Encryption Certification (Licensing)
Licensing of information encryption activities, carried out by the FSB of Russia on behalf of the Government of the Russian Federation, began with Decree No. 334 of 1995, which strictly prohibited any cryptography-related activity in the country without licenses and FAPSI certificates. Mandatory certification of encryption tools used on the Internet is not required when the protected information is not a state secret. Certification is required only for tools designed to protect information containing state secrets.
Chronicle
2024: FSB to simplify certification of banking applications
The Federal Security Service (FSB) of Russia is developing a new procedure for certifying banking mobile applications that work with the digital ruble. As it became known on October 24, 2024, banks will be able to place their applications in stores before the full verification of the software by the FSB cryptographic laboratory is completed.
The head of the expert division of the FSB, Alexei Petrov, spoke about the agreement reached on the new certification mechanism. According to him, "a decision was agreed under which, during the initial certification of a tool, the documentation will identify the functions related to cryptography; if those functions change in a new update, full certification will have to be carried out."
"If the update does not affect these functions, then the laboratory considers [the application] within a few days and directly informs the bank that everything is fine and this product can be used," he said.
Stanislav Smyshlyaev, General Director of CryptoPro, explained that in order to work with the digital ruble, banks are obliged to introduce domestic cryptographic protection instead of previously used foreign biometrics.
Igor Bederov, head of the investigation department at T.Hunter and an expert of the NTI SafeNet market, clarified that the laboratory assesses the code, checking for vulnerabilities, foreign integrations and risks of unauthorized access.
The FSB has six classes of certification of cryptographic protection tools. The review process can last several months, making it difficult for banks that need to release app updates weekly or monthly.[1]
2016
"Mandatory certification of encoding (encryption) tools used when transmitting messages over the Internet information and telecommunication network, which are massively used to protect information that does not constitute a state secret, including in subscriber devices and mobile communication base stations, computers, and equipment of the Internet information and telecommunication network, is not required for compliance with information security requirements," the FSB message says.
Decree No. 334 of the Government of the Russian Federation of 1995 prohibited:
- the use of non-certified cryptographic tools by state organizations, as well as the placement of state orders at enterprises using non-certified cryptographic tools
- the use by commercial banks of uncertified crypto-tools in cooperation with the Central Bank of the Russian Federation
- the activities of legal entities and individuals related to the development, production, sale and operation of encryption tools, as well as the provision of any services in the field of information encryption
- import of foreign-made encryption tools into the territory of the Russian Federation without FAPSI permission
In other words, any activity in the field of encryption and any crypto-tools that do not have a certificate of the established form were once and for all outlawed in our country.[2]
Anyone who enjoys downloading free programs such as PGP, TrueCrypt and other encryption software, or who dabbles in programming DES, AES and similar algorithms, should remember that this seemingly harmless pastime of an inquisitive student is in fact equated by our government with activities such as the production of weapons of mass destruction, drugs or, say, carrying out tests to penetrate the website of the Ministry of Defense. Accordingly, this activity carries quite specific criminal liability, at least under Article 171 of the Criminal Code of the Russian Federation.
In order to reconcile such a tough state position on cryptography with harsh reality, amendments and clarifications have been repeatedly made to the legislation on licensing cryptographic activities. At the moment, Decree of the Government of the Russian Federation of April 16, 2012 No. 313 "On licensing activities for the development, production, distribution of encryption (cryptographic) means, information systems and telecommunication systems" is in force....
Crypto tools for which in practice it is not possible to carry out licensing measures are excluded from licensing, including:
- crypto tools used with cell phones and credit cards
- crypto tools used in commercial television and radio equipment
- crypto tools used in ATMs and cash registers
- cryptographic tools implementing symmetric encryption algorithms with a key length of not more than 56 bits
- cryptographic tools implementing asymmetric encryption algorithms with a maximum key length of 122 or 512 bits (depending on the type of algorithm)
- and so on.
Just in case, encryption tools also include information encoding tools, since using the word "coding" instead of "encryption" in technical documentation is a favorite way for domestic software developers and system integrators to bypass licensing restrictions.
Licenses of the FSB of Russia for encryption activities are now issued indefinitely, and not for 5 years as before, and licensing now does not apply to the maintenance of crypto tools performed for their own needs, but the requirements for the qualification of the licensee's personnel have been tightened.
Depending on the type of licensed encryption activity, the licensee's managers and engineering staff (of whom there must be at least 2) are required to have training in the "information security" specialty amounting to 100 to 1000 classroom hours and work experience of 3 to 5 years.
These requirements serve as a stumbling block for many organizations that have decided to legalize their activities in the field of cryptography. Not everyone can afford to send their employees to advanced training courses in the field of information security for a period of a month to six months.
See also
- Communications Compliance Certification (CCC)
- Encryption Certification (Licensing)
- Security Certificates
- Fiber Optic Certification
- Uptime Institute Tier Certification