What is an electronic signature. Basics of using an electronic signature in customs clearance

Due to the widespread use of information technology in all spheres of life of modern society, process management in organizations is no exception. Of particular importance in this area are electronic document management systems designed to organize and automate the processes of interaction between employees. The use of these systems ensures efficient document management of the organization and productive work of employees. To organize a full-fledged electronic document management, it is necessary to use an electronic signature, which will also be needed to conduct online trading operations and submit reports to some government agencies.

Legal basis

Initially, the electronic signature was used in banks of certain European countries, later the United Nations and the European Union dealt with the issue of its legal regulation. In the Russian Federation, the issue of legal regulation of the electronic signature arose in the second half of the 90s as part of the discussion in the State Duma of the security problems of cashless payments and electronic commerce and the lack of proper legal control mechanisms. For the first time, the concept of an electronic signature was formulated in the Federal Law of January 10, 2002 "On Electronic Digital Signature" (hereinafter referred to as the Federal Law of 2002), which has become invalid since July 2013. In accordance with this law, an electronic digital signature is a requisite electronic document designed to protect this electronic document from forgery, obtained as a result of cryptographic transformation of information using the private key of the electronic digital signature and allowing to identify the owner of the signature key certificate, as well as to establish the absence of information distortion in the electronic document.

Currently, the legal basis for the use of an electronic signature in the Russian Federation is the Federal Law of April 6, 2011 "On Electronic Signature" (hereinafter - the Federal Law of 2011). In accordance with it, an electronic signature means information in electronic form that is attached to other information in electronic form (signed information) or is otherwise associated with such information and which is used to identify the person signing the information. The current Federal Law defines the basic concepts and principles of using an electronic signature, fixes the types of electronic signatures and the conditions for their recognition, and also regulates the powers of state authorities, the rights and obligations of participants in electronic interaction using an electronic signature.

Thus, the current definition of an electronic signature is broader than the previous one, and now the concept of an electronic digital signature given in the previous law is close, but not identical, to the concept of an enhanced electronic signature, the features of which are the following:

Obtained as a result of cryptographic transformation of information using an electronic signature key;

Allows you to identify the person who signed the electronic document;

Allows you to detect the fact of making changes to an electronic document after the moment of its signing;

Created using electronic signature tools;

The electronic signature verification key is specified in the qualified certificate;

To create and verify an electronic signature, electronic signature tools are used that have received confirmation of compliance with the requirements established in accordance with the Federal Law "On Electronic Signature" of 2011.

It should also be noted that in the period from April 2011 to June 2013, both of the above laws acted in parallel, which was due to the need for time for the transition of market participants and government agencies to new certificates and rules for working with electronic signatures.

The essence of the electronic signature

An electronic signature in the Russian Federation is used by individuals and legal entities and is an analogue of the handwritten signature of an authorized person on paper and sealed, only in relation to giving legal force to an electronic document. The main purposes of using an electronic signature are:

Electronic document management of the company;

Participation in electronic trading on electronic trading platforms;

Submission of reports to government agencies.

The advantages of using an electronic signature for an organization are the following points:

Reducing the time for exchanging documents and making transactions;

Reducing the cost of creating, delivering, storing documents;

Guarantees of reliability and confidentiality of the transmitted information;

Efficient document exchange system for company employees;

Elimination of the problem of the presence / absence of authority to sign certain documents.

Thus, with electronic document management using an electronic signature, it is possible to avoid a lot of paper workflow problems, significantly reduce the time for information exchange and increase the efficiency of the organization as a whole.

In addition to the advantages of using an electronic signature, there are also disadvantages:

Use by unscrupulous users;

Inaccessibility / loss of electronic archives of all documents of organizations due to problems with equipment;

Hardware and software costs.

However, these shortcomings are more likely to be fears that are absolutely groundless in the case of the correct use of an electronic document management system with an electronic signature in an enterprise: the use of individualized software, the creation of backup copies of information, timely repair and replacement of equipment, etc.

