Cryptomach Defended Privacy

1. Cryptomach Ltd. defended privacy

3. Company Structure Department of scientific researches and hardware-software developments ( R&D ) Department of integrated security systems (ISS) Digital Signature Certification Authority (DSCA)

4. Loyalty Card with Digital Signature Function Contact chip (Infineon SLE66C42P) Contactless chip (NXP Mifare DESFire) with built-in antenna Plastic with printed personal information on the back side of the card Card Structure Supported Cryptoalgorithms Digital signature : DSTU 4145-2002 with key length 191 bit Session keys derivation based on DH scheme and DSTU 4145-2002 S ymmetric ciphering and MAC authentication : GOST 28147-89 Hash function : GOST 34.311-95 Authentication and traffic encryption for contactless interface : Triple-DES

5. Card’s Functions Card owner identification tool (ID data is digitally signed) Reliable private keys keeper and digital signature tool (keys are generated and used only in the chip memory) Establishing secure channel for confidential data flow protection between user’s workstation and a server of the system Payment Tool that supports National Payment System of Ukraine ( NSMEP), application « check » (PIN protected payments) Protected Storage of the Medical Emergency Information that provide secure reading and synchronization procedures Access Control Tool to the Private Information Storages on the workstation or at the network Contactless card for Physical Access Control Systems (PACS). One card could support up to 12 PAC zones with independent keys. Support of loyalty systems and prepaid services based on contactless technology Data Access Control Loyalty System support % Physical Access Control E mergency Information Payment Card Digital Signature Encrypted Tunnel with Server Owner Identification

6. Contactless Secure Physical Access Control Readers Implementation of cryptographic subsystem for monitoring and access control systems on the basis of contactless MIFARE Plus / DESFire / Ultralight C smart cards (with reliable encryption) Contactless smart card (compatible with DESFire ) or secure memory card (MIFARE Plus / Ultralight C) Crypto subsystem of PACS consists of three hardware elements : Executive (Door) Contactless Reader Service Contactless Reader

7. Main Features of Secure Readers Supporting of open cryptographic standards : 3DES / AES, with key length 112 and more bit Key system fully defined by customer, each card has unique secrete key Contactless cards support : ISO 14443A/B Open protocol and command system for operating with card : MIFARE DESFire EV1 One card supports up to 12 zones (access areas) with independent key systems Provide a flexible and full secure key management system Model with PIN-keyboard (by order) 2 bi-color LEDs and sound indication of operation state Communication interface of executive and service readers with host-computer : USB 2.0 Communication interfaces of executive reader with PAC controller : Wiegand-26 /56 , KODOS, RS-232/RS-485 ( optional ) Product can be adapted according the customer’s demands after specifications approval

8. Readers Integration Support of widespread communication protocols with PAC controllers Cryptosystem is transparent for PACS Possibility of integration into existing PACS Possibility of step-by-step switch to cryptoprotected cards in the existing MIFARE based PACS

11. Secure keeping and usage of secret keys Hardware Security Module « cm Token» True Random Numbers Generator (based on physical noise processing) Mutual Dynamic Authentication based on a symmetric algorithm Establishing of secure channel with remote authentication server PIN-code protected storage of the authentication keys and confidential data access keys

12. Generation of the strong random sequences based on physical source of noise Real-time automatic check of generated random sequence for accordance to the FIPS 140-2 Supported encryption algorithms: AES -256 (FIPS 197) , GOST 28147-89, DSTU 4145-2002 (option) Models with PIN-keyboard or fingerprint sensor (by order) Device has the token form-factor of with USB 2.0 interface Product can be adapted according the customer’s demands after specifications approval Hardware Security Module « cm Token» 1 2 6 5 4 3

13. Joins LAN of remote offices in common virtual private network (VPN) with securing of the data transmitted through a public network Provides secure connection of portable workstations to data centre (server) by the ciphered and authentic channel D evice for traffic tunneling and VPN creation over public networks IPsec implementation supported by hardware acceleration (AES, SHA, TRNG) Network Security Device "IP-encryptor"

14. Traffic Inspection: FireWall, IDS, AntiVirus Network Safety Device "IP-encryptor" Full control over built-in Web- interface Ethernet : Up to 5x RJ-45 LAN Gigabit Ethernet ports IP-Router (Static, RIP, BGP), Proxy, Traffic shaper Traffic protection: AES-256, SHA-256, GOST 28147-89, GOST 34311-95 Smart card based boot authentication (option) Supports Public Keys Infrastructure Hardware True Random Numbers Generator Quiet Computing (models without moving parts)

