Crypto regulations in Russia

Regulation of Cryptography
in Russia
Alexey Lukatsky
Security Business Consultant

© 2011 Cisco and/or its affiliates. All rights reserved. 1

Increasing Role of Cryptography

• Extended interaction with customers and partners,
enhanced efficiency, accelerated globalization
• Growth of system complexity, IT maturity, appearance of new tools
• Changed threat landscape
© 2011 Cisco and/or its affiliates. All rights reserved. 2/75

Social
Outsourcing Virtualization Clouds Mobility Web 2.0
Networks


BUSINESS AND IT REQUIREMENTS OF
PREFERENCES REGULATORY
BODIES

Co-working Legal Import

Clouds and
Legal usage
outsourcing

Holdings Legal distribution


• The first public regulatory documents
date back to 1995
• The key prerequisite when developing
legal documents is the total control
cryptographic tools through their
whole lifetime
• The legal document development is
based on protection of state secrets
• Federal Security Bureau (FSB) is still
adhering to this approach even after
15 years, despite the growing number
of its opponents


Import of cryptographic tools to
the territory of the Russian
Federation
Licensing of cryptography-
related activities
Use of certified cryptographic
tools


1 Fuzzy terminology

4 Incomprehension of a modern
business threat model

3 Various stages of
life cycle imply
various Unavailability of well-defined
Legacy requirements 5 position of the regulatory
2 rules body

• Cryptographic solutions of arbitrary implementation
• HMAC of arbitrary implementation
• Digital signature tools of arbitrary implementation
But not electronic signature tools (DS ≠ ES in new Russian regulations)

• Encoding tools
• Tools for creation of crypto keys
• Crypto keys

• but that is not all


• Systems, equipment, and components designed or modified
to perform cryptanalytic functions
• Systems, equipment, and components designed or
modified for using cryptographic techniques to generate
the expanding code for systems with broadening
spectrum, including code hopping for systems with
frequency hopping
• Systems, equipment, and components designed or
modified for using cryptographic techniques of channel or
scrambling code formation for time-modulated ultra-
wideband systems.
• Cryptography ≠ compression or encoding techniques

• The new law "On Licensing Certain Activities" has made
companies obtain FSB-issued licenses for the development,
manufacture, distribution, and maintenance of
information systems protected via cryptographic tools
telecommunication systems protected via cryptographic tools

• Information system, in the aggregate, consists of database
information together with IT and hardware


• Usually, the need for using encryption
(cryptographic) tools arises when other Laws
methods fail to provide secure
information storage and processing
These cases include, for example, transfer
of personal data via Internet where it is
fundamentally impossible to exclude Confidentiality
illegal intruder access to information being
transferred
≠
Encryption

Normative legal
documents issued by
regulatory bodies


• Obtain entity's approval for transferring clear information
This is what Roskomnadzor does on its web site

• Provide a controlled access zone
• Use optical communication channels
and correct threat model

• Assign the task of providing confidentiality to communication
provider
Under special agreement

• Use encryption tools


• Most of FSB's legal documents refer to 'confidential information'
or 'information of confidential nature'
• Federal law FZ-149 "On Information, Information Technologies,
and Information Security" (as revised in 2006) refers to
confidentiality as requirement, not as property or feature of
information
• Decree No.188 ("On Approval of a List of Data of Confidential
Nature") also says nothing of confidentiality


• All life cycle stages of cryptographic tool

Providing
Import Operation
services

Development Maintenance Export

Control and
Manufacture Distribution
supervision

Evaluation Implementation


• Statute on importation of the encryption (cryptographic) tools to
the customs territory of the customs union and exportation from
the customs territory of the customs union
• Encryption (cryptographic) tools which are subject to restricted
importation to the customs territory of the customs union and
restricted exportation from the customs territory of the customs
union
• These provisions are applied to ANY manufactures

• If a tool's encrypting functionality is not used or it is not its primary
purpose, the tool is nevertheless considered to be cryptographic


• Printers, copymakers, and faxes
• Cash registers
• Pocket computers
• Pocket devices for recording, playing and displaying
• Computing machinery and their constituent parts
• Subscribers' communication units
• Basic stations
• Telecommunications equipment
• Software


