Several things prompted me to write this article:
- A debt to the company "Active", which kindly provided me with their new crypto-token Rutoken EDS 2.0, modification 3000. Nastya_d, I will tag you because you are the last person to post on behalf of the company
- COVID-19, which transferred the work of Rosreestr to the "by appointment only" mode with a chronic inability to enroll there
- Changes in legislation that were adopted after a series of last year's scandals related to the use of electronic signature
- Rosreestr update in terms of conducting electronic transactions and submitting any other electronic applications
So, probably, let's go. If you are not interested in something, you can go to an interesting title.
Rutoken EDS 2.0 3000
Data
New token under the old brand. It seems like some kind of additive 3000 at the end and it's not at all clear what it is about. Meanwhile, we have before us a fundamentally new carrier of key information. The only thing that unites it with the classic Rutoken EDS 2.0 is that it can be compatible with it, and as before, it can store unrecoverable private keys, cryptographic operations with which occur directly in the device controller, and private keys never leave its limits.
What's the difference? Perhaps there are four differences:
- This function key carrier (PKU), working on a protocol (actually metaprotokolu) SESPAKE , which gives us the protection channel between the driver and the controller by listening
- Multiple speedup when working with a token that has several keys with certificates
- Inability to work in FCN mode via PKCS # 11
- Lack of operation without CryptoPro
Let's go in order now.
FKN with SESPAKE makes it possible to protect the exchange channel between the driver / encryption provider and the storage controller. Previously, such an interception was possible, and any Wireshark fan with an installed USBcap could contemplate open PIN codes when working with the classic Rutoken EDS 2.0, which are broadcast in the controller's APDU commands, which potentially gives an attack vector for eavesdropping PIN'a and further signing everything and everyone without user interaction. And although formally private keys still remain unrecoverable, this may no longer be a matter of principle.
Acceleration. I do not know how and why, but if you had several certificates on one Rutoken EDS 2.0 token, then the brakes were provided. Especially when the software tries to go through all the certificates or find a container with the right one. Your humble servant personally grasped the situation when in some EDF systems the decryption of a small document took more than a minute. It all ended with the fact that Tensor in its plugins even banned the use of hardware tokens in conjunction with CryptoPro 5th version, which aroused much suspicion . Now everything is not so, I do not even notice the difference between when there was one certificate on the token, and now, when there are four of them (Tensor still does not work with hardware keys in plug-in versions somewhere since autumn 2019).
PKCS # 11 mode is the ability to use the manufacturer's library that implements the standard PKCS # 11 API for working with it (directly without the CryptoProvider). It is used a little under Windows, because The Windows Crypto API is the dominant way. Under Linux, alas, it seems, if you do not take the hypothetical opportunity to install CryptoPro under Linux and use it. CryptoPro for Linux is essentially an implementation of the Windows Crypto API, that is, no traditional software for Linux has supported it and will not support it. Rather, it is an opportunity for developers to cut government orders and develop appropriate server products for Linux with the possibility of GOST cryptography. There is no question of using it in Linux Desktop. Nevertheless, Rutoken supplies his PKCS # 11 library for the old Rutoken EDS 2.0 and I even managed to somehow make her friends with the plug-in of State Services for authentication by electronic signature. With FKN there is no such possibility, as I understand it, but perhaps the Active company will correct me.
Lack of operation without CryptoPro. This is most likely due to the previous paragraph. But in practice, there was some confusion when using Rutoken EDS 2.0. For some reason, few people know that Rutoken EDS 2.0 can work perfectly with CryptoPro 5th version. Perhaps due to the fact that it appeared long before CryptoPro 5. As a result, various market participants have developed custom solutions that allow you to work with Rutoken EDS 2.0 without CryptoPro. This led to quite serious difficulties in diagnosing problems on the sites. You say that you have CryptoPro and Rutoken EDS 2.0, but they tell you that Rutoken EDS 2.0 does not work through CryptoPro. Since 3000, there seems to be no alternative. Only CryptoPro 5. Good or bad - time will tell.
Images
If you are using CryptoPro 5 version, then support comes out of the box. The differences for the user are minimal. Creation of a key container:
In contrast to the blunt media, you now have a choice in which mode to generate a key pair. The top is the new FKN mode, at the bottom is the old Rutoken EDS 2.0 mode with PKCS # 11 support, in the middle is the dumb token mode in which the crypto provider does all the work.
When creating the first container in FKN mode, CryptoPro will ask you to set the PUK code and password:
As a result, we will receive a key pair, which can be viewed through the Rutoken Control Panel:
Summary
Rutoken EDS 2.0 3000 became for me a long-awaited replacement for the previously used functional key carrier from the APK CryptoPro Rutoken CSP 3.6, which was only able to use old GOST standards. Nevertheless, I am very upset that to work with all this stuff, I have to keep a virtual machine with Windows. It would be great if Rutoken revealed a description of his implementation of the SESPAKE protocol. I think that it will be possible to attach standard Linux libraries to work with this token without any problems.
COVID-19 and RosReestr
The pandemic adversely affected the ability to work with RosReestr. I donβt know about other regions, but some kind of bacchanalia happened in St. Petersburg. On the one hand, the MFC has completely switched to work by appointment (now they have exited, but they continue to remain for RosReestr services). On the other hand, it became possible to sign up for this only in the first minutes of the beginning of the day after 9:00 and somewhere 2-3 weeks in advance. The media reported that realtors booked everything for themselves, and then sold their turn - but since the record was personalized, in addition to buying a queue, it was also necessary to issue a trust for such a businessman, because no one else could go in turns.
An alternative to this has become notaries, who can electronically send documents for registering a transaction to Rosreestr, but they charge a lot for notarizing the transaction. Another alternative is DomClik from Sberbank: if the buyer buys on a mortgage, then DomClik allows you to register everything electronically (even with a small benefit at an interest rate).
The buyer was found on the mortgage, and together they decided to be issued through DomClick. But it was not there. The property turned out to be old, and the registration of rights was carried out in 1995. If you registered your rights before 01/31/1998, then you need:
- or submit an application for registration of previously arisen rights in advance (requires payment of a state fee)
- or submit such an application simultaneously with the transaction, then it is free
However, DomKlik does not know how to submit such applications. Notaries also do not undertake this for reasons unknown to me, which I did not find out. The deal was in jeopardy, as the MFC offered the record as early as September 23rd.
And then I come out all in white and say: "Let's do it electronically ourselves?"
Changes in legislation
Perhaps it is worth starting with the fact that last year they canceled the obligatory notarization of the transaction, if there is a common shared property and all the owners of the shares participate in the transaction. Of course, this is a positive thing, because the notaries are absolutely crazy - these guys should stay away if possible.
After a series of scandals ( one , two , three ) that swept in 2019 related to the registration of rights to real estate and the creation of legal entities using an electronic signature, some amendments to the law were adopted... In short: now, by default, it is possible to use ES for real estate transactions only if the ES certificate is issued by the certification center of Rosreestr, or rather its daughter, the FGBU "Cadastral Chamber". You can cancel this default by explicitly indicating that you want to do this with the certificate of any CA. However, for this you need to submit an application to Rosreestr through the MFC, and for this, pre-register for 2-3 weeks in advance (see above) - that is, no gain in time.
Well? CA Rosreestr turns out to be the only alternative. We start to study. The CA is located at the link . Click "How much does it cost?" 2200 rubles with an entry for a token. 700 rubles - Provided electronically, identity is verified at the office... Shit! In electronic form, this means that they work according to the scheme with a request for a certificate. That is, you can generate a pair in the most correct way at your workplace, send them a request, and in the office you just go through the identification procedure - this is what the CA should do.
We register, we enter all the data in the profile. We press "Send request". The site makes automatic diagnostics of the installed software: everything meets the necessary requirements, because only common browser plugins are used, not like Tensor. We generate a pair in the FCN mode on our new Rutoken EDS 2.0 3000. We are waiting. A few minutes later, emails about further actions come to the e-mail. It is said to wait for the document for payment. In about half an hour, a receipt for payment with a QR code arrives. Payment to the budget, therefore, UIN is used. We pay 700 rubles through an online bank. After another 20 minutes, the application goes into the paid state. Bundle Bank <-> GIS GMP <-> Rosreestr works faster than payments to account details, but the specific speed may depend on the selected bank.We call the phone number indicated in the letter to make an appointment for a time to verify identity - there are numbers even for today. Running to the office of the cadastral chamber. And here is the result - at 14:00 they were puzzled by this question. At 16:00 we went through the identity card procedure and while we were driving home, certificates were issued. The procedure is quite thorough, in addition to all documentary checks, photographs are also taken.Certificates, by the way, are for 15 months , and not as usual for a year.
Summary
Despite the fact that Rosreestr has remained a de facto monolith in the ES market for real estate transactions, it works well. Before that, I used the TC Tensor, where an individual can get an ES certificate for 500 rubles. But the speed of work, the fact that there is no need to install additional software like Tensor, a certificate for 15 months - all this gives me reason to praise Rosreestr for the first time in many years. Overpayment of 200 rubles relative to Tensor is worth it, IMHO.
Rosreestr update regarding electronic transactions
In the previous article on this topic, we considered the execution of transactions using the main portal of Rosreestr (not available at the time of writing). At first, I decided to follow the beaten path, but very quickly ran into the fact that the entered cadastral number of the premises was not validated, although it was entered absolutely correctly. Analysis of the HTML code showed that a crutch was inserted into the validator, which rejects most of the cadastral numbers for the first group of numbers, which denotes a region. All regions except six pieces (16, 26, 47, 61, 63 and 76) were thus banned. Of course, nowhere is it written about this. I wanted to bomb.
However, I quickly remembered that a similar functionality, but with a different interface was presented in the personal account of a citizen in Rosreestr(authorization via ESIA), which I could not test in the last article. I went there and a cursory examination showed that there are no restrictions for Peter. So we will do this.
On the possible reasons for this behavior of Rosreestr
β . . , . , , .
Go to the "Services and services" tab and select the service you need:
Next, we will have several steps to fill out an application (depending on the selected service):
At the first step, you just need to agree and tick the box.
Further, unfortunately, I do not publish the screenshots, since they contain a lot of personal data.
In the second step, you need to check and fill in the applicant's data. The data is pulled from the ESIA, but if your profile is not completely filled out, then something will have to be added. Rosreestr also badly pulls up residence and registration addresses from ESIA - most likely you will have to specify them manually. Also note that at this step there is an opportunity to add other applicants . This must be done if the apartment has several owners.
In the third step, you specify (in this case) property data (details of the premises, shares, etc.).
The fourth step is the hardest. Here you need to upload all the documents. Starting with scans of the passport, which each applicant certifies with his electronic signature, ending with contracts and other documents, which must be certified with electronic signatures of those who sign them. For example, a contract must be signed by all parties to the transaction. In addition, you may need a document that you only have in paper form or from a party that is not involved in the transaction - for example, the consent of a spouse. Here you can resort to a notary - notaries know how to scan documents and sign the scans with their electronic signature and the fact that the resulting electronic document is completely identical to the document on paper. Perhaps, if the entire document is drawn up by the notary himself,then he can immediately make it electronic with his signature without printing it out on paper - he has not verified whether notaries work this way in practice.
To sign one document with several electronic signatures so that all signatures fall into one file (Rosreestr does not support the ability to specify several files with signatures that relate to one document), in the comments to the last post, it was recommended to use the free Cryptoline utility from Taxcom . Indeed, the utility is fire, although the interface is a bit eccentric.
At the last (fifth) step, you have to re-check the composition of the submitted application, sign it and send it. Before sending, you will be asked about your desire to draw up a second application in the same package of documents. If you are registering a transaction (transfer of rights), and not just registration of rights, then this must be done. Moreover, the first application must be submitted by the current owners of the premises, and the second - on behalf of those to whom the right is transferred. In both statements, you need to attach an agreement signed by all parties to the transaction.
Summary
In a seemingly hopeless situation, there was a way out. This is because geeks are not a way of life, but a desire for the unknown. My past experience, woven from a simple desire to try the unknown, turned into real benefits.