
Crypto DB

Product
Developers: Aladdin R.D.
Last Release Date: 2017
Technology: Cybersecurity - Encryption tools

Description

The Crypto DB cryptographic information protection tool (CIPF) provides reliable control and protection of data against unauthorized actions by the database management system (DBMS) administrator and other intruders.

Security teams are forced to trust database administrators, which creates a very real risk of confidentiality breaches and leaks of important, often business-critical, information. Most organizations "work around" the problem of protection against the database administrator by introducing formal organizational restrictions and rules, applying supplementary physical security measures and writing special exceptions into their threat models. Such an approach is ineffective, while the vulnerability of the DBMS to its own administrator has real consequences, expressed in both financial and reputational losses.

Crypto DB solves the problem of preventing leaks of confidential information and protecting against the database administrator by encrypting the data in the database. Data is always stored in encrypted form and becomes available only after successful authorization of the owner of the access key.

Crypto DB uses strong encryption algorithms as well as data integrity algorithms. For high reliability of data protection, the system implements secure distribution and storage of encryption keys, including on hardware key carriers.

Import substitution

The Crypto DB cryptographic information protection system meets the main state requirements in the field of import substitution:

  • the product's code base is entirely domestic;
  • the product owner, Aladdin R.D., is 100% owned by citizens of the Russian Federation;
  • technical support is provided in Russian within the Russian Federation;
  • it is certified by the FSB of Russia according to the requirements for CIPF of classes KC1 and KC2;
  • it is registered in the Unified Register of Domestic Software (No. 509, No. 518, No. 4292, No. 4293).

Using Crypto DB makes it possible to meet the requirements of a number of regulatory documents:

  • Order of the FSB of Russia No. 378 of July 10, 2014 "On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems using cryptographic information protection tools necessary to fulfil the personal data security requirements established by the Government of the Russian Federation for each security level";
  • Order of the Ministry of Telecom and Mass Communications of the Russian Federation No. 96 of April 1, 2015 "On approval of the software import substitution plan";
  • Order of the Ministry of Telecom and Mass Communications No. 242 of September 29, 2011 "On approval of the procedure for transferring registers of qualified certificates of electronic signature verification keys and other information to the federal executive body authorized in the field of electronic signature use upon termination of the activities of an accredited certification center";
  • Order of the FSTEC of Russia No. 21 of February 18, 2013 (as amended on March 23, 2017) "On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems";
  • Order of the FSTEC of Russia No. 17 of February 11, 2013 "On approval of requirements for the protection of information not constituting a state secret contained in state information systems".

Purpose

Crypto DB is a corporate system for cryptographic protection of information stored and processed in databases.

The main purpose of the system is cryptographic protection (hereinafter, encryption) of data stored in database tables against unauthorized access. The software package provides:

  • prevention of unauthorized access to confidential information stored in database tables;
  • protection of data against malicious actions by the system administrator;
  • encryption and protection of data in three-tier database access architectures;
  • auditing of the actions of users and the database administrator on attempts to access protected information.

Scope of application

Because DBMSs are universally used to store and process confidential information, and threats of compromise of confidential information are widespread, Crypto DB has a wide scope of application extending to every industry of the Russian market. The main users of Crypto DB are:

  • state and local government bodies, and organizations of any form of ownership that work with confidential information and personal data;
  • state organizations subject to a number of information security requirements, whose obligations often include responsibility for the confidentiality of the information they process;
  • commercial organizations that use, or plan to implement, information systems processing data critical to their business.

Countering threats to the organization

From the point of view of the organization as a whole, the main effect of implementing Crypto DB is a significant reduction of the risk of compromise of critical information and of all the consequences that accompany it. Crypto DB makes it possible to set up a reliable system for encrypting and protecting confidential information in databases in the shortest possible time, thereby ruling out a number of modern threats:

Example threats and the counter-measures implemented with Crypto DB:

  • Threat: unauthorized access by an attacker to unprotected confidential information in the DBMS. Counter-measure: cryptographic protection of data in DBMS tables by "transparent" encryption with strong algorithms. Information in database tables is always stored in encrypted form; even if the hard drive or database backups are seized or stolen, the information cannot be used.
  • Threat: access by unwanted persons to information stored in the database during maintenance, backup and other service procedures. Counter-measure: reliable protection of encryption keys with strong asymmetric algorithms.
  • Threat: access to protected confidential information in the DBMS using credentials obtained by social engineering. Counter-measure: regular change of the key of the protected table for an encrypted column.
  • Threat: use of unlimited access to information with the rights of the database administrator. Counter-measure: optional two-factor authentication of registered Crypto DB users using X.509 digital certificates.
  • In addition, information obtained from the built-in audit system provides a reliable evidence base for investigating cybersecurity incidents.

Specific Features

  • A fast and simple method of implementing cryptographic information protection in a DBMS.
  • Minimal time and resource costs for setting up a centralized system for encrypting information in databases.
  • Simplicity of operation; using Crypto DB does not require significant changes to production processes.
  • Orientation to the Russian market (support for GOST algorithms).
  • Optimal license cost in rubles, independent of the dollar exchange rate.
  • The possibility of combined use and "seamless" integration with the security solutions of Aladdin R.D., a leading Russian manufacturer of information security tools.
  • Compliance with the requirements of Russian legislation on the use of CIPF.
  • Embodiment of world practices in creating information security products and solutions.

General principles of system operation

Data is protected by encrypting it "on the fly": data is decrypted when it is requested from the database and encrypted when it is written to the database. Information held in the database is always encrypted. The encryption algorithm is selected by the Crypto DB information security administrator during system setup and can be changed at any time during operation.

An authorized user works in the normal way with the decrypted data returned in response to a database query. To gain access to protected information, the user must have the key carrier (a smart card or USB token), know its PIN code and hold the appropriate authority.

Functions and opportunities

Structure and system compatibility of Crypto DB

The Crypto DB system consists of the following components:

  • Crypto DB server components;
  • security administrator management console;
  • audit collectors (optional).

The Crypto DB system runs on several widespread DBMS platforms:

The client software runs under Microsoft Windows XP/Vista/7/8/8.1 (32- and 64-bit).

Data encryption

Protected data is stored using the strong encryption algorithms built into Crypto DB:

  • GOST 28147-89 and GOST 28147-2012 algorithms;

Encryption of database tables/columns

Crypto DB can encrypt individual columns of tables in the DBMS. What makes this function unique is that authorized users see the decrypted data while everyone else sees masking values. An authorized user is one who has access to the encryption key; such access is granted by the security administrator. This method of protection rules out unwanted data access by the system administrator, who holds the highest level of privileges in the IT system.

"Transparency" for applications

An application that worked with unencrypted data does not require any modification after its tables are encrypted with Crypto DB, neither on the client software side nor on the database server.

Additional authorization

Additional authorization of users, requiring presentation of the hardware key and entry of a PIN code, is performed to confirm the right of access to protected information.

Irreversible deletion of data

Deleting encryption keys from the system leads to irreversible loss of the encrypted data, ruling out any possibility of its subsequent recovery.
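The column-level behaviour described in this section (encrypt on write, decrypt on read for key holders, masking values for everyone else, key change with re-encryption, and irreversible loss once the key is deleted) can be modelled in a few dozen lines. The following is an added illustration written for this page, not Crypto DB code: it stands in a toy HMAC-based stream cipher for the GOST algorithms, keeps keys in memory instead of on a hardware token, and uses a constructed one-row table; the class and function names are assumptions.

```python
"""Constructed toy model of column-level 'transparent' encryption: cells are
encrypted on write and decrypted on read for users holding the column key;
everyone else (including a DBA reading raw storage) sees only a masking
value. The key can be rotated with re-encryption, and deleting the key makes
the column irrecoverable. Not Crypto DB code; toy cipher instead of GOST."""
import hashlib
import hmac
import os
import secrets

MASK = "********"          # masking value returned to readers without the column key
NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # derive separate encryption and MAC keys from one column key
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a toy stream cipher for illustration only
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: str) -> bytes:
    """Encrypt-then-MAC one cell value; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    pt = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(_subkey(key, b"enc"), nonce, len(pt))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> str:
    """Verify the tag, then decrypt; a modified cell fails the integrity check."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct)))).decode()


class ProtectedTable:
    """A table in which selected columns are encrypted under per-column keys."""

    def __init__(self, encrypted_columns):
        self.rows = []                                        # what the DBMS actually stores
        self.keys = {c: secrets.token_bytes(32) for c in encrypted_columns}
        self.grants = {c: set() for c in encrypted_columns}   # users granted access to each key

    def grant(self, user: str, column: str) -> None:
        self.grants[column].add(user)

    def insert(self, row: dict) -> None:
        # encryption on write: protected cells never reach storage in clear
        self.rows.append({c: seal(self.keys[c], v) if c in self.keys else v for c, v in row.items()})

    def select(self, user: str) -> list:
        # decryption on read for key holders, masking value for everyone else
        result = []
        for stored in self.rows:
            view = {}
            for c, v in stored.items():
                if c not in self.keys:
                    view[c] = v
                elif self.keys[c] is not None and user in self.grants[c]:
                    view[c] = unseal(self.keys[c], v)
                else:
                    view[c] = MASK        # no key: not granted, or key already deleted
            result.append(view)
        return result

    def rotate_key(self, column: str) -> None:
        # key change: decrypt under the old key, re-encrypt under a fresh one
        new_key = secrets.token_bytes(32)
        for stored in self.rows:
            stored[column] = seal(new_key, unseal(self.keys[column], stored[column]))
        self.keys[column] = new_key

    def shred(self, column: str) -> None:
        # irreversible deletion: without the key the ciphertext cannot be recovered
        self.keys[column] = None

    def raw_contains(self, value: str) -> bool:
        # what a DBA or a stolen backup would reveal: search raw storage for the plaintext
        needle = value.encode()
        return any((v.encode() if isinstance(v, str) else v).find(needle) >= 0
                   for stored in self.rows for v in stored.values())


def demo() -> dict:
    """Walk through the lifecycle on a constructed row; returns observations."""
    t = ProtectedTable(encrypted_columns=["passport"])
    t.grant("analyst", "passport")
    t.insert({"name": "Ivanov", "passport": "4509 123456"})   # constructed sample data
    out = {"authorized": t.select("analyst")[0]["passport"],
           "unauthorized": t.select("dba")[0]["passport"],
           "plaintext_in_storage": t.raw_contains("4509 123456"),
           "name_in_storage": t.raw_contains("Ivanov")}
    before = t.rows[0]["passport"]
    t.rotate_key("passport")
    out["readable_after_rotation"] = t.select("analyst")[0]["passport"]
    out["ciphertext_changed"] = t.rows[0]["passport"] != before
    tampered = bytearray(t.rows[0]["passport"])
    tampered[NONCE_LEN] ^= 0x01                                # flip one ciphertext bit
    try:
        unseal(t.keys["passport"], bytes(tampered))
        out["tamper_detected"] = False
    except ValueError:
        out["tamper_detected"] = True
    t.shred("passport")
    out["after_shred"] = t.select("analyst")[0]["passport"]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the module prints the observations: the granted user reads the passport number, the DBA and raw storage see only ciphertext or the mask, the value stays readable after a key rotation even though the stored bytes change, a flipped bit is caught by the integrity tag, and after the key is deleted even the granted user gets the masking value. The unencrypted `name` column is, of course, still visible in storage, which is why the choice of which columns to protect matters.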

Centralized management

Most service operations and configuration actions for the Crypto DB system are performed through the management console. The management console can work with an unlimited number of DBMSs.

Centralized monitoring and audit

A unified monitoring and audit center collects information about various Crypto DB service events and about user access to encrypted data.

Access control based on a role model

A flexible role model is implemented, with reliable separation of Crypto DB management operations in full accordance with the organization's operating policy.

Architecture

Scheme of component interaction

Purpose of components

  • The Crypto DB API is the core of Crypto DB, performing all cryptographic operations, including encryption of information, protection of encryption keys, secure transfer of encryption keys, ensuring the integrity of data, service software and service information.
  • The Crypto DB repository is a set of information about encrypted tables, encryption keys, users and audit settings, together with the change history of this information.
  • The key computation service is intended for secure transfer of encryption keys between the client and the server.
  • The Crypto DB administration console is the security administrator's console, which allows the following operations:
    • managing the lifecycle of encryption keys;
    • encrypting (re-encrypting) data in database tables;
    • managing users (users' encryption keys);
    • managing audit;
    • controlling the integrity of its own software and of user objects;
    • handling error conditions.

  • The client component (Crypto DB Client) is interface software for interacting with the CIPF so that cryptographic operations are performed on the certified CIPF.

Software certificates

The Crypto DB system is certified by the FSB of Russia. Certificate of conformity No. SF/124-3249 certifies that Crypto DB conforms to the requirements of GOST 28147-89, GOST R 34.12-2015 and the Requirements for cryptographic information protection tools intended for protecting information that does not contain state secrets, class KC1 (for version 1) and class KC2 (for version 2), and can be used for cryptographic protection (creation and management of key information, encryption of user data, computation of message authentication codes for user data) of information that does not contain state secrets and is stored in database tables managed by Oracle, Microsoft SQL Server, PostgreSQL and Tibero DBMS.

Development History

2020: Compatibility with Jatoba DBMS

On July 15, 2020 Aladdin R.D. and Gazinformservice announced the completion of compatibility testing of their products. The test results confirm that the Crypto DB CIPF and the Jatoba DBMS operate correctly together.

2018: FSB of Russia certificate for class KC3

On August 27, 2018 Aladdin R.D. announced that it had obtained another FSB of Russia certificate of conformity for the Crypto DB cryptographic information protection tool (CIPF), class KC3, for the Oracle, PostgreSQL and Tibero database management systems (DBMS). In 2017 the Crypto DB 2.0 system was certified by the FSB of Russia as a CIPF of classes KC1 and KC2.

The FSB of Russia certificate No. SF/124-3472 of August 15, 2018 certifies that the Crypto DB 2.0 CIPF (version 3) conforms to the requirements of GOST 28147-89, GOST R 34.12-2015 and the Requirements for CIPF intended for protecting information that does not contain state secrets, class KC3, and can be used for cryptographic protection (creation and management of key information, encryption of user data, computation of message authentication codes for user data) of information that does not contain state secrets and is stored in database tables under the control of Oracle, PostgreSQL and Tibero DBMS.

"The system makes it possible to prevent damage from leaks of confidential information stored in the popular foreign DBMSs that are widely used in billing systems, electronic document management systems, user support systems, CRM, ERP and HR systems, various state services, etc. Obtaining the FSB of Russia certificate of conformity to the requirements for class KC3 CIPF allows us to deliver Crypto DB to state organizations with the highest information security requirements."
Denis Sukhovey, Director of Business Development, Aladdin R.D.

Encryption of database tables with Russian cryptographic algorithms provides reliable data protection, and differentiation of access rights rules out the possibility of compromise of the protected information by database administrators. The security of protected data is also ensured by strict two-factor authentication at client workstations using hardware: USB tokens or smart cards of the JaCarta family.

Crypto DB also has a built-in audit mechanism that collects data confirming the facts of access to encrypted information. This significantly reduces the risk of leaks of confidential information from the DBMS, since it is impossible to work under an assumed name: all user actions are personalized and recorded, which rules out deniability. A distinctive feature of the system is the ability to encrypt individual table columns in the DBMS, so that only authorized users can see the data in them (unauthorized users see an unreadable set of characters). Applications that worked with unencrypted data do not require any modification after the tables are encrypted with Crypto DB, neither on the client software side nor on the database server.

2017

Certificate of FSB of Russia

On December 20, 2017 Aladdin R.D. announced that it had obtained an FSB of Russia certificate of conformity for the Crypto DB cryptographic information protection tool (CIPF) for database management systems (DBMS).

Crypto DB for Oracle (2017)

The FSB of Russia certificate No. SF/124-3249 of December 12, 2017 certifies that the Crypto DB 2.0 CIPF conforms to the requirements of GOST 28147-89, GOST R 34.12-2015 and the Requirements for CIPF intended for protecting information that does not contain state secrets, classes KC1 (for version 1) and KC2 (for version 2), and can be used for cryptographic protection (creation and management of key information, encryption of user data, computation of message authentication codes for user data) of information that does not contain state secrets and is stored in database tables under the control of Oracle, PostgreSQL, Microsoft SQL Server and Tibero DBMS.

"Using encryption in the DBMS reduces the risks of leakage of important information and solves the problem of "protection against the DBMS admin", providing controlled access only to authorized users. Another important advantage is significant savings of financial resources, since the certification of Crypto DB allowed us to offer organizations a domestic tool that ensures the confidentiality of data processed in the DBMS without the need to abandon or replace foreign software."

Denis Sukhovey, Head of Technology Development Department, Aladdin R.D.

Withdrawal of the eToken product line from sale

Notification of plans to discontinue the sale, support and maintenance of USB tokens and smart cards of the eToken PRO (Java) family, eToken, and the Kriptotoken CIPF as part of eToken GOST products[1].

eToken products have been withdrawn from sale since the beginning of 2017. The conditions for the end of sales and product lifecycle of the eToken PRO (Java) line given in the table below apply to all existing form factors (USB token, smart card, etc.). The list includes both certified and non-certified products. A detailed list of models for all listed products is given in the "Articles and names" section of the Notification.

Model, last sale date and end of support:

  • eToken 4100 Smartcard, eToken 5100/5105, eToken 5200/5205: last sale date January 31, 2017, end of support December 1, 2020.
  • Products containing the Kriptotoken CIPF (eToken GOST): last sale date August 31, 2017, end of support December 1, 2018.

Technical support for previously purchased products will be provided until the end of the paid technical support period.

In place of eToken PRO (Java) and eToken electronic keys, Aladdin R.D. offers new domestic USB tokens, smart cards, embedded security modules (chips) and OTP tokens of the JaCarta PRO, JaCarta PKI and JaCarta WebPass lines, developed and manufactured by the company in the Russian Federation.

Replaced model and its replacement:

  • eToken, eToken PRO (Java), SafeNet eToken:
    • JaCarta PRO: compatible model
    • JaCarta PKI: functional analog
  • eToken PRO Anywhere: no replacement
  • eToken NG-FLASH (Java): a similar product in the JaCarta line is planned for 2018
  • eToken NG-OTP (Java): functional analog that generates an OTP value and transfers it over the USB port

2016: Crypto DB v. 2.0

Crypto DB v. 2.0 is a system for cryptographic protection of confidential information stored and processed in a DBMS on the Oracle, MS SQL and Tibero platforms. The product is intended to prevent leaks of privileged information and to restrict access of privileged users (database administrators) to protected data.

A number of new functions and capabilities have been added in this version of the product, including support for the most widespread DBMS platforms. Alongside the existing support for the Oracle platform, separate versions of the product providing cryptographic protection of data in MS SQL and Tibero DBMS have been released.

The audit module, which monitors user access to protected information, has extended functionality. It makes it possible to conduct audits in the course of information security incident investigations. An important feature is the binding of audit events to the hardware number of the smart card, which increases the reliability of attributing authorship of those events.

At the same time, the performance of the cryptographic core has been increased, which avoids excessive load on the DBMS during bulk encryption. The high-performance cryptographic core thus makes it possible to use Crypto DB in complex, large and highly loaded DBMSs.

A deferred encryption mechanism has been implemented that reduces system downtime to about one minute, even with large volumes of data. Information can be encrypted gradually, for example during periods of lowest system load.

In addition, the new version of the product implements: a mechanism for changing the encryption key with subsequent re-encryption of information, by analogy with deferred encryption; a mechanism for index search in encrypted fields for the Oracle and Tibero versions, including full-text indexing; and the ability to create a copy of the database that contains no up-to-date information, for example for handing over for testing, in which the up-to-date information is replaced with masking values and the preparation time is minimal.

2015: Crypto DB released on the Tibero DBMS platform

On April 27, 2015 TmaxSoft and Aladdin R.D. announced the release of the mutually integrated product Crypto DB on the Tibero DBMS platform.

Crypto DB holds an FSB certificate. The system implements cryptographic protection of information stored in databases against unauthorized access and is intended to secure information systems and business applications that use a DBMS:

Using Tibero has expanded sales channels and reduced costs, and gives customers the opportunity to migrate to Tibero without losing data or business logic.

"Today the customer needs a product that not only solves particular critical problems in the field of security or DBMS, but also allows transparent and seamless integration into the customer's infrastructure. Support is important both from the DBMS developer and from the developer of the means of cryptographic information protection (MCIP)," noted Ruslan Melnikov, Sales Director of the Russian representative office of TmaxSoft. "This solution attracted our attention because, in addition to protecting data, we can embed it tightly into the Tibero DBMS and provide the necessary performance to our customers."

2013: Crypto DB extends its FSB certificate

On December 16, 2013 Aladdin R.D. announced the extension of the FSB certificate for the Crypto DB CIPF. The product can be used for cryptographic protection of data stored in database tables managed by Oracle DBMS.

The extended FSB of Russia certificate of conformity No. SF/124-2210 of November 6, 2013 for protection classes KC1 and KC2 demonstrates that the Crypto DB CIPF can be used for cryptographic protection (creation and management of key information, encryption of user data, computation of message authentication codes for user data) of information that does not contain state secrets and is stored in database tables managed by Oracle DBMS.

As of December 16, 2013 the product can be used in procedures of strengthened user authentication for access to protected data using eToken USB keys and smart cards, as well as the new JaCarta product line.

2011

Aladdin's next plans include developing the functionality of Crypto DB: supporting the solution with thin clients and with the various key carriers available on the Russian market. The company also intends to complete certification of Crypto DB with the FSTEC of Russia for use of the solution to protect automated systems up to and including class 1B and personal data information systems (ISPDN) up to and including class 1. The certification process started in 2010.

2008 – 2010

The technical specifications for the creation of the Crypto DB CIPF were approved with the FSB of Russia. The certification process was completed in October 2010 with the award of certificate No. SF/124-1569. Crypto DB thus became Russia's first certified CIPF for protecting Oracle databases.

The Crypto DB solution certified by the FSB of Russia is aimed at use in government institutions, that is, ministries and departments faced with the problem of protecting personal data and official and medical secrets. The solution is also in demand among financial enterprises, banks and commercial companies for protecting confidential information processed and stored in Oracle DBMS. The first project to implement the certified Crypto DB solution, at the Federal Agency for Fishery, is now being completed.

On November 25, 2010 Aladdin R.D. announced the completion of the certification process for the Crypto DB cryptographic information protection tool (MCIP), intended for protecting data in Oracle DBMS against unauthorized access. The solution received an FSB of Russia certificate for protection classes KC1 and KC2. The FSB of Russia certificate means that Crypto DB can be used by, among others, state authorities, banks and commercial organizations facing the problem of protecting confidential data in Oracle databases.

According to statistics collected by Verizon Investigative Response and the United States Secret Service, in 2010 98% of leaks originated from servers, where most corporate information is stored. 70% of leaks resulted from the actions of external agents, 48% were caused by insiders, 11% were initiated by business partners, and 27% involved participants from several categories of attackers.

In 48% of cases leaks were carried out by users who had illegitimately acquired privileges beyond those appropriate to their job duties. 40% of cases were caused by hackers' actions, 38% of leaks by malware, 28% were provoked by social methods (for example, a gift to a secretary), and 15% were physical attacks.

Over the last year a trend became noticeable: hackers steal not information but accounts. The same applies to malware; here too the vector has shifted towards theft of accounts.

2007

The further development of Aladdin R.D.'s work on protecting Oracle DBMS was predetermined by the growing need of most state and commercial enterprises to use Russian cryptography and to build information security systems in accordance with the requirements of Russian legislation. Customers began to use cryptographic algorithms for authentication, for generating electronic digital signatures (GOST R 34.10-2001), for protecting communication channels (GOST 28147-89, GOST R 34.11-94) and for encrypting data (GOST 28147-89). Aladdin specialists worked actively on developing technical specifications and preparing the documentation needed to create and certify a new solution.

On the basis of the SafeData solution set, Aladdin R.D. developed the Crypto DB cryptographic information protection tool (MCIP), which uses national cryptographic standards (Russian, Kazakh and Belarusian) in the Oracle environment. The Crypto DB CIPF is intended to ensure the confidentiality and integrity of information during its storage and processing on an Oracle database server. The solution provides selective encryption at the level of table columns in accordance with GOST 28147-89, protection of encryption keys using eToken, mandatory and discretionary access control to information, audit and monitoring of information access, and protection against actions of database administrators.

2005

Aladdin R.D. presented a new solution to the market, eToken SafeData, a cryptographic data protection tool (CIPF) based on Western cryptography for use in Oracle DBMS. The key advantage of SafeData is that it works at the application layer: the protection mechanisms are implemented using only the standard development tools and access provided by Oracle DBMS, so the solution integrates easily with the customer's information system. The features of SafeData include protection of data in tables by cryptographic methods, flexible management of encryption keys, and monitoring and audit of access to encrypted data by all users of the system.

Aladdin conducted certification testing of SafeData's compatibility and operability with the Oracle family of business applications; the results confirmed correct operation of the solution with all products of the Oracle Applications family. As part of an active marketing program promoting this solution in Russia and the CIS countries, Aladdin trained technology partners, which resulted in a number of SafeData implementation projects in Kazakhstan.

2004

Aladdin R.D. began developing products to secure information systems and business applications that use Oracle DBMS: billing systems, workflow systems, user support (HelpDesk), CRM, ERP, HR systems and many others.

Aladdin R.D.'s Oracle product line began with the eToken SecurLogon authentication solution, intended for secure access to Oracle DBMS using smart card technology. The solution was prompted by the need of Russian customers to strengthen the security of the authentication mechanisms built into Oracle products. Because of non-optimal information system design, employees at enterprises often had to use a set of passwords, which increased the role of the human factor: passwords were, as a rule, kept on a sheet of paper in a desk drawer or on a sticker attached to the monitor. Developing an external system for authorizing employees with smart cards or eToken USB keys solved this problem and reliably protected confidential data in Oracle DBMS.

eToken SecurLogon for Oracle was the only solution on the market providing two-factor authentication of users in Oracle DBMS. The two-factor authentication system, built on eToken USB keys and smart cards as personal stores of digital certificates, prevents interception of user identification data by a potential attacker. Using eToken USB devices to confirm a user's right of access to particular information rules out logging in under an assumed name and reduces the risk of data theft from the system. By providing authentication over the SSL protocol, eToken SecurLogon for Oracle protects the communication channel between the database server and the client workstation with one of the encryption algorithms supported by Oracle.

Work on creating eToken SecurLogon took about six months. The first implementation took place in the Kurgan branch of Uralsvyazinform; as a result of the project, the telecom operator gained secure access to its Oracle-based billing system.

While actively developing its Oracle security business, Aladdin R.D. works closely with technology partners. In 2004 the company, together with the Borlas consulting group, offered the market a complete solution for secure user access to Oracle E-Business Suite business applications. Among the most notable implementations of this solution is a two-factor authentication system for users of the electronic marketplace at Magnitogorsk Iron and Steel Works OJSC (MMK); this project produced Russia's first legally significant electronic document flow system.