Interesting solutions for electronic signature in the browser
In one of the comments to this topic , the domestic consumer of EDS wrote:
Specific such a dream. And now there are all the prerequisites for its execution.
In the topic, I’ll dwell a bit on Crypto-Pro solutions that allow you to make a qualified digital signature in the browser really convenient.
')
And I will also describe one original solution from the company Cryptocom ( www.cryptocom.ru ), which allows you to sign documents via the Internet with a qualified digital signature using almost any computer / browser without prior configuration and without system administrator rights (for the option “urgently need to conduct a transaction from the Internet - Turkish hotel cafe ").
Crypto-Pro specialists made cross-platform browser plugins . When a user logs in to the EDS web page, the server determines which plug-in is required depending on the browser, the plug-in installation program is launched. This program does not require a sysadmin to install. Everything is quite convenient and you can sign documents without dismounting from Mozilla FireFox.
Minuses:
The first problem can be smoothed. Crypto Pro has a version of CSP, which is a one-click installer - a software-hardware SKZI CryptoPro Rutoken CSP . This product is based on the CryptoPro CSP and Rutoken EDS, all the moments of pairing usb-token and the software part are already solved at the level of the product architecture. Thus, the complexity of installation and configuration of an IPMS is significantly reduced, and due to the fact that working with private keys goes at the hardware level, the overall level of security increases
In any case, a bunch of CryptoPro Rooken CSP + cross-browser plug-ins is a big step forward in terms of facilitating the life of technical support services for large projects.
Firm Cryptocom released product MagPro Crypto Tunnel . It allows you to do several things, in particular, to protect a web-connection with a certified guest TLS, authenticate yourself with a certificate on a site and sign a text message or file when sending via a web form with a qualified signature.
Crypto Tunnel is based on the open source application sTunnel. It works on the port forwarding principle. When starting the CryptoTunnel starts listening to an arbitrary port on localhost. At the same time, he has a remote host: port registered in the config for which connections should be forwarded. But he will forward them for a reason, and having pre-established a TLS connection with a remote host. It is through this TLS connection that the data is transmitted.
If you start the CryptoTunnel, pointing it to “listen” to 127.0.0.1:8080 :, and then the browser go to 127.0.0.1:8080, then the CryptoTunnel will establish a TLS connection with the remote host specified in its config file and start sending HTTP requests through it from the browser and HTTP responses from the web server. It should be noted that the developers have built in the automatic launch of the default browser for the user to the desired url (http://127.0.0.1:8080/).
Config example with comments:
With TLS I hope everything is clear, now let's move on to the EDS.
Since all application layer traffic (HTTP) goes through the Crypto Tunnel, some parts of the traffic can be marked in a special way. Upon seeing the marked part, the crypto tunnel will extract it from the POST request, decode it from url-encoded, sign it (after asking the user), carefully insert the signed message / file (or a separate signature) into the POST request and send it to the server. The main subtlety is taken into account - when transferring files, a POST request is formed in the form of a multi-part.
In order for the CryptoTunnel to understand which field of the transmitted web form should be signed, the sign_inputs and sign_files parameters are set in the config file. When designing a web form for entering user data, the website developer should follow the field that will be signed, as appropriate.
The main feature of the CryptoTunnel solution is that it works without installation, with all browsers, without complicated configuration of browser security policies. Crypto Tunnel can be put on
flash drive and run directly from it.
Those interested can see the solution on the demonstration site .
For reliable key protection, CryptoTunnel should be used in conjunction with Rutoken EDS Flash . In this case, the key is stored in the protected memory of Rutoken, and the Crypto Tunnel itself on its Flash memory, from where it starts. Since Rutoken EDS Flash uses the standard CCID driver, it does not require installation of any software to work on modern operating systems (starting with Windows Vista and Mac OS X 10.7), and the Rutoken EDS Flash support module is already included in the Crypto Tunnel.
I have a dream ... In fact - I have a dream that sometime in the future I can do without a bunch of “windows + IE” for client-banks and other software that uses crypto-pro. SBIS ++, for example. Damn, I hope that someday it will be.
Specific such a dream. And now there are all the prerequisites for its execution.
In the topic, I’ll dwell a bit on Crypto-Pro solutions that allow you to make a qualified digital signature in the browser really convenient.
')
And I will also describe one original solution from the company Cryptocom ( www.cryptocom.ru ), which allows you to sign documents via the Internet with a qualified digital signature using almost any computer / browser without prior configuration and without system administrator rights (for the option “urgently need to conduct a transaction from the Internet - Turkish hotel cafe ").
