Electronic signature. Cloud electronic signature: advantages, disadvantages and ways of development
(EP) in the cloud. Basically, this topic is discussed by IT-specialists. However, with the development of services electronic document management(EDO), subject specialists - accountants, secretaries, and others - began to get involved in the topic of cloud ES.
Let me explain, a cloud-based electronic signature implies that your private ES is stored on the server and the signing of documents takes place there. This is accompanied by the conclusion of relevant contracts and powers of attorney. And the actual confirmation of the signer's identity occurs, as a rule, using SMS authorization.
The need to use cloud ES by an accountant depends on the mode in which he works. If you are often out of the office, or, for example, work for a company that provides accounting services (accounting outsourcing), then cloud-based ES will help you sign documents from anywhere. It does not need to install any additional However, despite the ease of use, not all companies are ready to use this feature.
So that you can choose for yourself whether you need a cloud-based electronic signature or not, we will consider all the pros and cons of using it. And also think about who might really need such a signature. By the way, in this article we will only talk about enhanced (hereinafter - UKEP).
Behind
Cloud electronic signature is cheaper than usual. This is mainly due to the fact that you do not need to purchase a cryptographic information protection tool (CIPF) and a token (flash drive with a certificate). As a rule, taking into account their acquisition, the price of the product takes off by 2-2.5 times.
Convenience and ease of use. To work with a cloud-based electronic signature, you do not need to install both the electronic signature certificate itself and special means to work with her. This means that you will not waste time figuring out how it all works.
Mobility. On this moment common and free solutions to use a non-cloud electronic signature on mobile devices Not yet. In this regard, a huge advantage of a cloud-based electronic signature is that you can work with it from any computer, tablet, smartphone with Internet access.
Against
You do not physically sign the document. You need to understand that in the case of a cloud-based electronic signature, the private part of the key, which is confidential and should belong only to you, will be located on the server of the certification center. Of course, this will be documented, and the servers themselves are securely protected. But here it all depends on the company's security requirements and on the documents associated with signing. If it is important for you that the owners of the private keys themselves sign the documents, then a cloud-based electronic signature will not suit you. In this situation, it is up to you to decide how much you trust the CA and the servers that store the private keys.
You can use cloud-based ES only in those services with which there is integration of the certification center software. This is also due to the fact that in the case of cloud ES, the private key is stored on the CA server. In order for the service you need to be able to use such a private ES key for signing, it needs to be able to send a request for generating an electronic signature to the CA server. It is clear that at the moment there are many services and all of them will not be able to provide integration with the CA software. It turns out that you will have to use cloud ES only with certain services. To work with other services, you will have to buy another ES certificate, and there is no way that these services will support any kind of cloud-based electronic signature.
And what?
Cloud electronic signature is a convenient, mobile and simple tool, but not the most flexible. And in terms of security, perhaps storing the private key on a secure server would be better than keeping a token in a drawer.
Who really needs an electronic signature? First of all, those who often work outside their office in the office. For example, auditors who often visit clients. Or and for whom it is important to sign documents anywhere. For them, a cloud-based electronic signature will become an indispensable assistant in their work.
Also, a lot depends on the policy of the company. If an organization moves towards cloud technologies, for example, in terms of storing documents, using services for internal and external document management, then electronic signatures will most likely also be cloud-based. Otherwise, accountants, clerks and other employees who usually do not leave their office during work do not need a cloud-based electronic signature. They can purchase an ES private key and an ES certificate in the usual mode, on a carrier that can be used in most services for exchange with counterparties and government agencies.
Recently, we often talk about electronic signature (ES) in the cloud. Basically, this topic is discussed by IT-specialists. However, with the development of electronic document management services (EDF), subject specialists - accountants, secretaries, auditors and others - began to get involved in the topic of cloud ES.
Let me explain, a cloud-based electronic signature implies that your private ES key is stored on the server of the certification center, and the signing of documents takes place there. This is accompanied by the conclusion of relevant contracts and powers of attorney. And the actual confirmation of the signer's identity occurs, as a rule, using SMS authorization.
The need to use cloud ES by an accountant depends on the mode in which he works. If you are often out of the office, or, for example, work for a company that provides accounting services (accounting outsourcing), then cloud-based ES will help you sign documents from anywhere. There is no need to install any additional software. However, despite the ease of use, not all companies are ready to use this opportunity.
So that you can choose for yourself whether you need a cloud-based electronic signature or not, we will consider all the pros and cons of using it. And also think about who might really need such a signature. By the way, in this article we will only talk about enhanced qualified electronic signature (hereinafter - UKES).
