Electronic signature according to Russian standards: practical use in enterprises

    State and commercial enterprises


    The first part of the article dealt with the use of electronic signatures in commercial enterprises. In state-owned enterprises and banks, things are a little different. Here you need to use a certified cryptographic provider, and the keys themselves must be stored on tokens. Therefore, the second part of this article will show how to use a certified cryptographic provider and tokens to store keys outside the computer. First, we will talk about the cryptographic provider, and then we will consider the practical use of the program.

    Not many companies provide certified crypto providers in the vastness of Russia: Crypto-PRO LLC, Lissi LLC, InfoTeKS OJSC, Signal-COM CJSC and some others.
    The CyberSafe program supports working with a certified cryptographic provider from KRIPTO-PRO LLC, which provides the ability to generate and verify electronic signatures in accordance with Russian standards GOST R 34.11-94 / GOST R 34.11-2012 and GOST R 34.10-2001 / GOST R 34.10- 2012.

    Can I use CyberSafe?


    Encryption of personal files is one thing, but the state and banking sectors are completely different. What standards allow CyberSafe to be considered a program that uses SKZI certified by the FSB of Russia and does not require appropriate certification? The answer to this question can be obtained in the passport (form) for the CryptoPro CSP software product and in the methodological recommendations for ensuring personal data security with the help of cryptocurrencies during their processing in personal data information systems using automation tools. The latter were approved by the FSB of Russia on February 21, 2008 No. 149 / 54-144.
    In the passport on CryptoPro CSP we read paragraph 1 of section 2:

    It is allowed to use cryptographic protection measures for cryptographic protection of personal data


    Next, we open the methodological recommendations and read paragraph 1 of section 5:

    5.1. Embedding cryptocurrencies of class KC1 and KC2 is carried out without control by the FSB of Russia (if this control is not provided for by the technical task for the development (modernization) of the information system).


    In accordance with the requirements for electronic funds and the requirements for CA funds, which were approved by order of the Federal Security Service of Russia dated December 27, 2011 No. 796, six classes of cryptocurrencies are established - KS1, KS2, KS3, KV1, KV2, KA1. Embedding cryptocurrencies of class KC3, KV1, KV2 and KA1 is carried out only under the supervision of the FSB of Russia. As for classes KS1 and KS2, there is no control by the FSB. You can read more about cryptographic protection classes at the link provided at the end of the article.
    As you can see, CyberSafe is not only possible to use, but also necessary. The source code of the encryption library that the program uses is available to everyone (a link to it is on the main page of the cybersafesoft.com website ) at:www.assembla.com/spaces/cybersafe-encryption-library/wiki The
    following is the code for the encryption and signature function to ensure that the implementation is reliable (sheet 1).

