
Electronic signature in Bitrix24. Theory and experience of implementation

A well-established mechanism for reacting quickly to a changing reality is one of the rules of a successful business. Modern trends demand being more mobile, faster and more convenient, both for the client and for oneself. Yet we spend many hours signing documents that require the participation of more than one or two parties, and even longer when the staff are hundreds of kilometres away. The road to mobility may run through the EDS, the electronic digital signature.

In this article we discuss the types, advantages and disadvantages of the EDS, the integration options, and how an EDS was implemented in practice on the Bitrix24 corporate portal.


About operation and terminology


The EDS is a convenient tool that has long been familiar to almost everyone who works with remote document flow. Implementing it on the Bitrix24 corporate portal, however, turned out to be a non-trivial task. Our acquaintance with this integration began with two client tasks:


  1. Standard: embed remote signing of documents.
  2. Non-standard: give employees scattered across the territory of Russia a reliable way to submit advance reports on time.

First, however, let us understand what an EDS is and how it is used.


A personal signature is one of a person's identifiers. Legally, and without consequences, only that person, by their own hand, may reproduce it. If the hand is not capable and an important transaction must not fall through, a special notarial procedure is performed and a trusted person signs instead.


Let us not hide it: signatures are forged. It is a matter of skill and practice. Although verification techniques exist (pressure, stroke thickness, line shape), only the holder of the signature is its guarantor: any squiggle incomprehensible to others is recognised as legitimate on the word of its author.


Significant transactions require a second layer of "personal signature protection". The person is asked to present a photo ID and to sign in the presence of a confirming party, a notary. The latter guarantees that the signatory will fulfil the clauses of the contract, power of attorney or statement.


But the parties to a process are not always within reach of one another. There is the post, but it is expensive and time-consuming.


This is where the electronic signature comes in. It comes in three types (Federal Law No. 63-FZ of 06/04/2011 "On Electronic Signature").


  1. Simple electronic signature (PEP). This is the familiar login-password pair. The obvious shortcomings of a PEP start with low reliability and end with the absence of any mechanism protecting against changes. Sometimes it can even be used in court (for example, a document sent by e-mail, since there is a login and a password), but this is difficult and does not work in every case.


  2. Unqualified electronic signature. The prefix "enhanced" is often used, though the legislation has no such definition. Unlike a PEP, it:


    • is the result of a cryptographic transformation;
    • contains the identifier of the signer;
    • makes it possible to determine whether changes have been made to the electronic document.

  3. Qualified electronic signature. Also often called "enhanced". This is the same as the unqualified one, but with two important additions:


    • The certificate is issued by an accredited certification authority (hereinafter CA). The CA checks all the necessary documents and acts as the guarantor of the authenticity of the data. Information about the author of the signature is stored at the CA, so in the event of a dispute or misunderstanding the personal data can be checked; for this reason each certificate contains information about the certification authority that issued it.
    • The signing software is certified by the FSB of Russia.

info

Everywhere in the text, EDS means an enhanced qualified or enhanced unqualified signature.


Let us sum up the interim result. An unqualified signature is valid only between parties who have entered into an agreement recognising it as valid. A qualified signature can certify almost any document, and such documents will be legally binding; working with a CA is the analogue of notarisation. The exception is invoices used for VAT offset: electronic invoices are transmitted only through electronic document management operators, and even an invoice signed according to all EDS rules but sent by e-mail will not be valid.


The choice of signature type depends only on the needs of the business processes.


What comes out? Document formats with an EDS


The next question is what we get as output. A document with a facsimile? With a watermark? What format can a document with an EDS take?


There are two possible outcomes:


  1. Container ("ordinary" signature). As a rule this is an archive in "*.sig" format containing the signed documents, information about the certificate with which the signature was made, and the signature itself. A file of this format can be opened only with special software; the usual Adobe Reader or MS Office will not do, as they are not adapted to work with cryptography. Alongside the data, signature and certificate, the user can also keep an unsigned copy of the document.



  2. "Built-in" (embedded) signature. We receive a file of the same format that we submitted for signing; the signature and certificate data are placed in special areas of the signed document. Such a signature is possible only for files of the following formats:


    • PDF. The signature is invisible in the body of the document but is displayed in the signature panel. If desired it can be visualised, for example as a stamp; clicking on it shows the signature data. Incidentally, this is the form in which documents for the tax inspectorate (IFNS) are usually signed and sent (the XML variant is also used).



    • MS Office. The signature is placed in a special area of the document and is visible in the signature panel or in the file properties.



    • XML. The signature, together with its data, is placed in a dedicated element of the same XML envelope, without changing the original data.


info

The "embedded signature" option is the most convenient to use, and it is this option that the rest of the article discusses.


Non-obvious subtleties of the EDS


  1. The different parties can sign one document only in a uniform way: either all by EDS or all on paper (for example, a contract between the Customer and the Contractor). A signature on paper is not valid in electronic form, and a signature in electronic form is not valid on paper; these are two different documents.


  2. A document can be signed any number of times: first the employee signs, then the accountant, then the CEO.


  3. Several documents already signed with an EDS can be signed as one package (archive) by a completely different EDS. The other documents in the package keep their own EDS and remain legitimate.


  4. Documents can be signed with an EDS automatically. Suppose you have generated an invoice for payment in the CRM: it is signed automatically, you can send it to the client, and the invoice is legally valid.


About the tools and their capabilities


Having sorted out the types of signature and the forms of the result, we turn to the choice of tools, keeping in mind the specific task: integrating an EDS into the Bitrix24 corporate portal.


An important step is choosing the software vendor for the EDS implementation. The choice fell on the recognised leader of the industry, with a range of tools unmatched in the Russian Federation: CryptoPro. To solve our problem the vendor offered several tools.


CryptoPro CSP (SKZI)


The CryptoPro CSP crypto-provider is installed locally on the user's PC. It signs documents by accessing a certificate in the registry, on an eToken or RuToken, a smart card or other media.



Signature process


  1. "Automatic" mode (i.e. embedded in the portal). When a file is uploaded to the server and "Sign" is clicked, the browser plug-in calls CryptoPro CSP, which signs the file with the selected keys stored in the registry or on the client's eToken. In this mode only a "regular" (container) signature or an XML signature can be produced, since only the hash of the document is transmitted; signing inside a PDF or MS Office document does not work.


  2. In "manual" mode (i.e. outside the portal) the signature is generated by the client itself with the software it uses. For example, to sign an MS Office document, MS Office, CryptoPro CSP and CryptoPro Office Signature must be installed. In the MS Office interface the user adds a signature to the document, using CryptoPro as the crypto-provider; the signed file is then uploaded to the personal account with the "attach document" function.


Pros



Cons



CryptoPro DSS


CryptoPro DSS lets you create a digital signature through a browser. No installation on the user's PC is required; documents can be signed from any device, anywhere. Certificates with keys are stored in a secure module on specially deployed CryptoPro servers.



In CryptoPro DSS, you can configure the user authentication method:



How the document signing process works


The user clicks Sign. A signing request is sent to CryptoPro DSS. The portal asks for a PIN to access the certificate (if such a requirement is configured), and the user receives a one-time password by SMS. After correct entry the document is signed and saved on the portal, and then sent along the planned route. The client sees only the final result and does not need to switch to another window. Importantly and conveniently, the result comes back in the same format: pdf -> pdf, docx -> docx.


Pros



Cons



CryptoPro DSS lite


This is the "lightweight" version of CryptoPro DSS, intended for signing documents in a browser with an EDS. The difference from DSS is that the software installed on the user's PC serves as the crypto-provider, which allows USB tokens and smart cards to be used for signing.



DSS lite works in "DSS mode" (i.e. as part of the DSS product), and the signing process is similar to DSS. Clicking "sign" sends the file to the DSS lite server, which computes the document hash and, through a plug-in, requests access to the crypto-provider (the CSP installed on the user's PC). The welcome difference is that PDF and MS Office documents come back in their original form with the signature embedded in the document itself, not in a container.


Pros



Cons


info

Incidentally, the functionality of DSS and DSS lite allows a visual stamp, seal or signature image of your choice to be added to the document. The EDS itself is invisible; the stamp is only a visualisation.


Practical experience of implementation


An EDS is indeed the right solution, above all for the immutability of the transmitted documents, the mobility of business processes and the saving of time.


This was the task set for us: to implement signing on the 1C-Bitrix24 corporate portal. We needed the right functionality, ease of use and a sensible budget.


But, as everyone knows, theory is often at odds with practice. Solving real problems is harder, but more interesting.


A large biopharmaceutical company had two tasks:


  1. Automate the business process of document approval.


    Its feature: the ability to select specific participants in the approval and their sequence. The project had to be implemented on the standard business process module of the 1C-Bitrix24 corporate portal, and it was important for the customer to have a visual, simple and intuitive interface.


    This task was solved without any difficulties. It cannot be left unsaid, though, that the standard business process module is not especially attractive or clear. So, a piece of advice: if you need a beautiful, complex business process "tailored for you", it is better not to use the standard module. It imposes a framework, constrains you and leaves no room to move.


  2. Implement an electronic signature on the 1C-Bitrix24 corporate portal for advance reporting.


Pre-project work


The company has a department whose main task is to distribute goods through promotion, lobbying and other forms of personal influence on doctors, pharmacists and representatives of the medical industry.


For this there is a staff of sales representatives scattered across the country, from Kaliningrad to Vladivostok. Each agent promotes the product in his own fixed territory, most often his place of residence. He bears the costs (meetings, transport, food), and the company reimburses them. The expense reimbursement procedure is nothing other than the submission of advance reports, so familiar to us from business trips.


The key and primary step was to describe, step by step, the business process of submitting advance reports. Although it is standardised and enshrined in law, every organisation has its own specifics; we will come to them later. The ideal business-trip process, as the state conceived it, looks like this:


  1. The general director signs an order sending an employee on a business trip. Often these orders are signed retroactively, after the trip, but this does not change the legal side of the process.


  2. The seconded employee receives an advance of accountable funds and thereby becomes a debtor to the company.


  3. The sales representative goes on the trip and keeps all tickets, receipts and other supporting documents. This is the key stage for reimbursement: all papers with information about expenses are primary accounting documents, the basis for increasing expenses or reducing the taxable base (the organisation's profit). Of course, the legislation clearly states which expenses can be credited and which cannot; everything is strictly standardised.


  4. On returning from the trip the employee prepares an advance report so that the debt can be "written off". The employee attaches all supporting documents to the advance report: receipts, tickets, etc.


  5. Under Russian legislation any advance report must bear three signatures: the seconded employee, the chief accountant and the general director. In small organisations the CEO may also hold the position of chief accountant, while in large ones the signature of the employee's manager is added.


  6. After submitting the advance report the employee must return the remaining funds or receive what is still owed.


The process we needed to automate for the client is identical in function but has its own characteristics:


  1. Employees are on business trips permanently, all their working time. Even a visit to the head office is a business trip, because employees' permanent residence is, as a rule, not in Moscow.

  2. When the accountable money is running out, the next tranche can be issued only after a report on the previous one. This is where many difficulties arose, for example:


    • Because employees are far away (Siberia, the Urals), the originals of advance reports could take a very long time to arrive. Correcting mistakes wastes time and courier money and means red tape with re-signing and changing dates. It is quite likely that by the time the originals arrive the reporting period is already closed.
    • There are many employees, each reports roughly once a month, and many forget or lose something; it was hard for the accountants to reconcile the documents. Yet the accountant must record the operation in the accounting system and not forget what the employee promised to hand in or send.
    • Every employee has a cash limit, but every rule has its exceptions. These exceptions are monitored by the managers, who know the employee's specific situation.

The systematisation and optimisation of this advance reporting process in the IT environment was carried out in phases.


Implementation


Initially we looked at the problem through the lens of legislation: what restrictions it imposes, what is possible and what is not. Verdict: submitting advance reports in digital form is not prohibited.


Since this business process was to be implemented on the Bitrix24 corporate portal, we studied the question of integrating an EDS into the portal. Importantly, the whole process had to take place in single-window mode from the portal.


info

As it turned out, nobody had done anything like this before. According to CryptoPro, the recognised leader in cryptographic information protection and EDS in Russia, we were the first to integrate with their PHP service.


But the biggest difficulty was this: sales representatives use only one device, a corporate iPad. Such mobile devices do not work well with certificates in registries or on external keys (tokens, smart cards), and there are not many convenient solutions. We settled on integration with CryptoPro DSS.


As a result, the automated business process of advance reporting works as follows:


  1. Each sales representative is issued an EDS certificate, personal and in his own name (by its nature it cannot be anything else).


  2. When an advance report needs to be submitted, the employee opens the company's corporate portal on his iPad and goes to his personal balance page.



  3. There he creates a new advance report, filling in all the lines step by step. He enters the expenses from the receipts in his hands, photographs the receipts on the same iPad and attaches them to the online advance report.



    At this point a draft report is created in 1C and assigned a sequence number; this is a very important point.


  4. When everything is filled in, an advance report form is generated automatically. It is a standard form, so the probability that it will change is minimal.


  5. The employee checks the form and signs it with the EDS. The signing itself proceeds according to the following algorithm:


    • The user presses the "sign with EDS" button on the corporate portal.

    • The document is sent to CryptoPro DSS over the SOAP protocol without opening any additional windows. CryptoPro DSS identifies the user in three steps:

      • Login/password for the DSS service; for convenience these coincide with the login/password for the portal, so the user need not enter anything and proceeds straight to the second step of the check.

      • A PIN code of 4 or 5 digits (chosen by the user). The DSS service can now use the certificate stored in its registry on the server.

      • A one-time password sent by SMS to the mobile phone. One document, one SMS.



        Incidentally, CryptoPro allows leaving only the PIN code or only the SMS as the check, to save time. The customer's accountants did exactly that, leaving only the PIN code.


    • The signed document is sent to the employee's manager, who checks the report form and the limits and compares it with the photographs of the receipts. If something is wrong, the document is returned to the employee with comments; if everything is in order, the manager signs it with a cloud EDS and sends it to the next approval step.

    • The accountant also signs the document with an EDS and sends it to the general director. Only at this stage can the accountant post the completed and saved advance report in 1C; from this point on a new tranche may be issued.

    • The general director signs the report with an EDS. In fact the director's signature is already a formality required by law: the report has been checked by the manager and the accountant, and the documents for the new trip can already be prepared.

    • After that the employee is issued new funds, his virtual account on the corporate portal is replenished and the balance is updated.

    • The employee is notified that the expense report has been signed. He sends the original receipts to the head office, and the accountant checks them against the report. As a rule everything matches, but if fraud is detected and a receipt is missing (even though it is in the photo), the advance report is corrected in 1C and measures are taken against the employee.
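As an added illustration (not code from the article, from CryptoPro or from Bitrix24), the following Go program models the two properties the approval route above and the "automatic" CSP mode rely on: each participant signs only the document's hash, and any later edit to the file invalidates every signature in the chain. The Signer, Signature, ApprovalRoute and Verify names, the use of ECDSA P-256 in place of the GOST algorithms a Russian CA certificate would carry, and the in-memory key standing in for the key DSS keeps on its server are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer is a certificate holder; its in-memory ECDSA key is an assumed stand-in for the key CryptoPro DSS keeps server-side.
type Signer struct {
	Name string // the signer identifier an enhanced signature carries
	key  *ecdsa.PrivateKey
}

func NewSigner(name string) (*Signer, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Signer{Name: name, key: k}, err
}

type Signature struct {
	Signer string
	Pub    *ecdsa.PublicKey
	Digest [32]byte
	Sig    []byte
}

// Sign signs only the SHA-256 digest, as the article's "automatic" mode does: the provider gets the hash, not the file.
func (s *Signer) Sign(doc []byte) (Signature, error) {
	d := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, d[:])
	return Signature{s.Name, &s.key.PublicKey, d, sig}, err
}

// ApprovalRoute has each participant (employee, manager, accountant, director) sign the same file in turn.
func ApprovalRoute(doc []byte, route []*Signer) (chain []Signature, err error) {
	for _, s := range route {
		sig, e := s.Sign(doc)
		if e != nil {
			return nil, e
		}
		chain = append(chain, sig)
	}
	return chain, nil
}

// Verify checks each signature against the file as it is now; any edit after signing invalidates all of them.
func Verify(doc []byte, chain []Signature) (ok bool, signers []string) {
	d := sha256.Sum256(doc)
	for _, s := range chain {
		if s.Digest != d || !ecdsa.VerifyASN1(s.Pub, d[:], s.Sig) {
			return false, signers
		}
		signers = append(signers, s.Signer)
	}
	return true, signers
}

func main() {
	employee, _ := NewSigner("employee")
	report := []byte("constructed advance report no. 17: taxi 1200 RUB")
	chain, _ := ApprovalRoute(report, []*Signer{employee})
	fmt.Println(Verify(report, chain)) // true [employee]
}
```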


info

During the integration of the portal with CryptoPro DSS there were difficulties on CryptoPro's side: for some reason their software refused to work according to its own documentation. Ultimately, though, CryptoPro showed professionalism and fixed the errors.


Result


At the moment the system has been rolled out and is working. A unique integration module has been developed that transfers data over the SOAP protocol. For the user this means no clicking on links and no leaving the corporate portal window to sign documents; it is very convenient. For companies with many remote employees and multi-stage signing of documents, an EDS integrated in this way is a lifeline in the sea of paperwork and courier services.




Source: https://habr.com/ru/post/330126/