The use of an electronic signature in the Russian Federation is carried out on the basis of several principles that are the fundamental foundations in this area:

Freedom to choose the type of electronic signature - the participant has the right to independently determine the type of electronic signature, if the requirement to use a specific type of electronic signature in accordance with the purposes of its use is not provided for by federal laws or regulatory legal acts adopted in accordance with them or by an agreement between participants in electronic interaction;

Freedom to use information technologies and technical means - the participant has the opportunity to use, at his own discretion, any information technology and (or) technical means that make it possible to fulfill the requirements of the Federal Law of 2011 in relation to the use of specific types of electronic signatures;

The inadmissibility of recognizing an electronic signature and (or) an electronic document signed by it as invalid only on the basis that such an electronic signature was not created by one's own hand, but using electronic signature tools for the automatic creation and (or) automatic verification of electronic signatures in the information system.

An analysis of the principles of using an electronic signature allows us to conclude that a participant in electronic interaction has the freedom to choose the type of electronic signature and the necessary technical means, depending on the goals of his activity and the legal regulation of this activity in terms of the presence / absence of mandatory requirements for an electronic signature.

Basic concepts

For a full understanding of the mechanism of functioning of an electronic signature, it is necessary not only to superficially understand its essence, but also to study the basic concepts that appear in this area.

Participants of electronic interaction are persons and (or) organizations that exchange information in electronic form, including state bodies, local governments, etc.

A corporate information system is an information system in which participants in electronic interaction make up a certain circle of people.

A public information system is an information system in which participants in electronic interaction constitute an indefinite circle of persons and in the use of which these persons cannot be denied.

An electronic signature key is a unique sequence of characters used to create an electronic signature.

Electronic signature verification key - a unique sequence of characters uniquely associated with the electronic signature key and designed to verify the authenticity of the electronic signature.

An electronic signature verification key certificate is an electronic document or a paper document issued by a certification center or a trustee of the certification center and confirming that the electronic signature verification key belongs to the owner of the electronic signature verification key certificate.

A qualified digital signature verification key certificate is an electronic signature verification key certificate issued by an accredited certification center or a trustee of an accredited certification center or a federal executive body authorized in the field of electronic signature use (the Ministry of Telecom and Mass Communications of the Russian Federation).

Electronic signature tools are encryption (cryptographic) tools that are used to create or verify an electronic signature, create or verify an electronic signature key.

A certification authority is a legal entity or an individual entrepreneur that performs the functions of creating and issuing certificates of keys for verifying electronic signatures, etc. At present, the functions of the head certification center in relation to accredited certification centers are carried out by the Ministry of Telecom and Mass Communications of the Russian Federation, which carries out the accreditation of certification centers.

Certification center tools - software and (or) hardware used to implement the functions of a certification center.

Types of electronic signature

Russian legislation provides for 3 main types of electronic signature:

1) simple electronic signature - an electronic signature, which, through the use of codes, passwords or other means, confirms the fact of the formation of an electronic signature by a certain person;

2) enhanced unqualified electronic signature (unqualified electronic signature) - an electronic signature that is obtained as a result of cryptographic transformation of information using an electronic signature key, and allows you to identify the person who signed the electronic document and detect the fact of making changes to the document after the moment of its signing, as well as created using electronic signature means;

3) enhanced qualified electronic signature (qualified electronic signature) - an electronic signature, which is obtained as a result of cryptographic transformation of information using an electronic signature key, allows you to identify the person who signed the electronic document and detect the fact of making changes to the document after the moment of its signing, and also creates using electronic signatures. At the same time, the electronic signature verification key is indicated in the qualified certificate, and electronic signature tools that have received confirmation of compliance with the requirements established in accordance with the legislation of the Russian Federation in this area are used to create/verify the electronic signature.

In connection with changes in legislation and the provisions of the Federal Law "On Electronic Signature" of 2011, where there is no previous concept of "electronic digital signature", it is necessary to consider the issue of the ratio of current signatures and new ones. Thus, signature key certificates issued in accordance with Federal Law No. 1-FZ of January 10, 2002 "On Electronic Digital Signature" are recognized as qualified certificates. At the same time, an electronic document signed with an electronic signature, the verification key of which is contained in the certificate of the electronic signature verification key, issued in accordance with the procedure previously established by law, during the validity period of the specified certificate, but no later than December 31, 2013, is recognized as an electronic document, signed with a qualified electronic signature. Also, in cases where federal laws and other regulatory legal acts that came into force before July 1, 2013 provide for the use of an electronic digital signature, an enhanced qualified electronic signature is used.

However, in order to fully apply the electronic signature in connection with the above changes, organizations need to take into account not only the legal aspects of the equality of certain types of signatures, but also explore the technical aspect. When comparing a certificate of a qualified signature and a certificate of an electronic digital signature enshrined in the Federal Law of 2002, there will be a difference in the presence / absence of the SNILS field (insurance number of an individual personal account in the Pension Fund of the Russian Federation), which may lead to the impossibility of using it in specific systems depending on their requirements. In this case, it is necessary to learn in advance about the requirements for the type of electronic signature for the specific purposes of the organization, or to have both certificates.

At the same time, it is important to know that a qualified electronic signature is not universal and its mandatory use is provided only for a number of information systems of state bodies, for example, such as the gosuslugi.ru portal or the reporting systems of the Federal Tax Service of the Russian Federation. As for trading platforms, they themselves determine the requirements for electronic signatures and have the right to use both a qualified signature and an electronic digital signature provided for by the 2002 Federal Law. qualified electronic signatures even by the end of the 2002 law.

In this scenario, the most logical for the organization is to determine the purposes of using an electronic signature. If this is reporting to government agencies, then it is urgent to obtain a qualified signature. However, if we are talking about other trade transactions, it is better to contact the certification center to obtain a qualified signature in order to avoid an awkward situation in the event that any site switches to its mandatory requirement.

It should also be noted that several interconnected electronic documents (package) can be signed with one electronic signature, and each such document individually is recognized as signed. At the same time, one should still not forget about the requirements for specific types of electronic signatures in some cases.

Electronic signatures created in accordance with the rules of law of a foreign state and international standards are recognized in the Russian Federation depending on the compliance with the features of a particular type. The issuance of a certificate of the electronic signature verification key in accordance with the norms of foreign law is not a reason for declaring the document invalid.

The procedure for obtaining an electronic signature

Obtaining an electronic signature takes place in several stages:

1. Finding the Right CA

To obtain an electronic signature, you must first determine the purposes of using an electronic signature by your organization and, depending on them, select a certification center that is authorized to produce certificates of electronic signature verification keys.

The competence of the certification center includes:

Creation and issuance of certificates of electronic signature verification keys to persons who applied for their receipt (applicants);

Approval of validity periods of certificates of electronic signature verification keys;

Cancellation of certificates of electronic signature verification keys issued by him;

Issuance at the request of the applicant of electronic signature means containing an electronic signature key and an electronic signature verification key (including those created by a certification center) or providing the possibility of creating an electronic signature key and an electronic signature verification key by the applicant;

Maintaining a register of certificates of electronic signature verification keys issued and canceled by him, including including information contained in certificates of electronic signature verification keys issued by this certification center, and information on the dates of termination or cancellation of certificates of electronic signature verification keys and on the grounds for such terminations or cancellations;

Approval of the procedure for maintaining the register of certificates that are not qualified, and the procedure for accessing it, as well as ensuring access of persons to the information contained in the register of certificates, including using the Internet;

Creation of electronic signature keys and electronic signature verification keys at the request of applicants;

Checking the uniqueness of keys for verifying electronic signatures in the register of certificates;

Implementation of verification of electronic signatures at the request of participants in electronic interaction;

Carrying out other activities related to the use of an electronic signature.