• Equipment for radio- and television broadcasting and reception
• Radio-navigation receivers, remote control devices
• Internet access equipment
• Electronic circuitry, integrated microcircuits, data storage devices
• Other
• A large number of items from Groups 84 and 85 of the Unified
Customs Tariff of the customs union formed by the Republic of
Belarus, Republic of Kazakstan, and Russian Federation


Simplified Procedure By Licensing

• Import under • FSB's authorization
notification • Import by the
license issued by
the Ministry of
Industry and Trade

• Verification of the legality of import under notification
http://www.tsouz.ru/db/entr/notif/Pages/default.aspx

• Verification of the legality of import under license
A copy of FSB's authorization for import


• Goods containing encryption (cryptographic) tools, which include
any of the following components:
symmetric cryptographic algorithm using cryptographic key of up to 56 bit
length; or
asymmetric cryptographic algorithm based on any of the following methods:
Factorization of integers with length shorter than or equal to 512 bits;
Calculation of discrete logarithms in multiplicative group of the finite field
with the size less or equal to 512 bits; or
Discrete logarithm in the group with the size different from the one
mentioned in “ii” above but less than 112 bits

• Goods with cryptographic functionality blocked by manufacturer
• Authentication and digital signature tools


• Encryption (cryptographic) tools which are components of
software operating systems, with cryptographic capabilities that
cannot be changed by users, which have been developed to be
installed by users themselves without further essential vendor
support, their technical documentation (description of
cryptographic conversion algorithms, interaction protocols,
interface description, etc.) being publicly accessible
• Encryption (cryptographic) equipment specially designed and
restricted for use in banking or financial sphere
• Wireless electronic equipment performing data encryption only in
radio channel with maximum distance of wireless action, without
amplification and retransmission, less than 400 m according to
manufacture's technical requirements


• Encryption (cryptographic) tools used for protection of process
channels of information and telecommunications systems and
communications networks
• Portable or mobile electronic means of civilian use without end-to-
end encryption
• Personal smart cards

• Receiving equipment for radio broadcasting, commercial
television and broadcasting for limited audience
• Copy protection tools


• FSB license for encryption business
Providing services in the sphere of information encryption
Support and maintenance of encryption tools
Distribution of encryption tools
Development and production of encryption tools protected by using encryption
(cryptographic) tools of information and telecommunication systems

• On May 4, 2011, a new version of law "On Licensing Certain
Activities" (99-FZ) was adopted
Unified license for development, production, distribution, performance of
works, providing of services, and maintenance of encryption tools, information
and telecommunications systems protected by encryption tools


• In explicit form - no; however, activities including
mounting, installation, configuration of encryption (cryptographic) tools
repair, servicing of encryption (cryptographic) tools
recycling and destruction of encryption (cryptographic) tools
works on support and maintenance of encryption (cryptographic) tools
provided for in technical and operational documentation

• shall be attributed, in FSB opinion, to licensable activities –
engineering maintenance
• Engineering maintenance is a set of operations or an operation
aimed at maintenance or serviceability of a product under
conditions of its intended use, expectation, storage, and
transportation
GOST18322-78 "A System of engineering maintenance and repair of
equipment. Terms and definitions"


• Representatives of FSB's 8-th Center have repeatedly asserted
that licenses are not required for in-house needs


• The new law "On Licensing Certain Activities" dated May 4, 2011
restored the 'in-house needs' term (but only with respect to
maintenance of encryption tools)

• However, this term, 'in-house needs', has not been defined, and it
brings forth a great many questions
Can encryption aimed at protection of employees' and customers' information
be attributed to in-house needs or not?
Does encryption of personal data mean protection of own interests or
protection of rights of personal data holders?


