Electronic signature and business: is cloud ES used in Russia? cryptographic solutions. From Cloud Signature to Trusted Environment

Only crypto keys issued with CryptoPro CIPF can be transferred to the cloud.

The transfer is carried out in 2 stages, they are described below.

Checking the EDS for compliance with the requirements

Open the CryptoPro CSP cryptographic information protection tool (CIPF) control panel ("Start" - "Control Panel" - "CryptoPro CSP") as administrator ("General" tab - "Run as administrator") and go to the "Hardware" tab (Picture 1).

Figure 1 - Readers setup

Click the button Set up readers... ". The USB flash drive and floppy disk reader is installed by default when installing the CryptoPro CSP. Check that on the “Readers” tab there is an item “ All removable drives". If the item "All removable drives" is missing, it must be added through the button " Add…” (Figure 2).

Figure 2 - Managing readers

Make sure a blank USB flash drive is connected and accessible.

Go to the "Service" tab and click the " Copy».

Figure 3 - Tab "Service" button "Copy"

The Copy Private Key Container window opens.

In the "" window (Figure 3), fill in the "Key container name" field. It can be found in the container lists (button " Overview”) or certificates (button “ According to the certificate»).

After the key container is found, click the " Further". If a password is set for access to the private key, it will be requested.

Enter your password and click the " OK". A window for entering the parameters of the new private key container will open (Figure 4).

Figure 4 - Window for entering parameters of a new private key container

The window " Copying the private key container» (Figure 5).

Figure 5 - Window "Copy private key container"

Enter the name of the new key container and check the radio button " The entered name specifies the key container» to position « User».

Click the Done button. A window will open in which you need to select a USB flash drive to place the copied container (Figure 6).

Figure 6 - Media selection window

Click the button OK". A window for creating a password for access to the private key container will open (Figure 7).

Figure 7 - Password entry window

At this step, you should create a password for the new private key container and confirm it. This password will protect the digital signature, you will need to enter it each time you access it. After entering the required data, click the "OK" button. The cryptographic information protection tool (CIPF) "CryptoPro CSP" will copy the container of the private key to the USB flash drive.

To copy the EDS public key, launch the Internet Explorer settings panel (“ Start» – « Control Panel» – « Browser Properties» (Figure 8)) and go to the tab « Content» (Figure 9).

Figure 8 - " Control Panel» – « Browser Properties»

Figure 9 - " Browser Properties» - « Content» - « Certificates»;

On the Contents tab, click on the Certificates button. In the "Certificates" window, select the EDS certificate associated with the private key and click the "Export ..." button (Figure 10).

Figure 10 - Equipment "Certificates"

The window " Certificate Export Wizard» (Figure 11).

Figure 11 - Certificate Export Wizard

In the Certificate Export Wizard window that opens, click the " Further". In the next step, opt out of exporting the private key by checking the " No, do not export the private key” (Figure 12) and click the “Next” button.

Figure 12 - Selecting the type of keys for export

In the next step, select the EDS certificate file format by selecting the radio button in the "DER-encoded X.509 (.CER) files" field, and click the " Further» (Figure 13).

Figure 13 - Selecting the EDS certificate file format

At the final stage, specify the name and location of the file and click the " Further". At the last step of the wizard, check the selected options and click the " Ready» (Figures 14 and 15).

Figure 14 - Specifying the save path and the name of the certificate

Figure 15 - Saving the EDS certificate

The files obtained as a result of the above manipulations should be placed in a folder and copied to the cloud along the path " W:\EDS". This the folder is accessible only to the main user.

The result should be something like the following "W: \ EDS \ LLC Test" (Figure 16).

Figure 16 - EDS copied to the cloud.

The installation is carried out by information security specialists, they work on weekdays from 9 to 18 Moscow time. The application should indicate the name of the folder in which you saved the EDS.

If your keys are issued using the VipNet CIPF, then they will not work on the terminal farm (via Remote Desktop or RemoteApp). In this case, work can be done on a local PC using a thin client, more about installing and working in .

If the option of working in a thin client does not suit you, then the EDS should be reissued through CryptoPro, to approve the application for reissuing the certificate, you should contact your service organization.

