
USB carriers for electronic signatures. What are the carriers of an electronic signature

An electronic digital signature (EDS) issued by the certification center is stored on a special medium called a token. The medium looks like a regular USB flash drive, but differs in its internal software design. There are several types of tokens, and the user and the manufacturer are equally responsible for the use of the electronic medium.

Rutoken is a Russian trademark owned by the Aktiv company. The company creates hardware and software products in the field of authentication, information security and electronic signature. It issues smart cards and tokens for using the private EDS key and the EDS verification key. They are built in accordance with EDS cryptographic algorithms and are certified by the Federal Service for Technical and Export Control (FSTEC), as well as the Federal Security Service (FSB).

Tokens can be supplemented with RFID tags created using contactless information exchange technology using specific electromagnetic radiation. The EDS key carrier is a small electronic device (USB stick). It has a built-in password protected memory card. The card contains a private key required to create an EDS.

User authentication with a token takes place in 2 stages: first the token is inserted into a USB connector, then a password is entered and the connection to the server terminal is made. After the token is disconnected, the session is automatically blocked.

The device provides a secure connection to Internet networks and protected web resources. Rutokens are equally used in commercial and government organizations, as well as by individuals. The latest developments of the company made it possible to carry out document encryption operations both in the computer and inside the token, which provides increased EDS protection against viruses and third-party attacks.

Types of USB tokens

Rutoken EDS 2.0 was created to ensure the safe storage of EDS keys in internal memory and does not provide the ability to export information. It is used in electronic document management (EDM) and remote banking services. This Rutoken received the first certificate of conformity from the FSB on 10/34/2012 on such items as:

  • EDS creation and verification;
  • hashing function calculus algorithm;
  • the process of calculating the hash function.

Rutoken S differs in that it provides two-stage authentication of the owner and protects encryption keys, digital signatures and digital certificates. It is usually used in the EDM of government organizations, because the algorithms built into the token comply with the requirements of the regulators.

Rutoken Bluetooth saves the EDS certificate and certifies electronic documents created on mobile devices with iOS and Android operating systems. It has the full functionality of a regular token, but works over the Bluetooth wireless protocol. Data transmission security is ensured by sophisticated encryption algorithms.

The functions of Rutoken PINPad include displaying the document on the screen before the EDS is affixed in it. The device protects:

  • from all types of online fraud;
  • from attacks generated by remote control;
  • from making changes to the document when sending it for signature.

Rutoken's built-in memory is used for:

  • safety of software distributions (software);
  • launching applications in automatic mode when connecting a digital media;
  • lightweight OS boot.

With the help of Rutoken, you can also install a new OS and check its operability and integrity using the checksums that are written in the encrypted key area. The memory of the carrier is already 64 Gb. Rutoken PINPad received the FSB certificate of conformity in the KS2 class and meets the requirements of Federal Law No. 63-FZ.

The main purpose of Rutoken Lite is to authorize the computer system and protect the user's personal data. Built-in memory provides secure storage of the private key and EDS, passwords and other information.

What to look for when choosing the EDS key carrier

When choosing the carrier of the electronic signature key, you need to make sure that the manufacturer or authorized dealer has a license to release and sell the device. A Rutoken is chosen according to its area of application: if it is intended for work in a private company with official information or with government agencies, then it is better to choose a certified token with a set of drivers and additional utilities. The USB device must be accompanied by its operating documentation.

If the user intends to use Rutoken to store several certificates, then it is better to choose a device with a large amount of memory. Models marked with "EDS" have built-in cryptography and do not require additional installation of a cryptographic provider. However, they can only work with software that supports the PKCS#11 interface. To use Rutoken only in the Unified State Automated Information System (EGAIS), the simplest flash drive version 2.0 is suitable.

Security of using USB-tokens

To ensure safe work with tokens, you need to adhere to the following rules:

  • buy a device from official suppliers;
  • receive an EDS certificate in a certification center that has a valid accreditation from the Ministry of Telecom and Mass Communications of the Russian Federation;
  • provide the necessary level of personal information literacy (for yourself and the company's employees).

It is also necessary to have reliable means of protecting information that establish the authenticity of the owner of the signature or the person gaining access to the data. Authentication assumes that in the process of cryptographic calculations, the recipient of the information will be sure of the identity of the sender.

User responsibility

During production, a standard password is set for each token - 1234567890. Before use, the user enters this code, after which he must change the password to a personal one. This will ensure the safe use of the EDS key carrier and protect the PC from third-party intrusions.

The user is also obliged to keep the token in a safe place and ensure its safety from external damage.

Manufacturer's responsibility

The manufacturer of the USB drive is responsible for the absence of functions on the token that could harm its owner. To do this, each of the devices must have a certificate from the FSB and FSTEC (Federal Service for Technical and Export Control).

The FSTEC certificate is a confirmation that:

  • there are no undeclared features in the program;
  • the device protects data from third-party access;
  • the device provides information storage and authentication.

The FSB of the Russian Federation certifies cryptographic information security tools. The presence of a certificate is a confirmation that the medium of the private key can be used to generate EDS, sign and verify signatures, encrypt data.

How to buy a token

The clients of the Center receive full support of the transaction, including:

  • initial consultation;
  • paperwork;
  • selection of a certified device;
  • sending the product to the customer.

All documents are drawn up in accordance with the requirements of the Federal Laws of the Russian Federation. The originals are sent to the postal address indicated in the application, and copies are sent to e-mail. Delivery times vary by region and range from 1 to 5 business days.

Rutoken is a secure digital device designed to store a private EDS key. Tokens differ in functions, memory size, the ability to use with mobile devices and cryptographic options. When purchasing Rutoken, the user must proceed from its subsequent use and the required amount of memory. The simplest drives are designed only to work with EGAIS, and PINPad tokens can be used even in the work of government agencies. By purchasing a media, the user assumes responsibility for its storage and correct use. To purchase, you must contact certified centers and require all accompanying documents.

When contacting the Certification Center, the head of the organization receives a set of software tools for creating an EDS, recorded on a special carrier of the electronic signature key. Currently, a USB device (eToken) and a smart card are used in this capacity.

What information is recorded on the media

The system of certification and protection of electronic documents is based on the following principle. Using a special encryption program, the sender generates a private key - this is a unique set of characters that is never repeated. On the basis of the private key, a paired public EDS key is created for it. With its help, the program encrypts the letter, and the recipient checks the signature, decrypts and reads it. Thus, the electronic signature verification key is a public key available to all users of the electronic document management system.

The right to transfer data via the EDM system is received only by a user who legally acquired an EDS in the Certification Center (CA). In doing so, he receives a secure physical medium called an eToken, which is inserted into any device with a USB connector. The device has its own built-in memory, which records:

  • a private key to create a unique signature by the sender;
  • the partner's public key for encrypting the transmitted document and checking the letters received from it;
  • EDS verification key certificate - a file created by the CA and confirming the ownership of the EDS tool to the certificate owner.

Thus, the carrier of the electronic signature key is a hardware tool that works autonomously from a computer and stores all programs and information necessary for the operation of an EDS. They cannot be rewritten to another device, and an attempt to hack a device physically ends in the loss of information. You can only lose it. A smart card protects electronic signatures from hacking even better, but it is used less often because a special reader is required to use it.

How to get an electronic signature key

EDS tools for exchanging documents with government agencies can be purchased on a paid basis only at an accredited CA. On the website of each of them, you can find information on how to obtain an electronic signature key. As a rule, this requires only the manager's passport and his SNILS. After paying for the service, the applicant will receive an electronic signature key carrier, instructions on how to install the EDS key, and a certificate in paper form.

To work with the Federal Tax Service and other government agencies, the owner must receive from the CA, on the basis of an application, a key for verifying the electronic signature - this is, accordingly, the public key of the organization with which he intends to exchange documents. The public keys of organizations and entrepreneurs are entered by the Certification Center into the register, which is provided for use by the Federal Tax Service and other organizations.

Compromise of an electronic signature key

The private, or secret, key should only be kept by the owner. It serves two purposes:

  • generates an electronic signature;
  • decrypts the resulting file.

If it is lost or stolen, it is impossible to read the sent documents. If something like this still happened, or there was a suspicion that the key was hacked (it is found when the signature verification program is launched upon receipt of the document), then the key can no longer be used.

Thus, the compromise of an electronic signature key is the fact of access to the key by unauthorized persons, or a suspicion of the possibility of such an event. When it occurs, the ES owner must notify the Certification Center, which will add it to a special list and revoke the certificate. A signature created after this point is considered invalid.
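How a verifier can apply this rule, as an added example (not code from the original page or from any certification center's software). All names, serial numbers and dates are constructed; the owner-reported compromise date and the handling of untrusted signing times go beyond the rule stated above.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional


@dataclass(frozen=True)
class Certificate:
    serial: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class RevocationEntry:
    revoked_at: datetime                          # when the CA added it to the list
    compromised_since: Optional[datetime] = None  # owner-reported date, if any


def utc(year, month, day, hour=0):
    """Build a timezone-aware UTC timestamp."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def assess_signature(cert: Certificate,
                     revoked: Dict[str, RevocationEntry],
                     signed_at: datetime,
                     time_is_trusted: bool) -> str:
    """Return 'valid', 'not_yet_valid', 'expired', 'revoked' or 'unprovable'.

    time_is_trusted is True only when signed_at comes from an independent
    timestamp, not from a value the signer wrote into the document.
    """
    if signed_at < cert.not_before:
        return "not_yet_valid"
    if signed_at > cert.not_after:
        return "expired"

    entry = revoked.get(cert.serial)
    if entry is None:
        return "valid"

    # Whoever holds a stolen key can backdate a self-declared signing time,
    # so once the certificate is revoked an untrusted time proves nothing.
    if not time_is_trusted:
        return "unprovable"

    # Treat the earlier of the two dates as the point of compromise.
    cutoff = entry.revoked_at
    if entry.compromised_since is not None:
        cutoff = min(cutoff, entry.compromised_since)
    return "revoked" if signed_at >= cutoff else "valid"


# Constructed sample data: two one-year certificates, one of them revoked.
CERT = Certificate("0A1B-CONSTRUCTED", utc(2023, 3, 1), utc(2024, 3, 1))
OTHER_CERT = Certificate("0C2D-CONSTRUCTED", utc(2023, 3, 1), utc(2024, 3, 1))
REVOKED = {
    "0A1B-CONSTRUCTED": RevocationEntry(
        revoked_at=utc(2023, 9, 10, 12),
        compromised_since=utc(2023, 9, 8),
    ),
}

if __name__ == "__main__":
    cases = [
        ("before compromise, trusted time", CERT, utc(2023, 6, 1), True),
        ("between compromise and revocation", CERT, utc(2023, 9, 9), True),
        ("after revocation", CERT, utc(2023, 9, 11), True),
        ("claimed early date, untrusted time", CERT, utc(2023, 6, 1), False),
        ("after certificate expiry", CERT, utc(2024, 4, 1), True),
        ("certificate not on the list", OTHER_CERT, utc(2023, 6, 1), False),
    ]
    for label, cert, when, trusted in cases:
        print(f"{label}: {assess_signature(cert, REVOKED, when, trusted)}")
```
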

A simple and unqualified electronic signature (ES) can be stored on any media, since there is no indication in this regard in the Federal Law No. 63-FZ “On Electronic Signatures”. The storage of qualified electronic signature should be taken seriously. This signature is equated to a handwritten signature, it is used in electronic trading and when concluding important transactions with counterparties. Therefore, it is safer to store it on a secure medium certified by the FSB.

Protected media for qualified electronic signature

Token (eToken, Rutoken, etc.)

Reliable and convenient storage medium in the form of a USB stick. Suitable for most applications, except for EGAIS. With its help, you can send a report to the tax office or Rosstat, sign an agreement and participate in electronic trading. To sign documents using a token, you need to install a cryptographic information protection tool (CIPF) on your computer.

Token with built-in cryptographic information protection tool (Rutoken EDS, Rutoken EDS 2.0, JaCarta PKI / GOST / SE)

A medium that looks like a regular token, but has a built-in cryptographic protection tool. Using an electronic signature on such a medium, you can sign documents on any computer without purchasing additional software. Rutoken EDS is suitable for remote banking services, working on state portals, submitting reports and document flow. It is not designed to work with trading floors and EGAIS. Rutoken EDS 2.0, like JaCarta PKI / GOST / SE, are used only for working with EGAIS.

Additional protection of electronic signature

Access to signature by pin-code

Each removable electronic signature medium is protected by a PIN code - a combination of characters that must be entered to get access to the signature. The PIN code is entered every time a document is signed or the electronic signature is accessed in any other way. By default, the code is standard, but you can remove it altogether or change it to your own. We have prepared change instructions for Rutoken, eToken, JaCarta. If necessary, contact the CA, and our specialist will help you change the PIN code.

Signature copy protection

By default, electronic signature keys are allowed to be copied to other media. You can turn on copy protection if you like. To do this, when placing an application, inform the manager that you need a non-exportable electronic signature key. In this case, it will be impossible to copy the signature from the media, since any attempt to export files will generate an error.

Unprotected carriers for qualified electronic signature

In theory, electronic signature can be written to any removable media. But files on a USB disk, floppy disk, or other medium are not protected in any way. If attackers steal and decrypt them, they will be able to sign any documents. Therefore, we do not recommend storing electronic signature files on such media.

Writing an electronic signature to the laptop's registry is a popular, but also unsafe option for storing a signature. Anyone who gains access to the system will be able to sign documents or create a copy of the key. If you need to move to another workplace, you will need the help of a qualified specialist to transfer the electronic signature key. The electronic signature can be completely lost if something happens to the computer.

What you need to remember when storing a qualified electronic signature

One media - for one employee
If you write the electronic signatures of different employees to one medium, then the confidentiality of private keys will be violated. And by law, all signatures will be invalid.

You cannot transfer your digital signature to another person
An electronic signature is an analogue of a handwritten one. It serves as an identifier for the owner. If you give the electronic signature to another person, and he signs a document with which you do not agree, then you will not be able to challenge this decision.

Electronic signature cannot be stored in the public domain
A qualified electronic signature must be stored in a safe or other secure place. A medium that just lies on the table can be easily stolen to sign a couple of "extra" documents. And when you notice this, then even in court you will not be able to prove your innocence.

When changing the details, change the e-signature
Has the company changed its name, has the ES owner resigned or changed his position? Change your signature. Do not delay this, so as not to run into a bundle of payments signed by someone unknown, and not to violate clause 1 of Art. 2 of the Federal Law No. 63-FZ "On Electronic Signature", which requires accurate identification of the owner of the electronic signature. To replace the electronic signature, contact the manager who issued it. Or contact the certification center "Tensor" in a convenient way for you.

Renew your signature on time
If you do not renew the electronic signature, it will become invalid. And you will not be able to sign any electronic document until you receive a new electronic signature at the certification center. Read about how to renew an electronic signature in our article.

Protect your workplace
Antivirus software protects you from any unpleasant surprises. Viruses are capable of imitating the behavior of the signature owner in order to sign several documents an attacker needs. And it will be difficult to prove that the signature was not put by you.

Do not store passwords on pieces of paper
This rule is the foundation of computer security. It applies not only to electronic signatures, but to all other areas. The password from the token, carefully written on a sticker near the computer, will indescribably please the intruder.


Application
  • Ensuring strong two-factor user authentication in operating systems and business applications (Microsoft, Citrix, Cisco Systems, IBM, SAP, Check Point), for example,
    - to access personal computer data;
    - access to files located in the local network of the provider or the corporate network of the company;
    - organization of secure remote access (VPN), etc.;
  • Protected storage of key information from Russian cryptographic information protection tools (CryptoPro CSP, Crypto-COM, Domain-K, Verba-OW, etc.);
  • Protection of private keys of electronic digital signature (EDS) of users in electronic document management systems, formation of EDS of documents and transactions, ensuring secure work with e-mail;
  • Protection of private EDS keys for users of remote banking systems.

Certified by FSTEC of Russia.

Rutoken Lite

Manufacturer: Company "Aktiv"
Application


Rutoken Lite devices are protected carriers of private keys for electronic signatures for accessing various resources, for electronic document management and remote banking services. On the Rutoken Lite key carrier, you can store secret keys or digital identifiers and read them, if necessary, upon presentation by the user of a PIN-code. Rutoken Lite provides two-factor authentication on computer systems. Successful authentication requires the fulfillment of two conditions: the user's knowledge of a unique password - PIN-code and his possession of a unique item - the device itself. This provides a much higher level of security compared to traditional password access.

Certified by FSTEC of Russia.

JaCarta LT

Manufacturer: Company "Aladdin R.D."
Application

JaCarta LT is a USB token for two-factor authentication and secure storage of keys, key containers of certified Russian cryptographic information protection tools, user profiles and passwords, as well as license information from independent software developers. It stores key containers for almost all software cryptographic tools (CryptoPro CSP, VipNet CSP, etc.). Offered as USB tokens in a Nano package.

Certified by FSTEC of Russia.

JaCarta SE (for EGAIS)

Manufacturer: Company "Aladdin R.D."
About the device

The newest product of the company "Aladdin R.D." - USB-token JaCarta PKI / GOST / SE is designed for electronic signature and strong two-factor authentication in specialized information systems.

JaCarta PKI / GOST / SE is simultaneously a means of electronic signature (ES) and a means of access to protected information resources of specialized systems, and also serves as a secure storage for keys and key containers of software cryptographic information protection tools.
The USB token has increased operational durability due to its unique miniature plastic housing. It is resistant to dust and moisture.

Certified by FSTEC and FSB of Russia.

Rutoken EDS 2.0 (for EGAIS)

Manufacturer: Company "Aktiv"
About the device

Electronic identifier with hardware implementation of Russian standards for electronic signature, encryption and hashing. Provides secure storage of electronic signature keys in the built-in protected memory without the possibility of exporting them.

Rutoken EDS is designed for secure two-factor user authentication, generation and secure storage of encryption keys and electronic signature keys, encryption and the electronic signature itself "on board" the device, as well as storing digital certificates and other data.

On the State Services portal, there are several stages of registration, which open up different opportunities for users. One of the stages of user initiation is an electronic signature, thanks to which you can log in to your personal account, as well as order electronic services.

Initially, electronic signatures were used only by legal entities that preferred to communicate with tax authorities electronically. It made it possible to protect the documentation when sent for verification to the appropriate authorities. Later, this practice in a broad sense was adopted for individuals.

An electronic signature is a way to confirm the authenticity of a document. When creating an electronic signature, various types of encryption are used, so it can have a different appearance. This short cipher is then attached to the main document to be emailed.

The ES is valid for a year, after which it is necessary to renew its validity with the purchase of a new key or certificate. Please note that the service is chargeable. Its specific cost depends on the conditions that are included in the contract. To date, the minimum amount of electronic signature for individuals is 700 rubles. You can get acquainted with the tariffs on the official website of the certification center "RosIntegration".

Types of electronic signature

There are 3 types of electronic signature:

  • Simple;
  • Unqualified;
  • Qualified.
  1. A simple electronic signature is often used in everyday life. It is a one-time code. Users constantly encounter such data encryption, for example, when confirming a payment from a bank card. To successfully complete the operation, you must enter the code that is sent to the phone number associated with the card.
  2. Unqualified ES is used in electronic documents. Users rarely encounter it in everyday life, because its registration is possible only in the control center. With the help of this type of electronic digital signature, you can “certify” your letters to government agencies when sending them electronically. However, the service itself has privacy restrictions.
  3. A qualified electronic signature is an equal analogue of a paper signature for an individual. And in the case of legal entities, it can also replace the seal of the organization. Thanks to this type, documents can be sent by e-mail to any authority. There is no need to personally confirm any information.

How to get an EDS for the State Services website?

A simple and a qualified electronic signature are used to work with the State Services portal. Obtaining either kind of identifier is directly related to registration on the site. However, because these ES types differ in nature, the procedures for obtaining them differ significantly.

Important! A qualified electronic signature has more weight than a simple one, as it opens access to all portal services. The main difference is that a simple EDS gives access to viewing information, for example, about the amount of fines. However, only with a qualified electronic signature, the user becomes able to send applications for services in electronic form.

Creating a simple electronic signature

A simple electronic signature is created at the first stage of user registration on the portal. This is the so-called "simplified registration", which requires the visitor only to enter certain data into the database. Everything is done remotely and does not take very long.

A simple type of signature is assigned to absolutely all users of the portal, since this happens immediately after registration.

  1. If you click on the "Personal Account" button, not only the login form will appear, but also under it there will be a link to the registration form, which must be selected.
  2. The first page contains basic data about the user: full name, phone number, e-mail.
  3. The system automatically generates the first simple electronic signature of a new user. The code is sent either by e-mail or to the phone in the form of SMS. The received code must be entered in the field that opened after filling out the first registration page. This signature confirms the visitor's desire to continue the design of the profile on the portal. However, even though a simple electronic signature has been generated and validated, its creation does not end there.
  4. After entering the one-time code, there are still empty fields that must be filled in. In addition to a permanent password, the client must specify data on documents that will confirm his identity: SNILS, passport, TIN.

The information uploaded to the service is sent for verification. And if the data on them coincide with the data of the general database, the client can use the resource. In fact, at this stage, the creation of a simple electronic signature is over. The user can enter the portal, view the available information.

The reduced functionality of the portal can be expanded if you upgrade the simple electronic signature to an unqualified one. To do this, you must personally contact the Russian Post or. You must have a passport and SNILS with you. Employees of government agencies check that the documents match those specified in the profile settings. If these are really your documents, a one-time code is issued, which is entered in your personal account in the profile settings. After it is entered, the State Services portal reveals its full potential.

Note! Registration on the State Services portal is not required if the user initially contacts the MFC to create a simple electronic signature. After that, it is enough to select the entrance using SNILS at home.

Creation of a qualified electronic signature

A qualified electronic signature is issued on a USB stick at the control center. You need to contact the institution that creates a qualified electronic signature in your locality by phone and order an electronic signature. After that, you must personally come to the office with your passport. There are various tariffs at which the ES is created. To work with the State Service portal, the minimum tariff is suitable.

Together with a flash drive, which carries information about the electronic signature, the client receives software for installation on his computer, a license and a certificate. At home, you will need to install the program and insert the USB flash drive into the USB connector. In the authorization form on the State Service portal at the bottom, you must select "Login by electronic means". And then select the path to the removable media.

What can be used for EDS?

An electronic signature on the State Services is used to open access to all the features of the site:

  • Sending an application for obtaining certificates, statements and so on;
  • Payment of state fees with a 30% discount, if this is provided for by a specific service.

Additionally, an individual has the opportunity to send a tax return via the Internet. Also, legal entities continue to use ES. But at the same time, it is necessary that the certificate be filled out in the name of a person authorized to work with the State Services portal from his company.