• What is maintenance?
Operation of crypto tools in compliance with
requirements of technical and operational
documentation included in crypto tools
delivery set is not considered to be
maintenance activity relating to encryption
(cryptographic) tools

• Non-attributable to licensable
activities
Transferring crypto tools to customers and
affiliates
Generation and transfer of generated keys


• Federal Law dated April 29, 2008 No. 57-FZ, Moscow "On the
Procedure of Foreign Investments to Business Entities Which are
Strategically Important for National Defense and State Security"
In order to provide for national defense and state security, this Federal Law
establishes expropriations of restrictive nature for foreign investors and groups
of persons including foreign investors in case they participate in authorized
capitals of business entities which are strategically important for national
defense and state security and (or) make transactions which lead to instituting
control over the specified business entities


• A business entity which is strategically important for national
defense and state security is an enterprise established in the
territory of the Russian Federation and performing at least one of
the activities which are strategically important for national defense
and state security, these activities being specified in Article 6 of
this Federal Law
i.i. 11-14 – 4 types of licensing related to encryption activities
Availability of just one router with IPSec requires a license for CIPT
maintenance

• On March 23, there were amendments adopted in the first
reading to exclude banks (and only banks) from the list of
'strategic' enterprises


• Signed on April 3, 1995 (amended on July 25, 2000)

• It is forbidden for state authorities to use encryption tools without
certificate issued by FSB
• State authorities are disallowed to place state-guaranteed order at
enterprises that use encryption tools without a certificate
• Appropriate measures shall be taken with respect to the banks which do
not use certified encryption tools when communicating with the Bank of
Russia
• Activities of legal entities and individuals related to operation of
encryption tools without a FSB license shall be enjoined
• Import of encryption tools without a license issued by the Ministry of
Industry and Trade together with FSB authorization shall be enjoined
• The defaulters shall be punished with the utmost rigour of the law

• Some of its provisions are still unexpired
For example, requirements on import of encryption tools and on the sole use of
properly certified encryption tools by state authorities

• Some articles have been virtually repealed by new statutory legal
acts
The law "On Licensing Certain Activities"
The law "On Technical Regulation"
Civil Code

• However, Decree No. 334 has not been explicitly repealed yet
Despite circulating rumors


• Yes! The basic document is the Order on Approval of the
Provision on the Development, Manufacturing, Sale, and
Operation of Encryption (Cryptographic) Tools of Information
Protection (PKZ-2005)
• PKZ-2005 regulates relations which arise in the course of
development, production, sale, and operation of encryption
(cryptographic) tools for protecting limited-access data, which
does not contain information classified as state secret (hereinafter
- information of confidential nature)
Order dated 9.02.2005, No. 66 (signed by the Director of FSB and registered in
the Ministry of Justice)

• PKZ-2005 is not applicable to foreign crypto tools


• PKZ-2005 is used for
the protection of information of confidential nature, subject to protection in
compliance with the RF law
Information protection in the Federal executive authorities and executive
authorities of the RF constituent entities
Information protection in organizations, irrespective of their form of
incorporation and pattern of ownership, when they fulfill orders for delivery of
goods, performance of works, or provision of services for state needs
(hereinafter - organizations fulfilling state-guaranteed orders)
Information protection assigned by the RF law to persons who have access to
this information or who are provided with authority to administer data contained
in this information
Protection of information owned by state authorities or organizations fulfilling
state-guaranteed orders


• The mode of information protection by using CIPT is established
by
the holder of information of confidential nature
the possessor (owner) of information resources (information systems)
persons duly authorized by them on the basis of the RF law


• Holder of information
Exchange of own data
• Possessor (owner) of the system

Exchange with state
authorities • State authority

Exchange with
organizations fulfilling • Organization fulfilling state-
state-guaranteed guaranteed orders
orders

Processing and • Holder of information
storage without
transfer • User (consumer)


• Crypto tools must meet the requirements of technical regulations,
with the degree of compliance with them being assessed
according to the procedure described in 184-FZ "On Technical
Regulation"
PKZ-2005
• The quality of cryptographic protection of confidential information
performed by crypto tools is provided through implementation of
requirements for information security imposed on crypto tools


• In certain cases, protection level (crypto tools certification) is
established in regulatory documents
Predominantly, in Requirements Specifications for Federal information systems

• The package of standards for information security of the Bank of
Russia (The Standard for information security of the organizations
of the banking system of the Russian Federation (STO BR IBBS))
provides for using encryption tools certified for class of protection
КС2, at least
• In other cases, the required protection level is determined by
crypto tools user basing on a model of illegal intruder


• 3 protection levels – А (KА1), В (KВ1, KВ2), and C (KС1, KС2,
KС3)
The level of crypto tools certification depends on the number and severity of
requirements

• 6 models of intruder
Н1 – external intruder acting without in-house assistance
Н2 – in-house intruder who is not crypto tools user
Н3 – in-house intruder who is crypto tools user
Н4 – intruder inviting experts in the sphere of crypto tools development and
analysis
Н5 – intruder inviting research institutes in the sphere of crypto
toolsdevelopment and analysis
Н6 – intelligence services of foreign states


• For cryptographic protection of confidential information, it is
necessary to use crypto tools which meet the requirements for
information security established in compliance with the Russian
Federation law
PKZ-2005


• Decree No. 351 and FZ-85 (on participation in international exchange of information)
• Government regulation (PP-424) (on connection of the Federal state information
systems to Internet)
• FSS Order No. 487 (on the Russian segment of Internet)
• Order of the Ministry of Communications No. 104 (on state-owned IS in public use)
• Order of the Federal Service on Technical and Export Control/FSB No. 489/416 (on
requirements for protection of publicly used IS)
• Government regulation (PP-330) (on specific features of assessment of compliance
of protection tools for state-owned Information Systems and Personal Data
Information Systems)
• Order of the Ministry of Economic Development No. 54 (on electronic sales areas)
• FSB's guidelines on personal data
• Government regulation (PP-781) (on protection of personal data)
• As well as FZ-149, Special requirements on technical protection of confidential
information, PP-608, Decree No. 334, Gidelines of FSTEC on Key systems of
information infrastructure


The number of regulatory legal documents which
require certification in compliance with
security requirements
8
7
6
5
4
3
2
1
0

* - for 2011 – preliminary assessment of new regulatory documents drafts (FZ “On National Payment System”,
FZ “On Official Secrecy”, new orders of FSTEC/FSB, etc.)

45

• There are two certification systems under FSB line
The system of certification of cryptographic information protection tools (РОСС
RU.0001.030001)
The system of certification of information protection tools in compliance with
security requirements for information classified as state secret (РОСС
RU.0003.01БИ00)

• Crypto tools are estimated for compliance with "The
Requirements to Tools for Cryptographic Protection of
Confidential Information"
• User shall be responsible for using non-certified crypto tools
• Impossibility to update certified products


• Old regulatory documents refer
predominantly to certification,
whereas new ones - to evaluation
• Evaluation ≠ certification
• Evaluation is direct or indirect
determination of meeting the
requirements imposed on the
object
• Evaluation is controlled by FZ-
184 "On Technical Regulation"


State control and
supervision

Accreditation

Tests

Evaluation Registration Facultative certification

Compliance approval Obligatory certification

Acceptance and Declaration of
introduction into service compliance

In other form


• Work of representative offices of foreign companies in Russia
Import of western cryptography or export of domestic one

• Commercial IP television and IP video surveillance
The devices do not and will not support GOSTs as they are manufactured
abroad and delivered to hundreds of countries in the world

• Encryption at rates higher than 10 Gbit/s
Backbone links or synchronization of data centers

• Standards of wireless communications 802.11i, mobile
communications 2.5G, 3G, as well as LTE and Wi-Max


• Encryption in smartphones, iPhones, etc.
• Access to Russian Internet banks from a computer in Internet
cafe when on holiday abroad
No certified cryptolibraries with GOSTs is available for this

• Access from abroad to any Russian payment system (Assist,
ChronoPay, Yandex.Dengi, Rapida, etc.), as well as to any other
system of e-commerce (booking tickets, buying books in Internet
stores, etc.)
• Protected electronic Web mail via HTTPS


• Encryption using FibreChannel protocol when recording to tape in
a data center
• Encryption using FibreChannel protocol when transferring data
within a data center or between different data centers
• Outsourcing and XaaS (Cloud Computing)
All processing operations are performed via Internet and, probably, somewhere
abroad.