EDS is a software tool for certifying electronic documents.

It includes an unpacker, a certificate and two key(stored in a special carrier– token).

An enhanced unqualified signature is used when certifying documents relating to the taxation of individuals and legal entities.

The issuance of such programs is carried out by certification centers. For getting EP you need to apply and submit documents (this is done online).

Electronic digital contains three main types:

qualified signature- issued exclusively by state centers and is designed to certify documents of high importance.
Unqualified EP. It is used in the implementation of electronic trading.
Simple EDS. She certifies documents with a low status.

Of the general advantages of a digital signature, it is worth highlighting:

Saving money and resources such as paper.
Convenience of registration of electronic documents.
Wide range of use (from individuals to large companies).
Exclusion of access of unwanted citizens to the documents of the owner.
Improving the efficiency of workflow and so on.

Cloud and storage

To start working with the program, you need to activate it. To do this, you can freely download a special driver from the official website of the certification center and install it on your PC. Then the EDS activation process begins:

A certificate is sent from the carrier - this is a kind of permission to use the ES by a specific person.
The process of exporting login keys (login and password) begins.
The user confirms the completion of the activation.

Due to the frequent loss of media, as well as cases of their theft, information technology developers have thought about a different option for storing data - using a remote server. - this is the same tool, only its basic information is contained in a special repository, in " cloud» data. Experts say that information stored on the cloud server, is better protected and excludes access by third parties.

They explain this by the fact that the carrier, where it is contained certificate with passwords, owner you can easily steal and sign for it electronic document. Consequently, user must securely store its token, and this is not always the case.

So, what is a cloud electronic digital signature EDS (electronic digital) we have considered, now we will analyze all its advantages:

The carrier is no longer necessary have on hand.
enjoy EP is possible on any device, even if it is not compatible with the token.
Significant time savings (searching, inserting media is no longer required).
Information stored in the cloud server, is available only to its owner.
Work is carried out stably even when the connection to the Internet is interrupted.

Trends

Many users who use EP, claim: “The stored electronic signature in the cloud could be hacked." Such incidents practically did not happen: people lost the carrier much more often.

Cloud digital signature makes it possible to conduct workflow in any corner of the world, regardless of the device. The countries of the European Union are actively engaged in the design of especially important documents through the cloud. Citizens of the Russian Federation got this opportunity, and they note that storing data on server much more convenient and easier.

The Russian Institute for the Development of the Internet is developing applications that allow you to correctly use EP using smartphones and tablet computers.

The market has been waiting for the "cloud" CEP for several years. Now that the solution has been found, tested and certified by the FSB of Russia, it's time to introduce it into everyday life..

The trend for mass digitalization, which has long been formed and continues to grow, sometimes pleases with truly breakthrough solutions that save finances, as well as months or even years of man-hours of their users. Another example is a "cloud" electronic signature.

"Cloud" qualified electronic signature(“cloud” CES) is a legally significant electronic signature implemented using a technology that transfers all computing operations using ES to an external service (“cloud”), leaving only the need for the user to confirm his identity and complete the operation in a convenient way ( e.g. through a mobile application).

To understand why many problems of the digital economy become irrelevant for the owners of a "cloud" qualified electronic signature, understanding the principles and advantages of the technology will help.

The essence of technology

The "cloud" electronic signature technology is based on 2 main elements: CryptoPro DSS 2.0* and CryptoPro HSM 2.0*, supporting the new GOST R 34.10-2012. You can read more about the transition to the new GOST for the formation of an electronic signature in the article "".

* Products of CRYPTO-PRO LLC - the market leader in the production and distribution of cryptographic information protection tools (CIPF) and electronic signatures.

CryptoPro DSS- this is a "cloud" ES server, a web interface or, more simply, a "shell" that the user sees and interacts with. CryptoPro DSS can be used both on its own and as part of other systems (RBS, EDF, ETP, applications for PC and mobile devices), for integration with which various APIs are provided (the basic part of the application programming interface, on the basis of which it is easy to add the desired functionality in various systems).

CryptoPro HSM is a hardware-software cryptographic module designed for the safe storage and use of the secret keys of the ES of certification centers and users. CryptoPro HSM performs the operations of generating, verifying the ES and calculating the hash function values, encrypting and decrypting data.

The solution implemented by CRYPTO-PRO LLC allows you to transfer the ES key to the "cloud", allowing owners to gain mobility and forget about the risk of compromising the signature, losing the token, and a number of other related problems.

Learn more about the benefits of a "cloud" Qualified Electronic Signature

1 - Genuine mobility

The ES user is released from the "hard" binding to the configured workplace. The cycle of work on setting up cryptographic mechanisms and formats, for example, installing a cryptographic protection tool - the CryptoPro CSP program, and key management is handled by the server components of the solution. Now the electronic signature key can be accessed from a desktop computer, from a laptop, from a tablet, from a smartphone, and even from a phone that does not have an Internet connection. For CryptoPro DSS to work, you only need to install a convenient authentication tool.

Authentication options for users of the "cloud" CEP

a. the myDSS mobile app available for both iOS and Android;
b. SIM card with cryptographic applet;
c. smart card or USB token with cryptography;
d. use of the TLS protocol (transport layer security protocol).

2 - Protection against compromise of the highest level

Key storage - CryptoPro HSM, equipped with tamper sensors, mechanisms for trusted generation and destruction of keys, a "barrier" from leaks through side channels and from an internal intruder (administrator), as well as other levels of protection corresponding to the KV2 class. Keys become unrecoverable and uncompromising.

3 - Performance

The hardware resources of the solution provide a high speed of electronic signature calculation, allowing, by increasing them, to scale the performance to any required level.

4 - Reliability

With the "cloud" ES, the risk of failure of the key carrier, its breakdown, loss or theft is no longer terrible. Any failure will pass unnoticed to the user and without consequences due to the hardware redundancy of server components. Duplication is an example of hardware redundancy.

5 - Economic feasibility

The solution eliminates the need for mandatory expenses for a strictly regulated workplace setup, i.e., for the purchase and installation of local electronic signature tools, for the purchase of usb tokens and smart cards. Instead, users get flexibility in choosing authentication options, which involve simplified procedures for transferring cryptographic information protection and installing ES tools. The benefit of owning this solution is also ensured by the fact that serving multiple users, ensuring high performance, centralized key storage with hardware redundancy takes on a single server. Transition to "cloud" CEP will save the investment nested in:

a. an electronic document management system, since there will be no need to modify or change the existing system;
b. software for working with ES, since there will be no need to abandon the usual software, for example, CryptoPro CSP, when installing the "cloud" cryptographic provider Cloud CSP, will be able to "seamlessly" use the keys stored in the "cloud";
c. a batch of hardware tokens provided to the staff of the company, because they can act as one of the options for authenticating the owners of a "cloud" qualified electronic signature.

In addition, the transition to the new GOST R 34.10-2012, which is relevant for 2018 does not require additional investments from users neither in the purchase of new tokens, nor new software, provided that extended technical support is connected.

The question of "qualification" of "cloud" ES

Technically and organizationally complex in its implementation, the solution has come a long way from an idea to obtaining a certificate from the Federal Security Service. The process was complicated by the fact that in addition to the use of advanced technologies, it was necessary to ensure the proper level of user security.

On August 10, 2018, the developer company CRYPTO-PRO LLC received certificates from the Federal Security Service of Russia for all developed CryptoPro HSM 2.0 and DSS 2.0 configurations. This allows you to generate qualified electronic signatures using any of the above authentication methods.

Certificates of the Federal Security Service of Russia for various configurations of the solution

In order to clearly demonstrate the reliability of this solution, as an example, we will give one of the options for passing the authentication of a user of a "cloud" qualified electronic signature.

