
Electronic signature: does it "work" or not?

About a month ago, the Duma passed the law “On Electronic Signature”, which is now to govern the conditions of its use in Russia. At the same time, the old law “On Electronic Digital Signature”, in force since 2002, regulates the same issues. It remains in effect until July 1, 2012, and signature keys issued while it was in force will remain valid after that date.

The explanatory note to the new law states that the “old-style” EDS never became popular: up to 2007 only about two hundred thousand signature key certificates had been issued, and fewer than one percent of Russia's population used it. Hence the widespread belief that “the electronic signature in Russia does not work”. A symptom of this was the many headlines claiming that the newly adopted law had “legalized the electronic signature”: indeed, most of our citizens never encounter it in everyday life.

To understand why a new law on electronic signatures is needed and what its adoption will change, we need to go a little into the history of Russian “civilian cryptography”, that is, programs designed to encrypt and sign messages.

All persecuted.



Unlike its departmental counterpart, “civilian cryptography” has always existed on sufferance. The state looked at it askance, because such software, along with the ability to produce an electronic signature, also provides encryption. After all, the absence of a “back door” (a way to decrypt a message without knowing the key) in programs written by independent developers seriously hampers the work of the security services should they wish to read what users are saying to each other.

Trouble pursued civilian cryptography from its very inception. In the early nineties the programmer Philip Zimmermann created PGP (Pretty Good Privacy), which is still the most popular program in this field. It allowed users to sign messages and files, and to encrypt them. Signing and encryption used two keys, a public one and a private one. Users freely exchanged public keys, while the private key was to be kept secret. To encrypt (and sign) a message, the recipient's public key was used together with the author's private key; to decrypt it, the recipient's private key and the author's public key were needed. This scheme made it possible to exchange encrypted messages without fear that someone would intercept the key needed for decryption: two keys were used, and one of them simply could not be intercepted, since it was never transmitted. This is why public-key encryption (also called “asymmetric encryption”) became widespread on the Internet.

However, shortly after PGP appeared, a criminal case was opened against Zimmermann: he had allegedly violated the ban on exporting programs implementing strong encryption from the United States. The case was dropped only three years later, with all charges against Zimmermann withdrawn. Soon afterwards he founded PGP, Inc., which continued to develop the program. The export ban was circumvented very simply: it covered only electronic copies, so the “foreign” version of PGP was compiled from scanned source code that had been exported from the USA in printed form. This is, of course, an exotic case, but the Russian state treated civilian cryptography in roughly the same way.

Many people remember Yeltsin's famous “Decree No. 334”, which simply prohibited the use of any cryptographic tools not certified by FAPSI. Moreover, the ban covered not only state organizations: everyone was forbidden to develop such tools or bring them into Russia. True, the decree provided no liability for violating this prohibition, so many people turned a blind eye to it.

It was during the decree's time that mass encryption technologies spread, including the programs bundled with Windows operating systems, as well as PGP itself, which has since become the de facto standard in this field.

Then, in 2002, the first law on EDS was adopted. It applied only to legal relations arising from civil law transactions. Under this law, the tools for creating a “full-fledged” digital signature had to be certified. All other cryptographic programs instantly acquired an ambiguous status: in theory one could sign documents with them, since the law did not forbid it, but the legal status of such a signature was not regulated at all. To distribute keys, the law provided for a network of “certification centers”, organizations that were to create keys at users' request. And it seems to be precisely this that made EDS so unpopular in Russia.

As is well known, a signature based on asymmetric encryption requires two keys: a public one, which the holder can exchange freely, and a private one, which must be kept secret. Nobody should know your private key, yet under the Russian law on EDS this key was generated by a “certification center”, that is, by complete strangers. The small number of issued signatures is therefore understandable. The law required the certification center to keep the key securely secret, but elementary caution dictated not entrusting this key to anyone at all. Caution, as a rule, won.

As in Europe



Compared with its predecessor, the new law “On Electronic Signature” is a veritable masterpiece of liberalism. The basic principles of issuing and using keys have changed radically, with the EU directive “On general principles of electronic signatures” serving as the model for the new rules. First of all, the law applies not only to civil law transactions: an electronic signature can now be used to perform any “legally significant actions”, of which the law gives as examples “the provision of state and municipal services” and “the performance of state and municipal functions”.

In the near future, mass sales will begin of special “flash drives” with recorded keys that can be used to access the public services portal. The law introduces several types of electronic signature, the simplest of which is called “simple”. It is an “electronic signature” which, through the use of codes, passwords or other means, confirms that an electronic signature has been generated by a certain person. This may become a source of confusion in the future, since previously such things were not considered an “electronic signature” but were called “an analog of a handwritten signature”: all kinds of passwords, verification codes and other means of identification.

Besides the “simple” one there is the “enhanced” electronic signature, and this one already involves encryption tools. The list of such tools is not closed; they must meet the minimum reliability requirements set out in Article 4 of the law. This is one of the most important and useful innovations: it is now possible to sign not only with certified programs. The general requirement for any “enhanced” signature is a certificate, that is, a document confirming that the private key belongs to a specific person. The certificate is again issued by a certification center. However, if the signature's compliance with the established requirements can be confirmed without a certificate, obtaining one is not required.

An “enhanced” signature is either “unqualified” or “qualified”; in the latter case the services of a certification center are required. Under the new legislation, such centers operate much as before: they create signature keys for clients using certified programs, and in effect it is state certification that makes the signature “qualified”.

Keys issued under the old law can continue to be used; according to the law they are recognized as “enhanced qualified” signatures. And one more important innovation: under the new law, certification centers issue “electronic signature tools containing an electronic signature key and an electronic signature verification key (including those created by the certification center) or providing the ability for the applicant to create an electronic signature key and an electronic signature verification key”. From this convoluted wording it follows that the key can now be generated not only by the center but by the user himself. That is, one no longer has to entrust it to a stranger: issuing so-called “key certificates”, confirming that a given key belongs to a certain person, becomes the CA's main function.
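How this division of labour works in practice, as an added example that is not code from the article or from any Russian certification center's software: the applicant generates the key pair locally, the certification center signs only the public verification key together with the subject's name, and a relying party checks first the certificate and then the document signature. It is written in Go against the standard library's Ed25519; the KeyCert structure, its toy encoding, the subject names and the document text are all constructed for this example and are not the format any real CA uses.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyCert is a minimal, hypothetical "key certificate": a statement signed by a
// certification center (CA) that a given verification (public) key belongs to a
// named subject. Constructed for this example; not a real certificate format.
// Note what it does NOT contain: the subject's private signature key.
type KeyCert struct {
	Subject   string
	PublicKey ed25519.PublicKey
	CASig     []byte
}

// GenerateKeyPair creates a signature key pair. Under the new law this step may
// happen on the applicant's own machine, so the private key never leaves it.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // the OS random source is unavailable; nothing sensible to do
	}
	return pub, priv
}

// certBody is the byte string the CA signs: a length-prefixed subject name
// followed by the verification key, so the two fields cannot run into each other.
// Toy encoding: subject names are limited to 255 bytes.
func certBody(subject string, pub ed25519.PublicKey) []byte {
	if len(subject) > 255 {
		panic("subject name too long for this toy encoding")
	}
	var b bytes.Buffer
	b.WriteByte(byte(len(subject)))
	b.WriteString(subject)
	b.Write(pub)
	return b.Bytes()
}

// IssueCert is the CA's task under the new scheme: it receives only the
// applicant's public key and binds it to the subject's identity.
func IssueCert(caPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) KeyCert {
	return KeyCert{Subject: subject, PublicKey: pub, CASig: ed25519.Sign(caPriv, certBody(subject, pub))}
}

// SignDocument is performed by the key holder with the private key.
func SignDocument(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, doc)
}

// VerifySignedDocument is what a relying party does: it trusts only the CA's
// public key (caPub), checks that the certificate was really issued by that CA,
// and only then checks the document signature against the certified key.
func VerifySignedDocument(caPub ed25519.PublicKey, cert KeyCert, doc, sig []byte) error {
	if !ed25519.Verify(caPub, certBody(cert.Subject, cert.PublicKey), cert.CASig) {
		return errors.New("key certificate was not issued by the trusted CA")
	}
	if !ed25519.Verify(cert.PublicKey, doc, sig) {
		return errors.New("document signature does not verify under the certified key")
	}
	return nil
}

func main() {
	caPub, caPriv := GenerateKeyPair()     // the certification center's own key pair
	userPub, userPriv := GenerateKeyPair() // generated by the applicant, not by the CA
	cert := IssueCert(caPriv, "Ivan Ivanov (constructed example subject)", userPub)

	doc := []byte("Constructed sample contract text")
	sig := SignDocument(userPriv, doc)
	fmt.Println("genuine document:", VerifySignedDocument(caPub, cert, doc, sig))

	// A modified document fails verification even though the certificate is valid.
	fmt.Println("altered document:", VerifySignedDocument(caPub, cert, []byte("altered text"), sig))

	// A certificate from a CA the verifier does not trust is rejected before the
	// document signature is even examined.
	_, otherCAPriv := GenerateKeyPair()
	rogueCert := IssueCert(otherCAPriv, cert.Subject, userPub)
	fmt.Println("untrusted CA:", VerifySignedDocument(caPub, rogueCert, doc, sig))
}
```

The relying party's trust anchor is the CA's public key alone; neither the CA nor the verifier ever handles the applicant's private key, which is exactly the change the quoted wording of the new law permits.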

In addition, the new law contains a number of other useful innovations that may increase the number of people signing documents electronically. Previously only individuals could use an electronic signature; now such a signature may belong to an organization, a legal entity or a government body. The law sets out requirements for such signatures: in particular, when a certificate is obtained, it must name not only the organization itself but also the person authorized to sign documents on its behalf.

True, it is not clear how such an authorized person is to be replaced in case of dismissal, termination of the power of attorney and other force majeure circumstances: what to do with the certificate in such cases, whether a new employee who controls the signature can be entered into it, or whether a new certificate must be obtained (or even the signature key changed). As to the legal validity of a “paper” document and its electronic copy, the law establishes the following rules: “by default” an electronic copy of a document is considered equivalent to the paper one only if it is signed with a “qualified” signature, that is, using certified programs. If the program is not certified or a “simple” signature is used, the electronic document is considered equivalent to a paper one only where the law expressly says so or the parties have agreed to it.

Source: https://habr.com/ru/post/119610/

