Get an electronic signature on Android. We sign applications on a smartphone using the FreeSigner program. Security system from a smartphone

Get an electronic signature on Android. We sign applications on a smartphone using the FreeSigner program. Security system from a smartphone

Interaction in in electronic format makes us more mobile. The invention of electronic signature mechanisms has made it possible to make the exchange of information more mobile with confirmation of integrity and authorship. And the use of electronic signatures on mobile devices is a logical evolutionary step and a new degree of freedom in our dynamic world.

Maxim Chirkov
Head of Service Development
EP of the company "Aladdin R.D."

Modern Russian legislation defines three types of electronic signature: simple electronic signature, enhanced unqualified electronic signature (unqualified electronic signature) and enhanced qualified electronic signature (qualified electronic signature).

Simple electronic signature

If we talk about a simple signature, then we can say with confidence that almost each of us has come across this type of signature on our phone, smartphone or tablet. This mechanism has long been adopted by institutions of the credit and financial sector and a number of online services. Indeed, each of us received so-called one-time passwords or one-time generated hyperlinks to confirm certain actions in personal account remote banking systems (RBS), management of telecom operator services, etc. It is important to note that when using a simple electronic signature, there is no way to check the signed data for changes since the moment of signing.

Unqualified electronic signature

A strengthened unqualified electronic signature is created using cryptographic means and allows you to determine not only the author of the document, but also check it for changes. To generate this type of signature, you can use tools with implemented well-known algorithms (RSA, DSA, GOST 31.10-2001, etc.). The main application is internal systems integrated with PKI, such as email, corporate portals, electronic document management systems, management systems, etc. When using Western algorithms, there are no particular difficulties in working on mobile platforms with these familiar systems, since the main common mobile operating systems contain the necessary cryptography and functionality. Moreover, it is good practice for developers to release corporate systems special mobile applications (mobile clients) with an adapted interface, even if the system has a Web interface and is accessible from a regular mobile browser.


In addition to internal corporate tasks, an unqualified electronic signature can also be used in intercorporate systems and public service systems. But we must understand that in order to recognize this type of electronic signature as an analogue of a handwritten signature, it is necessary to carefully study the regulations for electronic interaction and the use of electronic signatures, legal aspects and consolidate them in the agreement.

Qualified electronic signature

Technological difficulties of working with GOST signature and encryption:

  1. Operations required to hack the internal mechanisms of a mobile phone operating system.
  2. Issues arise with placement in public software repositories. since in fact this operation can be subsumed under the export of cryptography.
  3. When certifying an electronic signature tool, a list of OS versions on which its use is permissible must be determined.
  4. Storing cryptographic keys on a mobile device - the device becomes a carrier of key information with a special procedure for handling it.

Despite the fact that the current version of Federal Law No. 63-FZ “On Electronic Signatures” allows, under certain conditions, to recognize an unqualified electronic signature as an analogue of a handwritten signature, more and more systems use a qualified electronic signature, which implies the use of electronic signature tools certified by the FSB of Russia with implemented Russian cryptographic algorithms, and the certificate must be certain type and issued by an accredited certification center. The number of such centers, according to the Ministry of Telecom and Mass Communications, as of August 15, 2013 is 296 organizations. The undeniable advantage of a qualified electronic signature is its recognition as an analogue of a handwritten signature in all systems without additional conditions. Since the use of this type of electronic signature on mobile platforms raises the most questions, let’s consider the technologies that exist on the market.

Technologically, the difficulty of working with the “GOST signature” lies in the fact that mobile platforms do not contain tools that implement the required cryptographic algorithms. The most logical step is a completely software implementation of digital signature and encryption tools. Despite the apparent simplicity of implementation, many questions arise. Firstly, some products of this kind require operations to hack the internal mechanisms of the mobile operating system, for example Jailbreak on the iOS platform and UnlockRoot on Android, which cannot but affect overall security. Secondly, since such implementations contain Russian cryptography, questions arise with placement in public software repositories both from the policies of the repository owner and from the regulator, since in fact this operation can be subsumed under the export of cryptography. Thirdly, when certifying an electronic signature tool, a list of OS versions on which its use is permissible is necessarily determined, but new versions of mobile OS are released much more often than for PCs. Fourthly, a completely software implementation involves storing cryptographic keys on a mobile device, so the device becomes a carrier of key information with a special procedure for handling it.

Cryptography on a smart card

Hardware implementation of cryptography on an external device (smart card) is devoid of most of the above disadvantages. Indeed, keys generated in permanent key mode are stored on a smart card, which provides a much higher level of protection for key information than when stored directly on the mobile device itself. Issues related to the distribution of CIPF are also eliminated, since applications using the card do not contain cryptography.

Moreover, PKI smart cards with a MasterCard or Visa payment application and various radio tags “on board”, which contain a CIPF certified by the FSB of Russia, are already available on the market. These cards have been defined as a “single electronic employee ID” and allow not only to generate electronic signatures, store key information, authenticate both on regular PCs and on mobile devices, but also act as a visual pass, pass for access control systems and a salary card. The latter forces the user to pay great attention to the personal means of authentication, electronic signature and identification.


Connecting such cards to a mobile device on the iOS platform (iPad or iPhone) is done using a special smart card reader via the Apple Dock or Lightning connectors. Additionally, the reader has a microUSB connector and can be connected to a work computer (Win/Mac/Linux) as a regular CCID-compatible reader that does not require driver installation. If the Android device allows a USB connection, the same reader can be used on this platform.

SecureMicroSD Card

Another type of external cryptographic devices for mobile platforms is the SecureMicroSD card. A smart card chip with Russian and Western cryptography is implanted into the housing of a MicroSD flash memory card. Thus, Secure MicroSD combines cryptographic capabilities and functions of a Flash memory module on any device that supports the MicroSD memory card format.

The description of technologies should be completed with so-called SIM cards with electronic signatures “on board”. They differ somewhat from classic PKI smart cards both architecturally and in the method of accessing the cryptographic subsystem. In this case, the signing procedure involves the use of the operator’s infrastructure cellular communications, which carries certain risks. However, despite this, this technology quite promising and will allow us to bring electronic signatures to the masses. To date, several pilot projects have already started with similar combined SIM cards from cellular operators.

Today, there are several technologies on the market that allow you to use digital signature from any device (phone, smartphone, tablet) from anywhere in the world. They all have both pros and cons. However, we must not forget about information security threats on mobile platforms. Only an integrated approach will make it possible to safely use services with digital signatures on such now familiar mobile devices.

Guys, we put our soul into the site. Thank you for that
that you are discovering this beauty. Thanks for the inspiration and goosebumps.
Join us on Facebook And In contact with

10 years ago, to do 10 things, you needed 10 different devices. Today, many things for us have been replaced by the smartphone. We call, write, watch TV, read media and even pay using our smartphone. But that's not all.

We are in website We found some more useful smartphone tools that can help you in your daily life.

Inscription on the lock screen

  • You've lost your phone and the screen is, of course, locked graphic key. Secret code Only you own it. It would seem that there is no hope for the return of your favorite gadget. It turns out that there is! In new Android versions you can add a message to the lock screen and, for example, ask to return the gadget.
  • “Settings” - “Screen lock and passwords” - “Signature on the lock screen”. You can leave anything - a backup phone number or e-mail.

Guaranteed return of a lost smartphone

  • If the inscription is small, then you can play it safe. Anti-theft class applications will help. They have a wide range of actions. For example, Cerberus can secretly take pictures with a camera, activate a microphone, lock a smartphone and/or delete data from it, find out its coordinates, or sound a loud alarm to attract the attention of others.

Memory saving mode

  • Sooner or later, your smartphone's memory will let you down. To avoid this, you can use a flash drive, cloud services like Dropbox, or upload photos to your computer. Or you can be original and upload the photo to Telegram Messenger.
  • Telegram allows you to send files, messages, and links to yourself. It can be freely used and how cloud storage And How notebook. Just find your own number and text as much as you like.

Security system from a smartphone

  • One of the options for using an old smartphone is to create a simple security system for your home. Motion sensor app will turn your smartphone into a surveillance camera that takes pictures whenever someone appears in the frame. Photos are sent to you immediately.
  • You can also find out more about how you can assemble such a gadget. You can use your smartphone as a baby monitor for your child(in this case you will need an application that responds to noise). But remember that for real safety it is better to use special devices.

DVR

  • Another one useful feature using a smartphone camera - video recorder. The smartphone must be secured so that the camera has maximum visibility. For maximum effect You can use applications that are designed to turn your smartphone into a DVR.
  • Of course, we are not talking about using it all the time (for this it is better to buy a good DVR). But this is useful, for example, in cases where you rent a car on a tourist trip or use car sharing.

Access to the magic menu

  • If you take your phone very seriously and spend a lot of time with it, then there is nothing wrong with spending it detailed setup. To do this, you need to go to the “Developer Menu”.
  • Settings - “About phone” - tap 7 times on the “Build number” item. Congratulations, you are now a developer! This menu has many options to improve performance, connection quality and appearance systems.

Ultraviolet detector

    An ultraviolet detector is not only fun, but also useful. For example, you can use it to check banknotes for authenticity. You can do it at home with tape, a couple of markers and a smartphone.

    You will need a smartphone with a flash (flashlight), purple and blue markers and tape. Place a piece of tape on the flash, paint it with a blue marker, add another layer of tape on top, paint it with purple, then add two more layers in the same sequence. Ready! You can find out more about this simple device

Construction level from a smartphone

  • Smartphones have long been equipped with an accelerometer and a gyroscope - sensors that allow you to determine the position of the device in space. By downloading the application for Android or iOS, you can replace a standard construction spirit level with it. At least for small household needs, it is definitely suitable. For professional construction it is better to use a separate tool.

Interesting statistics

  • If you or your loved ones have begun to notice that you literally won’t let go of your smartphone, then perhaps it’s worth thinking about. To understand how dependent you are on your phone and which application is “interfering” with you, you can find interesting statistics.
  • Doing this in iOS is as easy as shelling pears: “Settings” - “Battery” and click on the dial key to the right of the “Last 7 days” column. You will see a list of the most popular applications in descending order. But for Android you will have to install an application (yes, another one), for example, Instant.

Monochrome mode

  • To save battery power and protect your eyesight, when reading, you can use monochrome mode. To do this, in the developer’s “magic” menu you need to find the “simulate anomaly” item and turn on monochrome mode. This way your smartphone will display the picture in black and white.

Many companies have been trying to approach the problem of implementing an electronic signature on a smartphone and in the cloud since 2010–11. At that time, the “electronic government” project was actively developing. Experts and service users, not without reason, expected that most of the services in this project could be implemented in the “cloud”, which would open up the possibility of providing simple and convenient services, based, among other things, on a “cloud” electronic signature, for other projects and areas life of Russian society. However, for various reasons, e-government was implemented without an electronic signature in the cloud, and Rostelecom continues to offer familiar tokens to corporate and private users of State Services. Meanwhile, technologies that can still ensure the “take off” of the idea of ​​an electronic signature in the “cloud” already exist and are being successfully implemented.

What is an electronic signature and why does it need to be in the “cloud”?

Electronic signatures are increasingly becoming part of the everyday life of citizens and legal entities. According to the legislation of the Russian Federation (Federal Law of April 6, 2011 No. 63-FZ “On Electronic Signature”), an electronic signature is a full replacement for a handwritten signature and has full legal force. For ordinary citizens, an electronic signature provides remote interaction via the Internet with government agencies, educational and medical institutions. It allows companies and organizations to participate in electronic auctions, organize legally significant electronic document flow, and submit reports electronically to regulatory authorities.

For information

In the most general sense, an electronic signature is the result of a cryptographic transformation of an electronic document using the so-called “electronic signature key”. It allows you to unambiguously identify the person who signed the electronic document, as well as detect the fact that changes have been made to it after the moment of signing. An electronic signature is created using so-called “electronic signature tools”, which can be certified (this is a prerequisite for the formation of a qualified electronic signature) or uncertified (used for an unqualified electronic signature).

With a certain degree of simplification, we can say that the security of an electronic signature and the services provided on its basis is based on the fact that the electronic signature keys are kept secret, in a protected form, and that each user responsibly stores his signature key and does not allow incidents. And therefore, cryptographic algorithms and protocols, as well as software and hardware-software solutions based on them for generating an electronic signature, use these keys to provide the required information properties: integrity, reliability, authenticity (authenticity, non-repudiation).

“Traditional” and reliable carriers of electronic signature keys are electronic keys - a token or a smart card - which, being certified cryptographic means, must be subject to strict accounting and issued in strict accordance with the rules and requirements of industry regulators. At the same time, a bold assumption was repeatedly made among interested specialists that if it were possible to find another solution and completely get rid of tokens, switch to some “easier for the user” technology for storing signature keys, then the number of legal entities and citizens using electronic signature would increase significantly. In this regard, the transition to “cloud” storage of signature keys has long seemed to experts to be a promising solution. This idea gradually became even more relevant as smartphones and tablet computers, since connecting a token or smart card to them is far from a trivial task. “Cloud” storage of signature keys seemed to be a very convenient solution for fans of working and receiving information services directly on mobile devices without additional reading devices - tokens and smart cards.

In fact, the very idea of ​​storing the user’s electronic signature key in the “cloud”, in some “super-secure” place, for example, in an HSM (Hardware Security Module or as it is also called in the “hardware security module”) or somewhere Also, this idea is far from new. Moreover, this is a fairly common practice in a corporate environment, since the experience of using HSM to store user private keys in corporate infrastructure goes back almost ten years. Thus, the transition to this key storage technology on the scale of public services has long been considered as one of the difficult, but nevertheless potentially possible options. And in this regard, only one cornerstone security question remained: “how will a specific user-holder of an electronic signature key stored in the cloud gain access to this key”?

Access to the cloud - which option to choose?

One of the first, back in 2011–12, was the company CryptoPro to offer its “cloud” electronic signature technologies. This was the CryptoPro DSS (Digital Signature Server) service, based on the use of the CryptoPro HSM solution for storing electronic signature keys. As a method of accessing user keys, several options were offered to choose from: a multiple-time password, a one-time password, authentication using a token connected to a computer.

The first option – a reusable password – means that in order to sign something in the CryptoPro DSS “cloud”, the user must first authenticate in this “cloud” using a password. And in this regard, the user receives all the “delights” associated with using a reusable password: all security experts have been talking about the insufficient level of security of reusable passwords for decades, which is proven by many incidents with stolen password databases and often very in simple ways these passwords can be guessed or stolen.

The second option, a one-time password, involves transmitting a one-time sequence of characters for user authentication in the “cloud” via SMS or its generation using an OTP token (One Time Password). The most significant disadvantage of one-time passwords is that they are not tied to the operation that is confirmed with their help. That is, a one-time password can confirm any operation, even one created by an attacker. This fact has given rise to a large number of fraudulent schemes to “extract” these passwords from users - from fake sites and applications (phishing) to social engineering (extracting codes during personal communication). Linking to details is possible when sending a code via SMS, but this channel has long shown its complete inconsistency for transmitting confirmation codes (that is, one-time passwords), since SMS can be “intercepted” by dozens of different ways, the simplest of which is a Trojan app for a smartphone.

The third option is authentication in CryptoPro DSS using an electronic key (token or smart card), which is connected to the user’s computer. Of course, this is the safest and most common option. two-factor authentication and access to information resources and services. But, on the other hand, if the user has a token, then why does he need the CryptoPro DSS “cloud” with electronic signature keys? We install the crypto provider on the computer and the user gets the opportunity to work peacefully! Moreover, in some cases, signing documents with an electronic signature is possible in the token itself, which is one of the “best practices” in the security industry. Those. the whole idea of ​​​​simplicity and accessibility of an electronic signature in the “cloud” is killed in the bud by this option.

When analyzing the specifics of using a particular method of gaining access to electronic signature keys “in the cloud,” it should be taken into account that an electronic signature, as a rule, is accepted by some legally significant action (service). And its demand is due high level security, which is ensured by keeping the signature key secret and strong cryptographic algorithms. And if one of the authentication methods is used to access the key (reusable password, one-time password, SMS, etc.), then it turns out that the security properties of the electronic signature itself are replaced by the security properties of the authentication mechanism used. Since the security of the entire system is determined by the security of its weakest link, the electronic signature system as a whole cannot be more secure than, for example, a password for accessing signature keys. In practice, this may mean that an attacker receiving a password will allow him to sign any documents on behalf of a legal user, which is completely unacceptable for the implementation of “cloud signature” services with legally significant consequences.

Electronic signature on a mobile device. Problems and positive experiences.

Subsequently, many more serious and quite successful attempts were made to offer technologies and implement large-scale projects using “cloud” electronic signatures. These were also the operators mobile communications, and large international companies, such as Gemalto. But one of the most successful was the experience of the Finnish company Valimo, which, along with the mobile operator EMT (currently Telia Eesti), became an active participant in the Mobil-ID mobile identification project successfully implemented in Estonia. By the way, the Mobil-ID project, being a full-fledged mobile alternative to the famous Universal Electronic Card Estonia (ID cards), provided citizens with the possibility of a not quite “cloud” electronic signature. The solution allowed subscribers, using their mobile devices and special abilities SIM cards, sign electronic documents and confirm requests for e-government services. That is, the SIM card has become a means of electronic signature, and the solution generally provides services for generating a signature through interaction with a specific subscriber.

For information

The active phase of the Universal Electronic Card project in Estonia began in 2000. By the end of 2011, more than 1.1 million Estonian citizens (out of 1.6 million inhabitants at that time) had received plastic identification documents (ID cards) equipped with almost two dozen security elements: smart card chip, microprinting, hologram, etc. . An identification application was installed on the smart card chip, which required the user to enter a PIN code when interacting via the Internet with electronic government information systems, as well as an electronic signature application with its own separate PIN code. Thanks to this, the ID card has become a full-fledged means of identifying a person, on which both the personal data of a citizen of the country and the electronic signature key are stored. The only limitation was the need to use a personal computer or laptop, as well as an ID card reader.

In 2007, the Mobil-ID project was launched in Estonia, initiated by the mobile operator EMT (now Telia Eesti). The idea of ​​the Mobil-ID project was to record the mentioned citizen identification applications and his electronic signature on a SIM card mobile operator. Thus, the Mobil-ID user was able to identify himself using mobile phone, and this no longer required an ID card reader.

Currently, Mobil-ID is a Telia Eesti service - a full-fledged digital identity card in a personal smartphone (https://www.telia.ee/era/mobiil/lisateenused/mobiil-id). Mobil-ID certificates are issued by the Estonian Police and Border Guard Department, therefore, similar to an ID card, the Mobiil-ID service allows you to carry out various electronic transactions, receive e-government services, conclude contracts, sign documents with an electronic signature and vote in elections. The service is available to users both in Estonia and abroad, and although it was not a full-fledged “cloud” service, until recently it remained the only option for carrying out electronic transactions on a smartphone or tablet.

Several well-known companies on the market tried to adapt these technologies for Russia, but the Aladdin R.D. company advanced the furthest. The developer of authentication and electronic signature generation tools successfully went through the process of testing the technology at MegaFon and MTS, but, unfortunately, the project was not launched nationwide. What, in our opinion, are the reasons that did not allow the implementation of a promising project?

