EDS - what is it? Electronic digital signature: instructions for beginners. What is an electronic signature - in simple language for beginners in the world of the digital economy

Algorithms), real time clock. Hardware dongles can come in a variety of form factors, but most often they connect to a computer via USB. Also found with LPT or PCMCIA interfaces.

Operating principle of electronic keys. The key is attached to a specific computer interface. Next, the protected program sends it information through a special driver, which is processed in accordance with a given algorithm and returned back. If the key's answer is correct, then the program continues its work. Otherwise, it may perform actions specified by the developers, for example, switching to demo mode, blocking access to certain functions.

There are special keys that can license a protected application over the network, that is, limit the number of copies of the program running on the network. In this case, one key is enough for the entire local network. The key is installed on any workstation or server on the network, and protected applications access it over the local network. The advantage is that users do not need to carry an electronic key with them to work with the application within the local network.

History

Protecting software from unlicensed use increases the developer's profit. Today, there are several approaches to solving this problem. The vast majority of software creators use various software modules that control user access using activation keys, serial numbers, etc. Such protection is a cheap solution and cannot claim to be reliable. The Internet is replete with programs that allow you to illegally generate an activation key (key generators) or block a request for a serial number/activation key (patches, cracks). In addition, one should not neglect the fact that the legal user himself can make his serial number public.

These obvious shortcomings led to the creation of hardware-based software protection in the form of an electronic key. It is known that the first electronic keys (that is, hardware devices to protect software from illegal copying) appeared in the early 1980s, but, for obvious reasons, primacy in the idea and direct creation of the device is very difficult to establish.

Software protection using an electronic key

Software Development Kit

Dongles are classified as hardware methods of software protection, but modern electronic dongles are often defined as multi-platform hardware and software tool systems for software protection. The reason is that, in addition to the key itself, companies that produce electronic keys provide an SDK (Software Development Kit). The SDK includes everything needed to start using this technology in your own software products: development tools, complete technical documentation, support for various operating systems, detailed examples, code snippets, and tools for automatic protection. The SDK may also include demo keys for building test projects.

Protection technology

The technology for protecting against unauthorized use of software is based on implementing requests from an executable file or dynamic library to a key, followed by receiving and, if provided, analyzing the response. Here are some typical queries:

  • checking whether the key is connected;
  • reading data the program needs from the key as a startup parameter (used mainly when searching for a suitable key, not for protection);
  • a request to decrypt data or executable code needed for the program's operation that was encrypted when the program was protected (this allows a "comparison with the reference"; in the case of code encryption, executing undecrypted code leads to an error);
  • a request to decrypt data previously encrypted by the program itself (this allows a different request to be sent to the key each time and thereby protects against emulation of the API libraries or of the key itself);
  • checking the integrity of the executable code by comparing its current checksum with the original checksum read from the key (for example, by having the key's algorithm produce a digital signature over the code or other transmitted data and verifying that signature inside the application; because the digital signature is different every time, a property of the cryptographic algorithm, this also helps protect against API/key emulation);
  • a request to the real-time clock built into the key (if present; this can happen automatically if the running time of the key's hardware algorithms is limited by its internal timer);
  • etc.

It is worth noting that some modern keys (Guardant Code from the Aktiv Company, LOCK from Astroma Ltd., Rockey6 Smart from Feitian, Senselock from Seculab) allow the developer to load his own algorithms, or even separate parts of the application code (for example, proprietary algorithms that take a large number of input parameters), into the key and execute them on the key's own microprocessor. Besides protecting software from illegal use, this approach protects the algorithm used in the program from being studied, cloned and reused in competitors' applications. However, for a simple algorithm (and developers often make the mistake of loading an algorithm that is not complex enough), cryptanalysis can be carried out by treating the key as a black box.

As follows from the above, the “heart” of the electronic key is the conversion algorithm (cryptographic or other). In modern keys, it is implemented in hardware - this practically eliminates the creation of a full key emulator, since the encryption key is never transmitted to the dongle output, which eliminates the possibility of its interception.
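The request types listed above, together with the table-emulator point made in the "Bypass protection" section below, as an added Python model that is not code from the original article or from any dongle vendor: a toy Feistel cipher stands in for the hardware algorithm sealed inside the key, a "table emulator" can only replay exchanges it has recorded, and the protected program combines a static reference check with a fresh random challenge. The vendor secret, the startup parameters and all class and function names are constructed for this example.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # the toy hardware algorithm works on 16-byte blocks

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(secret, half, rnd):
    # Keyed round function: HMAC-SHA256 truncated to half a block.
    return hmac.new(secret, bytes([rnd]) + half, hashlib.sha256).digest()[:len(half)]

def toy_encrypt(secret, block):
    # 4-round Feistel network standing in for the dongle's secret hardware algorithm.
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(secret, right, rnd))
    return left + right

def toy_decrypt(secret, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(secret, left, rnd)), left
    return left + right

class HardwareKey:
    """The real dongle: the secret never crosses the interface, only requests and responses."""
    def __init__(self, secret):
        self._secret = secret
    def encrypt(self, block):
        return toy_encrypt(self._secret, block)
    def decrypt(self, block):
        return toy_decrypt(self._secret, block)

class TableEmulator:
    """The text's 'table emulator': replays request/response pairs recorded on the driver
    interface and cannot answer anything it has not seen."""
    def __init__(self):
        self._dec, self._enc = {}, {}
    def record(self, request, response):
        self._dec[request] = response  # a recorded decrypt exchange
        self._enc[response] = request  # the same pair read backwards
    def encrypt(self, block):
        return self._enc[block]  # KeyError for a request it never saw
    def decrypt(self, block):
        return self._dec[block]

class EchoEmulator:
    """A cruder emulator that returns every request unchanged."""
    def encrypt(self, block):
        return block
    def decrypt(self, block):
        return block

# Protect time (constructed values): the vendor secret is sealed in the dongle and the
# program's startup parameters are shipped only in encrypted form.
VENDOR_SECRET = secrets.token_bytes(32)
REAL_KEY = HardwareKey(VENDOR_SECRET)
STARTUP_PARAMS = b"lic:PRO seats=05"              # exactly one 16-byte block
PROTECTED_BLOB = REAL_KEY.encrypt(STARTUP_PARAMS)  # this, not the plaintext, is embedded

def static_check(device):
    """Query 'decrypt data encrypted at protect time' and compare with the reference."""
    try:
        return device.decrypt(PROTECTED_BLOB) == STARTUP_PARAMS
    except KeyError:
        return False

def fresh_challenge_check(device):
    """Query 'decrypt what the program itself just had encrypted', new random value each run."""
    nonce = secrets.token_bytes(BLOCK)
    try:
        return device.decrypt(device.encrypt(nonce)) == nonce
    except KeyError:
        return False

def program_runs(device):
    # The protected application continues only if both query types are answered correctly.
    return static_check(device) and fresh_challenge_check(device)

def build_table_emulator():
    # A recorder on the driver interface sees the static request (identical on every launch)
    # and its answer; the random challenge never repeats, so it is never in the table.
    emulator = TableEmulator()
    emulator.record(PROTECTED_BLOB, REAL_KEY.decrypt(PROTECTED_BLOB))
    return emulator

if __name__ == "__main__":
    for name, dev in (("real key", REAL_KEY), ("table emulator", build_table_emulator()),
                      ("echo emulator", EchoEmulator())):
        print(f"{name:15} static={static_check(dev)} fresh={fresh_challenge_check(dev)} "
              f"runs={program_runs(dev)}")
```

The table emulator passes the static check and fails the fresh challenge, the echo emulator does the opposite, and only the real key passes both, which is why the text recommends combining request types rather than relying on a single "is the key present" query.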

The encryption algorithm can be secret or public. Secret algorithms are developed by the manufacturer of the protection hardware itself, sometimes individually for each customer. The main disadvantage of such algorithms is that their cryptographic strength cannot be assessed: whether an algorithm is reliable can be said with confidence only after the fact, once it has or has not been broken. A public algorithm, or "open source," has incomparably greater cryptographic strength, because it is examined not by random people but by experts who specialize in cryptanalysis. Examples of such algorithms are the widely used GOST 28147-89, AES, RSA, ElGamal, etc.

Automated protection

For most families of hardware keys, automatic tools (included in the SDK) have been developed that allow you to protect the program “in a few mouse clicks.” In this case, the application file is “wrapped” in the developer’s own code. The functionality implemented by this code varies depending on the manufacturer, but most often the code checks for the presence of a key, controls the licensing policy (set by the software supplier), implements a mechanism to protect the executable file from debugging and decompilation (for example, compressing the executable file), etc.

The important thing is that using the automatic protection tool does not require access to the application source code. For example, when localizing foreign products (where there is no possibility of changing the program's source code), such a protection mechanism is indispensable, but it does not allow the full potential of electronic keys to be used or flexible, individual protection to be implemented.

Implementing protection using API functions

In addition to using automatic protection, the software developer can develop protection independently by integrating the protection system into the application at the source code level. For this purpose, the SDK includes libraries for various programming languages that describe the API for a given key. The API is a set of functions designed to exchange data between the application, the system driver (and the server in the case of network keys) and the key itself. API functions provide various operations with the key: searching for it, reading and writing its memory, encrypting and decrypting data using hardware algorithms, licensing network software, etc.

Skillful application of this method ensures a high level of application security. Protection built into the application is quite difficult to neutralize because it is unique and "blurred" throughout the body of the program. The mere need to study and modify the executable code of a protected application in order to bypass the protection is a serious obstacle to cracking it. Therefore, the first task of the protection developer is to defend against automated cracking methods by implementing his own protection using the key management API.

Bypass protection

There is no information about full emulation of modern Guardant keys. Existing table emulators are implemented only for specific applications, and their creation was possible only because the protection developers did not use (or misused) the basic functionality of the electronic keys.

There is also no information about full or at least partial emulation of LOCK keys, or about any other ways to bypass this protection.

Hacking a software module

The attacker examines the logic of the program itself in order to, after analyzing the entire application code, select a protection block and deactivate it. Hacking of programs is carried out using debugging (or step-by-step execution), decompilation and RAM dump. These methods of analyzing executable program code are most often used by attackers in combination.

Debugging is carried out using a special program, a debugger, which allows any application to be executed step by step while emulating its operating environment. An important feature of the debugger is the ability to set breakpoints (or break conditions) on code execution. Using them, it is easier for an attacker to track the places in the code where access to the key is implemented (for example, by stopping execution on a message like "The key is missing! Check for the presence of the key in the USB interface").

Disassembly is a method of converting the code of executable modules into a programming language understandable to humans, assembler. In this case, the attacker gets a printout (listing) of what the application does.

Decompilation is the conversion of the application's executable module into program code in a high-level language, yielding a representation of the application close to the source code. It can be carried out only for some programming languages (in particular, for .NET applications created in C# and distributed as bytecode, a relatively high-level interpreted language).

A memory dump attack consists of reading the contents of RAM at the moment when the application has begun to execute normally. As a result, the attacker obtains the working code (or the part of interest) in its "pure form" (if, for example, the application code was encrypted and is decrypted only partially as each section executes). The main thing for an attacker is to choose the right moment.

Note that there are many ways to counteract debugging, and protection developers use them: non-linear code (multi-threading), a non-deterministic execution sequence, "littering" the code (with useless functions that perform complex operations in order to confuse the attacker), exploiting shortcomings of the debuggers themselves, etc.

Hello! In this article we will talk about electronic digital signature.

Today you will learn:

  1. What a digital signature is and in what areas it can be used;
  2. The legal force of a signature in this format;
  3. The advantages that having one provides.

For some time now, digital signature has been a tool that simplifies the movement of documentation. Moreover, this happens not only within the company, but also outside it. Let's look at how to become its owner today.

EDS - what is it in simple words

Everyone knows that any document is signed by a person who has such authority. This is done in order to give the document legal force. Thanks to modern technologies, all document flow is moving into electronic form. Moreover, it turned out to be extremely convenient!

What is digital signature in simple terms?

An EDS is the analogue of a regular signature, used to give legal force to documents held on electronic media.

It is usually stored on a flash drive.

Advantages:

  1. It simplifies and speeds up the exchange of data (including when collaborating with foreign companies);
  2. It reduces costs associated with document flow;
  3. It increases the level of security of commercial information.

Terms related to digital signature

Closely related to this concept are two others: the key and the electronic signature certificate. The certificate confirms that the digital signature belongs to a specific person. It can be enhanced or ordinary. An enhanced certificate is issued either by a certification authority or by the FSB.

A key is a sequence of characters. Keys are usually used in pairs: the first is the signature itself, the other confirms that it is genuine. To sign each newly created document, a new key is generated.

What is received from the CA is not the electronic digital signature itself but the means to create it.

A little history

The first electronic devices began to be used in Russia in 1994. And the law regulating their use was adopted in 2002. It was extremely vague and ambiguously interpreted the terminology. The issue of obtaining a signature was also practically not covered.

Since 2011, government agencies have switched to electronic document management. And all officials received an electronic signature.

In 2012, this process acquired a global scale and thanks to this, we can now become the owners of universal modern signatures.

How to get an electronic digital signature

Let's consider a situation in which a person has assessed all the advantages of this tool and decided to obtain an electronic signature. So, the question arose: what needs to be done for this? Let's talk about this in more detail.

To obtain an electronic digital signature, you need to go through several important steps:

  • Decide on the type of signature;
  • Select a certification authority;
  • Fill out an application;
  • Pay the invoice;
  • Collect the necessary documentation package;
  • Receive an electronic signature.

Now we will discuss each step in detail.

Step 1. Choose the type of signature that suits you best.

Over the last period of time, the number of those who want to receive an enhanced electronic signature has increased. This is explained by the fact that it can not only confirm the identity of the person who sent the document, but is also protected to the maximum. According to a number of experts, simple digital signatures will soon cease to exist completely.

Let us present in the form of a table the areas in which different types of signatures are used.

No.  Where is it used?                           Simple                     Unqualified  Qualified
1    Maintaining internal document flow          found in small companies   Yes          Yes
2    Maintaining external document flow          rarely anymore             Yes          Yes
3    In the Arbitration Court                    Yes                        Yes          Yes
4    When accessing the State Services website   Yes                        No           Yes
5    In regulatory authorities                   No                         No           Yes
6    When conducting electronic trading          No                         No           Yes

Step 2. Select a certification center.

If you need to obtain an electronic signature to submit reports, choose a qualified one, but if you just need to manage paperwork, then choose a simple one.

Let us clarify that the CA is a legal entity whose purpose is to generate and issue an electronic signature.

In addition, the CA carries out the following activities:

  • Confirms that the signature is authentic;
  • If necessary, blocks the digital signature;
  • Serves as a mediator if a conflict situation suddenly arises;
  • Provides technical support;
  • Provides necessary software to clients.

There are about 100 CAs in the Russian Federation. It is better to choose the one that suits your location and capabilities. You can first check to see if there are any in your city. This is easy to do: just look at the information on the official website.

Step 3. Fill out the application.

To do this, we either visit the center’s office or fill it out online. The remote method allows you to avoid a personal visit to the CA, that is, save some time.

As soon as the submission of the application is completed, a CA specialist contacts the client to clarify the data specified in it. You can ask him questions and get advice.

Step 4. Pay.

You will have to pay for the service in advance. Once the application is accepted and all details are agreed upon, the client is issued an invoice. The cost may vary, as it depends on the region where the client lives, on the company itself and on what kind of digital signature you want to receive.

Moreover, the price range is quite large - from 1,500 to 8,000 rubles.

Documents for digital signature

When collecting documents, an important nuance is that the required set differs depending on whether the electronic signature is for an individual, a legal entity or an individual entrepreneur. Therefore, we will describe the documentation for each separately.

To obtain a signature, individuals must collect the following set of documentation:

  • Completed application form;
  • Passport with photocopy;
  • SNILS;
  • A receipt confirming payment of the invoice.

If the recipient has an authorized representative, he or she can handle the submission of documents. The only thing is that you need a power of attorney to perform such actions.

Legal entities need to prepare:

  • Completed application;
  • OGRN certificate;
  • TIN certificate;
  • (not expired);
  • Passport with a copy of the person who will use the digital signature;
  • Payment receipt;
  • SNILS of the person who will use the digital signature;
  • If the director will use the signature, you must provide an order on the basis of which he holds this position;
  • Other employees need powers of attorney so that they can use digital signatures.

Individual entrepreneurs provide:

  • Completed application;
  • OGRNIP certificate;
  • TIN certificate;
  • An extract from the register of entrepreneurs, which is no more than 6 months old (a copy is possible);
  • A receipt confirming payment.

If the application was submitted remotely, the necessary documents are sent to the CA by mail, if in person, then along with the application.

Electronic signature for individuals

For individuals there are 2 types of signatures: qualified and unqualified. The obtaining procedure, when compared with legal entities, is much simpler.

Private individuals usually use electronic signatures to sign certain papers.

Nowadays, systems such as the following are also used:

  • Unified portal of public services;
  • ESIA network for obtaining various information.

For the unified identification and authentication system, a simple type of electronic signature is sufficient, but for the government services portal, a qualified one is used.

To obtain an electronic signature, a citizen also applies to the CA with all documents and an application. You also need to have a flash drive with you on which the private part of the key, known only to the owner, will be written.

The procedure looks like this:

  • Contact the CA for a certificate and an EDS key;
  • Choose a password;
  • Fill out the forms for obtaining keys;
  • Submit all documents;
  • Obtain a certificate for the keys.

Electronic signature for legal entities

The obtaining algorithm is practically no different from obtaining a signature by an individual. In the same way, a CA is selected, all the necessary documents are collected, and the invoice is paid. The only thing you must not forget is that the extract from the Unified State Register of Legal Entities must be received on time, since the process of preparing it takes about 5 days.

Hash function: why is it needed?

A hash function produces a unique number from a document by transforming it with an algorithm.

It is highly sensitive to various types of document distortions; if at least one character in the original document changes, most of the hash value characters will be distorted.

The hash function is designed in such a way that it is impossible to restore the original document using its value, and it is also impossible to find 2 different electronic documents that have the same hash value.

To generate an electronic digital signature, the sender calculates the hash function of the document and encrypts it using a secret key.

In simple terms, it is designed to simplify the exchange of data between users. This is a key data protection tool.

The signed file goes through a hashing procedure. And the recipient will be able to verify the authenticity of the document.

Legal force of digital signature

An electronic digital signature has equal legal force with a regular signature on a paper version of a document, if it was applied without violations. If deviations are identified, the document is not valid. The state regulates the process of using digital signatures by Federal legislation.

Validity period of the digital signature

The digital signature is valid for 12 months from the day it was received. As soon as this period ends, it is extended or another one is received.

Let's sum it up. The use of digital signatures brings the greatest benefits to large companies and enterprises. Thanks to it, document flow becomes cheaper and broad horizons for business open up.

It is also beneficial for ordinary citizens to have one. There is no need to stand in lines, and state services can be ordered without leaving home. An EDS is a modern, convenient and profitable tool.

Even those accountants who have been submitting reports via the Internet for a long time do not always understand how one of the main elements of the reporting system works - an electronic digital signature (EDS). Meanwhile, such knowledge allows you to prevent some basic mistakes that can lead to conflicts with the inspection. In addition, an accountant who has gained an understanding of the basics of digital signature technology will spend much less time communicating with call center operators.

Creation of digital signature

There are different ways to create an electronic digital signature. In practice, the most convenient and common way is to create an electronic signature using two keys, public and private. Both keys are created using a special encryption program (for example, "Crypto-pro"). To create a private key, you must either randomly move the mouse or randomly press keys on the keyboard. The program converts these movements into a very long string of characters (its size is 512 bits; whether that is a lot or a little is discussed below, in the "Additional Information" section). This is how the private key is created.

Then the same program creates a public key based on the private key (note right away that the reverse process - finding a private key from a public key - is impossible). The public key is published on the websites of certification authorities and the special communications operator whose services the key owner uses, but the private key should be stored with all possible precautions.

Why are certification authorities needed?

They solve the most important problem: they confirm the authenticity of information about the owner of the key and his powers. If CAs did not exist, anyone who bought an encryption program could declare their public key to be the key of the chief accountant of Gazprom or of the head of the inspectorate for the largest taxpayers.

Therefore, in order to obtain an electronic digital signature, an accountant (or manager) must provide the CA with documents proving his identity and a power of attorney from the company, and write a request for the issuance of a public signature key certificate. The center issues electronic and paper public key signature certificates. An electronic certificate is a file containing the client's public key, signed with the digital signature of the certification authority. A paper certificate contains the following data: the public key of the digital signature, the full name of its owner, the validity period of the certificate (usually one year), the scope of the key (the list of documents that can be signed using the key for which the certificate was issued), and information about the organization that the key owner represents.

Accordingly, after completing the documents at the CA, the client has in his hands a paper certificate and a storage medium (ru-token, flash drive, floppy disk) on which the following files are recorded: public key, private key, public key certificate.

Encrypt with the public key, decrypt with the private key

Let's say an accountant wants to send a declaration to the inspectorate. He generates a reporting file (enters the organization's data into the electronic declaration format). He then signs the reporting file with his private key. Signing creates a new, distinct file. In a document signed with an electronic signature, neither the recipient nor the sender can change a single character: such a violation of the integrity of the document is easily detected when it is checked using the public key certificate.

Next, the program with which the accountant sends the reports encrypts the declaration with the public key of the inspectorate. The encrypted file is sent to the inspectorate. The tax authorities receive the file and decrypt it with their private key. Then the payer's digital signature is checked against the registry of public key certificates (this verification is carried out automatically when reports are received). The check answers two questions: whether the integrity of the document was violated after the payer signed it, and whether this digital signature really belongs to the payer who submitted the reports.

After checking, the inspectorate sends the organization an incoming control protocol. The inspector signs the protocol with his private key, then encrypts the protocol with the company's public key and sends the encrypted file to the company. The accountant opens the encrypted information in the file with his private key.

In theory, anyone can intercept an encrypted file. However, you can only decrypt a file sent to the inspectorate if you have the inspectorate’s private key. Accordingly, an encrypted file sent to a company can only be opened by someone who has the company’s private key.
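The exchange described in the paragraphs above (sign with the sender's private key, encrypt for the recipient with the recipient's public key, decrypt with the recipient's private key, then verify), together with the hash-function properties from the "Hash function: why is it needed?" section, as an added Python example that is not part of the original article and not code from Crypto-pro or any other EDS product. It uses a textbook RSA built from Mersenne primes and a signed-file layout (signature appended as 32 bytes) that are assumptions for the demo; the declaration text is constructed.

```python
import hashlib

# Toy RSA from Mersenne primes (2^61-1, 2^89-1, 2^107-1 and 2^127-1 are all known primes)
# so the example needs only the standard library. Real EDS keys are far longer (the text
# cites 512 bits) and use standardized padding; this only shows the workflow the text describes.
E = 65537
CHUNK = 16    # bytes per encrypted block; 2^128 is below both toy moduli
SIG_LEN = 32  # bytes reserved for the signature inside the signed file (assumed layout)

def make_keypair(p, q):
    """Return (public, private) = ((e, n), (d, n)); d comes from p and q, which are then discarded."""
    n = p * q
    return (E, n), (pow(E, -1, (p - 1) * (q - 1)), n)

COMPANY_PUBLIC, COMPANY_PRIVATE = make_keypair(2**107 - 1, 2**127 - 1)
INSPECTORATE_PUBLIC, INSPECTORATE_PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)

def digest(document, n):
    """Hash function: a fixed-size value from which the document cannot be recovered.
    Reduced mod n only because the toy modulus is shorter than the SHA-256 output."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n

def sign(document, private):
    d, n = private
    return pow(digest(document, n), d, n)  # the text's "encrypt the hash with the secret key"

def verify(document, signature, public):
    e, n = public
    return pow(signature, e, n) == digest(document, n)

def encrypt_bytes(data, public):
    """Encrypt with the recipient's PUBLIC key; returns (length, blocks)."""
    e, n = public
    blocks = [pow(int.from_bytes(data[i:i + CHUNK], "big"), e, n) for i in range(0, len(data), CHUNK)]
    return len(data), blocks

def decrypt_bytes(envelope, private):
    """Decrypt with the recipient's PRIVATE key; without it the file stays closed."""
    d, n = private
    length, blocks = envelope
    out = bytearray()
    for i, c in enumerate(blocks):
        size = CHUNK if i < len(blocks) - 1 else length - CHUNK * (len(blocks) - 1)
        out += pow(c, d, n).to_bytes(size, "big")
    return bytes(out)

def hash_sensitivity(document):
    """How many of the 64 hex digits of SHA-256 change when one byte of the document changes."""
    altered = bytearray(document)
    altered[0] ^= 0x01
    a, b = hashlib.sha256(document).hexdigest(), hashlib.sha256(altered).hexdigest()
    return sum(x != y for x, y in zip(a, b))

def accountant_sends(declaration):
    """Sign with the company's private key, then encrypt the signed file for the inspectorate."""
    signed_file = declaration + sign(declaration, COMPANY_PRIVATE).to_bytes(SIG_LEN, "big")
    return encrypt_bytes(signed_file, INSPECTORATE_PUBLIC)

def inspectorate_receives(envelope):
    """Decrypt with the inspectorate's private key, then check the payer's signature."""
    signed_file = decrypt_bytes(envelope, INSPECTORATE_PRIVATE)
    document, signature = signed_file[:-SIG_LEN], int.from_bytes(signed_file[-SIG_LEN:], "big")
    return document, verify(document, signature, COMPANY_PUBLIC)

def detect_alteration(declaration):
    """Verification result for the original and for a copy with a single changed byte."""
    signature = sign(declaration, COMPANY_PRIVATE)
    altered = bytearray(declaration)
    altered[-1] ^= 0x01
    return verify(declaration, signature, COMPANY_PUBLIC), verify(bytes(altered), signature, COMPANY_PUBLIC)

if __name__ == "__main__":
    declaration = b"VAT declaration, Q1: amount to refund 1000 RUB"  # constructed sample
    received, ok = inspectorate_receives(accountant_sends(declaration))
    print(received, ok, detect_alteration(declaration), hash_sensitivity(declaration))
```

The reply direction (inspectorate signs the protocol with its private key and encrypts it with the company's public key) is the same two calls with the key pairs swapped.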

What happens if you store your private key carelessly?

The most important problem that careless storage of a private key can cause for a company is the so-called compromise of the key, that is, strangers gaining access to the private key. If the key is stored on a floppy disk lying on the accountant's desk, or is recorded on the hard drive of the accounting computer, the company risks serious trouble. With the private key, an ill-wisher can send deliberately false reports on the company's behalf. For example, long before the deadline by which the accountant plans to submit reports, he could send the inspectorate a VAT return with huge amounts to be reimbursed. In this case, the company at a minimum faces tedious proceedings with the tax authorities, who have already accepted the "false" reporting and entered it into their database. At a maximum (if the accountant does not detect the "false" submission in time), it faces requests for documents during an in-depth desk audit, additional charges, penalties, fines and litigation.

Another consequence of careless storage is the possible loss of the private key. The key may be stolen. It can be lost. If the private key is written on an unreliable medium—a floppy disk—there is a risk of mechanical damage. In addition, a floppy disk can get lost among other floppy disks, and information on it can be erased by mistake.

Losing a valid key on the eve of reporting submission will result in failure to submit the declaration on time via the Internet. The fact is that no one will be able to give an organization a “duplicate” private key - the certification center simply does not have it, and it is impossible to recreate a private key from a public key. Without a private key, the company will not be able to sign the reports and decrypt the protocols from the inspection, which indicate whether the reports were accepted or not accepted due to some errors. The only way out is to get new keys. If this procedure drags on and the inspectorate takes note of the information about the new keys late, the declarations will have to be submitted in person or sent by regular mail.

Private keys that have expired should also be stored carefully. This thesis is especially relevant for accountants who store all submitted reports not on their computer, but in encrypted form on the server of a special communications operator. If they lost the private key that was valid in, say, 2006, then they would not be able to decipher their own tax returns for that year.

Additional Information
How reliable is the digital signature?

As we have already mentioned, the size of the private key of the digital signature used when submitting reports is 512 bits. In order to understand what degree of reliability this key size provides, we will give an example. It took a team of researchers using hundreds of computers three years to find a 72-bit key. Our key size is 512 bits. The conditions of the experiment make it possible to calculate the number of years it will take to select it. This period is expressed as a number with 130 zeros. For comparison, the age of the Earth is estimated at 4.5 billion years, and a billion is a number with 9 zeros.

How does digital signature differ from old encryption?

One of the first to put information encryption (cryptography) into practice was Emperor Gaius Julius Caesar. He sent messages to remote provinces, where instead of the letter A he put the letter D, instead of the letter B - the letter E, etc. That is, he used an alphabetical shift of three letters. This was enough to prevent enemies who intercepted the message from deciphering it. But recipients in the provinces, who knew the secret of the code, easily read orders from the capital.
More than two thousand years have passed since then. During this time, a huge variety of ciphers were invented (for Caesar it was a simple alphabetical shift of 3 letters, while the cipher machines of the Second World War already used enormous thousand-digit numbers). However, until recently, the science of encryption invented nothing fundamentally new. The essence remained the same: before a document exchange, the sender of the message and its recipient had to share the secret of the cipher (which required either a personal meeting or the use of some highly reliable communication channel). Such encryption, in which the participants in document flow have to pass the secret of the cipher to each other, is called symmetric cryptography.

However, in the seventies of the last century, a fundamentally new method of cryptographic information protection was invented. It does not require a prior exchange of the cipher secret, which is why it was called asymmetric cryptography. This is the encryption method used in electronic digital signatures. To send encrypted information to someone, it is enough to have your own digital signature keys and to know the recipient's public key.

Many of those who constantly interact with electronic document management have probably come across such a concept as an electronic signature. Nevertheless, for most people this term remains unfamiliar, but those who managed to try this tool were not disappointed. In simple terms, an electronic signature is an analogue of a handwritten signature. This method is often used when working with electronic documents, regardless of the field of activity. Let's take a closer look at what it is, what it is used for and how to obtain an electronic signature key.

Why do you need an electronic signature?

People who have not yet had time to get acquainted with this tool have logical questions about why, in general, an electronic digital signature is needed, when you can simply print out a document on a printer, endorse it and put the usual stamp?

So, there are a number of reasons why an electronic signature is more valuable than a real one. Let's look at them in more detail:

1. Electronic document management. In the conditions of modern computerization, there is no longer a need to save documents in paper form, as was done before. Now all government organizations recognize the legal validity and convenience of electronic documents for several reasons:

  • they don't take up space;
  • stored securely;
  • the process of information exchange is greatly simplified and so on.

In inter-corporate document circulation, an electronic signature has no real substitute, since it removes the need to travel to subsidiaries just to sign documents. Documents of the affiliated companies can be signed and accessed from a computer, and the signature guarantees their authenticity while simplifying communication between managers.

2. Reporting. Documentation supported by an electronic signature has legal force, which means there is no need to send a courier or transport the documents yourself, you just need to open the document with the report, attach the digital signature and send it to the recipient by email. All actions will take only a few minutes.

3. Government services. The main advantage is that you don’t have to waste time in long lines. An individual can simply enter an electronic signature on a universal electronic card (UEC), which already contains all the important data.

4. Online bidding. Here the digital signature guarantees that a specific, identified person takes part in the auction and bears financial liability for failing to honour the terms of the contract.

5. Arbitration court. Electronic documents supported by electronic signatures are recognized as full-fledged evidence.

6. Transfer of documentation. This option is especially useful for legal entities, because it gives the right to:

  • Enter electronic reporting into the company, thus exchanging documents between departments, structures and other cities.
  • Draw up and sign legally binding agreements with partners from other cities and countries.
  • Provide evidence in court proceedings electronically, without personal presence.
  • Send reports to government agencies without leaving your office.
  • Receive services from the state by confirming your right to them with an electronic document.

Heads of organizations with a built-in electronic document management system are forever freed from questions about processing and storing folders with important papers. Are you thinking about how to get an electronic signature key certificate now? You will find the answer to this and many other pressing questions below.

How it works?

The qualified type of electronic signature is the most common, and the principle behind it is simple: the signature key pair is registered with a Certification Center (CA), which issues a certificate for the public (verification) key and keeps a record of it. The private (signing) key is not deposited with the CA; it stays with its owner.

Don't know how to get an electronic signature verification key certificate? The certificate is the part that is sent to partners; only the owner company holds the private key that matches it.

Having received the electronic key, the owner installs special signing software on the computer. It computes a hash of the document and encrypts that hash with the private key; the result is attached to the document as a signature block together with the following data:

  • Date the document was signed.
  • Information about the person who signed.
  • Key (certificate) ID.

After receiving the documentation, partners need the sender's qualified electronic signature verification key certificate to carry out verification: the public key from the certificate is applied to the signature and the result is compared with a fresh hash of the document, which confirms both who signed and that nothing was changed afterwards. The certificate is normally valid for one year and contains the following information:

  • Serial number.
  • Validity period.
  • Information about registration with the Certification Center (CA).
  • Data about the holder and the CA that issued it.
  • List of areas (usages) in which it can be applied.
  • The issuing CA's own signature, which guarantees the certificate's authenticity.

Forging a qualified signature without the private key is computationally infeasible, so the practical risk is not forgery but compromise of the key itself: a stolen private key signs exactly like its owner. Keep the key on a protected token with a PIN, and have the certificate revoked at the CA immediately if the key is lost or exposed. All operations with keys are carried out within the signing software, whose interface also supports the electronic document workflow.
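An added example, not code from the original article: a toy implementation in Python of the sign-and-verify exchange described above. It uses textbook RSA with two fixed Mersenne primes and a truncated SHA-256 hash purely to make the mechanics visible; real qualified signatures use certified algorithms, properly generated keys, a padding scheme and a real certificate rather than the hypothetical KEY_ID string derived here. The signature block carries the date, signer and key ID listed above and the signature is computed over all of them, so changing any field, or the document itself, makes verification fail.

```python
import hashlib
import json
from datetime import date
from typing import Optional, Tuple

# Two Mersenne primes (2^61-1 and 2^89-1), chosen for illustration only. Real keys
# use two random primes of equal size; this is NOT a key-generation routine.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q                                # ~150-bit toy modulus
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (needs Python 3.8+)

PUBLIC_KEY: Tuple[int, int] = (N, E)     # goes into the certificate, sent to partners
PRIVATE_KEY: Tuple[int, int] = (N, D)    # never leaves the owner
# Hypothetical certificate identifier derived from the public key, stands in for the CA's serial.
KEY_ID = hashlib.sha256(f"{N}:{E}".encode()).hexdigest()[:16]


def document_hash(data: bytes) -> int:
    """128-bit truncation of SHA-256 so the value is below the toy modulus (textbook RSA, no padding)."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(document: bytes, signer: str, private_key=PRIVATE_KEY,
         signed_on: Optional[str] = None) -> dict:
    """Build the signature block: date, signer, key ID, document hash, then sign the whole block."""
    n, d = private_key
    block = {
        "signed_on": signed_on or date.today().isoformat(),
        "signer": signer,
        "key_id": KEY_ID,
        "hash": document_hash(document),
    }
    # The signature covers the serialized block, so date and signer are protected too.
    digest = document_hash(json.dumps(block, sort_keys=True).encode())
    block["signature"] = pow(digest, d, n)
    return block


def verify(document: bytes, block: dict, public_key=PUBLIC_KEY) -> bool:
    """Partner-side check using only the public key from the certificate."""
    n, e = public_key
    if block.get("hash") != document_hash(document):
        return False                      # document changed after signing
    unsigned = {k: v for k, v in block.items() if k != "signature"}
    expected = document_hash(json.dumps(unsigned, sort_keys=True).encode())
    return pow(block["signature"], e, n) == expected


if __name__ == "__main__":
    report = b"Quarterly report: revenue 1000"   # constructed sample document
    blk = sign(report, "Ivanov I.I.")
    print("valid:", verify(report, blk))
    print("after edit:", verify(b"Quarterly report: revenue 9000", blk))
```

Note the order of checks in `verify`: the hash comparison catches an altered document, and the RSA check catches an altered block (a different signer or date, or a hash swapped in to match a forged document). Both must pass; a real verifier would additionally check the certificate's validity period and revocation status at the CA.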

The procedure for obtaining an electronic signature. Step-by-step instruction

Having studied all the advantages of an electronic signature, you decided to get it. Wonderful! But here the question arises: how to obtain an electronic signature key? The answer to this can be found in the detailed step-by-step instructions presented below.

  1. Selecting the digital signature type.
  2. Selection of a certification organization.
  3. Filling out an application for the production of an electronic signature.
  4. Payment by invoice after the application is confirmed.
  5. Preparation of a set of documents.
  6. Obtaining a digital signature. You must come to the certification center with the original documents (or photocopies certified by a notary) that are required to issue an electronic signature, with a receipt for payment of the invoice; in addition, legal entities and individual entrepreneurs should have a stamp with them.

The obtaining process itself is very simple, however, in some situations, obtaining an electronic signature may be refused, for example, the application contains erroneous data or an incomplete package of documents is provided. In such cases, errors should be corrected and the application resubmitted.

Step 1. Selecting the type of digital signature

Don't know how to get an unqualified electronic signature key? First of all, you should understand the types of electronic signatures, of which, under federal law, there are several:

  1. Simple. It contains information about the owner of the signature so that the recipient of the documentation can understand who the sender is. Such a signature offers no protection against forgery.
  2. Enhanced. It is further divided into two kinds:
  • Unqualified: identifies the signer and also makes it possible to detect any changes made to the document after signing.
  • Qualified: the most reliable type. It is both highly secure and legally binding, fully equivalent to a handwritten signature. A qualified signature is issued exclusively by accredited certification centers, using cryptographic tools certified by the FSB.

Most customers apply for a qualified signature, which is understandable: signature keys, like any other credentials that give access to personal information and financial transactions, are a target for fraudsters of every kind.

Step 2. Certification authority

Don't know where to get an electronic signature key? At a certification center: an organization that produces and issues electronic signature certificates. More than a hundred such centers now operate in Russia.

Step 3. Completing the application

The online application will save personal time, and it contains a minimum amount of information: initials, contact telephone number and email address. After sending, you will receive a call from a certification center employee within an hour to clarify the entered data. During the conversation, he will be able to answer all your questions and advise on the types of electronic digital signatures.

Step 4. Payment

Don't know how to get an electronic signature key? First, you need to pay the invoice, this is done before receiving the digital signature. Immediately after confirming the application and agreeing on the nuances with the client, an invoice is issued in his name. The cost of a digital signature varies depending on the chosen organization, area of ​​residence and type of signature. Price includes:

  • Generating a signing key certificate.
  • Software that is required to generate signatures and send documentation.
  • Technical support.

The cost of a digital signature starts from 1,500 rubles, the average ranges from 5 to 7 thousand rubles. When ordering a large number of signatures, for example, for the entire organization, the minimum cost may be lower.

Step 5. Preparing documentation

Don’t know how to get an electronic signature key for an individual entrepreneur? The list of documents for different categories of citizens differs significantly: an individual, a legal entity or an individual entrepreneur, therefore, we will analyze the package of documents required to obtain an electronic signature separately for each group.

Legal entities

  • Original passport of the general director.
  • Photocopy of pages 2 and 3 in 1 copy.
  • OGRN certificate.
  • Documents on the establishment of the organization (Charter or constituent agreement).
  • SNILS.
  • An extract from the unified state register of legal entities (the form must have the seal of the Federal Tax Service, as well as the signature, surname and position of the department employee).

Individual entrepreneurs

In order to obtain an electronic signature key for the tax office, an individual entrepreneur must provide the following set of documents:

  • Original passport.
  • Copy of pages 2 and 3 in the passport - 1 copy.
  • A photocopy of the document on state registration of an individual as an individual entrepreneur - 1 copy.
  • SNILS.
  • A photocopy of the document on registration with a tax organization - 1 copy.
  • An extract from the Unified State Register of Individual Entrepreneurs, certified by a notary (the issuance period should not exceed 30 days).
  • Application for production of digital signature.
  • Application for accession to the Regulations of the Certification Authority.
  • Consent to the processing of the applicant’s personal information.

If you have a power of attorney and a passport, the digital signature of an individual entrepreneur can be taken by his authorized representative.

Individuals

How to obtain an electronic signature key for a tax office for an individual? First of all, you should prepare the following documents:

  • Citizen's passport.
  • SNILS.
  • Application for the production of an electronic signature.

Step 6. Obtaining a digital signature: the final stage

And finally, the last question: where do you get an electronic signature key for government services and other services? At the certification center's issuing points, which are located throughout Russia; detailed information about them is published in a dedicated section of the center's official website. In general, obtaining a digital signature takes no more than three days.

There may be delay on the part of the applicant due to late payment of the invoice or errors in the documentation.

Important! Pay great attention to the extract from the unified state register of legal entities and individuals, since the process of preparing the document takes 5 working days!

Now you know where and how to get an electronic signature key. The registration process is quite simple, and with proper preparation it will take very little time.

01 August 2001. This material is devoted to protecting software from cracking; more precisely, it discusses electronic keys (hardware dongles), one of the most common methods of protecting software products today.

Electronic keys are in fact the only technical solution that provides an acceptable level of protection and, at the same time, causes the least inconvenience to end users.

Program protection methods

Among the technical solutions proposed to protect replicated software, several main groups can be distinguished.

Use of key floppy disks and specially coated CDs, passwords and registration numbers

These protection methods are cheap to implement but offer little resistance to cracking. Their use is therefore justified only for software in the lower price category, where popularity and large circulation matter most (sometimes even thanks to pirated copies). A more reliable but also more expensive protection system would not pay off here and could even have a negative effect.

Linked to unique computer characteristics

This protection method is much more resistant to hacking than previous ones, with low implementation costs. However, due to the specific implementation of the protection mechanism, it is the most inconvenient for end users and causes numerous complaints. After all, a program protected in this way cannot be transferred to another computer, difficulties arise with upgrades, etc. The use of such protection is advisable in cases where the manufacturer is confident that it will not scare away customers.

The most recent example of this method is the built-in copy protection of new Microsoft software products.

Software and hardware protection using electronic keys

Today, this is the most reliable and convenient method of protecting replicated software of the middle and high price categories. It is highly resistant to hacking and does not restrict the use of a legal copy of the program. The use of this method is economically justified for programs costing over $80, since the use of even the cheapest electronic keys increases the cost of the software by $10-15. Therefore, every key manufacturer is striving to develop new, cheaper models to protect high-volume, low-cost products without compromising their effectiveness.

Electronic keys mainly protect so-called "business" software: accounting and warehouse programs, legal and corporate systems, construction estimates, CAD, electronic reference books, analytical software, environmental and medical programs, etc. The costs of developing such programs are high, and their price is correspondingly high, so the damage from pirated distribution is significant. Here electronic keys are the optimal protection.

As you can see, when choosing a means of protection, the developer must proceed from the principle of economic feasibility. The protection must fulfill its main purpose - to significantly reduce, and ideally stop, losses from piracy, without greatly increasing the cost of the program, which can negatively affect sales. The manufacturer is also obliged to take into account the interests of users. Ideally, protection should not cause them any inconvenience.

What is an electronic key

The electronic key prevents illegal use (exploitation) of the program. It is often said that the key protects against copying, but this is not entirely true. A protected program can be copied, but a copy without a key will not work, so copying simply makes no sense.

The electronic key itself is a device about the size of a matchbox that connects to one of the computer's ports. It consists of a board with microcircuits (auxiliary elements, a microcontroller and memory) in a plastic case. The microcontroller holds the so-called "mathematics": a set of commands implementing one or more functions that generate the blocks of information exchanged between the key and the protected program; these blocks are also called "questions and answers". The key's memory holds information about its characteristics as well as user data. The key has two connectors: one attaches it to the computer's LPT (parallel) port, the other accepts a peripheral device. When used correctly, a modern dongle normally does not interfere with printers, scanners and other peripherals connected through it to the parallel port.

What types of electronic keys are there?

Electronic keys are extremely diverse in their design (internal and external), purpose, appearance, etc. They can also be classified by compatibility with software environments and types of computers, by connection method and degree of complexity (functionality), etc. However, talking about all the types of keys would take a lot of time, so we should focus on the most widely used solutions.

So, most often, electronic keys are used to protect local and network Windows and DOS applications. The bulk of keys today are devices for parallel ports. However, USB dongles are becoming increasingly popular, and it is likely that in the near future they will seriously compete with LPT dongles.

To protect expensive software, complex (multifunctional) keys are used; to protect cheaper programs, simpler keys are used.

By internal design, electronic keys are divided into:

  • Keys that do not contain built-in memory
    Such keys do not provide the required level of application security. After all, only the presence of memory in addition to the logical key block allows you to build a protection system of any complexity. In the key's memory, you can store information necessary for the operation of the program, lists of passwords (essentially, an electronic key can be used as a means of identification), etc. The memory capacity of most modern keys usually reaches several hundred bytes. The use of keys without built-in memory can only be justified to protect cheap, large-scale programs.
  • Keys containing only memory
    This class of keys is obsolete. Such keys are no longer produced, but a fairly large number of them are still retained by end users of the software.
  • Keys on a custom ASIC chip
    This is by far the most common class of keys. Their functionality is determined by the specific type of ASIC chip. The disadvantage of such keys is, so to speak, the “completeness” of the design. The range of their properties is limited by the framework defined during the creation of the microcircuit. All keys of the same model operate using the same algorithm or algorithms (that is, they contain functions of the same type). This feature may adversely affect the degree of resistance of the protection system. After all, a frequently repeated security model makes the attacker's task easier.
  • Microprocessor keys
    This type of key, unlike the previous one, has a much more flexible design. It is possible to “flash” a program into the microprocessor key controller that implements functions that are different for each client. In principle, any microprocessor key can be easily programmed so that it will work according to its own unique algorithm.

An electronic key is a hardware part of protection. The software part consists of special software for working with keys. It includes tools for programming keys, utilities for installing security and diagnostics, key drivers, etc.

Protecting programs using a key

To install a protection system, it is necessary to program the electronic key as required, i.e., enter information into its memory by which the protected program will identify the key and “link” the program to the key by installing automatic protection and/or protection using API functions.

To program the key's memory, special utilities are mainly used, with the help of which the contents of memory fields are read and rewritten, the fields themselves are edited, changed or deleted, and the key is programmed remotely. Programming utilities are also used to debug the protection scheme. With their help, they check the correct execution of API functions, create arrays of questions and key answers, etc.

Methods of protection

There are protection systems that are installed on executable program modules (attached or automatic protection), and protection systems that are built into the source code of the program (protection using API functions).

Automatic protection

The executable file of the program is processed by the corresponding utility included in the software package for working with keys. As a rule, this method of protection is almost completely automated; the installation process takes only a few minutes and does not require special knowledge. After this, the program is “tuned” to an electronic key with certain parameters.

Automatic protection utilities usually have many service functions that allow you to select different modes of “binding” the program to the key and implement additional capabilities. For example, such as virus protection, limiting operating time and number of program launches, etc.

However, it should be kept in mind that this method may not provide sufficient reliability. Since the automatic protection module is attached to a ready-made program, there is a possibility that an experienced hacker will be able to find the “connection point” and “unhook” such protection. A good automatic protection utility should have options that make it difficult to debug or disassemble a protected program.

Protection using API functions

This security method is based on the use of API functions collected in object modules. API functions allow you to perform any operations with a key (searching for a key with specified characteristics, reading and writing data, calculating checksums, converting information, etc.). This allows you to create non-standard protection schemes suitable for any case. In general, we can say that the capabilities of API protection are limited only by the richness of the developer’s imagination.

Libraries of special API functions and examples of their use, written in various programming languages, should be included in the key management software package. To install protection, you need to write calls to the required API functions, insert them into the program source code and compile them with the object modules. As a result, the protection is embedded deep inside the body of the program. Using API functions provides a much higher degree of security than automatic protection.

Almost the only “disadvantage” of this method of protection, according to some software manufacturers, is the additional costs of training staff to work with API functions. However, without using the API, it is impossible to count on acceptable strength of the security system. Therefore, in order to make life easier for developers, security system manufacturers are working on programs that simplify the installation of API protection.

In general terms, the operation of the protection system can be represented as follows:

During operation, the protected program transmits information to the electronic key, the so-called “question”. The electronic key processes it and returns it back - “answers”. The program identifies the key based on the returned data. If it has the correct parameters, the program continues to run. If the key parameters are not suitable, or it is not connected, the program stops working or goes into demo mode.

The confrontation between protection developers and crackers is an arms race. Constant improvement of cracking tools and methods forces protection developers to continuously update or invent new protection tools and methods in order to stay one step ahead. After all, a scheme that was effective yesterday may be useless today.

Methods of breaking the protection

Making a hardware copy of the key

This method involves reading the contents of the key's memory chip using special software and hardware. Then the data is transferred to the chip of another key (“blank”). This method is quite labor-intensive and can be used if the key’s memory is not protected from reading information (which was typical for keys containing only memory). In addition, creating a hardware copy of the key does not solve the problem of replicating the program, because it still remains “tied”, but only to another key. For these reasons, making hardware copies of keys is not widespread.

Making an emulator (software copy) of the key

The most common and effective hacking method, which consists of creating a software module (in the form of a driver, library or resident program) that reproduces (emulates) the operation of an electronic key. As a result, the protected program no longer needs a key.

Emulators can reproduce the operation of keys of a certain model, or keys supplied with a certain program, or one specific key.

Based on their organization, they can be divided into structure emulators and response emulators. The former reproduce the key structure in detail (usually universal emulators), the latter work based on a table of questions and answers for a specific key.

In the simplest case, to create an emulator, a hacker must find all possible correct questions for the key and match the answers to them, that is, obtain all the information exchanged between the key and the program.

Modern keys have a whole range of features that prevent emulation. First of all, these are various options for complicating the key exchange protocol and the protected program, as well as encoding the transmitted data. The following main types of secure exchange protocols or combinations thereof are used:

  • floating protocol: "garbage" is transmitted along with the real data, and the order and nature of both the real and the junk data change unpredictably over time
  • encrypted protocol: all transmitted data is encrypted
  • with automatic verification: every write to the key's memory is accompanied by an automatic consistency check of the data

Additional complication of the exchange protocol is achieved by increasing the volume of transmitted information and the number of questions to the key. Modern keys have memory sufficient to process fairly large volumes of data. For example, a key with 256 bytes of memory can process up to 200 bytes of information in one session. Compiling a table of questions for such a key today seems to be a very labor-intensive task.
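The following simulation is an added example, not code from the original article or from any dongle vendor: it models in Python the question-and-answer exchange described under "Protection using API functions", the sniffing of that exchange, and the response emulator built from the sniffed table, as discussed in this section. The key's "mathematics" is stood in for by an HMAC over a secret that never leaves the simulated device; the secret, the question set and the 16-question trace are all constructed for the demonstration. The point it makes is the one above: an emulator built from a table of observed exchanges replays those perfectly, but has no answer for a question it never saw, which is why a large, data-dependent question space is the main defence.

```python
import hashlib
import hmac
from typing import Dict


class Dongle:
    """Simulated hardware key: a secret burned into the device and a keyed response function."""

    def __init__(self, secret: bytes):
        self._secret = secret            # never readable by the host

    def answer(self, question: bytes) -> bytes:
        # The key's "mathematics": a keyed function of the question (8-byte answer).
        return hmac.new(self._secret, question, hashlib.sha256).digest()[:8]


class SniffingBus:
    """Sits between program and key, like a hooked driver, and records every exchange."""

    def __init__(self, dongle: Dongle):
        self._dongle = dongle
        self.table: Dict[bytes, bytes] = {}

    def answer(self, question: bytes) -> bytes:
        a = self._dongle.answer(question)
        self.table[question] = a
        return a


class TableEmulator:
    """Response emulator: answers from the sniffed table, knows nothing about the secret."""

    def __init__(self, table: Dict[bytes, bytes]):
        self.table = dict(table)

    def answer(self, question: bytes) -> bytes:
        if question not in self.table:
            raise KeyError("question never observed: emulator cannot answer")
        return self.table[question]


def program_check(key, question: bytes, expected: bytes) -> bool:
    """The protected program's check: compare the key's answer with one embedded at build time."""
    return hmac.compare_digest(key.answer(question), expected)


def demo() -> Dict[str, object]:
    real = Dongle(secret=b"vendor-secret-burned-into-key")        # constructed
    # Build time: the vendor computes expected answers for 64 distinct questions.
    questions = [bytes([i]) * 4 for i in range(1, 65)]
    expected = {q: real.answer(q) for q in questions}

    # A cracker traces one run of the program, which happens to use only 16 of the questions.
    bus = SniffingBus(real)
    real_ok = all(program_check(bus, q, expected[q]) for q in questions[:16])

    # The emulator is built from that trace and replaces the key.
    emu = TableEmulator(bus.table)
    replay_ok = all(program_check(emu, q, expected[q]) for q in questions[:16])
    try:
        unseen_ok = program_check(emu, questions[40], expected[questions[40]])
    except KeyError:
        unseen_ok = False                   # a code path the trace never reached

    return {"real_key": real_ok, "emulator_on_seen": replay_ok,
            "emulator_on_unseen": unseen_ok, "table_size": len(emu.table)}


if __name__ == "__main__":
    print(demo())
```

The cracker's job is to drive the program through every path that talks to the key; the vendor's job is to make that set large and hard to enumerate (many questions, questions derived from data, answers folded into later computation rather than compared once). An encrypted or "floating" protocol raises the cost of building the table but, on its own, does not change this picture: a table still works for whatever was observed.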

Detaching the automatic protection module

As mentioned earlier, automatic protection has limited resistance, since it does not form a single whole with the protected program. As a result, the protective "envelope" can, with some effort, be removed. Crackers have a number of tools for this: automatic unpackers, debuggers and disassemblers. One way to bypass the protection is to find the point at which the envelope finishes its work and hands control to the original program, then dump the program from memory in its unprotected form.

However, protection vendors have several techniques in their arsenal to make removing the protection as difficult as possible. A good automatic protection utility will include options providing:

  • counteracting automated hacking programs,
  • counteraction to debuggers and disassemblers (blocking standard debugging tools, dynamic coding of the security module, calculating checksums of program code sections, “crazy code” technology, etc.),
  • coding of the protected body and overlays of the program using transformation algorithms (functions).

Removing API function calls

The cracker has no source code, so to remove the API calls he uses debuggers and disassemblers on the compiled program to find the places where the calls are made, or the functions' entry points, and modifies the program code accordingly. However, if the API protection is properly organised, this method becomes very labour-intensive. Moreover, the attacker can never be completely sure that he has removed the protection correctly and completely and that the program will run without failures.

There are several effective techniques to counter attempts to remove or bypass API function calls:

  • use of “crazy code”: when creating API functions, their commands are mixed with “garbage” - unnecessary commands, i.e. the code is very noisy, which makes it difficult to study the logic of the functions
  • Using multiple API entry points: In good API security, each function has its own entry point. To completely neutralize the protection, the attacker must find all points

Software and hardware protection gives the person implementing it considerable freedom of action. Even with automatic protection, you can choose among the available options and shape the properties of the protected program accordingly. And with API functions you can implement any protection model, however sophisticated. There is therefore no single, detailed recipe for building protection; there are, however, many ways to add strength to it, a few of which are listed below.

Anti-hacking methods

Combining automatic and API protection

As mentioned above, each of these types of protection has its own weak points. Together, however, they complement each other well and present a serious obstacle even to an experienced cracker. In this combination automatic protection plays the role of a shell, the outer boundary, and API protection is the core.

API protection

When using API protection, it is recommended to use several functions. Their calls need to be distributed throughout the application code and the function variables must be mixed with application variables. Thus, API protection is deeply embedded in the program, and an attacker will have to work hard to identify and select all the protection functions.

The use of data conversion algorithms (or functions) is mandatory. Encoding information makes it pointless to remove API function calls because the data will not be decoded.

An effective technique for complicating the protection logic is to delay the program's response to the return codes of API functions. In this case, the program makes a decision about further work some time after receiving return codes. Which forces the attacker to trace complex cause-and-effect relationships and examine too large sections of code in the debugger.
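An added example, not code from the original article or any vendor's SDK, contrasting the two ways of consuming a key's answer discussed in the three paragraphs above. In the first pattern the answer feeds a boolean licence check, so the whole protection rests on one conditional branch that a cracker can invert; in the second the answer is used as key material to decrypt data the program cannot run without, so removing the API call yields garbage rather than a "yes". The dongle secret, the question strings and the settings table are constructed for the demonstration, and the key is simulated by an HMAC as in the earlier example.

```python
import hashlib
import hmac
from typing import Callable

DONGLE_SECRET = b"vendor-secret-in-key"     # constructed; in reality it never leaves the dongle


def dongle_answer(question: bytes) -> bytes:
    """The key's response function (the question/answer exchange described above)."""
    return hmac.new(DONGLE_SECRET, question, hashlib.sha256).digest()


def fake_answer(question: bytes) -> bytes:
    """What the program sees with no key attached or with an uninformed emulator."""
    return b"\x00" * 32


# --- Pattern 1: a boolean check. The protection hinges on a single branch. ----------------
EXPECTED = dongle_answer(b"license?")       # computed by the vendor at build time


def licence_ok(answer: Callable[[bytes], bytes]) -> bool:
    return hmac.compare_digest(answer(b"license?"), EXPECTED)


def run_weak(answer: Callable[[bytes], bytes], check=licence_ok) -> str:
    # A cracker who locates this branch patches the conditional jump (modelled here by
    # passing a `check` that always says yes) and the key is no longer consulted at all.
    return "full mode" if check(answer) else "demo mode"


# --- Pattern 2: the key's answer IS the decryption key for data the program needs. --------
def keystream(seed: bytes, length: int) -> bytes:
    """Expand the key's answer into a keystream (SHA-256 in counter mode, for illustration)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


PLAIN_TABLE = b"RATE=0.13;LIMIT=1000;CUR=RUB"   # constructed: settings the program cannot work without
# Shipped inside the binary; only the real key's answer turns it back into PLAIN_TABLE.
ENCRYPTED_TABLE = xor_bytes(PLAIN_TABLE, keystream(dongle_answer(b"table"), len(PLAIN_TABLE)))


def run_strong(answer: Callable[[bytes], bytes]) -> bytes:
    # No comparison and no branch: with a wrong answer the table is garbage and the program
    # simply misbehaves somewhere later, so there is no single jump for the cracker to invert.
    return xor_bytes(ENCRYPTED_TABLE, keystream(answer(b"table"), len(ENCRYPTED_TABLE)))


if __name__ == "__main__":
    print(run_weak(dongle_answer), run_weak(fake_answer), run_weak(fake_answer, check=lambda a: True))
    print(run_strong(dongle_answer), run_strong(fake_answer))
```

The second pattern removes the patchable decision point, which is the "encoding makes it pointless to remove the call" argument above; it does not by itself stop a response emulator that has recorded the answer to `b"table"`, so in practice it is combined with many distinct questions and with deferring the use of the decrypted data until well after the call, as the delay technique describes.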

Automatic protection

When using automatic protection, enable the options against debuggers and disassemblers, the encoding options, and the options that re-check the key periodically while the program runs. The "virus protection" option is also worth using: it checks a CRC of the program's code sections, so any modification of the file, whether by a virus or by a cracker's patch, is detected. Bear in mind that a CRC is not a cryptographic integrity check; a cracker who finds the check can recompute it, so it raises the cost of patching rather than making it impossible.

Security update

After implementing a security system, it is important not to forget about timely updating of the software for working with keys. Each new release means bugs fixed, holes closed, and new security features. It is also necessary to constantly monitor the situation on the security systems market and, if necessary, promptly change the security system to a more progressive and reliable one.

Electronic key capabilities

Of course, the key is intended first of all to protect programs. However, the potential of modern software and hardware protection is so great that electronic keys can also be used to implement a marketing strategy and optimise sales. Here are several such "non-core" uses.

Demo versions

Using electronic keys, you can easily create demo versions of software products without writing a demo version of the program. You can freely distribute copies by blocking or limiting some program features that can only be activated using an electronic key. Or provide clients with a fully functional program as a trial version, limiting the number of times it can be launched. And after payment, extend the period of use of the program or remove the restriction altogether.

Renting and leasing

If the program is expensive, it is often convenient and profitable to sell it in parts or rent it out. In this case, the keys will also be of great help. How does this happen? A full working copy of the program, limited in operating time, is provided to the client. After the client makes the next payment, the period of use of the program is extended using remote reprogramming of the key’s memory.

Selling the program in parts

If the program consists of several components (for example, a set of electronic translators - English-Russian, French-Russian, etc.), then you can include all modules in the delivery package, but activate only those for which you paid. If desired, the client can always pay for the program component he is interested in, which will be activated using remote key programming.

Updating a protected program

The manufacturer has released a new version of the program. Now it faces the problem of updating the program for registered users. Remote key programming makes this process quick and easy. When a new version of the program is released, users of previous versions do not need to be issued or sold a new key. It is enough to reprogram a memory section of the existing key and send the new version to the client (free of charge or for a small additional payment, depending on the company's marketing policy).
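The four scenarios above (demo versions, renting, selling in parts and updating) all rest on the same mechanism: a few licence fields in the key's memory that the program consults at launch, and a remote reprogramming message from the vendor that rewrites them. The following model is an added example, not code from the article or any vendor; the field layout, the module bitmask and the HMAC-authenticated update message are assumptions, and in a real key the authentication check would run inside the dongle's firmware rather than in the protected program.

```python
import hashlib, hmac, json
from datetime import date

# Constructed example (not the article's or any vendor's code). The secret authenticates
# reprogramming messages; in a real dongle this check runs inside the key's firmware.
VENDOR_SECRET = b"example-reprogramming-secret"
MODULES = {"en_ru": 1, "fr_ru": 2, "de_ru": 4}   # assumed bitmask of sellable components


class KeyMemory:
    """Assumed layout of the licence fields a vendor keeps in the key's memory."""

    def __init__(self, launches_left=None, expires=None, modules=0, version=1):
        self.launches_left = launches_left   # trial by launch count; None = unlimited
        self.expires = expires               # ISO date for rental; None = perpetual
        self.modules = modules               # bitmask of paid components
        self.version = version               # highest program version this key unlocks
        self.counter = 0                     # monotonic counter against replayed updates

    def check_launch(self, today: str, module: str, program_version: int) -> bool:
        if self.expires and date.fromisoformat(today) > date.fromisoformat(self.expires):
            return False                     # rental period over
        if not self.modules & MODULES[module]:
            return False                     # component not paid for
        if program_version > self.version:
            return False                     # new version needs a reprogrammed key
        if self.launches_left is not None:
            if self.launches_left == 0:
                return False                 # trial exhausted
            self.launches_left -= 1
        return True

    def apply_update(self, message: bytes, tag: bytes) -> bool:
        """Remote reprogramming: accept only a vendor-authenticated, fresh message."""
        expected = hmac.new(VENDOR_SECRET, message, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False
        fields = json.loads(message)
        if fields.pop("counter", None) != self.counter + 1:
            return False                     # stale or replayed message
        self.counter += 1
        for name in ("launches_left", "expires", "modules", "version"):
            if name in fields:
                setattr(self, name, fields[name])
        return True


def vendor_sign(fields: dict):
    # Vendor side: serialise the new field values and tag them for the client's key.
    message = json.dumps(fields, sort_keys=True).encode()
    return message, hmac.new(VENDOR_SECRET, message, hashlib.sha256).digest()
```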

Licensing in local area networks

Licensing in this case means control of the number of copies of the program in use. Manufacturers of network software are well aware of the situation where one licensed program is purchased while dozens of copies of it run on the LAN. Under these conditions, an electronic key becomes an effective means of preventing the launch of “over-limit” copies of the program.

How is licensing carried out? Let's say a user is going to install some kind of program on the network (accounting, warehouse, etc.). When purchasing, he indicates the number of copies of the program that he needs and receives the appropriate license. The manufacturer provides the client with a distribution kit and a properly programmed key. Now the user will be able to work only with the number of copies for which he paid. If necessary, he can always purchase the missing copies, and the manufacturer will reprogram the electronic key for him without leaving his office.
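The LAN licensing scheme just described amounts to a seat counter whose limit is read from the key: each running copy holds a seat, seats are leased rather than held for ever (so a crashed workstation frees its seat), and buying more copies only changes the limit field. The following is an added example, not code from the article or from any network dongle product; the lease timing and the `reprogram_limit` step are assumptions standing in for the key's memory and the vendor's remote reprogramming.

```python
import time


class NetworkLicense:
    """Constructed model of the key-backed seat counter on the LAN (not a real product API)."""

    def __init__(self, max_copies: int, lease_seconds: float = 60.0):
        self.max_copies = max_copies       # copy limit programmed into the key by the vendor
        self.lease_seconds = lease_seconds
        self.leases = {}                   # workstation id -> lease expiry timestamp

    def _expire(self, now: float):
        # Drop seats whose holders stopped renewing (crashed or switched off workstations).
        self.leases = {ws: t for ws, t in self.leases.items() if t > now}

    def acquire(self, workstation: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        self._expire(now)
        if workstation in self.leases or len(self.leases) < self.max_copies:
            self.leases[workstation] = now + self.lease_seconds   # grant or renew a seat
            return True
        return False                                              # over-limit copy refused

    def release(self, workstation: str):
        self.leases.pop(workstation, None)

    def in_use(self, now: float = None) -> int:
        now = time.time() if now is None else now
        self._expire(now)
        return len(self.leases)

    def reprogram_limit(self, new_max: int):
        # After the client buys extra copies the vendor rewrites the limit field in the key.
        self.max_copies = new_max
```

A protected copy calls `acquire` at start-up and again before each lease expires; a copy that cannot obtain a seat behaves as the developers chose (demo mode, blocked functions or exit).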

It is easy to see that a modern software and hardware security system provides many service functions that allow you to organize an effective marketing policy and, of course, receive additional (and very tangible) benefits.

The future of the dongle

As long as software exists and computer piracy is a problem, software and hardware protection will remain relevant. It’s hard to say what exactly it will look like in ten years. But already now we can note some trends that are becoming obvious.

USB dongles are becoming widely popular and, most likely, they will gradually replace keys for the parallel port. More complex and robust algorithms will be implemented in the keys, and the memory capacity will increase.

Electronic keys (designed a little differently) are beginning to be used as a means of identifying computer users. These identifier keys, in combination with special programs, can protect web pages.

The capabilities of electronic keys will be increasingly used to form the marketing strategy of software manufacturing companies and to promote software products.

Publications on the topic