In addition, the Certification Authority has the following responsibilities:

Informing applicants in writing about the conditions and procedure for using electronic signatures and electronic signature means, about the risks associated with the use of electronic signatures, and about the measures necessary to ensure the security of electronic signatures and their verification;

Ensuring the relevance of the information contained in the register of certificates, and its protection from unauthorized access, destruction, modification, blocking, and other illegal actions;

Providing free of charge to any person at his request in accordance with the established procedure for access to the register of certificates the information contained in the register of certificates, including information about the cancellation of the certificate of the electronic signature verification key;

Ensuring the confidentiality of electronic signature keys created by the certification center.

Thus, the main functions of the certification center are to verify electronic signatures, the verification keys of which are indicated in the certificates of electronic signature verification keys issued by trusted persons, and to ensure electronic interaction between trusted persons, as well as trusted persons with the certification authority. Information entered in the register of certificates is subject to storage during the entire period of activity of the certification center, unless a shorter period is established by regulatory legal acts. In the event of termination of the activities of the certification center without transferring its functions to other persons, it must notify in writing the owners of certificates of electronic signature verification keys issued by this certification center and whose validity has not expired, at least one month before the date of termination of this activity. certification center. In this case, after the completion of the activities of the certification center, the information entered in the register of certificates must be destroyed. In the event of termination of the activities of the certification center with the transfer of its functions to other persons, it must notify in writing the owners of certificates of electronic signature verification keys issued by this certification center and whose validity has not expired, at least one month before the date of transfer of its functions . In this case, after the completion of the activities of the certification center, the information entered in the register of certificates must be transferred to the person who transferred the functions of the certification center that ceased its activities.

At the same time, it is also important to evaluate the stability and quality of the service provider, which, as a rule, are determined by the breadth of the areas of use of their certificates. And, of course, you should not make your decision depending on the price, since for full-fledged operation it is necessary to purchase a complete set in the form of a key carrier, a license for the right to use an electronic signature tool and a certificate of an electronic signature verification key. Prices vary. On the Internet, you can find the websites of certification centers in a suitable region and find out all the information in detail.

2. Submission of an application and documents for obtaining an electronic signature

Having decided on the certification authority, you must send an application for the issuance of an electronic signature certificate. Such an application can be submitted on the website by filling out a short form, after processing which the manager will call back to clarify the details of registration, and later it will be necessary to provide a list of documents to the Registration Center of the certification center. It is also possible to fill out a full registration card on the site and arrive at the place of issue of certificates by the time it is ready. At this stage, the application form depends on the choice of a specific certification authority.

After monitoring the sites of certification centers, the list of documents required to produce a qualified signature key certificate, as a rule, looks like this:

For legal entities

Notarized copy or original with a simple copy of the extract from the Unified State Register of Legal Entities

Notarized copy, or original with a simple copy of the certificate of registration with the tax authority

For individual entrepreneurs

Application for the production of a signature key certificate

A notarized copy or an original with a simple copy of an extract from the USRIP

Notarized copy or original with a simple copy of the certificate of registration with the tax authority

Copy of SNILS certificate holder

Copy of the passport of the future certificate holder

Copy of certificate recipient's passport

Power of attorney to obtain a signature key certificate (if this is not the owner of the certificate)

A power of attorney confirming the authority of the owner of the signature key certificate (if the owner does not have the right to act on behalf of a legal entity without a power of attorney)

For individuals

Application for the production of a signature key certificate

Notarized copy, or original with a simple copy of the certificate of registration with the tax authority

Copy of the passport

Copy of SNILS certificate holder.

