Good day, Habr! Today we will talk about what happens when legislation imposes requirements that cannot be met in practice. In general the result is obvious, those requirements simply go unmet, but here we will look at one specific example.
The example is the requirement of the FSB of Russia that any personal data transmitted over public communication networks (colloquially, simply the Internet) be encrypted only with certified cryptographic tools.
You are all lying, there is no such requirement!
Yes, we constantly hear objections such as “in fact, the law does not say ‘encrypt’, it says ‘protect personal data during transmission’, and those are different things” and “there is no requirement to use only certified cryptography, ordinary SSL will do.”
Well, okay, let’s take a close look at the legislation and figure it out.
The highest-level document we have here is Federal Law No. 152-FZ “On Personal Data”, article 19 of which says:
2. Ensuring the security of personal data is achieved, in particular:
2) application of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems, necessary to meet the requirements for the protection of personal data, the fulfilment of which is ensured by the levels of personal data protection established by the Government of the Russian Federation;
4. The composition and content of the organizational and technical measures needed, for each of the security levels, to fulfil the requirements for the protection of personal data established by the Government of the Russian Federation in accordance with part 3 of this article, are established by the federal executive body in the field of security and by the federal executive body authorized in the field of countering technical intelligence and technical protection of information, within the limits of their powers.
So far, so good. We are told that the protection of personal data is achieved, among other things, by technical measures, and that the list of those measures is first set at a high level of abstraction by the Government of the Russian Federation (its Decree No. 1119 is not particularly interesting for the question at hand) and then in more detail by the FSB of Russia and the FSTEC of Russia.
In pursuance of RF Government Decree No. 1119, the FSB issued Order No. 378 of July 10, 2014. The document is poorly structured, so you have to jump between paragraphs to work out what is going on. For convenience, only the clauses relevant to us are quoted below:
5. In accordance with clause 13 of the Requirements for the protection of personal data when processing them in personal data information systems, approved by Decree of the Government of the Russian Federation of November 1, 2012 No. 1119 (hereinafter, Requirements for the protection of personal data), to ensure security level 4 when processing personal data in information systems, the following requirements must be met:
d) use of information security tools that have passed the procedure for assessing conformity with the requirements of the legislation of the Russian Federation in the field of information security, in the case when the use of such tools is necessary to neutralize actual threats…
Here, too, we are not told directly that only certified information protection tools may be used, and we know that “conformity assessment” is not the same thing as “certification” (certification is only one of its forms). But read on:
9. To fulfil the requirement specified in subparagraph “d” of paragraph 5 of this document, for each of the levels of protection of personal data it is necessary to use a cryptographic information protection tool (CIPF, or SKZI in Russian) of the appropriate class, which makes it possible to ensure the security of personal data when targeted actions are carried out using hardware and (or) software tools with the aim of breaching the security of the personal data protected by the CIPF or creating the conditions for this (hereinafter, an attack), which is achieved by:
c) using, to ensure the required level of protection of personal data during their processing in the information system, CIPF of class KS1 and higher…
Here, too, the text does not say in so many words that only certified CIPF may be used. The problem is that “class KS1 and higher” can only be obtained by passing the FSB of Russia certification procedure for cryptographic information protection tools, so in practice the clause amounts to exactly that.
An attentive reader will say: “But look, subparagraph ‘d’ of paragraph 5 says ‘… in the case when the use of such tools is necessary to neutralize actual threats’. Maybe none of this applies to transmitting personal data over the Internet?”
Unfortunately, it does. In 2015 the FSB issued a document titled “Methodological recommendations for developing regulatory legal acts that define threats to the security of personal data that are relevant when processing personal data in personal data information systems operated in the course of the respective activities”. As soon as it came out we, of course, studied it carefully, took note of it and put it on the shelf, since these are not mandatory rules but merely “methodological recommendations”. As it turned out, however, nothing is more obligatory than something recommended by the FSB of Russia. For the most part the document is about how to write the sections of a Threat Model document that deal with cryptographic information protection tools, but it also contains the following provisions:
The use of CIPF to ensure the security of personal data is necessary in the following cases:
– if personal data is subject to cryptographic protection in accordance with the legislation of the Russian Federation;
– if there are threats in the information system that can only be neutralized with the help of cryptographic information protection tools…
Cases when threats can be neutralized only with the help of cryptographic information protection tools include:
– the transfer of personal data over communication channels that are not protected against interception of the transmitted information by an intruder or against unauthorized influence on that information (for example, when transferring personal data over public information and telecommunication networks);
– storage of personal data on storage media to which unauthorized access by an intruder cannot be ruled out by non-cryptographic methods and means.
So, putting together the entire regulatory framework discussed above, we get: interception of personal data transmitted over the Internet is a security threat that can be neutralized only with CIPF of class KS1 or higher certified by the FSB of Russia.
Note that any personal data must be protected during transmission over communication channels. That is, any portal with personal accounts that hold any personal data at all falls under these requirements. It does not matter that, with proper access control and no vulnerabilities, you can only see your own personal data there. For that data to be displayed on your client device the server has to send it to you over the network, which means that, under current legislation, those packets must be encrypted with FSB-certified cryptography. Thus both the largest public store of personal data of citizens of the Russian Federation, the State Services (Gosuslugi) portal, and, say, the website of any university with a personal account fall under these requirements.
And yes, why do we say these requirements have existed since 2008 rather than 2014? Because the old FSB orders put it even more simply and concisely:
7) To ensure the security of personal data during their processing in information systems, cryptographic tools must be used that are certified in the certification system of the FSB of Russia (having a positive opinion of an expert organization on compliance with the requirements of regulatory documents on information security).
And since, under 152-FZ, processing of personal data also includes their transfer over communication networks, we arrive at the same situation.
Meeting the requirement. Realities
Okay, we have sorted out the regulatory framework, now let’s see what happens in practice. And in practice it turned out like this:
data controllers ignored this requirement =>
since there was no demand, the developers of security products offered no solutions for a long time =>
the regulator understands all this and turns a blind eye to it during inspections =>
since the regulator does not “bother” them, personal data operators ignore this requirement, and the circle is closed.
Still, the categorical tone of the title should be qualified: perhaps, as of the beginning of 2021, it is not every portal with personal data that fails to encrypt it with certified cryptography, but 99 percent of them.
Since 2017 there has been a turning point in one link of that chain: domestic manufacturers of information security products began releasing certified TLS solutions precisely to solve this problem. But there were nuances. The solutions turned out to be far from friendly to deploy and use, especially on the client side.
The harshest option required paying for client-side software; the mildest required a specialized browser, for example Chromium-gost. Plenty of such operational problems arose even on desktops, let alone on mobile devices.
As a result, the solutions available today are only suitable where a web portal serves a limited number of people, for example an internal portal of a regional administration with some directories of that administration’s own employees. There, the extra cost of client software or the use of a specialized browser can simply be mandated. But this approach is entirely unsuitable for, say, commercial purposes. Imagine that you run an online store and tell a customer: “To place an order with us, first download a special browser, then …”. At that point the customer will surely go elsewhere.
After checking many state web portals, we found that only a small fraction of them use GOST cryptography even when accessed from a specialized browser. This is how, for example, the certificate of the torgi.gov.ru portal looks in such a browser:
In Firefox, however, the picture is this:
Good old RSA, definitely not certified, since the FSB only certifies GOST cryptography. What is happening is simply that the server negotiates whichever cipher suites the client offers: a GOST-capable browser gets a GOST certificate and a GOST cipher suite, while a stock browser, which offers no GOST suites at all, gets the RSA one. So the question arises: what is the point of GOST encryption that works only from special browsers, when from ordinary consumer browsers the same site works just as well, but over RSA? The requirement is met, after a fashion, but only for a negligible number of users.
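To make the observation above repeatable, here is an added example (not code from the original article) that reads the two algorithm identifiers from an X.509 certificate in DER and reports whether both the signature and the public key are GOST (the Russian OID arc 1.2.643) or Western (RSA, ECDSA). The certificate skeletons it is tested on are constructed inline and unsigned; the `fetch_and_classify` helper and the host name are an assumed usage, not something the article ran, and it will only ever see the RSA/ECDSA certificate of a dual-stack server because stock Python and OpenSSL offer no GOST cipher suites, which is exactly the Firefox situation described above.

```python
import ssl

# Well-known algorithm OIDs. Everything under 1.2.643 (the Russian arc) is GOST.
KNOWN_OIDS = {
    "1.2.643.2.2.3":         "GOST R 34.10-2001 with GOST R 34.11-94 (signature)",
    "1.2.643.7.1.1.3.2":     "GOST R 34.10-2012 256-bit with GOST R 34.11-2012 (signature)",
    "1.2.643.7.1.1.3.3":     "GOST R 34.10-2012 512-bit with GOST R 34.11-2012 (signature)",
    "1.2.643.7.1.1.1.1":     "GOST R 34.10-2012 256-bit public key",
    "1.2.643.7.1.1.1.2":     "GOST R 34.10-2012 512-bit public key",
    "1.2.840.113549.1.1.1":  "rsaEncryption (public key)",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption (signature)",
    "1.2.840.10045.2.1":     "ecPublicKey (public key)",
    "1.2.840.10045.4.3.2":   "ecdsa-with-SHA256 (signature)",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Split the body of a constructed DER element into (tag, value) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value))
    return out


def _decode_oid(body):
    """Decode OBJECT IDENTIFIER value bytes into dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def certificate_algorithms(der):
    """Return (signatureAlgorithm OID, subjectPublicKeyInfo algorithm OID)."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs, sig_alg = _children(cert)[:2]      # tbsCertificate, signatureAlgorithm
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:                # optional explicit [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_alg = _children(fields[5][1])[0]
    sig_oid = _decode_oid(_children(sig_alg[1])[0][1])
    key_oid = _decode_oid(_children(spki_alg[1])[0][1])
    return sig_oid, key_oid


def family(oid):
    if oid.startswith("1.2.643."):
        return "GOST"
    if oid.startswith("1.2.840.113549.1.1."):
        return "RSA"
    if oid.startswith("1.2.840.10045."):
        return "ECDSA"
    return "unknown"


def classify_certificate(der):
    sig_oid, key_oid = certificate_algorithms(der)
    return {
        "signature": (sig_oid, family(sig_oid), KNOWN_OIDS.get(sig_oid, "?")),
        "public_key": (key_oid, family(key_oid), KNOWN_OIDS.get(key_oid, "?")),
        "gost": family(sig_oid) == "GOST" and family(key_oid) == "GOST",
    }


# --- constructed test data: minimal unsigned certificate skeletons -------------
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                            # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_synthetic_certificate(sig_oid, key_oid):
    """Constructed skeleton: empty names, dummy validity/key bits/signature.
    It is not signed and would fail any verifier; only the two algorithm
    identifiers are meaningful, which is all the check above reads."""
    alg = lambda oid: _tlv(0x30, _encode_oid(oid))
    empty_name, utc = _tlv(0x30, b""), _tlv(0x17, b"250101000000Z")
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))                   # version v3
               + _tlv(0x02, b"\x01") + alg(sig_oid)              # serial, signature
               + empty_name + _tlv(0x30, utc + utc) + empty_name # issuer, validity, subject
               + _tlv(0x30, alg(key_oid) + _tlv(0x03, b"\x00"))) # subjectPublicKeyInfo
    return _tlv(0x30, tbs + alg(sig_oid) + _tlv(0x03, b"\x00"))


def fetch_and_classify(host, port=443):
    """Assumed live usage (needs network): e.g. fetch_and_classify("torgi.gov.ru")."""
    pem = ssl.get_server_certificate((host, port))
    return classify_certificate(ssl.PEM_cert_to_DER_cert(pem))


if __name__ == "__main__":
    gost = build_synthetic_certificate("1.2.643.7.1.1.3.2", "1.2.643.7.1.1.1.1")
    rsa = build_synthetic_certificate("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.1")
    print(classify_certificate(gost))
    print(classify_certificate(rsa))
```

A server that serves a GOST certificate only to GOST-capable clients will look fully Western to this script, so a negative result from a stock client does not prove the absence of a certified GOST stack; it proves only that ordinary users are not getting it, which is the article's point.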
Well, thanks even for that; the State Services portal, by contrast, did not bother at all:
Nowadays no one is surprised when legislation contains vague wording that allows several incompatible interpretations. In this article we have shown another problem: a requirement that is clear and understandable, but in practice impossible to meet.
For almost ten years the requirement in question was impracticable for websites with an unrestricted audience simply because no suitable technical solutions existed. When such solutions did appear on the portal side, the problem moved to the users, who want things fast and convenient and have no wish to install extra browsers or plugins, let alone paid client software, on their computers.
Only the FSB of Russia can do anything about this situation, by changing its requirements. There are many possible ways: the requirements could be differentiated by category of personal data operator, one set for government agencies, another for large private organizations, a third for small ones; their entry into force could be postponed until GOST encryption works in all browsers out of the box. Plenty could be done to make the requirements timely, adequate and feasible, but most likely everything will stay as it is.