Order of the Federal Security Service of the Russian Federation No. 795 of December 27, 2011
Hello.
I will outline the situation: I work as a developer at a company whose main customer is a large state-owned company.
For this customer we are already putting the final touches on the software, and implementation is coming soon. Then they pointed me at this order, saying that everything had to be done by the book. I flipped through the order and understood absolutely nothing. The software itself is written in .NET. It is known that the use of cryptographic protection tools not certified by the FSB/FAPSI is prohibited when it comes to working with state secrets or confidential information in state organizations.
Actually questions:
1) Are the cryptographic providers in System.Security.Cryptography certified by the FSB/FAPSI?
2) What am I supposed to understand or do after reading this order? :)
3) Guys, if you have experience in information protection or writing software for state-owned companies and the like, please share.
PS: Questions 2 and 3 are not necessarily limited to .NET.
PPS: The order itself.
I'm afraid you will have to look toward CryptoPro products.
The content of the order is similar to the requirements for an EV SSL certificate, with the exception of paragraphs 18, 29 and 30. It describes extensions that are very specific to PKI, which can be difficult to fill out.
Regarding clause 2: you need to generate a certificate request that takes the order's requirements into account. The request generation itself (PKCS#10) can be done in OpenSSL with the correct config. Then you will have to get the certificate signed by an authorized CA. After that, the certificate can be used for its intended purpose.
For some reason I am categorically sure that RASPO has come across this order and has already begun to think about what to do with it. I advise you to turn to them for advice; the guys there are friendly and will certainly not refuse to help.
Currently, PP-957 decides where certified cryptography must and must not be applied. It is already 5 years old. In particular:
...
e) the implementation of cryptographic algorithms recommended by the licensing authority in the developed encryption (cryptographic) tools used in information and telecommunication systems and networks of critical facilities, federal executive authorities, executive authorities of the constituent entities of the Russian Federation, local authorities and organizations performing work or providing services using encryption (cryptographic) means for state and municipal needs;
…
The FSB order paves the way for the introduction of the qualified electronic signature. That is still a long way off, at least a year. At a minimum, there are still no requirements for accredited certification centers, not to mention the centers themselves. So what you are looking at is really a systematic, detailed study of the new 63-FZ: work for the future.
PPS: If SSL is used only as a transport, i.e. both sides are developed by you, then there is the free certified crypto provider ViPNet CSP. But in that case you will have to write the wrapper code yourself.
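The PKCS#10 request generation mentioned in the answer on clause 2, written out as an added example that is not from any of the posters here: an OpenSSL request config carrying the subject and the PKI extensions, CSR generation from it, and a pre-submission check that the request's self-signature verifies and the expected fields are present. The subject values, the keyUsage/extendedKeyUsage/subjectAltName set and the RSA key are assumptions for illustration; no GOST engine is assumed to be installed, so a real qualified-signature request would instead use the algorithms and fields prescribed by the certified provider and the CA's policy.

```shell
#!/bin/sh
# Added example (not from the thread): build a PKCS#10 request with OpenSSL
# from a config file and check it before sending it to the CA.
# Subject, extensions and RSA key are constructed assumptions.
set -eu

# Write an OpenSSL request config into the working directory $1.
write_req_config() {
  cat > "$1/req.cnf" <<'EOF'
[ req ]
default_bits        = 2048
prompt              = no
distinguished_name  = req_dn
req_extensions      = req_ext
string_mask         = utf8only

[ req_dn ]
# Constructed subject values; a real request carries the holder's data.
C                   = RU
ST                  = Example Region
L                   = Example City
O                   = Example Organisation
OU                  = Example Unit
CN                  = Example Holder
emailAddress        = holder@example.invalid

[ req_ext ]
# Extensions typical for a signature certificate request (assumed set).
keyUsage            = critical, digitalSignature, nonRepudiation
extendedKeyUsage    = clientAuth, emailProtection
subjectAltName      = email:holder@example.invalid
EOF
}

# Generate a fresh key pair and a CSR in directory $1; prints the CSR path.
# The private key never leaves this directory; only the CSR goes to the CA.
make_csr() {
  dir="$1"
  write_req_config "$dir"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/holder.key" -out "$dir/holder.csr" \
    -config "$dir/req.cnf" 2>/dev/null
  chmod 600 "$dir/holder.key"
  printf '%s\n' "$dir/holder.csr"
}

# Pre-submission check: the CSR's self-signature must verify, and the
# expected CN and key usage bits must be present. Returns 0 on success.
check_csr() {
  csr="$1"
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  text=$(openssl req -in "$csr" -noout -text)
  printf '%s' "$text" | grep -q 'CN *= *Example Holder' || return 1
  printf '%s' "$text" | grep -q 'Digital Signature, Non Repudiation' || return 1
  return 0
}

# Stand-alone run: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
  work=$(mktemp -d)
  csr=$(make_csr "$work")
  check_csr "$csr" && echo "CSR ok: $csr"
fi
```

The config-driven approach matters because the order's extensions (paragraphs 18, 29 and 30 per the answer above) cannot be entered through the interactive `openssl req` prompts; they have to be spelled out in a `req_extensions` section, and `check_csr` is where you confirm the CA will actually see them before the request leaves your machine.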