• Support of SCADA
• And so on


• Encryption at rates 40 Gbit/s
• The regulatory body / domestic manufacturers have proposed to
make a cluster of VPN gateways
A gateway can support rate up to 1 Gbit/s

• A final solution – 40+n gateways at one end and the same
number of gateways at the other end
How much do 80+2n domestic VPN gateways cost?
n items are required for redundancy


• You install certified crypto tools, then
• You cannot
Work efficiently with multimedia traffic (Telepresence, etc.) at the same level as
foreign crypto tools do
Work at multi-gigabit rates (especially higher than 3.5 Gbit/s)
Work from abroad using leased computers/devices
Use outsourcing and cloud computing (including in Russia)
Use most of mobile platforms in your business

• And it would cost you a colossal amount of money ;-(


• Non-Russian VPN products cannot be used for encryption of
most types of information to be protected
If it is not authorized by FSB
De facto, having obtained permission for import, you gain the right to use
The issue related to the terms including 'confidential information',
'confidentiality', 'information of confidential nature remains open
• It is impossible to certify foreign crypto tools
Only GOST-implementing crypto tools are subject to certification
Requirements for certification of foreign-manufacture crypto tools are
unavailable
• The collision: in certain cases, you only can use certified crypto
tools. Domestic crypto tools do not meet technical requirements,
whereas it is impossible to certify crypto tools of foreign
manufacture

• To provide security of personal data when processing them in
information systems, you must use cryptotools certified in the
framework of certification system of FSB of Russia (those
approved by examining organization for compliance with
requirements of regulatory documents on information security
• Incorporation of cryptotools of classes KC1 and KC2 can be
performed without control on the part of FSB of Russia
FSB's guidelines on personal data
• Incorporation does not remove the problem of legal import of
foreign VPN products


• Is it possible to use a certified cryptolibrary as a component of
VPN solutions?
Yes, it is possible

• Will this use be a legitimate one?
No!!!


• Article 13.12. Violation of Information Security Rules (Code of
Administrative Offences)
i.1 – violation of licensing provisions (up to RUB 10000)
i.2. – use of non-certified security tools, if they are subject to obligatory
certification (up to RUB 20000 + confiscation)
i.3 – violation of licensing provisions related to state secret (up to RUB 20000)
i.4. – use of non-certified security tools related to state secret (up to RUB
30000 + confiscation)
i.5 – gross violation of licensing provisions (up to RUB 15000 + suspension of
activities for up to 90 day period)


• Article 13.13. Illegal Activity Related to Information Security (Code
of Administrative Offences)
i.1 – dealing with information protection without a license, if it is obligatory (up
to RUB 20000 + confiscation)
i.2. – dealing with state secret protection and development of tools for its
protection without a license (up to RUB 40000 + confiscation)


• Article 171. Illegal Enterprise (RF Criminal Code)
i.1 – performing activities without registration (if a license is obligatory), with
violations of registration rules, submittance of false facts to the licensing
agency, if it caused damage to citizens, organizations or state or was
accompanied by absorbing significant revenue (up to RUB 300000 or
compulsory labour up to 240 hours or detention up to 6 months)
i.2 – the same but committed by a group of persons or absorption of
particularly large revenue (up to RUB 500000 or imprisonment for up to 5
years)

• There are about 20 criminal cases initiated by FSB against
Russian organizations


• Recall of a licence by FSB (only for service licenses)
k) use, by Licensee, of encryption (cryptographic) tools of foreign manufacture
if these tools have been imported to the territory of the Russian Federation and
distributed there in compliance with the procedure established by statutory
legal acts of the Russian Federation

• Article 188. Contraband (RF Criminal Code)
i.1 – transferring goods in large quantities across customs border by-passing
customs, non-declaring or false declaring (up to RUB 300000 or imprisonment
for up to 5 years)


• Article 16.2. Non-Declaring or False Declaring (Code of Administrative
Offences)
i.1 – non-declaring (up to RUB 20000 or confiscation or double cost of contraband)
i.2 – false declaring aimed at understatement of custom amount (up to RUB 20000
or double cost of unpaid taxes or confiscation)
i.3 – false declaring aimed at by-passing import restrictions (up to RUB 300000 or
confiscation)

• Article 16.3. Incompliance With Restrictions for Import of Goods (Code
of Administrative Offences)
i.1 – incompliance with import restrictions of economic nature (up to RUB 300000)
i.2 – incompliance with import restrictions (up to RUB 100000 + confiscation)

