
Is there an alternative to MS Windows, Internet Explorer and a CSP when accessing personal accounts on the Government Procurement portal, the portal of the Federal Tax Service of Russia and the State Services portal?

image

Let us give the answer straight away: yes, it is both possible and necessary. Not by refusing those tools, but by giving citizens and organizations the opportunity to use other operating systems, browsers and means of cryptographic information protection (SKZI). The answer to the question of how is to comply with standards and technology. Why not use authenticated access over the https protocol (the client presents a certificate) for access to personal accounts? Then there would be no need to use only a CSP à la Microsoft with support for Russian cryptography. PKCS#11 tokens (both the international standard and the standard supported by TC-26), the PKCS#12 standard (also TC-26) and other standard-based tools would come into demand. In that case it would no longer be about MS Windows, Internet Explorer and a CSP, but about browsers or other programs that support https with Russian cipher suites. That may be Internet Explorer, a modification of the same Mozilla Firefox, or finally Google Chrome, or a proxy such as stunnel.

How do things stand today? In principle, there is groundwork. Already today we can get into the personal account over authenticated https with Russian cipher suites both on the portal of the Federal Tax Service of Russia and on the public procurement portal. And for this we need neither MS Windows nor Internet Explorer, and not even a CSP, contrary to what the documentation on these sites says.

PKCS#11 token


For the demonstration we will use a cloud PKCS#11 token as the SKZI. In principle, any token with support for Russian cryptography that complies with the PKCS#11 v2.30 standard can be used if we are talking about the GOST R 34.10-2001 electronic signature (recall that this standard is valid only until December 31, 2018, and in fact from January 1, 2018 certificates of electronic signature verification keys must be obtained in accordance with GOST R 34.10-2012 if we want to save our money). If the electronic signature verification key certificates follow GOST R 34.10-2012, then the token must comply with the PKCS#11 v2.40 standard.
So, our task is to show an alternative to MS Windows. It can be OS X, Linux, Android, etc. Let us settle on Linux. As the browser, consider the Redfox browser, a Mozilla Firefox build modified to support Russian cryptography.

The first thing to do is to obtain a personal certificate on the PKCS#11 token at a Certification Authority accredited by the Ministry of Communications. If some CA cannot issue certificates on PKCS#11 tokens, that is not a problem either. Let it issue the certificate on a CSP, but when generating the key pair it will be necessary to mark the private key as exportable. After that, using the P12FromGostCSP utility, we export the certificate and key pair to a secure PKCS#12 container. Then we import the certificate and keys into the token that is to be connected to the Redfox browser. You can make sure that the PKCS#11 token in your hands supports Russian cryptography and that your personal certificate is installed on it with the p11conf utility. To make sure the token supports Russian cryptography, just look at its mechanisms (GUI for MS Windows):

image

To check that the token holds your certificate and private key, it is enough to see which objects are on it (Linux GUI):

image

At the same time, do not forget to import the CA root certificates into the browser's certificate store.
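As an added example (not the article's code, and not p11conf), here is a Python script that performs the same object check the screenshot above is meant to show: it pairs each certificate on the token with a GOST R 34.10 private key by CKA_ID, which is how PKCS#11 links a certificate to its key, and flags certificates that were imported without their key. The PKCS#11 constants are the standard v2.40 values; the `read_token_objects()` helper, the PyKCS11 package it relies on and the module path are assumptions, and the `SAMPLE_OBJECTS` list is constructed, not captured from a real device.

```python
"""Check that a PKCS#11 token holds a GOST certificate together with its private key.

Added example, not code from the original article or from p11conf. The pairing
logic works on plain attribute dicts so it runs without hardware; the
read_token_objects() helper fetches those dicts from a real module through the
PyKCS11 package (assumed installed; the module path is a placeholder).
"""

# Attribute types, object classes and key types from PKCS#11 v2.40 (pkcs11t.h)
CKA_CLASS, CKA_LABEL, CKA_KEY_TYPE, CKA_ID = 0x000, 0x003, 0x100, 0x102
CKO_CERTIFICATE, CKO_PRIVATE_KEY = 0x1, 0x3
CKK_RSA, CKK_GOSTR3410 = 0x00, 0x30


def pair_gost_keys(objects):
    """objects: dicts with 'class', 'id' (bytes), 'label' and, for keys, 'key_type'.
    Returns (label, id_hex) for each certificate whose CKA_ID matches a
    GOST R 34.10 private key; CKA_ID is how PKCS#11 links a cert to its key."""
    gost_key_ids = {o["id"] for o in objects
                    if o["class"] == CKO_PRIVATE_KEY and o.get("key_type") == CKK_GOSTR3410}
    return [(o["label"], o["id"].hex()) for o in objects
            if o["class"] == CKO_CERTIFICATE and o["id"] in gost_key_ids]


def unpaired_certificates(objects):
    """Certificates with no GOST private key on the token (the import probably lost the key)."""
    paired = {id_hex for _, id_hex in pair_gost_keys(objects)}
    return [o["label"] for o in objects
            if o["class"] == CKO_CERTIFICATE and o["id"].hex() not in paired]


def token_ready(objects):
    """True when at least one certificate is backed by a GOST private key."""
    return bool(pair_gost_keys(objects))


def read_token_objects(module_path, pin):
    """Enumerate certificates and private keys via PyKCS11 (assumed API).
    Private keys are private objects, so a login is required to see them."""
    import PyKCS11
    lib = PyKCS11.PyKCS11Lib()
    lib.load(module_path)                        # the vendor's .so; placeholder path
    slot = lib.getSlotList(tokenPresent=True)[0]
    session = lib.openSession(slot)
    session.login(pin)
    objects = []
    for obj in session.findObjects([(CKA_CLASS, CKO_CERTIFICATE)]):
        label, obj_id = session.getAttributeValue(obj, [CKA_LABEL, CKA_ID])
        objects.append({"class": CKO_CERTIFICATE, "label": label, "id": bytes(obj_id)})
    for obj in session.findObjects([(CKA_CLASS, CKO_PRIVATE_KEY)]):
        label, obj_id, key_type = session.getAttributeValue(obj, [CKA_LABEL, CKA_ID, CKA_KEY_TYPE])
        objects.append({"class": CKO_PRIVATE_KEY, "label": label, "id": bytes(obj_id),
                        "key_type": key_type})
    session.logout()
    session.closeSession()
    return objects


# Constructed sample of what a token might report (not captured from a real device)
SAMPLE_OBJECTS = [
    {"class": CKO_CERTIFICATE, "label": "Ivanov I.I. (GOST 2012)", "id": b"\x01"},
    {"class": CKO_PRIVATE_KEY, "label": "Ivanov I.I. (GOST 2012)", "id": b"\x01",
     "key_type": CKK_GOSTR3410},
    {"class": CKO_CERTIFICATE, "label": "Legacy RSA cert", "id": b"\x02"},
    {"class": CKO_PRIVATE_KEY, "label": "Legacy RSA key", "id": b"\x02", "key_type": CKK_RSA},
    {"class": CKO_CERTIFICATE, "label": "Cert imported without key", "id": b"\x03"},
]

if __name__ == "__main__":
    print("paired:", pair_gost_keys(SAMPLE_OBJECTS))
    print("unpaired:", unpaired_certificates(SAMPLE_OBJECTS))
    print("ready:", token_ready(SAMPLE_OBJECTS))
```

Against a real token, replace `SAMPLE_OBJECTS` with `read_token_objects("/path/to/vendor-pkcs11.so", pin)`; a certificate that shows up in `unpaired_certificates()` is the typical symptom of a PKCS#12 import that brought over the certificate but not the key, which the browser will then list but cannot use for client authentication.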

Portal of the Federal Tax Service of Russia


The personal account of a citizen on the portal of the Federal Tax Service of Russia is available via a direct link:

image

After selecting the appropriate certificate, the citizen lands in his personal account:

image

At the same time, the access channel to the personal account is protected:

image

Now you can view all the information relating to you, pay taxes, etc. Now about the electronic signature in the personal account.

Today an electronic signature is usually produced with plug-ins. And if until recently this still had an excuse, because NPAPI plug-ins were available for almost all browsers, today the situation has changed dramatically. Google dropped NPAPI support more than a year ago and switched to plug-ins on the Google Native Client platform. Mozilla Firefox, from version 53.0, has also dropped NPAPI plug-ins and supports the WebAssembly standard. WebAssembly is an open standard developed by Mozilla, Google, Microsoft and Apple. As you can see, this group represents the developers of the four most common browsers, so in the future one can count on WebAssembly developing into a universal standard. But that is a prospect.

That is why it would be reasonable to abandon plug-ins (especially considering that GOST R 34.10-2001 ceases to apply and GOST R 34.10-2012 comes into force) and give citizens the right to decide where and how to sign documents with an electronic signature. They would then "bring" the documents, i.e. documents with an electronic signature, to the personal account in PKCS#7/CMS format. Moreover, this format is supported by TC-26. This is more correct from a security standpoint than storing the private key, for example, at the Federal Tax Service of Russia.
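Added example, not from the article: the portal-side check this paragraph implies. When a citizen brings a PKCS#7/CMS document, the receiving side can tell from the algorithm OIDs alone whether it was signed under GOST R 34.10-2001 or GOST R 34.10-2012, before any verification. The script below is a minimal DER walker that collects the OIDs from a SignedData blob and classifies them. The OIDs are the registered ones from RFC 4357/4490 and the TC-26 arc (RFC 7836); the SignedData skeleton it builds for itself is constructed filler, not a real signed file; no signature is verified. It goes beyond the page in handling both the 256- and 512-bit 2012 variants.

```python
"""Classify the signature algorithms in a DER-encoded PKCS#7/CMS SignedData.
Added example, not code from the original article: it walks the DER structure,
collects every OBJECT IDENTIFIER and reports whether the signer used
GOST R 34.10-2001 or GOST R 34.10-2012. No signature is verified."""

OID_SIGNED_DATA = "1.2.840.113549.1.7.2"  # id-signedData (RFC 5652)
GOST_2001_OIDS = {"1.2.643.2.2.19", "1.2.643.2.2.3", "1.2.643.2.2.9"}  # key, sig, digest (RFC 4357)
GOST_2012_OIDS = {"1.2.643.7.1.1.1.1", "1.2.643.7.1.1.1.2",  # gost3410-12-256/512 public key
                  "1.2.643.7.1.1.2.2", "1.2.643.7.1.1.2.3",  # gost3411-12-256/512 digest
                  "1.2.643.7.1.1.3.2", "1.2.643.7.1.1.3.3"}  # signwithdigest-gost3410-12-256/512

def der(tag, content):
    """Wrap content in a DER TLV, using the long-form length when needed."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    """Encode a dotted OID as a complete DER TLV (used to build the sample)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128 with continuation bits, big-endian
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return der(0x06, bytes(body))

def decode_oid(content):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if not arcs or value:
        raise ValueError("malformed OID")
    first = arcs[0]                      # first two arcs are packed as 40*X + Y
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def collect_oids(buf, pos=0, end=None):
    """Walk the DER elements in buf[pos:end]; return every OID in document order."""
    end = len(buf) if end is None else end
    oids = []
    while pos < end:
        tag, first = buf[pos], buf[pos + 1]
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tags are not supported")
        pos += 2
        if first < 0x80:
            length = first
        elif 0 < (first & 0x7F) <= 4:    # 0x80 alone is BER indefinite length, not DER
            n = first & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        else:
            raise ValueError("unsupported DER length")
        content_end = pos + length
        if content_end > end:
            raise ValueError("truncated DER element")
        if tag == 0x06:
            oids.append(decode_oid(buf[pos:content_end]))
        elif tag & 0x20:                 # constructed element: descend into it
            oids.extend(collect_oids(buf, pos, content_end))
        pos = content_end
    return oids

def classify_signature(der_blob):
    """Report which GOST OID families appear in a SignedData blob."""
    oids = collect_oids(der_blob)
    return {"signed_data": OID_SIGNED_DATA in oids,
            "gost_2001": sorted(set(oids) & GOST_2001_OIDS),
            "gost_2012": sorted(set(oids) & GOST_2012_OIDS)}

def acceptable_after_2018(der_blob):
    """The article's rule: once GOST R 34.10-2001 expires, only 2012 signatures pass."""
    r = classify_signature(der_blob)
    return r["signed_data"] and bool(r["gost_2012"]) and not r["gost_2001"]

def build_sample(sig_oid, digest_oid, pubkey_oid):
    """Constructed SignedData skeleton: only the AlgorithmIdentifier positions
    are meaningful; key and signature bytes are zero filler, not a real CMS."""
    alg = lambda oid: der(0x30, encode_oid(oid) + b"\x05\x00")  # AlgorithmIdentifier {oid, NULL}
    signer_info = der(0x30, alg(digest_oid) + alg(sig_oid) + der(0x04, bytes(64)))
    cert_stub = der(0x30, alg(pubkey_oid) + der(0x03, bytes(65)))
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, alg(digest_oid))
                      + cert_stub + der(0x31, signer_info))
    return der(0x30, encode_oid(OID_SIGNED_DATA) + der(0xA0, signed_data))

# Constructed samples: a 2012-256 signature and a legacy 2001 signature
SAMPLE_2012 = build_sample("1.2.643.7.1.1.3.2", "1.2.643.7.1.1.2.2", "1.2.643.7.1.1.1.1")
SAMPLE_2001 = build_sample("1.2.643.2.2.3", "1.2.643.2.2.9", "1.2.643.2.2.19")

if __name__ == "__main__":
    for name, blob in (("2012", SAMPLE_2012), ("2001", SAMPLE_2001)):
        print(name, classify_signature(blob), "accepted:", acceptable_after_2018(blob))
```

To run it on a real file, pass the bytes of a `.p7s`/`.sig` produced by a GOST-capable signer to `classify_signature()`; the walker only follows constructed elements, so it reads the algorithm identifiers in the certificates and SignerInfos without touching the signed content. A document that passes `acceptable_after_2018()` still needs its signature and certificate chain verified by an SKZI before it is trusted.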

Unified procurement information system


But let us go further. The Government Procurement portal actually provides access to two different personal accounts: the personal account under 44-FZ and the personal account under 223-FZ:

image

Access to the personal account under 223-FZ goes through the State Services portal, i.e. by presenting a certificate. Here we only note that since the certificate of an individual who was not registered on the public procurement portal was presented, access was denied:

image

And so we go to the personal account under 44-FZ:

image

Here we are offered a choice of two more branches for accessing the personal account. As it turned out, they are technologically identical:

image

After clicking the "continue working with the site" button, you will be asked to present a personal certificate:

image

After the certificate is checked, a secure connection is established, but unfortunately we will not get access to a personal account: we simply do not have one, since we are an individual (see the screenshot above). But those who are registered on the public procurement website successfully log in to their account and can work in it.

image

As for the State Services website and access to a personal account on it, there is no point in repeating it; you can read about it here.

And so, what do we expect?

I would like access to electronic services, especially on the eve of the digital economy, to be carried out over authenticated https based on Russian cryptography using a variety of operating systems and browsers. Secondly, if a signed document has to be presented, the citizen must sign it himself using only his own stored private key and transfer the signed document to the portal.

What does this give? It gives the most important thing: the citizen is tied neither to a specific OS, nor to a specific browser, nor to a specific SKZI. Citizens and organizations will use the PKI standards regulated by TC-26 and any cryptographic information protection tools certified in the certification system of the Federal Security Service of Russia. The computer literacy of the population of Russia will grow, the FAS of Russia will have less work, no one will talk about (or rather impose) the use of specific tools; there will be only standard interfaces and protocols...

Source: https://habr.com/ru/post/334162/
