crypto regulations in russia


Upload: alexey-lukatsky

Post on 30-Nov-2014


Page 1: Crypto regulations in Russia

© 2011 Cisco and/or its affiliates. All rights reserved.

Regulation of Cryptography in Russia Alexey Lukatsky Security Business Consultant

Page 2: Crypto regulations in Russia

Increasing Role of Cryptography

• Extended interaction with customers and partners, enhanced efficiency, accelerated globalization

• Growth of system complexity, IT maturity, appearance of new tools

• Changed threat landscape

Page 3: Crypto regulations in Russia

Outsourcing, virtualization, mobility, Web 2.0, clouds, social networks

Page 4: Crypto regulations in Russia

Business and IT preferences vs. requirements of regulatory bodies:

• Legal usage

• Legal distribution

• Co-working

• Clouds and outsourcing

• Holdings

• Legal import

Page 5: Crypto regulations in Russia

• The first public regulatory documents date back to 1995

• The key premise when developing the legal documents is total control of cryptographic tools throughout their whole lifetime

• The legal documents were developed on the basis of state secret protection

• The Federal Security Service (FSB) still adheres to this approach even after 15 years, despite the growing number of its opponents

Page 6: Crypto regulations in Russia

• Import of cryptographic tools to the territory of the Russian Federation

• Licensing of cryptography-related activities

• Use of certified cryptographic tools

Page 7: Crypto regulations in Russia

1. Fuzzy terminology

2. Legacy rules

3. Various stages of the life cycle imply various requirements

4. Incomprehension of a modern business threat model

5. Unavailability of a well-defined position of the regulatory body

Page 8: Crypto regulations in Russia


Page 9: Crypto regulations in Russia


• Cryptographic solutions of arbitrary implementation

• HMAC of arbitrary implementation

• Digital signature tools of arbitrary implementation

But not electronic signature tools (DS ≠ ES in new Russian regulations)

• Encoding tools

• Tools for creation of crypto keys

• Crypto keys

• but that is not all

Page 10: Crypto regulations in Russia

• Systems, equipment, and components designed or modified to perform cryptanalytic functions

• Systems, equipment, and components designed or modified to use cryptographic techniques to generate the spreading code for spread-spectrum systems, including the hopping code for frequency-hopping systems

• Systems, equipment, and components designed or modified to use cryptographic techniques to generate channelizing or scrambling codes for time-modulated ultra-wideband systems

• Cryptography ≠ compression or encoding techniques

Page 11: Crypto regulations in Russia

• The new law "On Licensing Certain Activities" has made companies obtain FSB-issued licenses for the development, manufacture, distribution, and maintenance of

information systems protected via cryptographic tools

telecommunication systems protected via cryptographic tools

• An information system, in the aggregate, consists of the information contained in databases together with the information technologies and hardware that process it

Page 12: Crypto regulations in Russia

• Usually, the need for encryption (cryptographic) tools arises when other methods fail to provide secure information storage and processing

These cases include, for example, transfer of personal data via the Internet, where it is fundamentally impossible to exclude unauthorized access to the information being transferred

Diagram labels: Laws; Confidentiality; Encryption; Normative legal documents issued by regulatory bodies

Page 13: Crypto regulations in Russia

• Obtain the entity's consent to transferring information in the clear

This is what Roskomnadzor does on its web site

• Provide a controlled access zone

• Use optical communication channels and a correct threat model

• Assign the task of providing confidentiality to the communication provider

Under a special agreement

• Use encryption tools

Page 14: Crypto regulations in Russia


• Most of FSB's legal documents refer to 'confidential information' or 'information of confidential nature'

• Federal law FZ-149 "On Information, Information Technologies, and Information Security" (as revised in 2006) refers to confidentiality as requirement, not as property or feature of information

• Decree No.188 ("On Approval of a List of Data of Confidential Nature") also says nothing of confidentiality

Page 15: Crypto regulations in Russia

• All life cycle stages of a cryptographic tool

Import

Development

Manufacture

Evaluation

Implementation

Distribution

Maintenance

Providing services

Operation

Export

Control and supervision

Page 16: Crypto regulations in Russia


Page 17: Crypto regulations in Russia

• Statute on importation of encryption (cryptographic) tools into the customs territory of the customs union and exportation from the customs territory of the customs union

• Encryption (cryptographic) tools which are subject to restricted importation into the customs territory of the customs union and restricted exportation from the customs territory of the customs union

• These provisions apply to ANY manufacturers

• If a tool's encryption functionality is not used, or is not its primary purpose, the tool is nevertheless considered to be cryptographic

Page 18: Crypto regulations in Russia

• Printers, copiers, and fax machines

• Cash registers

• Pocket computers

• Pocket devices for recording, playing and displaying

• Computing machinery and their constituent parts

• Subscribers' communication units

• Base stations

• Telecommunications equipment

• Software

Page 19: Crypto regulations in Russia

• Equipment for radio and television broadcasting and reception

• Radio-navigation receivers, remote control devices

• Internet access equipment

• Electronic circuitry, integrated microcircuits, data storage devices

• Other

• A large number of items from Groups 84 and 85 of the Unified Customs Tariff of the customs union formed by the Republic of Belarus, the Republic of Kazakhstan, and the Russian Federation

Page 20: Crypto regulations in Russia

Simplified procedure

• Import under notification

• Verification of the legality of import under notification: http://www.tsouz.ru/db/entr/notif/Pages/default.aspx

By licensing

• FSB's authorization

• Import under a license issued by the Ministry of Industry and Trade

• Verification of the legality of import under license: a copy of FSB's authorization for import

Page 21: Crypto regulations in Russia

• Goods containing encryption (cryptographic) tools, which include any of the following components:

(a) a symmetric cryptographic algorithm using a cryptographic key of up to 56 bits in length; or

(b) an asymmetric cryptographic algorithm based on any of the following methods:

(i) factorization of integers with length shorter than or equal to 512 bits;

(ii) calculation of discrete logarithms in the multiplicative group of a finite field of size less than or equal to 512 bits; or

(iii) discrete logarithms in a group other than the one mentioned in (ii) above, of size less than 112 bits

• Goods with cryptographic functionality blocked by the manufacturer

• Authentication and digital signature tools
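The key-size thresholds above lend themselves to a quick inventory check. The following Python is added here as an illustration and is not part of the presentation: it models a product's cryptographic components and tests each against the limits on this slide. The data model, the sample inventory and the conservative rule that every encryption component must be within the thresholds are assumptions of the example, not statements of the regulation.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Key-size thresholds exactly as stated on the slide.
SYMMETRIC_MAX_KEY_BITS = 56        # symmetric key of up to 56 bits
FACTORING_MAX_BITS = 512           # integer factorization, <= 512 bits
FINITE_FIELD_DLOG_MAX_BITS = 512   # discrete log in GF(p)*, field <= 512 bits
OTHER_GROUP_DLOG_MAX_BITS = 112    # discrete log in another group, < 112 bits


@dataclass
class CryptoComponent:
    """One cryptographic mechanism inside a product (constructed data model)."""
    name: str
    kind: str            # "symmetric" | "factoring" | "ff_dlog" | "other_dlog"
    bits: int            # key length (symmetric) or modulus / field / group size
    signature_or_auth_only: bool = False   # used solely for authentication / DS


@dataclass
class Product:
    name: str
    components: List[CryptoComponent] = field(default_factory=list)
    crypto_blocked_by_manufacturer: bool = False


def component_within_thresholds(c: CryptoComponent) -> bool:
    """True if a single component stays inside the slide's key-size limits."""
    if c.signature_or_auth_only:
        # "Authentication and digital signature tools" is a separate bullet on
        # the slide with no key-size limit, so such components always pass.
        return True
    if c.kind == "symmetric":
        return c.bits <= SYMMETRIC_MAX_KEY_BITS
    if c.kind == "factoring":
        return c.bits <= FACTORING_MAX_BITS
    if c.kind == "ff_dlog":
        return c.bits <= FINITE_FIELD_DLOG_MAX_BITS
    if c.kind == "other_dlog":         # e.g. elliptic-curve groups
        return c.bits < OTHER_GROUP_DLOG_MAX_BITS
    raise ValueError(f"unknown component kind: {c.kind!r}")


def classify(product: Product) -> Tuple[bool, List[str]]:
    """Return (matches_list, reasons).

    Assumption (conservative reading): a product matches the slide's list only
    when every encryption component it carries is within the thresholds, or
    when the manufacturer has blocked the cryptographic functionality.
    """
    if product.crypto_blocked_by_manufacturer:
        return True, ["cryptographic functionality blocked by manufacturer"]
    if not product.components:
        return False, ["no encryption components declared; nothing to assess"]
    reasons = []
    for c in product.components:
        verdict = "within" if component_within_thresholds(c) else "exceeds"
        reasons.append(f"{c.name} ({c.kind}, {c.bits} bits): {verdict} thresholds")
    matches = all(component_within_thresholds(c) for c in product.components)
    return matches, reasons


def demo_inventory() -> dict:
    """Constructed sample inventory; returns {product name: matches_list}."""
    inventory = [
        Product("Office printer", [CryptoComponent("DES", "symmetric", 56)]),
        Product("Branch VPN router", [
            CryptoComponent("AES-256", "symmetric", 256),
            CryptoComponent("RSA-2048", "factoring", 2048),
            CryptoComponent("ECDH P-256", "other_dlog", 256),
        ]),
        Product("Signature smart card", [
            CryptoComponent("ECDSA P-256", "other_dlog", 256,
                            signature_or_auth_only=True),
        ]),
        Product("Set-top box", [CryptoComponent("AES-128", "symmetric", 128)],
                crypto_blocked_by_manufacturer=True),
    ]
    return {p.name: classify(p)[0] for p in inventory}


if __name__ == "__main__":
    for p, ok in demo_inventory().items():
        print(f"{p:22s} {'within list' if ok else 'outside list'}")
```

The printer (56-bit DES) and the blocked set-top box fall within the list, the signature-only smart card passes under the separate authentication bullet, and the VPN router with AES-256, RSA-2048 and ECDH P-256 falls outside it.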

Page 22: Crypto regulations in Russia

• Encryption (cryptographic) tools which are components of software operating systems, with cryptographic capabilities that cannot be changed by users, which have been developed to be installed by users themselves without further essential vendor support, and whose technical documentation (description of cryptographic conversion algorithms, interaction protocols, interface description, etc.) is publicly accessible

• Encryption (cryptographic) equipment specially designed and restricted for use in the banking or financial sphere

• Wireless electronic equipment performing data encryption only in the radio channel, with a maximum wireless range, without amplification and retransmission, of less than 400 m according to the manufacturer's technical specifications

Page 23: Crypto regulations in Russia


• Encryption (cryptographic) tools used for protection of process channels of information and telecommunications systems and communications networks

• Portable or mobile electronic means of civilian use without end-to-end encryption

• Personal smart cards

• Receiving equipment for radio broadcasting, commercial television and broadcasting for limited audience

• Copy protection tools

Page 24: Crypto regulations in Russia


Page 25: Crypto regulations in Russia

• FSB license for encryption business

Providing services in the sphere of information encryption

Support and maintenance of encryption tools

Distribution of encryption tools

Development and production of encryption tools, and of information and telecommunication systems protected using encryption (cryptographic) tools

• On May 4, 2011, a new version of the law "On Licensing Certain Activities" (99-FZ) was adopted

Unified license for the development, production, distribution, performance of works, provision of services, and maintenance of encryption tools and of information and telecommunications systems protected by encryption tools

Page 26: Crypto regulations in Russia

• In explicit form – no; however, activities including

mounting, installation, and configuration of encryption (cryptographic) tools

repair and servicing of encryption (cryptographic) tools

recycling and destruction of encryption (cryptographic) tools

works on support and maintenance of encryption (cryptographic) tools provided for in technical and operational documentation

• shall, in FSB's opinion, be attributed to licensable activities as engineering maintenance

• Engineering maintenance is a set of operations, or an operation, aimed at maintaining the serviceability or operability of a product when used for its intended purpose, in standby, in storage, and in transportation

GOST 18322-78 "System of engineering maintenance and repair of equipment. Terms and definitions"

Page 27: Crypto regulations in Russia

• Representatives of FSB's 8th Center have repeatedly asserted that licenses are not required for in-house needs

Page 28: Crypto regulations in Russia

• The new law "On Licensing Certain Activities" dated May 4, 2011 restored the 'in-house needs' term (but only with respect to maintenance of encryption tools)

• However, this term, 'in-house needs', has not been defined, and it raises a great many questions

Can encryption aimed at protecting employees' and customers' information be attributed to in-house needs or not?

Does encryption of personal data mean protection of one's own interests or protection of the rights of personal data subjects?

Page 29: Crypto regulations in Russia


• What is maintenance?

Operation of crypto tools in compliance with requirements of technical and operational documentation included in crypto tools delivery set is not considered to be maintenance activity relating to encryption (cryptographic) tools

• Non-attributable to licensable activities

Transferring crypto tools to customers and affiliates

Generation and transfer of generated keys

Page 30: Crypto regulations in Russia

• Federal Law No. 57-FZ dated April 29, 2008, Moscow, "On the Procedure of Foreign Investments to Business Entities Which are Strategically Important for National Defense and State Security"

In order to provide for national defense and state security, this Federal Law establishes restrictive exemptions for foreign investors, and for groups of persons including foreign investors, in case they participate in the authorized capital of business entities which are strategically important for national defense and state security and (or) make transactions which lead to establishing control over such business entities

Page 31: Crypto regulations in Russia

• A business entity which is strategically important for national defense and state security is an enterprise established in the territory of the Russian Federation and performing at least one of the activities which are strategically important for national defense and state security, these activities being specified in Article 6 of this Federal Law

Items 11-14 – 4 types of licensed activities related to encryption

Availability of just one router with IPsec requires a license for CIPT maintenance

• On March 23, amendments were adopted in the first reading to exclude banks (and only banks) from the list of 'strategic' enterprises

Page 32: Crypto regulations in Russia


Page 33: Crypto regulations in Russia

• Signed on April 3, 1995 (amended on July 25, 2000)

• State authorities are forbidden to use encryption tools without a certificate issued by FSB

• State authorities are not allowed to place state orders with enterprises that use encryption tools without a certificate

• Appropriate measures shall be taken with respect to banks which do not use certified encryption tools when communicating with the Bank of Russia

• Activities of legal entities and individuals related to the operation of encryption tools without an FSB license shall be prohibited

• Import of encryption tools without a license issued by the Ministry of Industry and Trade together with FSB authorization shall be prohibited

• Violators shall be punished to the full extent of the law

Page 34: Crypto regulations in Russia

• Some of its provisions are still in force

For example, the requirements on import of encryption tools and on the sole use of properly certified encryption tools by state authorities

• Some articles have been virtually repealed by newer statutory legal acts

The law "On Licensing Certain Activities"

The law "On Technical Regulation"

Civil Code

• However, Decree No. 334 has not been explicitly repealed yet

Despite circulating rumors

Page 35: Crypto regulations in Russia

• Yes! The basic document is the Order on Approval of the Provision on the Development, Manufacturing, Sale, and Operation of Encryption (Cryptographic) Tools of Information Protection (PKZ-2005)

• PKZ-2005 regulates relations which arise in the course of development, production, sale, and operation of encryption (cryptographic) tools for protecting limited-access data which does not contain information classified as state secret (hereinafter – information of confidential nature)

Order No. 66 dated 9.02.2005 (signed by the Director of FSB and registered with the Ministry of Justice)

• PKZ-2005 is not applicable to foreign crypto tools

Page 36: Crypto regulations in Russia


• PKZ-2005 is used for

the protection of information of confidential nature, subject to protection in compliance with the RF law

Information protection in the Federal executive authorities and executive authorities of the RF constituent entities

Information protection in organizations, irrespective of their form of incorporation and pattern of ownership, when they fulfill orders for delivery of goods, performance of works, or provision of services for state needs (hereinafter - organizations fulfilling state-guaranteed orders)

Information protection assigned by the RF law to persons who have access to this information or who are provided with authority to administer data contained in this information

Protection of information owned by state authorities or organizations fulfilling state-guaranteed orders

Page 37: Crypto regulations in Russia


• The mode of information protection by using CIPT is established by

the holder of information of confidential nature

the possessor (owner) of information resources (information systems)

persons duly authorized by them on the basis of the RF law

Page 38: Crypto regulations in Russia

• Holder of information; possessor (owner) of the system – exchange of own data

• State authority – exchange with state authorities

• Organization fulfilling state-guaranteed orders – exchange with organizations fulfilling state-guaranteed orders

• Holder of information; user (consumer) – processing and storage without transfer

Page 39: Crypto regulations in Russia


Page 40: Crypto regulations in Russia


• Crypto tools must meet the requirements of technical regulations, with the degree of compliance with them being assessed according to the procedure described in 184-FZ "On Technical Regulation"

PKZ-2005

• The quality of cryptographic protection of confidential information performed by crypto tools is provided through implementation of requirements for information security imposed on crypto tools

Page 41: Crypto regulations in Russia

• In certain cases, the protection level (crypto tool certification class) is established in regulatory documents

Predominantly, in Requirements Specifications for Federal information systems

• The package of information security standards of the Bank of Russia (the Standard for information security of organizations of the banking system of the Russian Federation, STO BR IBBS) provides for using encryption tools certified for protection class KC2 at least

• In other cases, the required protection level is determined by the crypto tool user based on an intruder model

Page 42: Crypto regulations in Russia

• 3 protection levels – A (KA1), B (KB1, KB2), and C (KC1, KC2, KC3)

The certification level of crypto tools depends on the number and severity of requirements

• 6 intruder models

H1 – external intruder acting without in-house assistance

H2 – in-house intruder who is not a crypto tool user

H3 – in-house intruder who is a crypto tool user

H4 – intruder engaging experts in the sphere of crypto tool development and analysis

H5 – intruder engaging research institutes in the sphere of crypto tool development and analysis

H6 – intelligence services of foreign states

Page 43: Crypto regulations in Russia


• For cryptographic protection of confidential information, it is necessary to use crypto tools which meet the requirements for information security established in compliance with the Russian Federation law

PKZ-2005

Page 44: Crypto regulations in Russia

• Decree No. 351 and FZ-85 (on participation in international exchange of information)

• Government regulation (PP-424) (on connection of the Federal state information systems to the Internet)

• FSS Order No. 487 (on the Russian segment of the Internet)

• Order of the Ministry of Communications No. 104 (on state-owned IS in public use)

• Order of the Federal Service on Technical and Export Control/FSB No. 489/416 (on requirements for protection of publicly used IS)

• Government regulation (PP-330) (on specific features of assessment of compliance of protection tools for state-owned Information Systems and Personal Data Information Systems)

• Order of the Ministry of Economic Development No. 54 (on electronic sales areas)

• FSB's guidelines on personal data

• Government regulation (PP-781) (on protection of personal data)

• As well as FZ-149, Special requirements on technical protection of confidential information, PP-608, Decree No. 334, Guidelines of FSTEC on key systems of information infrastructure

Page 45: Crypto regulations in Russia

Chart: the number of regulatory legal documents which require certification in compliance with security requirements (vertical axis 0 to 8)

* – for 2011: preliminary assessment of new regulatory document drafts (FZ "On National Payment System", FZ "On Official Secrecy", new orders of FSTEC/FSB, etc.)

Page 46: Crypto regulations in Russia

• There are two certification systems under the FSB line

The system of certification of cryptographic information protection tools (РОСС RU.0001.030001)

The system of certification of information protection tools in compliance with security requirements for information classified as state secret (РОСС RU.0003.01БИ00)

• Crypto tools are assessed for compliance with "The Requirements to Tools for Cryptographic Protection of Confidential Information"

• The user is responsible for using non-certified crypto tools

• Certified products cannot be updated

Page 47: Crypto regulations in Russia

• Old regulatory documents refer predominantly to certification, whereas new ones refer to evaluation

• Evaluation ≠ certification

• Evaluation is the direct or indirect determination of whether the requirements imposed on an object are met

• Evaluation is governed by FZ-184 "On Technical Regulation"

Page 48: Crypto regulations in Russia

Forms of evaluation (FZ-184):

• State control and supervision

• Accreditation

• Tests

• Registration

• Compliance approval

Facultative certification

Obligatory certification

Declaration of compliance

• Acceptance and introduction into service

• In other form

Page 49: Crypto regulations in Russia

• Work of representative offices of foreign companies in Russia

Import of western cryptography or export of domestic cryptography

• Commercial IP television and IP video surveillance

The devices do not and will not support GOSTs, as they are manufactured abroad and delivered to hundreds of countries in the world

• Encryption at rates higher than 10 Gbit/s

Backbone links or synchronization of data centers

• Standards of wireless communications 802.11i, mobile communications 2.5G, 3G, as well as LTE and WiMAX

Page 50: Crypto regulations in Russia

• Encryption in smartphones, iPhones, etc.

• Access to Russian Internet banks from a computer in an Internet cafe when on holiday abroad

No certified crypto libraries with GOSTs are available for this

• Access from abroad to any Russian payment system (Assist, ChronoPay, Yandex.Dengi, Rapida, etc.), as well as to any other e-commerce system (booking tickets, buying books in Internet stores, etc.)

• Protected electronic Web mail via HTTPS

Page 51: Crypto regulations in Russia


• Encryption using FibreChannel protocol when recording to tape in a data center

• Encryption using FibreChannel protocol when transferring data within a data center or between different data centers

• Outsourcing and XaaS (Cloud Computing)

All processing operations are performed via Internet and, probably, somewhere abroad.

• Support of SCADA

• And so on

Page 52: Crypto regulations in Russia


Page 53: Crypto regulations in Russia

• Encryption at rates of 40 Gbit/s

• The regulatory body / domestic manufacturers have proposed to build a cluster of VPN gateways

A gateway can support rates up to 1 Gbit/s

• The final solution – 40+n gateways at one end and the same number of gateways at the other end

How much do 80+2n domestic VPN gateways cost?

n items are required for redundancy

Page 54: Crypto regulations in Russia


• You install certified crypto tools, then

• You cannot

Work efficiently with multimedia traffic (Telepresence, etc.) at the same level as foreign crypto tools do

Work at multi-gigabit rates (especially higher than 3.5 Gbit/s)

Work from abroad using leased computers/devices

Use outsourcing and cloud computing (including in Russia)

Use most of mobile platforms in your business

• And it would cost you a colossal amount of money ;-(

Page 55: Crypto regulations in Russia

• Non-Russian VPN products cannot be used for encryption of most types of information to be protected

If not authorized by FSB

De facto, having obtained permission for import, you gain the right to use them

The issue related to the terms 'confidential information', 'confidentiality', and 'information of confidential nature' remains open

• It is impossible to certify foreign crypto tools

Only GOST-implementing crypto tools are subject to certification

Requirements for certification of foreign-manufactured crypto tools are unavailable

• The collision: in certain cases, you can only use certified crypto tools. Domestic crypto tools do not meet technical requirements, whereas it is impossible to certify crypto tools of foreign manufacture

Page 56: Crypto regulations in Russia

• To provide security of personal data when processing them in information systems, you must use crypto tools certified in the framework of the certification system of FSB of Russia (those approved by an examining organization for compliance with requirements of regulatory documents on information security)

• Incorporation of crypto tools of classes KC1 and KC2 can be performed without control on the part of FSB of Russia

FSB's guidelines on personal data

• Incorporation does not remove the problem of legal import of foreign VPN products

Page 57: Crypto regulations in Russia


• Is it possible to use a certified cryptolibrary as a component of VPN solutions?

Yes, it is possible

• Will this use be a legitimate one?

No!!!

Page 58: Crypto regulations in Russia


Page 59: Crypto regulations in Russia

• Article 13.12. Violation of Information Security Rules (Code of Administrative Offences)

Item 1 – violation of licensing provisions (up to RUB 10,000)

Item 2 – use of non-certified security tools, if they are subject to obligatory certification (up to RUB 20,000 + confiscation)

Item 3 – violation of licensing provisions related to state secret (up to RUB 20,000)

Item 4 – use of non-certified security tools related to state secret (up to RUB 30,000 + confiscation)

Item 5 – gross violation of licensing provisions (up to RUB 15,000 + suspension of activities for up to 90 days)

Page 60: Crypto regulations in Russia

• Article 13.13. Illegal Activity Related to Information Security (Code of Administrative Offences)

Item 1 – dealing with information protection without a license, if it is obligatory (up to RUB 20,000 + confiscation)

Item 2 – dealing with state secret protection and development of tools for its protection without a license (up to RUB 40,000 + confiscation)

Page 61: Crypto regulations in Russia

• Article 171. Illegal Enterprise (RF Criminal Code)

Item 1 – performing activities without registration (if a license is obligatory), with violations of registration rules, or by submitting false information to the licensing agency, if this caused damage to citizens, organizations or the state, or was accompanied by deriving significant revenue (up to RUB 300,000, or compulsory labour up to 240 hours, or detention up to 6 months)

Item 2 – the same, but committed by a group of persons or with derivation of particularly large revenue (up to RUB 500,000 or imprisonment for up to 5 years)

• There are about 20 criminal cases initiated by FSB against Russian organizations

Page 62: Crypto regulations in Russia

• Recall of a license by FSB (only for service licenses)

k) use, by the Licensee, of encryption (cryptographic) tools of foreign manufacture if these tools have been imported to the territory of the Russian Federation and distributed there in compliance with the procedure established by statutory legal acts of the Russian Federation

• Article 188. Contraband (RF Criminal Code)

Item 1 – transferring goods in large quantities across the customs border by-passing customs, with non-declaring or false declaring (up to RUB 300,000 or imprisonment for up to 5 years)

Page 63: Crypto regulations in Russia

• Article 16.2. Non-Declaring or False Declaring (Code of Administrative Offences)

Item 1 – non-declaring (up to RUB 20,000, or confiscation, or twice the value of the contraband)

Item 2 – false declaring aimed at understatement of customs duties (up to RUB 20,000, or twice the amount of unpaid duties, or confiscation)

Item 3 – false declaring aimed at by-passing import restrictions (up to RUB 300,000 or confiscation)

• Article 16.3. Non-Compliance With Restrictions for Import of Goods (Code of Administrative Offences)

Item 1 – non-compliance with import restrictions of an economic nature (up to RUB 300,000)

Item 2 – non-compliance with import restrictions (up to RUB 100,000 + confiscation)

• Article 16.7. Submission of invalid documents when declaring goods at customs (Code of Administrative Offences)

Item 1 – false declaring (up to RUB 300,000 + confiscation)

Page 64: Crypto regulations in Russia

• Article 14.1. Performance of entrepreneurial activities without state registration or without a license (Code of Administrative Offences)

Item 3 – performance of activity with violation of licensing provisions (up to RUB 40,000)

Item 4 – performance of activity with gross violation of licensing provisions (up to RUB 50,000 + suspension of activities for up to 90 days)

Page 65: Crypto regulations in Russia

Page 66: Crypto regulations in Russia

• In Spring 2011, FSB expressed concern about the use of encryption tools of foreign manufacture in the public communications networks of the Russian Federation

Skype, Gmail, Hotmail, etc.

• The Commission decided to form an interagency task force for the development of the RF Government proposals on using cryptographic tools

• The proposals shall be submitted to the Government in the period before October 1, 2011

Historical aside: in August 2007, the Minister of Education, Fursenko, proposed to conquer the whole world by promoting Russian cryptography. Proposals on conquering the world were to be submitted to the Government before December 1, 2007

It is true that our GOSTs were later published as RFCs and also adopted as a basis for DNSSEC… though afterwards it was announced that GOST 28147 had been broken

Page 67: Crypto regulations in Russia

Liberalization

• Probability - 20% (currently)

• Probability in 2 years - 35% and 10% (depending on the winner of presidential election)

Crackdown

• Probability - 45% (currently)

• Probability in 2 years - 20% and 55% (depending on the winner of presidential election)

Everything will remain as it is

• Probability - 30% (currently)

Expert assessment by Cisco specialists

Page 68: Crypto regulations in Russia

Adopt unified definition of the 'encryption tools' term

Define concept 'for in-house needs'

Authorize the use of non-certified crypto tools where no equivalents are available

Add transparency to the procedure of decision making on crypto tools import authorization

Refine the conditions of licensing

Page 69: Crypto regulations in Russia

Page 70: Crypto regulations in Russia

• Cisco and S-Terra CSP have developed VPN solutions supporting Russian crypto algorithms based on Cisco equipment

• FSB Certificate SF/114-1622, 114-1624, 124-1623, 124-1625, 124-1626 dated February 28, 2011

Both solutions are certified for class KC2

Solution for remote offices

• Based on the module for ISR G1 and G2 (2800/2900/3800/3900)

Solution for data centers and headquarters

• Based on UCS C-200

Page 71: Crypto regulations in Russia

• Over 5,300 notifications for Cisco equipment

• Tried-and-true procedure for submitting applications for the import of 'strict' cryptography

• Local production of the NME-RVPN encryption module has been started

• In Spring 2011, Cisco obtained FSB licences for encryption activities

Page 72: Crypto regulations in Russia

[Diagram on slide 72; labels recovered from the figure:]

• Technical Committee 127 "Security of Information Technologies" (representative of ISO SC27 in Russia)

• Subcommittee 3 (PK-3) "Information Protection in Financial Institutions"

• Technical Committee "Information Protection" (TK-362) of the Federal Service on Technical and Export Control (FSTEC)

• RG CB "IT Security"

• Consultative Center on Compliance with the Requirements of the BR IBBS set of standards of the Association of Russian Banks (CC of ARB)

• Consulting to banks on personal data issues

• Development of recommendations on personal data and on the standard for information security of the organizations of the banking system of the Russian Federation (STO BR IBBS) v4

Page 73: Crypto regulations in Russia

[Infographic on slide 73; figures recovered from the slide:]

• 500+ FSTEC certificates for Cisco products

• FSB has certified Cisco (together with S-Terra CSP) solutions

• Non-Declared Capabilities (NDV) unavailable in a number of Cisco product lines

• 28 product lines of Cisco have passed certification under "batch production"

• 96 product lines of Cisco have been certified by FSTEC

Page 74: Crypto regulations in Russia

• FAQ about the import of encryption tools

• Cisco solutions on certified cryptography

• Cryptography regulation chart in Russia (from slide 5)

• … as well as many other things

http://www.facebook.com/CiscoRu

http://twitter.com/CiscoRussia

http://www.youtube.com/CiscoRussiaMedia

http://www.flickr.com/photos/CiscoRussia

http://vkontakte.ru/Cisco

Page 75: Crypto regulations in Russia

Thank you!

[email protected]