    Listing 1. Encryption and signature function (GOST)
    function EncryptAndSign (ASignCertContent: string; AEncCerts: TStringList;
      FileName, OutFileName: string; out ErrText: String): Boolean;
    var
      hProv: HCRYPTPROV;
      hStoreHandle: HCERTSTORE;
      pSignerCert: jwawincrypt.PCCERT_CONTEXT;
      encCert: jwawincrypt.CRYPT_DATA_BLOB;
      SigParams: jwawincrypt.CRYPT_SIGN_MESSAGE_PARA;
      pCertContext: PCCERT_CONTEXT;
      Stream: TMemoryStream;
      Certificates: array [0 .. 100] of PCCERT_CONTEXT;
      EncParams: CRYPT_ENCRYPT_MESSAGE_PARA;
      cbEncrypted: DWORD;
      i: Integer;
      pszObjId: LPSTR;
    begin
      Result: = False;
      for i: = 0 to 100 do
        Certificates [i]: = nil;
      if not jwawincrypt.CryptAcquireContext (hProv, nil, nil, PROV_GOST_2001_DH,
        CRYPT_VERIFYCONTEXT) then
        Exit
      hStoreHandle: = CertOpenSystemStore (hProv, 'MY');
      if (hStoreHandle = nil) then
      begin
        ErrText: = 'ErrorOpenStore';
        Exit
      end;
      for i: = 0 to AEncCerts.Count - 1 do
      begin
        try
          encCert: = GetCertContent (FileToStr (AEncCerts.Strings [i]));
        except
          ErrText: = 'ErrorCertLoad';
          Continue
        end;
        pCertContext: = jwawincrypt.CertCreateCertificateContext (MYTYPE,
          encCert.pbData, encCert.cbData);
        pCertContext: = jwawincrypt.CertFindCertificateInStore (hStoreHandle, MYTYPE,
          0, CERT_FIND_EXISTING, pCertContext, nil);
        if (pCertContext = nil) then
        begin
          ErrText: = 'ErrorCertInStoreNotFound';
          Continue
        end;
        Certificates [i]: = pCertContext;
      end;
      encCert: = GetCertContent (FileToStr (ASignCertContent));
      // Open the certificate store
      pSignerCert: = nil;
      pSignerCert: = jwawincrypt.CertCreateCertificateContext (MYTYPE,
        encCert.pbData, encCert.cbData);
      pSignerCert: = jwawincrypt.CertFindCertificateInStore (hStoreHandle, MYTYPE, 0,
        CERT_FIND_EXISTING, pSignerCert, nil);
      if (pSignerCert = nil) then
      begin
        Exit
      end;
      with TMemoryStream.Create do
        try
          LoadFromFile (FileName);
          try
            try
              // Initialize the structure required for digital signature
              pszObjId: = szOID_RSA_MD5; // get certificate algorithm
              FillChar (SigParams, SizeOf (CRYPT_SIGN_MESSAGE_PARA), # 0);
              SigParams.cbSize: = SizeOf (CRYPT_SIGN_MESSAGE_PARA);
              SigParams.dwMsgEncodingType: = MYTYPE;
              SigParams.pSigningCert: = pSignerCert;
              SigParams.HashAlgorithm.pszObjId: = pszObjId;
              // for Signal - Com szOID_RSA_MD5; // 1.2.643.2.2.21
              SigParams.HashAlgorithm.Parameters.cbData: = 0;
              SigParams.cMsgCert: = 1;
              SigParams.rgpMsgCert: = @pSignerCert;
              SigParams.cAuthAttr: = 0;
              SigParams.dwInnerContentType: = 0;
              SigParams.cMsgCrl: = 0;
              SigParams.cUnauthAttr: = 0;
              SigParams.dwFlags: = 0;
              SigParams.pvHashAuxInfo: = nil;
              SigParams.rgAuthAttr: = nil;
              ZeroMemory (@EncParams, SizeOf (CRYPT_ENCRYPT_MESSAGE_PARA));
              EncParams.cbSize: = SizeOf (CRYPT_ENCRYPT_MESSAGE_PARA);
              EncParams.dwMsgEncodingType: = MYTYPE;
              EncParams.HCRYPTPROV: = hProv;
              EncParams.ContentEncryptionAlgorithm.pszObjId: = szOID_CP_GOST_28147;
              // GOST 28147-89 1.2.643.2.2.21 encryption algorithm
              if CryptSignAndEncryptMessage (@SigParams, @EncParams, AEncCerts.Count,
                @Certificates, Memory, Size, nil, cbEncrypted) then
              begin
                Stream: = TMemoryStream.Create;
                try
                  Stream.SetSize (cbEncrypted);
                  if CryptSignAndEncryptMessage (@SigParams, @EncParams,
                    AEncCerts.Count, @Certificates, Memory, Size, Stream.Memory,
                    cbEncrypted) then
                  begin
                    Stream.SetSize (cbEncrypted);
                    Stream.SaveToFile (OutFileName);
                    Result: = True;
                  end
                  else
                    ErrText: = SysErrorMessage (GetLastError);
                finally
                  FreeAndNil (Stream);
                end;
              end
              else
                ErrText: = SysErrorMessage (GetLastError);
            except
              ErrText: = SysErrorMessage (GetLastError);
            end;
          finally
            CertCloseStore (hStoreHandle, CERT_CLOSE_STORE_CHECK_FLAG);
          end;
        finally
          Free
        end;
    end;
    


    Practical use of the program


    First of all, you need to install a certified cryptographic provider "CryptoPro CSP". You can download the software product absolutely free, but after pre-registration at
    www.cryptopro.ru/downloads
    Download and run the installation file. Click the Install button and wait for the message indicating the successful installation of the software product (Fig. 1).


