2024/12/25 18:18:05

Encryption Certification (Licensing)

Licensing of activities in the field of information encryption, carried out by the FSB of Russia on behalf of the Government of the Russian Federation, began with Decree No. 334 in 1995, which strictly prohibited any activity related to cryptography in the country without licenses and certificates. Mandatory FSTEC certification of encryption tools used on the Internet is not required if the information protected does not constitute a state secret. Certification is required only for tools designed to protect information containing state secrets.


Chronicle

2024

FSB plans to expand data protection requirements in state IT systems and their list

In mid-December, the FSB of Russia published a draft order[1] entitled "Requirements for the protection of information contained in state information systems and other information systems of state bodies, state unitary enterprises and state institutions, using encryption (cryptographic) means." Public discussion of the order is expected to last until December 27. The document under discussion will replace a similar FSB order, No. 524 of October 2022, whose title refers only to state information systems (GosIS).

"In addition to GosIS, other information systems of state bodies, state unitary enterprises and state institutions are now subject to the order," Anatoly Romashev, director of the design department of Informzaschita, explained to TAdviser. "In August 2024, federal law No. 216-FZ 'On Amendments to Federal Law No. 149-FZ and Certain Legislative Acts of the Russian Federation' was adopted, in which the list of information systems was already expanded. Therefore, the FSB is changing its order so that it complies with federal law, as stated in the explanatory note to the draft order."

In addition, the document states that information contained in GosIS and in other information systems of state bodies, state unitary enterprises and state institutions is subject to protection using encryption (cryptographic) information protection means (CIPF).

Georgy Gabolaev, founder and CEO of Group-A, indicates that new types of information systems may fall under the requirements of the updated order:

  • Critical information infrastructure management systems, including energy and transport;
  • Computing centers that support socially significant services, such as health care and education;
  • Local information systems of authorities using cloud technologies;
  • Municipal level information systems;
  • Data centers of private contractors providing development and support services for GosIS.

In these systems, the FSB requirements for CIPF will have to be met if:

  • legislative and other normative legal acts of the Russian Federation provide for an obligation to protect the information contained in the relevant information system using CIPF;
  • information is transmitted to the information system via communication channels that pass beyond the perimeter of the protected territory of the enterprise (institution), the enclosing structures of the protected building, the protected part of the building, or the allocated room;
  • electronic documents signed with an electronic signature must be recognized as equivalent to hard-copy documents signed by hand;
  • the information system stores data on information carriers intended for recording, storing and reproducing information processed using computer equipment, where unauthorized access by third parties cannot be ruled out by non-cryptographic methods and means.

The draft order introduces classes of cryptographic protection, each with its own set of requirements. The CIPF class to be used to protect the information contained in an information system is determined by the level of significance of the information processed in the system and by the scale of the system itself. The level of significance of the information is in turn determined by the degree of possible damage to the information holder or operator. Naturally, all CIPF used for protection must be certified by the FSB for the corresponding class of requirements.

FSB requirements for GosIS will be extended to ISDS, CII and state secrets

Also, according to Georgy Gabolaev, the order expands the categories of data that must be protected using CIPF. In particular, we are talking about adding data categories such as:

  • Personal data of high sensitivity level;
  • Data containing state secrets;
  • Information related to critical information infrastructure.

However, the requirements for their cryptographic protection are contained in the relevant federal laws No. 187-FZ for critical information infrastructure or No. 152-FZ for personal data.

In addition, Georgy Gabolaev points out that the draft introduces new criteria for classifying information systems, which allow the level of protection required for a particular system to be determined more precisely. Requirements for information system audit procedures have also been tightened, including regular monitoring of CIPF use, and responsibility for implementing mechanisms to monitor unauthorized access attempts has been strengthened. The expert also notes that the authors of the document intend convergence with international information protection standards, which would facilitate the integration of Russian GosIS into global systems should international cooperation be necessary.

Expanding the list of requirements and extending them to new organizations may increase the demand of Russian companies and departments for appropriate cryptographic protection tools. The question arises: will Russian developers cope with the influx of new buyers?

"In recent years, CIPF manufacturers have become accustomed to increased demand for their products, so a further increase, caused by the demand of information system operators who fall under the FSB order, should come as neither a surprise nor an insurmountable difficulty for them," Anatoly Romashev told TAdviser. "Moreover, many information systems probably already use domestic solutions, since in the public sector the process of import substitution is faster than in other organizations. Therefore, the growth in demand will not be such that satisfying it becomes a difficulty for vendors."

FSB will simplify certification of banking applications

The Federal Security Service of Russia is developing a new procedure for certifying banking mobile applications for working with the digital ruble. As became known on October 24, 2024, banks will be able to place their applications in app stores before full verification of the software by the FSB cryptographic laboratory is completed.

The head of the expert division of the FSB, Alexei Petrov, spoke about the coordination of the new certification mechanism. According to him, "a decision was agreed on which, during the initial certification of the means, the documentation will identify functions related to cryptography, in the event of a change in which, with a new update, it will be necessary to carry out full certification."

FSB will facilitate the process of certification of banking applications

"If the update does not affect these functions, then the laboratory considers [the application] within a few days and directly informs the bank that everything is fine and this product can be used," he said.

Stanislav Smyshlyaev, General Director of Cryptopro, explained that in order to work with a digital ruble, banks are obliged to introduce domestic cryptographic protection instead of previously used foreign biometrics.

Igor Bederov, head of the investigation department at T.Hunter and NTI SafeNet market expert, clarified that the laboratory assesses the code, checking for vulnerabilities, foreign integrations and risks of unauthorized access.

The FSB has six certification classes for cryptographic protection tools. The review process can last several months, which is difficult for banks that need to release application updates weekly or monthly.[2]

2016

"Mandatory certification of coding (encryption) means that are used massively to protect information not constituting a state secret when transmitting messages in the Internet information and telecommunication network, including in subscriber devices, mobile communication base stations, computers and equipment of the Internet information and telecommunication network, is not required for compliance with information security requirements," the FSB message says.

Decree No. 334 of the Government of the Russian Federation of 1995 prohibited:

  • the use of non-certified cryptographic tools by state organizations, as well as the placement of state orders at enterprises using non-certified cryptographic tools
  • the use by commercial banks of uncertified crypto-tools in cooperation with the Central Bank of the Russian Federation
  • the activities of legal entities and individuals related to the development, production, sale and operation of encryption tools, as well as the provision of any services in the field of information encryption
  • import of foreign-made encryption tools into the territory of the Russian Federation without FAPSI permission

In other words, any activity in the field of encryption, and any crypto-tools without a certificate of the established form, were once and for all outlawed in our country.[3]

Those who enjoy downloading free programs such as PGP, TrueCrypt and other encryption software, or who dabble in programming DES, AES and the like, should remember that this seemingly harmless pastime of an inquisitive student is in fact equated by our government with activities such as the production of weapons of mass destruction or drugs, or, say, attempts to penetrate the website of the Ministry of Defense. Accordingly, this activity carries quite specific criminal liability, at least under Article 171 of the Criminal Code of the Russian Federation.

To reconcile such a tough state position on cryptography with harsh reality, the legislation on licensing cryptographic activities has repeatedly been amended and clarified. At present, Decree of the Government of the Russian Federation of April 16, 2012 No. 313 "On licensing activities for the development, production, distribution of encryption (cryptographic) means, information systems and telecommunication systems" is in force....

Crypto tools for which licensing measures cannot be carried out in practice are excluded from licensing, including:

  • crypto tools used with cell phones and credit cards
  • crypto tools used in commercial television and radio equipment
  • crypto tools used in ATMs and cash registers
  • cryptographic tools implementing symmetric encryption algorithms with a key length of not more than 56 bits
  • cryptographic tools implementing asymmetric encryption algorithms with a maximum key length of 122 or 512 bits (depending on the type of algorithm)
  • and so on.

Just in case, information encoding tools are also classified as encryption tools, since using the word "coding" instead of "encryption" in technical documentation is a favorite way for domestic software developers and system integrators to bypass licensing restrictions.

FSB of Russia licenses for encryption activities are now issued indefinitely rather than for 5 years as before, and licensing no longer applies to the maintenance of crypto tools performed for one's own needs; however, the requirements for the qualifications of the licensee's personnel have been tightened.

Depending on the type of licensed encryption activity, the licensee's managers and engineering staff (of whom there must be at least 2) are required to have training in the "information security" specialty amounting to 100 to 1000 classroom hours and work experience of 3 to 5 years.

These requirements serve as a stumbling block for many organizations that have decided to legalize their activities in the field of cryptography. Not everyone can afford to send their employees to advanced training courses in the field of information security for a period of a month to six months.
