Even in the last century, many enterprises began to massively switch to electronic document management. Everyone got computers with office programs. Documents were often typed in Microsoft Word or other text editors, exported to PDF, sent by e-mail.

It seemed that if the workflow electronic, then we will soon forget about cabinets with paper archives, not a single paper sheet will remain on the desktops. If suddenly a paper document is sent to the organization by regular mail, then the artifact will be immediately scanned and converted to digital form. In reality, it turned out quite the opposite. It turned out that the more the organization uses computers for digital workflow - the more documents it prints. After all, each document must be endorsed. A document without a signature is just a draft or an information note. To get a signature, documents are printed out and then often scanned back, storing the originals in the archive.

Now it’s clear what really electronic   A (paperless) workflow cannot be implemented without digital signatures.

  Today B2B, B2C companies and government organizations are moving to the introduction of digital signatures for their undeniable advantages:

• Paperless workflow. Save time, money and resources.
• Effective business processes. Electronic signing makes each transaction a smoother process.
• Mobile features. Interaction within the organization and with customers is becoming easier.

Gradually developed common standards for electronic document management and digital signature infrastructure. For example, since July 1, 2016, in the EU countries, the eIDAS standard (electronic IDentification, Authentication and trust Services) has been in force for electronic identification, authentication and trust services. In the United States, 21 CFR 11 has been adopted.

The world's largest trusted services for electronic documents - Adobe Trusted List (AATL) and Microsoft Root Trust. Certification Authorities included in this list issue certificate-based digital identifiers and time stamp services that meet regulatory requirements in the world, like the eIDAS standard. Electronic signatures are already supported for the most popular office document formats. In particular, the document is supported by several persons with time stamps.

What is a Digital Signing Service?

For your own DSS service, you need to establish not only the signature workflow and user management. Signature certificates are also required to verify the identity of the author of each document. This includes cryptographic elements such as key management, a FIPS security level 2 or higher key storage system (for example, hardware tokens or HSM), an OCSP or CRL service, and a time stamp service. Combining these components, especially integration with the hardware security module (HSM) directly, whether cloud or on-premises, requires significant efforts from the IT department and the information security department along with good knowledge of cryptography and the availability of necessary resources.

It is important to consider these hidden costs and investments, as well as limitations and overheads, when evaluating digital signature solutions.

Separately, it is worth mentioning that if the DSS service is critical for the organization, then it should work with a high level of uptime and provide greater bandwidth. That is, you need to design your solution with a certain amount of redundancy - with a margin for the future. And it should be assumed that business is characterized by growth. Infrastructure must be scalable.

Cloud services vary in price and functionality. But they all guarantee flexibility, scalability and high availability. Although the services are paid, they save the company from the need to invest in the development of their own solutions, including the purchase of expensive cryptographic equipment.

Who might need a cloud-based digital signature service? In theory, these are any organizations of any size that develop or commission specially designed applications and intend to either integrate digital signatures there or use an already integrated application.

• Document or application solution providers who want to integrate digital signatures or stamps. Another option: to offer their customers as a premium option as guaranteed protection of documents from forgery. A flexible model is supported here: digital signatures can be added as an additional layer or option.
• Companies that want to integrate digital signatures or stamps into their workflow.
• System integrators who implement digital signatures in existing and new workflow systems.

Recently, it has often been a question of electronic signature (ES) in the cloud. This topic is mainly discussed by IT specialists. However, with the development of electronic document management services (EDI), subject specialists — accountants, secretaries, auditors, and others — began to get involved in the topic of cloud-based electronic documents.

A cloud-based electronic signature implies that your private key of the electronic signature is stored on the server of the certification center, and the signing of documents takes place there. This is accompanied by the conclusion of relevant agreements and powers of attorney. And the actual confirmation of the identity of the signatory occurs, as a rule, using authorization by SMS.

The need for a cloud-based EP to be used by an accountant depends on the mode in which it operates.

If you are often out of the office, or, for example, working in a company that provides accounting services (accounting outsourcing), then a cloud-based electronic signature will help you sign documents from anywhere.

You do not need to install any additional software. However, despite the ease of use, not all companies are ready to use this opportunity.

So that you can choose yourself whether you need a cloud-based electronic signature or not, we will consider all the pros and cons of its use. And also think about who such a tool can really come in handy. By the way, in this article we will only talk about enhanced qualified electronic signatures (hereinafter - UKEP).

Cloud based electronic signature is cheaper than usual. This is mainly due to the fact that you do not need to purchase a cryptographic information protection tool (Cryptographic Protection Tool) and a token (a flash drive with a certificate). As a rule, taking into account their acquisition, the price of a certificate takes off 2-2.5 times.

Convenience and ease of use. To work with a cloud-based electronic signature, you do not need to install either the electronic signature certificate itself or special tools for working with it. This means that you will not waste time figuring out how it all works.

Mobility. At the moment, there are no widespread and free solutions for using a non-cloud electronic signature on mobile devices yet. In this regard, a huge plus of cloud-based electronic signature is that you can work with it from any computer, tablet, smartphone, where there is Internet.

Against

Physically, the document is not signed by you. You need to understand that in the case of a cloud-based electronic signature, the private part of the key, which is confidential and should only belong to you, will be located on the server of the certification center. Of course, this will be documented, and the servers themselves are reliably protected. But here it all depends on the company's security requirements and on the policy associated with the signing of documents. If it is important for you that the documents are signed by the owners of the private keys, then a cloud-based electronic signature is not suitable for you. In this situation, it is up to you to decide how much you trust the CA and the servers on which the private keys are stored.

You can use cloud-based ES only in those services with which there is integration of certification center software. This is also due to the fact that in the case of a cloud-based ES, the private key is stored on the CA server. In order for the service you need to be able to use such an ES private key for signing, it needs to be able to send a request for the formation of an electronic signature to the CA server. It is clear that at the moment there are many services and all of them will not be able to provide for integration with the CA software. It turns out that you will have to use a cloud-based EP only with certain services. To work with other services, you will have to buy another ES certificate, and there are no guarantees that these services will support any cloud-based electronic signature.

And what?

Cloud-based electronic signature is a convenient, mobile and simple tool, but not the most flexible. And in terms of reliability, it might be better to store the private key on a secure server than on a token in a desk drawer.

Who really needs an electronic signature?

First of all, those who often work outside their office in the office. For example, lawyers and auditors who often go to clients. Or executives and directors who need to sign documents anywhere. For them, a cloud-based electronic signature will become an indispensable assistant in their work.

Also, a lot depends on company policy. If the organization is moving towards cloud technologies, for example, in terms of storing documents, using services for internal and external document management, then electronic signatures are also likely to be cloudy. Otherwise, accountants, clerks and other employees who usually do not leave their office while working, do not need a cloud-based electronic signature. They can purchase a private key of electronic signature and a certificate of electronic signature in the usual way, on a medium that can be used in most services for exchange with contractors and government agencies.

Cloud technologies continue to transform industry after industry, appearing where their appearance would seem to be the least logical. The process is largely reminiscent of the birth and triumphal procession of computers across a diverse landscape of human activity. Today, few people think about how computers have changed the manufacture of newspapers and magazines, production, agriculture, and especially business in all its manifestations. Now everything is changing in the same way around the cloud, and some areas are already in the second round. For example, accounting.

In 1994, the FAPSI General Directorate of Security developed the first standard for electronic signatures in Russia, but then there was still a very vague time in the country, so only 8 years later, in 2002, when the new standard for cryptographic protection was approved, they really started talking about electronic signatures actually equalizing the Russian concept of "electronic signature" and the international - "digital signature". So the history of this technology in our country, although it has been around for twenty years, is actually used no more than ten.

And b aboutfor most of this decade, technology has worked as follows. On the computers of the organization (as a rule, only in bookkeeping), special software for working with electronic devices was installed, and the USB key contained personalized keys stored in a single copy. I must say that security in this case was provided almost complete. Without capturing the very “flash drive” with the keys - the token - it was impossible to sign documents on behalf of the organization. But there were cons! The token can be stolen, lost, destroyed physically - and then you will have to go through the authorization procedure again in the certification center. And if you need to sign urgent documents? In a word, cloud technologies were already on the threshold to forever change another industry, and today the electronic document management sector can become a locomotive of their development.

We asked industry specialist Anastasia Shchepina, company analyst, to talk about the benefits of introducing EDI. Synerdocs, which believes that the reluctance of a business to switch from paper to electronic documents, from an electronic signature on a medium to a cloud-based electronic signature, in most cases is associated with fears and habits:

“Fears must be dispelled, and the established processes should be replaced with new, more effective ones and new habits will be developed that will allow working and making profit faster. Fears, as a rule, are connected with distrust of servers on which private keys of electronic signatures are stored. In fact, the servers on which the keys are stored are reliably protected. I think this is even more reliable than carrying a token or flash card. Of course, this is a matter of trust, but now cloud technologies are only developing, and certification authorities take this seriously.

Now about habits. A lot of articles have already been written about the advantages of electronic document management, there is no secret. Cloud-based electronic signature adds benefits: it allows you to reduce the cost of acquiring electronic signatures, makes it possible to sign documents at any time and anywhere where there is Internet access. As a result, it turns out that the competitors of a conservative company that are open with new technologies make their business more efficient and gain a competitive advantage. This may make the business begin to switch first to electronic document management using an electronic signature on a medium, and subsequently, possibly, to cloud electronic signatures. ”

How does familiar ES technology look in the cloud? The certification authority creates your electronic signature and places it in its own cloud. In this case, no tokens are needed: authorization is via SMS, through an attached mobile phone. The signature itself is located in the cloud, so you can sign bills and other documents from any device with Internet access: from an office computer, from a personal laptop, from a tablet or even a smartphone. This approach has obvious advantages. According to Synerdocs analyst Anastasia Shchepina, there are two main advantages of a cloud-based electronic signature.

1. Its cost is lower. Acquiring a cloud-based electronic signature is less expensive than buying in a regular mode. This is due to the fact that to work with this signature, you do not need to purchase a medium and a cryptographic information protection tool (hereinafter - CIP). In the case of a cloud-based electronic signature, the CIPF is located only on the server where the private key is stored. All this is formalized by relevant agreements and powers of attorney.

2. Mobility. Now the Internet is almost everywhere, which means that you can sign documents with a cloud electronic signature from any tablet, smartphone, device that supports Internet access. Neither paper nor electronic signature on the medium gives such an opportunity. CIPF for mobile devices are now being developed, of course, but without CIPF on your device, you see, it’s easier to work. In addition, you will not have to install the private key of the cloud-based EP personally or pay the CA employee who will configure everything. It will not be necessary to train users to work with cryptographic information protection certificates and certificates of electronic signature.

But, having a lot of positive qualities, the cloud signature also has negative aspects. Despite the fact that more than 100,000 cloud-based electronic signatures for 2013 have already been issued through popular accounting services, the widespread use of signatures is still in question. Anastasia Shchepina believes that the business has not yet fully decided on the technical component of using cloud-based ES:

If we talk about cloud-based electronic documents in the workflow, it is not yet clear how it will work with several EDI services. Most likely with great difficulties. The private key is stored on the CA server, the EDI service needs to make a request there to generate an electronic signature. At the moment, not all services will be easily integrated with the CA software, you will have to take this into account when switching to a cloud signature. You may have to buy a separate signature for each service.

The second minus is rather from the conceptual field. The essence of an electronic signature implies the replacement of a handwritten one: that is, you personally, with your own hands, sign a document using the confidential part of the key. It should be with you and only you. In the cloud version, the private key is not in your hands - but somewhere there, on the CA server. That is, in fact, you do not sign with your own hands, but through an intermediary. Of course, all this will be documented, and the servers themselves are reliably protected, but not all organizations will approve the security service. If it is important for you that the documents are signed by the owners of private keys, then a cloud-based electronic signature is not suitable for you.

On the whole, the prospects for cloud-based electronic documents and electronic document management in our country are encouraging. The State Duma has already approved an e-government development plan until 2018, which includes a number of measures to promote business. For example, "a decrease in the average number of appeals of representatives of the business community to a state authority for one state service." And although the thesis doesn’t sound very impressive, since the number of calls is planned to be reduced to only two, this is already a definite progress leading us to the European scenario. That is, in such a situation, when you open a business, pay taxes and sign any documents, it will be possible on the Internet, and often from a smartphone.

Send your good work in the knowledge base is simple. Use the form below

Students, graduate students, young scientists who use the knowledge base in their studies and work will be very grateful to you.

Posted on http://allbest.ru

Federal State Budgetary Educational Institution of Higher Education

“Tambov State University named after G.R. Derzhavina

Cloud-based electronic signature: advantages, disadvantages and development paths

Kirillova Vladlena Olegovna

department Specialist

Introduction

Together with active informatization of all spheres of life in modern society, a transition to cloud computing and services is being implemented.

Government services already operate in cloud services due to their high performance for mass use by citizens. cloud signature security login banking

The transfer of workflow to cloud storage is also relevant for small dynamically developing businesses.

In the process of such a transfer, the question arises of the security and advisability of using a cloud signature.

Cloud signature can be actively used in such fields of activity as:

· Internet banking or mobile banking systems, which require the use of a qualified electronic signature;

· Public services portals, electronic reporting systems;

· E-commerce systems;

· Electronic document management systems.

Relevance. An electronic signature in the cloud (cloud-based electronic signature) is a computer system that provides access through the network to the possibilities of creating, verifying electronic signatures and integrating these functions into the business processes of other systems.

A cloud-based electronic signature has all the properties of an electronic signature, it is only stored not on a token or computer, but on the Internet - on a specialized secure server, in the cloud.

Cloud ES implies that your ES private key is stored on the server of the certification center, and the documents are signed in the same place. On the one hand, the fact that the key and signing of documents occurs on the server side reduces the cost of the entire ES system, on the other hand, the key is private and should be stored only by its owner, which creates a lot of questions about the security of this service.

Goals, objectives, materials and methods. The aim of this work is to analyze scientific publications and legislation in the field of electronic signature and its subspecies - cloud electronic signature.

The implementation of this goal is carried out by solving the following tasks:

To conduct an analysis of scientific and educational literature on the topic "Cloud-based electronic signature";

To study various approaches to solving the inalienability of a user's electronic signature key;

To consider in more detail such developments as “Digital Signature Server” and “Hardware Security Module”.

Research Methods:

Analysis of documents, federal laws;

Analysis of the periodical press, educational literature, practical manuals.

Scientific novelty. The novelty of this work lies in the new concept of Cloud Signature for the IT industry of the Russian Federation. A cloud signature has its advantages and disadvantages.

Cloud-based ES is usually cheaper than a conventional ES, this is due to the lack of the need to purchase a cryptographic information protection tool and a token with a certificate.

The simplicity of using a cloud signature is important for people far from information technology: you do not need to install an ES certificate and special means of working with it on your workstation. You can work with cloud-based ES from anywhere in the world, from any device connected to the Internet.

However, there are disadvantages, such as the transfer and storage of the key on the server.

The servers are reliably protected, but the fact of violation of the confidentiality of the key and its alienation from the owner makes the cloud ES unqualified, i.e. not confirmed by a certificate issued by an accredited certification authority.

Orientation of cloud ES to one specific system, i.e. A cloud-based EP service created for one information system is generally not applicable to another. In other words, the user is burdened with the need to have a signature key for each of the systems.

Statement of the main material

Cloud signature in the current sense refers to the category of enhanced unskilled signature. Most of the tasks performed by her correspond to the concept legally enshrined as an enhanced signature. But at the same time, this signature is not certified by the FSB as a regulator responsible for the security of signatures based on cryptographic methods. Currently, the document signing scheme in the cloud will look like this: documents are signed on the DSS (Digital Signature Server) server using keys stored in the HSM (Hardware Security Module). At the same time, user access to HSM is based on the use, as a rule, of non-cryptographic authentication systems, such as:

* Classic one-factor authentication by login and password;

* two-factor authentication with the optional entry of a one-time password delivered to the user via SMS (OTP-via-SMS).

The main problem - user identification - is also retained for a cloud signature. When accessing a cloud service, a person uses a login password. This, of course, is not enough. You need to know exactly who is logged in with this username and password. You can use your fingerprint by sending it over an unencrypted connection to the server. The key factor will remain the “unencrypted connection”, because we do not have the means of cryptographic protection of information.

In this case, one of the main purposes of ES is leveled? reliable cryptographic method for determining the author of an electronic document. Such an approach can only be justified for systems of inter-corporate electronic document management in which a solution based on DSS / HSM is implemented at the level of the corporations participating in them. In this case, outgoing documents in the common system are processed according to the usual rules, and the storage of keys in a secure cloud is implemented for the convenience of employees.

Federal Law dated 06-04-2011 No. 63-ФЗ “On Electronic Signature” stipulates that electronic signature means that have received confirmation of compliance with the requirements of this law, that is, that have passed certification for compliance with the requirements of 63-ФЗ, must be used to create and verify a qualified electronic signature. at the regulator. A simpler verification, control of embedding cryptographic information protection into a specific information system that uses a cloud-based electronic signature, may not be enough.

Currently, information security companies are concerned about increasing the security of user authentication when confirming the signing of a cloud-based electronic document and encrypting data during transmission over the Internet. Crypto-PRO and SafeTech presented a joint development of CryptoPro myDSS based on the CryptoPro DSS software and hardware complex for cloud electronic signature (EP) and PayControl electronic transaction confirmation system.

However, at the moment the solution is being certified by the FSB of Russia, and the signature is qualified only, according to the developers. Kontur.Diadok also offers a qualified enhanced cloud ES with a relatively low cost and authentication via login + password and SMS message with a one-time password. Certificate of the FSB of Russia on the site is not found. Thus, security of use is directly related to access to the user's phone. Today, this risk is gradually reduced, since the installation of primitive password protection on the phone is an increasingly common practice among users.

Conclusion, results, conclusions

Using a cloud signature is one of the steps to develop the latest information technologies, our approach to a convenient digital future. However, there is still work to be done in this area.

Guarantees are required by the state in the form of a certificate of compliance with information security requirements of cloud electronic signature means. It is advisable to develop and implement a standard for the use of cloud electronic signatures.

Bibliographic list

1. Federal law "On electronic signatures" dated 06.04.2011 N 63-ФЗ (latest revision) [Electronic resource]. - Access mode: http://www.consultant.ru/document/cons_doc_LAW_112701/ (accessed: 06/07/2017)

2. Cloud signature: convergence of practice and legislation [Electronic resource]. - Access mode: http://roseu.org/article/32 (accessed: 06/07/2017)

3. CryptoPro myDSS [Electronic resource]. - Access mode: https://www.cryptopro.ru/products/mydss (accessed: 06/07/2017)

4. What is a cloud electronic signature? [Electronic resource]. - Access mode: http://www.diadoc.ru/lp-instruction (date of access: 07/07/2017)

annotation

UDC 004.056.53

Cloud-based electronic signature: advantages, disadvantages and development paths. Kirillova Vladlena Olegovna, specialist of the teaching department. Federal State Budgetary Educational Institution of Higher Education "Tambov State University named after G.R. Derzhavina

The article discusses the problem of using cloud-based electronic signatures in terms of legality and security. Various approaches to the study of the problem are highlighted, examples of Russian developments are given.

Keywords: electronic signature, cloud, security, information technology, cloud technology

Annotation

Cloud electronic signature: advantages, disadvantages and ways of development. Kirillova Vladlena Olegovna, a specialist in the teaching and methodical department. Federal State Budget Educational Institution of Higher Education "Tambov State University named G.R. Derzhavin"

The article discusses the problem of using cloud electronic signature from the point of view of legality and security. Various approaches to the study of the problem are highlighted, examples of Russian developments are given.

Keywords: electronic signature, cloud, security, Information Technology, cloud technologies

Posted on Allbest.ru

Similar documents

The law "On electronic signature". Definition, application technologies and principles of electronic signature formation. Standard cryptographic algorithms. The concept of a signature key certificate and its authentication. Electronic document management systems.

presentation, added 01/19/2014


Purpose of electronic digital signature. Using hash functions. Symmetric and asymmetric design. Types of asymmetric electronic signature algorithms. Create a private key and obtain a certificate. Features of electronic document management.

abstract, added 12/20/2011


The scheme of forming an electronic digital signature, its types, construction methods and functions. Attacks on electronic digital signature and legal regulation in Russia. Tools for working with electronic digital signature, the most famous packages and their advantages.

