You will need

  • Library card
  • Internet access
  • Ability to work with library catalogs
  • Ability to work with Internet search services

Instructions

Find out whether you are dealing with a fact or an assessment

The first thing we encounter when receiving new information is facts. A fact is information that has already been verified for accuracy. Information that has not been verified, or that cannot be verified, is not a fact. Facts can be numbers, dates, names, events: everything that can be touched, measured, listed, confirmed. Facts are provided by various sources: research institutes, sociological agencies, statistical agencies, etc. The main thing that distinguishes a fact from an assessment is objectivity. An assessment always expresses someone's subjective position, emotional attitude, or call to some action. A fact gives no assessment and calls for nothing.

Check the sources of information

The second thing we encounter is sources of information. We cannot verify all facts on our own, so our knowledge is largely based on trust in sources. How do you check a source of information? It is said that the criterion of truth is practice; in other words, only that which helps us solve a specific problem is true. Information must be effective, and this effectiveness is reflected in the number of people who have successfully applied it. The more people trust a source and refer to it, the more reliable the information it provides.

Compare sources of information

Unfortunately, the popularity and authority of a source is not a guarantee of reliability. One of the signs of reliable information is its consistency. Any fact must be confirmed by the results of independent research, i.e. it must be reproducible: independent researchers should come to the same conclusions. Random, isolated information must be treated with great caution. The more often the same information is received from different sources, the more reliable it is.

Check the reputation of the source

The point is that a source is always responsible for the facts it provides. This responsibility is not only moral and ethical but also material: an organization that provides questionable data may lose its livelihood. Loss of readers, fines, or even imprisonment: the consequences for liars can be severe. Reputable organizations protect their reputation and will never take the risk of publishing false information. Read the history of the organization, find out the names of its leaders, and read reader reviews and expert opinions.

Find out about the author

Any information is ultimately transmitted by people. If the information is in doubt, check who the author is. Read the author's other works and find out his biography: whether he has a scientific degree, what position he holds, what experience he has in this field and, of course, whom he cites. If nothing can be found out about the author, it is not recommended to trust dubious information.

mechanisms are closely related, because a mechanism, or a combination of mechanisms, is applied to provide a service, and one mechanism can be used in one or more services. Below, these mechanisms are introduced briefly so that their general idea is clear; they will be discussed in more detail later.

ITU-T (X.800) has defined five services related to the information security objectives and attacks whose types we defined in the previous sections. Figure 1.3 shows the classification of the five common services.

Figure 1.3.

To prevent the information security attacks we have discussed, it is enough to have one or more of the services shown above for one or more information security objectives.

Data privacy

Data privacy is designed to protect data from attempted disclosure. This is a broad service defined in the ITU-T X.800 recommendation. It can cover the privacy of an entire message or part of it, and it also protects against traffic surveillance and analysis; in fact, it is designed to prevent both eavesdropping and traffic surveillance.

Data integrity

Data integrity is designed to protect data from modification, insertion, deletion, and retransmission of information by an adversary. It can protect the whole message or part of the message.

Establishing authenticity (authentication)

This service authenticates the party at the other end of the line. In connection-oriented communication it confirms the identity of the transmitter or receiver during connection establishment (peer entity authentication). In connectionless communication it verifies the identity of the data source (data origin authentication).

Non-repudiation

The non-repudiation service protects against a message being denied by its sender or its receiver. With non-repudiation of origin, the data receiver can later prove the origin of the message using the sender's identification. With non-repudiation of delivery, the sender, using a proof of delivery, can later prove that the data was delivered to the intended recipient.

Access Control

Access control provides protection against unauthorized access to data. "Access" in this definition is a very broad term that can include reading, writing, changing data, running a program, and so on.

Security Mechanisms

To provide information security services, ITU-T (X.800) recommends some security mechanisms, defined in the previous section. Figure 1.4 gives a classification of these mechanisms.

Figure 1.4.

Encryption

Encryption. By encrypting and decrypting data, confidentiality can be ensured. Encryption also complements other mechanisms that provide other services. Today two methods are used for encryption: cryptography and steganography (secret writing). We will discuss them briefly below.

Data integrity

The data integrity mechanism appends a short check value to the end of the data; the check value is created by a certain process from the data itself. The receiver receives the data and the check value, computes a new check value from the received data, and compares the newly created value with the received one. If the two match, the integrity of the data has been preserved.

Digital signature

A digital signature is a means by which a sender can electronically sign data and a receiver can electronically verify the signature. The sender signs using a private key that corresponds to a public key announced for public use. The receiver uses the sender's public key to confirm that the message was indeed signed by the sender who claims to have sent it.
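The two mechanisms above, as an added example that is not part of the original text: a check value appended to the data with HMAC-SHA256 under a shared key, and an Ed25519 digital signature verified with a public key. The shared key, the key pair and the message are constructed for the example, and the choice of algorithms is an assumption (X.800 does not prescribe any). The contrast is the point: anyone holding the shared key can produce a valid check value, whereas only the private key holder can produce a signature that the announced public key accepts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed shared secret for the example. In practice it is provisioned
// out of band and known only to the two communicating parties.
var sharedKey = []byte("constructed-shared-secret-for-the-example")

// ProtectIntegrity appends a check value (HMAC-SHA256 over the data, keyed
// with the shared secret) to the end of the data, as the mechanism describes.
func ProtectIntegrity(key, data []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(data)
	out := append([]byte{}, data...)
	return append(out, mac.Sum(nil)...)
}

// VerifyIntegrity separates data and check value, recomputes the check value
// over the received data and compares the two in constant time. It returns
// the data and true only if they match.
func VerifyIntegrity(key, message []byte) ([]byte, bool) {
	if len(message) < sha256.Size {
		return nil, false
	}
	split := len(message) - sha256.Size
	data, received := message[:split], message[split:]
	mac := hmac.New(sha256.New, key)
	mac.Write(data)
	if !hmac.Equal(received, mac.Sum(nil)) {
		return nil, false
	}
	return data, true
}

// GenerateSigningKeys creates an Ed25519 key pair: the private key stays with
// the sender, the public key is announced for anyone to verify with.
func GenerateSigningKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS random source is unavailable
	}
	return pub, priv
}

// SignData produces the sender's signature over data with the private key.
func SignData(priv ed25519.PrivateKey, data []byte) []byte {
	return ed25519.Sign(priv, data)
}

// VerifySignature checks a signature with the sender's public key; it needs
// no secret, so any receiver can perform the check.
func VerifySignature(pub ed25519.PublicKey, data, sig []byte) bool {
	return ed25519.Verify(pub, data, sig)
}

func main() {
	order := []byte("pay 100 to account 42")

	// Integrity check value: a one-bit change inside the data is detected.
	msg := ProtectIntegrity(sharedKey, order)
	_, ok := VerifyIntegrity(sharedKey, msg)
	fmt.Println("intact message accepted:", ok)
	msg[4] ^= 0x01
	_, ok = VerifyIntegrity(sharedKey, msg)
	fmt.Println("tampered message accepted:", ok)

	// Digital signature: a signature made with a different key pair does not
	// verify under the sender's public key, which is what separates it from
	// the shared-key check value above.
	senderPub, senderPriv := GenerateSigningKeys()
	sig := SignData(senderPriv, order)
	fmt.Println("sender's signature verifies:", VerifySignature(senderPub, order, sig))
	_, otherPriv := GenerateSigningKeys()
	fmt.Println("other key's signature verifies:", VerifySignature(senderPub, order, SignData(otherPriv, order)))
}
```

The receiver of the HMAC-protected message could itself have produced the check value, so the check value proves integrity but not origin to a third party; that is why non-repudiation relies on the signature, not on the check value.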

Authentication exchange

In an authentication exchange, two entities exchange messages to prove their identity to each other. For example, one entity may prove that it knows a secret that only it could know (say, the last place where it met its partner).

Traffic padding

Traffic padding means inserting some fictitious data into the data traffic to thwart an attacker's attempts to use the traffic for analysis.

Routing Control

Routing control means selecting and continually changing among the available routes between the sender and the receiver, in order to prevent an adversary from intercepting information on a particular route.

Notarization

Notarization means choosing a trusted third party to control the exchange between two entities. This may be done, for example, to prevent repudiation of a message. The receiver can involve a trusted third party that stores the sender's requests, thereby preventing the sender from later denying that the message was sent.

Access Control

Access control uses methods to prove that a user has the right to access data or resources owned by the system. Examples of such proof are passwords and

Identification and authentication are the basis of modern software and hardware security tools, since the other security services are mainly designed to serve these named entities. These concepts represent a kind of first line of defense of the organization's information space.

What is it?

Identification and authentication have different functions. Identification gives the subject (a user or a process acting on the user's behalf) the ability to state its name. Through authentication, the second party becomes convinced that the subject really is who it claims to be. Identification and authentication are therefore often paraphrased as "stating a name" and "verifying authenticity".

Each of them is divided into several varieties. Next we will look at what identification and authentication are and what kinds of them exist.

Authentication

This concept provides for two types: one-way, when the client must first prove its authenticity to the server, and two-way, when mutual confirmation is carried out. A common example of standard user identification and authentication is the login procedure of a particular system. Different types can thus be used in different objects.

In a network environment, when identification and authentication of users is carried out between geographically dispersed parties, the service in question differs in two main aspects:

  • what serves as the authenticator;
  • how the exchange of identification and authentication data is organized and how it is protected.

To confirm its authenticity, the subject must present one of the following:

  • something he knows (a personal number, a password, a special cryptographic key, etc.);
  • something he owns (a personal card or some other device with a similar purpose);
  • something that is part of himself (fingerprints, voice and other biometric means of identifying and authenticating users).

System Features

In an open network environment the parties do not have a trusted path, which means that, in general, the information transmitted by the subject may not match the information received and used for authentication. It is necessary to protect against active and passive network eavesdropping, that is, against modification, interception, or replay of data. Transmitting passwords in clear text is clearly unsatisfactory, and encrypting passwords does not save the situation either, since it does not protect against replay. This is why more complex authentication protocols are used today.

Reliable identification is difficult for a number of reasons. First of all, almost any authentication entity can be stolen, forged, or sniffed. There is also a certain contradiction between the reliability of the system, on the one hand, and the convenience of the system administrator or the user, on the other. Thus, for security reasons, it is necessary to prompt the user to re-enter his authentication information with some frequency (since someone else may already be sitting in his place), and this not only creates additional hassle but also significantly increases the chance that someone might be watching the input. Among other things, the reliability of a protective device significantly affects its cost.

Modern identification and authentication systems support the concept of single sign-on to the network, which primarily helps to satisfy the requirements in terms of user convenience. If a standard corporate network has many information services that provide the possibility of independent access, then repeated entry of personal data becomes too burdensome. At the moment, it cannot yet be said that the use of single sign-on to the network is considered normal, since dominant solutions have not yet emerged.

Thus, many are trying to find a compromise between affordability, convenience and reliability of the means by which identification/authentication is provided. User authorization in this case is carried out according to individual rules.

Special attention should be paid to the fact that the authentication service itself can be chosen as the target of an availability attack. If it is configured so that after a certain number of unsuccessful attempts the ability to log in is blocked, then attackers can stop the work of legitimate users with just a few keystrokes.

Password authentication

The main advantage of such a system is that it is extremely simple and familiar to the majority of users. Passwords have been used by operating systems and other services for a long time, and when used correctly they provide a level of security that is quite acceptable for most organizations. On the other hand, in terms of the overall set of characteristics, such systems represent the weakest means by which identification/authentication can be carried out. Passwords must be memorable, yet simple combinations are not difficult to guess, especially if the attacker knows the preferences of a particular user.

Sometimes passwords are not kept secret at all, since they have completely standard default values specified in certain documentation, and they are not always changed after the system is installed.

When a password is entered, it can be observed, and in some cases people even use specialized optical instruments for this.

Users, the main subjects of identification and authentication, often share passwords with colleagues so that they can stand in for the owner for a certain period. In theory, special access controls would be best in such situations, but in practice no one uses them. And if two people know a password, this greatly increases the chance that others will eventually find out about it too.

How to fix this?

There are several means by which identification and authentication can be secured. The information processing component can be secured by the following:

  • Imposing various technical restrictions. Most often, rules are set for the length of the password and for the presence of certain characters.
  • Managing the validity period of passwords, that is, requiring them to be replaced periodically.
  • Restricting access to the main password file.
  • Limiting the total number of failed login attempts. This makes brute-force guessing impractical.
  • Preliminary user training.
  • Using specialized software password generators that produce combinations that are euphonious and quite memorable.

All of the above measures can be used in any case, even if other means of authentication are also used along with passwords.
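An added example, not from the original text, of the technical restrictions and the failed-attempt limit in Go. The policy values (12 characters, three character classes, five failures, a 15-minute window) are assumptions chosen for the example; the temporary window rather than a permanent lock is what keeps a flood of wrong passwords from becoming the availability attack described earlier. Salted SHA-256 stands in for a slow password hash because bcrypt and Argon2 are outside the Go standard library.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
	"unicode"
)

// Policy parameters assumed for the example.
const (
	MinPasswordLength = 12
	MaxFailures       = 5                // wrong passwords tolerated before throttling
	LockoutWindow     = 15 * time.Minute // temporary, so a flood of failures cannot lock a user out for good
)

var (
	ErrLocked  = errors.New("too many failed attempts; try again later")
	ErrBadAuth = errors.New("invalid user name or password")
)

// CheckPolicy enforces the technical restrictions: a minimum length and the
// presence of several character classes.
func CheckPolicy(pw string) error {
	if len(pw) < MinPasswordLength {
		return fmt.Errorf("password must be at least %d characters", MinPasswordLength)
	}
	var lower, upper, digit bool
	for _, r := range pw {
		lower = lower || unicode.IsLower(r)
		upper = upper || unicode.IsUpper(r)
		digit = digit || unicode.IsDigit(r)
	}
	if !lower || !upper || !digit {
		return errors.New("password needs lower-case, upper-case and digit characters")
	}
	return nil
}

type account struct {
	salt, hash  []byte
	failures    int
	lockedUntil time.Time
}

// Authenticator keeps accounts in memory. A real system keeps only the salted
// hashes, in a file readable by nothing but the authentication service.
type Authenticator struct {
	accounts map[string]*account
	Now      func() time.Time // injectable clock so the lockout window can be tested
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{accounts: map[string]*account{}, Now: time.Now}
}

// hashPassword: salted SHA-256 stands in for a deliberately slow password hash.
func hashPassword(salt []byte, pw string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pw))
	return h.Sum(nil)
}

// Register stores a new account once the policy check passes.
func (a *Authenticator) Register(user, pw string) error {
	if err := CheckPolicy(pw); err != nil {
		return err
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	a.accounts[user] = &account{salt: salt, hash: hashPassword(salt, pw)}
	return nil
}

// Login applies the failed-attempt limit: after MaxFailures wrong passwords the
// account is refused for LockoutWindow, and a success clears the counter.
// Unknown users get the same error as a wrong password so the form does not
// reveal which names exist.
func (a *Authenticator) Login(user, pw string) error {
	acc, ok := a.accounts[user]
	if !ok {
		return ErrBadAuth
	}
	now := a.Now()
	if now.Before(acc.lockedUntil) {
		return ErrLocked
	}
	if subtle.ConstantTimeCompare(acc.hash, hashPassword(acc.salt, pw)) == 1 {
		acc.failures = 0
		return nil
	}
	acc.failures++
	if acc.failures >= MaxFailures {
		acc.failures = 0
		acc.lockedUntil = now.Add(LockoutWindow)
	}
	return ErrBadAuth
}

func main() {
	auth := NewAuthenticator()
	fmt.Println("weak password:", auth.Register("alice", "password"))
	fmt.Println("strong password:", auth.Register("alice", "Correct-Horse-42"))
	for i := 0; i < MaxFailures; i++ {
		auth.Login("alice", "guess")
	}
	fmt.Println("right password during lockout:", auth.Login("alice", "Correct-Horse-42"))
}
```

Because the lock expires on its own, an attacker who floods a login form with wrong passwords can delay a legitimate user by at most one window, rather than locking the account until an administrator intervenes.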

One-time passwords

The options discussed above are reusable: if the combination is revealed, the attacker is able to perform operations on behalf of the user. That is why one-time passwords are used as a stronger means, resistant to passive network eavesdropping, which makes the identification and authentication system much more secure, although less convenient.

At the moment, one of the most popular software one-time password generators is a system called S/KEY, released by Bellcore. The basic concept of this system is that there is a certain function F known to both the user and the authentication server, and a secret key K known only to a specific user.

During initial user administration, this function is applied to the key a certain number of times, and the result is saved on the server. After that, the authentication procedure looks like this:

  1. The user's system receives from the server a number that is 1 less than the number of times the function was applied to the key.
  2. The user applies the function to the secret key the number of times given in step 1, and sends the result over the network directly to the authentication server.
  3. The server applies the function once to the received value and compares the result with the previously saved value. If they match, the user is authenticated; the server then saves the new value and decrements the counter by one.

In practice, the implementation of this technology has a slightly more complex structure, but at the moment this is not important. Since the function is irreversible, even interception of a password or unauthorized access to the authentication server does not make it possible to obtain the secret key or to predict in any way what the next one-time password will look like.
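The three steps above as an added Go example, not S/KEY's own code: SHA-256 is assumed as the function F (real S/KEY uses a 64-bit truncation of MD4, MD5 or SHA-1), and the secret K and the chain length are constructed for the example. The server stores only F applied n times to K, so a copy of its table cannot be walked backwards to K or to the next password.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// F is the one-way function known to both sides (SHA-256 assumed here).
func F(x []byte) []byte {
	sum := sha256.Sum256(x)
	return sum[:]
}

// ApplyN applies F to key n times: F(F(...F(key)...)).
func ApplyN(key []byte, n int) []byte {
	v := append([]byte{}, key...)
	for i := 0; i < n; i++ {
		v = F(v)
	}
	return v
}

// Server stores only F^n(K) and the counter n; it never learns K.
type Server struct {
	stored  []byte
	counter int
}

// NewServer is the initial administration step: the user computes F^n(K)
// once and hands it to the server together with n.
func NewServer(initial []byte, n int) *Server {
	return &Server{stored: initial, counter: n}
}

// Challenge is step 1: the server tells the user which iteration to present,
// one less than the count it verified last.
func (s *Server) Challenge() int { return s.counter - 1 }

// Respond is step 2: the user applies F challenge times to the secret key.
func Respond(secret []byte, challenge int) []byte {
	return ApplyN(secret, challenge)
}

// Verify is step 3: the server applies F once more and compares with what it
// stored. On success it keeps the received value and decrements the counter.
func (s *Server) Verify(response []byte) bool {
	if s.counter <= 1 {
		return false // chain exhausted: presenting F^0(K) would reveal K, so a new chain is needed
	}
	if !bytes.Equal(F(response), s.stored) {
		return false
	}
	s.stored = response
	s.counter--
	return true
}

func main() {
	secret := []byte("constructed-user-secret-K")
	const n = 100
	srv := NewServer(ApplyN(secret, n), n)

	for round := 0; round < 3; round++ {
		c := srv.Challenge()
		fmt.Printf("challenge %d accepted: %v\n", c, srv.Verify(Respond(secret, c)))
	}
	// A captured one-time password is useless afterwards: F of it no longer
	// matches the value the server now holds.
	fmt.Println("replay of the first password accepted:", srv.Verify(Respond(secret, n-1)))
}
```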

In Russia, a special state portal, the Unified Identification and Authentication System (ESIA), is used as a unified service.

Another approach to strong authentication is to generate a new password at short intervals, which is also implemented through specialized programs or smart cards. In this case, the authentication server must know the corresponding password generation algorithm, as well as the parameters associated with it, and in addition the server and client clocks must be synchronized.
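An added example, not part of the original text, of such a time-synchronized generator in Go, following the TOTP construction of RFC 6238 with the RFC's own test-vector secret; the 30-second step, six digits and the one-step clock-drift tolerance are the parameters assumed here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	Step   = 30 * time.Second // a new password every 30 seconds
	Digits = 6
)

// TOTP computes the time-based one-time password of RFC 6238: HMAC-SHA1 of
// the current time step under the shared secret, truncated to Digits digits.
func TOTP(secret []byte, at time.Time) int {
	counter := uint64(at.Unix()) / uint64(Step/time.Second)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := int(h[len(h)-1] & 0x0f) // dynamic truncation
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < Digits; i++ {
		mod *= 10
	}
	return int(code % mod)
}

// ValidateTOTP is the server side. Client and server clocks are never
// perfectly aligned, so it accepts the password for the current step and one
// step either side; anything further off is rejected.
func ValidateTOTP(secret []byte, code int, serverNow time.Time) bool {
	for skew := -1; skew <= 1; skew++ {
		if TOTP(secret, serverNow.Add(time.Duration(skew)*Step)) == code {
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // the RFC 6238 test-vector secret
	at := time.Unix(59, 0)
	code := TOTP(secret, at)
	fmt.Printf("password at t=59: %06d\n", code)
	fmt.Println("server 16 s ahead:", ValidateTOTP(secret, code, at.Add(16*time.Second)))
	fmt.Println("server 66 s ahead:", ValidateTOTP(secret, code, at.Add(66*time.Second)))
}
```

A server must also remember the last time step it accepted for a user and refuse a second use of the same code within that window; otherwise a password observed over the network can be replayed for up to a minute.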

Kerberos

The Kerberos authentication server first appeared in the mid-90s of the last century, but since then it has undergone a huge number of fundamental changes. At the moment, individual components of this system are present in almost every modern operating system.

The main purpose of this service is to solve the following problem: there is a certain unprotected network, and various subjects, in the form of users as well as server and client software systems, reside at its nodes. Each such subject has an individual secret key, and in order for subject C to prove its authenticity to subject S, which will otherwise refuse to serve it, C must not only identify itself but also show that it knows a certain secret key. At the same time, C cannot simply send its secret key to S, since first of all the network is open, and besides, S does not know the key and, in principle, should not know it. In such a situation, a less straightforward way of demonstrating knowledge of this information is used.

Electronic identification/authentication through the Kerberos system involves its use as a trusted third party that knows the secret keys of the entities it serves and, when necessary, assists them in performing pairwise authentication.

Thus, the client first sends a request to the system containing the necessary information about itself and about the requested service. In reply, Kerberos provides it with a kind of ticket, encrypted with the server's secret key, together with a copy of some of the data from the ticket, encrypted with the client's key. If the two match, it is established that the client decrypted the information intended for it, that is, it has demonstrated that it really knows the secret key. This indicates that the client is exactly who it claims to be.

Special attention should be paid here to the fact that the secret keys were never transmitted over the network; they were used solely for encryption.
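The exchange just described, as an added Go example that is not Kerberos's own code or message format: AES-256-GCM is assumed as the cipher, the principal names are constructed, and the ticket and the client part each carry a fresh session key. GCM's associated data binds the client name to the ticket (and the service name to the client part), so neither name can be altered in transit without the decryption failing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// randomBytes returns n bytes from the OS random source (keys and nonces).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewKey creates a 256-bit AES key: a principal's long-term secret or a session key.
func NewKey() []byte { return randomBytes(32) }

// gcmFor builds AES-256-GCM for a key. Keys always come from NewKey, so a
// failure here is a programming error rather than a runtime condition.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts plaintext and authenticates it together with label, which
// travels in clear (a principal name) but cannot be altered unnoticed.
func seal(key, plaintext, label []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, label)
}

// open reverses seal; it fails if the key or label is wrong or the data was altered.
func open(key, sealed, label []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], label)
}

// KDC is the trusted third party holding every principal's secret key.
type KDC struct{ Keys map[string][]byte }

// Issue answers a client's request for a service with two sealed copies of a
// fresh session key: the ticket, under the service's key K_s and bound to the
// client's name, and the client part, under the client's key K_c and bound to
// the service's name. Neither K_c nor K_s ever leaves the KDC.
func (k *KDC) Issue(client, service string) (ticket, clientPart []byte, err error) {
	kc, okc := k.Keys[client]
	ks, oks := k.Keys[service]
	if !okc || !oks {
		return nil, nil, errors.New("unknown principal")
	}
	session := NewKey()
	return seal(ks, session, []byte(client)), seal(kc, session, []byte(service)), nil
}

// ClientAuthenticate is the client side: only someone who knows K_c can
// recover the session key, so an authenticator sealed under it demonstrates
// that knowledge without K_c itself being transmitted.
func ClientAuthenticate(kc []byte, client, service string, clientPart []byte) ([]byte, error) {
	session, err := open(kc, clientPart, []byte(service))
	if err != nil {
		return nil, errors.New("cannot read client part: wrong client key")
	}
	return seal(session, []byte("client authenticator"), []byte(client)), nil
}

// ServiceVerify is the service side: recover the session key from the ticket
// with K_s (which also checks that the ticket was issued for this service and
// this client), then check that the authenticator was sealed under that key.
func ServiceVerify(ks []byte, client string, ticket, authenticator []byte) error {
	session, err := open(ks, ticket, []byte(client))
	if err != nil {
		return errors.New("ticket not valid for this service and client")
	}
	if _, err := open(session, authenticator, []byte(client)); err != nil {
		return errors.New("authenticator not sealed under the session key")
	}
	return nil
}

func main() {
	kc, ks := NewKey(), NewKey()
	kdc := &KDC{Keys: map[string][]byte{"alice": kc, "files": ks}}
	ticket, part, _ := kdc.Issue("alice", "files")
	auth, _ := ClientAuthenticate(kc, "alice", "files", part)
	fmt.Println("alice accepted by files (nil = ok):", ServiceVerify(ks, "alice", ticket, auth))
	_, err := ClientAuthenticate(NewKey(), "alice", "files", part)
	fmt.Println("impostor without K_c:", err)
}
```

Real Kerberos additionally puts timestamps and a lifetime into the ticket and authenticator and keeps a replay cache on the service, so that a captured ticket and authenticator cannot be resubmitted later; those details are left out here.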

Biometric authentication

Biometrics involves a combination of automated means of identifying/authenticating people based on their behavioral or physiological characteristics. Physiological means of authentication and identification include checking the retina and cornea of the eyes, fingerprints, facial and hand geometry, and other individual information. Behavioral characteristics include the style of working with the keyboard and the dynamics of a signature. Combined methods represent the analysis of various features of a person's voice, as well as recognition of his speech.

Such identification/authentication and encryption systems are in common use in many countries around the world, but have long been extremely costly and difficult to implement. Recently, the demand for biometric products has increased significantly due to the development of e-commerce, since, from the user’s point of view, it is much more convenient to present oneself than to remember some information. Accordingly, demand creates supply, so relatively inexpensive products began to appear on the market, which are mainly focused on fingerprint recognition.

In the vast majority of cases, biometrics are used in combination with other authenticators such as Often, biometric authentication represents only the first line of defense and acts as a means of activating smart cards that include various cryptographic secrets. When using this technology, the biometric template is saved on the same card.

Activity in the field of biometrics is quite high. There is already a corresponding consortium, and quite active work is underway aimed at standardizing various aspects of the technology. Today you can see many advertising articles in which biometric technologies are presented as an ideal means of providing increased security and at the same time accessible to the masses.

ESIA

The Unified Identification and Authentication System (ESIA) is a special service created to ensure the implementation of various tasks related to verifying the authenticity of applicants and participants in interdepartmental interaction when any municipal or government service is provided in electronic form.

In order to gain access to the "Unified Portal of Government Agencies", as well as any other information systems of the existing e-government infrastructure, you will first need to register an account and, as a result, receive a simple electronic signature (PEP).

Levels

The portal provides three main levels of accounts for individuals:

  • Simplified. To register, you only need to indicate your last and first name, as well as a communication channel in the form of an email address or mobile phone number. This is the primary level, through which a person has access only to a limited list of government services and to the capabilities of existing information systems.
  • Standard. To receive it, you first need a simplified account, and then you provide additional data, including information from your passport and your individual insurance account number. The specified information is automatically checked via the information systems of the Pension Fund and the Federal Migration Service, and if the check succeeds the account is transferred to the standard level, which opens an expanded list of government services to the user.
  • Confirmed. To obtain this account level, the unified identification and authentication system requires a standard account from the user, as well as confirmation of identity, which is performed either through a personal visit to a branch of an authorized service or by obtaining an activation code by registered letter. If identity verification is successful, the account is transferred to the new level and the user gains access to the full list of government services.

Despite the fact that the procedures may seem quite complicated, in fact you can get acquainted with the full list of necessary data directly on the official website, so full registration is quite possible within a few days.

Commercial two-factor authentication solutions are often expensive, and authentication devices are difficult to deploy and manage. However, you can create your own two-factor authentication solution using the user's IP address, a beacon file, or a digital certificate.

Various commercial solutions provide Web site security that goes beyond traditional single-factor authentication methods (that is, a username and password combination). Second factors include geographic location, user behavior, image queries, and the more familiar smart cards, devices, and fingerprints. For more information on two-factor commercial solutions, see the articles listed in the Further Reading sidebar.

But commercial solutions are not the only option. You can prepare two-factor authentication yourself. This article provides some guidelines for designing two-factor authentication for Web applications and provides sample code to start your own project with.

Two-factor verification overview

Let's begin with a brief overview of two-factor authentication, i.e. the use of two different forms of identification of potential users. Authenticity can be checked using three forms:

  • something the user knows;
  • some characteristic of the user;
  • something the user has.

Most applications use only one of these forms, usually the first: a username and password are something the user knows.

This level of security is acceptable for most Web sites and applications. However, given the significant increase in identity theft and other types of online fraud, some Web sites are introducing two-factor authentication. According to new legislation, starting in 2007, all electronic banking sites must use two-factor verification. These requirements may soon be extended to recruiting, medical, government and other sites where personal data can be accessed.

As noted above, many commercial two-factor verification products are available. Their prices vary widely, although the entry level is quite high. Not every company has the funds for a major solution. And some companies use highly specialized programs that are poorly compatible with commercial products. In any case, it is useful to think about your own two-factor solution. The recommendations given in this article will help you get on the right design path.

IP Address Usage

The article "Protect your site from attacks," published in ., gives a brief description of using an IP address for additional user identification. This method falls into the "some user characteristic" category. Many commercial solutions use biological characteristics (such as fingerprints or iris patterns). Lower hardware costs and improved software have made this option more practical, but prices are still quite high.

Additionally, some users object to a company storing their biometric data. It's one thing for someone else to know your Social Security number, but quite another for someone to steal your fingerprints!

A solution based on program code is simpler and cheaper. Naturally, its reliability is inferior to that of physical solutions, but for many applications it provides sufficient accuracy. Every user has an IP address, which can be used as a second verification factor.

The essence of the method is that when a user tries to log in, the user's IP address is extracted from the Web server logs or another source. The address is then subjected to one or more checks. If they succeed, and if the login name and password are correct, the user is granted access. If the user fails this level of verification, the request is rejected or sent to a deeper level of analysis. In particular, the user may be asked additional personal questions (for example, mother's maiden name) or asked to telephone an authorized representative for off-network verification.

There are several ways to verify an IP address, each of which provides a certain level of confidence in identifying a user. The simplest test is to compare the user's IP address with a list of known unwanted addresses outside the service area. For example, if users are located primarily in one country, a comparison can be made with a list of unwanted addresses outside that country. Given that a significant portion of identity theft attempts come from outside a given country, blocking dangerous addresses outside the country will certainly prevent a large number of fraud attempts.

Obtaining lists of dangerous addresses is not difficult. Bob's Block List at http://www.unixhub.com/block.html starts with address blocks in Asia, Latin America, and the Caribbean. Mapping against it can be useful if a company does not have users in these regions. It should be noted that lists obtained from free sites require some modifications to avoid blocking useful sites. Commercial lists are more accurate, such as MaxMind at http://www.maxmind.com. Listing 1 shows sample pseudocode to implement this approach.

However, if it is not desirable to block users by region, or greater selectivity is needed, it is possible to record the user's IP address when he registers on his first visit, as long as the registration process has a means of verifying the user. In particular, you can ask the user to answer one or two questions (for example, ask him to name the number of the school he attended) or ask him to enter a registration code previously sent to him by email. Once an IP address has been obtained and verified, you can use that address to evaluate subsequent login attempts.

If all users request access only from corporate sites with known and fixed IP addresses, then a very effective method is comparison with a list of pre-approved addresses. In this case, users from unknown sites are denied access. However, if users connect from sites whose addresses are not known in advance, for example from home, where there is usually no static IP address, then the accuracy of the method decreases sharply.

A less reliable solution is a "fuzzy" comparison of IP addresses. ISPs assign home users IP addresses from their own range, usually a Class C or Class B subnet. Therefore, only the first two or three octets of the IP address can be used for authentication. For example, if the address 192.168.1.1 is registered for a user, then later it may be necessary to accept addresses from 192.168.1.1 to 192.168.254.254. This approach involves some risk of attack by an attacker using the services of the same provider, but nevertheless it gives good results.

Users can also be verified by using IP addresses to determine their location. You will need to purchase a commercial database containing all known IP address ranges and their approximate locations, for example from a company such as MaxMind or Geobytes (http://www.geobytes.com). If the user's registered location is Houston and he subsequently tries to access the site from Romania or even New York, then access can be denied, or at least a deeper check must be performed. This method solves the problem of the provider changing a block of addresses. However, an attacker still has a chance to gain access from a location where there are registered users.

You can perform the second-factor authentication in two stages, starting by excluding all IP addresses that match a block list or matching against a white list. If a white list is used and the address being checked is not on it, the user may be asked an additional question. If the IP address is finally approved, the user can be asked to add the current IP address to the white list (users should be told that only the addresses of regularly used computers may be added to the list). Listing 2 shows the pseudocode for matching against the block list and white list.

IP authentication is not suitable for situations where multiple mobile users access the site from hotel rooms and other locations in the country and abroad, constantly changing IP addresses, Internet providers and locations. The IP Block List cannot be applied to such users. These users will not be on the list of allowed IP addresses. However, they can still answer the security question during authentication.

To provide more robust protection for roaming users, the check can be deepened by taking into account the browser version (which tends to change infrequently), the operating system, and even the MAC address of the network card. However, such methods usually require running a special program on the client to access the necessary parameters. Moreover, MAC addresses and browser and operating system versions can be spoofed, so this method of protection is not completely reliable.
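The block list, white list and "fuzzy" prefix checks above as one added Go example; it is not the article's Listing 1 or Listing 2, which are not reproduced on this page. The CIDR ranges and addresses are constructed from the RFC 5737 documentation blocks, and the three-way outcome (deny, allow, or challenge with the extra question) is the decision flow the article describes.

```go
package main

import (
	"fmt"
	"net"
)

// Decision is the outcome of the second-factor IP check.
type Decision int

const (
	Deny      Decision = iota // on the block list or unparsable: reject outright
	Allow                     // pre-approved address, or inside the user's registered provider range
	Challenge                 // unknown address: fall back to the extra verification question
)

func (d Decision) String() string { return [...]string{"deny", "allow", "challenge"}[d] }

// IPPolicy holds the three lists the article describes.
type IPPolicy struct {
	blocked   []*net.IPNet          // regions the company does not serve
	whitelist map[string]bool       // exact addresses the user confirmed as regularly used
	fuzzy     map[string]*net.IPNet // per-user registered address widened to its provider prefix
}

// NewIPPolicy parses the block list; CIDR notation covers whole regional ranges.
func NewIPPolicy(blockedCIDRs []string) (*IPPolicy, error) {
	p := &IPPolicy{whitelist: map[string]bool{}, fuzzy: map[string]*net.IPNet{}}
	for _, c := range blockedCIDRs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad block-list entry %q: %w", c, err)
		}
		p.blocked = append(p.blocked, n)
	}
	return p, nil
}

// AddWhitelist records an exact address after the user has passed the extra question.
func (p *IPPolicy) AddWhitelist(ip string) error {
	parsed := net.ParseIP(ip)
	if parsed == nil {
		return fmt.Errorf("not an IP address: %q", ip)
	}
	p.whitelist[parsed.String()] = true
	return nil
}

// RegisterFuzzy stores the user's verified address widened to prefixBits
// (16 keeps the first two octets, 24 the first three): the "fuzzy" match for
// home users whose provider hands out changing addresses from one range.
func (p *IPPolicy) RegisterFuzzy(user, ip string, prefixBits int) error {
	parsed := net.ParseIP(ip).To4()
	if parsed == nil || prefixBits < 0 || prefixBits > 32 {
		return fmt.Errorf("need an IPv4 address and a prefix length 0-32, got %q/%d", ip, prefixBits)
	}
	mask := net.CIDRMask(prefixBits, 32)
	p.fuzzy[user] = &net.IPNet{IP: parsed.Mask(mask), Mask: mask}
	return nil
}

// Check runs the tests in order: block list first, then the exact white list,
// then the user's fuzzy range. Anything else is sent to the extra question.
func (p *IPPolicy) Check(user, ip string) Decision {
	parsed := net.ParseIP(ip)
	if parsed == nil {
		return Deny
	}
	for _, n := range p.blocked {
		if n.Contains(parsed) {
			return Deny
		}
	}
	if p.whitelist[parsed.String()] {
		return Allow
	}
	if n, ok := p.fuzzy[user]; ok && n.Contains(parsed) {
		return Allow
	}
	return Challenge
}

func main() {
	// Constructed lists: RFC 5737 documentation ranges stand in for real
	// regional blocks and customer addresses.
	p, err := NewIPPolicy([]string{"203.0.113.0/24"})
	if err != nil {
		panic(err)
	}
	p.AddWhitelist("198.51.100.7")
	p.RegisterFuzzy("bob", "192.0.2.10", 24)
	for _, ip := range []string{"203.0.113.9", "198.51.100.7", "192.0.2.200", "192.0.3.10"} {
		fmt.Printf("bob from %-14s -> %s\n", ip, p.Check("bob", ip))
	}
}
```

The fuzzy match is the weak link the article itself points out: every customer of the same provider lands inside the registered /24 or /16, so the Allow it produces should still be paired with the password, never used on its own.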

Using beacons and certificates

An alternative is to use one of two other forms of verifying "something the user has". Hardware verification systems require a special device. In systems you design yourself, you can use "beacon" files or a certificate stored on users' computers. This approach is similar to the security certificates on e-commerce Web sites, which ensure that order information is sent to the correct site.

The easiest way is to use "beacon" files. Many companies use them to track session keys and other user information. You just need to create a persistent "beacon" file and store it on the user's computer for future identification. You can go beyond a simple "beacon" file and encrypt part of it to make it harder for a fraudster to forge.
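An added example of such a "beacon" value, not code from the article: instead of encrypting part of the file, it authenticates the whole value with an HMAC under a server-side secret, which is what actually stops a fraudster from forging it or re-labelling a copied beacon for another account. The secret, the user names and the timestamps are constructed, and `issue_beacon` / `verify_beacon` are this example's own names.

```python
"""Added example (not code from the article): a server-issued "beacon" value
that is tied to one user and authenticated with an HMAC so that it cannot be
forged or re-labelled.  The secret and user names are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed server secret; a real deployment loads it from protected storage.
SERVER_SECRET = b"example-only-secret-do-not-use"


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(body):
    # Integrity tag over the encoded payload, keyed with the server secret.
    return hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest()


def issue_beacon(user, now=None):
    """Create the value to store on the user's computer, formatted as payload.tag."""
    issued = int(now if now is not None else time.time())
    payload = {"user": user, "id": secrets.token_hex(16), "issued": issued}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    return f"{body}.{_b64(_tag(body))}"


def verify_beacon(token, user, max_age=90 * 86400, now=None):
    """True only if the tag is valid, the beacon belongs to `user` and it is not too old.
    Any malformed input (bad base64, wrong field types, extra separators) is rejected."""
    now = now if now is not None else time.time()
    try:
        body, tag = token.split(".")
        if not hmac.compare_digest(_unb64(tag), _tag(body)):
            return False
        payload = json.loads(_unb64(body))
        return payload["user"] == user and now - payload["issued"] <= max_age
    except (ValueError, KeyError, TypeError):
        return False
```

The tag is checked before the payload is parsed, so untrusted bytes never reach the JSON decoder unless they were produced by the server; the user name inside the beacon must match the account being logged into, which is the check that makes a copied beacon useless for a different account.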

Digital certificates provide a higher level of security. They require some preparation on the part of the user: the certificate must be created in-house or obtained from a certification authority (CA). The latter method is more reliable, since an external certificate is harder to forge. However, the ongoing cost of maintaining a certificate is comparable to the cost of a two-factor solution based on authentication devices.

Of course, beacons and certificates are only applicable to employees' home computers and other computers enrolled in the authentication system. An alternative method is needed to identify users working on computers that do not belong to them. One such method is the test questions mentioned above and shown in Listing 2. However, consider whether providing access to important applications from public computers is justified given the threat from keystroke loggers, spyware and other malware.

This article discusses two ways to implement simple two-factor authentication for Web applications: one using "something characteristic of the user" (IP address), the other using "something the user has" (beacon files or certificates). It should be remembered that these solutions do not provide the very high level of security required, for example, in the financial sector, for which hardware is more suitable. But the solutions presented in the article combine well with other methods to provide more reliable protection of corporate networks and e-commerce sites.

Paul Hensarling ([email protected]) is a security analyst at a consulting company. He holds a CSSA certificate.

Tony Howlett ([email protected]) is the president of the network consulting firm Network Security Services. He holds CISSP and CSNA certificates.

Letter of credit

A letter of credit is a conditional monetary obligation accepted by a bank on behalf of the payer, which allows payments to be made in favor of the recipient of funds. The bank may make payments to the seller or authorize another bank to make such payments once the terms of the letter of credit have been fulfilled.

Authentication

Authentication is the process of establishing the identity of a client on the basis of the information the client provides. Authentication is carried out in the following ways:

Data Authenticity

The property of data to be authentic and the property of systems to be able to ensure the authenticity of data.

Authenticity of data means that it was created by legitimate participants in the information process and has not been subject to accidental or intentional distortion.

The ability of a system to ensure data authenticity means that the system is able to detect all cases of data corruption with a probability of error not exceeding a specified value.

Private key

Private key - the private (secret) part of a cryptographic key pair. It is used to create electronic signatures, which can then be verified using the paired public key, and to decrypt messages that were encrypted with that public key.

The private key is kept only by its owner and is never revealed to anyone. Losing a private key means that third parties may disclose any information encrypted for its owner and may forge the owner's digital signature. In any cryptographic system the private key is the most important secret, which is why it must be kept secret.

Public key

Public key - the open (non-secret) part of a cryptographic key pair. It serves to verify electronic signatures created using the paired private key, and to encrypt messages that will later be decrypted with that private key.

The public key is sent for registration to a certification center, an organization that registers public keys and their owners and issues electronic documents confirming that particular public keys belong to particular individuals. The certification center places the certificates of all subscribers' public keys in a database, from which they can be provided on request to anyone who contacts the center.

Transaction passport under the contract

A transaction passport under a contract is a document that is drawn up when carrying out a foreign exchange transaction under a contract.

Transaction passport under a loan agreement

A transaction passport under a loan agreement is a document that is drawn up when carrying out a foreign exchange transaction under a credit agreement or loan agreement.

SSL protocol

SSL (Secure Sockets Layer) was developed by Netscape. It allows the parties exchanging data to be identified on the basis of electronic certificates, the transferred data to be processed, and the absence of data distortion during transfer to be guaranteed.

Note: the ability to use the SSL protocol depends on whether the SSL 2.0 or SSL 3.0 checkbox is set when configuring your Internet browser.

Resident

Resident - a legal or natural person permanently registered or permanently residing in a given country.

Certificate

A certificate is a document (possibly in electronic form) containing the public key belonging to the certificate holder, together with additional information about its owner (for example, full name and organization name, e-mail address, etc.), signed by a certification authority (CA).

The main purpose of a certificate is to associate a public key with the identity of its owner (the owner of the private key paired with it).

Certificates have a validity period after which they become invalid. The validity period is reflected in the contents of the certificate.

Certificates are stored in the Windows registry or on other key media. Certificates registered in the Windows registry can be accessed from Internet Explorer, which has a wizard for importing and exporting certificates and private keys.

Encryption

Encrypting information is a way of preventing unauthorized viewing or use of that information. Encryption is implemented with special mathematical algorithms (cryptoalgorithms). Encryption guarantees the protection of sensitive information from unauthorized access by third parties. To restore encrypted information, the reverse transformation, decryption, is performed. To decrypt information, you must hold the corresponding secret (private) key.

In modern systems a pair of encryption keys is used: a public key, which can be known to anyone, and a paired private key, known only to its owner. A pair of corresponding keys can be used for encryption, as well as for creating and verifying an electronic signature (ES), and has the following properties:

  • A message encrypted using a public key can only be decrypted using its corresponding private key.
  • An electronic signature created using a private key can be verified for compliance using a paired public key.

Electronic signature

An electronic signature is used to sign electronic documents. An electronic signature (ES) is an attribute of an electronic document that is designed to protect the document from forgery; it allows the owner of the signature key certificate to be identified and the absence of distortion of the information in the document to be established.

An electronic signature is generated using the private key, which can be stored on a floppy disk, in the system registry, on a smart card, etc.

The ES can be verified using the public key paired with the private key with which the ES was generated. Thus, knowing the user's public key, you can reliably determine who signed the document.
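The key-pair properties listed under "Encryption", the signing and verification described under "Electronic signature", and the certificate binding a public key to its owner with a validity period (under "Certificate") can all be seen in one place with a toy implementation. The following is an added example, not part of the glossary or of the bank's system: textbook RSA with small, seeded keys and no padding, which is fine for showing the properties but is not a usable cryptosystem. All key sizes, seeds, names and the JSON certificate layout are this example's own assumptions.

```python
"""Added example, not from the glossary: toy textbook RSA (no padding, small
keys, seeded randomness) used only to show the key-pair properties, an
electronic signature and a certificate with a validity period.  Not for real use."""
import hashlib
import json
import random


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin primality test; rng supplies the witnesses."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if is_probable_prime(cand, rng):
            return cand


def generate_keypair(bits=128, seed=None):
    """Return ((n, e), (n, d)).  The seed gives reproducible demo keys only;
    real keys need an unpredictable source such as os.urandom."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p == q or phi % e == 0:  # need gcd(e, phi) == 1
            continue
        return (p * q, e), (p * q, pow(e, -1, phi))


def encrypt(pub, msg):
    """Property 1: anyone holding the public key can encrypt..."""
    n, e = pub
    m = int.from_bytes(msg, "big")
    if not 0 < m < n:
        raise ValueError("message must be non-empty and shorter than the modulus")
    return pow(m, e, n)


def decrypt(priv, c):
    """...and only the private-key holder can decrypt (leading zero bytes are lost)."""
    n, d = priv
    return pow(c, d, n).to_bytes((n.bit_length() + 7) // 8, "big").lstrip(b"\x00")


def _digest(msg, n):
    # Hash the document and reduce mod n: a toy stand-in for real signature padding.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg):
    """Property 2: the ES is created with the private key..."""
    n, d = priv
    return pow(_digest(msg, n), d, n)


def verify(pub, msg, sig):
    """...and checked with the paired public key; a different key or document fails."""
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)


def _cert_bytes(cert):
    fields = {k: cert[k] for k in ("subject", "n", "e", "not_after")}
    return json.dumps(fields, sort_keys=True).encode()


def issue_certificate(ca_priv, subject, subject_pub, not_after):
    """The CA signs the binding of owner name, public key and expiry time."""
    cert = {"subject": subject, "n": subject_pub[0], "e": subject_pub[1], "not_after": not_after}
    cert["signature"] = sign(ca_priv, _cert_bytes(cert))
    return cert


def verify_certificate(ca_pub, cert, now):
    """Valid only within the validity period and with an intact CA signature."""
    return now <= cert["not_after"] and verify(ca_pub, _cert_bytes(cert), cert["signature"])
```

Reading the functions in order: `encrypt`/`decrypt` are the first bullet under "Encryption", `sign`/`verify` the second and the "Electronic signature" entry, and `issue_certificate`/`verify_certificate` show why a certificate is needed at all: without the CA's signature over the name-to-key binding, anyone could present their own public key under someone else's name.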

To send a document to the bank, you must have at least one electronic signature. The number of electronic signatures required for each document is determined by the bank individually for each client and is set out in the Service Agreement for the "Internet Client for Legal Entities" system.