3. Obtaining a certificate and a kit

The personal presence of the owner of the certificate or his trusted representative to obtain the certificate of the electronic signature verification key is a prerequisite for most certification centers. Despite the fact that in practice there are cases of providing services remotely using sending scanned application documents by e-mail and receiving an electronic signature certificate also by mail, fraudsters most often act in this way. Registration of a certificate and issuance of a set in a certification center will not take much time. This kit usually includes:

Key carrier (floppy disk, flash drive, token) containing files with an electronic signature key;

The certificate of the electronic signature verification key, which is also recorded as a file on the same key medium;

A copy of the certificate of the electronic signature verification key on paper with the signature and seal of the certification center;

License for the right to use a computer program, which in terms of the law is called an electronic signature tool;

The program of the electronic signature tool itself (installation files) and documentation for it on a CD.

In case of theft or loss of the electronic signature key, you must contact the certification center, report this fact and receive a new key and a new certificate of the electronic signature verification key, while all the stages of obtaining it will have to be repeated and the certificate will be completely different.

It is also important to note that the electronic signature has an expiration date, while the signature key validity period is distinguished - this is the period of time during which the key can be used to create a signature, and the signature verification key validity period is the period of time during which the key can be used to create a signature. verification of the validity of the electronic signature. As a rule, the first term is set to 1 year, and the second term is set from 1 to 15 years. But even after receiving a new signing key and a new certificate after the old one expires, until the "old" certificate expires, all "old" signatures will be considered valid.

Requirements for employees of the organization when working with an electronic signature

Despite the simple procedure for obtaining an electronic signature, for its effective use it is necessary to pay attention to ensuring information security at the workplace of employees. The procedure for ensuring information security when working with an electronic signature, as a rule, is determined by the head of the organization based on recommendations on organizational and technical protection measures, as well as the current Russian legislation in the field of information protection.

Employees who have access to key information and work using an electronic signature must be identified and approved in a specific list. They must undergo appropriate training and familiarize themselves with the documentation for a particular information system, as well as with regulatory documents on the use of an electronic signature. Most often, organizations have an employee responsible for the security of the operation of cryptographic information protection tools, who is engaged in the full process of supporting these processes, including the creation of specialized job descriptions. In case of dismissal or transfer to another department with a change in the work duties of an employee, it is recommended to change the keys to which that employee had access.

It should be noted that the above are the most general requirements, which once again emphasize the seriousness of using an electronic signature in an organization. However, in practice, each organization is individual in regulating this issue.

Registration of labor relations

Of particular relevance in recent years is the use of an electronic signature for registration of labor relations with employees who are in remote access. Thus, in April 2013, amendments to the Labor Code of the Russian Federation came into force, which regulate the regulation of the work of remote workers and provide for the conclusion of an employment contract on remote work through the exchange of electronic documents. However, within the framework of these labor relations, only a qualified electronic signature will be used for both parties: the employer and the employee. To confirm familiarization with the employment order, internal labor regulations, other documents in electronic form, the employee must also use only an enhanced qualified electronic signature.

At the same time, documents related to the work activity of a remote worker are also drawn up in paper form by means of copies of documents in electronic form, which are certified by a qualified electronic signature of the employer and sent to the remote worker for review. It is this copy that the employee signs with his electronic signature.

Responsibility for violation of legislation on electronic signature

Responsibility for violation of the provisions of the legislation on the use of an electronic signature is provided for different participants in electronic interaction. It is important to note that the Federal Law "On Electronic Digital Signature" of 2002 provides for criminal, civil and administrative liability in accordance with the regulatory legal acts of the Russian Federation for the illegal use of the digital signature of another person, including the illegal receipt of a private key and ( or) without proper authority, for illegal creation and use of private keys, as well as in case of infliction of losses to the user of the public key due to unauthorized access to the private key through the fault of the owner of the signature key certificate.

