Menu
homeErrors

Cryptographic means. Cryptographic information protection

The term "cryptography" comes from the ancient Greek words "hidden" and "write". The phrase expresses the main purpose of cryptography - the protection and preservation of the secrets of transmitted information. Information protection can occur in various ways. For example, by limiting physical access to data, hiding the transmission channel, creating physical difficulties in connecting to communication lines, etc.

Purpose of Cryptography

Unlike traditional methods of secret writing, cryptography assumes full accessibility of the transmission channel for attackers and ensures the confidentiality and authenticity of information using encryption algorithms that make the information inaccessible to outsiders. A modern cryptographic information protection system (CIPS) is a software and hardware computer complex that provides information protection according to the following main parameters.

  • Confidentiality- impossibility of reading information by persons who do not have appropriate access rights. The main component of ensuring confidentiality in CIPF is the key, which is a unique alphanumeric combination for user access to a specific CIPF block.
  • Integrity- impossibility of unauthorized changes, such as editing and deleting information. To do this, redundancy is added to the original information in the form of a verification combination, calculated using a cryptographic algorithm and depending on the key. Thus, without knowing the key, adding or changing information becomes impossible.
  • Authentication- confirmation of the authenticity of information and the parties sending and receiving it. Information transmitted over communication channels must be uniquely authenticated by content, time of creation and transmission, source and recipient. It should be remembered that the source of threats can be not only the attacker, but also the parties involved in the exchange of information with insufficient mutual trust. To prevent such situations, CIPF uses a system of time stamps to prevent repeated or reverse sending of information and changing its order.

  • Authorship- confirmation and impossibility of refusing actions performed by the user of the information. The most common method of authentication is the EDS system consists of two algorithms: for creating a signature and for verifying it. When working intensively with ECC, it is recommended to use software certification centers to create and manage signatures. Such centers can be implemented as a CIPF tool that is completely independent of the internal structure. What does this mean for the organization? This means that all transactions are processed by independent certified organizations and falsification of authorship is almost impossible.

Encryption algorithms

Currently, open encryption algorithms using symmetric and asymmetric keys with a length sufficient to provide the required cryptographic complexity predominate among CIPF. The most common algorithms:

  • symmetric keys - Russian R-28147.89, AES, DES, RC4;
  • asymmetric keys - RSA;
  • using hash functions - R-34.11.94, MD4/5/6, SHA-1/2.

Many countries have their own national standards. In the USA, a modified AES algorithm with a key length of 128-256 bits is used, and in the Russian Federation, the electronic signature algorithm R-34.10.2001 and the block cryptographic algorithm R-28147.89 with a 256-bit key. Some elements of national cryptographic systems are prohibited for export outside the country; activities to develop CIPF require licensing.

Hardware cryptographic protection systems

Hardware CIPF are physical devices containing software for encrypting, recording and transmitting information. Encryption devices can be made in the form of personal devices, such as ruToken USB encryptors and IronKey flash drives, expansion cards for personal computers, specialized network switches and routers, on the basis of which it is possible to build fully secure computer networks.

Hardware CIPF is quickly installed and operates at high speed. Disadvantages - high, compared to software and hardware-software CIPF, cost and limited upgrade capabilities.

Also included in the hardware category are CIPF units built into various data recording and transmission devices that require encryption and restriction of access to information. Such devices include automobile tachometers that record vehicle parameters, some types of medical equipment, etc. For full operation of such systems, separate activation of the CIPF module by the supplier’s specialists is required.

Software cryptographic protection systems

Software CIPF is a special software package for encrypting data on storage media (hard and flash drives, memory cards, CD/DVD) and when transmitted over the Internet (emails, files in attachments, secure chats, etc.). There are quite a lot of programs, including free ones, for example, DiskCryptor. Software CIPF also includes secure virtual information exchange networks operating “on top of the Internet” (VPN), an extension of the HTTP Internet protocol with support for HTTPS encryption and SSL - a cryptographic information transfer protocol widely used in IP telephony systems and Internet applications.

Software cryptographic information protection systems are mainly used on the Internet, on home computers and in other areas where the requirements for the functionality and stability of the system are not very high. Or as is the case with the Internet, when you have to create many different secure connections at the same time.

Software and hardware cryptographic protection

Combines the best qualities of hardware and software CIPF systems. This is the most reliable and functional way to create secure systems and data networks. All options for user identification are supported, both hardware (USB drive or smart card) and “traditional” - login and password. Software and hardware CIPFs support all modern encryption algorithms, have a wide range of functions for creating secure document flow based on digital signatures, and all required government certificates. Installation of CIPF is carried out by qualified developer personnel.

Company "CRYPTO-PRO"

One of the leaders of the Russian cryptographic market. The company develops a full range of programs for protecting information using digital signatures based on international and Russian cryptographic algorithms.

The company's programs are used in electronic document management of commercial and government organizations, for filing accounting and tax reports, in various city and budget programs, etc. The company has issued more than 3 million licenses for the CryptoPRO CSP program and 700 licenses for certification centers. Crypto-PRO provides developers with interfaces for embedding cryptographic protection elements into their own and provides a full range of consulting services for the creation of CIPF.

Crypto provider CryptoPro

When developing the Cryptographic Service Providers cryptographic architecture built into the Windows operating system, Cryptographic Service Providers were used. The architecture allows you to connect additional independent modules that implement the required encryption algorithms. With the help of modules working through CryptoAPI functions, cryptographic protection can be implemented by both software and hardware CIPF.

Key carriers

Various types of private keys can be used:

  • smart cards and readers;
  • electronic locks and readers that work with Touch Memory devices;
  • various USB keys and removable USB drives;
  • Windows, Solaris, Linux system registry files.

Cryptoprovider functions

CIPF CryptoPro CSP is fully certified by FAPSI and can be used for:

2. Complete confidentiality, authenticity and integrity of data using encryption and simulation protection in accordance with Russian encryption standards and the TLS protocol.

3. Checking and monitoring the integrity of the program code to prevent unauthorized changes and access.

4. Creation of system protection regulations.

The main tasks of protecting information during its storage, processing and transmission via communication channels and on various media, solved with the help of CIPF, are: 1.

Ensuring the secrecy (confidentiality) of information. 2.

Ensuring information integrity. 3.

Confirmation of the authenticity of information (documents). To solve these problems, it is necessary to implement the following

processes: 1.

Implementation of the actual information protection functions, including:

encryption/decryption; creation/verification of digital signature; creating/checking simulated inserts. 2.

Monitoring the status and managing the functioning of the KZI tools (in the system):

status monitoring: detection and registration of cases of malfunction of KZI tools, attempts of unauthorized access, cases of compromise of keys;

operation management: taking measures in the event of the listed deviations from the normal functioning of the CIS facilities. 3.

Carrying out maintenance of KZI facilities: implementation of key management;

performing procedures related to connecting new network subscribers and/or excluding departing subscribers; elimination of identified shortcomings of CIPF; introduction of new versions of CIPF software;

modernization and replacement of technical means of CIPF with more advanced ones and/or replacement of means whose service life has been exhausted.

Key management is one of the most important functions of cryptographic information protection and consists of the implementation of the following main functions:

key generation: defines a mechanism for generating keys or key pairs with a guarantee of their cryptographic qualities;

key distribution: defines the mechanism by which keys are reliably and securely delivered to subscribers;

key storage: defines a mechanism by which keys are stored securely and reliably for future use;

key recovery: defines the mechanism for restoring one of the keys (replacing it with a new key);

key destruction: defines the mechanism by which obsolete keys are securely destroyed;

key archive: a mechanism by which keys can be securely stored for their further notarized recovery in conflict situations.

In general, in order to implement the listed functions of cryptographic information protection, it is necessary to create a cryptographic information protection system that combines the digital security tools themselves, service personnel, premises, office equipment, various documentation (technical, regulatory and administrative), etc.

As already noted, to obtain guarantees of information security, it is necessary to use certified digital security tools.

Currently, the most widespread issue is the protection of confidential information. To solve this issue, under the auspices of FAPSI, a functionally complete set of tools for cryptographic protection of confidential information has been developed, which allows solving the listed problems of information protection for a wide variety of applications and conditions of use.

This complex is based on the cryptographic cores “Verba” (asymmetric key system) and “Verba-O” (symmetric key system). These crypto cores provide data encryption procedures in accordance with the requirements of GOST 28147-89 "Information processing systems. Cryptographic protection" and digital signatures in accordance with the requirements of GOST R34.10-94 "Information technology. Cryptographic information protection. Procedures for generating and verifying electronic digital signatures based on an asymmetric cryptographic algorithm."

The tools included in the CIPF complex allow you to protect electronic documents and information flows using certified encryption mechanisms and electronic signatures in almost all modern information technologies, including allowing you to: use CIPF in offline mode;

secure information exchange in off-line mode; secure information exchange on-line; protected heterogeneous, i.e. mixed information exchange.

To solve systemic issues of using CIPF, under the leadership of D. A. Starovoitov, the Vityaz technology of complex cryptographic information protection was developed, which provides cryptographic data protection in all parts of the system at once: not only in communication channels and system nodes, but also directly at user workplaces during the process of creating a document, when the document itself is protected.

In addition, within the framework of the general Vityaz technology, a simplified technology that is easily accessible to users for embedding licensed CIPF into various application systems is provided, which makes the range of use of these CIPF very wide.

Below is a description of the means and methods of protection for each of the listed modes.

Using CIPF in offline mode.

When working autonomously with CIPF, the following types of cryptographic information protection can be implemented: creation of a secure document; file protection;

creating a secure file system; creating a protected logical drive. At the user's request, the following types of cryptographic protection of documents (files) can be implemented:

encryption of a document (file), which makes its content inaccessible both when storing the document (file) and when transmitting it via communication channels or by hand;

development of a simulated insert, which ensures control of the integrity of the document (file);

generation of an electronic digital signature, which ensures control of the integrity of the document (file) and authentication of the person who signed the document (file).

As a result, the protected document (file) turns into an encrypted file containing, if necessary, an electronic digital signature. The digital signature, depending on the organization of the information processing process, can be presented as a separate file from the document being signed. This file can then be output to a floppy disk or other medium for delivery by courier, or sent via any available e-mail, for example via the Internet.

Accordingly, upon receipt of an encrypted file by e-mail or on one or another medium, the cryptographic protection steps performed are carried out in the reverse order (decryption, verification of imitations, verification of digital signature).

To carry out autonomous work with CIPF, the following certified tools can be used:

text editor "Lexicon-Verba", implemented on the basis of the CIPF "Verba-O" and CIPF "Verba";

CIPF software package "Autonomous Workplace", implemented on the basis of CIPF "Verba" and "Verba-O" for Windows 95/98/NT;

cryptographic disk driver PTS "DiskGuard".

Secure word processor "Lexicon-Verba".

The Lexikon-Verba system is a full-featured text editor with support for document encryption and electronic digital signatures. To protect documents, it uses the Verba and Verba-O cryptographic systems. What makes this product unique is that text encryption and signing functions are simply included as part of the functionality of a modern text editor. Encrypting and signing a document in this case turns from special processes into simply standard actions when working with a document.

At the same time, the Lexicon-Verba system looks like a regular text editor. Text formatting options include full customization of document fonts and paragraphs; tables and lists; headers, footnotes, sidebars; use of styles and many other functions of a text editor that meets modern requirements. "Lexicon-Verba" allows you to create and edit documents in Lexicon, RTF, MS Word 6/95/97, MS Write formats.

Autonomous workplace.

CIPF "Autonomous Workplace" is implemented on the basis of CIPF "Verba" and "Verba-O" for Windows 95/98/NT and allows the user to perform the following functions interactively:

encryption/decryption of files using keys; encryption/decryption of files using a password; affixing/removing/verifying electronic digital signatures (EDS) under files;

checking encrypted files;

affixing digital signature + encryption (in one action) of files; decryption + removal of digital signature (in one action) under files;

hash file calculation.

CIPF "Autonomous Workplace" is advisable to use for the daily work of employees who need to provide:

transfer of confidential information electronically by express or courier;

sending confidential information over a public network, including the Internet;

protection against unauthorized access to confidential information on employee personal computers.

Cryptography (from the ancient Greek κρυπτος - hidden and γραϕω - I write) is the science of methods for ensuring the confidentiality and authenticity of information.

Cryptography is a set of data transformation methods aimed at making the data useless to an attacker. Such transformations allow us to solve two main issues regarding information security:

  • privacy protection;
  • integrity protection.

The problems of protecting confidentiality and information integrity are closely related, so methods for solving one of them are often applicable to solving the other.

There are various approaches to the classification of methods for cryptographic transformation of information. Based on the type of impact on the original information, methods of cryptographic transformation of information can be divided into four groups:

The sender generates the plaintext of the original message M, which must be transmitted to the rightful recipient over an insecure channel. An eavesdropper monitors the channel with the goal of intercepting and revealing the transmitted message. To prevent an interceptor from learning the contents of a message M, the sender encrypts it using a reversible transform Ek and receives the ciphertext (or cryptogram) C=Ek(M), which is sent to the recipient.

The legitimate recipient by accepting the ciphertext WITH, decrypts it using the inverse transform Dk(C) and receives the original message in plaintext M.

Conversion Ek selected from a family of cryptographic transformations called cryptoalgorithms. The parameter by which a particular transformation is selected is called the cryptographic key TO.

The cryptosystem has different implementation options: a set of instructions, hardware, a set of programs that allow you to encrypt the plaintext and decrypt the ciphertext in various ways, one of which is selected using a specific key TO.

The encryption conversion can be symmetrical And asymmetrical regarding the decryption conversion. This important property defines two classes of cryptosystems:

  • symmetric (single-key) cryptosystems;
  • asymmetric (two-key) cryptosystems (with public key).

Symmetric encryption

Symmetric encryption, often called secret key encryption, is primarily used to ensure data confidentiality. To ensure data confidentiality, users must jointly select a single mathematical algorithm that will be used to encrypt and decrypt data. In addition, they need to select a shared (secret) key to be used with their adopted encryption/decryption algorithm, i.e. the same key is used for both encryption and decryption (the word "symmetric" means the same for both sides).

An example of symmetric encryption is shown in Fig. 2.2.

Today, widely used encryption algorithms include Data Encryption Standard (DES), 3DES (or “triple DES”), and International Data Encryption Algorithm (IDEA). These algorithms encrypt messages in 64-bit blocks. If the message is larger than 64 bits (as it usually is), you need to break it up into blocks of 64 bits each and then somehow combine them together. This merging typically occurs in one of the following four ways:

  • electronic code book (Electronic Code Book, ECB);
  • chains of encrypted blocks (Cipher Block Changing, CBC);
  • x-bit encrypted feedback (Cipher FeedBack, CFB-x);
  • output feedback (Output FeedBack, OFB).

Triple DES (3DES)– a symmetric block cipher created on the basis of the DES algorithm in order to eliminate the main disadvantage of the latter - the small key length (56 bits), which can be cracked by brute force. The speed of 3DES is 3 times lower than that of DES, but the cryptographic strength is much higher. The time required to cryptanalyze 3DES can be much longer than the time required to break DES.

Algorithm AES(Advanced Encryption Standard), also known as Rijndael - a symmetric block encryption algorithm - encrypts messages in blocks of 128 bits, using a key of 128/192/256 bits.

Secret key encryption is often used to maintain data confidentiality and is implemented very effectively using immutable firmware. This method can be used for authentication and maintaining data integrity.

The following problems are associated with the symmetric encryption method:

  • it is necessary to change secret keys frequently, since there is always a risk of their accidental disclosure (compromise);
  • It is quite difficult to ensure the security of secret keys during their generation, distribution and storage.

The term "cryptography" comes from the ancient Greek words "hidden" and "write". The phrase expresses the main purpose of cryptography - the protection and preservation of the secrecy of transmitted information. Information protection can occur in various ways. For example, by limiting physical access to data, hiding the transmission channel, creating physical difficulties in connecting to communication lines, etc.

The purpose of cryptography Unlike traditional methods of secret writing, cryptography assumes full availability of the transmission channel for attackers and ensures the confidentiality and authenticity of information using encryption algorithms that make the information inaccessible to outsiders. A modern cryptographic information protection system (CIPS) is a software and hardware computer complex that provides information protection according to the following basic parameters.

+ Confidentiality– impossibility of reading information by persons who do not have appropriate access rights. The main component of ensuring confidentiality in CIPF is the key, which is a unique alphanumeric combination for user access to a specific CIPF block.

+ Integrity– impossibility of unauthorized changes, such as editing and deleting information. To do this, redundancy is added to the original information in the form of a verification combination, calculated using a cryptographic algorithm and depending on the key. Thus, without knowing the key, adding or changing information becomes impossible.

+ Authentication– confirmation of the authenticity of information and the parties sending and receiving it. Information transmitted over communication channels must be uniquely authenticated by content, time of creation and transmission, source and recipient. It should be remembered that the source of threats can be not only the attacker, but also the parties involved in the exchange of information with insufficient mutual trust. To prevent such situations, CIPF uses a system of time stamps to prevent repeated or reverse sending of information and changing its order.

+ Authorship– confirmation and impossibility of refusing actions performed by the user of the information. The most common method of authentication is an electronic digital signature (EDS). The digital signature system consists of two algorithms: for creating a signature and for verifying it. When working intensively with ECC, it is recommended to use software certification centers to create and manage signatures. Such centers can be implemented as a CIPF tool that is completely independent of the internal structure. What does this mean for the organization? This means that all transactions with electronic signatures are processed by independent certified organizations and forgery of authorship is almost impossible.

Currently, open encryption algorithms using symmetric and asymmetric keys with a length sufficient to provide the required cryptographic complexity predominate among CIPF. The most common algorithms:

symmetric keys – Russian R-28147.89, AES, DES, RC4;
asymmetric keys – RSA;
using hash functions - R-34.11.94, MD4/5/6, SHA-1/2. 80

Many countries have their own national standards for encryption algorithms. In the USA, a modified AES algorithm with a key length of 128-256 bits is used, and in the Russian Federation, the electronic signature algorithm R-34.10.2001 and the block cryptographic algorithm R-28147.89 with a 256-bit key. Some elements of national cryptographic systems are prohibited for export outside the country; activities to develop CIPF require licensing.

Hardware cryptographic protection systems

Hardware CIPF are physical devices containing software for encrypting, recording and transmitting information. Encryption devices can be made in the form of personal devices, such as ruToken USB encryptors and IronKey flash drives, expansion cards for personal computers, specialized network switches and routers, on the basis of which it is possible to build fully secure computer networks.

Hardware CIPF is quickly installed and operates at high speed. Disadvantages: high, compared to software and hardware-software CIPFs, cost and limited upgrade capabilities. Also included in the hardware category are CIPF units built into various data recording and transmission devices that require encryption and restriction of access to information. Such devices include automobile tachometers that record vehicle parameters, some types of medical equipment, etc. For full operation of such systems, separate activation of the CIPF module by the supplier’s specialists is required.

Software cryptographic protection systems

Software CIPF is a special software package for encrypting data on storage media (hard and flash drives, memory cards, CD/DVD) and when transmitted over the Internet (emails, files in attachments, secure chats, etc.). There are quite a lot of programs, including free ones, for example, DiskCryptor. Software CIPF also includes secure virtual information exchange networks operating “on top of the Internet” (VPN), an extension of the HTTP Internet protocol with support for HTTPS encryption and SSL – a cryptographic information transfer protocol widely used in IP telephony systems and Internet applications.
Software cryptographic information protection systems are mainly used on the Internet, on home computers and in other areas where the requirements for the functionality and stability of the system are not very high. Or as is the case with the Internet, when you have to create many different secure connections at the same time.

Software and hardware cryptographic protection

Combines the best qualities of hardware and software CIPF systems. This is the most reliable and functional way to create secure systems and data networks. All options for user identification are supported, both hardware (USB drive or smart card) and “traditional” - login and password. Software and hardware CIPFs support all modern encryption algorithms, have a wide range of functions for creating secure document flow based on digital signatures, and all required government certificates. Installation of CIPF is carried out by qualified developer personnel.

Post Views: 294

Cryptographic methods of information protection

Cryptographic transformation is a transformation of information based on a certain algorithm that depends on a variable parameter (usually called a secret key), and has the property that it is impossible to restore the original information from the transformed one, without knowing the valid key, with a complexity less than a predetermined one.

The main advantage of cryptographic methods is that they provide high guaranteed security strength, which can be calculated and expressed in numerical form (the average number of operations or the time required to disclose encrypted information or calculate keys).

The main disadvantages of cryptographic methods include:

Significant expenditure of resources (time, processor performance) to perform cryptographic transformations of information;
. difficulties in sharing encrypted (signed) information related to key management (generation, distribution, etc.);
. high requirements for the safety of private keys and protection of public keys from substitution.

Cryptography is divided into two classes: symmetric key cryptography and public key cryptography.

Symmetric key cryptography
In symmetric key cryptography (classical cryptography), subscribers use the same (shared) key (secret element) to both encrypt and decrypt data.

The following advantages of symmetric key cryptography should be highlighted:
. relatively high performance of algorithms;
. high cryptographic strength of algorithms per unit key length.

The disadvantages of symmetric key cryptography include:
. the need to use a complex key distribution mechanism;
. technological difficulties in ensuring non-repudiation.

Public key cryptography

To solve the problems of key distribution and digital signature, the ideas of asymmetry of transformations and open distribution of Diffie and Hellman keys were used. As a result, public key cryptography was created, which uses not one secret, but a pair of keys: an open (public) key and a secret (private, individual) key, known only to one interacting party. Unlike a private key, which must be kept secret, a public key can be distributed publicly. Figure 1 shows two properties of public key systems that allow the generation of encrypted and authenticated messages.

Two Important Properties of Public Key Cryptography

Figure 1 Two properties of public key cryptography


The data encryption scheme using a public key is shown in Figure 6 and consists of two stages. In the first of them, public keys are exchanged over an unclassified channel. At the same time, it is necessary to ensure the authenticity of the transfer of key information. At the second stage, message encryption is actually implemented, in which the sender encrypts the message with the recipient's public key.

An encrypted file can only be read by the owner of the secret key, i.e. recipient. The decryption scheme implemented by the message recipient uses the recipient's secret key to do this.

Encryption




Figure 2 Encryption scheme in public key cryptography.


The implementation of the digital signature scheme is associated with the calculation of a hash function (digest) of data, which is a unique number obtained from the original data by compressing it (convolution) using a complex but well-known algorithm. The hash function is a one-way function, i.e. It is impossible to reconstruct the original data from the hash value. The hash function is sensitive to all kinds of data corruption. In addition, it is very difficult to find two sets of data that have the same hash value.

Formation of digital signature with hashing
The scheme for generating an ED signature by its sender includes calculating the ED hash function and encrypting this value using the sender’s secret key. The result of encryption is the digital signature value of the ED (ED requisites), which is sent along with the ED itself to the recipient. In this case, the message recipient must first be given the public key of the message sender.




Figure 3 Digital signature scheme in public key cryptography.


The electronic digital signature verification (verification) scheme carried out by the message recipient consists of the following stages. At the first of them, the digital signature block is decrypted using the sender’s public key. Then the ED hash function is calculated. The calculation result is compared with the result of decrypting the digital signature block. If there is a match, a decision is made on the compliance of the EDS with the ED. The discrepancy between the decryption result and the result of calculating the ED hash function can be explained by the following reasons:

During the transmission process over the communication channel, the integrity of the electronic document was lost;
. when generating the digital signature, the wrong (fake) secret key was used;
. When checking the digital signature, the wrong public key was used (during transmission over a communication channel or during its further storage, the public key was modified or replaced).

Implementing public key cryptographic algorithms (compared to symmetric algorithms) requires more CPU time. Therefore, public key cryptography is usually used to solve problems of key distribution and digital signature, and symmetric cryptography is used for encryption. A widely known combination encryption scheme combines the high security of public key cryptosystems with the advantages of the high speed of symmetric cryptosystems. In this scheme, a randomly generated symmetric (session) key is used for encryption, which, in turn, is encrypted using an open cryptosystem for its secret transmission over the channel at the beginning of the communication session.

Combined method

Figure 4 Combined encryption scheme.


Public key trust and digital certificates
The central issue of the public key distribution scheme is the issue of trust in the received public key of the partner, which can be modified or replaced during transmission or storage.

For a wide class of practical systems (electronic document management systems, Client-Bank systems, interbank electronic settlement systems), in which a personal meeting of partners is possible before the exchange of electronic documents, this problem has a relatively simple solution - mutual certification of public keys.

This procedure consists in the fact that each party, during a personal meeting, certifies with an authorized person’s signature and seal a paper document - a printout of the contents of the other party’s public key. This paper certificate is, firstly, the party’s obligation to use this key to verify the signature on incoming messages, and, secondly, it ensures the legal significance of the interaction. Indeed, the paper certificates discussed make it possible to unambiguously identify a fraudster among two partners if one of them wants to change the keys.

Thus, in order to implement legally significant electronic interaction between two parties, it is necessary to conclude an agreement providing for the exchange of certificates. A certificate is a document that links the owner’s personal data and his public key. In paper form, it must contain handwritten signatures of authorized persons and seals.

In systems where there is no possibility of preliminary personal contact between partners, it is necessary to use digital certificates issued and certified by the digital signature of a trusted intermediary - a certification or certification center.

Customer interaction with the Certification Center
At the preliminary stage, each of the partners personally visits the Certification Center (CA) and receives a personal certificate - a kind of electronic analogue of a civil passport.

Figure 5 x.509 certificate.


After visiting the CA, each partner becomes the owner of the CA's public key. The CA public key allows its owner to verify the authenticity of the partner's public key by verifying the authenticity of the digital signature of the certification authority under the partner's public key certificate.

In accordance with the Law “On EDS”, the digital certificate contains the following information:

Name and details of the key certification center (central certification authority, certification center);
. Evidence that the certificate was issued in Ukraine;
. Unique registration number of the key certificate;
. Basic data (details) of the subscriber - the owner of the private (public) key;
. Start and end date and time of the certificate;
. Public key;
. The name of the cryptographic algorithm used by the owner of the public key;
. Information about restrictions on the use of signatures;
. A strengthened key certificate, in addition to the mandatory data contained in the key certificate, must have the attribute of a strengthened certificate;
. Other data can be entered into the enhanced key certificate at the request of its owner.

This digital certificate is signed with the CA's private key, so anyone with the CA's public key can verify its authenticity. Thus, the use of a digital certificate assumes the following scheme for electronic interaction between partners. One of the partners sends the other its own certificate received from the CA and a message signed with a digital signature. The message recipient performs peer certificate authentication, which includes:

Checking the credibility of the certificate issuer and its validity period;
. verification of the issuer's digital signature under the certificate;
. certificate revocation check.


If the partner’s certificate has not lost its validity, and the digital signature is used in relationships in which it has legal significance, the partner’s public key is extracted from the certificate. Based on this public key, the partner’s digital signature under the electronic document (ED) can be verified.
It is important to note that in accordance with the Law “On EDS”, confirmation of the authenticity of the EDS in the ED is a positive result of verification by the appropriate certified EDS tool using a signature key certificate.

The CA, ensuring the security of interaction between partners, performs the following functions:

Registers digital signature keys;
. creates, at the request of users, private and public digital signature keys;
. suspends and renews signature key certificates, as well as revokes them;
. maintains a register of signature key certificates, ensures that the register is up to date and that users have free access to the register;
. issues signature key certificates on paper and in the form of electronic documents with information about their validity;
. carries out, upon requests from users, confirmation of the authenticity (validity) of the signature in the digital signature in relation to the digital signature registered by him.


The CA creates conditions for the safe storage of secret keys on expensive and well-protected equipment, as well as conditions for administering access to secret keys.

Registration of each digital signature is carried out on the basis of an application containing the information necessary for the issuance of a certificate, as well as the information necessary to identify the digital signature holder and transmit messages to him. The application is signed with the handwritten signature of the owner of the digital signature, the information contained in it is confirmed by the presentation of the relevant documents. During registration, the uniqueness of public digital signature keys is checked in the registry and archive of the CA.

When registering with the CA, two copies of the signature key certificate are issued on paper, which are certified by the handwritten signatures of the holder of the digital signature and the authorized person of the certification center (CA) and the seal of the certification center. One copy is issued to the owner of the digital signature, the second remains in the CA.

In real systems, each peer may use multiple certificates issued by different CAs. Different CAs can be united by a public key infrastructure or PKI (Public Key Infrastructure). The CA within the PKI provides not only the storage of certificates, but also their management (issuance, revocation, trust verification). The most common PKI model is hierarchical. The fundamental advantage of this model is that certificate verification requires trusting only a relatively small number of root CAs. At the same time, this model allows you to have a different number of CAs issuing certificates.