Firstly, SIM cards were no longer “regular SIM cards”, and due to the complexity of the tasks being solved and the requirements for them, they became several times more expensive. According to some reports, the cost increased up to 10 times, and someone had to compensate for these costs. For comparison, Estonia’s positive experience was largely due to the fact that Mobil-ID was the driving force in the project mobile operator with government participation, which could afford to incur additional costs and coordinate its actions with other operators. And in Russia, to implement a similar project, it was necessary to coordinate efforts and share costs for already 4 years largest operators mobile communications. At the same time, the solutions themselves - applications for identifying the user and generating his electronic signature - had to be installed on SIM cards of subscribers of all operators throughout the country, which greatly complicated the issues of SIM card production and the issues of their logistics on the scale of Russia, which has two orders of magnitude larger population than Estonia.

Secondly, a very complex organizational issue arose regarding the primary identification of citizens who receive SIM cards with an electronic signature. Currently, with certain reservations, any of us can buy a SIM card for ourselves, for members of our family, friends, but if this project started, then operators would be strictly obliged to carry out primary identification (for example, the way banks do now Federal law dated August 7, 2001 No. 115-FZ “On combating the legalization (laundering) of proceeds from crime and the financing of terrorism”). Accordingly, the costs and labor intensity of operators’ business processes would immediately increase significantly.

And thirdly, the eternal question arose: “Why?” What public services and services of commercial companies, provided exclusively on the basis of an electronic signature, were ready to be offered to individuals and legal entities in Russia? At that time, unfortunately, such services had not yet been provided, so there was no critical need to start the project yet.

Currently, an attempt to implement a “cloud” signature using SIM cards, announced by 1C, is ongoing. The technologies underlying this project were briefly presented mainly to Russian financial institutions (as part of the Ural Forum " Information Security financial sphere" 2017). Now there is very little information about the progress of this project and only time will tell whether users’ expectations of receiving a “cloud” signature using SIM cards from the 1C company will be met.

Another noteworthy promising attempt to implement a “cloud” signature for access from mobile devices was MegaFon’s own project. In this project, the operator proposed a compromise solution: to use an HSM to store electronic signature keys, and to provide users with access to their signature keys, a client part based on a specialized applet on a SIM card that generated simple one-time passwords.

On the one hand, the advantages of the proposed solution were obvious: there was no need to perform complex cryptographic operations on the SIM card, and, accordingly, more complex and expensive SIM cards with integrated cryptographic coprocessors were not required. The budget for such a project would be more realistic. But on the other hand, one-time passwords, which in the past were generated on OTP tokens, were again offered to access signature keys. These one-time passwords were simply “transferred” to the SIM card with all their shortcomings and limitations. Thus, again, the security of the entire electronic signature system would be replaced by the security of the signature key access password, and it would not be safer or more convenient to use than a simple one-time password.

What does the market expect from electronic signatures now?

Currently, the market is experiencing another surge of interest in cloud-based electronic signatures. It is noteworthy that this interest is predetermined by purely practical business objectives.

One of these tasks is the so-called “one-time signature”. In many areas, it is now required to provide a qualified electronic signature once, and solutions for generating such a “one-time signature” (without using signature keys again) are extremely in demand. Obviously, the “classic” options for issuing an electronic signature to clients are not entirely suitable - the timing and cost of issuing a token or smart card, deploying a crypto provider on the client’s computer, generating signature keys, issuing a certificate - all this is too complicated, expensive and time-consuming for one single signature . In such circumstances, offering a cloud signature seems to be a very suitable choice.

A case in point is real estate transactions. In particular, many developer companies and real estate traders work with clients in a certain “standard generally accepted” way: a client comes to them, and in order to register the transaction with the Federal Service for State Registration, Cadastre and Cartography (Rosreestr), it is necessary to collect installed package documents, go to this Rosreestr, submit these documents for registration, and then make another visit and receive the appropriate certificate for registration of ownership. It is noteworthy that now all this can be done electronically, at least Information Systems and the processes of Rossreestr allow this. In order to do this, you only need a qualified electronic signature of the parties to the transaction, with which the client and the developer will sign the generated package of documents. And the client only needs this operation once. Of course, real estate developers and traders, as well as other market players whose business requires a “one-time” electronic signature of the client, will not build a system for generating a signature in their infrastructure. They will use services that, by the way, some companies are already trying to offer.

For information

What does it mean when it says “an electronic signature has been issued to the client”? Every specialist will say that the signature itself is the result of cryptographic transformations of the information being signed, and the signature cannot be “issued” on a Flash media, token or smart card. And most certainly this is not just a means of signing - a direct technical means for generating electronic signatures of documents. So what is the correct use of a term that, as in other specific fields, has become a jargon?

So, an electronic signature “issued” to a specific client implies the presence of three components:

The first is an electronic signature facility. That is, directly a technical tool that implements a set of cryptographic algorithms and functions. For example, it could be a crypto provider (CryptoPro CSP, ViPNet CSP), an independent token (EDS Rutoken, JaCarta GOST) or a “cloud”.

The second is the key pair generated by the electronic signature tool. One of the keys in this pair is the electronic signature key (it is also sometimes called the “private” key), which is used to generate the signature. In the most general case, the “private” key can be stored in various places: on a computer (although this is very unsafe), on a flash drive (also unsafe), on a token (better, but unsafe), on a token/smart card in a non-removable form (the safest option). The second of the keys is the public key for verifying the electronic signature. It is necessary so that anyone can verify the correctness of the electronic signature. This key is not a secret, but is uniquely tied to the "private" key.

The third is the electronic signature verification key certificate, which is generated by the Certification Authority. Why do you need a certificate? When a person uses an existing electronic signature to generate a key pair, it will physically represent two impersonal sets of bytes. And when a person transfers a public key to someone for subsequent verification of an electronic signature, there is always a risk that this public key (an impersonal set of bytes) will be replaced by someone during the transfer process. And, accordingly, an attacker who has replaced this public key with his own will be able to impersonate a signer by simply intercepting messages, changing them and putting his electronic signature. To prevent this from happening, it is necessary to associate an anonymized set of public key bytes with the identity of a specific client, with a specific person or organization. And this is exactly what Certification Authorities (CAs) do. That is, a person or representative of an organization comes to the Certification Center, shows his passport and says: “Here I am, Ivan Ivanov, here is my electronic signature verification key. Please give me a document that this public key belongs to me – Ivan Ivanov.” And this document is the certificate. And the Certification Center is responsible for it, for its correctness. The CA is responsible (financially and administratively) for the certificates it issues. And if in some transaction a verification key certificate appears, issued in the name of Ivan Ivanov, but with a public key that does not belong to Ivan Ivanov, the CA will be responsible for this transaction. Moreover, the liability, as stated in the legislation, is about 50 million rubles. This is a very serious financial responsibility. That is, a CA is an organizational unit that deals with “matching” public keys and identities in the physical world.

In accordance with the legislation of the Russian Federation, there is a distinction between “electronic signature verification key certificate” and “qualified electronic signature verification key certificate” (qualified certificate), the first of which is issued by the Certification Center, and the second by the Certification Center accredited in accordance with the legislation of the Russian Federation. It is important to understand that the electronic signature verification key itself (public key) is a technical concept, while a public key certificate and a Certification Authority are an organizational concept.

Thus, when we say that a person has been “issued an electronic signature,” we mean that:

1. He has been given a signature device.

2. It has a key pair: open and private key, with the help of which an electronic signature is generated and verified.

3. The Certification Authority issued him a certificate for a public key, that is, the CA verified that the corresponding public key from the key pair actually belongs to this person.

And in relation to the “cloud” electronic signature, when we say that a person has been issued a “cloud” electronic signature, this means that a key pair was formed for the person in the “cloud”, they made sure that the public key actually belongs to this person, and issued the corresponding certificate, and that person was given a means to access their keys in the cloud.

Another business task is to become mobile. It's no secret that the user's attachment to the workplace with personal computer goes beyond the horizon by leaps and bounds. There are more and more scenarios for using services that involve working on a personal mobile device: usually a mobile phone or maybe a tablet.

Decision-making systems of collegial bodies, document flow, remote banking services, company management, electronic trading - these and many other services require less and less reaction time and greater mobility.

The business providing these services cannot fail to respond to these demands. And the electronic signature tools used must also meet them. And “traditional” tools, such as crypto providers and tokens, do not have the ability to work on mobile devices. And “cloud” technologies solve this problem.

Signing documents as a service - a professional bluff or a real service?

So, what is the point of a “one-time” qualified electronic signature service? When a client comes to complete a transaction, if he has a qualified electronic signature, it would be possible to collect and send documents, for example, as in the example with real estate, to the Russian Register in electronic form. And no one else should go anywhere. This is convenient, but the client needs to provide a qualified electronic signature, and where can one get it for a “one-time” signature? And recently, companies have appeared, usually Certification Authorities, which offer clients a “one-time” and “cloud” signature for little money. “We will make a qualified electronic signature for you,” such companies say. That is, a certain organization, at the client’s request, generates a key pair for him, here, in its Certification Center, issues a certificate for him, takes the collected set of documents from this person, signs on his behalf, and returns the already signed set of documents to the client himself. Of course, it’s convenient for solving a specific problem. But can such a service be considered legitimate?

In theory, under ideal conditions, this could probably be considered a “one-time” service. But from a legal point of view, from the point of view of common sense and the principles of electronic signatures themselves, enshrined in No. 63-FZ “On Electronic Signatures,” not everything is so smooth. Judge for yourself: some organization with rights incomprehensible to a particular person generates an electronic signature key for him and issues a qualified public key certificate in the name of this person. As a result, we get a complete set for generating an electronic signature, which, in its legal significance, is a replacement for your own handwritten signature. Using an electronic signature key, you can sign any documents and execute any orders that government authorities should take as a guide to action, since a public key certificate has already been issued and can be provided. The orders can be any, up to changing the first and last name. The paradox of the situation is that a person, having used such a service, no longer controls it in any way!

Of course, the legal agreements between the client and the company that are concluded to provide such services can be anything: a power of attorney for the formation of an electronic signature, an order, an agreement. The companies providing these services are very different, and they may have different legal structures, including well-thought-out ones that provide a certain guarantee of safety and quality of service. However, from the point of view of common sense, from the point of view of the principles of electronic signature, services in this form are not entirely correct. In our example of registering ownership rights to a property, nothing prevents the same company from first registering ownership rights to a client, and then in the next batch sending an application for re-registration of this ownership right to a completely different legal entity or individual. There are a huge number of fraud schemes: they have a certificate, they have an electronic signature key, they have all the details for the property itself. And nothing prevents them from using these funds, and no one will control or change this.

For information

Unfortunately, there was a precedent for a service company using an electronic signature key and a certificate for its client. Everything started logically and correctly: the Certification Center was registered and accredited, a set of certificates was issued for very real existing individuals, who were provided with “one-time” electronic signature services. But subsequently, the client’s property worth several hundred million rubles was “stolen.” An unsuspecting owner came to carry out transactions with his property, but found out that it had not belonged to him for a very long time: the property rights had been re-registered through several persons and the “final buyer” was quite respectable. The scandal was very big. Among other things, this incident marked the beginning, so to speak, of a “cleansing” of certification centers.

A scheme where a person has no control over their signature means is potentially risky large quantity fraud. Even if it is not the company that provides the service, even if it is an unreliable employee, for example, just an operator, but this will not make the fraud any less significant. Thus, a property in Moscow worth several tens of millions of rubles is half or even the entire amount of earnings of an average employee over his entire working life. Therefore, unreliable employees may decide: “let’s take away this property, and then burn it all with fire!” Thus, the scheme for providing “one-time” signature services itself has the potential for fraud. Of course, it is not a fact that these possibilities will necessarily be realized, but they exist, and they are completely real.

So, it turns out that schemes for providing “one-time” signature services are “on the verge of legality and illegality.” They can be used until someone digs deeper. In 2016, there was a big scandal with one very large bank, which also stated that they use a “cloud” qualified signature with access via SMS. As soon as all this was revealed, the bank was shocked by a series of inspections by regulators, in particular, by the Russian Federal Security Service. And very quickly the bank’s offers of these services to clients ended and were never resumed. By the way, the bank's contractor for these works was one of the most famous companies– operators of electronic reporting, one of the largest certification centers recognized by clients in the country.

Some service companies go further, although they provide a similar scheme. They also generate electronic signature keys for their clients, use a developed and more reliable system for managing the process of providing such “one-time” electronic signature services, but confirmation for signing client documents is made via SMS. For this reason, as we found out earlier, this entire system cannot be fully considered a qualified signature tool. Companies very convincingly explain that they bought a certified HSM, show paper on it: “Here we use a certified tool and confirm transactions using SMS.” But why doesn’t anyone read further on how to use this certified HSM? Meanwhile, in the “Rules of Use...”, which are an integral part of the industry regulator’s certificate, it is written that in order to provide access to HSM from the user to sign documents, it is necessary to install a set software, establish an encrypted secure channel, and so on and so forth. Because HSM is not a piece of hardware for use by arbitrary remote users, but a means for performing a set of specific operations within a specific organization, where it is possible to build a secure channel directly to this piece of hardware.

CryptoPro myDSS. Qualified electronic signature on a smartphone

Returning to the considered options for accessing electronic signature keys in the cloud, we will try to sum up some results and tell you about the complex solution CryptoPro myDSS. SafeTech specializes in transaction and document confirmation systems, especially in the banking sector, which has always been at the forefront of attacks by cybercriminals, and at the forefront of technologies to counter these attacks. This specialization allowed the company to develop its own PayControl () solution, which allows you to securely confirm operations and sign documents using a mobile phone: be it payment documents, login operations to portals or others informational resources and services.

Partnership with the CryptoPro company allowed us to find a stable niche for a comprehensive solution: a method for generating signature confirmations based on PayControl technologies was introduced into the CryptoPro DSS cloud service. The joint solution leverages advanced cloud-based key management and electronic signature functionality and provides a secure, mobile and convenient way to access signing functionality. In a complex solution, in order for the “cloud” (server part) to perform the signing, it needs permission to perform this action. The sanction depends on four components: time, the content of the document being signed, the unique characteristics of the smartphone, as well as a unique key that is stored on the user’s smartphone in a protected area. Of course, this is far from a one-time or multiple-password scheme; SMS, which in itself is unsafe, is not used here - this is a significantly more secure technology for confirming transactions and documents. And it is implemented in the form of a mobile application for modern mobile platforms.

