
A bit about the practice of using EDS in Russia

Most IT people know what EDS is. Somewhat fewer are aware of how EDS can be applied in real life. Even fewer actually use EDS in practice.

For those who have not worked it out yet, EDS stands for “electronic digital signature”.

For two years I managed (read: personally pushed forward) a project in one narrow area where EDS is used in our daily life: submitting electronic reports to the tax authorities. Narrow as that application is, along the way I picked up enough interesting knowledge about what an EDS actually is in Russia that I want to share it.


1. Law and EDS


The first sign that our country is slowly but surely moving along the path of progress was the law “On electronic digital signature”. It came out in 2002 and can be called, in the jargon, a “bare” law.

Anyone who has actually dealt with applying laws in Russia understands that a law does not by itself settle the individual questions of its own application. The sign of a “bare” law is an abundance of phrases like “in accordance with current legislation”. Each such phrase is a reference to nowhere.


In 2002 this law “On EDS” was exactly that kind of thing. It talked about certificates, certification authorities and much else that, in fact, in 2002 (and, to be honest, for a long time afterwards) simply did not exist at all.

Besides, the laws do not agree with each other. A simple example.

The Law on EDS establishes the equivalence of an EDS and an ordinary handwritten signature (Article 4). However, the Tax Code, for example, although it provided for submitting a declaration to the tax inspectorate via “telecommunication channels”, said nothing about the signature format, the electronic document format, or anything else. So despite the existence of a law on EDS, it was impossible to actually use it.


However, the imperfection of the law is only half the trouble. In March 2003, while everyone was still stunned by the quality of the law on EDS and scratching their heads, the Federal Agency for Government Communications and Information under the President of the Russian Federation (FAPSI), which was in charge of cryptography, was abolished and its functions were transferred to the FSB.

“So what is the problem?”, the reader may ask. Let me tell you.

2. How about a specific application?


Everything related to encryption and information protection was handled first by FAPSI and then, in 2002, the FSB became involved.

Imagine the task facing the FSB. Everything seems clear, Comrade Colonel, but what about this hash: is it some kind of drug, or some sort of sophisticated mathematics? I apologize for the sarcasm ;)

So the task was to sort out the following: which algorithm to use? Clearly an asymmetric one, clearly with a public and a private key, but how long a key? If the two parties (the one signing and the one verifying the signature) do not agree on this, nothing will work, will it?

It turned out that:
1. Theory: an algorithm that can be used on the territory of the Russian Federation (i.e., whose signatures will be accepted as legally significant) must at minimum be certified by the FSB (that is, tested for “resistance to attack” and all that).
Practice: the FSB has too few specialists in proper cryptanalysis, so obtaining a certificate is difficult because the analysis of the algorithm itself takes a very long time.

2. Theory: an organization that intends to provide EDS-related services must use an algorithm certified by the FSB.
Practice: because the concept of an “algorithm” was conflated with its implementation, and for lack of independent developers, this meant that what had to be used was not an “implementation” of the algorithm but the specific software product from the developer who had the algorithm certified. Long live the bloody monopoly. Artemy Andreich's groans about GPS maps pale in comparison.

3. Theory: an organization that intends to provide EDS-related services must obtain three licenses: for use, for technical support, and for distribution of cryptographic protection tools.
Practice: getting a license without having chosen one of the software packages from point 2 is impossible. Or rather, it will not work: they will refuse. The “price” of a license in 2003 (on condition of meeting a mile-long list of requirements) was approximately $1,000 (according to an acquaintance). On top of that, the license from the developer of the software package costs $1,000 plus fulfilling a sales quota.

As a result, in 2003 it worked out like this: three programs for working with the algorithms for the whole of Russia. And most importantly, not even in their worst nightmare did these programs know about the concept of CryptoAPI, so working with them “from the outside” was impossible or very difficult (well, through the command line, yes).

3. More obstacles?


Oh yes, plenty. Besides the general problem with the software, there is the problem of developing it. Ready? Hold on tight.

If you want to use your own algorithm (or a publicly available one, say RSA), the scheme grows to the scale of a Mission: Impossible plot. Why? Here is why.

1. Before you can even try to submit something to the FSB for certification, you must obtain a license to develop those same cryptographic systems. Estimated price: $20,000*.

2. Once you have the license and a system, its certification will cost around $80,000*.

3. And now the simplest part: persuade potential users (the tax inspectorate, for example) to use your system.

And leave your notions of a market at the door; they do not apply here. There are no alternatives and no competition. Even the School Portal pales in comparison.

4. The problem of the regions. There were cases when a region (there is life beyond the Moscow Ring Road!) simply could not use the technology that was “handed down” from above. Not enough staff, not enough knowledge, and so on.

* The amounts given here are, of course, not official payments. The money goes as “consulting services” to certain firms that “help” with the process.

4. As a result?


No, not everything is so bad, and there are prophets in their own country. For example, CryptoPro has now reached a normal level and has even made friends with CryptoAPI. But that is only now, in 2007. And, really, only in the large cities of the regions.
The tax office and the banks seem to use EDS. And that is it. Nobody else yet.

So using digital signatures in other areas remains, for now, an unrealizable dream.

Of course, in this overview I did not mention many juicy details, but I think they would be superfluous in this article. I wanted to show the real reason why things are so bad with introducing EDS in various areas of our life.

Of course, comments are welcome; I do not have much time for replies, but I will try.

With love,
maniaque

Source: https://habr.com/ru/post/28653/