Authentication scheme for the "cloud" CEP user through the CryptoPro myDSS mobile application

Description of the typical scheme:

Creation of a document by a user in a service integrated with the CryptoPro DSS server.
Sending a document for signing to a user through the server.
Using the CryptoPro myDSS mobile application, the user is asked for permission to sign a document.
The document is displayed in the application, the user enters a password to confirm the operation (or, if the password is saved, passes Touch ID/Face ID authentication).
A cryptographic confirmation code that fixes the binding to the user, document content, operation time, and device fingerprint is sent to the server.
Upon successful verification of the confirmation code, CryptoPro DSS generates and sends a request to sign the document with the user's electronic signature key in CryptoPro HSM. The hardware-software cryptographic module performs the operation and sends the document signed by the CEP back to the server.
The signed document is sent to a system integrated with CryptoPro DSS (for example, EDF, RBS, etc.).

Implementation and cost of "cloud" qualified electronic signature

It is important to note that due to the technical and organizational features of the implementation of the solution, it is mainly focused on large organizations with an extensive network of electronic signature holders and high mobility of employees: for example, certification centers, banks, insurance, production and sales companies. This will not become an obstacle for organizations of a different type and scale to use the "cloud" CEP in practice. But it can lead to a disproportion between the cost of implementing the technology and the effect obtained.

Implementation of "cloud" CEP technology carried out with the help of an integrator company**. The integrator ensures the interaction of the developer LLC "CRYPTO-PRO" and the organization - the end user, which, due to the high technological complexity of the solution, needs the help of specialists.

The cost of implementing the required configuration of the solution, and hence the final price each "cloud" qualified electronic signature calculated for clients on an individual basis. These values do not have commercial "freedom", but are strictly determined by the analysis of the current technical equipment of the company, the time and labor costs of the integrator for the selection of suitable options, and then the necessary investments in the implementation of the chosen "path".

We invite readers of the site portal to get detailed advice on deploying the cloud-based qualified electronic signature technology in practice, applications are accepted by mail. In the body of the letter, you must specify the name of the organization, business line, contact person and phone number for feedback.

The article was created on the basis of information and reference materials of CRYPTO-PRO LLC and Analytical Center JSC. When using text or its fragments necessarily compliance with the rules indicated at the bottom of the portal

An electronic signature performs the same function as your regular stamped signature:

Confirms the authenticity of the document: helps to make sure that the document has not been changed and that it has reached the recipient in its original form.
Allows you to identify the author of the document.

The electronic signature consists of public and private keys. public key also called public, it is available to everyone and is used to check if the signature is valid, helps to identify the owner and confirm the authenticity of the signed document. private key- secret. With its help, a document is signed, it is available only to the owner of the electronic signature. From a technical point of view, an electronic signature is a set of characters encoded by cryptographic means.

A signature also protects documents from unauthorized access through encryption. Document flow with regulatory authorities necessarily takes place in encrypted form.

How does an electronic signature work?

Before sending reports to the tax authorities using a cryptographic tool and the public key of the recipient, your report is signed, encrypted and transmitted via secure communication channels. Only the inspector, the recipient of the report, can decrypt the document if he has his own secret private key. Then the inspector sends you response documents, they are already encrypted at the inspector's workplace using your public key and cryptographic tool, and decrypted at your workplace using your private secret key.

During decryption, the correspondence between the public key to which the document is encrypted and the user's private key is checked.

An electronic signature is issued by a certification center - an organization that has the right and accreditation for this. After signing the contract and other documents, the CA issues a certificate for your company.

An electronic signature can be stored on a computer, flash drive or rutoken. Rutoken is a USB authentication tool with additional protection of access to keys. Then, in order for the electronic signature to work, install cryptographic software on your computer.

Qualified electronic signature

On July 1, 2013, the Federal Law No. 1-FZ "On Electronic Digital Signature" dated January 10, 2002 became invalid. It was replaced by Law No. 63-FZ "On Electronic Signature" of 04/06/2011, which introduces the concept of a qualified electronic signature or QES.

Due to changes in legislation, the electronic signature for reporting to the CB is valid until December 31, 2013, and from January 1, 2014 it must be replaced with a qualified one.

From July 1, 2013, all users of Kontur.Elba began to receive a qualified electronic signature. If you received a digital signature before July 1, the service will offer to replace the EDS with the CES. The procedure can be completed online, without a visit to the service center, if at the time of registration of the application your signature is valid and the details have not changed.

