Implementing the "Electronic Russia" programme, and the similar programmes run by ministries and departments, requires building secure virtual corporate networks (ZVKS) and making active use of public networks, above all the Internet, as a transport medium. The main threat that arises when such networks are connected to the Internet is the possibility of penetrating the departmental automated system (AS) at the connection point. This can lead not only to access to confidential information and disruption of the AS, but also to access to the encryption algorithm and the key material. That is why Presidential Decree No. 611, "On measures to ensure the security of the Russian Federation in the sphere of international information exchange", states that subjects of international information exchange in the Russian Federation must not connect information systems that process information constituting a state secret, or official information of restricted distribution, or for which special rules of access to information resources are established, to international information exchange, including the international association of networks "Internet". The Internet connection point becomes part of the public network. Since that point operates continuously, an attacker can exploit flaws in its software to gain unauthorized access to the AS. To rule this out, the "Shield" technology was developed: instead of the traditional single-server connection point it uses a binary one, consisting of two servers, and it provides both protection and concealment (through encryption) of the transmitted information.
A secure connection implies that no segment of the ZVKS can be accessed without authorization from any public network, and guarantees the following: there is no network connectivity between ZVKS segments and the public network, and it is impossible not only to exchange information between a ZVKS segment and the public network, but even to detect the existence of a ZVKS segment from the public network, and vice versa. It is essential that the internal and external servers of a ZVKS node have no network connectivity with each other, and that all cryptographic transformations take place on the internal servers, which are not connected to the Internet. The CPS "KriptoKanal" is intended to create a ZVKS by joining geographically remote LANs (the ZVKS segments) over public networks (including the Internet) used as transport, including the AS of government bodies and institutions of the Russian Federation, transport management systems, communications, energy and so on, and to carry confidential information between them. For authentication and integrity control it uses the GOST R 34.10-2001 digital signature, the GOST R 34.11-94 hash function and the GOST 28147-89 message authentication code (imitovstavka). For encryption it uses GOST 28147-89 in gamma mode with feedback (the GOST CFB mode). Mobile and remote users access the ZVKS through the KriptoKanal-client software (GoK Shield Channel Client, GoK SCC), which is installed on workstations running MS Windows or Linux.
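The gamma-with-feedback mode named above, as an added educational example (not KriptoKanal code): a compact GOST 28147-89 block cipher with the published GOST R 34.11-94 test S-boxes (a real node loads its own cryptoparameters from the key token), the feedback keystream mode built on it, and a check that a single flipped ciphertext bit decrypts without any error, which is why the separate MAC and signature layers listed above are needed. The key, IV and plaintext are constructed values.

```python
import struct

# S-boxes of the GOST R 34.11-94 test parameter set (assumed for the demo only).
SBOX = [
    [4, 10, 9, 2, 13, 8, 0, 14, 6, 11, 1, 12, 7, 15, 5, 3],
    [14, 11, 4, 12, 6, 13, 15, 10, 2, 3, 8, 1, 0, 7, 5, 9],
    [5, 8, 1, 13, 10, 3, 4, 2, 14, 15, 12, 7, 6, 0, 9, 11],
    [7, 13, 10, 1, 0, 8, 9, 15, 14, 4, 6, 12, 11, 2, 5, 3],
    [6, 12, 7, 1, 5, 15, 13, 8, 4, 10, 9, 14, 0, 3, 11, 2],
    [4, 11, 10, 0, 7, 2, 1, 13, 3, 6, 8, 5, 9, 12, 15, 14],
    [13, 11, 4, 1, 3, 15, 5, 9, 0, 10, 14, 7, 6, 8, 2, 12],
    [1, 15, 13, 0, 5, 7, 10, 4, 9, 2, 3, 14, 6, 11, 8, 12],
]
MASK32 = 0xFFFFFFFF
SCHEDULE = list(range(8)) * 3 + list(range(7, -1, -1))  # K0..K7 x3, then K7..K0

def _round(n1, n2, k):
    """One round: add subkey mod 2^32, substitute 8 nibbles, rotate left 11, XOR."""
    s = (n1 + k) & MASK32
    t = 0
    for i in range(8):
        t |= SBOX[i][(s >> (4 * i)) & 0xF] << (4 * i)
    t = ((t << 11) | (t >> 21)) & MASK32
    return n2 ^ t, n1

def encrypt_block(key, block):
    """Encrypt one 64-bit block under a 256-bit key (little-endian 32-bit words)."""
    k = struct.unpack("<8I", key)
    n1, n2 = struct.unpack("<2I", block)
    for i in SCHEDULE:
        n1, n2 = _round(n1, n2, k[i])
    return struct.pack("<2I", n2, n1)  # undo the swap after the final round

def cfb_crypt(key, iv, data, decrypt=False):
    """Gamma mode with feedback: gamma_i = E_K(previous ciphertext block)."""
    out, prev = bytearray(), iv
    for off in range(0, len(data), 8):
        chunk = data[off:off + 8]  # the last chunk may be shorter than 8 bytes
        piece = bytes(a ^ b for a, b in zip(chunk, encrypt_block(key, prev)))
        out += piece
        prev = chunk if decrypt else piece  # ciphertext feeds the next gamma
    return bytes(out)

def bit_flip_damage(key, iv, plaintext, byte_index):
    """Flip one ciphertext bit and return the offsets of plaintext blocks that change.
    Decryption still 'succeeds': CFB alone gives no integrity, hence the MAC/signature."""
    ct = bytearray(cfb_crypt(key, iv, plaintext))
    ct[byte_index] ^= 0x01
    back = cfb_crypt(key, iv, bytes(ct), decrypt=True)
    return [i for i in range(0, len(plaintext), 8) if back[i:i + 8] != plaintext[i:i + 8]]

KEY = bytes(range(32))  # constructed demo key; never use a predictable key in practice
IV = b"\x01\x02\x03\x04\x05\x06\x07\x08"  # constructed demo IV
MSG = b"KriptoKanal: GOST 28147-89 gamma with feedback demo"
```

Flipping one bit in the second ciphertext block corrupts only that block (one bit) and the following block, and nothing in the cipher reports it.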
GoK SCC has built-in protection against unauthorized access: it identifies and authenticates the user with a personal eToken electronic key and identifies the user's computer to the ZVKS. To build the secure channel, GoK SCC uses the same methods and means as PAC SC-FW. The CPS "KriptoKanal" also includes a key-generation workstation (ARM), whose task is to generate the key material for every ZVKS node and export it to an eToken. The personal eToken of each user and node of the ZVKS stores the user or node identifier, the public key of the key-generation workstation (GC), the user's private and public keys, the digital signature of the user's public key made with the GC workstation key, the random-number initialization vector, and the cryptographic parameters.