Behind
Cloud electronic signature is cheaper than usual. This is mainly due to the fact that you do not need to purchase a cryptographic information protection tool (CIPF) and a token (flash drive with a certificate). As a rule, taking into account their acquisition, the price of a certificate soars by 2-2.5 times.
Convenience and ease of use. To work with a cloud-based electronic signature, you do not need to install either the electronic signature certificate itself or special tools for working with it. This means that you will not waste time figuring out how it all works.
Mobility. At the moment, there are no common and free solutions for using a non-cloud electronic signature on mobile devices. In this regard, a huge advantage of a cloud-based electronic signature is that you can work with it from any computer, tablet, smartphone with Internet access.
Against
You do not physically sign the document. You need to understand that in the case of a cloud-based electronic signature, the private part of the key, which is confidential and should belong only to you, will be located on the server of the certification center. Of course, this will be documented, and the servers themselves are securely protected. But here it all depends on the company's security requirements and on the policy associated with signing documents. If it is important for you that the owners of the private keys themselves sign the documents, then a cloud-based electronic signature will not suit you. In this situation, it is up to you to decide how much you trust the CA and the servers that store the private keys.
You can use cloud-based ES only in those services with which there is integration of the certification center software. This is also due to the fact that in the case of cloud ES, the private key is stored on the CA server. In order for the service you need to be able to use such a private ES key for signing, it needs to be able to send a request for generating an electronic signature to the CA server. It is clear that at the moment there are many services and all of them will not be able to provide integration with the CA software. It turns out that you will have to use cloud ES only with certain services. To work with other services, you will have to buy another ES certificate, and there are no guarantees that these services will support any cloud-based electronic signature.
And what?
Cloud electronic signature is a convenient, mobile and simple tool, but not the most flexible. And in terms of security, perhaps storing the private key on a secure server would be better than keeping a token in a drawer.
Who really needs an electronic signature? First of all, those who often work outside their office in the office. For example, lawyers and auditors who often visit clients. Or executives and directors for whom it is important to sign documents anywhere. For them, a cloud-based electronic signature will become an indispensable assistant in their work.
Also, a lot depends on the policy of the company. If an organization moves towards cloud technologies, for example, in terms of storing documents, using services for internal and external document management, then electronic signatures will most likely also be cloud-based. Otherwise, accountants, clerks and other employees who usually do not leave their office during work do not need a cloud-based electronic signature. They can purchase an ES private key and an ES certificate in the usual mode, on a carrier that can be used in most services for exchange with counterparties and government agencies.
In the traditional understanding of the electronic signature (ES), which is familiar to the vast majority of users, the key of this very signature is stored by its owner. Most often, a certain secure key carrier in the format of a USB token or smart card is used for this, which the user can carry with him. This key carrier is carefully guarded by the owner from unauthorized persons, since the key falling into the wrong hands means its compromise. To use the key on the owner's device, a specialized software(SKZI), designed to calculate the EP.
On the other hand, in the IT world, the concept of "cloud computing" is increasingly being used, which in many ways has a lot of advantages compared to using traditional applications installed on the user's computer. As a result, there is a completely natural desire to take advantage of these advantages of cloud technologies to create "ES in the cloud".
But before solving this problem, it is necessary to define what we mean by "electronic signature in the cloud". Currently, in different sources you can find different interpretations of this concept, often suitable only for explaining on the fingers to a person "from the street" who went to the Certification Center to "buy an electronic signature".
What is a qualified electronic signature in the cloud
For the purposes of this article, as well as other popular science and practical discourses on cloud electronic signature, it is proposed to use the following definition.
Electronic signature in the cloud (cloud electronic signature) is a computing system that provides access via the network to the possibilities of creating, verifying ES and integrating these functions into the business processes of other systems.
In accordance with this definition, a local ES tool can also be used for a cloud-based electronic signature. For example, using , the user through a web browser can sign electronic document using the ES tool installed on its end device ( Personal Computer or tablet). In such a system, the signing key remains with the owner and security issues are resolved using standard set means known in the world as "traditional EP". You can call it if you like cloud ES with local ES tool.
Another version of the cloud ES is obtained with using an ES tool hosted in the cloud. For the convenience of further presentation, let's call such a schemecompletely cloud-basedto distinguish it from the previous one. This scheme regularly causes heated discussions among specialists, since it involves the transfer of the signature key itself “to the cloud”. This article is intended to clarify a number of issues related to the security of a completely cloud-based ES.
Let's start with the main
The main headache when transferring any IT system “to the cloud” is the pain of “security officers” (and lawyers helping them) associated with the transfer of information “there” for processing or storage. If earlier this information did not leave some protected perimeter, and it was relatively easy to ensure its confidentiality, then in the cloud the very concept of the perimeter is absent. At the same time, the responsibility for ensuring the confidentiality of information is, in a sense, “blurred” between its owner and the cloud service provider.
The same thing happens with the ES key transmitted to the cloud. Moreover, the ES key is not just confidential information. The key must be available only to one person - its owner. Thus, trust in a cloud signature is determined not only by the personal responsibility of the user, but also by the security of storing and using the key on the server and the reliability of authentication mechanisms.
Currently, certification tests of our solution are being carried out. This is a cloud ES server that stores user keys and certificates and provides authenticated access to them to generate an electronic signature. Both of the above-mentioned aspects of the security of cloud-based ES in particular are the subject of research conducted during the testing of CryptoPro DSS. At the same time, it is worth noting that a significant part of these issues has already been considered in the framework of case studies. , on which CryptoPro DSS is based.
In our country, the organizational and legal aspects of using cloud ES are still poorly developed, so in this article we will consider CryptoPro DSS from the point of view of the requirements for the signature server developed by the European Committee for Standardization (CEN).European way
October 2013 The European Committee for Standardization (CEN) approved the technical specification CEN/TS 419241 "Security Requirements for Trustworthy Systems Supporting Server Signing". This document requirements and recommendations are given for an electronic signature server designed to create, among other things, qualified signatures.
I would like to note that even now CryptoPro DSS fully complies with the requirements of this specification in the strongest version: the Level 2 requirements for the formation of a qualified electronic signature (in terms of European legislation).
One of the main requirements of Layer 2 is to support strong authentication options. In these cases, the user is authenticated directly at the signing server - as opposed to being allowed for Level 1 authentication by an application that accesses the signing server on its own behalf. All authentication methods supported by CryptoPro DSS satisfy this Level 2 requirement.
In accordance with this specification, user signature keys for the formation of a qualified ES must be stored in the memory of a specialized secure device (cryptographic token, HSM). In the case of CryptoPro DSS, such a device is the CryptoPro HSM cryptographic hardware and software module - certified by the FSB of Russia at the KB2 level as an ES tool.
Authentication of the user on the digital signature server to meet the requirements of Level 2 must be at least two-factor. CryptoPro DSS supports a wide, constantly updated range of authentication methods, including two-factor ones. In addition to the usual cryptographic tokens, a specialized smartphone application, such as one-time password generators (OTP tokens), can also be used as an authentication tool. The CEN document also mentions these methods.
Another promising method of Layer 2 authentication could be the use of a cryptographic application on the SIM card in the phone. In our opinion, this option for using SIM cards with cryptography is the most realistic, since it is hardly possible to build a functionally complete CIPF (or ES tool) according to the new requirements of the FSB on the basis of only a SIM card.
Technical specification in question also allows the use of an electronic signature server to generate signatures for a certain set of documents at once. This opportunity can be useful when signing a large array of homogeneous documents that differ only in data in a few fields. In this case, user authentication is performed once for the entire package of documents. Support for this use case is also available in CryptoPro DSS.
The CEN document also contains a number of requirements for the formation, processing, use and deletion of user key material, as well as for the properties of the internal key system electronic signature server and audit. These requirements are fully and even "with a margin" covered by the requirements for ES tools of class KB2, according to which the CryptoPro HSM PACM, which is responsible for these issues, is certified.
Our future
The CryptoPro DSS solution supports a wide range of authentication methods, among which it is possible to choose the right one for each task. The reliability of the safest of them meets the most stringent criteria of European requirements CEN / TS 419241 and, as we expect, in the near future will be confirmed by a certificate of conformity from the FSB of Russia.
Alexey Goldbergs,
deputy technical director
LLC "CRYPTO-PRO"
Stanislav Smyshlyaev, PhD,
head of information security department
LLC "CRYPTO-PRO"
Pavel Smirnov, Ph.D.,
Deputy Head of Development Department
LLC "CRYPTO-PRO"
Popular
- All profitable business niches
- Top bucks that pay in dollars
- Earning on comments
- Similar to vktarget. Vktarget reviews. How to get more tasks on the VKtarget project - basic recommendations
- How to start earning in the game Farm Neighbors?
- Cash farms with withdrawal
- Earn money for just sitting on the Internet!
- Choosing equipment for the production of cotton gloves Business plan for the production of work gloves
- Barbecue business: how to open a barbecue
- How to open a marriage agency from scratch?