15. Secure Virtual Drive Secure Data Storage “ On-the-fly” encrypting by reliable ciphers without noticeable performance degradation Connection of the encrypted volume only after two-factor authentication (smart card + password) Securing of a virtual logical partition operated "below" a file system The standard recommended for usage in Ukraine that allows to use the product in the state organizations and establishments Secure Virtual Drive allows to select the symmetric block cipher for container securing: Allows to use the most modern international standards of symmetric enciphering providing high reliability and efficiency AES-128 / 192 / 256 (FIPS 197) Camellia-128 / 192 / 256 GOST 28147-89

16. Fast and transparent disk operation (after container mounting the operation with the secured volume is carried out in the same way, as for usual logical disks ) Creation of arbitrary amount of protected containers (files which store the enciphered logical volume) Simultaneous mounting up to 8 protected disks Change of access password and/or smart card to a container without re-enciphering Usage of the reliable random numbers generator for secret keys generation Possibilities of «Secure Virtual Drive»

17. Supports of various file systems - NTFS, FAT32, FAT Hot list for fast mounting of often used disks Possibility to hide the free (unused) space of the protected container Fast and reliable erasing of the protected disk content without possibility to restore Support of emergency and safe unmounting of used disks Possibilities of «Secure Virtual Drive»

18. Instant Messaging Encryption Software «Crypto-IM» Our Miranda IM plug-in provides secured interchange of Instant Messages between Cryptomach PKI users For the secure conversation establishing it is necessary, that both correspondents must have valid Cryptomach CA certificates and use Miranda IM with our plug-in Crypto-IM Protocol independent messages encryption by GOST 28147-89 or AES-256 / Camellia-256 (option) Digital signature and ECDH session key derivation support Certificate based talker authentication and key derivation Certificate status on-line validation support (by Cryptomach CA) Active smart cards and tokens usage for private keys keeping and operating Hardware based session keys generation

19. GSM Voice Encryption Software «CryptoPhone» Communication privacy the new service at the market of mobile communication

20. Application of the reliable cryptography for guaranteeing the traffic confidentiality and subscribers authenticity Secure channel establishing between end-users of GSM-communication GSM Voice Encryption Software «CryptoPhone»

21. Secure key setup protocol “ End-Point-to-End-Point“ Traffic protection Voice protection by usage of reliable and block cipher AES-256 (FIPS-197) Usage of the codec that provide sufficient quality for low bit rate Protected text messages exchange Protected File Transfer GSM Voice Encryption Software «CryptoPhone» 1 2 6 5 4 3

22. General-purpose cryptographic libraries for support of own and third-party software products GOST 28147-89 (4 modes of operation defined by standard) AES, Camellia, DES , Triple-DES (5 modes of operation: ECB, OFB, CFB, CBC, CTR) Ukrainian Hashing standard GOST 34.311-95 International Hashing standards SHA-2, SHA-1, MD-5 Ukrainian Digital Signature standard DSTU 4145-2002 Key establishment standard DSTU ISO/IEC 15946-3 Foreign Digital Signature standards GOST 34.10 - 2000, ECDSA, ECGDSA, ECKDSA IEEE P1363 Key agreement schemes ECKAS DH1, ECKAS DH2, ECKAS MQV Cryptographic Libraries

23. Pre-Boot Authentication Pre-Boot Authentication Hardware-software solution for user authentication before OS loading Working stations protection from unauthorized access Two-factor authentification of the user on the basis of the individual key carrier (smart card or USB-token) and the access password The software can be configured for operation with one or several OS In the case of key carrier absence or authentication fail, the workstation loading can be either prohibited, or default OS could be loaded

24. The solution supports the operation with following key carriers of Cryptomach Ltd. : Pre-Boot Authentication Optionally the range of the supported carriers can be expanded by certain models, and also the solution can be integrated with other tools of disk partition enciphering. Smart card / token of the «GOST Key Keeper» system Multifunctional smart-card «Social Card» USB- breloque «cmToken»

25. Our Services Software development for information protection systems with individual requirements Hardware and hardware-software development of information protection complexes with individual requirements Consulting in the field of information technologies and information protection Theoretical researches in the field of information protection systems, development of new cryptographic algorithms and protocols, cryptanalysis research Electronic digital signature services in the Digital Signature Certification Authority of "Cryptomach Ltd." Services of administration and technical support of informational infrastructure 1 2 6 5 4 3