For dummies 

Purpose of CryptoPro CSP. Purpose of CryptoPro CSP Cryptopro csp version 3.9

CryptoPro CSP 5.0 is a new generation of crypto provider, developing three main product lines of the CryptoPro company: CryptoPro CSP (classic tokens and other passive storage of secret keys), CryptoPro FKN CSP/Rutoken CSP (unretrievable keys on tokens with secure messaging) and CryptoPro DSS (keys in the cloud).

All the advantages of products from these lines are not only preserved, but also multiplied in CryptoPro CSP 5.0: the list of supported platforms and algorithms is wider, performance is higher, and the user interface is more convenient. But the main thing is that working with all key media, including keys in the cloud, is now uniform. For translate application system, in which any version of CryptoPro CSP worked, to support keys in the cloud or to new media with non-removable keys, no software reworking will be required - the access interface remains the same, and working with the key in the cloud will occur in exactly the same way as and with classic key carrier.

Purpose of CryptoPro CSP

  • Formation and verification electronic signature.
  • Ensuring confidentiality and monitoring the integrity of information through its encryption and imitation protection.
  • Ensuring authenticity, confidentiality and imitational protection of connections using the and protocols.
  • System and application integrity monitoring software to protect it from unauthorized changes and violations of trusted functioning.

Supported Algorithms

In CryptoPro CSP 5.0, along with Russian ones, foreign cryptographic algorithms are implemented. Now users have the opportunity to use familiar key media to store RSA and ECDSA private keys.

Supported key storage technologies

Cloud token

In the cryptoprovider CryptoPro CSP 5.0, for the first time, it became possible to use keys stored on cloud service CryptoPro DSS, via the CryptoAPI interface. Now keys stored in the cloud can be easily used by any user applications, as well as most Microsoft applications.

Media with non-retrievable keys and secure messaging

CryptoPro CSP 5.0 adds support for media with non-retrievable keys that implement the protocol SESPAKE, allowing authentication without transmitting the user’s password in clear text, and establishing an encrypted channel for the exchange of messages between the crypto provider and the carrier. An attacker located in the channel between the medium and the user's application can neither steal the authentication password nor replace the signed data. When using such media, the problem of secure work with non-removable keys is completely solved.

The companies Active, InfoCrypt, SmartPark and Gemalto have developed new secure tokens that support this protocol (SmartPark and Gemalto starting from version 5.0 R2).

Media with non-removable keys

Many users want to be able to work with non-retrievable keys, but not upgrade tokens to the FKN level. Especially for them, the provider has added support for popular key media Rutoken EDS 2.0, JaCarta-2 GOST and InfoCrypt VPN-Key-TLS.

List of manufacturers and models supported by CryptoPro CSP 5.0

List of manufacturers and models of media with non-retrievable keys supported by CryptoPro CSP 5.0
Company Carrier
ISBC Esmart Token GOST
Assets Rutoken 2151
Rutoken PINPad
Rutoken EDS
Rutoken EDS 2.0
Rutoken EDS 2.0 2100
Rutoken EDS 2.0 3000
Rutoken EDS PKI
Rutoken EDS 2.0 Flash
Rutoken EDS 2.0 Bluetooth
Rutoken EDS 2.0 Touch
Smart card Rutoken 2151
Smart card Rutoken EDS 2.0 2100
Aladdin R.D. JaCarta-2 GOST
Infocrypt InfoCrypt Token++ TLS
InfoCrypt VPN-Key-TLS

Classic passive USB tokens and smart cards

Most users prefer fast, cheap and convenient key storage solutions. As a rule, preference is given to tokens and smart cards without cryptographic coprocessors. As in previous versions provider, CryptoPro CSP 5.0 retains support for all compatible media produced by the companies Active, Aladdin R.D., Gemalto/SafeNet, Multisoft, NovaCard, Rosan, Alioth, MorphoKST and SmartPark.

In addition, of course, as before, methods for storing keys in the Windows registry, on a hard drive, on flash drives on all platforms are supported.