How is an electronic signature different from a qualified electronic signature?

There are no fundamental differences between them. There are several legal and technical issues.

For example, according to Law No. 63-FZ, an electronic document signed by the CEP is equivalent to a paper document signed with a handwritten signature. In Law No. 1-FZ, signatures were recognized as equivalent.

Technical transformations of the electronic signature will not change your work. You will still be able to send reports from any device and from anywhere on the world map.

Send your good work in the knowledge base is simple. Use the form below

Students, graduate students, young scientists who use the knowledge base in their studies and work will be very grateful to you.

Posted on http://allbest.ru

Federal State Budgetary Educational Institution of Higher Education

“Tambov State University named after G.R. Derzhavin"

Cloud electronic signature: advantages, disadvantages and ways of development

Kirillova Vladlena Olegovna

specialist of the educational and methodological department

Introduction

Along with the active informatization of all spheres of life in modern society, the transition to cloud computing and services is being implemented.

Public services already function in cloud services due to their high performance for mass use by citizens. cloud signature security login banking

The transfer of workflow to cloud storage is also relevant for a small dynamically developing business.

In the process of such a transfer, the question of security and expediency of using a cloud signature arises.

Cloud signature can be actively used in such areas as:

Internet banking or mobile banking systems that require the use of a qualified electronic signature;

portals of public services, electronic reporting systems;

e-commerce systems;

systems of electronic document management.

Relevance. An electronic signature in the cloud (cloud electronic signature) is a computing system that provides access via a network to the possibilities of creating, verifying ES and integrating these functions into business processes of other systems.

A cloud-based electronic signature has all the properties of an electronic signature, only it is stored not on a token or computer, but on the Internet - on a specialized secure server, in the cloud.

Cloud ES implies that your ES private key is stored on the server of the certification center, and the signing of documents takes place there. On the one hand, the fact that the key and the signing of documents occur on the server side reduces the cost of the entire ES system, on the other hand, the key is private and should be kept only by its owner, which creates a lot of questions about the security of this service.

Goals, objectives, materials and methods. The purpose of this work is to analyze scientific publications and legislation in the field of electronic signature and its subspecies - cloud-based electronic signature.

The implementation of this goal is carried out by solving the following tasks:

Conduct an analysis of scientific and educational literature on the topic "Cloud electronic signature";

To study various approaches to solving the inalienability of the user's electronic signature key;

Consider in more detail such developments as "Digital Signature Server" and "Hardware Security Module".

Research methods:

Analysis of documents, federal laws;

Data analysis of periodicals, educational literature, practical aids.

Scientific novelty. The novelty of this work lies in the concept of cloud signature, which is new for the IT industry of the Russian Federation. Cloud signature has its advantages and disadvantages.

Cloud ES is usually cheaper than regular ES, this is due to the absence of the need to purchase a cryptographic information protection tool and a token with a certificate.

For people far from information technology, the ease of use of a cloud signature is important: there is no need to install an ES certificate and special tools for working with it on the workstation. You can work with cloud ES from anywhere in the world, from any device with an Internet connection.

However, there are also disadvantages, such as transferring and storing the key on the server.

The servers are securely protected, but the fact of violation of the confidentiality of the key and its alienation from the owner makes the cloud ES unqualified, i.e. not confirmed by a certificate issued by an accredited certification authority.

Orientation of cloud ES to one specific system, i.e. a cloud ES service created for one information system, as a rule, is not applicable to another. In other words, the user is burdened with the need to have a signing key for each of the systems.

Presentation of the main material

The cloud signature in today's understanding belongs to the category of enhanced unqualified signature. Most of the tasks performed by it correspond to the concept legally enshrined as an enhanced signature. But at the same time, this signature is not certified by the FSB as a regulator responsible for the security of signatures based on cryptographic methods. Currently, the document signing scheme in the cloud looks like this: documents are signed on the DSS (Digital Signature Server) server using keys stored in the HSM (Hardware Security Module). At the same time, user access to HSM is based on the use, as a rule, of non-cryptographic authentication systems, such as:

* classic one-factor authentication by login and password;

* Two-factor authentication with additional input of a one-time password delivered to the user via SMS (OTP-via-SMS).

