USB Tokens
- Hardware: protected microcontroller with integrated non-volatile memory
- Interface: USB 1.1 interface+
- EEPROM memory: from 32 to 128 Kbytes
- Overall dimensions: 58x16x8 mm
- Weight: 6.3 g
- Serial number: 32-bit serial number, unique
- Supported operating systems:
  - Microsoft Windows 11/10/2019/2016/8.1/8/2012/7/2008/Vista/2003/XP,
  - GNU/Linux,
  - Apple macOS / OS X
Supported interfaces and standards
- PKCS#11 version 2.40, including the Russian profile (2.30 draft): +
- Microsoft Crypto API: +
- PC/SC: +
- Microsoft Smartcard API: +
- USB CCID (works without installing drivers): +
- ISO/IEC 7816: ISO/IEC 7816-4, 7816-8, 7816-12
- Cryptoprovider: own Crypto Service Provider
- X.509 version 3 certificates at the software level: +
Cryptographic features
- Support for the GOST 28147-89 algorithm: +
- Support for the GOST R 34.10-2012 algorithm: +
- Support for the GOST R 34.10-2001 algorithm: +
- Support for the GOST 34.11-2012 algorithm (256 and 512 bits): +
- Support for the GOST 34.11-94 algorithm: +
Generation of session keys (paired communication keys)
...
+
Cryptographic capabilities
- GOST R 34.10-2001: generate key pairs with quality control, form and check electronic signatures, private keys are valid for 3 years.
- GOST R 34.10-2012/GOST 34.10-2018 (256 and 512 bit): generate key pairs with quality control, form and check electronic signatures, private keys are valid for 3 years.
- GOST R 34.11-94: compute hash value of the data, including the possibility of subsequent electronic signature formation.
- GOST R 34.11-2012/GOST 34.11-2018 (256 and 512 bit): compute hash value of the data, including the possibility of subsequent electronic signature formation.
- GOST 28147-89: generate encryption key, encrypt data in overwrite mode, XOR-algorithm encryption with feedback, compute and check the cryptographic checksum.
- GOST R 34.12-2015/GOST 34.12-2018, GOST R 34.13-2015/GOST 34.13-2018 (Kuznechik): generate and import encryption keys, encrypt data in overwrite mode, XOR-algorithm encryption with feedback, compute and check the cryptographic checksum.
- GOST R 34.12-2015/GOST 34.12-2018, GOST R 34.13-2015/GOST 34.13-2018 (Magma): generate and import encryption keys, encrypt data in overwrite mode, XOR-algorithm encryption with feedback, compute and check the cryptographic checksum.
- Session key generation (pair bond keys):
  - according to the VKO GOST R 34.10-2001 (RFC 4357) scheme;
  - according to the VKO GOST R 34.10-2012 (RFC 7836);
  - decryption according to the EC El-Gamal scheme.
- RSA
...
+
...
Support algorithms DES (3DES), AES, RC2, RC4, MD4, MD5, SHA-1, SHA-256
...
storing the exported keys in EF,
SHA-1, SHA-256, MD5 PKCS#11, RC4, MD4, MD5, SHA-1, SHA-256, 3DES, AES minidriver
...
File system
- File structure: built-in, ISO/IEC 7816-4
- Type of placement of file objects in memory (file system architecture): using File Allocation Table (FAT)
- Number of folders and their nesting level: limited by memory
- Number of file objects within the folder: up to 255 inclusive
Storing key information
- RSA: support 1024, 2048, 4096 bit keys, generate key pairs with custom quality control, import key pairs, form electronic signature.
- ECDSA with curves secp256k1 and secp256r1: generate key pairs with custom quality control, import key pairs, form electronic signature.
- Generating a sequence of random numbers of the needed length.
Owner authentication capabilities
- Two-factor authentication: presentation of the identifier itself and presentation of a unique PIN.
- Support 3 categories of owners: Administrator, User, Guest.
- Support 2 global PIN codes: Administrator PIN and User PIN.
- Support local PINs to protect specific objects (such as certificate containers) in the device's memory.
- Custom hardware quality policies for PINs are processed by the firmware. They are set during formatting and can optionally be changed using the Administrator's PIN.
- PIN-quality policies:
  - Limitation of the minimum PIN length;
  - Restriction on using the default PIN;
  - Restriction on using a PIN which contains one repeated number;
  - Independent requirements for the presence of a variety of numbers, lowercase and uppercase Cyrillic or Latin letters, or special symbols in a PIN;
  - Memorizing up to 10 PIN values, with the option to prohibit using a PIN which has been set before.
- Support combined authentication: authentication according to the "Administrator or User" scheme, and authentication with global PINs in conjunction with authentication with local PINs.
- Create local PINs for extra protection of key information in the device memory. It is possible to work with several local PINs at the same time (up to 7 PINs).
- Limit the number of PIN entry attempts.
- Indicate that the global PINs have been changed from the default ones to original ones.
File system
- Built-in ISO/IEC 7816-4 file structure.
- The number of file objects inside a folder is up to 255.
- Use File Allocation Table (FAT) for optimal placement of file objects inside the memory.
- The level of nested folders is limited by the amount of free storage for the file system.
- Storage of private and symmetric keys without the possibility of exporting them.
- Use Security Environment for easy configuration of cryptographic operation settings.
- Use the Rutoken Special Files (RSF) for storing key information: encryption keys, certificates, etc.
- Use predetermined folders for storage of different types of key information with automatic selection of a certain folder while creating and using the RSF.
- Ability to change the User PIN policy. PIN change is available for the User, the Administrator, or both roles at the same time.
Interfaces
- Standard exchange protocols:
  - ISO/IEC 7816-12;
  - ISO 14443 (NFC) for non-contact chip.
- Support USB CCID: works without driver installation in modern OS versions.
- Support PC/SC.
- Microsoft Crypto API.
- Microsoft SmartCard API.
- PKCS#11 (including a Russian profile).
Built-in control and indication
- Control of the firmware integrity of Rutoken ECP.
- Control of the system memory areas integrity.
- Check the integrity of RSF before any use of them.
- Counters of changes in the file system and changes of any PINs to control any unauthorized changes.
- Check the correct functioning of cryptographic algorithms.
General characteristics
- Modern secure microcontroller.
- Identification with the 32-bit unique serial number.
- Supported operating systems:
- Microsoft Windows 2022/11/
...
- Prohibition of exporting private and symmetric keys: +
- File system encryption: transparent, GOST 28147-89 algorithm, a unique encryption key for each device instance
- Additionally: use the Security Environment to easily configure the parameters of cryptographic operations
Authentication and Privacy
- Two-factor authentication: yes, token presentation + PIN entry
- Access levels:
  - Guest,
  - User,
  - Administrator
- Delimiting access to file objects according to the access level: +
- Limit the number of PIN code entry attempts: yes, configurable
- PIN support:
  - global PIN codes: Administrator and User,
  - local PIN codes (for protecting specific objects in the device's memory, such as certificate containers)
- Minimum PIN size limit: yes, configurable independently for any PIN code
- Optional:
  - support for combined authentication:
    - global PIN authentication,
    - global PIN authentication combined with local PIN authentication,
  - the ability to simultaneously control access rights set by 1 to 7 local PIN codes,
  - indication of the fact that the default PIN codes have been changed.
Flash memory
- Capacity: from 0 to 64 GB (depending on the model)
- Average write speed, MB/s: 6.9
- Average read speed, MB/s: 29.3
RFID tags
- Ability to embed RFID tags: +
- Supported tag types:
  - EM-Marine,
  - Mifare,
  - ProxCard II and ISOProx II,
  - