Crypto regulations in Russia
    Crypto regulations in Russia: Presentation Transcript

    • Slide 1: Regulation of Cryptography in Russia. Alexey Lukatsky, Security Business Consultant. © 2011 Cisco and/or its affiliates. All rights reserved.
    • Slide 2/75: Increasing Role of Cryptography
      • Extended interaction with customers and partners, enhanced efficiency, accelerated globalization
      • Growth of system complexity, IT maturity, appearance of new tools
      • Changed threat landscape
    • Slide 3/75: Social Networks, Outsourcing, Virtualization, Clouds, Mobility, Web 2.0
    • Slide 4/75
      • Business and IT preferences: co-working; clouds and outsourcing; holdings
      • Requirements of regulatory bodies: legal import; legal usage; legal distribution
    • Slide 5/75
      • The first public regulatory documents date back to 1995
      • The key prerequisite when developing legal documents is total control of cryptographic tools through their whole lifetime
      • The legal document development is based on protection of state secrets
      • Federal Security Bureau (FSB) is still adhering to this approach even after 15 years, despite the growing number of its opponents
    • Slide 6/75
      • Import of cryptographic tools to the territory of the Russian Federation
      • Licensing of cryptography-related activities
      • Use of certified cryptographic tools
    • Slide 7/75
      • 1. Fuzzy terminology
      • 2. Legacy rules
      • 3. Various stages of life cycle imply various requirements
      • 4. Incomprehension of a modern business threat model
      • 5. Unavailability of well-defined position of the regulatory body
    • Slide 9/75
      • Cryptographic solutions of arbitrary implementation
      • HMAC of arbitrary implementation
      • Digital signature tools of arbitrary implementation
        • But not electronic signature tools (DS ≠ ES in new Russian regulations)
      • Encoding tools
      • Tools for creation of crypto keys
      • Crypto keys
      • but that is not all
    • Slide 10/75
      • Systems, equipment, and components designed or modified to perform cryptanalytic functions
      • Systems, equipment, and components designed or modified for using cryptographic techniques to generate the expanding code for systems with broadening spectrum, including code hopping for systems with frequency hopping
      • Systems, equipment, and components designed or modified for using cryptographic techniques of channel or scrambling code formation for time-modulated ultra-wideband systems
      • Cryptography ≠ compression or encoding techniques
    • Slide 11/75
      • The new law "On Licensing Certain Activities" has made companies obtain FSB-issued licenses for the development, manufacture, distribution, and maintenance of
        • information systems protected via cryptographic tools
        • telecommunication systems protected via cryptographic tools
      • Information system, in the aggregate, consists of database information together with IT and hardware
    • Slide 12/75
      • Usually, the need for using encryption (cryptographic) tools arises when other methods fail to provide secure information storage and processing
        • These cases include, for example, transfer of personal data via Internet, where it is fundamentally impossible to exclude illegal intruder access to information being transferred
      • Diagram labels: Laws; Confidentiality ≠ Encryption; Normative legal documents issued by regulatory bodies
    • Slide 13/75
      • Obtain entity's approval for transferring clear information
        • This is what Roskomnadzor does on its web site
      • Provide a controlled access zone
      • Use optical communication channels and correct threat model
      • Assign the task of providing confidentiality to communication provider
        • Under special agreement
      • Use encryption tools
    • Slide 14/75
      • Most of FSB's legal documents refer to confidential information or information of confidential nature
      • Federal law FZ-149 "On Information, Information Technologies, and Information Security" (as revised in 2006) refers to confidentiality as requirement, not as property or feature of information
      • Decree No. 188 ("On Approval of a List of Data of Confidential Nature") also says nothing of confidentiality
    • Slide 15/75
      • All life cycle stages of cryptographic tool: Development; Manufacture; Evaluation; Import; Export; Distribution; Implementation; Operation; Maintenance; Providing services; Control and supervision
    • Slide 17/75
      • Statute on importation of the encryption (cryptographic) tools to the customs territory of the customs union and exportation from the customs territory of the customs union
      • Encryption (cryptographic) tools which are subject to restricted importation to the customs territory of the customs union and restricted exportation from the customs territory of the customs union
      • These provisions are applied to ANY manufacturers
      • If a tool's encrypting functionality is not used or it is not its primary purpose, the tool is nevertheless considered to be cryptographic
    • Slide 18/75
      • Printers, copymakers, and faxes
      • Cash registers
      • Pocket computers
      • Pocket devices for recording, playing and displaying
      • Computing machinery and their constituent parts
      • Subscribers' communication units
      • Basic stations
      • Telecommunications equipment
      • Software
    • Slide 19/75
      • Equipment for radio and television broadcasting and reception
      • Radio-navigation receivers, remote control devices
      • Internet access equipment
      • Electronic circuitry, integrated microcircuits, data storage devices
      • Other
      • A large number of items from Groups 84 and 85 of the Unified Customs Tariff of the customs union formed by the Republic of Belarus, Republic of Kazakhstan, and Russian Federation
    • Slide 20/75
      • Simplified procedure: import under notification
      • By licensing: FSB's authorization; import by the license issued by the Ministry of Industry and Trade
      • Verification of the legality of import under notification: http://www.tsouz.ru/db/entr/notif/Pages/default.aspx
      • Verification of the legality of import under license: a copy of FSB's authorization for import
    • Slide 21/75
      • Goods containing encryption (cryptographic) tools, which include any of the following components:
        • symmetric cryptographic algorithm using cryptographic key of up to 56 bit length; or
        • asymmetric cryptographic algorithm based on any of the following methods:
          • i. factorization of integers with length shorter than or equal to 512 bits;
          • ii. calculation of discrete logarithms in multiplicative group of the finite field with the size less or equal to 512 bits; or
          • iii. discrete logarithm in the group with the size different from the one mentioned in “ii” above but less than 112 bits
      • Goods with cryptographic functionality blocked by manufacturer
      • Authentication and digital signature tools
    • Slide 22/75
      • Encryption (cryptographic) tools which are components of software operating systems, with cryptographic capabilities that cannot be changed by users, which have been developed to be installed by users themselves without further essential vendor support, their technical documentation (description of cryptographic conversion algorithms, interaction protocols, interface description, etc.) being publicly accessible
      • Encryption (cryptographic) equipment specially designed and restricted for use in banking or financial sphere
      • Wireless electronic equipment performing data encryption only in radio channel with maximum distance of wireless action, without amplification and retransmission, less than 400 m according to manufacturer's technical requirements
    • Slide 23/75
      • Encryption (cryptographic) tools used for protection of process channels of information and telecommunications systems and communications networks
      • Portable or mobile electronic means of civilian use without end-to-end encryption
      • Personal smart cards
      • Receiving equipment for radio broadcasting, commercial television and broadcasting for limited audience
      • Copy protection tools
    • Slide 25/75
      • FSB license for encryption business
        • Providing services in the sphere of information encryption
        • Support and maintenance of encryption tools
        • Distribution of encryption tools
        • Development and production of encryption tools and of information and telecommunication systems protected by using encryption (cryptographic) tools
      • On May 4, 2011, a new version of law "On Licensing Certain Activities" (99-FZ) was adopted
        • Unified license for development, production, distribution, performance of works, providing of services, and maintenance of encryption tools, information and telecommunications systems protected by encryption tools
    • Slide 26/75
      • In explicit form - no; however, activities including
        • mounting, installation, configuration of encryption (cryptographic) tools
        • repair, servicing of encryption (cryptographic) tools
        • recycling and destruction of encryption (cryptographic) tools
        • works on support and maintenance of encryption (cryptographic) tools provided for in technical and operational documentation
      • shall be attributed, in FSB opinion, to licensable activities – engineering maintenance
      • Engineering maintenance is a set of operations or an operation aimed at maintenance or serviceability of a product under conditions of its intended use, expectation, storage, and transportation
        • GOST 18322-78 "A System of engineering maintenance and repair of equipment. Terms and definitions"
    • Slide 27/75
      • Representatives of FSB's 8th Center have repeatedly asserted that licenses are not required for in-house needs
    • Slide 28/75
      • The new law "On Licensing Certain Activities" dated May 4, 2011 restored the in-house needs term (but only with respect to maintenance of encryption tools)
      • However, this term, in-house needs, has not been defined, and it brings forth a great many questions
        • Can encryption aimed at protection of employees' and customers' information be attributed to in-house needs or not?
        • Does encryption of personal data mean protection of own interests or protection of rights of personal data holders?
    • Slide 29/75
      • What is maintenance?
        • Operation of crypto tools in compliance with requirements of technical and operational documentation included in crypto tools delivery set is not considered to be maintenance activity relating to encryption (cryptographic) tools
      • Non-attributable to licensable activities
        • Transferring crypto tools to customers and affiliates
        • Generation and transfer of generated keys
    • Slide 30/75
      • Federal Law dated April 29, 2008 No. 57-FZ, Moscow, "On the Procedure of Foreign Investments to Business Entities Which are Strategically Important for National Defense and State Security"
        • In order to provide for national defense and state security, this Federal Law establishes expropriations of restrictive nature for foreign investors and groups of persons including foreign investors in case they participate in authorized capitals of business entities which are strategically important for national defense and state security and (or) make transactions which lead to instituting control over the specified business entities
    • Slide 31/75
      • A business entity which is strategically important for national defense and state security is an enterprise established in the territory of the Russian Federation and performing at least one of the activities which are strategically important for national defense and state security, these activities being specified in Article 6 of this Federal Law
        • i.i. 11-14 – 4 types of licensing related to encryption activities
        • Availability of just one router with IPSec requires a license for CIPT maintenance
      • On March 23, there were amendments adopted in the first reading to exclude banks (and only banks) from the list of strategic enterprises
    • Slide 33/75
      • Signed on April 3, 1995 (amended on July 25, 2000)
      • It is forbidden for state authorities to use encryption tools without certificate issued by FSB
      • State authorities are disallowed to place state-guaranteed order at enterprises that use encryption tools without a certificate
      • Appropriate measures shall be taken with respect to the banks which do not use certified encryption tools when communicating with the Bank of Russia
      • Activities of legal entities and individuals related to operation of encryption tools without an FSB license shall be enjoined
      • Import of encryption tools without a license issued by the Ministry of Industry and Trade together with FSB authorization shall be enjoined
      • The defaulters shall be punished with the utmost rigour of the law
    • Slide 34/75
      • Some of its provisions are still unexpired
        • For example, requirements on import of encryption tools and on the sole use of properly certified encryption tools by state authorities
      • Some articles have been virtually repealed by new statutory legal acts
        • The law "On Licensing Certain Activities"
        • The law "On Technical Regulation"
        • Civil Code
      • However, Decree No. 334 has not been explicitly repealed yet
        • Despite circulating rumors
    • Slide 35/75
      • Yes! The basic document is the Order on Approval of the Provision on the Development, Manufacturing, Sale, and Operation of Encryption (Cryptographic) Tools of Information Protection (PKZ-2005)
      • PKZ-2005 regulates relations which arise in the course of development, production, sale, and operation of encryption (cryptographic) tools for protecting limited-access data, which does not contain information classified as state secret (hereinafter - information of confidential nature)
        • Order dated 9.02.2005, No. 66 (signed by the Director of FSB and registered in the Ministry of Justice)
      • PKZ-2005 is not applicable to foreign crypto tools
    • Slide 36/75
      • PKZ-2005 is used for the protection of information of confidential nature, subject to protection in compliance with the RF law
        • Information protection in the Federal executive authorities and executive authorities of the RF constituent entities
        • Information protection in organizations, irrespective of their form of incorporation and pattern of ownership, when they fulfill orders for delivery of goods, performance of works, or provision of services for state needs (hereinafter - organizations fulfilling state-guaranteed orders)
        • Information protection assigned by the RF law to persons who have access to this information or who are provided with authority to administer data contained in this information
        • Protection of information owned by state authorities or organizations fulfilling state-guaranteed orders
    • Slide 37/75
      • The mode of information protection by using CIPT is established by
        • the holder of information of confidential nature
        • the possessor (owner) of information resources (information systems)
        • persons duly authorized by them on the basis of the RF law
    • Slide 38/75
      • Exchange of own data: holder of information; possessor (owner) of the system
      • Exchange with state authorities: state authority
      • Exchange with organizations fulfilling state-guaranteed orders: organization fulfilling state-guaranteed orders
      • Processing and storage without transfer: holder of information; user (consumer)
    • Slide 40/75
      • Crypto tools must meet the requirements of technical regulations, with the degree of compliance with them being assessed according to the procedure described in 184-FZ "On Technical Regulation"
        • PKZ-2005
      • The quality of cryptographic protection of confidential information performed by crypto tools is provided through implementation of requirements for information security imposed on crypto tools
    • Slide 41/75
      • In certain cases, protection level (crypto tools certification) is established in regulatory documents
        • Predominantly, in Requirements Specifications for Federal information systems
      • The package of standards for information security of the Bank of Russia (The Standard for information security of the organizations of the banking system of the Russian Federation (STO BR IBBS)) provides for using encryption tools certified for class of protection КС2, at least
      • In other cases, the required protection level is determined by the crypto tools user based on a model of illegal intruder
    • Slide 42/75
      • 3 protection levels – А (KА1), В (KВ1, KВ2), and C (KС1, KС2, KС3)
        • The level of crypto tools certification depends on the number and severity of requirements
      • 6 models of intruder
        • Н1 – external intruder acting without in-house assistance
        • Н2 – in-house intruder who is not crypto tools user
        • Н3 – in-house intruder who is crypto tools user
        • Н4 – intruder inviting experts in the sphere of crypto tools development and analysis
        • Н5 – intruder inviting research institutes in the sphere of crypto tools development and analysis
        • Н6 – intelligence services of foreign states
    • Slide 43/75
      • For cryptographic protection of confidential information, it is necessary to use crypto tools which meet the requirements for information security established in compliance with the Russian Federation law
        • PKZ-2005
    • Slide 44/75
      • Decree No. 351 and FZ-85 (on participation in international exchange of information)
      • Government regulation (PP-424) (on connection of the Federal state information systems to Internet)
      • FSS Order No. 487 (on the Russian segment of Internet)
      • Order of the Ministry of Communications No. 104 (on state-owned IS in public use)
      • Order of the Federal Service on Technical and Export Control/FSB No. 489/416 (on requirements for protection of publicly used IS)
      • Government regulation (PP-330) (on specific features of assessment of compliance of protection tools for state-owned Information Systems and Personal Data Information Systems)
      • Order of the Ministry of Economic Development No. 54 (on electronic sales areas)
      • FSB's guidelines on personal data
      • Government regulation (PP-781) (on protection of personal data)
      • As well as FZ-149, Special requirements on technical protection of confidential information, PP-608, Decree No. 334, Guidelines of FSTEC on Key systems of information infrastructure
    • Slide 45/75
      • Chart: The number of regulatory legal documents which require certification in compliance with security requirements
      • * - for 2011 – preliminary assessment of new regulatory documents drafts (FZ “On National Payment System”, FZ “On Official Secrecy”, new orders of FSTEC/FSB, etc.)
    • Slide 46/75
      • There are two certification systems under FSB line
        • The system of certification of cryptographic information protection tools (РОСС RU.0001.030001)
        • The system of certification of information protection tools in compliance with security requirements for information classified as state secret (РОСС RU.0003.01БИ00)
      • Crypto tools are estimated for compliance with "The Requirements to Tools for Cryptographic Protection of Confidential Information"
      • User shall be responsible for using non-certified crypto tools
      • Impossibility to update certified products
    • Slide 47/75
      • Old regulatory documents refer predominantly to certification, whereas new ones refer to evaluation
      • Evaluation ≠ certification
      • Evaluation is direct or indirect determination of meeting the requirements imposed on the object
      • Evaluation is controlled by FZ-184 "On Technical Regulation"
    • Slide 48/75
      • Diagram, forms of Evaluation: State control and supervision; Accreditation; Tests; Registration; Compliance approval; Facultative certification; Obligatory certification; Declaration of compliance; Acceptance and introduction into service; In other form
    • Slide 49/75
      • Work of representative offices of foreign companies in Russia
        • Import of western cryptography or export of domestic one
      • Commercial IP television and IP video surveillance
        • The devices do not and will not support GOSTs as they are manufactured abroad and delivered to hundreds of countries in the world
      • Encryption at rates higher than 10 Gbit/s
        • Backbone links or synchronization of data centers
      • Standards of wireless communications 802.11i, mobile communications 2.5G, 3G, as well as LTE and Wi-Max
    • Slide 50/75
      • Encryption in smartphones, iPhones, etc.
      • Access to Russian Internet banks from a computer in Internet cafe when on holiday abroad
        • No certified cryptolibraries with GOSTs are available for this
      • Access from abroad to any Russian payment system (Assist, ChronoPay, Yandex.Dengi, Rapida, etc.), as well as to any other system of e-commerce (booking tickets, buying books in Internet stores, etc.)
      • Protected electronic Web mail via HTTPS
    • Slide 51/75
      • Encryption using FibreChannel protocol when recording to tape in a data center
      • Encryption using FibreChannel protocol when transferring data within a data center or between different data centers
      • Outsourcing and XaaS (Cloud Computing)
        • All processing operations are performed via Internet and, probably, somewhere abroad
      • Support of SCADA
      • And so on
    • Slide 53/75
      • Encryption at rates 40 Gbit/s
      • The regulatory body / domestic manufacturers have proposed to make a cluster of VPN gateways
        • A gateway can support rate up to 1 Gbit/s
      • A final solution – 40+n gateways at one end and the same number of gateways at the other end
        • How much do 80+2n domestic VPN gateways cost?
        • n items are required for redundancy
    • Slide 54/75
      • You install certified crypto tools, then
      • You cannot
        • Work efficiently with multimedia traffic (Telepresence, etc.) at the same level as foreign crypto tools do
        • Work at multi-gigabit rates (especially higher than 3.5 Gbit/s)
        • Work from abroad using leased computers/devices
        • Use outsourcing and cloud computing (including in Russia)
        • Use most of mobile platforms in your business
      • And it would cost you a colossal amount of money ;-(
    • Slide 55/75
      • Non-Russian VPN products cannot be used for encryption of most types of information to be protected
        • If it is not authorized by FSB
        • De facto, having obtained permission for import, you gain the right to use
        • The issue related to the terms including confidential information, confidentiality, information of confidential nature remains open
      • It is impossible to certify foreign crypto tools
        • Only GOST-implementing crypto tools are subject to certification
        • Requirements for certification of foreign-manufacture crypto tools are unavailable
      • The collision: in certain cases, you can only use certified crypto tools. Domestic crypto tools do not meet technical requirements, whereas it is impossible to certify crypto tools of foreign manufacture
    • Slide 56/75
      • To provide security of personal data when processing them in information systems, you must use cryptotools certified in the framework of certification system of FSB of Russia (those approved by examining organization for compliance with requirements of regulatory documents on information security)
      • Incorporation of cryptotools of classes KC1 and KC2 can be performed without control on the part of FSB of Russia
        • FSB's guidelines on personal data
      • Incorporation does not remove the problem of legal import of foreign VPN products
    • Slide 57/75
      • Is it possible to use a certified cryptolibrary as a component of VPN solutions?
        • Yes, it is possible
      • Will this use be a legitimate one?
        • No!!!
    • Slide 59/75
      • Article 13.12. Violation of Information Security Rules (Code of Administrative Offences)
        • i.1 – violation of licensing provisions (up to RUB 10000)
        • i.2 – use of non-certified security tools, if they are subject to obligatory certification (up to RUB 20000 + confiscation)
        • i.3 – violation of licensing provisions related to state secret (up to RUB 20000)
        • i.4 – use of non-certified security tools related to state secret (up to RUB 30000 + confiscation)
        • i.5 – gross violation of licensing provisions (up to RUB 15000 + suspension of activities for up to 90 day period)
    • Slide 60/75
      • Article 13.13. Illegal Activity Related to Information Security (Code of Administrative Offences)
        • i.1 – dealing with information protection without a license, if it is obligatory (up to RUB 20000 + confiscation)
        • i.2 – dealing with state secret protection and development of tools for its protection without a license (up to RUB 40000 + confiscation)
    • Slide 61/75
      • Article 171. Illegal Enterprise (RF Criminal Code)
        • i.1 – performing activities without registration (if a license is obligatory), with violations of registration rules, submission of false facts to the licensing agency, if it caused damage to citizens, organizations or state or was accompanied by absorbing significant revenue (up to RUB 300000 or compulsory labour up to 240 hours or detention up to 6 months)
        • i.2 – the same but committed by a group of persons or absorption of particularly large revenue (up to RUB 500000 or imprisonment for up to 5 years)
      • There are about 20 criminal cases initiated by FSB against Russian organizations
    • Slide 62/75
      • Recall of a licence by FSB (only for service licenses)
        • k) use, by Licensee, of encryption (cryptographic) tools of foreign manufacture if these tools have been imported to the territory of the Russian Federation and distributed there in compliance with the procedure established by statutory legal acts of the Russian Federation
      • Article 188. Contraband (RF Criminal Code)
        • i.1 – transferring goods in large quantities across customs border by-passing customs, non-declaring or false declaring (up to RUB 300000 or imprisonment for up to 5 years)
    • Slide 63/75
      • Article 16.2. Non-Declaring or False Declaring (Code of Administrative Offences)
        • i.1 – non-declaring (up to RUB 20000 or confiscation or double cost of contraband)
        • i.2 – false declaring aimed at understatement of customs amount (up to RUB 20000 or double cost of unpaid taxes or confiscation)
        • i.3 – false declaring aimed at by-passing import restrictions (up to RUB 300000 or confiscation)
      • Article 16.3. Non-compliance With Restrictions for Import of Goods (Code of Administrative Offences)
        • i.1 – non-compliance with import restrictions of economic nature (up to RUB 300000)
        • i.2 – non-compliance with import restrictions (up to RUB 100000 + confiscation)
      • Article 16.7. Submission of invalid documents when declaring goods at customs (Code of Administrative Offences)
        • i.1 – false declaring (up to RUB 300000 + confiscation)
    • Slide 64/75
      • Article 14.1. Performance of entrepreneurial activities without state registration or without a license (Code of Administrative Offences)
        • i.3 – performance of activity with violation of licensing provisions (up to RUB 40000)
        • i.4 – performance of activity with gross violation of licensing provisions (up to RUB 50000 + suspension of activities for up to 90 day period)
    • Slide 66/75
      • In Spring of 2011, FSB expressed disquietude related to using encryption tools of foreign manufacture in public-service communications networks of the Russian Federation
        • Skype, Gmail, Hotmail, etc.
      • The Commission decided to form an interagency task force for the development of the RF Government proposals on using cryptographic tools
      • The proposals shall be submitted to the Government in the period before October 1, 2011
        • Excursus in history: in August of 2007, the Minister of Education, Fursenko, suggested conquering the whole world through implementation of Russian cryptography. Proposals on the world conquering must have been submitted to the Government before December 1, 2007
        • It is true that later on our GOSTs were taken as RFC, and also as a basis for DNSSEC… though afterwards it was announced that GOST 28147 had been broken
    • Slide 67/75
      • Everything will remain as it is: probability 20% (currently)
      • Liberalization: probability 45% (currently)
      • Crackdown: probability 30% (currently)
      • Probability in 2 years: 35% and 10%; 20% and 55% (depending on the winner of presidential election)
      • Expert evidence of Cisco specialists
    • Slide 68/75
      • Adopt unified definition of the encryption tools term
      • Define concept for in-house needs
      • Authorize the use of non-certified crypto tools if countertypes are unavailable
      • Add transparency to the procedure of decision making on crypto tools import authorization
      • Refine the conditions of licensing
    • Slide 70/75
      • Cisco and S-Terra CSP have developed VPN solutions supporting Russian crypto algorithms based on Cisco equipment
      • FSB Certificate SF/114-1622, 114-1624, 124-1623, 124-1625, 124-1626 dated February 28, 2011
        • The Certificate is for KC2 class for both solutions
        • Solution for remote offices: based on the module for ISR G1 and G2 (2800/2900/3800/3900)
        • Solution for data centers and headquarters: based on UCS C-200
    • Slide 71/75
      • Tried-and-true procedure of submitting applications for the import of strict cryptography
      • The local production of the encryption module NME-RVPN has been started
      • Over 5,300 notifications for the Cisco equipment
      • In Spring of 2011, Cisco obtained FSB licenses for encryption activities
    • Slide 72/75
      • Technical committee and subcommittee boxes (Committee 127; Subcommittee 127 (PK-3); Subcommittee 3 (PK-3); "Security of the Information Technologies" (TK-362)): "IT Security" (representative of ISO SC27 in Russia); "Information Protection in Financial Institutions"; "Information Protection" of the Federal Service on Technical and Export Control (FSTEC)
      • Consultative Center on Compliance with Requirements of a set of BR IBBS of the Association of the Russian Banks (CC of ARB): consulting to banks on personal data issues
      • RG CB: development of recommendations on personal data and on the standard for information security of the organizations of the banking system of the Russian Federation (STO BR IBBS) v4
    • Slide 73/75
      • 500+ FSTEC certificates for Cisco products
      • FSB has certified Cisco (together with S-Terra CSP) solutions
      • Non-Declared Capabilities (NDV) unavailable in a number of product lines of Cisco
      • 28 product lines of Cisco have passed certification under "batch production"
      • 96 product lines of Cisco have been certified by FSTEC
    • Slide 74/75
      • FAQ about import of encryption tools
      • Cisco solutions on certified cryptography
      • Cryptography regulation chart in Russia (from slide 5)
      • … as well as many other things
      • http://www.facebook.com/CiscoRu
      • http://twitter.com/CiscoRussia
      • http://www.youtube.com/CiscoRussiaMedia
      • http://www.flickr.com/photos/CiscoRussia
      • http://vkontakte.ru/Cisco
    • Thank you! security-request@cisco.com