What does the carrier of the electronic signature key mean. How and where can you store an electronic signature

When contacting the Certification Authority, the head of the organization receives a set of software tools for creating an EDS recorded on a special key carrier electronic signature. Currently, a USB device (eToken) and a smart card are used in this capacity.

What information is on the media

Certification and protection system electronic documents based on the following principle. Using a special encryption program, the sender generates a private key - this is a unique set of characters that never repeats. Based on the private key, a paired EDS public key is created for it. With its help, the program encrypts the letter, and the recipient checks for a signature, decrypts and reads it. Thus, the electronic signature verification key is a public key available to all users of the electronic document management system.

The right to transfer data through the EDI system is obtained only by a user who has legally acquired an EDS from a Certification Center (CA). In doing so, he receives a secure physical medium, called an eToken, which is inserted into any device with a USB connector. The device has its own built-in memory, which records:

• private key to create a unique signature by the sender;
• the partner's public key for encrypting the transmitted document and checking the letters received from it;
• certificate of the digital signature verification key - a file created by the CA and confirming the ownership of the digital signature tool by the owner of the certificate.

Thus, the electronic signature key carrier is a hardware tool that works autonomously from a computer and stores all the programs and information necessary for the operation of the EDS. They cannot be rewritten to another device, and an attempt to hack the device physically ends in the loss of information. It can only be lost. A smart card is even better at protecting electronic signatures from being hacked, but is less commonly used, as it requires a special reader to use it.

How to get an electronic signature key

EDS tools for exchanging documents with government bodies can be purchased on a paid basis only in an accredited CA. On the website of each of them you can find information on how to obtain an electronic signature key. As a rule, this requires only the passport of the head, and his SNILS. After paying for the service, the applicant will receive an electronic signature key carrier, instructions on how to install the EDS key, and a certificate in paper form.

To work with the Federal Tax Service and other government agencies, the owner must receive from the CA, on the basis of an application, an electronic signature verification key - this is, accordingly, the public key of the organization with which he intends to exchange documents. The public keys of organizations and entrepreneurs are entered by the Certification Center into the register, which is provided for use by the Federal Tax Service and other organizations.

Compromise of the electronic signature key

The private, or secret key, should only be kept by the owner. It performs two functions:

• generates an electronic signature;
• decrypts the received file.

If it is lost or stolen, it is impossible to read the documents sent. If this nevertheless happened, or there is a suspicion that the key has been hacked (detected when the signature verification program is launched upon receipt of the document), then the key can no longer be used.

Thus, the compromise of an electronic signature key is the fact of access to the key by unauthorized persons, or the suspicion of the possibility of such an event. When it occurs, the ES owner must notify the Certification Authority, which will add it to a special list and revoke the certificate. A signature created after this point is considered legally invalid.

(EDS), according to 63-FZ on electronic signature, can be issued exclusively on key media(tokens), which are certified by the FSTEC and the FSB of Russia. Tokens themselves are of two types:

Let's take a closer look at how a USB token differs from a smart card and how they are similar.

Hardware token, USB key, cryptographic token - these are all names of the USB token. This token looks like a standard USB device that is connected to the USB connector. Transmits the generated key sequence to the client system via the RFID function or the Bluetooth wireless interface. Some cards also have a smart card chip built into them. The USB token itself is small and most often designed as a key fob.

Simply put, a token is, in some way, electronic key to access.

The USB token is protected from hacking in 2 ways:

1. Built-in tamper protection
2. Keypad for PIN code entry
3. Button for calling the generation procedure and a display for displaying the generated key.

Why do you need a USB token?

• Provide information security user
• Identify the owner of the USB key
• For secure remote access to information resources
• Store cryptographic key

(English) smartcard) is a plastic card with a built-in microcircuit. In most cases, smart cards contain a microprocessor and an operating system that controls the device and access to objects in its memory.

The smart card can be read by any standard PC/SC compatible reader.

Why do you need a smart card?

• One- and two-factor user authentication
• Storage of key information
• Carrying out cryptographic operations in a trusted environment

Recently, smart cards have become more and more popular: they are used in systems for accumulating discounts for credit and debit cards, student ID cards, GSM phones and travel tickets.

Order an EDS right now!	Do you have any questions? Call!

Required attribute - EDS key - is a unique list of alphabetic and numeric characters that is used to generate a signature. A simple EDS key is an identifier and a password, while an enhanced EDS key is a complex formation created using cryptological encryption algorithms.

Differences and features

• Unlike a hand-made stroke, an ES is not universal and can only be used within one department in accordance with OID - objective identifiers of the scope of the key. There are ES for: tax reporting;
• electronic auctions and tenders;
• public service portal.

Before getting an EDS legal entity, he should inform the representative of the manufacturer - the certification authority (CA) of all planned purposes of use. The required OIDs will be attached to a single key certificate, resulting in a universal and convenient ES.

An electronic signature (ES) verification key is a unique sequence of characters associated with an ES key. It can be used to establish the validity of a generated signature of any kind:

• CP simple EDS is used in accordance with the instructions of the operator information system, in which the file is signed and sent;
• the use of an unqualified enhanced EDS is permitted by law and without creating a KP certificate, if at the same time it satisfies technical requirements regarding security and privacy;
• The CP of a qualified EDS is contained in its certificate, which, in fact, distinguishes it from signatures of other types.

How many and which keys can you have?

Digital document management is actively developing. Only a small part of the technical and legal nuances has been unified. However, there are some shortcomings:

• there is no unified register of persons who have received and use ES (each CA maintains its own list of issued and canceled certificates);
• roaming and cross-certification between electronic document management operators are not implemented, which would ensure the interoperability of public key infrastructure domains;
• one person can own an unlimited number of signatures and valid certificates of the KP EP for use in different purposes.

In addition, a person acting on behalf of several institutions in the digital workflow must have a separate electronic signature key for the representation of each of them in the target system.

For example, a citizen can simultaneously own an electronic signature for reporting to the territorial body of the Federal Tax Service:

1. For tax returns in your own name as an individual.
2. For accounting and tax reporting:

• as a private entrepreneur;
• as an official of the enterprise (manager or accountant);
• as a representative by proxy of any business entity.

key pair

Two types of algorithms can be used to build an EP:

• symmetric crypto-encryption, which implies the signing of a document by the publisher and transfer to a trusted third party authorized to send it to the addressee;
• asymmetric encryption, in which different keys are used for forward and reverse transformations or a pair is present: the private key is strictly confidential, and the CP is openly published and protected from forgery.

Public key electronic digital EDS signatures is data that:

• are communicated via a public, technically unsecured telecommunications channel;
• are used to check the ES and reversely transform the contents of the file;
• its pair is a personal confidential key for the formation of an ES.

Electronic signature verification using public keys is commonly used in network protocols, such as SSL, SSH, S/MIME. They are based on the following principles:

• the key for creating an ES is kept in the strictest confidence by its owner;
• The CA generates a public key certificate, thereby ensuring its authenticity;
• file sharing participants do not trust each other, but each of them trusts the CA;
• only the CA has the authority to confirm that the public key belongs to the person who owns the private key.

private key digital signature EDS is a confidential component of a key pair. It has the following characteristics:

• used for the formation of EP;
• cannot be calculated from the signature or public key created with it;
• eliminates the possibility of counterfeiting the electronic signature in the case of using a strong cryptoalgorithm.

Proper operation of the EP is ensured by:

• reliable encryption methods;
• high-quality random number generators (the key must be absolutely unpredictable);
• secure media - smart cards or HSM, excluding the possibility of overwriting.

EP funds

In accordance with the provisions of the relevant law of 2011, electronic signature means are used to perform the following tasks regarding ES:

• creation;
• examination;
• generating a key and a verification key.

EP means are subject to use, which:

• assume a reliable determination of the fact of making any, including accidental, changes to the transferred document;
• ensure the impossibility of calculating the ES key.

When signing, they must:

• guarantee the signer the opportunity to familiarize himself with the contents of the file being certified;
• protect against accidental creation of ES.

When checking the ES, its means must:

• display the contents of the signed file;
• detect any edits that have been made;
• identify the person whose key was used to generate the signature.

Before you get an EDS key, you need to understand that only the means of a qualified EDS have passed the mandatory verification and certification. They are approved by the FSB, and therefore are the most reliable.

Functional key carrier (FKN)- this is new technology, which allows to significantly increase the security of systems using an electronic digital signature.

Functional key carrier - the architecture of software and hardware products with a smart card or USB key, hardware-based implementation of Russian cryptographic algorithms for electronic signature and encryption (GOST R 34.10-2001 / GOST R 34.11-94, GOST 28147-89), which allows you to safely store and use private keys in a secure memory card or USB key.

Recently, more and more attention has been paid to the security of storing private keys. Key containers on insecure media (such as floppy disks) are a thing of the past. However, key containers on secure media - USB keys and smart cards - which have become widespread, are subject to increasingly stringent requirements in the field of key protection.

Partially, these new requirements are met by USB keys and smart cards with hardware implementation of the signature, which are widely used in foreign practice. For example, USB keys and smart cards that meet PKCS#11 standards. But these standards were developed quite a long time ago and do not take into account the emergence of new threats, such as vulnerability to signature or hash value attacks in the communication channel between the microprocessor of the card (key) and software on the computer.

Architecture Functional key carrier, offered by CRYPTO-PRO, implements a fundamentally new approach to ensuring the secure use of a key on a smart card or usb token, which, in addition to hardware key generation and the formation of an ES in the microprocessor of the key carrier, allows you to effectively resist attacks associated with the substitution of a hash value or signature in communication channel between the software and hardware of the CSP.

The main advantages of FKN are:

• increased user key confidentiality;
• the generation of ES keys, approval keys, as well as the creation of ES, takes place inside the FKN;
• performing cryptographic operations on elliptic curves directly by the key carrier, support for the Russian ES;
• enhanced data protection during transmission over an open channel, due to the use of mutual authentication of the key carrier and the software component using the original CRYPTO-PRO protocol based on the EKE (encrypted key exchange) procedure. In this case, it is not a PIN code that is transmitted, but a point on an elliptic curve;
• transmission of a hash value over a secure channel that excludes the possibility of substitution;
• at no time, except for the creation of the container, is the user's key stored either in the key container or in the memory of the cryptographic provider and are not explicitly used in cryptographic transformations. Accordingly, even a successful hardware attack on a key carrier will not help to find out the key;
• the possibility of signature substitution in the exchange protocol is excluded, the ES is generated in parts - first in the key carrier, then finally in the CSP;
• the key can be generated by the FKN or loaded from outside.

Today, issuing authorities electronic signature, write down EDS key on special media. Only a certain person can have access to it. Often, Rutoken or Etoken acts as such a carrier.

Represents the physical medium on which the EP certificate. By appearance such a carrier resembles a conventional USB flash drive.

Rutoken is a compact and handy device. It is used for authorization on a personal computer and gaining access to the key. Due to its functions, this medium is able to secure the user's personal correspondence, any the documents and various information resources.

A device like Rutoken is able to bypass passwords of any complexity. Owner EDS now there is no need to write down your logins from sites anywhere and remember passwords. Now all digital information may be contained in electronic carrier. If necessary get access to your account to send documents should only be connected to a PC electronic signature carrier.

Select digital signature

The Etoken device is more secure than Rutoken. Issuing authorities give it for the purpose of control and reliable security keys required for authentication. Such electronic the carrier does not require additional special equipment for connection, as it is able to support work with any major systems and software applications.

To store and use electronic key you don't have to use tokens. You can use media such as a flash drive, disk, and even a mobile phone, but this will not be safe. If the flash drive is lost or the phone is stolen, attackers will gain access to EDS, and with a token it is almost impossible to implement. To get access to the token, you must enter a special secret pin code that only the owner knows electronic signature.

Submit data via email document flow only the user who received EDS and electronic key carrier from certifying UC. The built-in memory of such devices includes:

• Private electronic keys for the formation of electronic signatures.
• The public keys needed to decrypt and verify received files.
• The certificate required to verify the EDS key.

Certification and security system electronic documents, is built on a certain principle of operation. With the help of a specialized program, the sender must form a closed EDS key, and then based on it create an open key. Thanks to him, the program encrypts document, and the recipient has the opportunity to check the presence electronic signature, decrypt the file and read it.

Recorded medium EDS electronic key, functions from a PC offline and contains all the information important for work. If you try to rewrite it to another device or hack, all digital information will be lost.

Very often, when several companies interact with each other, documentation is required, certified by a personal signature one of the officials. Unfortunately, very often there is a situation when you urgently need to sign papers, but the manual cannot be found. Very handy in these cases. electronic signature contained on key carriers - tokens. With their help, you can perform various cryptographic operations so that all key private information does not leave the limits of the token. This eliminates the possibility of key compromise and makes it possible to increase the security of the entire system. Application EDS on the device token - it's fast, easy and convenient.