abstract, added 13.09.2011


General scheme of digital signature. Features of a cryptographic system with a public key, stages of encryption. The main functions of electronic digital signature, its advantages and disadvantages. Key management from EDS. Use of EDS in Russia and other countries.

term paper, added 02/27/2011


Legal regulation of relations in the field of the use of electronic digital signature. The concept and essence of electronic digital signature as an electronic analogue of a handwritten signature, the conditions for its use. Signs and functions of an electronic document.

test, added 09/30/2013


The purpose and use of electronic digital signatures, the history of its occurrence and the main features. Types of electronic signatures in the Russian Federation. The list of electronic signature algorithms. Signature falsification, public and private key management.

term paper, added 12/13/2012


Legal support of electronic digital signature. The law "On electronic digital signature". EDS functioning: public and private keys, signature generation and message sending. Verification (verification) and the scope of EDS.

term paper, added 12/14/2011


Concept, the history of the creation of electronic digital signatures. Its varieties and scope. Using EDS in Russia and in other countries, its algorithms and key management. Ways to fake it. Attack models and their possible results. Social attacks.

abstract, added December 15, 2013


General characteristics of the electronic signature, its features and components, basic principles and advantages of application. The use of electronic digital signatures in Russia and abroad. Legal recognition of its validity. EDS verification key certificate.

term paper added 11/12/2014


Electronic digital signature: concept, components, purpose and advantages of its use. Use of EDS in the world. Legal basis and features of the use of EDS in Ukraine. The function of calculating the signature based on the document and the secret key.

Electronic reporting in Russia appeared about 10 years ago. Over the past period, accountants have had many opportunities to evaluate its advantages. Every year, the number of companies that submit reports electronically increases exponentially. Today, electronic reporting is evidence of the effective work of the company and an indicator of the level of qualification of an accountant. But while certification of reports with an electronic signature has become familiar to Russian companies, the use of cloud-based electronic signature is a relative rarity.

Let's compare the possibilities of using the “traditional” and cloud-based electronic signatures in several ways: the need for software, data transfer security and cost.

A traditional electronic signature requires the installation of a special program. At the same time, it will be possible to certify the reports with an electronic signature only on the computer where the necessary software is installed. In addition, in Russian reality quite often there are situations when the electronic signature key comes into conflict with the key from the Internet bank. In such a situation, the company is forced to use a dedicated computer to send electronic reports. Traditional electronic signature software, like any software, requires periodic updates and maintenance costs.

The need to address these shortcomings and the possibility of high technology have allowed the creation of a cloud-based electronic signature. Unlike traditional ES, cloud - does not require installation of software and cryptography on a computer. The certification authority issues an electronic signature and places it in its certified secure cell (cloud). Access to this cell is available only to the owner of the signature using sms, which comes to the mobile phone. Since all information about access to a cloud-based electronic signature is stored on a cloud server in a certification center, an accountant can sign and send electronic reports from any computer, tablet, smartphone or even from a mobile phone with Internet access. The undoubted advantage of cloud-based electronic signature is the absence of costs for the purchase of software, its support and updating. This technology is also used in many online banks.

Despite the fact that cloud-based electronic signature is still a fairly new concept for Russian accounting, successful experience in introducing new technologies has already been accumulated. The first in the Russian market to introduce a cloud-based electronic signature using one-time passwords via sms Internet accounting “My business”, together with the certification center “Kaluga Astral”. To date, more than 100 thousand accounting reports have already been submitted with the help of a cloud-based electronic signature.

“Over two years of operation, the service was used by more than one thousand organizations that appreciated its convenience, accessibility and user friendliness,” said Igor Chernin, director of Kaluga Astral. “The service has increased the attractiveness of the electronic reporting method for small enterprises and entrepreneurs. Technical solutions in the field of platform development and in the field of using cloud-based ES, which were implemented as part of the service, formed the basis of many similar products currently operating on the market. "

The benefits of the clouds were also appreciated by other market participants. For example, the Crypto-PRO company, which occupies a leading position in the distribution of cryptographic information protection means and electronic digital signatures, has created a new cryptographic software and hardware module “CryptoPro HSM”. Although this service is not yet used for reporting, the movement is already there and there is hope that in a couple of years it will be possible to forget about the traditional electronic signature in those places where there is no absolute need for it.