However, in the current law of 2011 there are no such references to the responsibility of participants in electronic interaction. At the same time, the legislator paid attention to the regulation of the responsibility of the certification center for harm caused to third parties as a result of non-fulfillment or improper fulfillment of obligations arising from the contract for the provision of services by the certification center, as well as non-fulfillment or improper fulfillment of the obligations provided for by this law.

Thus, after studying the legal regulation and organizational aspects of using an electronic signature, we can conclude that this technology is relevant at the present time. The widespread use of information technology and the transition to electronic document management will bear fruit in the near future, but this will take some time. The legal regulation of the mechanisms for the functioning of electronic signatures, including the transition period from the provisions of the law that has become invalid to the new legal order, needs additional elaboration. It is especially worth noting the complexity and complexity of the use of various types of electronic signatures, which negatively affects the perception of organizations in the process of introducing new technologies. In addition, the problematic point is the lack of sufficient legal regulation of the responsibility of all participants in electronic interaction. It is assumed that it is logical to establish additional responsibility of employees by local acts of a particular organization. However, at present in Russia, the circulation of electronic documents using an electronic signature is rapidly gaining momentum.

EDS standards in our country are established by law. The requirements for electronic signatures are contained in the Federal Law No. 63-FZ, and in the Order of the Federal Security Service of the Russian Federation No. 796. They define the structure and content of the requirements for electronic signature means.

EDS security requirements

Security standards indicate that an electronic signature must be created using tamper-resistant algorithms. First of all, this requirement concerns the selection of a key or the possibility of influencing it using software or hardware. In addition, the EDS should not be susceptible to attacks that affect the operating environment - for example, damaging the BIOS.

Although the standards do not contain information about the use of foreign keys, their use is one of the few ways to provide the required level of protection. At the same time, it must be remembered that all EDS components cannot be located on a physical one, usually represented by a USB key. The legal requirement in this case is unequivocal - encryption must be carried out by a program installed on the computer that uses external media as authentication. The standards also do not allow encryption using cloud services that do not have a level of security verified by government agencies.

Procedure for using an electronic signature

With regard to the process of certification of a document and reading an EDS, similar requirements are imposed:

1. The user must see the content of the signed document.
2. The user must confirm the signing of the document.
3. ES tools must unambiguously show that the signature has been created.

Regardless of the type, the information about the owner of the signature certificate must be “hard-wired” in the ES certificate. This greatly facilitates the analysis of disputable situations when interacting with government agencies or counterparties that process a large flow of document flow per day.

• Requirements for electronic signature tools
• Requirements for certification authority tools

The development of these documents was provided for by Part 5 of Article 8 of the Federal Law of April 6, 2011 No. 63-FZ "On Electronic Signature".

The requirements are intended for customers and developers of electronic signature tools and certification centers in their interaction with each other and with organizations conducting cryptographic and special studies of such tools, as well as in their interaction with the FSB, confirming the compliance of such tools with the established requirements.

I was primarily interested in how these requirements reflect issues related to records management. Many relevant items were found in "Requirements for the means of electronic signature".

When creating an electronic signature (ES), the ES tools must (clause 8):

• show the person signing the electronic document the content of the information he signs,
• create an ES only after the person signing the electronic document confirms the operation to create an ES,
• clearly show that the ES has been created.

When checking the ES, the ES tools must (clause 9):

• show the content of an electronic document signed by an ES,
• show information about making changes to the signed ES electronic document,
• indicate the person using the ES key of which electronic documents are signed.

These requirements do not apply to ES tools used for automatic creation and (or) automatic verification of ES in the information system (clause 10).

Depending on the ability to resist threats, ES tools are divided into classes (clause 12). Depending on the class, the requirements for recording events associated with the use of the ES tool differ:

33. For ES tools of classes KS1 and KS2, the need to present requirements for registering events and their content are indicated in the TOR for the development (modernization) of ES tools.

34. The composition of the ES tools of classes KS3, KB1, KB2 and KA1 should include a module that records in the electronic log of events in the ES and SF tools related to the performance of the ES tool of its target functions.

The requirements for the specified module and the list of registered events are determined and justified by the organization conducting the research of the ES tool in order to assess the compliance of the ES tool with these Requirements.

The requirements for ensuring the safety of the event log are also established:

35. The event log should be available only to persons specified by the operator of the information system in which the ES tool is used, or persons authorized by him. At the same time, access to the event log should be carried out only to view records and to move the contents of the event log to archive media.

Paragraph 36 seemed to me extremely controversial in the document, public key expiration date EP. The question immediately arises, what about those organizations that will sign documents with a permanent or long-term storage period with an electronic signature? What should they do with these documents in 15 years - throw them in the electronic trash (at the same time forgetting about the rights and obligations associated with them)?

From my point of view, either the authors of the document are at odds with the Russian language, and could not competently express their thought, whatever it may be, or they in trouble with the law, which does not provide for such stupidity as the loss of legal force by the signature.

36. Validity period of the ES verification key must not exceed the validity period of the ES key by more than 15 years.

37. The requirements for the mechanism for monitoring the period of use of the ES key, blocking the operation of the ES tool in the event of an attempt to use the key longer than the specified period, are determined by the developer of the ES tool and justified by the organization conducting research of the ES tool in order to assess the compliance of the ES tool with these Requirements.

The question also arises about the qualifications of the specialists of the Ministry of Justice, which successfully registered this document.

(EDS) is an attribute of an electronic document designed to protect this electronic document from forgery, obtained as a result of cryptographic transformation of information using the private key of an electronic digital signature and allowing to identify the owner of the EDS key certificate, as well as to establish the absence of information distortion in the electronic document.

Regulatory documents related to EDS

The use of EDS when concluding transactions is regulated by the Federal Law of January 10, 2002 N1-FZ "ON ELECTRONIC DIGITAL SIGNATURE". The law proclaims the general provisions of the "rules" in electronic markets regarding the recognition of an EDS in an electronic document as equivalent to a handwritten signature in a document on paper.

• Attached electronic digital signature

• Timestamp Service

  The validity period of any EDS certificate is limited to a certain period of time. After the expiration of its validity period, all documents created using this EDS lose their legal force, because. it is impossible to determine whether the certificate was up-to-date at the time of signing this document or not? This automatically means the invalidity of the document in accordance with the Federal Law "On Electronic Digital Signature".

  The time stamp service allows you to prove the fact of the existence of a document at a certain point in time.

  The time stamp service can be a Certification Authority that has an accurate and reliable time source and provides time stamp services.

  The time stamp is analogous to the date on the signed document. It also confirms that the certificate was valid at the time the document was signed. This means that it is still possible to use the revoked certificate to verify digital signatures created before the revocation. This problem is relevant for all electronic document management systems. The timestamp can also be used to confirm the receipt or dispatch of a document when needed.

  What else allows you to use a digital signature?

  An electronic digital signature is one of the most important elements for organizing a full-fledged electronic document management, because serves as an analogue of a person's handwritten signature. In addition, the use of a digital signature allows you to:

  * Integrity control of the transferred document: in case of any accidental or intentional change of the document, the signature will become invalid, because it is calculated based on the initial state of the document and corresponds only to it.
  * Protection against changes (forgery) of the document: the guarantee of forgery detection during integrity control makes forgery impractical in most cases.
  * Impossibility of refusal of authorship. Since it is possible to create a correct signature only if the private key is known, and it should be known only to the owner, the owner cannot refuse his signature on the document.
  * Evidence of document authorship: Since it is possible to create a correct signature only by knowing the private key, and it should be known only to the owner, the owner of the key pair can prove his authorship of the signature under the document. Depending on the details of the document definition, fields such as “author”, “changes made”, “timestamp”, etc. can be signed.

  What needs to be done to work with EDS?

