation of a terminal session the libraries are initialized and the virtual channels with the terminal server are created. After that the libraries process the requests from the server component and transmit them through the library of interaction with PCDST firmware in the terminal to the device or report the facts of installation/removal of PCDST from the terminal.
Client component for WinCE
Windows CE (WinCE) is a variant of the Microsoft Windows operating system for handheld computers, mobile phones and embedded systems. Architecture x86, MIPS, ARM and processors Hitachi SuperH are supported. Windows CE is optimized for the devices that have a minimal memory size.
One of the features of the operating system Windows CE lies in the fact that in most cases the operating system being started up in a particular device cannot be added additional functions. Thus, the functioning of the client component needs the inclusion of RDP or Citrix ICA client, as well as the required libraries, at the stage of preparation of an image of the operating system.
In other aspects the client component for Windows CE is fully identical to the client component for Win32 in terms of its composition and dependencies.
Client component for "Kami-terminal"
"Kami-terminal" is a distribution package of Linux OS designed specifically for its use on terminal clients. This distribution package of OS Linux is described just as an example and is not the only one possible for the application of SHIPKA in the terminal mode.
The startup of "Kami-terminal" is performed in four stages:
- The startup of the basic image of the file system (FS). The basic part starts from the preliminary prepared carrier and consists of the Linux kernel and the image of the file system with the minimum set of files needed to install a network connection to the startup server.
- Authentication and the startup of a user profile. The user is offered to connect a PCDST and enter a PIN-code. Upon the successful completion of the authentication process the user profile is read from the device, on the basis of which the settings and the software package file is loaded from the startup server.
- Loading, testing and installing of software packages required to start a session with the TS. Software packages, specified in the settings file of the user profile on the server, are loaded from the startup server via the NFS protocol. For each loaded package the hash is computed, the value of which is compared to the corresponding value recorded in the user profile on the device. Upon the successful completion of testing the contents of the package are installed in the FS of "Kami-terminal".
- Start of a terminal session. On the basis of the contents of the settings file, a connection with the TS is set, and virtual channels are created.