• Article 16.7. Submittance of invalid documents when declaring goods at
customs (Code of Administrative Offences)
i.1 – alse declaring (up to RUB 300000 + confiscation)


• Article 14.1. Performance of entrepreneurial activities without
state registration or without a license (Code of Administrative
Offences))
i.3 – performance of activity with violation of licensing provisions (up to RUB
40000)
i.4 – performance of activity with gross violation of licensing provisions (up to
RUB 50000 + suspension of activities for up to 90 day period)


• In Spring of 2011, FSB expressed disquietude related to using
encryption tools of foreign manufacture in public-service
communications networks of the Russian Federation
Skype, Gmail, Hotmail, etc.
• The Commission decided to form an interagency task force for
the development of the RF Government proposals on using
cryptographic tools
• The proposals shall be submitted to the Government in the period
before October 1, 2011
Excursus in history: in August of 2007, the Minister of Education, Fursenko,
suggested to conquer the whole world through implementation of Russian
cryptography. Proposals on the world conquering must have been submitted to
the Government before December 1, 2007
It is true that later on our GOSTs were taken as RFC, and also as a basis for
DNSSEC… though afterwards it was announced that GOST 28147 had been
broken


Everything will
Liberalization Crackdown
remain as it is
• Probability - • Probability - • Probability -
20% 45% 30%
(currently) (currently) (currently)
• Probability in 2 • Probability in 2
years - 35% years - 20%
and 10% and 55%
(depending on (depending on
the winner of the winner of
presidential presidential
election) election)

Expert evidence of Cisco specialists


Adopt unified definition of the
'encryption tools' term
Define concept 'for in-house
needs'
Authorize the use of non-
certified crypto tools if
countertypes are unavailable
Add transparency to the
procedure of decision making
on crypto tools import
authorization
Refine the conditions of
licensing

• Cisco and S-Terra CSP have developed VPN solutions supporting
Russian crypto algorithms based on Cisco equipment
• FSB Certificate SF/114-1622, 114-1624, 124-1623, 124-1625,
124-1626 dated February 28, 2011
The Certificate is for KC2 class for both solutions

Solution for remote offices
• Based on the module for ISR G1 and G2
(2800/2900/3800/3900)

Solution for data centers and
headquarters
• Based on UCS C-200


Tried-and-true
The local
procedure of
Over 5,300 production of
submitting
notifications for the encryption module
applications for the
Cisco equipment NME-RVPN has
import of 'strict'
been started
cryptography

In Spring of 2011, Cisco obtained
FSB licenses for encryption activities


Consultative
Technical Center on RG
Committee 127 Compliance with CB
Subcommittee Subcommittee 3 "Security of the Requirements
127 (PK-3) (PK-3) Information of a set of BR IBBS
Technologies" of the Association
(TK-362) of the Russian
Banks (CC of ARB)

"IT Security" "Information "Information Consulting to Development of
(representative of Protection in Protection" of banks on recommendations on
ISO SC27 in Financial the Federal personal data personal data and on
Russia) Institutions" Service on issues the standard for
Technical and information security
Export Control of the organizations
(FSTEC) of the banking
system of the
Russian Federation
(STO BR IBBS) v4


Non-
500+ FSB Declared 28 96
Capabilities
(NDV)

FSTEC has certified Cisco unavailable in a product lines of product lines of Cisco
certificates for (together with S- number of Cisco have have been sertified
Cisco products Terra CSP) product lines of passed by FSTEC
solutions Cisco certification
under "batch
production"


FAQ about import of encryption tools

Cisco solutions on certified
cryptography
Cryptography regulation chart in
Russia (from slide 5)
… as well as many other things

http://www.facebook.com/CiscoRu
http://twitter.com/CiscoRussia
http://www.youtube.com/CiscoRussiaMedia
http://www.flickr.com/photos/CiscoRussia
http://vkontakte.ru/Cisco


Thank you!

security-request@cisco.com

Crypto regulations in Russia

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Crypto regulations in Russia

Similar to Crypto regulations in Russia (20)

More from Aleksey Lukatskiy

More from Aleksey Lukatskiy (20)

Recently uploaded

Recently uploaded (20)

Crypto regulations in Russia