  To work with EDS you need:

  • ensure the availability of a PC in accordance with the requirements;
  • ensure the availability of specialized software for working with EDS;
  • determine the person to whom the EDS certificate is issued;
  • choose the method of obtaining an EDS;
  • conclude a CA agreement and pay for services for issuing a signature key certificate.

  Leave your comment!

tools that provide, on the basis of cryptographic transformations, the implementation of at least one of the functions:

creation of ES using private key EI

confirmation using the public key of the ES

creation of private and public ES keys.

4. Encoding tools (manual ciphers)

Means that implement algorithms for cryptographic transformation of information with the implementation of part of the transformation by manual operations or using automated tools based on such operations.

5. Means of production of key documents.

Regardless of the type of key information carrier

6. Key documents (regardless of the type of media)

Compromise of cryptographic keys – theft, loss, disclosure, unauthorized copying and other incidents as a result of which cryptographic keys may become available to unauthorized persons and/or processes.

Personal data (PD) – any information relating to an individual identified or determined on the basis of such information (PD subject), including his last name, first name, patronymic, date of birth, address, family, social, property status, education, profession and other information.

PD Operator - state body or municipal body, legal or natural person organizing and/or carrying out PD processing, as well as determining the purposes and content of PD processing.

EP - information in electronic form that is attached to other information in electronic form (signed information) or otherwise associated with such information and which is used to identify the person who signed the information.

ES verification key certificate - an electronic document or a document on paper issued by a certification authority or an authorized representative of the CA, and confirming that the ES verification key belongs to the owner of the ES verification key certificate.

UC - a legal entity or an individual entrepreneur operating on the creation and issuance of public keys for verifying the ES, as well as other functions related to the ES and provided for by law.

Accreditation of CA - recognition by the federal executive body authorized in the field of ES use of the compliance of the CA with the requirements of the legislation.

CA funds - software and/or hardware used to implement the functions of the CA.

EP funds - encryption or cryptographic means used to implement at least 1 of the functions:

creation of ES

ES check

creating an ES key

creation of an ES verification key

EP key - a unique sequence of characters designed to create an ES. ES verification key - ... uniquely associated with the ES key and intended for ES authentication.

Qualified certificates of ES verification keys - ES verification key certificate issued by an accredited CA or a trustee of an accredited CA or a federal executive body authorized in the field of ES use (authorized federal body)

GOST R 51275

ZI. Informatization objects. Factors affecting information. Basic provisions.

Application area - The standard establishes a classification and a list of factors affecting the effectiveness of information protection in the interests of justified threats to information security to the requirements for information security at an informatization object. The standard applies to informatization objects, creation and operation in various fields of activity (defense, economics, science, and others)

Identification and consideration of factors affecting or those that may affect protected information in specific conditions form the basis for planning and implementing effective measures aimed at IS at the informatization object.

The completeness and reliability of the identified factors is achieved by considering the full set of factors that affect all elements of the RI (hardware and software for information processing, means of providing RI, and so on) and at all stages of information processing.

Identification of factors affecting protected information should be carried out taking into account the requirements:

sufficiency of levels of classification of factors, allowing to form their complete set;

classification flexibility. Allowing to consider a variety of classified factors, as well as to make changes without violating the structure of the classifications.

Factors affecting information:

objective internal signaling extraction of signals, functions inherent in the technical means of the OI side EMP the presence of acoustoelectric transducers in the elements of the TS OI defects, failures, failures, accidents of the vehicle and OE systems defects, failures, failures

Objective external man-made phenomena natural phenomena, natural disasters

Subjective internal disclosure of protected information by persons entitled to access to it illegal actions on the part of persons having the right of access to protected information UA to protected information shortcomings in the organization of the provision of data staff service errors

Subjective external access to protected information using the TS UA to protected information blocking access to protected information by overloading the technical means of processing information with false requests for its processing actions of criminal groups and individual criminal subjects distortion, destruction or blocking of information using the TS