Crypto Pro Plugins
Crypto-Pro specialists made cross-platform browser plugins . When a user logs in to the EDS web page, the server determines which plug-in is required depending on the browser, the plug-in installation program is launched. This program does not require a sysadmin to install. Everything is quite convenient and you can sign documents without dismounting from Mozilla FireFox.
Minuses:
- for the plugins to work, you need to pre-install the CryptoPro CSP and configure it to use the key carrier Rutoken (this is not always easy for an unprepared person)
- will have to tinker with the security settings of the browser, since the plugin for IE is the same ActiveX
The first problem can be smoothed. Crypto Pro has a version of CSP, which is a one-click installer - a software-hardware SKZI CryptoPro Rutoken CSP . This product is based on the CryptoPro CSP and Rutoken EDS, all the moments of pairing usb-token and the software part are already solved at the level of the product architecture. Thus, the complexity of installation and configuration of an IPMS is significantly reduced, and due to the fact that working with private keys goes at the hardware level, the overall level of security increases
In any case, a bunch of CryptoPro Rooken CSP + cross-browser plug-ins is a big step forward in terms of facilitating the life of technical support services for large projects.
Crypto Tunnel
Firm Cryptocom released product MagPro Crypto Tunnel . It allows you to do several things, in particular, to protect a web-connection with a certified guest TLS, authenticate yourself with a certificate on a site and sign a text message or file when sending via a web form with a qualified signature.
Crypto Tunnel is based on the open source application sTunnel. It works on the port forwarding principle. When starting the CryptoTunnel starts listening to an arbitrary port on localhost. At the same time, he has a remote host: port registered in the config for which connections should be forwarded. But he will forward them for a reason, and having pre-established a TLS connection with a remote host. It is through this TLS connection that the data is transmitted.
If you start the CryptoTunnel, pointing it to “listen” to 127.0.0.1:8080 :, and then the browser go to 127.0.0.1:8080, then the CryptoTunnel will establish a TLS connection with the remote host specified in its config file and start sending HTTP requests through it from the browser and HTTP responses from the web server. It should be noted that the developers have built in the automatic launch of the default browser for the user to the desired url (http://127.0.0.1:8080/).
Config example with comments:
# verify=2 # client=yes # CAFile=..\crypto\ca.crt # engine=gost # sslVersion=TLSv1 # taskbar taskbar=yes # DEBUG=7 [https] # accept = 127.0.0.1:80 # connect = ca.cryptocom.ru:443 # ciphers = GOST2001-GOST89-GOST89 TIMEOUTclose = 0 # cert=..\crypto\client.crt # key=..\crypto\client.key # cert_sign=..\crypto\client.crt # key_sign=..\crypto\client.key sign_only_new=no # html-, sign_inputs=ID797C1C735EEB4926925375E1D6907834 # html-, , sign_files=IDCBB806E365FB4FBA9490AB20303971F4 With TLS I hope everything is clear, now let's move on to the EDS.
Since all application layer traffic (HTTP) goes through the Crypto Tunnel, some parts of the traffic can be marked in a special way. Upon seeing the marked part, the crypto tunnel will extract it from the POST request, decode it from url-encoded, sign it (after asking the user), carefully insert the signed message / file (or a separate signature) into the POST request and send it to the server. The main subtlety is taken into account - when transferring files, a POST request is formed in the form of a multi-part.
In order for the CryptoTunnel to understand which field of the transmitted web form should be signed, the sign_inputs and sign_files parameters are set in the config file. When designing a web form for entering user data, the website developer should follow the field that will be signed, as appropriate.
The main feature of the CryptoTunnel solution is that it works without installation, with all browsers, without complicated configuration of browser security policies. Crypto Tunnel can be put on
flash drive and run directly from it.
Those interested can see the solution on the demonstration site .
Rutoken CryptoTunnel
For reliable key protection, CryptoTunnel should be used in conjunction with Rutoken EDS Flash . In this case, the key is stored in the protected memory of Rutoken, and the Crypto Tunnel itself on its Flash memory, from where it starts. Since Rutoken EDS Flash uses the standard CCID driver, it does not require installation of any software to work on modern operating systems (starting with Windows Vista and Mac OS X 10.7), and the Rutoken EDS Flash support module is already included in the Crypto Tunnel.
Source: https://habr.com/ru/post/136572/
All Articles