List of manufacturers and models supported by CryptoPro CSP 5.0

List of manufacturers and models of classic passive USB tokens and smart cards supported by CryptoPro CSP 5.0
Company Carrier
Alioth SCOne Series (v5/v6)
Gemalto Optelio Contactless Dxx Rx
Optelio Dxx FXR3 Java
Optelio G257
Optelio MPH150
ISBC Esmart Token
Esmart Token GOST
MorphoKST MorphoKST
NovaCard Cosmo
Rosan G&D element V14 / V15
G&D 3.45 / 4.42 / 4.44 / 4.45 / 4.65 / 4.80
Kona 2200s / 251 / 151s / 261 / 2320
Kona2 S2120s/C2304/D1080
SafeNet eToken Java Pro JC
eToken 4100
eToken 5100
eToken 5110
eToken 5105
eToken 5205
Assets Rutoken 2151
Rutoken S
Rutoken KP
Rutoken Lite
Rutoken EDS
Rutoken EDS 2.0
Rutoken EDS 2.0 3000
Rutoken EDS Bluetooth
Rutoken EDS Flash
Smart card Rutoken 2151
Smart card Rutoken Lite
Smart card Rutoken EDS SC
Smart card Rutoken EDS 2.0
Aladdin R.D. JaCarta GOST
JaCarta PKI
JaCarta PRO
JaCarta LT
JaCarta-2 GOST
Infocrypt InfoCrypt Token++ lite
Multisoft MS_Key isp.8 Hangar
MS_Key ESMART use.5
SmartPark Master's
R301 Foros
Oscar
Oscar 2
Magister's Rutoken

CryptoPro Tools

Cross-platform (Windows/Linux/macOS) appeared as part of CryptoPro CSP 5.0 graphic application- “CryptoPro Tools”.

The main idea is to provide users with the opportunity to conveniently solve common problems. All basic functions are available in a simple interface - at the same time, we have also implemented a mode for advanced users, which opens up additional opportunities.

Using CryptoPro Tools, the tasks of managing containers, smart cards and crypto provider settings are solved, and we have also added the ability to create and verify a PKCS#7 electronic signature.

Supported Software

CryptoPro CSP allows you to quickly and securely use Russian cryptographic algorithms in the following standard applications:

  • office suite Microsoft Office;
  • mail server Microsoft Exchange and client Microsoft Outlook;
  • products Adobe Systems Inc.;
  • browsers Yandex.Browser, Sputnik, Internet Explorer ,Edge;
  • application signature generation and verification tool Microsoft Authenticode;
  • web servers Microsoft IIS, nginx, Apache;
  • Remote Desktop Tools Microsoft Remote Desktop Services;
  • Microsoft Active Directory.

Integration with the CryptoPro platform

From the very first release, support and compatibility with all our products are provided:

  • CryptoPro CA;
  • CA Services;
  • CryptoPro EDS;
  • CryptoPro IPsec;
  • CryptoPro EFS;
  • CryptoPro.NET;
  • CryptoPro Java CSP.
  • CryptoPro NGate

Operating systems and hardware platforms

Traditionally, we work in an unrivaled wide range of systems:

  • Microsoft Windows;
  • Mac OS;
  • Linux;
  • FreeBSD;
  • Solaris;
  • Android;
  • Sailfish OS.

hardware platforms:

  • Intel/AMD;
  • PowerPC;
  • MIPS (Baikal);
  • VLIW (Elbrus);
  • Sparc.

and virtual environments:

  • Microsoft Hyper-V
  • VMWare
  • Oracle Virtual Box
  • RHEV.

Supported different versions CryptoPro CSP.

To use CryptoPro CSP with a license for workplace and server.

Interfaces for embedding

For integration into applications on all platforms, CryptoPro CSP is available through standard interfaces for cryptographic tools:

  • Microsoft CryptoAPI;
  • PKCS#11;
  • OpenSSL engine;
  • Java CSP (Java Cryptography Architecture)
  • Qt SSL.

Performance for every taste

Many years of development experience allows us to cover all solutions from miniature ARM boards such as Raspberry PI to multiprocessor servers on Intel based Xeon, AMD EPYC and PowerPC, perfectly scaling performance.

Regulatory documents

Complete list of regulatory documents

  • The crypto provider uses algorithms, protocols and parameters defined in the following documents Russian system standardization:
  • R 50.1.113–2016 " Information technology. Cryptographic information protection. Cryptographic algorithms accompanying the use of electronic digital signature algorithms and hashing functions" (also see RFC 7836 "Guidelines on the Cryptographic Algorithms to Accompany the Usage of Standards GOST R 34.10-2012 and GOST R 34.11-2012")
  • R 50.1.114–2016 “Information technology. Cryptographic information protection. Elliptic curve parameters for cryptographic algorithms and protocols" (also see RFC 7836 "Guidelines on the Cryptographic Algorithms to Accompany the Usage of Standards GOST R 34.10-2012 and GOST R 34.11-2012")
  • R 50.1.111–2016 “Information technology. Cryptographic information protection. Password protection of key information"
  • R 50.1.115–2016 “Information technology. Cryptographic information protection. "Shared Key Generation Protocol with Password Authentication" (also see RFC 8133 The Security Evaluated Standardized Password-Authenticated Key Exchange (SESPAKE) Protocol ")
  • Methodological recommendations TC 26 “Cryptographic information protection” “Use of sets of encryption algorithms based on GOST 28147-89 for the security protocol transport layer(TLS)"
  • Methodological recommendations of TC 26 “Cryptographic information protection” “Use of GOST 28147-89, GOST R 34.11 and GOST R 34.10 algorithms in cryptographic messages in CMS format”
  • Technical specification TC 26 “Cryptographic information protection” “Use of GOST 28147-89, GOST R 34.11-2012 and GOST R 34.10-2012 in the IKE and ISAKMP key exchange protocols”
  • Technical specification TC 26 “Cryptographic information protection” “Use of GOST 28147-89 when encrypting attachments in IPsec ESP protocols”
  • Technical specification TC 26 “Cryptographic information protection” “Use of GOST R 34.10, GOST R 34.11 algorithms in the certificate profile and certificate revocation list (CRL) infrastructure public keys X.509"
  • Technical specification TC 26 “Cryptographic information protection” “PKCS#11 extension for use Russian standards GOST R 34.10-2012 and GOST R 34.11-2012"
Cryptoprovider CryptoPro CSP is designed for:
  • authorization and ensuring legal validity electronic documents when exchanging them between users, through the use of procedures for generating and verifying an electronic digital signature (EDS) in accordance with domestic standards GOST R 34.10-94, GOST R 34.11-94, GOST R 34.10-2001;
  • ensuring confidentiality and monitoring the integrity of information through its encryption and imitation protection, in accordance with GOST 28147-89; ensuring authenticity, confidentiality and impersonation protection of TLS connections;
  • integrity control of system and application software to protect it from unauthorized changes or violation of correct functioning; management of key elements of the system in accordance with the regulations on protective equipment.

Key media for CryptoPro CSP

CryptoPro CSP can be used in conjunction with a variety of key media, but most commonly used as key media Windows registry, flash drives and tokens.

The most secure and convenient key media that is used in conjunction with CryptoPro CSP,are tokens. They allow you to conveniently and securely store your electronic signature certificates. Tokens are designed in such a way that even if stolen, no one will be able to use your certificate.

Supported CryptoPro CSP key carriers:
  • floppy disks 3.5";
  • MPCOS-EMV processor cards and Russian smart cards (Oscar, RIK) using smart card readers that support the PC/SC protocol (GemPC Twin, Towitoko, Oberthur OCR126, etc.);
  • Touch-Memory DS1993 - DS1996 tablets using Accord 4+ devices, electronic lock"Sable" or Touch-Memory DALLAS tablet reader;
  • electronic keys With USB interface;
  • removable media with USB interface;
  • Windows OS registry;

Digital signature certificate for CryptoPro CSP

CryptoPro CSP works correctly with all certificates issued in accordance with GOST requirements, and therefore with the majority of certificates issued by Certification Authorities in Russia.

In order to start using CryptoPro CSP, you will definitely need a digital signature certificate. If you have not yet purchased a digital signature certificate, we recommend that you do so.

Supported Windows Operating Systems

CSP 3.6 CSP 3.9 CSP 4.0
Windows 10 x86/x64 x86/x64
Windows 2012 R2 x64 x64
Windows 8.1 x86/x64 x86/x64
Windows 2012 x64 x64 x64
Windows 8 x86/x64 x86/x64 x86/x64
Windows 2008 R2 x64 / itanium x64 x64
Windows 7 x86/x64 x86/x64 x86/x64
Windows 2008 x86 / x64 / itanium x86/x64 x86/x64
Windows Vista x86/x64 x86/x64 x86/x64
Windows 2003 R2 x86 / x64 / itanium x86/x64 x86/x64
Windows XP x86/x64
Windows 2003 x86 / x64 / itanium x86/x64 x86/x64
Windows 2000 x86

Supported UNIX-like operating systems

CSP 3.6 CSP 3.9 CSP 4.0
iOS 11 ARM7 ARM7
iOS 10 ARM7 ARM7
iOS 9 ARM7 ARM7
iOS 8 ARM7 ARM7
iOS 6/7 ARM7 ARM7 ARM7
iOS 4.2/4.3/5 ARM7
Mac OS X 10.12 x64 x64
Mac OS X 10.11 x64 x64
Mac OS X 10.10 x64 x64
Mac OS X 10.9 x64 x64
Mac OS X 10.8 x64 x64 x64
Mac OS X 10.7 x64 x64 x64
Mac OS X 10.6 x86/x64 x86/x64

Android 3.2+ / 4 ARM7
Solaris 10/11 x86/x64/sparc x86/x64/sparc x86/x64/sparc
Solaris 9 x86/x64/sparc
Solaris 8
AIX 5/6/7 PowerPC PowerPC PowerPC
FreeBSD 10 x86/x64 x86/x64
FreeBSD 8/9 x86/x64 x86/x64 x86/x64
FreeBSD 7 x86/x64
FreeBSD 6 x86
FreeBSD 5
LSB 4.0 x86/x64 x86/x64 x86/x64
LSB 3.0 / LSB 3.1 x86/x64
RHEL 7 x64 x64
RHEL 4 / 5 / 6 x86/x64 x86/x64 x86/x64
RHEL 3.3 spec. assembly x86 x86 x86
RedHat 7/9
CentOS 7 x86/x64 x86/x64
CentOS 5/6 x86/x64 x86/x64 x86/x64
TD OS AIS FSSP of Russia (GosLinux) x86/x64 x86/x64 x86/x64
CentOS 4 x86/x64
Ubuntu 15.10 / 16.04 / 16.10 x86/x64 x86/x64
Ubuntu 14.04 x86/x64 x86/x64
Ubuntu 12.04 / 12.10 / 13.04 x86/x64 x86/x64
Ubuntu 10.10 / 11.04 / 11.10 x86/x64 x86/x64
Ubuntu 10.04 x86/x64 x86/x64 x86/x64
Ubuntu 8.04 x86/x64
Ubuntu 6.04 x86/x64
ALTLinux 7 x86/x64 x86/x64
ALTLinux 6 x86/x64 x86/x64 x86/x64
ALTLinux 4/5 x86/x64
Debian 9 x86/x64 x86/x64
Debian 8 x86/x64 x86/x64
Debian 7 x86/x64 x86/x64
Debian 6 x86/x64 x86/x64 x86/x64
Debian 4/5 x86/x64
Linpus Lite 1.3 x86/x64 x86/x64 x86/x64
Mandriva Server 5
Business Server 1		 x86/x64 x86/x64 x86/x64
Oracle Enterprise Linux 5/6 x86/x64 x86/x64 x86/x64
Open SUSE 12.2/12.3 x86/x64 x86/x64 x86/x64
SUSE Linux Enterprise 11 x86/x64 x86/x64 x86/x64
Linux Mint 18 x86/x64 x86/x64
Linux Mint 13 / 14 / 15 / 16 / 17 x86/x64 x86/x64

Supported Algorithms

CSP 3.6 CSP 3.9 CSP 4.0
GOST R 34.10-2012 Creating a signature 512 / 1024 bit
GOST R 34.10-2012 Signature verification 512 / 1024 bit
GOST R 34.10-2001 Creating a signature 512 bit 512 bit 512 bit
GOST R 34.10-2001 Signature verification 512 bit 512 bit 512 bit
GOST R 34.10-94 Creating a signature 1024 bit*
GOST R 34.10-94 Signature verification 1024 bit*
GOST R 34.11-2012 256 / 512 bit
GOST R 34.11-94 256 bit 256 bit 256 bit
GOST 28147-89 256 bit 256 bit 256 bit

* - up to version CryptoPro CSP 3.6 R2 (build 3.6.6497 dated 2010-08-13) inclusive.

CryptoPro CSP license terms

By purchasing CryptoPro CSP, you get serial number, which you need to enter during the installation or configuration process of the program. The validity period of the key depends on the selected license. CryptoPro CSP can be distributed in two versions: with an annual or perpetual license.

Having purchased perpetual license, you will receive a CryptoPro CSP key, the validity of which will not be limited. If you buy, you will receive a serial number CryptoPro CSP, which will be valid for a year after purchase.

  • Generation of electronic signature keys and approval keys
  • Generating and verifying an electronic signature
  • Import of software-generated private ES keys - to enhance their security
  • Updating the installation base of the cryptoprovider "CryptoPro CSP"

Peculiarities

The main feature (previously the product was called "CryptoPro eToken CSP") is the use of functional key carrier (FKN) technology.

Functional key carrier (FKN)- architecture of software and hardware products based on smart cards or USB tokens, implementing a fundamentally new approach to providing safe use key on a smart card or USB token.

Thanks to the presence of a secure communication channel between the token and the crypto provider, part of the cryptographic transformations, including the storage of private keys and digital signature keys in non-removable form, is transferred to a smart card or USB token.

In addition to hardware generation of keys, their secure storage and generation of digital signatures in the microprocessor of the key carrier, the FKN architecture allows you to effectively resist attacks associated with the substitution of a hash value or signature in the communication channel between the software and hardware parts of the CSP.

In “CryptoPro FKN CSP” version 3.9, the key carrier is a specially developed JaCarta CryptoPro token, presented in the form factors of a smart card and a USB token.

Part CIPF "CryptoPro FKN CSP" version 3.9 includes a specially developed JaCarta CryptoPro token with the ability to calculate digital signature using the FKN technology of the CRYPTO-PRO company and produced in the form factors of a USB token (in Nano or XL housing) or a smart card.

JaCarta CryptoPro securely stores and uses private digital keys, performs mutual authentication of the CSP and the token, as well as strict two-factor authentication of the user-token owner.

Key advantages of JaCarta CryptoPro

  • It is the fastest token among FKN devices (it is almost 3 times faster than existing products working with FKN in the speed of electronic signature generation - based on the Protocol for measuring the performance of FKN devices "CRYPTO-PRO" dated December 8, 2014).
  • The principle applied Secure by design– uses a secure microcontroller, designed to be secure for security purposes, has built-in protection on both the hardware and program levels from cloning, hacking and all other attacks known to date.
  • The generation of ES keys, approval keys, as well as the creation of ES occurs within the JaCarta CryptoPro token.
  • Uses a secure data transmission channel with software part"CryptoPRO FKN CSP".

Compound

"CryptoPro FKN CSP" version 3.9 consists of two key components.

1. USB token or JaCarta CryptoPro smart card:

  • is a functional key carrier (FKN), in which Russian cryptography is implemented in hardware;
  • allows you to safely store and use private keys;
  • generates an electronic signature “under the mask” - K(h), which allows you to protect the exchange channel between the token (smart card) and the crypto software provider (CSP);
  • performs mutual authentication of the CSP and the token and strict two-factor authentication of the user - the owner of the token.

2. Crypto Provider (CSP):

  • is high level software interface(MS CAPI) for external applications and provides them with a set of cryptographic functions;
  • from the signature “under the mask” received from the hardware token (smart card) - K(h), “removes” the mask K(s) and forms a “normal” signature, understandable for external applications

Architecture of "CryptoPro FKN CSP" version 3.9


Technical characteristics of the JaCarta CryptoPro token

Microcontroller Specifications ManufacturerINSIDE Secure
ModelAT90SC25672RCT
EEPROM Memoryс72 KB
Operating system characteristics operating systemAthena Smartcard Solutions OS755
International certificatesCC EAL4+
Supported crypto algorithmsGOST R 34.10-2001, GOST 28147-89, GOST R 34.11-94
Supported Interfaces USBYes
Contact interface (ISO7816-3)T=1
Safety Certificates FSB of RussiaCertificate of Conformity of the Federal Security Service of Russia No. SF/114-2734
Certificate of conformity of the Federal Security Service of Russia No. SF/114-2735
Supported OS Microsoft Windows Server 2003 (32/64-bit platforms)
Microsoft Windows Vista(32/64-bit platforms)
Microsoft Windows 7(32/64-bit platforms)
Microsoft Windows Server 2008(32/64-bit platforms)
Microsoft Windows Server 2008 R2(32/64-bit platforms)
CentOS 5/6(32/64-bit platforms)
Linpus Lite 1.3(32/64-bit platforms)
Mandriva Server 5(32/64-bit platforms)
Oracle Enterprise Linux 5/6(32/64-bit platforms)
Open SUSE 12(32/64-bit platforms)
Red Hat Enterprise Linux 5/6(32/64-bit platforms)
SUSE Linux Enterprise 11(32/64-bit platforms)
Ubuntu 8.04/10.04/11.04/11.10/12.04(32/64-bit platforms)
ALT Linux 5/6(32/64-bit platforms)
Debian 6(32/64-bit platforms)
FreeBSD 7/8/9(32/64-bit platforms)
Execution time of cryptographic operations Importing a key3.2 op/s (USB token), 2.4 op/s (smart card)
Creating a signature5.8 op/s (USB token), 3.9 op/s (smart card)
Available Key Media Smart cardJaCarta CryptoPro
USB tokenJaCarta CryptoPro

Safety Certificates

confirming that the cryptographic information protection tool (CIPF) "CryptoPro FKN CSP" Version 3.9 (version 1) complies with the requirements of GOST 28147-89, GOST R 34.11-94, GOST R 34.10-2001, the requirements of the FSB of Russia for encryption (cryptographic) class means KS1, requirements for electronic signature tools, approved by order of the FSB of Russia dated December 27, 2011 No. 796, established for class KS1, and can be used for cryptographic protection (creation and management of key information, encryption of data contained in the area random access memory, calculation of the hash function value for data contained in the RAM area, protection of TLS connections, implementation of electronic signature functions in accordance with Federal Law of April 6, 2011 No. 63-FZ “On Electronic Signature”: creation of an electronic signature, verification electronic signature, creation of an electronic signature key, creation of a key for verifying an electronic signature) information that does not contain information constituting a state secret.

confirming that the cryptographic information protection tool (CIPF) "CryptoPro FKN CSP" Version 3.9 (version 2) complies with the requirements of GOST 28147-89, GOST R 34.11-94, GOST R 34.10-2001, the requirements of the FSB of Russia for encryption (cryptographic) class means KS2, requirements for electronic signature tools, approved by order of the FSB of Russia dated December 27, 2011 No. 796, established for class KS2, and can be used for cryptographic protection (creation and management of key information, encryption of data contained in the RAM area, calculation of the value hash functions for data contained in the RAM area, protection of TLS connections, implementation of electronic signature functions in accordance with Federal Law of April 6, 2011 No. 63-FZ "On Electronic Signature": creation of an electronic signature, verification of an electronic signature, creation of an electronic signature key, creation of a key for verifying an electronic signature) information that does not contain information constituting a state secret.