Electronic signature: practical use of CyberSafe Enterprise software product at the enterprise. Part one

    We are all used to the term “electronic digital signature”, but now it’s more correct to use another term - “electronic signature”, because in April 2011 the Federal Law No. 63-ФЗ “On Electronic Signature” came into force (hereinafter simply the Law “On Electronic Signature” "). It is this law that replaced the law No. 1-ФЗ “On electronic digital signature”. Therefore, what we previously called “electronic digital signature” is now simply called “electronic signature”.

    What is an electronic signature?

    This part of the article will focus on the use of electronic signatures in a commercial enterprise. First, we will consider in which cases an electronic signature will become useful and useful at each enterprise, and then we will consider its practical use.
    First of all, it must be said what an electronic signature is. This is information that is attached to other information (to the information to be signed) in order to determine the person who signed the information, as well as the fact that the information has not changed after it was signed.

    The Law On Electronic Signature itself says the following: “electronic signature - information in electronic form that is attached to other information in electronic form (signed information) or is otherwise associated with such information and which is used to determine the person signing the information” .

    Thus, the main task of electronic signature is to establish the authorship of a document and to ensure that the document has not been modified after its signing.

    If you delve into the law “On Electronic Signatures”, then an electronic signature can be simple and enhanced. A simple electronic signature confirms only the fact of electronic signing of a document by a certain person.

    A strengthened electronic signature, in turn, is divided into a strengthened unskilled and enhanced qualified. Enhanced unqualified electronic signature allows you to:
    • Identify the person who signed the electronic document;
    • Determine the fact of a document change after signing (which is not allowed by a simple electronic signature).

    Also, an enhanced unqualified electronic signature must be obtained as a result of cryptographic conversion of information using an electronic signature key.

    An enhanced qualified ES is the same as an enhanced unskilled one, but the ES verification key is indicated in the qualified certificate, and to create and verify the ES, funds are used that have received confirmation of compliance with the requirements established by the Law on Electronic Signatures. The CyberSafe program considered below offers just the option of enhanced qualified ES.

    Cases of using an electronic signature in an enterprise

    Internal workflow

    The most common version of the company's internal workflow is business notes. It no longer makes sense to print a document and sign it yourself, if you can sign it with a digital signature and send it further down the chain.

    The electronic signature here saves not only time, but also money - reduces the consumption of paper and printer toner. Of course, the cost of one printed sheet of paper may not be very high, but quite a decent amount can be saved in a year, and this is not to mention the time that is expensive today.

    As a rule, the company uses network printers. The network printer can be located in another office or in general on another floor. An employee who has printed a service note needs to leave his office, get to the printer and find his note among the other documents. It takes 10-15 minutes to do everything about everything, and if you take into account the human factor (conversations with employees in the next office), then much more. As a result, these 10-15 minutes could be spent more productively than searching for a printed document.

    The second example is the process of negotiating a contract. Imagine that an employee Ivanov prepares a contract and sends it to the head for approval. The principle is the same as with a memo - why waste time printing a dialect if you can sign it with an electronic signature? The head makes changes to the contract, signs it and sends it to Ivanov. Considering that there will be many changes (after all, mistakes are inevitable anyway), the use of an electronic signature again saves a lot of time and money.

    In large corporate networks, where the head and even an ordinary employee of Ivanov may have an ill-wisher, an electronic signature is a reliable way to verify the authorship of the document and its immutability (that no one has made any changes to it without the knowledge of Ivanov or his head).

    You can argue that they have access rights and it is clear who last edited the document. Why do I need an electronic signature? Everything is as if correct, if not one but. In any system there is a user with maximum rights - an administrator who can not only change the document itself, but also its attributes (including the time / date of the change, the author of the last change, etc.).

    Exchange of documents with affiliates and partners

    When exchanging information with remote branches and partners of the company, email is usually used. And here you can use an electronic signature so that your partners and employees of remote branches can be sure that it was you who sent this message, and not someone who wants to appear to you.

    Yes, there is no practice of concluding contracts completely in electronic form. All the same, a wet seal and signature are still needed. Therefore, to seal the contract with a partner in full electronic form will not work. But then you can safely exchange messages with your partners and have no doubt that someone will fake your message or the message of the partner.

    As for the exchange of documents with remote branches, here you can use an electronic signature, as with internal document management. Now the document flow between branches takes place in half-digital form. Namely: the document must first be printed, then the leader must sign it, after which the secretary of the leader scans it and sends it by e-mail to the remote branch, where it is again printed.

    An electronic signature reduces this process: a document is signed with an electronic signature and sent to a remote branch, where the recipient can verify the electronic signature and make sure that the document was signed specifically by the manager.

    Some problems of the introduction of electronic signature in the enterprise

    It is still difficult for a person to get used to an electronic signature and they are not treated as something serious. Until the document has a “wet” signature, it is still not considered signed. Employees will still use copies of paper documents, lose their private keys, not considering them something important. How to overcome the psychological barrier? How to overcome the same "without a piece of paper - you are a bug, and with a piece of paper - a man"?

    It turns out that there is a way out and it consists in one more piece of paper. It is necessary within the enterprise to adopt the “provision on electronic document management”. All employees should familiarize themselves with it and affix their acceptance of this provision with their signature, not yet electronic. Then the employees will understand that everything is serious - because they are asked to sign. After that, they will begin to use electronic signatures, will take their private keys seriously, etc.

    In addition to the psychological barrier, there is one more - educational. It will be quite difficult for an experienced experienced employee who has several years to retire to explain what an electronic signature is and how to use it correctly. He has relatively recently mastered working with regular e-mail, and then asynchronous cryptography, public and private keys, etc. This is the main problem that I encountered relatively recently from my own experience.
    There is a solution, but it is not as simple as in the first case. At first, the task of training to work with electronic signatures can be assigned to the IT department. If all else fails, then it is already possible to go to the services of third-party specialists. After all, there are trainings on working with a computer, office applications, and e-mail. Similarly, you can find courses on modern document management.

    As with all innovations, you need to be prepared for a wave of rejection. But, when employees understand how good an electronic signature is, they will stop working the old fashioned way. To facilitate the transition to an electronic signature, it is necessary in the very situation that was just discussed to provide for some transitional period when you can still use the usual signatures. Just do not need to set too long a time, otherwise everyone will continue to use the usual signatures.

    There is another problem, but it is of a technical nature, therefore, it is solved quite simply. For the electronic signature to work, you need a certification authority (CA) of the electronic signature or a certification center. The law “On Electronic Signatures” clearly states what CA is:
    Certification Authority - a legal entity or an individual entrepreneur that performs the functions of creating and issuing certificates of keys for verifying electronic signatures, as well as other functions provided for by this Federal Law

    Therefore, a certification authority will have to either create its own, or use external centers, for example, a CyberSafe certification authority.

    The main task of the CA is to issue cryptographic certificates and confirm their authenticity.

    Practical part

    Before moving on to the practical part of our article, you need to talk about choosing software. Why is it worth choosing CyberSoft products?

    Firstly, the development company has all the necessary licenses of the FSB and FSTEC, as you can see at:


    Secondly, the source code of the library used by CyberSafe software is open to everyone and anyone can make sure that the solutions used in the software products are reliable and that there are no “holes”, “loopholes”, backdoors, or other misunderstandings in the program. Since the source code is publicly available, the company has nothing to hide. Try to find the source code of the same BitLocker from Microsoft.

    Now a little specificity. The source code for the encryption library is available at:


    A link to it is on the main page of the cybersafesoft.com/rus site .
    The function SMIME_OSSL_Sign () is used for encryption and signing, the code of which is shown in Listing 1. As you can see, the implementation uses OpenSSL, which has not been complained of for many years.

    Listing 1. Function SMIME_OSSL_Sign () used to encrypt and sign a message / document
    function SMIME_OSSL_Sign (
      AFileSpec, ACertFileSpec: String;
      out ErrMesg: String;
      SMIME: Boolean = False): Boolean;
      function getCertInfo (certSpec: String; var ACert: PX509; var AKey: PEVP_PKEY): Boolean;
        tbio: PBIO;
        cert: PX509;
        key: PEVP_PKEY;
        Result: = False;
        tbio: = nil;
        // Read the certificate and private key
        // must contain "BEGIN \ END CERTIFICATE" and "BEGIN \ END RSA PRIVATE KEY"
        tbio: = BIO_new_file (PAnsiChar (AnsiString (certSpec)), 'r');
        if tbio = nil then
      	  ACert: = PEM_read_bio_X509 (tbio, nil, nil, nil);
    	    BIO_reset (tbio);
    	    AKey: = PEM_read_bio_PrivateKey (tbio, nil, nil, nil {PAnsiChar (pass)});
          Result: = (ACert <> nil) and (AKey <> nil);
          if Assigned (tbio) then
            BIO_free (tbio);
      scert: array of PX509;
      skey: array of PEVP_PKEY;
      i: Integer;
      outf: PBIO;
      certs: TStringList;
      cms: PCMS_ContentInfo;
      outFileSpec: String;
      flags: Cardinal;
      Result: = False;
      OPENSSL_add_all_algorithms_noconf ();
      ERR_load_crypto_strings ();
      certs: = TStringList.Create;
        StrToStrings (ACertFileSpec, ',', certs);
        if certs.Count = 0 then
          ErrMesg: = stNoSignCertificates;
        SetLength (scert, certs.Count);
        SetLength (skey, certs.Count);
        for i: = 0 to certs.Count - 1 do
          scert [i]: = nil;
          skey [i]: = nil;
        // Open content being signed
        inf: = BIO_new_file (PAnsiChar (AnsiString (AFileSpec)), 'r');
        if (inf = nil) then
          ErrMesg: = Format (stErrorOpenFile, [AFileSpec]);
        flags: = CMS_BINARY or CMS_PARTIAL or CMS_STREAM;
        cms: = CMS_sign (nil, nil, nil, inf, flags);
        if (cms = nil) then
          ErrMesg: = Format (stErrorSignFile, [AFileSpec]);
        for i: = 0 to certs.Count - 1 do
          if getCertInfo (certs.Strings [i], scert [i], skey [i]) then
            if CMS_add1_signer (cms, scert [i], skey [i], nil, 0) = nil then
              ErrMesg: = stErrorAddSigner;
        outFileSpec: = GetTmpFileSpec;
        outf: = BIO_new_file (PAnsiChar (AnsiString (outFileSpec)), 'w');
        if (outf = nil) then
          ErrMesg: = Format (stErrorCreateSignedFile, [AFileSpec]);
        // Display S / MIME message 
    {if SMIME_write_CMS (outf, cms, inf, flags) = 0 then
            ErrMesg: = Format (stErrorWriteFile, [outFileSpec]);
        	if i2d_CMS_bio_stream (outf, cms, inf, flags) = 0 then
            ErrMesg: = Format (stErrorWriteFile, [outFileSpec]);
      	if Assigned (cms) then
    	   	CMS_ContentInfo_free (cms);
        if Assigned (inf) then
          BIO_free (inf);
        if Assigned (outf) then
          BIO_free (outf);
        for i: = 0 to certs.Count - 1 do
          if Assigned (scert [i]) then
            X509_free (scert [i]);
          if Assigned (skey [i]) then
            EVP_PKEY_free (skey [i]);
          scert [i]: = nil;
          skey [i]: = nil;
      if FileExists (outFileSpec) then
          DeleteFile (AFileSpec);
          CheckCopyFile (outFileSpec, AFileSpec);
          DeleteFile (outFileSpec);
          Result: = True;
          on E: Exception do
            ErrMesg: = E.Message;
      if not Result then
        ErrMesg: = Format (stErrorSignFile, [AFileSpec]);

    Thirdly, CyberSafe Enterprise can work as a certification authority. Therefore, we can assume that you have already solved the third, technical, problem.

    Theory and all reasoning and reflection mean nothing without practice. Consider using CyberSafe to sign service documents. Install CyberSafe. When you first start the program, you must accept the certificate from CyberSoft CA. In principle, this is written in the program manual, but it’s better to say it again than not to accept the certificate.

    Fig. 1. First launch of the program

    Next, go to Keys and certificates, Private keys and click Create. In the window that appears, enter the email address, password, your name and surname so that your employees can immediately understand who the certificate belongs to. Select the certificate expiration date and key length. For powerful computers it is better to choose the maximum key length, for not very powerful computers - 4096 bits. Remember, the longer the key, the more reliable the protection. Be sure to enable the Publish switch , after creation - your certificate will be automatically published on the CyberSafe server and your employees will be able to easily find it. If you are not going to create your own certificate server or use some external server, then publishing the certificate on the CyberSafe server is the best solution. If you rushed and did not turn on this switch, it doesn’t matter: after creating the certificate, highlight it and clickThe public .

    Fig. 2. Creating a certificate

    Click Next and wait until the program finishes creating the certificate (Fig. 3).

    Fig. 3. Certificate created

    Click Finish . Then the program will ask you to confirm your e-mail. A confirmation code will be sent to it, which will need to be entered in the window that appears (Fig. 4).

    Fig. 4. Enter the confirmation code to publish the certificate.

    Next you will receive a message that the certificate has been published successfully (Fig. 5). I think it’s not necessary to say that Internet access is required to publish a certificate on a CyberSafe server.

    Fig. 5. Certificate successfully published

    Your colleagues should also install CyberSafe and go through the process of creating a certificate and publishing it on the CyberSafe server. To search for a colleague’s certificate by e-mail, click the Search button and enter e-mail (Fig. 6). Next, you need to add your colleague's certificate, and he needs to add your certificate.

    Fig. 6. Adding a peer certificate

    Look at fig. 7. Your certificate is displayed in the list as a key pair - public and private key. The peer certificates added using the Search button are displayed as a single key and contain only the public (public) keys of your peers.

    Fig. 7. List of keys and certificates

    Now let's try to encrypt and sign a memo. Create a memo in any text editor. It can be Word, or maybe just Notepad - the essence of this will not change.
    Go to the Email section . digitally sign, Sign and click Add. files . Select the previously created memo (Fig. 8). You can select several files at once or even the entire folder (using the Add folder button ), but now for simplicity of the example we will work with one file. Highlight it and click Next .

    Fig. 8. Added service note.

    Select file encryption option - Encrypt files with recipient keys(fig. 9). This means that the recipient’s public keys will be used to encrypt the file. If you do not select your key, then even you will not be able to decrypt this file, despite the fact that you have encrypted it (Fig. 10).

    Fig. 9. Encrypt files for transfer to other persons

    Fig. 10. Selecting file recipients

    For the experiment, I did not select my certificate (Fig. 10) and when I tried to decrypt the file that I had just encrypted myself, I received the message Decryption of the file! Perhaps the file is encrypted with a different key .

    Next, from the Sign with private key list, you need to select your key so that the program signs notes on your behalf. You can select the encryption algorithm and key length. To start encryption, click the Encryption button .The program will report that our file has been encrypted successfully (Fig. 12). From fig. 12 shows who signed the document and to whom it is intended (who can read it).

    Fig. 11. We sign the note with our key

    Fig. 12. The note is encrypted.

    As you can see, we not only signed a memo, but also protected it from other users. No one but the users selected as recipients will be able to read it.
    The package containing the encrypted service note will be placed in the directory with the source file, the package name will be the same as the encrypted file (in our case, note01), and the extension will be csp. This file (with the extension .csp) must be transferred to the recipients, for example, sent by e-mail or transferred in some other way.
    Let's see how the recipient can open it, decrypt the files in the package and verify your signature. The recipient must start the CyberSafe program, go to the Email section . digital signature, Verify signature , click Add. files and select the package (file with the extension .csp). In the field above, you can select the folder in which the decrypted files will be placed (Fig. 13).

    Fig. 13. Selecting the .csp package.

    Then you need to click Next and select a certificate to decrypt. Since the package was addressed to your colleague, he must choose his certificate (Fig. 14). After clicking Nextthe program will ask you to enter the certificate password. If the password is correct, the program will decrypt the files and inform that the decryption was successful (Fig. 15).

    Fig. 14. Select Certificate

    Fig. 15. Files have been decrypted successfully.

    It is also necessary to verify the signature to make sure that no one has changed the package during its transfer. To do this, click the Verify signature button . Since the program accesses the certificate center when verifying the signature, Internet access is required to verify the signature. The result of the verification of the signature is shown in Fig. 16 - the signature is verified, the certificate is trusted and is not in the list of revoked ones, and the package was not modified after signing.

    Fig. 16. All is well

    Now let's see how the program will respond to a non-standard situation. Imagine that someone modified the package note01.csp. The program will report an error and refuse to decrypt the files (Fig. 17).

    Fig. 17. Error

    If the brute force method does not work, then the attacker, sneaking into your colleague’s computer at lunch time, may take a different path. He can delete the certificate issued for your colleague's e-mail (gaifylin@gmail.com), and recreate it for the same e-mail and try to decrypt the service note. Its logic is simple - he cannot use the certificate of your colleague, because he does not know his password, but he can delete it and create a certificate for the same e-mail. However, he will not succeed, because he can create at least a hundred certificates for one e-mail - the one that was first published on the CyberSafe key server will be considered trusted. He creates a certificate, enters from him the password specified during its creation, but, alas, he will not be able to read the service note (Fig. 18).

    Fig. 18. Error decrypting the file! Perhaps the file is encrypted with a different key.

    So, we just encrypted and signed a memo and, from our own experience, made sure that the program really works and protects your data from unauthorized reading and modification.


    From all that has been written earlier, it can be concluded that ES is a very useful innovation in the enterprise, since enterprises using the ES will receive the following advantages:
    1. Ability to protect documents from unauthorized reading and alteration
    2. Reduction of paper workflow due to the translation of some internal documents into electronic form
    3. The ability to determine the legal status of a document by electronic signature (establish authorship of a document).

    The entire system described above will only work for commercial organizations, but it can not be used for state-owned enterprises where a certified cryptographic provider is needed. Also, the described system can be used between different organizations for any documents, if the parties agreed to consider the keys and CA trusted.

    It is worth noting that the current version of CyberSafe is not a full-fledged corporate version, because at the moment there is no centralized issuance and distribution of keys. Therefore, in this version, the encryption administrator can generate keys and certificates and write to users on tokens (they will be discussed in the second part of the article). A full-fledged corporate version is expected by mid-2015.

    This concludes the first part of the article. In the second part, we will talk about the use of electronic signatures in government organizations and banks. It will be about using a certified crypto provider and tokens. In principle, everything that will be discussed in the second part of the article can be used in commercial enterprises, if necessary.


    Federal Law of 06.04.2011 N 63-ФЗ (as amended on 06/28/2014) “On electronic signature”
    Comparison of different versions of the CyberSafe program

    Also popular now: