Purpose of CryptoPro CSP. CryptoPro CSP 3.9 perpetual license

  • Generation of ES keys and key agreement keys
  • Creation and verification of electronic signatures
  • Import of programmatically generated ES private keys, to enhance their security
  • Updating the installed base of the "CryptoPro CSP" crypto provider

Peculiarities

The main feature of the product (previously called "CryptoPro eToken CSP") is the use of functional key carrier (FKN) technology.

Functional key carrier (FKN) is an architecture of software and hardware products based on smart cards or USB tokens that implements a fundamentally new approach to ensuring the safe use of a key on a smart card or USB token.

Because there is a secure communication channel between the token and the crypto provider, part of the cryptographic transformations, including storage of private keys and ES keys in a non-retrievable form, is moved to the smart card or USB token.

In addition to hardware generation of keys, their secure storage and the formation of ES in the microprocessor of the key carrier, the FKN architecture allows you to effectively resist attacks associated with the substitution of a hash value or signature in the communication channel between the CSP software and hardware.

In "CryptoPro FKN CSP" version 3.9, a specially developed JaCarta CryptoPro token, presented in the form factors of a smart card and a USB token, acts as a key carrier.

The CIPF "CryptoPro FKN CSP" version 3.9 includes a specially developed JaCarta CryptoPro token that can calculate an ES using the CRYPTO-PRO FKN technology and is produced in the form factors of a USB token (in a Nano or XL case) or a smart card.

JaCarta CryptoPro securely stores and uses private ES keys, performs mutual authentication of the CSP and the token, as well as strong two-factor authentication of the user-owner of the token.

Key Benefits of JaCarta CryptoPro

  • It is the fastest token among FKN devices (it is ahead of existing products working with FKN in terms of the speed of generating an electronic signature by almost 3 times - based on the Protocol for measuring the speed of FKN devices "CRYPTO-PRO" dated 08.12.2014).
  • The "Secure by design" principle is applied: it uses a secure microcontroller that was designed for security purposes and has built-in protection at both the hardware and software levels against cloning, hacking and all other attacks known today.
  • The generation of ES keys and key agreement keys, as well as the creation of the ES, takes place inside the JaCarta CryptoPro token.
  • Uses a secure data transmission channel with the software part "CryptoPRO FKN CSP".

Composition

"CryptoPro FKN CSP" version 3.9 consists of two key components.

1. JaCarta CryptoPro USB token or smart card:

  • is a functional key carrier (FKN), in which Russian cryptography is implemented in hardware;
  • allows you to safely store and use ES private keys;
  • generates an ES "under the mask" - K(h), which allows you to protect the exchange channel between the token (smart card) and the software crypto provider (CSP);
  • performs mutual authentication of the CSP and the token and strong two-factor authentication of the user - the owner of the token.

2. Crypto provider (CSP):

  • is a high-level software interface (MS CAPI) for external applications and provides them with a set of cryptographic functions;
  • from the signature "under the mask" received from the hardware token (smart card) - K(h), "removes" the mask K(s) and forms a "normal" signature understandable for external applications.

Architecture "CryptoPro FKN CSP" version 3.9


Specifications of the JaCarta CryptoPro token

Characteristics of the microcontroller
  • Manufacturer: INSIDE Secure
  • Model: AT90SC25672RCT
  • EEPROM memory: 72 Kb

Characteristics of the operating system
  • Operating system: Athena Smartcard Solutions OS755
  • International certificates: CC EAL4+
  • Supported cryptographic algorithms: GOST R 34.10-2001, GOST 28147-89, GOST R 34.11-94

Supported interfaces
  • USB: Yes
  • Contact interface (ISO7816-3): T=1

Security certifications
  • FSB of Russia: Certificate of conformity of the FSB of Russia No. SF / 114-2734
  • FSB of Russia: Certificate of conformity of the FSB of Russia No. SF / 114-2735

Supported OS
  • Microsoft Windows Server 2003 (32/64-bit platforms)
  • Microsoft Windows Vista (32/64-bit platforms)
  • Microsoft Windows 7 (32/64-bit platforms)
  • Microsoft Windows Server 2008 (32/64-bit platforms)
  • Microsoft Windows Server 2008 R2 (32/64-bit platforms)
  • CentOS 5/6 (32/64-bit platforms)
  • Linpus Lite 1.3 (32/64-bit platforms)
  • Mandriva Server 5 (32/64-bit platforms)
  • Oracle Enterprise Linux 5/6 (32/64-bit platforms)
  • Open SUSE 12 (32/64-bit platforms)
  • Red Hat Enterprise Linux 5/6 (32/64-bit platforms)
  • SUSE Linux Enterprise 11 (32/64-bit platforms)
  • Ubuntu 8.04/10.04/11.04/11.10/12.04 (32/64-bit platforms)
  • ALT Linux 5/6 (32/64-bit platforms)
  • Debian 6 (32/64-bit platforms)
  • FreeBSD 7/8/9 (32/64-bit platforms)

Execution time of cryptographic operations
  • Key import: 3.2 op/s (USB token), 2.4 op/s (smart card)
  • Create a signature: 5.8 op/s (USB token), 3.9 op/s (smart card)

Available key media
  • Smart card: JaCarta CryptoPro
  • USB token: JaCarta CryptoPro

Security Certifications

confirming that the cryptographic information protection tool (CIPF) "CryptoPro FKN CSP" Version 3.9 (version 1) meets the requirements of GOST 28147-89, GOST R 34.11-94, GOST R 34.10-2001, the requirements of the FSB of Russia for encryption (cryptographic) means of class KS1, and the requirements for electronic signature tools approved by the order of the Federal Security Service of Russia dated December 27, 2011 No. 796, established for the KS1 class, and can be used for cryptographic protection (creation and management of key information, encryption of data contained in the RAM area, calculation of the hash value for data contained in the RAM area, protection of TLS connections, implementation of electronic signature functions in accordance with the Federal Law of April 6, 2011 No. 63-FZ "On Electronic Signature": creation of an electronic signature, verification of an electronic signature, creation of an electronic signature key, creation of an electronic signature verification key) of information that does not contain information constituting a state secret.

confirming that the cryptographic information protection tool (CIPF) "CryptoPro FKN CSP" Version 3.9 (version 2) complies with the requirements of GOST 28147-89, GOST R 34.11-94, GOST R 34.10-2001, the requirements of the FSB of Russia for encryption (cryptographic) means of class KS2, and the requirements for electronic signature tools approved by the order of the Federal Security Service of Russia dated December 27, 2011 No. 796, established for the KS2 class, and can be used for cryptographic protection (creation and management of key information, encryption of data contained in the RAM area, calculation of the hash value for data contained in the RAM area, protection of TLS connections, implementation of electronic signature functions in accordance with the Federal Law of April 6, 2011 No. 63-FZ "On Electronic Signature": creation of an electronic signature, verification of an electronic signature, creation of an electronic signature key, creation of an electronic signature verification key) of information that does not contain information constituting a state secret.

CryptoPro CSP 5.0 is a new generation of cryptographic provider that develops three main product lines of CryptoPro: CryptoPro CSP (classic tokens and other passive storage of secret keys), CryptoPro FKN CSP / Rutoken CSP (non-retrievable keys on tokens with secure messaging) and CryptoPro DSS (keys in the cloud).

All the advantages of the products of these lines are not only preserved but also multiplied in CryptoPro CSP 5.0: the list of supported platforms and algorithms is wider, the performance is higher, and the user interface is more convenient. But the main thing is that work with all key carriers, including keys in the cloud, is now uniform. To migrate an application system in which CryptoPro CSP of any version worked to keys in the cloud or to new media with non-retrievable keys, no reworking of the software is required: the access interface remains the same, and work with a key in the cloud occurs in exactly the same way as with a classic key carrier.

Purpose of CryptoPro CSP

  • Formation and verification of electronic signature.
  • Ensuring confidentiality and integrity control of information through its encryption and imitation protection.
  • Ensuring the authenticity, confidentiality and imitation protection of connections using the , and protocols.
  • Integrity control of system and application software to protect it from unauthorized changes and violations of trusted functioning.

Supported Algorithms

In CryptoPro CSP 5.0, along with Russian ones, foreign cryptographic algorithms are implemented. Users can now use familiar key carriers to store RSA and ECDSA private keys.

Supported key storage technologies

Cloud Token

In CryptoPro CSP 5.0, for the first time, it became possible to use keys stored on the CryptoPro DSS cloud service through the CryptoAPI interface. Now the keys stored in the cloud can be easily used by any user application, as well as by most Microsoft applications.

Media with non-retrievable keys and secure messaging

CryptoPro CSP 5.0 adds support for media with non-retrievable keys that implement the SESPAKE protocol, which allows you to perform authentication without transmitting the user's password in clear form, and to establish an encrypted channel for exchanging messages between the crypto provider and the carrier. An attacker in the channel between the carrier and the user's application can neither steal the password during authentication nor change the data being signed. When using such media, the problem of working safely with non-retrievable keys is completely solved.
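
The two channel properties described above (the password never crosses the wire, and the hash being signed cannot be substituted in transit, the attack the FKN section also mentions) can be seen in a small model. This is an added example, not CryptoPro code and not SESPAKE itself: it uses a simplified SPAKE2-style exchange over a toy prime field, with HMAC-SHA256 standing in for the GOST primitives, and the names `Party`, `establish`, `host_request` and `token_accepts` are assumptions.

```python
import hashlib
import hmac
import secrets

# Toy group (assumption): integers mod 2^255 - 19 with base 2. Chosen for
# brevity only; real SESPAKE uses GOST elliptic curves (RFC 8133).
P = 2**255 - 19
G = 2

def _h_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")

# Public blinding elements for each side (constructed for this example).
M = _h_int(b"mask", b"host") % P
N = _h_int(b"mask", b"token") % P

class Party:
    """One side of the exchange: the CSP (host) or the token."""

    def __init__(self, pin: str, my_mask: int, peer_mask: int):
        self.w = _h_int(b"pin", pin.encode()) % (P - 1)   # PIN-derived scalar
        self.x = secrets.randbelow(P - 2) + 1             # ephemeral secret
        self.peer_mask = peer_mask
        # Only this value crosses the channel: g^x blinded by mask^w.
        self.msg = pow(G, self.x, P) * pow(my_mask, self.w, P) % P

    def session_key(self, peer_msg: int, transcript: tuple) -> bytes:
        # Strip the peer's blinding with our own PIN scalar, then finish DH.
        unblinded = peer_msg * pow(self.peer_mask, -self.w, P) % P
        shared = pow(unblinded, self.x, P)
        return hashlib.sha256(repr((transcript, shared)).encode()).digest()

def establish(host_pin: str, token_pin: str):
    """Run the exchange; return (host_key, token_key)."""
    host, token = Party(host_pin, M, N), Party(token_pin, N, M)
    transcript = (host.msg, token.msg)
    return (host.session_key(token.msg, transcript),
            token.session_key(host.msg, transcript))

def host_request(key: bytes, digest: bytes):
    """CSP side: send the hash to be signed together with a channel MAC."""
    return digest, hmac.new(key, digest, hashlib.sha256).digest()

def token_accepts(key: bytes, digest: bytes, tag: bytes) -> bool:
    """Token side: refuse to sign if the hash was altered in transit."""
    expected = hmac.new(key, digest, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

if __name__ == "__main__":
    doc = hashlib.sha256(b"constructed sample document").digest()
    hk, tk = establish("1234", "1234")
    digest, tag = host_request(hk, doc)
    print("same key:", hk == tk, "| accepted:", token_accepts(tk, digest, tag))
    swapped = hashlib.sha256(b"substituted document").digest()
    print("swapped hash accepted:", token_accepts(tk, swapped, tag))
    hk2, tk2 = establish("0000", "1234")
    print("wrong PIN, keys match:", hk2 == tk2)
```

A passive token that signs whatever hash arrives over an unauthenticated channel has no equivalent of `token_accepts`, which is the gap the secure channel closes.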

The companies Aktiv, InfoCrypt, SmartPark and Gemalto have developed new secure tokens that support this protocol (SmartPark and Gemalto starting from version 5.0 R2).

Media with non-retrievable keys

Many users want to be able to work with non-retrievable keys, but not upgrade tokens to the FKN level. Especially for them, the provider has added support for popular key carriers Rutoken EDS 2.0, JaCarta-2 GOST and InfoCrypt VPN-Key-TLS.

List of manufacturers and models of media with non-retrievable keys supported by CryptoPro CSP 5.0 (company: carriers)

ISBC:
  • Esmart Token GOST

Aktiv:
  • Rutoken 2151
  • Rutoken PINPad
  • Rutoken EDS
  • Rutoken EDS 2.0
  • Rutoken EDS 2.0 2100
  • Rutoken EDS 2.0 3000
  • Rutoken EDS PKI
  • Rutoken EDS 2.0 Flash
  • Rutoken EDS 2.0 Bluetooth
  • Rutoken EDS 2.0 Touch
  • Smart card Rutoken 2151
  • Smart card Rutoken EDS 2.0 2100

Aladdin R.D.:
  • JaCarta-2 GOST

InfoCrypt:
  • InfoCrypt Token++ TLS
  • InfoCrypt VPN-Key-TLS

Classic passive USB tokens and smart cards

Most users prefer fast, cheap and convenient solutions to store keys. As a rule, preference is given to tokens and smart cards without cryptographic coprocessors. As in previous versions of the provider, CryptoPro CSP 5.0 retains support for all compatible media manufactured by Aktiv, Aladdin R.D., Gemalto / SafeNet, Multisoft, NovaCard, Rosan, Alioth, MorphoKST and SmartPark.

In addition, as before, storing keys in the Windows registry, on a hard drive and on flash drives is supported on all platforms.

List of manufacturers and models of classic passive USB tokens and smart cards supported by CryptoPro CSP 5.0 (company: carriers)

Alioth:
  • SCOne Series (v5/v6)

Gemalto:
  • Optelio Contactless Dxx Rx
  • Optelio Dxx FXR3 Java
  • Optelio G257
  • Optelio MPH150

ISBC:
  • Esmart Token
  • Esmart Token GOST

MorphoKST:
  • MorphoKST

NovaCard:
  • Cosmo

Rosan:
  • G&D element V14 / V15
  • G&D 3.45 / 4.42 / 4.44 / 4.45 / 4.65 / 4.80
  • Kona 2200s / 251 / 151s / 261 / 2320
  • Kona2 S2120s / C2304 / D1080

SafeNet:
  • eToken Java Pro JC
  • eToken 4100
  • eToken 5100
  • eToken 5110
  • eToken 5105
  • eToken 5205

Aktiv:
  • Rutoken 2151
  • Rutoken S
  • Rutoken KP
  • Rutoken Lite
  • Rutoken EDS
  • Rutoken EDS 2.0
  • Rutoken EDS 2.0 3000
  • Rutoken EDS Bluetooth
  • Rutoken EDS Flash
  • Smart card Rutoken 2151
  • Smart card Rutoken Lite
  • Smart card Rutoken EDS SC
  • Smart card Rutoken EDS 2.0

Aladdin R.D.:
  • JaCarta GOST
  • JaCarta PKI
  • JaCarta PRO
  • JaCarta LT
  • JaCarta-2 GOST

InfoCrypt:
  • InfoCrypt Token++ Lite

Multisoft:
  • MS_Key version 8 Angara
  • MS_Key ESMART version 5

SmartPark:
  • master's
  • R301 Foros
  • Oscar
  • Oscar 2
  • Rutoken Master

CryptoPro Tools

CryptoPro CSP 5.0 includes a cross-platform (Windows/Linux/macOS) graphical application, "CryptoPro Tools".

The main idea is to enable users to conveniently solve typical tasks. All the main functions are available in a simple interface - at the same time, we have also implemented a mode for advanced users, which opens up additional opportunities.

CryptoPro Tools handles the management of containers, smart cards and crypto provider settings, and we have also added the ability to create and verify a PKCS#7 electronic signature.

Supported Software

CryptoPro CSP allows you to quickly and securely use Russian cryptographic algorithms in the following standard applications:

  • office suite Microsoft Office;
  • mail server Microsoft Exchange and client Microsoft Outlook;
  • products Adobe Systems Inc.;
  • browsers Yandex.Browser, Sputnik, Internet Explorer, Edge;
  • tool for generating and verifying application signatures Microsoft Authenticode;
  • web servers Microsoft IIS, nginx, Apache;
  • remote desktop tools Microsoft Remote Desktop Services;
  • Microsoft Active Directory.

Integration with the CryptoPro platform

From the very first release, support and compatibility with all our products is provided:

  • CryptoPro CA;
  • CA services;
  • CryptoPro EDS;
  • CryptoPro IPsec;
  • CryptoPro EFS;
  • CryptoPro.NET;
  • CryptoPro Java CSP;
  • CryptoPro NGate.

Operating systems and hardware platforms

Traditionally, we work on an unsurpassed range of systems:

  • Microsoft Windows;
  • macOS;
  • Linux;
  • FreeBSD;
  • Solaris;
  • Android;
  • SailfishOS.

hardware platforms:

  • Intel/AMD;
  • PowerPC;
  • MIPS (Baikal);
  • VLIW (Elbrus);
  • Sparc.

and virtual environments:

  • Microsoft Hyper-V
  • VMWare
  • Oracle VirtualBox
  • RHEV.

Supported different versions CryptoPro CSP.

To use CryptoPro CSP with a license for workplace and server.

Embedding Interfaces

For embedding in applications on all platforms, CryptoPro CSP is available through standard interfaces for cryptographic tools:

  • Microsoft Crypto API
  • PKCS#11;
  • OpenSSL engine;
  • Java CSP (Java Cryptography Architecture)
  • Qt SSL.

Performance for every taste

Years of development experience allow us to cover everything from miniature ARM boards such as the Raspberry Pi to multi-processor servers based on Intel Xeon, AMD EPYC and PowerPC, with performance that scales very well.

Regulatory documents

Full list of regulatory documents

The crypto provider uses algorithms, protocols and parameters defined in the following documents of the Russian standardization system:

  • R 50.1.113–2016 "Information technology. Cryptographic protection of information. Cryptographic algorithms related to the application of electronic digital signature and hash functions" (see also RFC 7836 "Guidelines on the Cryptographic Algorithms to Accompany the Usage of Standards GOST R 34.10-2012 and GOST R 34.11-2012")
  • R 50.1.114–2016 "Information technology. Cryptographic protection of information. Elliptic curve options for cryptographic algorithms and protocols" (see also RFC 7836 "Guidelines on the Cryptographic Algorithms to Accompany the Usage of Standards GOST R 34.10-2012 and GOST R 34.11-2012")
  • R 50.1.111–2016 "Information technology. Cryptographic protection of information. Password protection of key information"
  • R 50.1.115–2016 "Information technology. Cryptographic protection of information. Shared Key Derivation Protocol with Password-Based Authentication" (see also RFC 8133 "The Security Evaluated Standardized Password-Authenticated Key Exchange (SESPAKE) Protocol")
  • Guidelines TC 26 "Cryptographic information protection" "Using sets of encryption algorithms based on GOST 28147-89 for the Transport Layer Security (TLS) protocol"
  • Guidelines TC 26 "Cryptographic information protection" "Use of algorithms GOST 28147-89, GOST R 34.11 and GOST R 34.10 in cryptographic messages of the CMS format"
  • Technical specification TC 26 "Cryptographic information protection" "Use of GOST 28147-89, GOST R 34.11-2012 and GOST R 34.10-2012 in the IKE and ISAKMP key exchange protocols"
  • Technical specification TC 26 "Cryptographic information protection" "Use of GOST 28147-89 when encrypting attachments in IPsec ESP protocols"
  • Technical specification TC 26 "Cryptographic information protection" "Use of algorithms GOST R 34.10, GOST R 34.11 in the certificate profile and certificate revocation list (CRL) of X.509 public key infrastructure"
  • Technical specification TC 26 "Cryptographic information protection" "PKCS#11 extension for the use of Russian standards GOST R 34.10-2012 and GOST R 34.11-2012"

To install the system without an installation disk, you must download and install all the component distributions listed in this manual. The installation must be performed with local administrator rights.

Installation of CIPF CryptoPro CSP

Download and install the CryptoPro CSP distribution kit according to the purchased license.

Open the CryptoPro CSP program and enter the license serial number. Depending on the computer, this can be done in different ways:

Installing the RuToken driver

Download and install the components for working with RuToken media (if the certificates are stored on flash media, skip this step). When installing the components, disconnect the RuToken from the computer.

Installing Capicom

Installing CA Certificates

Download and install CA certificates

Installing and configuring the browser

The system works in the following browsers: Internet Explorer version 11 or higher, Mozilla Firefox, Google Chrome, Yandex.Browser, Opera.
For installation .

For Internet Explorer to work correctly with the Kontur.Extern system, you must run the utility to configure the browser.
You can also manually configure the browser. To do this, use this.

For installation of other browsers, contact your system administrator.

Installing Adobe Reader

Download and install Adobe Reader. Use the link to the official Adobe website. To start the installation, you must select the version of the operating system and language.

Installing a shortcut

For ease of login, save to your desktop. After installation is complete, you must restart your computer. Before you start working in the reporting system, do not forget to install the signing certificate. Use the instructions for installing a personal certificate.

Installation completed