The main problem - the identification of the user's identity - is preserved for the cloud signature. Going to the cloud service, a person uses a login-password. This, of course, is not enough. You need to know exactly who logged in under this login-password. You can use your fingerprint by sending it over an unencrypted connection to a server. The key factor will remain "an unencrypted connection", because we do not have a means of cryptographic information protection.

In this case, one of the main purposes of EP is leveled? a reliable cryptographic way to determine the author of an electronic document. Such an approach can be justified only for inter-corporate electronic document management systems in which a DSS/HSM-based solution is implemented at the level of participating corporations. In this case, outgoing documents in the common system are processed according to the usual rules, and the storage of keys in a secure cloud is implemented for the convenience of employees.

Federal Law No. 63-FZ of 06-04-2011 "On Electronic Signature" establishes that electronic signature tools that have received confirmation of compliance with the requirements of this law, that is, certified for compliance with the requirements of 63-FZ, must be used to create and verify a qualified electronic signature at the regulator. A simpler verification, control of the embedding of cryptographic information protection into a specific information system where a cloud-based electronic signature is used may not be enough.

Currently, companies developing information security tools are concerned about increasing the security of user authentication when confirming the signing of a cloud ES document and encrypting data when transmitted over the Internet. CRYPTO-PRO and SafeTech companies presented a joint development of CryptoPro myDSS based on the CryptoPro DSS cloud electronic signature (ES) software and hardware system and the PayControl electronic transaction confirmation system.

However, at the moment the solution is being certified by the FSB of Russia, and the signature is qualified only, according to the developers. Kontur.Diadoc also offers a qualified enhanced cloud-based ES with a relatively low cost and authentication via login + password and SMS with a one-time password. The certificate of the FSB of Russia was not found on the site. Thus, the security of use is directly related to access to the user's phone. Today, this risk is gradually decreasing, as the installation of a primitive password protection on the phone is an increasingly common practice among users.

Conclusion, results, conclusions

The use of a cloud signature is one of the steps in the development of the latest information technologies, our approach to a convenient digital future. However, there is still work to be done in this area.

State guarantees are required in the form of a certificate of compliance with the information security requirements of cloud electronic signature tools. It is expedient to develop and implement a standard for the use of a cloud-based electronic signature.

Bibliographic list

1. Federal Law "On Electronic Signature" of April 6, 2011 N 63-FZ (last edition) [Electronic resource]. - Access mode: http://www.consultant.ru/document/cons_doc_LAW_112701/ (date of access: 06/07/2017)

2. Cloud signature: convergence of practice and legislation [Electronic resource]. - Access mode: http://roseu.org/article/32 (date of access: 06/07/2017)

3. CryptoPro myDSS [Electronic resource]. - Access mode: https://www.cryptopro.ru/products/mydss (date of access: 06/07/2017)

4. What is a cloud electronic signature? [Electronic resource]. - Access mode: http://www.diadoc.ru/lp-instruction (date of access: 06/07/2017)

annotation

UDC 004.056.53

Cloud electronic signature: advantages, disadvantages and ways of development. Kirillova Vladlena Olegovna, specialist of the educational and methodological department. Federal State Budgetary Educational Institution of Higher Education “Tambov State University named after G.R. Derzhavin"

The article deals with the problem of using a cloud-based electronic signature from the point of view of legality and security. Various approaches to studying the problem are highlighted, examples of Russian developments are given.

Keywords: electronic signature, cloud, security, information technology, cloud technologies

Abstract

Cloud electronic signature: advantages, disadvantages and ways of development. Kirillova Vladlena Olegovna, a specialist in the teaching and methodical department. Federal State Budget Educational Institution of Higher Education "Tambov State University named G.R. Derzhavin"

The article discusses the problem of using cloud electronic signature from the point of view of legality and security. Various approaches to the study of the problem are highlighted, examples of Russian developments are given.

keywords: electronic signature, cloud, security, Information Technology, cloud technologies

Hosted on Allbest.ru