Cloud electronic signature: pros and cons. The benefits of "cloud" CEP are now available to users

As is well known, the purpose of an electronic signature is to simplify document workflow. Under the 2011 law "On Electronic Signature", an electronic document signed with an ES is equivalent to a paper document bearing a handwritten signature.

A "cloud" electronic signature has all the properties of a regular one, only it is stored not on a flash drive or computer but on the Internet, on a special secure server "in the cloud", says Igor Chepkasov, founder and president of the National Cryptocurrency Development Fund. The signing and encryption of the document also take place there, so such an electronic signature does not require the installation of special software on the computer. The expert notes that one of the advantages of the "cloud" signature is the ability to sign documents (including reports) and send them from anywhere in the world and from any device.

Anton Elikov (Merkat project) notes that an electronic signature "in the cloud" is something many of us use every day without noticing. "The most striking example is the authorization mechanism in mobile and Internet banking, when, after entering a password, you are sent a one-time PIN code via SMS. Such two-level authorization, in essence, can already be an electronic signature," says the expert.

Why an ES is needed. Sergey Kazakov, an information security expert at SKB Kontur, recalls that companies use an ES to submit reports to the tax and other regulatory authorities and to exchange electronic documents. Digital signatures are also widely used in public procurement. "According to our estimates, the total number of electronic signature users in Russia exceeds two million," the expert notes. "The technology of "cloud" electronic signature, which appeared several years ago, makes this tool more accessible for business. This is confirmed by several tens of thousands of SKB Kontur customers who have chosen it," says Mr. Kazakov.


While experts talk about the spread of "cloud" ES, there is one problem: the rules for its use are not spelled out in regulations.

As Aleksey Dashkov, head of information security at System Software, notes, an ES performs the same function as a signature and stamp. "It ensures the authenticity of the document and consists of a private and a public key. The document is signed using the private key, which is usually stored on a special medium, a token. You can purchase the service from a number of companies providing such services; no special requirements apply beyond having a standard set of constituent documents," he says.

"The "cloud" electronic signature is a regular electronic signature with one difference: the private key is stored on the servers of the certification center, and the signing of documents is carried out there. The signer's identity is usually verified by sending an SMS with a code to a mobile phone," explains Mr. Dashkov.

What it costs

Igor Chepkasov said that the cost of an ES depends on its functionality and scope and ranges from 1,000 to 15,000 rubles. "At least, those are the prices I personally encountered when I needed an ES for work. A "cloud" electronic signature in some companies I know costs 3,000 rubles," the expert shares.

The cost of a "cloud" signature varies between operators. You can find an offer for 900 rubles a year. However, do not take advertising promises on trust: study the price list for the "cloud" signature in detail and find out exactly what is included in the price before deciding to buy.

"The cost of a "cloud" electronic signature is usually included in the tariff of the service the client buys. The only SKB Kontur service that sells it separately is the Diadoc electronic document management system, where it costs 900 rubles. By comparison, a regular certificate on a token together with a licence for a cryptographic information protection tool (CIPF) costs 3,000 rubles," says Sergey Kazakov.

How does it work?

The technology is based on a specialized electronic signature server located "in the cloud". "If the user needs, for example, to send a report to the tax office, his accounting system interacts with the electronic signature server and sends it the document to be signed. The electronic signature server is obliged to request permission from the user; this can be done by sending a transaction confirmation code to his mobile phone, as in Internet banking," says Sergey Kazakov. By entering the confirmation code in the accounting system, the user authorizes access to his ES key for that document, and a signature is created. "All electronic signature keys are stored in encrypted form on a specialized device that meets the most stringent security requirements. The operator of the electronic signature server must take all measures to minimize the risk of unauthorized access to the keys," says Mr. Kazakov.

To use a "classic" electronic signature you need to buy a token and specialized software, a cryptographic provider. "This is a significant expense, especially for start-up entrepreneurs. Then this software needs to be installed and configured, and if you are going to use the signature on several workstations, for each one separately. A "cloud" electronic signature does not require buying software or pre-configuration, and it cannot be lost or forgotten," says Mr. Kazakov. Unlike traditional technologies, the "cloud" signature is available to users on any operating system and platform, including mobile devices.

Aleksey Dashkov notes that "cloud" ES are popular with small companies and individual entrepreneurs who actively use services "such as online accounting and online document management." In large organizations that do not use "clouds", the use of such a signature, in his view, may be more expensive and more difficult than the use of a conventional ES.

What are the prospects?

According to Anton Elikov, the entire transport industry in Russia is waiting for "cloud" electronic signatures to spread. "One has only to imagine a forwarding driver setting off on a run not with a bundle of papers but with a tablet, and signing the consignment note with the client right at the place of shipment! But the "cloud" electronic signature could bring the main benefit when the delivery document differs from the volume of products actually shipped (re-sorting, breakage in transit)," he notes. According to Mr. Elikov, in practice such cases sometimes reach 40 percent. "And all these documents now set off on a long journey between the accounting departments of the supplier and the buyer, although the discrepancy could be settled right at the place of shipment, with the change confirmed by a "cloud" signature," the expert concludes.

Igor Chepkasov says that there are already entirely new developments using blockchain technology, namely smart contracts. "Decentralization, the fundamental principle of the technology, provides absolute protection against compromise and unauthorized access to any document and the signature itself, since each such element (signature, document, archive, etc.) sits in a strong chain of numbered blocks protected by the most complex cryptographic code," he says. According to Mr. Chepkasov, it is impossible to make changes to a block already put into circulation; a smart contract is an electronic algorithm that describes a set of conditions whose fulfilment triggers certain events. "Its work is based on the creation and application of so-called low-trust protocols, where the protocol algorithm uses only software, and the human factor is excluded from the decision-making chain as far as possible; a person here acts exclusively as one of the parties to the contract. For example, when sending payments, execution of the contract is impossible without receiving the number of electronic signatures specified in the contract," he notes.

Meanwhile, while experts talk about the spread of "cloud" electronic signatures and the possibilities for developing the technology, one problem remains: today the rules for applying such an ES are not properly spelled out in regulations. But soon, in the third quarter of 2016, Russians will have the legal possibility to use an electronic signature without a physical carrier such as a USB flash drive or a SIM card. Such a norm is contained in the "road maps" of the program for the development of the Internet in Russia, which the Internet Development Institute prepared for the President of the Russian Federation. So we can expect that companies will soon stop being wary of "cloud" technologies and begin to use such an electronic signature more actively.

Electronic reporting appeared in Russia about 10 years ago. Over that period accountants have had many opportunities to evaluate its benefits. Every year the number of companies reporting in electronic form grows rapidly. Today electronic reporting is evidence of a company's effective work and an indicator of an accountant's qualification. But while certifying reports with an electronic signature has become customary for Russian companies, the use of a cloud-based electronic signature is still relatively rare.

Let us compare a "traditional" and a cloud-based electronic signature in several respects: the need for software, the security of data transfer, and cost.

A traditional electronic signature requires installing a special program, and reports can be signed only on the computer where that software is installed. In addition, in Russian practice the electronic signature key often conflicts with the Internet banking key, forcing the company to keep a dedicated computer for sending electronic reports. Traditional electronic signature software, like any software, also requires periodic updates and maintenance costs.

The need to eliminate these shortcomings, together with advances in technology, made it possible to create a cloud-based electronic signature. Unlike a traditional ES, a cloud-based one requires no software or cryptographic tools on the computer. The certification center issues the electronic signature and places it in its certified secure storage (the cloud). Access to this storage is available only to the signature's owner, via an SMS code sent to his mobile phone. Since all the access information for a cloud-based electronic signature is stored on the certification center's cloud server, an accountant can sign and send electronic reports from any computer, tablet, smartphone or even a simple mobile phone with Internet access. Note that in this scheme the phone and the SMS channel are the only factor standing between an outsider and the key, so their security determines the security of the signature. The undoubted advantage of a cloud-based electronic signature is the absence of costs for buying, supporting and updating software. The same technology is used in many Internet banks.

Although a cloud-based electronic signature is still a fairly new concept for Russian accounting, successful implementation experience has already been accumulated. The first on the Russian market to implement a cloud-based electronic signature with one-time SMS passwords was the online accounting service "My Business", together with the certification center "Kaluga Astral". To date, more than 100 thousand accounting reports have been submitted using cloud-based ES.

"In two years of operation, more than a thousand organizations have used the service and appreciated its convenience, accessibility and user-friendliness," says Igor Chernin, director of Kaluga Astral. "The service has made electronic submission of reports more attractive for small enterprises and individual entrepreneurs. The technical solutions in platform development and in the use of "cloud" ES implemented as part of the service formed the basis of many similar products now on the market."

Other market participants have also appreciated the benefits of the cloud. For example, CRYPTO-PRO, a leader in the distribution of cryptographic information protection tools and electronic digital signatures, has created a new hardware and software cryptographic module, "CryptoPro HSM". Although this product is not yet used for reporting, things are moving, and there is hope that in a couple of years it will be possible to forget about the traditional electronic signature wherever there is no absolute need for it.

Ivan Piskunov

The trend of recent years is that many services are moving from traditional desktop installations to the cloud. Electronic signature is no exception. However, the migration of ES to the cloud is still perceived ambiguously by users and experts: among the undoubted advantages of the new cloud solutions, information security questions stand apart. But neither technology nor legislation stands still, and we can soon expect a new round of development of electronic signature involving cloud computing.

Electronic signature as the basis of legally significant electronic document management

An electronic signature (hereinafter ES), in accordance with Federal Law No. 63-FZ of 04/06/2011, is a mandatory legally significant attribute of an electronic document. The law also states that an electronic signature is a full equivalent of a handwritten signature on a paper document. It is therefore logical and quite reasonable to regard electronic document management as a real alternative to traditional paperwork in general and, in particular, to the individual processes of concluding and confirming transactions, agreements, contracts, etc.

According to the above federal law, an ES, as a mandatory element of EDM, is designed to perform three key tasks:

1. Provide unique identification of the signatory;

2. Provide protection against unauthorized changes to the document;

3. Ensure the legal force of the electronic document.

The legal significance of the use of electronic signatures is enshrined in a number of domestic normative documents. Here are some key references:

  • Art. 160, 434, 847 of the Civil Code of the Russian Federation, which regulate the practical use of electronic signatures in document management.
  • Federal Law No. 63-FZ "On Electronic Signature" of 04/06/2011. The main framework law describing the general meaning of the use of electronic signatures in transactions of various kinds and the provision of services.
  • Federal Law No. 149-FZ "On Information, Information Technologies and Information Protection" of July 27, 2006. This document defines the concept of an electronic document and all related notions.
  • Federal Law No. 402-FZ "On Accounting" of 06.12.2011. This act systematizes the requirements for accounting and accounting documents in electronic form.
  • Under paragraph 3 of Article 75 of the Arbitration Procedure Code of the Russian Federation, documents obtained via the Internet and signed with an electronic signature are admissible as written evidence in arbitration disputes.

All of the above means that, using an ES, we can always know who signed the document (and, with a trusted timestamp, when), be sure that no changes were made to the document after signing, and, in case of disagreement between the parties and subsequent litigation, rely on non-repudiation of the fact of the transaction (conclusion of a contract, etc.).

Currently, legislation establishes three types of ES in the Russian Federation:

  • Simple ES;
  • Enhanced unqualified ES;
  • Enhanced qualified ES.

How do they differ, and which kind of ES can and should be used for financial transactions? Let us analyze them (see Figure 1).

1. Simple electronic signature

A simple signature, or, as it is often called, a "login-password" pair, is an electronic signature that, through the use of codes, passwords or other means, confirms that the electronic signature was formed by a certain person.

A classic example is entering your bank card PIN or saying a passphrase (voice tag) in a telephone conversation with the bank's call center: all of this is your simple electronic signature. In other words, the only function of such a signature is confirmation of authorship, i.e. personal identification. A simple ES provides a basic level of protection and authentication; for instance, it is used to access the features of the Unified Portal of Public Services. A simple electronic signature cannot be used at all for signing electronic documents containing state secrets or in state information systems (GIS) that contain such information.

2. An ES is enhanced unqualified if the following conditions are met:

  • it is obtained as a result of cryptographic transformation of information using an electronic signature key;
  • it allows the person who signed the electronic document to be identified;
  • it allows changes made to the electronic document after signing to be detected;
  • it is created using electronic signature tools.

An enhanced unqualified ES makes it possible to determine the author of the signed document and prove that its contents are unchanged. An unqualified electronic signature is built on cryptographic algorithms that protect documents, in Russian practice the GOST standards. Such a signature is quite suitable for internal document management within a company and for sending electronic documents from one company to another. An unqualified electronic signature is also suitable for participation in electronic trading.

3. Finally, an ES is enhanced qualified if it meets all the above features of an unqualified ES plus the following two additional ones:

  • the electronic signature verification key is specified in a qualified certificate;
  • electronic signature tools that have received confirmation of compliance with the requirements established under this Federal Law are used to create and verify the electronic signature.

It is worth noting that the software required to work with a qualified ES (CEP) must be certified by the Federal Security Service (FSB). A qualified electronic signature therefore gives documents full legal force and complies with all requirements for the protection of confidential information. Regulatory authorities such as the Federal Tax Service, the Pension Fund of the Russian Federation and the FSS recognize the legal force only of documents signed with a qualified electronic signature.

Figure 1. Types of electronic signatures

Electronic signature in cloud services

Over the past few years the shift from operating one's own IT infrastructure to using cloud computing has become firmly entrenched in the IT industry. This is, first of all, the replacement of traditional IT systems deployed on each individual company's own hardware with on-demand services, i.e. SaaS, PaaS and IaaS. According to the recent study "Cloud services in the corporate sector, Russia 2017" by SAP and Forrester, cloud technologies in Russia will grow faster than the IT market as a whole: at an average annual rate of 21%, the cloud market will triple compared to 2015. The report states that large businesses are currently most ready to use cloud services: in this segment over 90% of respondents know about cloud services, and in small businesses over 70%. In big business 54.5% of respondents use cloud services from two or more categories at once, in medium business 50%, in small business 43%.

The current situation with the use of cloud ES in Russia

Most recently, in June 2017, it became known that the FSB, together with Rostelecom, was creating an electronic signature that would "blow up and turn the market upside down". The idea is the same: to create an electronic signature that does not require a token (a carrier such as a USB flash drive). Mikhail Bondarenko, director for e-government at Rostelecom, spoke about this. "I have information from colleagues from Lubyanka that a certain solution should be released by the end of the year that will allow trusted digital signatures to be made cloud-based," he said, without giving any details, but contrasting this solution with the electronic signatures on tokens that are common today. "In our opinion, this will blow up and turn upside down the market for trusted authorization and identification," he added. But there is a nuance: in addition to "clouds", it is also planned to use biometrics, i.e. the individual biometric characteristics of each person, as the parameters for his unique authentication.

According to Bondarenko, "it is assumed that Rostelecom will become the operator of this platform and will conduct a two-year pilot with banks, during which biometric identification services will be provided to them free of charge"; he noted that about ten banks, including Sberbank, VTB and Gazprombank, are taking part in the pilot, which has already started.

At the same time, the operator intends to complete the creation of the platform by the end of 2017. In addition, only from January 1, 2018 are amendments to Federal Law 115-FZ expected to come into force allowing the use of biometric identification in the financial sector: for opening and closing accounts, placing and withdrawing deposits, transfers, etc. Thus, according to the top manager, the idea of creating a "national bank for identification and authorization" of Russian residents on the basis of the national biometric platform is already being considered.

Expert comments:

"According to our estimates, the total number of electronic signature users in Russia exceeds two million. The technology of "cloud" electronic signature, which appeared several years ago, makes this tool more accessible for business. This is confirmed by several tens of thousands of SKB Kontur customers who have chosen it," says the expert Kazakov.

"A "cloud" electronic signature has all the properties of a regular one, only it is stored not on a flash drive or computer but on the Internet, on a special secure server "in the cloud"," says Igor Chepkasov, founder and president of the National Cryptocurrency Development Fund. "The signing and encryption of the document also take place there, so such an electronic signature does not require the installation of special software on the computer." Chepkasov notes that one of the key advantages of the "cloud" signature is the ability to sign documents and send them from anywhere in the world and from any device.

Anton Elikov (Merkat project) notes that an electronic signature "in the cloud" is something many of us use every day without noticing. "The most striking example is the authorization mechanism in mobile and Internet banking, when, after entering a password, you are sent a one-time PIN code via SMS. Such two-level authorization, in essence, can already be an electronic signature," says the expert.

Igor Chepkasov talks about the possibilities of using ES in new services, for example those built on blockchain technology, namely smart contracts. "Decentralization, the fundamental principle of the technology, provides absolute protection against compromise and unauthorized access to any document and the signature itself, since each such element (signature, document, archive, etc.) sits in a strong chain of numbered blocks protected by the most complex cryptographic code," he says. So, according to the expert, it is impossible to make changes to a block already put into circulation; a smart contract is an electronic algorithm that describes a set of conditions whose fulfilment triggers certain events. "Its work is based on the creation and application of so-called low-trust protocols, where the protocol algorithm uses only software tools, and the human factor is excluded from the decision-making chain as far as possible; a person here acts exclusively as one of the parties to the contract. For example, when sending payments, execution of the contract is impossible without receiving the number of electronic signatures specified in the contract," he notes.

Currently, electronic signature verification key certificates (SKP) are issued on special media, said Mikhail Evraev, Deputy Head of the Ministry of Telecom and Mass Communications, and the average cost of such a certificate is about 5 thousand rubles. "The cloud electronic signature system will allow a signature to be created without a physical carrier, which will significantly reduce the cost of its use and increase the security of use," the Deputy Minister explained.

The situation was also commented on by Internet Ombudsman Dmitry Marinichev, who is sure that a real revolution will take place in digital signature technology, as happened several years ago with storage media: back in the 90s films were sold on VHS tapes, in the 2000s they appeared on CD, then on DVD, and ten years later they are distributed on flash drives and over the Internet.

Prospects for the use of cloud ES for the banking industry

An electronic signature was conceived as a universal means of confirming the legal validity of transactions and therefore has a wide range of applications, from the public services portal to electronic document exchange between organizations and state regulatory authorities. In banking, an ES is most often used by individuals and legal entities to make financial transactions through remote banking services (RBS). This includes online access to the personal account through web technologies and mobile banking, i.e. account management through a specialized application on smartphones and tablets.

For example, the ES for individuals at the largest federal bank, Sberbank, allows the bank to reduce paper turnover and speed up customer service: when opening a deposit, instead of signing 4 different documents the visitor enters his PIN (the password to the ES) once. This technology provides dual identification of the client, by passport and by a card with a PIN code that only the owner can know, which also helps prevent fraud. According to Sberbank's internal data for 2014, within twelve months of the launch of the service, Moscow residents performed more than three million operations using an electronic signature.

The procedure for obtaining the corresponding ES key from Sberbank of Russia is quite simple: you need to register online on the specialized "Sber Key" website. The bank thus gives any holder of an ES the right to take part in auctions and to file personal applications on the necessary electronic resources.

Another illustrative example of mass use of cloud-based ES is the function in the Sberbank Business Online Internet bank, which has become Sberbank's official tool for electronic signing of bilateral and multilateral agreements between any legal entities and individual entrepreneurs (IE), the so-called inter-corporate EDM. Thanks to this system, the labor cost of processing one document is said to fall from 2-3 minutes to 10-15 seconds. In addition, by eliminating paperwork a company can significantly cut spending on stationery, rental of storage space, consumables for office equipment, etc.

Cloud ES security issues

Despite all the tangible advantages of using ES in the cloud, the concept has not found wide support among information security experts. According to some of them, using ES tools on a mobile phone poses a significant security threat. One does not need to be an expert to see the depressing statistics on the growth of mobile malware that intercepts the user's SMS messages, disguises itself as official mobile banking applications and performs other unauthorized actions without the user's knowledge.

In view of this, the information security of an ES can be guaranteed only in a trusted (isolated) environment in which the user and the technical means are protected from outside interference at the moment of interaction. A mobile phone is hard to call such a trusted environment: the user can install any application at his discretion, and the situation is worse still if the device's operating system is rooted. However, there is a way out, mentioned earlier: the use of a special SIM card with an integrated ES.

When using remote banking services, attackers often carry out a "man in the browser" attack, a special case of the man-in-the-middle attack in which the malware substitutes the details of a legitimate payment: it shows the user the correct data while sending its own, altered details to the bank. With the new security feature this trick no longer works: having received the details, a special applet on the SIM card displays them on the phone screen and requests a PIN code. After visually checking the details, the user enters the PIN of his electronic signature to confirm; the applet signs exactly the details it displayed and sends them back to the gateway, which forwards them to the bank. The point is that what gets signed is what the user saw on the SIM applet's screen, not what the compromised browser rendered, so substituted details are either rejected by the user or arrive at the bank without a valid signature.
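The flow described in the "How does it work?" section above (the accounting system submits the document, the signing server asks the user for a confirmation code over a second channel, and only then creates the signature) and the substitution attack described in this paragraph both come down to one rule: the confirmation must be bound to the exact document the user was shown. Below is a small model of such a signing server that enforces this. It is example code added for this page, not code from SKB Kontur, Aladdin R.D. or any other product mentioned; the SMS gateway is an in-memory outbox, the key is a demonstration-only textbook RSA key (no padding, two Mersenne primes) standing in for the GOST R 34.10 key a real HSM would hold, and the code lifetime, attempt limit, client name and document text are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Demonstration-only RSA parameters: 2^61-1 and 2^89-1 are Mersenne primes.
# A real signing server would hold a GOST R 34.10 key inside an HSM instead.
_P = (1 << 61) - 1
_Q = (1 << 89) - 1
_E = 65537
OTP_TTL_SECONDS = 120   # assumed lifetime of a confirmation code
MAX_ATTEMPTS = 3        # assumed number of wrong codes before the request is dropped


def _digest_int(document: bytes) -> int:
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


class SigningServer:
    def __init__(self):
        self._keys = {}        # user_id -> (n, d, phone): private material, never exported
        self.public_keys = {}  # user_id -> (n, e): what the certificate would carry
        self._pending = {}     # challenge_id -> request bound to one document digest
        self.sms_outbox = []   # (phone, text): in-memory stand-in for the SMS gateway

    def enroll(self, user_id: str, phone: str) -> None:
        n = _P * _Q
        d = pow(_E, -1, (_P - 1) * (_Q - 1))
        self._keys[user_id] = (n, d, phone)
        self.public_keys[user_id] = (n, _E)

    def request_signature(self, user_id: str, document: bytes, summary: str, now=None) -> str:
        """Step 1: the client submits the document; the server sends a code out of band."""
        now = time.time() if now is None else now
        phone = self._keys[user_id][2]
        digest = hashlib.sha256(document).hexdigest()
        otp = f"{secrets.randbelow(10**6):06d}"
        challenge_id = secrets.token_hex(8)
        self._pending[challenge_id] = {"user": user_id, "digest": digest, "otp": otp,
                                       "expires": now + OTP_TTL_SECONDS, "attempts": 0}
        # The SMS names what is being signed so the user can compare it with the screen.
        self.sms_outbox.append((phone, f"Sign '{summary}' (doc {digest[:8]})? Code: {otp}"))
        return challenge_id

    def confirm(self, challenge_id: str, document: bytes, otp: str, now=None) -> int:
        """Step 2: sign only if code, document and time all bind to the same request."""
        now = time.time() if now is None else now
        req = self._pending.get(challenge_id)
        if req is None:
            raise PermissionError("unknown or already used challenge")
        if now > req["expires"]:
            del self._pending[challenge_id]
            raise PermissionError("code expired")
        if hashlib.sha256(document).hexdigest() != req["digest"]:
            del self._pending[challenge_id]   # the user never approved this document
            raise PermissionError("document differs from the one the user was asked to approve")
        if not hmac.compare_digest(otp, req["otp"]):
            req["attempts"] += 1
            if req["attempts"] >= MAX_ATTEMPTS:
                del self._pending[challenge_id]
            raise PermissionError("wrong code")
        del self._pending[challenge_id]       # one code authorises exactly one signature
        n, d, _ = self._keys[req["user"]]
        return pow(_digest_int(document) % n, d, n)


def verify(public_key, document: bytes, signature: int) -> bool:
    """Verification needs only the public key, i.e. what the certificate publishes."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(document) % n


def code_from_sms(text: str) -> str:
    return text.rsplit("Code: ", 1)[1]


def refused(action) -> bool:
    try:
        action()
    except PermissionError:
        return True
    return False


def demo() -> dict:
    """Legitimate signing, then a replayed code and a man-in-the-browser substitution."""
    srv = SigningServer()
    srv.enroll("ooo-romashka", "+7-900-000-00-00")          # constructed sample client
    report = b"VAT return Q3: amount due 120000 RUB"         # constructed sample document
    swapped = b"VAT return Q3: amount due 12 RUB"            # what tampering malware would send
    pub = srv.public_keys["ooo-romashka"]

    cid = srv.request_signature("ooo-romashka", report, "VAT return Q3")
    code = code_from_sms(srv.sms_outbox[-1][1])
    sig = srv.confirm(cid, report, code)
    replay = refused(lambda: srv.confirm(cid, report, code))

    cid2 = srv.request_signature("ooo-romashka", report, "VAT return Q3")
    code2 = code_from_sms(srv.sms_outbox[-1][1])
    tamper = refused(lambda: srv.confirm(cid2, swapped, code2))
    return {"signed_ok": verify(pub, report, sig), "replay_refused": replay,
            "tamper_refused": tamper, "sig_fits_swapped": verify(pub, swapped, sig)}
```

Running demo() shows a legitimate signature verifying with the public key alone, the same code refused on replay, and a request refused when the document presented at confirmation differs from the one the user was asked to approve. The digest check is the server-side counterpart of the SIM applet showing the details before asking for the PIN: the user approves a specific document, and the key is used only for that document.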

Sergey Gruzdev, CEO of Aladdin R.D., a developer of domestic cryptographic protection systems, highlights another use of this technology: "In addition to authentication and signing documents, the developed system can be used to notify a bank client about transactions on his account, which has become especially relevant in the light of the entry into force of Article 9 of 163-FZ "On the National Payment System". Unlike the currently most popular method, SMS notification, in this case banking secrecy is guaranteed (no one will be able to read the notifications, neither by infecting the smartphone with a virus nor even by spoofing the base station), and substitution of messages by intruders is excluded."

Another problem remains: loss or deliberate theft of the phone together with a PIN code saved in its notes or elsewhere in its memory. In this case the attacker will be able at least to spend all the money on the owner's mobile account and, for example, sign documents binding the subscriber, such as paying for purchases on credit at a popular online store. However, these risks are countered in much the same way as with payment and credit cards: the account (card) owner can limit the daily volume and kinds of transactions allowed from this SIM card and can temporarily disable his ES while not using it.

Lately there has been much talk about electronic signature (ES) in the cloud. Mostly the topic is discussed by IT specialists. However, with the development of electronic document management (EDM) services, subject-matter specialists such as accountants, secretaries and auditors have also begun to take an interest in cloud ES.

Let me explain, a cloud-based electronic signature implies that your private ES key is stored on the server of the certification center, and the signing of documents takes place there. This is accompanied by the conclusion of relevant agreements and powers of attorney, and the actual confirmation of the identity of the signatory occurs, as a rule, using SMS authorization.
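
To make the previous paragraph concrete, here is a constructed Python model of the cloud signing flow. It is added example code, not code from the article or from any certification center's software. The private key is generated and held by the signing service and never handed to the user; every signing request must carry a one-time code delivered to the owner's phone. Two variants are compared: a weak one in which the code only proves that someone can read the SMS, and a hardened one in which the code is bound to the hash of the document it was issued for, expires, and can be used once. The ES itself is modelled with HMAC-SHA256 under the server-held key (a stand-in for the real asymmetric key), the SMS channel is an in-memory list, and the user name, documents and timestamps are made up.

```python
"""Constructed model of a cloud signing service authorised by SMS codes.
Added example, not code from the article or from any certification centre.
Assumptions: HMAC-SHA256 under a server-held key stands in for the real
asymmetric ES key; the SMS channel is a list; names, documents and times
are made up."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def doc_hash(document: bytes) -> str:
    return hashlib.sha256(document).hexdigest()


@dataclass
class PendingCode:
    code: str
    doc_digest: Optional[str]   # None in the weak variant: not bound to a document
    expires_at: float
    used: bool = False


@dataclass
class CloudSigningService:
    bind_code_to_document: bool            # False: weak variant, True: hardened
    ttl_seconds: float = 300.0
    keys: Dict[str, bytes] = field(default_factory=dict)            # per-user signing keys
    pending: Dict[str, PendingCode] = field(default_factory=dict)
    sms_outbox: List[Tuple[str, str]] = field(default_factory=list)  # the "SMS channel"

    def enrol(self, user: str) -> None:
        # The key is created here and never leaves the service.
        self.keys[user] = secrets.token_bytes(32)

    def request_code(self, user: str, document: bytes, now: float) -> None:
        code = f"{secrets.randbelow(10**6):06d}"
        digest = doc_hash(document) if self.bind_code_to_document else None
        self.pending[user] = PendingCode(code, digest, now + self.ttl_seconds)
        text = f"Code {code}"
        if digest is not None:
            # Telling the owner what the code is for lets him notice a mismatch.
            text += f" to sign document sha256:{digest[:16]}"
        self.sms_outbox.append((user, text))

    def sign(self, user: str, document: bytes, code: str, now: float) -> Optional[bytes]:
        p = self.pending.get(user)
        if p is None or p.used or now > p.expires_at:
            return None
        if not hmac.compare_digest(p.code, code):
            return None
        if p.doc_digest is not None and p.doc_digest != doc_hash(document):
            return None  # issued for another document: refuse and leave the code unused
        p.used = True    # single use
        return hmac.new(self.keys[user], document, hashlib.sha256).digest()

    def verify(self, user: str, document: bytes, signature: bytes) -> bool:
        expected = hmac.new(self.keys[user], document, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def code_from_sms(text: str) -> str:
    return text.split()[1]


def scenario(bind_code_to_document: bool) -> dict:
    """The owner requests a code for an act of work; an attacker who phished the
    code (e.g. via a fake confirmation page) tries to sign his own document."""
    svc = CloudSigningService(bind_code_to_document=bind_code_to_document)
    svc.enrol("ivanov")
    now = 1_700_000_000.0
    act = b"Act of work performed No. 17, total 240000 RUB"          # constructed
    forged = b"Loan agreement, borrower Ivanov, amount 2400000 RUB"  # constructed
    svc.request_code("ivanov", act, now)
    code = code_from_sms(svc.sms_outbox[-1][1])  # read off the phone by the attacker
    out = {}
    out["forged_signed"] = svc.sign("ivanov", forged, code, now + 5) is not None
    sig = svc.sign("ivanov", act, code, now + 10)   # the owner's own request
    out["legit_signed"] = sig is not None and svc.verify("ivanov", act, sig)
    out["replay_signed"] = svc.sign("ivanov", act, code, now + 20) is not None
    svc.request_code("ivanov", act, now + 100)     # fresh code, submitted too late
    late = code_from_sms(svc.sms_outbox[-1][1])
    out["expired_signed"] = svc.sign("ivanov", act, late, now + 401) is not None
    return out


if __name__ == "__main__":
    for variant in (False, True):
        print("hardened" if variant else "weak    ", scenario(variant))
```

In the weak variant the phished code signs the attacker's document and the owner's own request then fails because the code is spent; in the hardened variant the attacker's request is refused and the owner's goes through, while replayed and expired codes are rejected in both. Binding the code to the document does not fix SMS as a channel, but it limits what a stolen code can be used for.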

Whether an accountant needs a cloud ES depends on how he works. If you are often away from the office or, for example, work for a company that provides accounting services (accounting outsourcing), then a cloud-based ES will let you sign documents from anywhere, and there is no need to install any additional software. However, despite the ease of use, not all companies are ready to take advantage of this.

So that you can decide for yourself whether you need a cloud-based electronic signature, we will consider the pros and cons of using it, and also think about who might really need such a signature. Note that in this article we talk only about the enhanced qualified electronic signature (hereinafter referred to as ECES).

Pros

A cloud electronic signature is cheaper than a regular one. This is mainly because you do not need to buy a cryptographic information protection tool (CIPF) and a token (a USB key carrier holding the key and certificate). As a rule, their purchase raises the price of a certificate by 2-2.5 times.

Convenience and ease of use. To work with a cloud-based electronic signature you need to install neither the ES certificate itself nor special tools for working with it, so you will not waste time figuring out how it all works.

Mobility. Common, free solutions for using a non-cloud electronic signature on mobile devices are not yet available. Because of this, a huge advantage of a cloud-based electronic signature is that you can work with it from any computer, tablet or smartphone with Internet access.

Cons

You do not sign the document yourself. You need to understand that with a cloud-based electronic signature the private part of the key, which is confidential and should belong only to you, resides on the server of the certification center. Of course, this is documented, and the servers themselves are securely protected. But here everything depends on the company's security requirements and on its policy for signing documents. If it is important to you that the owners of the private keys sign documents themselves, a cloud-based electronic signature will not suit you. In this situation it is up to you to decide how much you trust the CA and the servers that store the private keys.

You can use a cloud-based ES only in those services that are integrated with the certification center's software. This, too, follows from the fact that with a cloud ES the private key is stored on the CA server: for a service to sign with such a key, it must be able to send a signing request to the CA server. Clearly there are many services today, and not all of them will be able to integrate with the CA software, so you will be able to use a cloud ES only with certain services. To work with other services you will have to buy another ES certificate, and there is no guarantee that those services will support any cloud-based electronic signature.

So what?

A cloud electronic signature is a convenient, mobile and simple tool, but not the most flexible one. And in terms of security, storing the private key on a well-protected server may well be better than keeping a token in a desk drawer.

Who really needs a cloud electronic signature? First of all, those who often work outside their office: for example, lawyers and auditors who frequently visit clients, or executives and directors for whom it is important to be able to sign documents anywhere. For them a cloud-based electronic signature will become an indispensable assistant.

Much also depends on company policy. If an organization is moving towards cloud technologies, for example for storing documents or using services for internal and external document management, then its electronic signatures will most likely also be cloud-based. Otherwise, accountants, clerks and other employees who usually do not leave their office during work do not need a cloud-based electronic signature. They can obtain an ES private key and certificate in the usual way, on a carrier that can be used in most services for exchange with counterparties and government agencies.

Well, that's not true. For example, Crypto-Pro for iOS has existed for a long time. EDMS solution providers use it. For the same DIRECTUM there is also an EDS based on Crypto-Pro for Android.

Physically, no electronic document is signed by you. The software does it.

More precisely, not on the CA server, but in a specialized hardware server for storing keys that belongs to the electronic signature service, which interacts with the information system (electronic document management).

In this case the user indeed does not need to install anything, but the entire security of using the key then depends not on the user but on how reliably the electronic signature service and the information system authenticate the key owner.

Well, the key can only be used in those information systems that are "connected" to the electronic signature service that stores and applies the owner's key. I.e. the key will be "not fully functional" (for example, it cannot protect connections to servers with cryptography, the operating system, e-mail and files, or provide authorization on the STATE SERVICES portal and in many other places), but will only serve a specific task in a specific system. It's like comparing a bus and a tram; each has its pluses and minuses.

There are solutions, but they are not widespread because of their relative insecurity. Free ones I don't know of. And whether they will appear...

I have a slightly different point of view: what if the primary thing is not the cloud certificate but the cloud service? Yes, a single cloud certificate cannot be used for all services. But the value, in my opinion, is not in the certificate but in the services. And there is nothing wrong with each service using its own cloud key. Unlike "on premise" certificates (on tokens, smart cards, or in the registry of your personal device), you don't have to wear a necklace of tokens or copy certificates into the registry on all your devices. SMS messages will simply arrive from different numbers. Moreover, a cloud certificate is usually cheaper than an on-premise one, and no software (crypto provider) purchase is required. Well, and from a security point of view such a scheme a priori looks more reliable, since when one key is compromised the others can remain working (uncompromised).

There is nothing shameful about it, but the cost is higher than using one full-function key (not a necklace of them) in many systems. In the threat model for using a "cloud ES key", the risk of a security breach in the authentication channel is added. Besides, OTP via SMS is not safe to use everywhere. And psychologically, most people feel more confident keeping their key in their own safe than with a virtual key in virtual storage with a conditionally secure channel for controlling its use.

Of course, this is true as long as signing is initiated from one device and the SMS with the confirmation code arrives on another device. As soon as the mobile client is left alone, such a scheme is no longer a priori more reliable. Only user convenience remains, not reliability.

The user can win, gaining some advantage over competitors who use paper and ink or physical tokens with hardware one-time-password support, thanks to faster response and greater mobility. But he also takes on big risks: the risk of service unavailability, the risk of compromise of the mobile device. The risks are justified when small amounts of money are involved. A deal for a million I would trust to good old paper, signed in silence, without prying eyes, without intermediaries and without haste.

If you need to sign a package of 30 documents and the service does not support batch signing, then you will have to receive 30 SMS messages (or one with 30 confirmation codes) and enter confirmation codes 30 times. That takes time, and the response is no longer faster.

But if each service has its own ES setup, then the integration between them should be very close, and batch signing would be included there. For example, one logical SMS would arrive: "Code 0xs3cr3t for operation #22_1806. Dear Konstantin Vasilyevich. To confirm receipt of incoming documents for the period 06/01/2014-06/18/2014 (20 invoices, 7 acts of work performed and 3 waybills), namely the signing of 30 official documents confirming receipt, enter the specified code".

There are solutions. But as far as I know, CryptoPro for iOS and Android is not distributed for free.

Agreed. In general, that is what was meant. In this respect, using a cloud certificate is not very convenient.

In general, if you need to work with several services, buying several cloud ES can turn out to be even more expensive than buying one qualified certificate, a CIPF and a token.

As for reliability, it is a question of trust in the security of the place where the keys are stored and in the technologies used for signing. I think that while the technology is not yet well proven there will not be much trust. But, you see, using a cloud signature is still quite convenient in some cases. To understand which signature suits a particular case, you need to look at the processes, study the needs, evaluate the pros and cons of both options, and then decide. That is why we try to show both sides of the same coin of cloud ES.

And for which platforms is CryptoPro free?

I think the technology solves little; the only question is trust in the solution provider to whom you entrust your certificate.

Therefore, when such technologies are discussed in the context of intra-corporate use, I also understand that it can "take off". As soon as we talk about entrusting a certificate to a third party, I don't see any chance.

As far as I remember, Crypto-Pro for iOS and Android is not sold to end users. So everything is at the discretion of the application software vendor. If he wants to give it to you for free, he will. If he doesn't, he won't. Or he can give it in addition to the functionality for which you bought the solution.

Is this a guess (as in the original article), or can you back it up with real numbers?

Just like Microsoft, Facebook, Twitter and hundreds of other providers of federated authentication, where each resource chooses which provider to integrate with. Are you suggesting doing the same with certificate storage?

And do I understand correctly that you equate federated authentication, in which no user data except a very limited set transmitted with the authentication token leaves the service perimeter, with an EDS service through which all your signed data will have to pass?

It may not be. A cloud key requires neither a token nor software. A service may, for example, include the cost of issuing a cloud token in the subscription fee and provide cloud certificates "for free". In any case, this is a matter of marketing, not technology.

You can sign a package of 30 documents too. It depends on how the service itself is set up, whether it supports batch signing. And where the key comes from (the cloud or the registry/token) is an orthogonal question. Thank you, you developed this idea further in a comment. This often happens on paper as well: the big boss signs only the register of payments with his own hand, and the payments are then signed by authorized persons.

Right on point! :) Meanwhile, the cloud signature is being used in cloud accounting and reporting.

Misha, it's already working :)

Eugene, I give your comment a standing ovation :)

Misha, let's wait for Evgeny's answer, but I understood it as an example. A new, more convenient and perhaps less secure solution is, thanks to its convenience, accepted by consumers over time, because the resulting comfort outweighs the possible risks. Perhaps until the first disaster. It is possible that consumers will continue to use the solution even after the negative event.

A cloud signature now seems more convenient but a priori less secure. But some users will be seduced by the convenience and judge the security risks acceptable. And they will use the cloud signature.

The cloud signature is already working in the "low-cost" segment. It would be interesting to try it in the "enterprise" segment. Perhaps the words "CryptoPro HSM" or something else will reassure business. We must think, offer and try.

Well then, remove the "mobility" argument from the "pros" section of the article.

Why is it there?

Do I understand correctly that cloud accounting is a service in which records are kept and from which reports are then sent? Why isn't it enough in this case simply to authorize the user on the service? Why an EDS on top of that: to meet the regulator's requirements?

Where exactly? Within one service or the services of one provider? OK, accepted.

Only now I need to get a certificate from each provider? Right?

What exactly is it comfortable for?

I see only one plus: if you use a web service, then organizing a signature from a local client can be problematic.

In my opinion, at the mere mention of CryptoPro (as well as everything related to our strange "Russian qualified signature"), normal business already develops an intolerance.

Yes, that's right, but these can be different services. Not everyone needs accounting and reporting. Many prefer to keep accounting on premise and then submit reports through the service. The CEP is needed to comply with legal requirements.

Yes, it works within the services of one provider. In theory, you could learn to provide a cloud certificate to other providers if that makes economic sense. But the value, in my opinion, is provided precisely by the services and environments where the ES can be used; mere possession of a cloud or regular certificate makes no economic sense.

With a cloud certificate the user does not need to install software on his device, or think about copying certificates to every device, or always carry a key carrier with him. Owning a cloud certificate is less of a hassle, so I wouldn't be so intimidated by getting a bunch of certificates from different providers. And the cost of the necessary software and key carrier (for on-premise certificates) will be noticeably less than the subscription payments, so using a single universal certificate is a matter of convenience rather than economic benefit.

I read about HSM; an interesting thing. Foreign competitors have had similar solutions for a long time. So here CryptoPro is drawing on universal world experience.

I am glad this topic is of interest. I will try to develop the above concept of a cloud service, taking the comments into account. 1. The cloud service as a development of information systems is already a fait accompli, which means software manufacturers are being brought up to this standard. In terms of cost reduction: previously you had to buy 2-3 software products to meet your needs; now it is 1, and 30-40% lower in total cost.

2. What is a digital signature, and who primarily needs it? The ES is your identifier in IT systems, allowing you to say "I am I" in order to make decisions at any level of financial responsibility with a guaranteed level of protection against hacking or misuse. In any case, the appearance of the ES is the evolution of the "live" signature, intended to speed up the company's business processes. I.e. where previously a paper document was processed slowly, now one click is enough to make a decision.

3. Nobody says there are ideal solutions and tools. Indeed, CryptoPro has set everyone's teeth on edge in use. Recently I reinstalled the system for accountants who use 1C, VLSI and 2 bank accounts through the web interface (using CryptoPro); I cursed everything until I had added all the necessary certificates and key carrier support.

Michael, not exactly an equals sign; rather an identity sign, because FA allows you to implement a single-window mechanism for users of different domains, i.e. it acts as the identification guarantor for the authorization participant. The EDS service itself has authorization tools and solves its own specific tasks. A clear example here is the public services website and its satellite services (for example, ROI). The public services website is an FA that guarantees user identification for other services.

Sergey, I absolutely agree with you. A cloud signature can and should act as a single identification service accepted by other participants in business processes. Right now everything is too fragmented, and there are many intermediaries in the way of document movement.

Where does this conclusion come from?

Maybe you just don't know how to use it? Installing certificates is a very trivial task and raises no questions for anyone. Moreover, technologically it is no different from installing certificates with other crypto providers.

Use CONVENIENT applications that work with the CIPF and you will be happy.

What is sold today under the name "cloud signature" cannot in any way perform the functions of an identification service, because it itself depends entirely on authentication. The cloud signature has no identification task; it is needed to move the signature generation process from the workplace to the cloud, and only because the user's workplace is not so safe for working with a CIPF.

What is fragmented? What intermediaries? If you mean the CA, it is needed to produce qualified certificates. If you mean the operator, how do you imagine doing without him? You need an electricity operator, a network access operator, a cloud signature service operator, an information system operator, etc. This is a specialized activity. We do not have subsistence farming.

No matter how I put it :) I fully accept the use of cloud signatures for individual services, fine, even the services of one operator. But for the time being I would hesitate to use it as a single identification service.

Yes, lately one often hears EDF operators compared to sellers of air. I'll probably write a big article about what the operator does besides ensuring legal significance; for now I'll limit myself to theses:

1. Creation of EDs. In the service interface you can, as a rule, create the most common EDs (ESF, TORG-12, acts, etc.).

2. Storage of EDs. I can't speak for all services, but Diadoc keeps your documents until you delete them yourself, even if you no longer pay the subscription fee.

3. A single legal space. Try concluding agreements with all your counterparties if you are, say, a telecom operator or an energy sales company!

4. Transport. OK, will you be able to organize the transport of electronic documents over communication channels and control signing for all your 10,000 counterparties? Oh well...

5. Integration. Let me tell you a little story. One transnational corporation decided to send ESF and TORG-12 through an operator. The trouble was that its ERP could only export PDF, and then in a specially perverted format. The corporation's IT was somewhere in Latin America and was taking development orders for the next year. And that's not counting the red tape of drawing up the TOR and coordinating it across several continents. Who was able to set up the integration quickly? That's right, the operator.

Sergey, so can one summarize that the IT infrastructure failed to ensure the required quality of ED within the existing ERP? Based on what you have said, ED is still in its infancy and cannot fully meet the needs of end users.

Then it turns out that paper manufacturers sell processed pulp.. :) EDF operators provide services that are in demand by the market (although some manage to sell canned Alpine air).

Why so? Electronic document management is not an end in itself; it is a tool. It develops, and the requirements grow with it. Somewhere the requirements are higher; somewhere ED itself shapes the needs. In general, I believe the state of EDI in Russia is more or less adequate to the market's requirements.

Sergey, in drawing such a conclusion I am relying on what you wrote above. After all, you yourself raise the question of the effectiveness of IT tools for implementing ED. Besides, the cloud service, as a service sector, is developing quite dynamically, and the appearance of an electronic signature in it is a matter of time.