    Fig. 1. CryptoPro CSP is successfully installed.

    Next, run the CyberSafe program. When you first start after installing CryptoPro CSP, you must install the CyberSafe GOST CA certificate (Fig. 2).


    Fig. 2. Install the certificate

    After installing the CyberSafe GOST CA certificate, it's time to talk about tokens. A token is a USB device that is used to authorize a user, protect electronic correspondence, secure access to remote information resources, and also to store cryptographic keys. Since tokens are quite expensive devices, CyberSafe can use ordinary flash drives instead. The flash drive will store the keys placed on it. However, on tokens, your keys are protected from copying, but on a flash drive - not. But given the cost of tokens, this decision is justified. In other words, CyberSafe saves you money.
    When using both tokens and regular flash drives for storing keys, your keys will not be stored on a computer, but on an external medium (token or flash drive).
    So, let's create the Crypto-Pro certificate. Select the menu command Certificates, Create . In the Create Certificate window, enter the email address, password, name and other information. Make sure that you have checked the Create Crypto-Pro certificate box (Fig. 3). If this check box is not selected, make sure that you have installed CryptoPro CSP and restarted CyberSafe after installation.


    Fig. 3. Creating a Crypto-Pro certificate. The

    next step is very important. You need to choose where to store the private key container - on a USB drive (Fig. 4a) or on a token (Fig. 4b). Select the token or removable drive on which you want to store the certificate (just make sure the selection is correct), or select Registryif you want to store the certificate in a computer.


    Fig. 4a. The certificate will be stored on a flash drive


    Fig. 4b. The certificate will be stored on the token.

    Next you will need a little physical work - you need to press the keys on the keyboard or move the mouse pointer until the key is created (Fig. 5).


    Fig. 5. The process of creating a key

    Next, you need to create a password for the container itself (Fig. 6a) or a pin code (Fig. 6b) for the token. This password must be different from the certificate password for security reasons.


    Fig. 6a. Password of the container (flash drive)


    Fig. 6b. Pin-code for the container (token)

    Next, you will see a message stating that the certificate was successfully created (Fig. 7), and after clicking Finishyou need to open your mailbox and find the certificate publication confirmation code there (unless, of course, you have chosen to publish the certificate) and enter it in the window that appears (Fig. 8).


    Fig. 7. Certificate successfully created


    . Pic. 8. Enter the certificate publication confirmation code.

    When you publish the certificate, you will see that it consists of six files (Fig. 9). After the certificate is published, you will see a message about its successful publication on the server. It is clear that at the time of publication, an Internet connection must be established. Open Explorer and view the contents of the flash drive. In the <name> .000 directory you will find private keys (Fig. 10).


    Fig. 9. The process of publishing a certificate


    Fig. 10. Private keys

    Go to sectionKeys and certificates, All keys and make sure that the certificate you created is in the list of certificates (Fig. 11).


    Fig. 11. The created certificate in the general list.

    Next, the created certificate can be used as usual (as was shown in the first part of the article). For example, it can be used to encrypt files. The encryption process is the same, so we will not consider it in detail. I can only say that when encrypting files, you need to select the crypto provider Crypto Pro GOST from the list Select the crypto provider (Fig. 12). Next, you will see a list of keys corresponding to this cryptographic provider.


    Fig. 12. File encryption in accordance with GOST

    Similarly, when transparently encrypting a folder (when you need to encrypt all files from this folder), you need to select the Crypto Pro GOST cryptographic provider from the corresponding list (Fig. 13).


    Fig. 13. Choosing a cryptographic provider with transparent encryption.

    You can also choose encryption according to GOST when encrypting a disk / partition (see. Fig. 14). In the Encryption type list , select GOST and set the encryption parameters.


    Fig. 14. Drive Encryption

    findings


    The CyberSafe program is not only possible, but also needs to be used in government organizations and banks, since the program supports a certified cryptographic provider (Crypto Pro) and allows you to not store certificates (keys) on a computer, but transfer them to external media.

    References


    The level of cryptographic protection during the implementation of the exchange of electronic messages protected by an electronic signature
    Form ZHTPI.00050-03 30 01 (CryptoPro CSP)
    Methodological recommendations
    Source code of the encryption library
    First part of the article

    Also popular now: