Import Substitution Operating Systems. How do I see domestic OS

    When we talk about the distribution of the operating system, then it is first and foremost not about the kernel of the operating system, but about those applications that are part of the distribution. And when we talk about import substitution of operating systems, then we are talking about a particular version of Linux. Nothing else is proposed for import substitution in the Russian market. As for the linux kernel, Linus Benedict Torvalds is responsible for its development.. And honestly, I do not know anything about the Russian linux kernel. But the environment of any linux distribution is developed by various organizations, and not to list them all: KDE, Mozilla, Google, IBM, etc. etc. And one would expect that with the advent of domestic OS ala linux, this list will be expanded with domestic developments or modifications. But this is not. No, this is not necessarily a domestic browser or email client in these distributions. But I would like to see something refined to reflect the Russian realities in the digital economy. Let's stop on this.

    They will say to me: - “And why, what does not suit from what is?”. First, if we don’t contribute anything, then why do we call “domestic software”? Only due to the fact that, at best, is stored in Russia? As an example, let's consider the use of X509 electronic certificates, electronic signatures, encryption of documents and traffic (tls / https). And this helped me a very interesting analysis (in some ways I may not agree with him, but this particular) problems with the use of digital signature tools that arise for users of Linux. Here is one of the conclusions:
    In some cases, developers of public service portals recommend using non-Registry operating systems, as well as software and configurations that deliberately reduce the security of user data.
    By the words “non-registered operating systems”, naturally, one should understand MS Windows. Standard among government portals, and other services should be considered as a benchmark portal Public services. It allows you to work with it from any native OS of the Linux family. All in all, the plugin that it distributes provides support for the PKCS # 11 standard for tokens / smartcards and this makes it independent of the OS, and for MS Windows it provides support for the MS CSP standard with Russian cryptoalgorithms. And that's all. It (the state service plugin) does not impose a cryptographic provider (whether it is CSP or PKCS # 11) from one manufacturer or another, it checks the cryptographic provider compliance with the standard. And why this positive experience does not extend to other departments mystery. Moreover, the practice of plug-ins is still flawed, it binds the user one way or another to certain operating systems, and even browsers. This browser supports these plugins (which CAPICOM alone is worth), but this one does not, etc. Why not to require in the authentication process, for example,

    And so, the first thing that needs to be done is to untie, make the service portals independent of the OS and crypto-providers, including modernizing the portal of state services.
    But today it is ridiculous, the whole company works on a domestic OS (including accounting), but for access to the FTS (GOST-tovy tls / https is required) they have a special computer with MS Windows.

    Above, we talked about improvements in domestic OS. Let's go back to them. Why and why they are needed. Today, having bought and installed a domestic OS at the workplace, the Russian consumer turns out to receive nothing from the point of view of Russian cryptography: he cannot create a request for a certificate (what is written so well here), do not view the normal GOST certificate, do not sign the document or verify the signature, do not protect your email. Immediately the question arises: - “And what have I acquired? Whether it was easier to download the Linux distribution on the Internet, especially since they are constantly evolving. ” In the West or the East, people acquiring (not necessarily for money) the OS immediately receive a bunch of useful services. And where are our Linux distributions with browsers or email clients using Russian cryptography, where are the utilities that allow us to verify the electronic signature delivered by the FTS under an extract from the Unified State Register? Etc. I do not know such distributions. Therefore, I take the Mageia distribution and attach to it everything that I am writing here:



    How certificates are stored and keys are used in most Linux applications. The absolute majority of applications in Linux (Mozilla, Google, LibreOffice, GnuPG, etc., etc.) use the NSS (Network Security Service) package as a certificate store:



    It is assumed that personal certificates (certificate plus private key) are stored on PKCS # 11 tokens / smartcards. At the same time, it is absolutely not important whether the hardware is a token or software or even cloud. This is an implementation, the main thing is to comply with the PKCS # 11 standard. NSS root certificates are stored in their own database. It should be noted that the developers of Mozilla, Google browsers provide their list of trusted root certificates. Unfortunately, there is not a single Russian root certificate in this list. NSS also maintains a database of modules (libraries) responsible for working with one type of token or another. The NSS package is not inferior to OpenSSL in any way, but it has one indisputable advantage - the availability of a certificate database.

    And what do we have in the end? The NSS package, which is included in the domestic Linux distributions, does not support working with the national GOST-based PKCS # 11 tokens. And this leads to the fact that Firefox and other programs do not want to work with domestic tokens. Do we have domestic tokens with built-in support for GOSTs? It turns out there are in sufficient quantities. This and hardware tokens from different manufacturers:



    Unfortunately, the vast majority of hardware tokens today are used as an ordinary flash drive for storing keys and certificates.
    There are free software tokens both non-certified and certified:



    And even PKCS # 11 cloud tokens are available:



    It is also a shame that the NSS package, which includes a number of utilities, comes with bugs that sometimes appear only on GOST certificates (pp and calgoid utilities).
    And it would be great if the domestic distributions included an NSS package that supports Work with PKCS # 11 tokens with GOST-based cryptography. It can be objected, it is difficult, expensive, etc. But if the developers were interested, then they knew that back in 2010 a bug was registered with GOST for NSS. I myself track NSS and add support for it to GOST, starting with NSS-3.11 and up to now NSS-3.41. And with whom I have just not met over the years (anyone can count), the result is zero. I like the answer: “Did they add them there in the west?” But they do not need. And it turns out to us too.

    And now, if NSS with the support of GOSTs would be in domestic distributions, then support for GOSTs in Firefox, Thunderbird, KMail, LibreOffice, etc. could be added with a little blood. And about all this anyway on the pages of Habr was written. Yes, I almost missed OpenSSL with GOST. There are also versions certified by the Russian Federal Security Service. And openssl with GOST-s almost automatically leads to the appearance in domestic distributions and versions of openvpn on GOST-ah:

    image

    Add Apache here, with support for tls / https on GOST-ah, and PHP with GOST will not hurt.
    And now, in the hands of a domestic OS user, there would already be both openssl and p7sign / p7verify utilities for signing files with electronic signature. But there would be a Cleopatra graphic utility for the same purpose and a GUI for NSS.

    To create a request for a certificate, you could use the guicreate_csp utility:



    And if someone wanted to deploy a certification center in their company, then please:



    Someone would have said, but what about certification? Are they selling and using certified Linux in the West? Of course not. But after all, all domestic manufacturers all of the above products are part of certified distributions. What prevents the certification include in the modified packages. And what would be cool distributions would be for use in the educational process in the specialty "Information Security" or in schools. In my opinion, the Ministry of Digital Development, Communications and Mass Communications of the Russian Federation should be interested in certification.
    And so, what is the conclusion? I remind you, we talked about the electronic signature, about the use of domestic cryptography.

    First, access to portals should not depend on the type of operating system and crypto-provider used.

    Secondly, domestic operating systems should have browsers with support for GOST https.

    Third, domestic OSs should include mail clients with GOST support (signing / encryption).

    Fourth, domestic OSs should incorporate electronic signature and encryption tools.

    Fifth, domestic OSs should have support for PKCS # 11 tokens / smartcards with Russian cryptography support.

    Now, if this minimum is implemented, then we can speak from domestic operating systems such as Linux.
    But not so long ago I was in the same ministry, and there I saw a unique import substitution: they were offered some kind of domestic Linux, they started a virtual machine with Windows and with all the gadgets that were used in the Ministry on Windows, and they could report on import substitution. I hope my last paragraph will not be a guide to action.

    This is really cool !!! What we just do not have!
    Tags:

    Also popular now: