Electronic signature in the bank's cloud. Cloud digital signature services

Only keys issued with the CryptoPro cryptographic information protection tool (CIPF) can be transferred to the cloud.

The transfer is carried out in 2 stages, described below.

EDS verification for compliance with the requirements

    Open the control panel of the CryptoPro CSP cryptographic information protection tool (CIPF) as administrator ("Start" - "Control Panel" - "CryptoPro CSP", then on the "General" tab choose "Run as administrator") and go to the "Hardware" tab (Figure 1).

    Figure 1 - Configuring readers

    Click "Configure readers...". The USB flash drive and floppy reader is installed by default when CryptoPro CSP is installed. Check that the "Readers" tab contains the item "All removable drives". If "All removable drives" is absent, add it via the "Add..." button (Figure 2).

    Figure 2 - Managing readers

    Make sure a blank USB flash drive is plugged in and accessible.

    Go to the "Service" tab and click "Copy".

    Figure 3 - "Service" tab, "Copy" button

    The Copy Private Key Container window opens.

  1. In the "Copy Private Key Container" window (Figure 3) fill in the "Key container name" field. The name can be found in the list of containers (the "Browse" button) or of certificates (the "By certificate" button).
  2. After the key container is found, click "Next". If a password is set for access to the private key, it will be requested.

    Enter the password and click "OK". A window for entering the parameters of the new private key container opens (Figure 4).

    Figure 4 - Window for entering the parameters of the new private key container

    The "Copying the private key container" window opens (Figure 5).

    Figure 5 - Window "Copying the private key container"

    Enter a name for the new key container and set the radio button "The name entered specifies the key container" to "User".

    Click "Finish". A window opens in which you select the USB flash drive on which to place the copied container (Figure 6).


    Figure 6 - Media selection window

    Click "OK". A window for creating a password for access to the private key container opens (Figure 7).


    Figure 7 - Password entry window

    At this step, create a password for the new private key container and confirm it. This password protects the digital signature; it will be requested every time the signature is accessed. After entering the required data, click "OK". CryptoPro CSP will copy the private key container to the USB flash drive.

    To copy the public EDS key (the certificate), open the Internet Explorer settings ("Start" - "Control Panel" - "Internet Options") (Figure 8) and go to the "Content" tab (Figure 9).

    Figure 8 - "Control Panel" - "Internet Options"


    Figure 9 - "Internet Options" - "Content" - "Certificates"

    On the "Content" tab, click "Certificates". In the "Certificates" window, select the EDS certificate associated with the private key and click "Export..." (Figure 10).

    Figure 10 - "Certificates" window

    The "Certificate Export Wizard" window opens (Figure 11).

    Figure 11 - Certificate Export Wizard

    In the Certificate Export Wizard, click "Next". At the next step, choose not to export the private key by selecting "No, do not export the private key" (Figure 12) and click "Next".

    Figure 12 - Selecting the type of keys for export

    At the next step, select the EDS certificate file format by choosing "DER encoded binary X.509 (.CER)" and click "Next" (Figure 13).


    Figure 13 - Selecting the file format of the EDS certificate

    At the final stage, specify the file name and location and click "Next". At the last step of the wizard, check the selected parameters and click "Finish" (Figures 14 and 15).

    Figure 14 - Specifying the path to save and name the certificate

    Figure 15 - Saving the EDS certificate
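    The same export, with two checks the wizard does not show, can be done from PowerShell. The script below is an added example and is not part of the bank's instructions: it exports the certificate selected by thumbprint from the current user's Personal store (the store the "Certificates" button shows) to a DER-encoded .cer file, then verifies that the file really is DER and carries no private key. The thumbprint and the output path are placeholders to replace with your own values.

```powershell
# Added example: export an EDS certificate to DER (.cer) without the private key
# and verify the result. Thumbprint and output path are placeholders.
$Thumbprint = 'PLACEHOLDER_THUMBPRINT'
$OutFile    = 'C:\Temp\eds-certificate.cer'

# Locate the certificate in the current user's Personal store (Cert:\CurrentUser\My),
# which is what the "Certificates" button on the "Content" tab displays.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate with thumbprint $Thumbprint not found in Cert:\CurrentUser\My" }

# -Type CERT writes a single DER-encoded X.509 certificate. Export-Certificate never
# writes the private key; that would require Export-PfxCertificate, which is exactly
# the step the procedure above tells you not to take.
Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null

# Check 1: a DER certificate begins with the ASN.1 SEQUENCE tag 0x30; a Base64/PEM
# export would begin with the text '-----BEGIN'.
$bytes = [System.IO.File]::ReadAllBytes($OutFile)
if ($bytes[0] -ne 0x30) { throw "$OutFile is not DER-encoded" }

# Check 2: reload the file and confirm it contains no private key and that it is
# the certificate that was selected (same thumbprint).
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($OutFile)
if ($exported.HasPrivateKey) { throw "Exported file unexpectedly contains a private key" }
if ($exported.Thumbprint -ne $cert.Thumbprint) { throw "Thumbprint mismatch after export" }

"Exported '{0}' (valid until {1}) to {2}" -f $exported.Subject, $exported.NotAfter, $OutFile
```

    The thumbprint can be read from the "Details" tab of the certificate in the same "Certificates" window. If the file passes both checks it is safe to place in the EDS folder: it holds only the public certificate, while the private key remains in the container copied to the USB flash drive.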

    The files obtained as a result of the above steps should be placed in a folder and copied to the cloud at the path "W:\EDS". This folder is accessible only to the main user.

    As a result, you should get something like "W:\EDS\OOO Test" (Figure 16).

    Figure 16 - EDS copied to the cloud.

    Installation is carried out by information security specialists, who work on weekdays from 9 to 18 Moscow time. In the application, indicate the name of the folder in which you saved the EDS.

    If your keys were issued with the VipNet CIPF, they will not work on the terminal farm (via Remote Desktop or RemoteApp). In this case, work can be performed on a local PC using a thin client; for more details about installation and work in.

    If working in a thin client does not suit you, the EDS should be reissued through CryptoPro; to approve the application for reissuing the certificate, contact your service organization.

Back in the last century, many enterprises began a mass transition to electronic document management. Everyone got computers with office software. Documents were typed in Microsoft Word or other text editors, exported to PDF and sent by e-mail.

It seemed that once the workflow was electronic, we would soon forget about cabinets of paper archives and not a single sheet of paper would remain on our desks. If a paper document arrived by regular mail, it would be immediately scanned and digitized. In reality, it turned out quite the opposite: the more an organization used computers for its workflow, the more documents it printed. After all, every document must be endorsed; an unsigned document is merely a draft or an information note. To obtain a signature, documents are printed and then often scanned back, with the originals kept in the archive.

Now it is clear that a truly electronic (paperless) workflow cannot be implemented without digital signatures.

Today B2B, B2C companies and state organizations are moving to the introduction of digital signatures for their undeniable advantages:

  • Paperless document flow. Saving time, money and resources.
  • Effective business processes. Signing in electronic form makes every transaction smoother.
  • Mobile capabilities. Communication within the organization and with customers becomes easier.
Public Key Infrastructure (PKI) provides integrity and confirms the authorship of each document. Timestamps certify the time at which the document was signed, which is necessary for transactions tied to a specific time, to ensure non-repudiation and to retain the data for audit. Of course, the entire digital signature workflow system must comply with the requirements in force in the country of jurisdiction, as well as in the countries where partners and clients operate.

Uniform standards for electronic document management and digital signature infrastructure are gradually being developed. For example, in the countries of the European Union the eIDAS (electronic IDentification, Authentication and trust Services) regulation for electronic identification, authentication and trust services has been in effect since July 1, 2016. The US has adopted the 21 CFR Part 11 standard.

The world's largest trust programs for electronic documents are the Adobe Approved Trust List (AATL) and the Microsoft Root Certificate Program. The CAs included in these lists issue certificate-based digital IDs and timestamping services that comply with regulatory requirements worldwide, such as eIDAS. Electronic digital signatures are already supported for the most popular office document formats, including signing of a document by several persons with timestamps.

What is Digital Signing Service?

Digital Signing Service (DSS) is a scalable API-enabled platform for rapidly deploying digital signatures that provides:

Building your own DSS requires more than a signature workflow and user management. Signing certificates are also required to verify the identity of the author of each document. This includes cryptographic elements such as key management, FIPS 140 Level 2 or higher key storage (such as hardware tokens or HSMs), an OCSP or CRL service, and a timestamp service. Bringing these components together, especially integrating directly with a Hardware Security Module (HSM), whether in the cloud or on-premises, requires significant effort from IT and information security, a good knowledge of cryptography, and the necessary resources.

It is important to consider these hidden costs and investments, as well as limitations and overheads, when evaluating digital signature solutions.

Separately, if the DSS service is critical for the organization, it should operate with a high level of uptime and provide high throughput. That is, the solution must be designed with some redundancy, with a margin for the future, and it should be assumed that the business will grow. The infrastructure must be scalable.

| Aspect | Digital Signing Service | Traditional implementation |
|---|---|---|
| Integration with document-signing applications | Through a simple REST API | Requires in-house cryptographic expertise for configuration and maintenance |
| Cryptographic signature components (certificates, OCSP, CRL, timestamps) | Included in the API; no advanced cryptography knowledge or development resources required | Separate components, each requiring its own calls from applications and in-house development resources for customization |
| Scalability | High scalability; no additional configuration or integration required | Additional hardware purchase and configuration may be required |
| High availability and disaster recovery | Delivered through WebTrust-verified GlobalSign infrastructure with global data centers, redundancy and the best equipment to protect the network | Requires additional investment in equipment |
| Private key management and storage | Through the REST API; no in-house resources or hardware are used | The client is responsible for key management and storage (e.g. in a cloud or on-premises HSM) |
| Signing certificates | Supports signatures at two levels: departments and employees (e.g. John Doe, Accounting) | Not all solutions support both types of credentials |

The cloud service greatly simplifies the deployment of a workflow system with support for digital signatures. All operations just go through the API.

Cloud services differ in price and functionality, but they all guarantee flexibility, scalability and a high level of availability. Although the services are paid, they relieve companies of the need to invest in developing their own solutions, including purchasing expensive cryptographic equipment.

Who needs a cloud-based digital signature service? In theory, these are any organizations of any size that develop or commission specially designed applications and intend to either integrate digital signatures there, or use an already integrated application.

  • Document or application providers looking to integrate digital signatures or seals. Another option is to offer them to customers as a premium option as guaranteed protection of documents against forgery. A flexible model is supported here: digital signatures can be added as an additional layer or option.
  • Businesses looking to integrate digital signatures or seals into their workflow.
  • System integrators that integrate digital signatures into existing and new workflow systems.
Ultimately, it is up to each organization to decide which DSS option best fits its project requirements. The decision takes into account regulatory requirements, the size of the organization and other factors, often unique to each case.


Posted on http://allbest.ru

Federal State Budgetary Educational Institution higher education

"Tambov State University named after G.R. Derzhavin"

Cloud electronic signature: advantages, disadvantages and development paths

Kirillova Vladlena Olegovna

specialist of the educational and methodological department

Introduction

Alongside the active informatization of all spheres of life in modern society, the transition to cloud computing and services is taking place.

Government services already operate in the cloud because of the high performance it offers for mass use by citizens.

Moving workflow to cloud storage is also relevant for small, dynamically developing businesses.

In the process of such a transfer, the question of the security and expediency of using a cloud signature arises.

Cloud signature can be actively used in such areas of activity as:

· Internet banking or mobile banking systems that require the use of a qualified electronic signature;

· Portals of public services, electronic reporting systems;

· E-commerce systems;

· Electronic document management systems.

Relevance. An electronic signature in the cloud (cloud electronic signature) is a computing system that provides network access to the functions of creating and verifying digital signatures and of integrating these functions into the business processes of other systems.

A cloud electronic signature has all the properties of an electronic signature, only it is stored not on a token or a computer but on the Internet, on a specialized secure server in the cloud.

A cloud ES means that your private ES key is stored on the server of the certification center, and documents are signed there. On the one hand, keeping the key and signing documents on the server side reduces the cost of the entire electronic signature system; on the other hand, the key is private and should be held only by its owner, which raises many questions about the security of this service.

Goals, objectives, materials and methods. The purpose of this work is to analyze scientific publications and legislation in the field of electronic signature and its subtype - cloud-based electronic signature.

The implementation of this goal is carried out by solving the following tasks:

Analyze scientific and educational literature on the topic "Cloud electronic signature";

To study various approaches to ensuring the inalienability of the user's electronic signature key;

Consider in more detail such developments as "Digital Signature Server" and "Hardware Security Module".

Research methods:

Analysis of documents, federal laws;

Analysis of data from periodicals, textbooks, practical manuals.

Scientific novelty. The novelty of this work lies in the concept of the cloud signature, which is new for the IT industry of the Russian Federation. The cloud signature has its advantages and disadvantages.

A cloud electronic signature is usually cheaper than a conventional one, since there is no need to purchase a cryptographic protection tool and a token with a certificate.

For people far from information technology, ease of use matters: there is no need to install an ES certificate and special tools for working with it on the workstation. A cloud-based digital signature can be used from anywhere in the world, from any device with an Internet connection.

However, there are also disadvantages, such as transferring and storing the key on the server.

The servers are reliably protected, but the violation of the key's confidentiality and its alienation from the owner make the cloud-based digital signature unqualified, i.e. not confirmed by a certificate issued by an accredited certification center.

A cloud-based digital signature is oriented toward one specific system: a cloud e-signature service created for one information system is, as a rule, not applicable to another. In other words, the user is burdened with holding a signature key for each of the systems.

Presentation of the main material

The cloud signature in today's understanding belongs to the category of enhanced unqualified signatures. Most of the tasks it performs correspond to the concept legally defined as an enhanced signature. At the same time, this signature is not certified by the FSB, the regulator responsible for the security of signatures based on cryptographic methods. At present, the scheme for signing a document in the cloud looks like this: documents are signed on the DSS (Digital Signature Server) using keys stored in an HSM (Hardware Security Module). User access to the HSM is based, as a rule, on non-cryptographic authentication systems, such as:

* classic one-factor authentication by login and password;

* two-factor authentication with additional input of a one-time password delivered to the user via SMS (OTP-via-SMS).

The main problem, user identification, persists for cloud signatures as well. When accessing the cloud service, a person uses a login and password. This, of course, is not enough: you need to know exactly who logged in with this login and password. One could use a fingerprint, sending it to the server over an unencrypted connection. The key factor remains the "unencrypted connection", because there is no cryptographic information protection tool on the user's side.
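The access model described above, in which the key sits on the server and the user is admitted by login, password and a one-time code, can be made concrete with a small model. The Python below is an added example and is not code from CryptoPro DSS, myDSS or any other product named in this article: a toy signing service keeps each user's private key on the server side (standing in for the HSM), admits a client only after a password check plus a single-use code (standing in for OTP-via-SMS), and signs only the document hash the client submits. Textbook RSA over a SHA-256 digest is used purely for illustration, not as a production scheme; the names CloudSigningService, enroll, start_session, sign and verify, and the user and document, are the example's own constructions.

```python
"""Added model of a cloud signing service: the private key never leaves the
server side; the client authenticates with password + one-time code and
submits only a document hash. Textbook RSA, for illustration only."""
import hashlib
import hmac
import secrets

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def generate_keypair(bits: int = 1024):
    """Return ((n, e), (n, d)); only (n, e) is ever published."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))

def document_digest(document: bytes) -> int:
    """SHA-256 of the document as an integer: all the client ever sends."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")

def verify(public_key, digest: int, signature: int) -> bool:
    """Anyone holding the public key (e.g. from the certificate) can verify."""
    n, e = public_key
    return pow(signature, e, n) == digest

class CloudSigningService:
    """Server-side signing: private keys never leave this object (the HSM stand-in)."""

    def __init__(self):
        self._private_keys = {}  # user -> (n, d), held only by the service
        self._credentials = {}   # user -> (salt, PBKDF2 hash of the password)
        self._pending_otp = {}   # user -> single-use code awaiting confirmation
        self.public_keys = {}    # user -> (n, e), what a certificate would carry

    @staticmethod
    def _kdf(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user: str, password: str) -> None:
        self.public_keys[user], self._private_keys[user] = generate_keypair()
        salt = secrets.token_bytes(16)
        self._credentials[user] = (salt, self._kdf(password, salt))

    def start_session(self, user: str, password: str):
        """First factor: login + password. On success the one-time code is
        returned here so the model runs offline; a real service sends it by SMS."""
        if user not in self._credentials:
            return None
        salt, stored = self._credentials[user]
        if not hmac.compare_digest(self._kdf(password, salt), stored):
            return None
        self._pending_otp[user] = f"{secrets.randbelow(10**6):06d}"
        return self._pending_otp[user]

    def sign(self, user: str, otp: str, digest: int):
        """Second factor, then sign the submitted digest with the server-held key.
        The pending code is consumed whether or not it matches (single use)."""
        expected = self._pending_otp.pop(user, None)
        if expected is None or not hmac.compare_digest(expected, otp):
            return None
        n, d = self._private_keys[user]
        return pow(digest, d, n)

def demo() -> dict:
    """Run the flow on a constructed user and document; return the check results."""
    service = CloudSigningService()
    service.enroll("ivanov", "correct horse battery staple")  # constructed sample user
    document = b"Contract No. 1 (constructed sample document)"
    digest = document_digest(document)
    wrong_password = service.start_session("ivanov", "not the password") is None
    otp = service.start_session("ivanov", "correct horse battery staple")
    bad_otp = "000000" if otp != "000000" else "111111"
    wrong_otp = service.sign("ivanov", bad_otp, digest) is None
    otp = service.start_session("ivanov", "correct horse battery staple")
    signature = service.sign("ivanov", otp, digest)
    public = service.public_keys["ivanov"]
    return {"wrong_password_rejected": wrong_password,
            "wrong_otp_rejected": wrong_otp,
            "signature_verifies": verify(public, digest, signature),
            "tampered_rejected": not verify(public, document_digest(document + b"!"), signature)}
```

What the model makes visible is the article's point: the signature verifies correctly against the public key, so a relying party sees a valid signature, yet the only thing binding that signature to a person is the password and the one-time code accepted by the service. Whoever can pass those two checks obtains a signature indistinguishable from the owner's, which is why the authentication strength of the service, not the cryptography, becomes the limiting factor for non-repudiation.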

In this case, one of the main purposes of the ES is nullified: a reliable cryptographic method of identifying the author of an electronic document. This approach can be justified only for intercorporate electronic document management systems in which a DSS/HSM-based solution is implemented at the level of the participating corporations. In this case, outgoing documents in the common system are processed according to the usual rules, and the storage of keys in a secure cloud is implemented for the convenience of employees.

Federal Law No. 63-FZ of 06.04.2011 "On Electronic Signatures" establishes that, to create and verify a qualified electronic signature, electronic signature means must be used that have received confirmation of compliance with the requirements of this law, that is, have been certified by the regulator for compliance with 63-FZ. A simpler check, control over the embedding of cryptographic information protection tools into the specific information system where the cloud-based electronic signature is used, may not be enough.

Currently, companies developing information security tools are working to improve the security of user authentication when confirming the signing of a document with a cloud-based electronic signature, and to encrypt data transmitted over the Internet. CRYPTO-PRO and SafeTech presented a joint development, CryptoPro myDSS, based on the CryptoPro DSS cloud electronic signature (ES) hardware and software complex and the PayControl electronic transaction confirmation system.

However, at the moment the solution is still undergoing certification by the FSB of Russia, and the signature is described as qualified only by the developers themselves. Kontur.Diadok also offers an enhanced qualified cloud-based electronic signature at a relatively low cost, with authentication via login and password plus an SMS one-time password. No FSB of Russia certificate was found on its website. Thus, the security of use is directly tied to access to the user's phone. Today this risk is gradually decreasing, as setting even a primitive password on the phone is becoming increasingly common among users.

Conclusion, results, conclusions

The use of the cloud signature is one of the steps toward the development of the latest information technologies, our approach to a convenient digital future. However, there is still work to be done in this area.

There is a need for guarantees from the state in the form of a certificate of compliance of cloud electronic signatures with information security requirements. It is advisable to develop and implement a standard for the use of cloud-based electronic signatures.


Annotation

UDC 004.056.53

Cloud electronic signature: advantages, disadvantages and ways of development. Kirillova Vladlena Olegovna, specialist of the educational and methodological department. Federal State Budgetary Educational Institution of Higher Education "Tambov State University named after G.R. Derzhavin"

The article discusses the problem of using cloud-based electronic signatures from the point of view of legality and security. Various approaches to the study of the problem are highlighted, examples of Russian developments are given.

Keywords: e-signature, cloud, security, information technology, cloud technology




Ivan Piskunov

The trend of recent years shows that many services are moving from traditional desktop installations to the cloud. Electronic signature was no exception. However, the migration of electronic signatures to the cloud is still perceived ambiguously by the community of users and experts: among the undoubted advantages of the new cloud solutions, information security issues stand apart. Yet neither technology nor legislation stands still, and soon we can expect a new round in the development of electronic signatures with the participation of cloud computing.

Electronic signature as the basis for legally significant electronic document flow

An electronic signature (hereinafter ES), according to Federal Law No. 63-FZ dated 06.04.2011, is a mandatory legally significant requisite of an electronic document. In addition, the law says that the electronic signature is a full analogue of a handwritten signature on a paper document. In view of this, it is logical and fully justified to consider electronic document management a real alternative to traditional office work in general, and in particular to the individual processes of concluding and confirming various transactions, agreements, contracts, etc.

According to the above-mentioned federal law, the ES, as a mandatory element of electronic document management, is designed to provide three key functions:

1. Ensure unique identification of the person who signed the document;

2. Provide protection against unauthorized changes to the document;

3. Ensure the legal force of the electronic document.


The legal significance of the use of electronic signatures is enshrined in a number of domestic regulatory documents. Here are a few main links:

  • Art. 160, 434, 847 of the Civil Code of the Russian Federation, which regulate the practical use of electronic signatures in document flow.
  • Federal Law No. 63-FZ "On Electronic Signatures" dated 06.04.2011. The main and framework law describing the general meaning of the use of electronic signatures when making transactions of various kinds and rendering services.
  • Federal Law No. 149-FZ "On Information, Information Technologies and Information Protection" dated 27.07.2006. This document specifies the concept of an electronic document and all related segments.
  • Federal Law 402-FZ "On Accounting" dated 06.12.2011. The legislative act provides for the systematization of requirements for accounting and accounting documents in electronic form.
  • According to clause 3 of Article 75 of the Arbitration Procedure Code of the Russian Federation, documents obtained using the Internet information and telecommunication network and signed with an electronic signature are admitted as written evidence in arbitration disputes.

All the above means that, using an electronic signature, we can always know exactly by whom and when a document was signed, be sure that no changes were made to it after signing, and, in case of disagreement between the parties and subsequent litigation, ensure non-repudiation of the transaction (conclusion of a contract, etc.).

Currently, the legislation establishes three types of electronic signature for use on the territory of the Russian Federation:

  • Simple ES;
  • Enhanced unqualified ES;
  • Enhanced qualified ES.

How do they differ, and what kind of electronic signature can and should be used for financial transactions? Let us analyze them below (see Figure 1).

1. Simple electronic signature

A simple signature, often called a "login-password" pair, is an electronic signature that, through the use of codes, passwords or other means, confirms that the electronic signature was formed by a certain person.

Classic examples are entering the PIN of your bank card or saying a passphrase (voice tag) in a telephone conversation with a bank call center: all of these are your simple electronic signature. In other words, the only function of such a signature is proof of authorship, i.e. personal identification. A simple ES provides a basic level of security and authentication. For instance, this signature is used to access the features of the Unified Portal of Public Services. A simple electronic signature categorically cannot be used to sign electronic documents, or in state information systems (GIS), that contain state secrets.

2. An ES is enhanced unqualified if the following conditions are met:

  • It is obtained as a result of cryptographic transformation of information using an electronic signature key;
  • It allows you to identify the person who signed the electronic document;
  • It allows you to detect the fact of changes made to the electronic document after the moment of its signing;
  • It is created using electronic signature means.

An enhanced unqualified ES allows you to identify the author of the signed document and prove the immutability of the information contained in it. An unqualified electronic signature embeds cryptographic algorithms that provide reliable protection of documents in accordance with the Russian GOST standards on encryption. Such a signature is quite suitable for internal document flow within a company, as well as for sending electronic documents from one company to another. An unqualified electronic signature is also suitable for electronic bidding.

3. Finally, the third option: an ES is enhanced qualified if it meets all of the above features of an unqualified ES and the following two additional ones:

  • The electronic signature verification key is specified in a qualified certificate;
  • To create and verify the electronic signature, electronic signature means are used that have received confirmation of compliance with the requirements established in accordance with this Federal Law.

It is worth noting that the software required to work with a qualified ES must be certified by the Federal Security Service. Therefore, a qualified electronic signature gives documents full legal force and meets all the requirements for the protection of confidential information. Supervisory authorities, such as the Federal Tax Service, the Pension Fund of the Russian Federation and the FSS, recognize the legal force only of those documents that are signed with a qualified electronic signature.

Figure 1. Types of electronic signatures

Electronic signature in cloud services

Over the past few years, the IT industry has firmly established the trend of moving from operating one's own IT infrastructure to using cloud computing. This is, first of all, the replacement of traditional IT systems, originally deployed on the material and technical base of each individual company, with on-demand services such as SaaS, PaaS and IaaS. According to the recent study "Cloud services in the corporate sector, Russia 2017" by SAP and Forrester, cloud technologies in Russia will grow faster than the IT market as a whole: at an average annual rate of 21%, the cloud market will triple compared to 2015. The report says that large business is currently the most ready to use cloud services: in this segment over 90% of respondents know about cloud services, in small business over 70%. In large business, 54.5% of respondents use cloud services from two or more categories at the same time; in medium business, 50%; in small business, 43%.

Current situation with the use of cloud-based digital signature in Russia

Quite recently, in June 2017, it became known that the FSB, together with Rostelecom, is creating an electronic signature that will "explode and overturn the market". The idea is still the same: to create an electronic signature that does not require a token (a medium such as a flash drive). This was announced by Mikhail Bondarenko, Director for Electronic Government at Rostelecom. "I have information from my colleagues from the Lubyanka that by the end of the year there should be a certain decision that will allow an EDS in the cloud," he said, without giving any details, but contrasting this solution with the electronic signatures on tokens that are common today. "In our opinion, it will explode and overturn the market for trusted authorization and identification," he added. But there is a nuance: in addition to the use of "clouds", it is also supposed to use biometrics, i.e. the individual biometric characteristics of each person as parameters for his unique authentication.

According to the same source, in Bondarenko's words, "It is assumed that Rostelecom will become the operator of this platform and will conduct a pilot experiment with banks for two years, during which time biometric identification services will be provided to them free of charge," noting that about ten banks, including Sberbank, VTB and Gazprombank, are participating in the pilot that has already started.

At the same time, the operator intends to complete the creation of the platform by the end of 2017. In addition, only from January 1, 2018 will the amendments to Federal Law 115 presumably come into force, allowing the use of biometric identification in the financial sector: for opening and closing accounts, placing and withdrawing deposits, transfers, etc. Thus, according to the top manager, the idea is to create, on the basis of the national biometric platform, a "national bank identification and authorization" of Russian residents.

Expert comments:

"According to our estimates, the total number of electronic signature users in Russia exceeds two million. The technology of "cloud" electronic signature, which appeared several years ago, makes this tool more accessible for business. This is confirmed by several tens of thousands of SKB Kontur clients who have made a choice in its favor," says expert Kazakov.

A "cloud" electronic signature has all the properties of an ordinary one, only it is stored not on a USB flash drive or computer, but on the Internet - on a special secure server, "in the cloud", - says Igor Chepkasov, founder and president of the National Cryptocurrency Development Fund. - Signing and encryption of the document takes place there, therefore such an electronic signature does not require the installation of special software on the computer ”.Chepkasov notes that one of the key advantages of "cloud" signature is the ability to sign documents and send them from anywhere in the world and from any device.

Anton Elikov (Merkata project) notes that an electronic signature "in the cloud" is something that many of us use every day without even noticing. "The most striking example is the authorization mechanism in mobile and Internet banks, when after entering the password you are sent a one-time PIN code via SMS. Such two-level authorization can in essence already be an electronic signature," says the expert.

Igor Chepkasov talks about the possibilities of using electronic signatures in new services, for example those built on blockchain technology, namely smart contracts. "Decentralization, the fundamental principle of the technology's operation, provides absolute protection against compromise and unauthorized access to any document and the signature itself, since each such block element (signature, document, archive, etc.) is located in a solid chain of numbered blocks protected by the most complex cryptographic code," he says. So, according to the expert, it is impossible to make changes to a block already put into circulation; a smart contract is an electronic algorithm describing a set of conditions, the fulfillment of which entails certain events. "Its work is based on the creation and application of so-called low-trust protocols, where the protocol algorithm uses only software, and the human factor is excluded from the decision-making chain as much as possible; the person here acts exclusively as one of the parties involved in the implementation of the contract. For example, when sending payments, the execution of the contract is impossible without receiving the number of electronic signatures specified in the contract," he notes.

Currently, certificates of electronic signature verification keys (SKP) are issued on special media, said Mikhail Evraev, deputy head of the Ministry of Telecom and Mass Communications. Moreover, the average cost of such an SKP is about 5 thousand rubles. "The cloud-based electronic signature system will allow you to create a signature without a physical medium, which will significantly reduce the cost of its use and increase the security of use," explained the deputy minister.

The situation was also commented on by the Internet ombudsman Dmitry Marinichev, who is sure that a real revolution will take place in electronic signature technologies, as already happened with information storage devices several years ago. For example, back in the 90s films were sold on VHS cassettes, in the 2000s they appeared on CD, then on DVD, and ten years later they eventually spread on flash drives and on the Internet.

Prospects for using cloud-based digital signature for the banking industry

The electronic signature was conceived as a universal means of confirming the legal force of transactions, and in view of this it has a wide range of applications, from using the portal of state services to ensuring electronic document flow between organizations and state regulatory bodies. In the banking industry, ES is most often used by individuals and legal entities to carry out financial transactions through remote banking (RBS) services. This includes online access to the personal account through web technologies and mobile banking, i.e. account management through a specialized application on smartphones and tablets.

For example, the electronic signature for individuals in the largest federal bank, Sberbank, enables the banking organization to reduce paper turnover and increase the speed of customer service. That is, when opening a deposit, instead of putting a signature on 4 different documents, the visitor will need to enter his PIN (the password to the digital signature) 1 time. This type of technology can provide double client identification: using a passport and using a card with a PIN code that only the owner can know. This will also help prevent possible fraud. So, according to Sberbank's internal data for 2014, within twelve months after the launch of such a service, residents of Moscow alone performed more than three million transactions using an electronic signature.

The procedure for obtaining the corresponding electronic signature key of the Bank of Russia is quite simple: you need to register online on the specialized site "Sber Key". In this way the bank gives any holder of an electronic signature the right to take part in auctions and to submit personal applications on the necessary electronic resources.

Another striking example of the mass use of a cloud-based electronic signature is the Sberbank Business Online Internet bank, which has become the official tool of Sberbank for the electronic signing of multilateral and bilateral agreements between any legal entities and individual entrepreneurs (IE), the so-called intercorporate EDI. As explained, thanks to this system, the labor cost of processing one document is reduced from 2-3 minutes to 10-15 seconds. In addition, by abandoning paperwork, a company can significantly reduce its spending on stationery, renting storage facilities, replacing consumables for office equipment, etc.

Cloud ES security issues

Despite all the tangible advantages of using an electronic signature in the clouds, this concept has not found wide support among information security experts. According to some experts, the use of an electronic signature on a mobile phone is a significant security threat. You do not need to be an expert to see the depressing statistics on the growth in the number of mobile malware that intercepts the user's SMS messages, masquerades as official mobile banking applications and performs other unauthorized actions without the user's knowledge.

In view of this, only a trusted (isolated) environment is suitable, in which the user and the technical means are protected from outside interference at the time of interaction. It is difficult to call a mobile phone such a trusted environment: the user can install any applications at his discretion. The situation is even worse if the operating system of the device is "rooted". However, there is a way out; as already described earlier, this is the use of a special SIM card integrated with the electronic signature.

When using remote banking services, cybercriminals often carry out a "man-in-the-browser" attack, a particular implementation of the "man-in-the-middle" attack: the details of a legitimate payment are replaced, the user is shown the correct data, and the substituted data are sent to the bank. With the new security function, such a trick will no longer work: having received the details, a special applet on the SIM card displays them on the phone screen and asks for a PIN code. Having visually checked that the details are correct, the user enters the PIN code of his electronic signature to confirm, the applet signs the details and sends them back to the gateway, which transmits the information to the bank.
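The exchange described above, as an added example that is not from the article: a small Python model of the man-in-the-browser substitution and of the SIM applet's "sign only what was displayed" check. An HMAC stands in for the applet's signature (an assumption, since a real applet would use the user's private key and the bank would verify with the certificate), and all keys, account numbers, amounts and the PIN are constructed.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key standing in for the user's signing key on the SIM applet.
# Assumption: a real applet holds an asymmetric private key and the bank verifies
# with the user's certificate; an HMAC keeps this demo self-contained and offline.
SIM_KEY = b"constructed-demo-key-not-a-real-secret"
USER_PIN = "4711"  # constructed PIN that unlocks the applet's key

def canonical(details: dict) -> bytes:
    """Deterministic encoding so applet and bank sign/verify identical bytes."""
    return json.dumps(details, sort_keys=True, separators=(",", ":")).encode()

def browser_submit(intended: dict, mitb_active: bool) -> dict:
    """What the bank receives from the browser. With man-in-the-browser malware the
    payee and amount are swapped while the user's browser still shows the intended
    payment (the malware rewrites what the page displays)."""
    if not mitb_active:
        return dict(intended)
    tampered = dict(intended)
    tampered["payee_account"] = "40817810000000009999"  # constructed attacker account
    tampered["amount"] = "250000.00"
    return tampered

def user_confirms_on_phone(intended: dict, shown_on_phone: dict) -> bool:
    """The user compares the details the SIM applet displays on the phone screen
    (a channel the browser malware cannot rewrite) with what they meant to pay."""
    keys = ("payee_account", "amount", "currency")
    return all(intended[k] == shown_on_phone[k] for k in keys)

def sim_applet_sign(details: dict, pin: str) -> Optional[bytes]:
    """The applet signs exactly the details it displayed, and only after the PIN."""
    if not hmac.compare_digest(pin.encode(), USER_PIN.encode()):
        return None
    return hmac.new(SIM_KEY, canonical(details), hashlib.sha256).digest()

def bank_verify(details: dict, signature: Optional[bytes]) -> bool:
    """The bank accepts a payment only if the signature covers the details it holds,
    so a signature made over different details cannot be reused for them."""
    if signature is None:
        return False
    expected = hmac.new(SIM_KEY, canonical(details), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)

def run_payment(intended: dict, mitb_active: bool) -> str:
    """Full flow: browser -> bank gateway -> SIM applet -> bank. Returns the outcome."""
    received_by_bank = browser_submit(intended, mitb_active)
    # The gateway pushes the details it actually holds to the SIM applet for display.
    shown_on_phone = dict(received_by_bank)
    if not user_confirms_on_phone(intended, shown_on_phone):
        return "rejected_by_user"  # the substitution is visible on the trusted screen
    signature = sim_applet_sign(shown_on_phone, USER_PIN)
    return "accepted" if bank_verify(received_by_bank, signature) else "rejected_by_bank"

# Constructed sample payment the user intends to make.
INTENDED_PAYMENT = {"payee_account": "40817810000000001234", "amount": "1500.00",
                    "currency": "RUB"}

if __name__ == "__main__":
    print(run_payment(INTENDED_PAYMENT, mitb_active=False))  # accepted
    print(run_payment(INTENDED_PAYMENT, mitb_active=True))   # rejected_by_user
```

The second case shows why the check works: the tampered details reach the trusted screen and never get a PIN, and even a signature over the original details does not verify against the substituted ones.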

Sergey Gruzdev, CEO of Aladdin R.D., a domestic developer of cryptographic protection systems, highlights another way to use this technology: "In addition to authenticating and signing documents, the developed system can be used to notify a bank client about transactions with his account, which has become especially relevant in light of the entry into force of article nine of 163-FZ "On the national payment system"... Unlike the most popular method at the moment, SMS informing, in this case bank secrecy is guaranteed (no one can read the notifications, neither by infecting the smartphone with a virus, nor even by replacing the base station), and the spoofing of messages by hackers is excluded."

Another problem remains: for example, the loss or deliberate theft of the phone together with a PIN code stored in notes or elsewhere in the phone's internal memory. In this case, the attacker will be able to spend all the money at least from the owner's mobile account and, for example, sign documents binding the subscriber, say, paying for purchases on credit at one of the popular online stores. However, even these risks are reliably prevented in much the same way as with payment and credit cards. The owner of the account (card) can limit the daily volume and content of transactions allowed from this SIM card, as well as use the option to disable his or her digital signature for the period while he or she is not using it.

July 22, 2014 08:50

Cloud technology continues to transform industry after industry, appearing where it would seem least logical. The process is largely reminiscent of the birth and triumphant march of computers across the diverse landscape of human activity. Today, few people think about how computers have changed the production of newspapers and magazines, manufacturing, agriculture, and especially business in all its forms. Now clouds are changing everything around us in the same way, and some areas are already on their second round. For example, accounting.

In 1994, the Main Security Department of FAPSI developed the first electronic signature standard in Russia, but the country was still in a very troubled time, so people really started talking about the electronic signature only 8 years later, in 2002, when a new electronic signature standard was approved, in effect equating the Russian concept of "electronic signature" with the international concept of "digital signature". So the history of this technology in our country, although already twenty years old, actually covers no more than ten years of use.

And for most of this decade, the technology worked like this. On the organization's computers (as a rule, only in the accounting department), special software was installed to work with electronic signatures, and USB media held personalized keys, which were stored in a single copy. It must be said that security in this case was almost complete. Without taking possession of that same "flash drive" with the keys, the token, it was impossible to sign documents on behalf of the organization. But there were also disadvantages! The token can be stolen, lost or physically destroyed, and then you have to go through the authorization procedure at the certification center again. And what if you need to sign urgent documents? In a word, cloud technologies are already on the threshold of changing the next industry forever, and today the electronic document management sector can become the locomotive of their development.

We asked Anastasia Shchepina, an industry specialist and analyst at Synerdocs, to tell us about the benefits of implementing EDF. She believes that the reluctance of business to switch from paper to electronic documents, and from an electronic signature on a medium to a cloud-based electronic signature, is in most cases associated with fears and habits:

"Fears need to be allayed, established processes need to be replaced with new, more efficient ones, and new habits must be developed that will allow you to work and make a profit faster. Fears are usually associated with distrust of the servers that store the private keys of electronic signatures. In fact, the servers that store the keys are well protected. I think it's even safer than carrying a token or flash card with you. Of course, this is a matter of trust, but cloud technologies are just evolving now, and CAs take this seriously.

Now about habits. Many articles have already been written about the advantages of electronic document management; there is no secret here. A cloud electronic signature adds advantages: it allows you to reduce the cost of acquiring electronic signatures and makes it possible to sign documents at any time and in any place where there is Internet. As a result, it turns out that the competitors of a conservative company, which are open to new technologies, make their business more efficient and gain a competitive advantage. This can force a business to start moving first to electronic document management using electronic signatures on a medium, and later, possibly, to cloud-based electronic signatures."

What does the familiar ES technology look like in the cloud? The certification authority creates your electronic signature and places it in its own cloud. In this case, no tokens are needed: authorization takes place via SMS, through the linked mobile phone. The signature itself is located in the cloud, so you can sign invoices and other documents from any device with Internet access: from an office computer, a personal laptop, a tablet or even a smartphone. This approach has obvious advantages. According to Synerdocs analyst Anastasia Shchepina, there are two main advantages of a cloud-based electronic signature.

1. Its cost is lower. The purchase of a cloud-based e-signature is less expensive than a regular purchase. This is due to the fact that to work with this signature, you do not need to purchase a medium and a means of cryptographic information protection (hereinafter - CIPF). In the case of a cloud-based electronic signature, the CIPF is located only on the server where the private key is stored. All this is formalized by the relevant agreements and powers of attorney.

2. Mobility. Now the Internet is almost everywhere, which means that you can sign documents with a cloud electronic signature from any tablet, smartphone or other device with Internet access. Neither paper nor an electronic signature on a medium provides such an opportunity. Cryptographic information protection tools for mobile devices are, of course, being developed now, but you must agree that it is generally easier to work without cryptographic information protection tools on your device. In addition, you do not have to install the private key of the cloud-based digital signature yourself or pay a CA employee to configure everything. There will be no need to train users to work with cryptographic information protection tools and electronic signature certificates.

But, for all its positive qualities, the cloud signature also has negative aspects. Despite the fact that more than 100,000 cloud electronic signatures were issued through popular accounting services in 2013, the widespread use of such signatures is still questionable. Anastasia Shchepina believes that business has not yet fully settled the technical side of using a cloud-based digital signature:

If we talk about a cloud-based electronic signature in document flow, then it is not yet clear how it will work with several EDF services. Most likely with great difficulty. The private key is stored on the CA server, and the EDM service needs to send a request there to generate an electronic signature. At the moment, not all services will easily integrate with the CA's software; you will have to take this into account when switching to a cloud signature. You may have to buy a separate signature for each service.

The second minus is more from the conceptual area. The essence of the electronic signature implies the replacement of a handwritten one: that is, you personally, with your own hands, sign the document with the confidential part of the key. You and only you should have it. In the cloud version, the private key is not in your hands but somewhere out there, on the CA server. That is, in fact, you do not sign with your own hands but through an intermediary. Of course, all this will be documented, and the servers themselves are reliably protected, but not in every organization will the security service approve of this. If it is important for you that documents are signed by the owners of the private keys themselves, then the cloud electronic signature will not suit you.

In general, the prospects for cloud-based digital signatures and electronic document management in our country are encouraging. The State Duma has already approved the e-government development plan until 2018, which also includes a number of measures to promote business. For example, "a decrease in the average number of appeals of representatives of the business community to a government authority to receive one government service." And even if the thesis does not sound very impressive, since they plan to reduce the number of requests to only two, this is already some progress, leading us to the European scenario: a situation where opening a business, paying taxes and signing any documents will be possible on the Internet, and often from a smartphone.