Having developed and documented the scheme collaboration, the companies CryptoPro and SafeTech implemented it and submitted the solution for certification to the Federal Security Service Russian Federation. At the moment, it can be argued that comprehensive solution CryptoPro myDSS () as a whole, including the server part (in which the electronic signature keys are stored in the HSM), a system for managing signature generation processes on the server side, a smartphone application (which visualizes the document being signed to the user and develops sanctions for signing), as well as interaction channels client and server parts with implemented methods for protecting this channel - this entire complex solution is a full-fledged electronic signature tool. That is, with a certain degree of simplification, we can say that CryptoPro myDSS is a large token.

Currently, no one can be surprised by the trend towards “mobility”, abandoning the once traditional “hardware” and other devices for user authentication and electronic signature generation. Many users habitually work from tablets and smartphones, to which it is simply impossible to connect tokens and smart cards. In addition, market participants and users themselves recognized that SMS messages as a means of confirming transactions and documents have become far less secure and prohibitively expensive. For this reason, everyone began to pay attention to cloud signature technologies and secure technologies for accessing the keys of this signature. In this sense, the appearance on the market of the CryptoPro myDSS solution could not have come at a better time. Currently, the CryptoPro company is actively working to certify the solution in the FSB of Russia; a certificate has already been received for the server part of the CryptoPro DSS solution; certification of the entire solution is next in line.

The development of cloud signature technologies and technologies for secure access to electronic signature keys has gone through a rather long process of formation. This was not an easy path, but, as often happens, a path passed through trial and error. The solution developed to date, indeed, allows users to refuse to install crypto-currency on their computer, to refuse to purchase tokens and to be tied to their immediate workplace. Nowadays it is really possible to very simply and conveniently place a qualified electronic signature from your smartphone, gaining access anywhere and at any time. You can already sign any documents with your electronic signature, while maintaining all the security properties, and also, as they say, sign “with all the convenience.”

To sign PDF file, some sometimes have to perform a whole series of operations: first they download the file, then print it, sign it, scan the signed document and send it by e-mail. If you have to sign documents often, then constantly performing so many operations can become quite boring. More experienced users are finding ways to sign a PDF using a computer, but there is also a very easy way to do it using an Android device. To do this, you'll need the app, which costs $3.99, which in our opinion is not a big price to pay for something that will save you time and hassle.
Step 1: Install the SignMyPad application from Android Market.

Step 2: Open the downloaded PDF file using SignMyPad.

If the file is in the mail, then first save it in the memory of your device and then open it using SignMyPad.

Step 3: Click the “Add” button, which is located in the upper right corner, and select “Signature” from the list that opens.

Step 4: Enter the name in the field that appears and click “Done”. Then drag your signature to the appropriate area of ​​the document (scaling the signature can be done using a special ruler).
Step 5: Next, click on the green checkmark to complete the signing process and select the “Menu” button.
Step 6: Save the PDF file. You can save the document under the same name or add a signed note to the title to keep the original.

After all, you use mail from Google, don’t you? Setting up your signature in Gmail on Android will allow you to unobtrusively convey to the recipient the information you need (or not so much) :)

For example, the letter was sent from mobile device. Or that it was written from work. Or it will simply contain your name and something else (the address of your blog or social network page, for example). By the way, if you indicate in your signature that the letter was sent from a mobile phone, your addressee may be more lenient with your typos :) After all, you are much more likely to make mistakes when typing from a phone :)

The Gmail web interface easily allows us to create any signature that will be automatically added to your messages at the very end. What about adding a signature directly to Android?

Fortunately, mobile app Google mail also supports this feature.

Now let's move from theory to practice - let's establish a signature.

We launch the Gmail application on our Android device.

Swipe to the left to bring up the menu. Scroll to the very bottom and find the “Settings” item there. Let's go into it. Here we see a list of your accounts associated with this email application. As I wrote earlier, mail client, including third-party mail (Yandex, Mail.ru, Yahoo, etc.). So, select the account we need and log into it.

In the list that opens, select the “Signature” option. We go there and add the data that we want to see in our messages Email as a signature. You can enter multiple lines by pressing the Enter key to move to the next one.

Popular in the category:
Connecting your smartphone to your TV via USB, HDMI cable or wirelessly
Connecting your smartphone to your TV via USB, HDMI or wireless...
read
The computer turns on immediately after turning off - what should I do?
The computer turns on immediately after turning off - what should I do?
read
How to control a computer without a mouse using a keyboard
How to control a computer without a mouse using a keyboard
read
A simple DIY radio transmitter - making a spy for hardball
A simple DIY radio transmitter - making a spy for hardball
read

Latest Articles
How to register with Odnoklassniki in...
read
How to Solve Simple Integrals
read
We open access to the profile to all users...
read
Fixing microphone problems on Xiaomi
read
Sberbank: how to call the operator - instructions...
read
Connecting the front panel to the motherboard
read
Lenovo K3 Note - Specifications...
read
FPS in CS GO - how to increase FPS in CS:GO if...
read
Top