Protection classes KS2 and KS1: what is the difference? The use of encryption in Russian companies. Implementation of cryptographic tools in personal data protection systems.

The CryptoPro CSP software is designed to control the integrity of system and application software, to manage the key elements of the system in accordance with the regulations for the protection tool, and to provide authorization and legal significance for electronic documents exchanged between users. In addition to the crypto provider itself, CryptoPro CSP includes the CryptoPro TLS, CryptoPro EAP-TLS, CryptoPro Winlogon and CryptoPro Revocation Provider products.

The solution is intended for:

  • authorization and ensuring the legal significance of electronic documents when they are exchanged between users, through the use of procedures for generating and verifying an electronic signature (ES) in accordance with domestic standards GOST R 34.10-2001 / GOST R 34.10-2012 (using GOST R 34.11-94 / GOST R 34.11-2012);
  • ensuring confidentiality and control of the integrity of information through its encryption and imitation protection, in accordance with GOST 28147-89;
  • ensuring the authenticity, confidentiality and imitation protection of connections via the TLS protocol;
  • monitoring the integrity of system and application software to protect it from unauthorized changes and malfunctions;
  • management of the key elements of the system in accordance with the regulations for the protection tool.

Implemented Algorithms

  • The hash function algorithm is implemented in accordance with the requirements of GOST R 34.11-94 / GOST R 34.11-2012 “Information technology. Cryptographic protection of information. Hash function”.
  • The algorithms for generating and verifying an electronic signature are implemented in accordance with the requirements of GOST R 34.10-2001 / GOST R 34.10-2012 “Information technology. Cryptographic protection of information. Processes of formation and verification of electronic digital signature”.
  • The data encryption/decryption algorithm and the imitation insert (MAC) calculation are implemented in accordance with the requirements of GOST 28147-89 “Information processing systems. Cryptographic protection”.

When generating private and public keys, different parameter sets may be used in accordance with GOST R 34.10-2001 / GOST R 34.10-2012.
When computing a hash value and when encrypting, different replacement nodes (S-boxes) may be used in accordance with GOST R 34.11-94 and GOST 28147-89.
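As an added illustration of the GOST 28147-89 operations named above (example code written for this page, not CryptoPro's implementation), the following pure-Python sketch runs the 32-round encryption and decryption cycles and computes the 16-round imitation insert. The S-box is an assumed sample replacement node and the zero padding in the MAC is a simplification; only round-trip and tamper-detection properties are checked, not certified test vectors.

```python
import hmac
import struct

# Sample replacement node (S-box): the eight 4-bit permutations of the test
# parameter set usually published with GOST R 34.11-94 (assumed here). The
# cipher is parameterised by this table; any eight permutations of 0..15 work.
SBOX = [
    [4, 10, 9, 2, 13, 8, 0, 14, 6, 11, 1, 12, 7, 15, 5, 3],
    [14, 11, 4, 12, 6, 13, 15, 10, 2, 3, 8, 1, 0, 7, 5, 9],
    [5, 8, 1, 13, 10, 3, 4, 2, 14, 15, 12, 7, 6, 0, 9, 11],
    [7, 13, 10, 1, 0, 8, 9, 15, 14, 4, 6, 12, 11, 2, 5, 3],
    [6, 12, 7, 1, 5, 15, 13, 8, 4, 10, 9, 14, 0, 3, 11, 2],
    [4, 11, 10, 0, 7, 2, 1, 13, 3, 6, 8, 5, 9, 12, 15, 14],
    [13, 11, 4, 1, 3, 15, 5, 9, 0, 10, 14, 7, 6, 8, 2, 12],
    [1, 15, 13, 0, 5, 7, 10, 4, 9, 2, 3, 14, 6, 11, 8, 12],
]
MASK32 = 0xFFFFFFFF

# Subkey order of the standard's cycles: 32-Z (encrypt) is K0..K7 three times
# then K7..K0, 32-R (decrypt) is its reverse, 16-Z (imitation insert) is K0..K7 twice.
ENCRYPT_SCHEDULE = list(range(8)) * 3 + list(range(7, -1, -1))
DECRYPT_SCHEDULE = ENCRYPT_SCHEDULE[::-1]
MAC_SCHEDULE = list(range(8)) * 2


def _round_function(x: int) -> int:
    """Pass eight 4-bit nibbles through the S-box, then rotate left by 11 bits."""
    y = 0
    for i in range(8):
        y |= SBOX[i][(x >> (4 * i)) & 0xF] << (4 * i)
    return ((y << 11) | (y >> 21)) & MASK32


def _cycle(block: bytes, key: bytes, schedule: list) -> bytes:
    """Run one Feistel cycle over a 64-bit block with the given subkey order."""
    if len(key) != 32 or len(block) != 8:
        raise ValueError("key must be 32 bytes and block 8 bytes")
    subkeys = struct.unpack("<8I", key)  # K0..K7 as little-endian words
    n1, n2 = struct.unpack("<2I", block)
    for idx in schedule:
        # N2 ^= f(N1 + K mod 2^32), then the halves swap for the next round.
        n1, n2 = n2 ^ _round_function((n1 + subkeys[idx]) & MASK32), n1
    # The standard's last round has no swap, so undo the final one.
    return struct.pack("<2I", n2, n1)


def encrypt_block(block: bytes, key: bytes) -> bytes:
    return _cycle(block, key, ENCRYPT_SCHEDULE)


def decrypt_block(block: bytes, key: bytes) -> bytes:
    return _cycle(block, key, DECRYPT_SCHEDULE)


def imitation_insert(data: bytes, key: bytes) -> bytes:
    """32-bit imitation insert (MAC): XOR each block into the state and run the
    16-round cycle; zero padding of the last block is a simplification."""
    if len(data) % 8:
        data += b"\x00" * (8 - len(data) % 8)
    state = bytes(8)
    for offset in range(0, len(data), 8):
        mixed = bytes(a ^ b for a, b in zip(state, data[offset:offset + 8]))
        state = _cycle(mixed, key, MAC_SCHEDULE)
    return state[:4]


def verify_insert(data: bytes, key: bytes, tag: bytes) -> bool:
    """Check a received insert in constant time; False means the data was altered."""
    return hmac.compare_digest(imitation_insert(data, key), tag)
```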

Supported key media types

  • 3.5-inch floppy disks;
  • smart cards, using smart card readers that support the PC/SC protocol;
  • Touch-Memory DS1993 to DS1996 tablets, via Accord 4+ devices, the Sobol or Krypton electronic lock, or a DALLAS Touch-Memory tablet reader (Windows versions only);
  • electronic keys with a USB interface (USB tokens);
  • removable media with a USB interface;
  • the Windows registry;
  • files on Solaris/Linux/FreeBSD.

Supported operating systems by CryptoPro CSP version (a dash means the version does not support that OS):

  Operating system          CSP 3.6             CSP 3.9       CSP 4.0       CSP 5.0
  Windows Server 2016       -                   x64*          x64**         x64
  Windows 10                -                   x86/x64*      x86/x64**     x86/x64
  Windows Server 2012 R2    -                   x64           x64           x64
  Windows 8.1               -                   x86/x64       x86/x64       x86/x64
  Windows Server 2012       x64                 x64           x64           x64
  Windows 8                 x86/x64             x86/x64       x86/x64       -
  Windows Server 2008 R2    x64/Itanium         x64           x64           x64
  Windows 7                 x86/x64             x86/x64       x86/x64       x86/x64
  Windows Server 2008       x86/x64/Itanium     x86/x64       x86/x64       x86/x64
  Windows Vista             x86/x64             x86/x64       -             -
  Windows Server 2003 R2    x86/x64/Itanium     x86/x64       x86/x64       x86/x64
  Windows Server 2003       x86/x64/Itanium     x86/x64       x86/x64       x86/x64
  Windows XP                x86/x64             -             -             -
  Windows 2000              x86                 -             -             -

A little over two decades ago, cryptography in Russia was surrounded by roughly the same secrecy as weapons technology: its practical use belonged exclusively to the military and the special services, that is, it was completely controlled by the state. No publications or scientific work on the subject could be found in open sources; the topic of cryptography was closed.

The situation changed only in 1990, when the encryption standard GOST 28147-89 came into force. Initially, the algorithm carried a "for official use only" (DSP) restriction and officially became "completely open" only in 1994.

It is difficult to say exactly when the information breakthrough in domestic cryptography occurred. Most likely, it happened when the general public gained access to the Internet, after which numerous materials describing cryptographic algorithms and protocols, articles on cryptanalysis and other information related to encryption began to be published online.

Under these circumstances, cryptography could no longer remain the prerogative of the state alone. In addition, the development of information technologies and communications created a need for cryptographic protection in commercial companies and organizations.

Today, means of cryptographic information protection (CIPF; Russian abbreviation SKZI) include: encryption tools, imitation-protection tools, electronic digital signature tools, coding tools, tools for producing key documents, and the key documents themselves.

In companies they are used mainly for:

  • protection of personal data information systems;
  • protection of the company's confidential information;
  • encryption of corporate e-mail;
  • creation and verification of digital signatures.

The use of cryptography and CIPF in Russian companies

1. Implementation of cryptographic tools in personal data protection systems
Almost any activity of a Russian company today involves the storage and processing of personal data (PD) of various categories, and the legislation of the Russian Federation imposes a number of requirements on its protection. To fulfil them, the company's management first of all has to build a personal data threat model and, based on it, develop a personal data protection system, which should include a means of cryptographic information protection.

The following requirements are put forward for the CIPF implemented in the personal data protection system:

  • The cryptographic tool must function normally in conjunction with the technical and software tools that can affect the fulfillment of the requirements for it.
  • To ensure the security of personal data during their processing, cryptographic means certified in the certification system of the FSB of Russia must be used.

A cryptographic tool, depending on the level of protection it provides, is assigned to one of six classes (KS1, KS2, KS3, KB1, KB2, KA1). Which class of cryptographic tool is introduced into the security system is determined by the category of offender (attack subject) that the operator defines in the threat model.

Thus, cryptographic protection tools are now effectively used by companies and organizations to protect the personal data of Russian citizens and are one of the most important components in personal data protection systems.

2. Protecting corporate information
Whereas in clause 1 the use of cryptographic means is dictated first of all by the requirements of the legislation of the Russian Federation, in this case the company's management itself is interested in using CIPF. With encryption, a company can protect its corporate information: information constituting a trade secret, intellectual property, operational and technical information, etc.

Today, for effective use in a corporate environment, an encryption program must provide:

  • data encryption on a remote server;
  • support for asymmetric cryptography;
  • transparent encryption;
  • encryption of network folders;
  • the ability to differentiate access rights to confidential information between employees of the company;
  • the ability for employees to store private keys on external storage media (tokens).

So, the second application of CIPF is the protection of confidential company information. An encryption tool that supports the features listed above can provide sufficiently reliable protection, but it must be used as one component of an integrated approach to information protection. This approach additionally involves the use of firewalls and antivirus software, and also includes developing an information security threat model, developing the necessary information security policies, appointing those responsible for information security, controlling electronic document management, controlling and monitoring employees' activities, etc.

3. Electronic signature
An electronic signature (ES) today is a full-fledged analogue of a handwritten signature and can be used by legal entities and individuals to give a document in digital form legal force. The use of ES in electronic document management systems significantly increases the speed of concluding commercial transactions, reduces the volume of paper accounting documents, and saves employees' time. In addition, ES reduces the company's costs of concluding contracts, processing payment documents, obtaining various certificates from government agencies, and much more.

Cryptographic protection tools, as a rule, include functions for creating and verifying electronic signatures. Russian legislation puts forward the following requirements for such CIPF:

When creating an ES, they must:

  • show the person signing the electronic document the content of the information being signed;
  • create the ES only after the person signing the electronic document confirms the operation of creating the ES;
  • clearly show that the ES has been created.

When verifying an ES, they must:

  • show the content of the electronic document signed with the ES;
  • show information about changes made to the electronic document after it was signed;
  • indicate the person whose ES key was used to sign the electronic document.

4. Email Encryption
For most companies, e-mail is the primary means of communication between employees. It is no secret that a great amount of confidential information is sent by corporate e-mail today: contracts, invoices, information about the company's products and pricing policy, financial results, etc. If such information becomes available to competitors, it can cause significant damage to the company, up to the termination of its activities.

Therefore, protecting corporate mail is an extremely important component of ensuring the company's information security, and it too becomes possible through the use of cryptography and encryption tools.

Most mail clients, such as Outlook, Thunderbird, The Bat! and others, allow you to configure the exchange of encrypted messages based on public- and private-key certificates (in X.509 and PKCS#12 formats, respectively) created using cryptographic protection tools.

Here we should also mention the ability of cryptographic tools to act as certification authorities (CAs). The main purpose of a certification authority is to issue encryption certificates and authenticate encryption keys. In accordance with Russian law, CAs are divided into classes (KS1, KS2, KS3, KB1, KB2, KA1), each with its own set of requirements. At the same time, the class of the CIPF used in the CA's tools must not be lower than the corresponding class of the CA.

Using CyberSafe Enterprise

When developing the CyberSafe Enterprise program, we tried to take into account all the above features, including them in the program's functional set. So, it supports the functions listed in paragraph 2 of this article, email encryption, the creation and verification of digital signatures, and also works as a certification authority.

The public key servers available in CyberSafe allow companies to organize convenient key exchange between their employees: each of them can publish their own public key and download the public keys of other users.

Next, we will dwell in more detail on the possibility of introducing CyberSafe Enterprise into personal data protection systems. This possibility exists thanks to support for the CryptoPro CSP crypto provider, certified by the FSB of Russia as a cryptographic information protection tool of classes KS1, KS2 and KS3 (depending on the version), and is provided for in clause 5.1 of the "Methodological recommendations for ensuring the security of personal data using cryptographic tools":

“The embedding of cryptographic tools of the KS1 and KS2 classes is carried out without control by the FSB of Russia (if this control is not provided for by the terms of reference for the development (modernization) of the information system).”

Thus, having a built-in CIPF CryptoPro CSP, the CyberSafe Enterprise program can be used in a personal data protection system of classes KS1 and KS2.

After installing CryptoPro CSP on the user's computer, when creating a certificate in CyberSafe Enterprise, it will be possible to create a CryptoPRO certificate:

After the creation of the CyberSafe certificate is completed, the CryptoPRO keys are also created, displayed in your keyring and available for use:

In the event that it becomes necessary to export CryptoPro keys to a separate file, this can be done through the standard CyberSafe key export function:

If you want to encrypt files for transmission to other users (or sign them with your digital signature) and use CryptoPro keys for this, select CryptoPro from the list of available crypto providers:

In the event that you want to use CryptoPro keys for transparent file encryption, you should also specify CryptoPro as a crypto provider in the certificate selection window:

In CyberSafe, it is possible to use CryptoPRO and the GOST algorithm to encrypt logical disks/partitions and create virtual encrypted disks:

E-mail encryption can also be configured based on CryptoPro certificates. In CryptoPro CSP, the ES generation and verification algorithms are implemented in accordance with the requirements of GOST R 34.10-2012, and the data encryption/decryption algorithm in accordance with the requirements of GOST 28147-89.

To date, CyberSafe is the only program that combines the functions of encrypting files, network folders, logical drives, e-mail and the ability to work as a certification authority with support for encryption standards GOST 28147-89 and GOST R 34.10-2012.

The documents:
1. Federal Law "On Personal Data" dated July 27, 2006 No. 152-FZ.
2. Regulation on ensuring the security of personal data during their processing in personal data information systems, approved by Decree of the Government of the Russian Federation of November 17, 2007 No. 781.
3. Guidelines for ensuring the security of personal data with the help of cryptographic means during their processing in personal data information systems using automation tools, approved by the leadership of the 8th Center of the FSB of Russia on February 21, 2008, No. 149/54-144.
4. Regulations on the development, production, sale and operation of encryption (cryptographic) information security tools, approved by Order of the Federal Security Service of the Russian Federation dated February 9, 2005 No. 66.
5. Requirements for electronic signature tools and Requirements for certification center tools approved by Order of the Federal Security Service of the Russian Federation dated December 27, 2011 No. 796.

Means of cryptographic protection of information of protection classes KS2 and KS1, according to the requirements of the Federal Security Service of Russia, differ in the actual capabilities of the attack sources they are designed to counter and in the measures taken to counter attacks.

1. Current capabilities of attack sources

Cryptographic information protection tools (CIPF) of class KS1 are used where the actual capabilities of attack sources are limited to independently creating attack methods and preparing and conducting attacks only from outside the controlled zone.

CIPF of class KS2 is used where the actual capabilities of attack sources are to:

  1. independently create attack methods and prepare and conduct attacks only from outside the controlled zone;
  2. independently create attack methods and prepare and conduct attacks within the controlled zone, but without physical access to the hardware on which the CIPF and its operating environment (SF) are implemented.

Thus, CIPF of class KS2 differs from KS1 in that it also neutralizes attack sources that are able to independently create attack methods and prepare and carry out attacks within the controlled zone, but without physical access to the hardware on which the CIPF and SF are implemented.

2. Variants of CIPF of protection classes KS3, KS2 and KS1

Variant 1 is the basic CIPF software, providing protection class KS1.

Variant 2 is a CIPF of class KS2, consisting of the basic CIPF of class KS1 together with a certified hardware-software trusted boot module (APMDZ).

Variant 3 is a CIPF of class KS3, consisting of the CIPF of class KS2 together with specialized software for creating and controlling a closed software environment.

Thus, CIPF software of class KS2 differs from KS1 only by adding a certified APMDZ to the CIPF of class KS1. A CIPF of class KS3 differs from class KS1 in using the class KS1 CIPF together with a certified APMDZ and specialized software for creating and controlling a closed software environment, and it differs from class KS2 in using the class KS2 CIPF together with that specialized software.

3. Measures to counter attacks

CIPF of class KS2 does not apply the measures to counter attacks that are mandatory for the operation of CIPF of class KS1, namely:

  1. the list of persons entitled to access the premises has been approved;
  2. the list of persons entitled to access the premises where the CIPF is located has been approved;
  3. the rules for access to the premises where the CIPF is located, during working and non-working hours as well as in emergency situations, have been approved;
  4. access to the controlled zone and to the premises where the resources of personal data information systems (ISPD) and/or CIPF are located is granted in accordance with the access control regime;
  5. information about the physical protection measures of the facilities where the ISPD are located is available only to a limited circle of employees;
  6. the documentation for the CIPF is kept by the person responsible for the CIPF in a metal safe (cabinet);
  7. the premises where the documentation for the CIPF and the CIPF and SF components are located are equipped with entrance doors with locks, ensuring that the doors are permanently locked and opened only for authorized passage;
  8. representatives of technical, maintenance and other support services working in the premises (racks) where the CIPF is located, and employees who are not users of the CIPF, are present in these premises only in the presence of operating employees;
  9. employees who are users of the ISPD but not users of the CIPF are informed about the rules of work in the ISPD and the responsibility for non-compliance with the information security rules;
  10. CIPF users are informed about the rules of work in the ISPD, the rules of work with the CIPF and the responsibility for non-compliance with the information security rules;
  11. user actions with personal data are registered and recorded;
  12. the integrity of information security tools is monitored.

CryptoPro has developed a full range of software and hardware products to ensure the integrity, authorship and confidentiality of information using electronic signature and encryption for use in various environments (Windows, Unix, Java). A new direction of the company's products is software and hardware for cryptographic protection of information using smart cards and USB keys, which can significantly increase the security of systems using ES.

Our company is a CryptoPro dealer and has a corresponding .

The cost of CryptoPro CSP products:

  • License for the right to use CIPF "CryptoPro CSP" version 4.0 at one workplace
  • License for the right to use CIPF "CryptoPro CSP" version 4.0 on a server
  • Certificate for annual technical support of CIPF "CryptoPro CSP" at a workplace
  • Certificate for annual technical support of CIPF "CryptoPro CSP" on a server
  • CIPF "CryptoPro CSP" version 4.0 KS1 and KS2 on CD. Forms
  • License for the right to use CIPF "CryptoPro CSP" version 5.0 at one workplace*

* A workplace license does not permit using CryptoPro CSP on server operating systems.

  • License for the right to use CIPF "CryptoPro CSP" version 5.0 on a server
  • Certificate for installation and/or update of CIPF "CryptoPro CSP" at a workplace or on a server*

* Installation of CIPF CryptoPro CSP is carried out in the office of LLC "CRYPTO-PRO" or via remote access to the workplace or server.

Please note that in order to continue working with GOST R 34.10-2001 in 2019 (disabling warning windows or prohibitions when accessing GOST R 34.10-2001 keys after January 1, 2019) using CryptoPro products, the following recommendations must be applied:

  • Recommendations for disabling warning windows;
  • Recommendations for postponing the date of blocking work with GOST R 34.10-2001 for users of CryptoPro CSP 4.0 operating in enhanced key control mode*;
  • Recommendations for postponing the date of blocking work with GOST R 34.10-2001 for users of CryptoPro JCP 2.0.

*Disabled by default in these versions. More details in ZHTYaI.00087-01 95 01. Terms of use.

The operational documentation for CryptoPro CSP 3.9, 4.0 and CryptoPro JCP 2.0 explicitly states a ban on the generation of an electronic signature in accordance with GOST R 34.10-2001 from January 1, 2019. But, in connection with the postponement of the transition to GOST R 34.10-2012 until January 1, 2020, we sent relevant notices to the FSB of Russia, correcting this date. Information about the approval of notifications will be published on our website.

From January 1, 2019, an attempt to use GOST R 34.10-2001 (except for signature verification) on all certified versions of CryptoPro CSP 3.9, 4.0 and CryptoPro JCP 2.0 released to date will cause an error or a warning (depending on the product and mode of operation), in accordance with the GOST R 34.10-2012 transition procedure originally adopted in 2014 with a deadline of January 1, 2019. Error/warning windows can make automatic/automated systems that use GOST R 34.10-2001 keys inoperable, so please apply the above instructions in advance.

We also inform you that certification of the updated versions CryptoPro CSP 4.0 R4 and CryptoPro JCP 2.0 R2 is currently nearing completion; this will be announced on our website. We recommend updating to these versions when they are released.
