Order of the FSB of the Russian Federation No. 795 of December 27, 2011

Hello.
Let me outline the situation: I work at a company as a developer; the main customer is a large state company.
We are now putting the finishing touches on the software being implemented for this company. And then I was pointed at this order and told that everything should be done properly. I skimmed the order and understood nothing. The software is written in .NET. It is known that using cryptographic protection tools not certified by the FSB/FAPSI is prohibited when working with state secrets or confidential information in state organizations.

Actually questions:
1) Are the cryptographic providers from System.Security.Cryptography certified by the FSB/FAPSI?
2) What should I be aware of or do after reading this order? :)
3) Guys, if you have experience in information security, writing software for state companies, etc., please share.

P.S. Questions 2 and 3 are not necessarily within the scope of .NET.
P.P.S. The order itself
October 8th 19 at 03:26
7 answers
October 8th 19 at 03:28
I'm afraid you'll have to look in the direction of products from CryptoPro.
Thanks for the reply! But I would rather not solve the problem in such a radical way :) The network connection goes through SSL; is it possible to somehow make do with signed certificates? - Electa.Bra commented on October 8th 19 at 03:31
cryptocom.ru/products/openvpn.html - monique_Weissnat39 commented on October 8th 19 at 03:34
October 8th 19 at 03:30
The contents of the order are similar to the requirements for an EV SSL certificate, with the exception of items 18, 29 and 30. They describe very specific PKI extensions, which can be difficult to fill in.
Regarding point 2: you need to generate a certificate request that meets the requirements of the order. The request (PKCS#10) can be generated in OpenSSL with the right config. Then have the certificate signed by an authorized CA. After that, the certificate can be used for its intended purpose.
October 8th 19 at 03:32
For some reason I am absolutely sure that at su they have already encountered this order and begun to think about what to do with it. We suggest you contact them for advice; the guys there are friendly and certainly won't refuse to give advice.
October 8th 19 at 03:34
Currently, where certified cryptography must be used and where it need not be is determined by PP-957. It is already 5 years old. In particular:

...
d) implementation of cryptographic algorithms recommended by the licensing authority, in the development of encryption (cryptographic) tools used in information-telecommunication systems and networks of critical facilities, Federal Executive authorities, Executive authorities of constituent entities of the Russian Federation, local self-government bodies and organizations responsible for the execution of works or rendering of services with use of encryption (cryptographic) means for the state and municipal needs;
...
PP-957 is no longer valid. Instead, PP-313 - Electa.Bra commented on October 8th 19 at 03:37
October 8th 19 at 03:36
The FSB orders are preparing the ground for the introduction of the qualified electronic signature. That is still a long way off, at least a year. At the very least, there are not even requirements for accredited certification authorities yet, let alone the authorities themselves. So what you are referring to is simply a systematic study of the new 63-FZ for future work.
October 8th 19 at 03:38
P.P.S. If SSL is used only as a transport, i.e. both sides are developed by you, then there is a free certified cryptographic service provider, VIPNet CSP. But you will have to write the "wrapper" around it yourself in this case.
October 8th 19 at 03:40
If the topic is still relevant: at the moment there are a bunch of changes associated with 63-FZ in general, and with order 795 in particular.

Answers to many questions can be found on the forum of OOO CryptoPro.

If you're too lazy to look, ask. I'll answer what I can.
