Event program: main products; two-factor authentication; truly mobile electronic signature; Rutoken Base; system access control and management.
The event is attended by Andrey Ignatov, Product Manager and Valeria Valetina, Corporate Account Manager.
Andrey Ignatov, an employee of "Aktiv," began by discussing the company's products, the solutions they are based on, and what can be built on them.
Main products
The first product is Rutoken Light. This is a token without a crypto-core, so it cannot generate electronic signature keys itself. It can only store what a software crypto provider has generated for it. A new version of Rutoken Light has now been released: Rutoken Light 10.10, with 64/128 KB of memory.
The Rutoken EDS 3.0 line is a new line that replaces the Rutoken EDS 2.0 line. The new line has 128 KB of memory.
Some models have even more memory, up to 160 KB. They have new algorithms and improved speed characteristics. Some members of this line can even hash documents without losing performance compared to a computer. Hashing is a mathematical algorithm applied to documents of any size: a client's megabytes can be run through this tiny token, which converts them into a numeric value of length 256 or 512. These tokens are certified by the FSTEC and the FSB.
There is a standard token, a workhorse: Rutoken EDS 3.0. And there is an unusual extended version of it, the Rutoken 3.0 3100 NFC smart card with an NFC interface. These allow you to sign electronic documents from mobile devices that have an NFC interface. Note that it is the card or token that signs: you hold the card or token to the device, and the keys of your electronic signature stay inside the card or token. They are always with you, and in this way you can sign the necessary documents.
The Rutoken SP 3.0 SCR 3001 reader is used with Rutoken 3.0 NFC smart cards and with the older Rutoken 2.0 contact smart card. An NFC reader is also expected, but it is not yet our own production. The reader does not damage cards, and it is FSTEC-certified because its firmware is replaceable.
Then there are the representatives of the older Rutoken EDS 2.0 flash line, which is being replaced by Rutoken SP 3.0 flash: a USB token with a cryptographic processor combined with protected flash memory. It is a regular token and also a fast one: it was once the fastest in the Rutoken EDS 2.0 line, and now it is comparable in speed to Rutoken EDS 3.0. It also has 128 KB of memory, which used to be unusual. In addition, a 32 or 64 GB flash drive is installed at the factory, and that flash drive has protected memory. That is, after you connect the token and enter the PIN code, access to its partitions can change: for example, partitions that were initially hidden become accessible for reading and writing.
Thus, you can create hidden partitions that are activated only when the token is used, and store protected files on them that are accessible only with the token.
A relatively new (about a year old) product is Rutoken OTP. This is a standard token with a screen, working according to the TOTP standard for two-factor authentication, which uses a code that changes every minute. It can be used in all cases where TOTP is used. It is used strictly for two-factor authentication and cannot be used for any other purpose. It is not used for signing documents. You can use it to authenticate into the signing system, but only that. It cannot independently generate an electronic signature.
And a new token called Rutoken MFA. This is an authenticator that supports the FIDO2 protocol. The essence of Rutoken MFA is that, just like regular tokens, it lets you implement the possession factor. The line will be released in three stages: 1) a miniature Type-C version with a touch button – this summer; 2) a micro version with a touch button – autumn 2023; 3) a full-size version with NFC + Type-A and a touch button – early 2024.
It works with every service that has already implemented this standard and the corresponding protocol, for example Mail.ru, VK, Yandex, and foreign services, some of which are prohibited in Russia. You can also build your own authentication system. There are currently two options. They connect both to Android-based mobile devices and to computers. The token has a contact pad on the side that you touch with a finger.
To authenticate, you just touch this pad. The micro and full-size versions are inserted into the computer in the same way and also need to be touched. These two tokens are already available and can be obtained for testing.
Two-factor authentication
A classic electronic signature can be qualified or unqualified, but strengthened by cryptography; this is what tokens were created for, and what will of course always be done with them. This is signing documents in internal document flow, in HR and external document flow, and in regulatory document flow, for example when submitting reports or when labeling alcohol products; signing happens everywhere there, and Rutoken can be used everywhere.
Now let's talk about additional things. The first solution is two-factor authentication, for which tokens and smart cards have been used for a very long time, although in our country, strangely enough, they are not widespread. Yet Orders 17 and 21, and a number of other regulatory documents, directly require the use of two-factor authentication, for access to state information systems and for working with personal data. Other "regulations" also explicitly require the use of two-factor authentication.
When you implement password protection, the password is an intangible thing: it is data, it is knowledge. You know the password, but it is easy to steal, easy to spy on, easy to intercept, etc. If the password is stolen, the attacker can access resources and do whatever they see fit without you, without the legitimate owner. And you will never find out that the attacker has the password; often you may not even realize that the attacker is using it. So what is needed to make password protection reliable? Two-factor authentication. In this case, two factors are introduced. The first is the possession factor: I have a physical device, in this case it can be a Rutoken. The second factor is knowledge, in this case knowledge of the token's PIN code. Where there used to be one factor, knowledge of the password, now there are two. In different cases these factors are implemented differently; we will talk about the most reliable way in my opinion.
A person comes with their token and connects it to a computer running Windows or Linux. The system prompts them to enter a password, in this case the PIN code, and after it is entered the authentication process is performed. It is performed using electronic signature technology. What is the protection here? If the attacker spied on your PIN code, it gives them nothing: authentication without the token is impossible. If you lose the token, it's okay, because the PIN code is unknown; an attempt to guess the PIN code will block the token once the number of allowed attempts is exceeded. And if an attacker manages both to steal your token and to spy on your PIN code, you will discover that the token is missing, notify the administrator, and they will block access. That is, we are moving away from an intangible factor, a password that is easy to steal unnoticed, to a token, which cannot be stolen unnoticed because it is a tangible thing.
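The scheme described above (a token-resident private key that signs a server challenge only after the PIN is verified, a retry counter that blocks the token, and revocation on the server when a token is lost) can be modelled end to end. The following is an added example in Go, not code from Aktiv or the Rutoken SDK: it stands in a software token for the hardware, uses ECDSA P-256 from the Go standard library instead of the GOST algorithms a certified token would use, and assumes a retry limit of three and a user name "alice" purely for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

const maxPINAttempts = 3 // assumed retry limit; real tokens set this at initialisation

var (
	errBlocked  = errors.New("token blocked: PIN retry counter exhausted")
	errWrongPIN = errors.New("wrong PIN")
)

// token models the possession factor: the private key never leaves the device,
// and it signs only after the correct PIN (knowledge factor) is presented.
type token struct {
	key         *ecdsa.PrivateKey
	pin         string
	retriesLeft int
}

func newToken(pin string) (*token, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &token{key: key, pin: pin, retriesLeft: maxPINAttempts}, nil
}

func (t *token) public() *ecdsa.PublicKey { return &t.key.PublicKey }

// sign signs a login challenge after PIN verification. Wrong PINs burn the
// retry counter; once it hits zero the token refuses even the right PIN.
func (t *token) sign(pin string, challenge []byte) ([]byte, error) {
	if t.retriesLeft == 0 {
		return nil, errBlocked
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(t.pin)) != 1 {
		t.retriesLeft--
		if t.retriesLeft == 0 {
			return nil, errBlocked
		}
		return nil, errWrongPIN
	}
	t.retriesLeft = maxPINAttempts
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, t.key, digest[:])
}

// server stores only public keys; an administrator removes a user's key to
// revoke a token that was reported lost.
type server struct{ users map[string]*ecdsa.PublicKey }

func newServer() *server                                 { return &server{users: map[string]*ecdsa.PublicKey{}} }
func (s *server) enroll(user string, pub *ecdsa.PublicKey) { s.users[user] = pub }
func (s *server) revoke(user string)                     { delete(s.users, user) }

// challenge issues a fresh random nonce so a captured signature cannot be replayed.
func (s *server) challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

func (s *server) login(user string, challenge, sig []byte) bool {
	pub, ok := s.users[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// authenticate runs one round trip: server challenge -> token signature -> verify.
func authenticate(s *server, user string, t *token, pin string) (bool, error) {
	ch, err := s.challenge()
	if err != nil {
		return false, err
	}
	sig, err := t.sign(pin, ch)
	if err != nil {
		return false, err
	}
	return s.login(user, ch, sig), nil
}

func main() {
	tok, _ := newToken("1234") // constructed demo PIN
	srv := newServer()
	srv.enroll("alice", tok.public())
	ok, err := authenticate(srv, "alice", tok, "1234")
	fmt.Println("token + correct PIN:", ok, err)
	for i := 0; i < maxPINAttempts; i++ { // attacker holding the token guesses the PIN
		_, err = authenticate(srv, "alice", tok, "0000")
		fmt.Println("guess:", err)
	}
	_, err = authenticate(srv, "alice", tok, "1234")
	fmt.Println("owner after lockout:", err)
}
```

Two details carry the security argument: the server never sees the private key, so a spied PIN alone authenticates nobody, and the challenge is random per login, so a signature captured from the wire is useless against the next one.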
If authentication is implemented on a computer and the computer is in a Windows or Linux domain, then Rutoken EDS is used. There is a separate document for setting up in a Windows domain - Rutoken for Windows. It is available on our Rutoken website.
If your authentication is outside a domain, then on Linux Rutoken EDS is enough. Windows does not support two-factor authentication outside a domain, so we created our own component, Rutoken Logon. This is a software product installed separately on each computer that is not in a domain, and it in turn needs a separate Rutoken EDS or Rutoken Light token.
We also recommend that, in addition to buying one token or one card for each employee who will perform two-factor authentication, you buy a few spare in case of loss or failure. Ours rarely fail; when they do, it is because they are long and stick out of a laptop or computer, and a person accidentally breaks one by catching it.
Who at the customer can this be offered to? First of all, the information security service. For IT professionals, two-factor authentication is something that requires additional resources and additional actions from them; if they can do without it, they don't really want it. But for information security professionals it matters: compliance with the "regulations", because they will be punished if something happens due to the lack of adequate protection. So you should first contact the information security service and convince them that they cannot do without two-factor authentication, referring to the "regulations" at the same time.
Truly mobile electronic signature
Another option is a truly mobile signature. We have Rutoken EDS 3.0 3100 NFC cards and the corresponding tokens. Various people need to sign documents not in the office but from mobile devices: employees or directors on a business trip or on vacation, etc. They need to be able to hold a card to their smartphone anywhere, enter a code and sign the document. These can be emergency service employees, for example ambulance crews, or simply doctors who have gone out on a call and need to fill out an electronic sick leave note, issue an electronic prescription and sign all of it with a qualified electronic signature. These can be repair teams who have completed, for example, the repair of power lines and sign the log entry about the work performed, so that none of it has to be written on paper back in the office. With these cards and tokens we make a mobile electronic signature whose keys are always with you: in your pocket, in your wallet, or on a keychain if it is a token. You hold it to your smartphone and sign the document.
For this to work, the application on the mobile device must support the corresponding token. Such applications must either be created independently or taken ready-made. If you are doing a project for a customer, it is worth writing an application for them. We work with tablets and smartphones; the main thing is that there is an NFC interface. If there is no NFC interface but the tablet runs Android, we can use the contact interface through an adapter and plug a token into it.
We have our own Rutoken SDK. There are ready-made examples, such as a mobile bank. Based on these examples, which are available on our hub, and with consultations from our engineers, you can build your own applications for the customer. Wherever an electronic signature in a log is required but is hard to obtain, for example for miners, it is much easier to implement with secure devices. Say the workers have to confirm they received a safety briefing: a worker has a card hanging around his neck or on his belt, he walks up, holds the card to the device, enters his individual PIN code and goes on. You can simply place the phone at the passage; everyone walks by, holds up their card, and that counts as an electronic signature confirming they have been briefed.
Who else can you offer this to? First of all, IT departments. But if there is something specific, e.g. emergency ambulance services, there are regions where this is handled by the Ministry of Digital Development. If these are installers and miners, then the interested service may well be Labor Protection or the internal documentation system. That is, wherever there are problems with maintaining paper logs, you can easily close all their problems with maintaining logs and signing documents. They cannot fully automate these processes, because a personal signature of the people is required, and we offer them a simple option: a record in the log becomes a record in the database. Writing such an application is very quick, and writing a server application that tracks this is easy and simple. And this is how a serious and critical task for enterprises is solved.
Rutoken Base
A new product is called Rutoken Base. This is a product responsible for accounting of cryptographic information protection tools (SKZI), information protection tools (SZI), key pairs, key documents and certificates. The fact is that, on the one hand, regulatory authorities require all companies, especially government organizations, to keep records of them, to organize their OKZ (cryptographic protection body) and OKI (confidential information holder), and to keep reporting documentation in accordance with the requirements of FAPSI Order 152. FAPSI no longer exists, but the order lives on.
Plus, all these tokens and certificates need to be managed. You need to see whether the certificate of conformity for a hardware cryptographic protection tool has expired, where the tokens are installed, where they are connected and to which machines, whether someone has copied a key, whether it has been exported to a medium, and whether the certificate of conformity for the token or the employee's electronic signature key certificate has expired. Rutoken Base is responsible for all of this. It allows you to manage protected key media from various manufacturers as well as other key media. We can detect keys in the Registry, in the file system, on USB flash drives, etc.
We can interact with software crypto providers. Few people know this, but a key created on a token, or even on a flash drive, if it is a key that will later be included in a qualified key certificate for verifying an electronic signature, is also an SKZI, a cryptographic information protection tool that is subject to accounting. It is usually not accounted for, and this is a potential risk of punishment from regulatory authorities. Rutoken Base also provides management: it can push commands or policies to tokens and perform, for example, blocking, initialization, etc. Rutoken Base is 100% for government organizations or companies with state participation. At the same time, Rutoken Base fits well into import substitution, because the agents installed on workstations work under both Linux and Windows, and the servers run only under Linux. If a large percentage of employees use a qualified electronic signature (CEP), then Rutoken Base is necessary here.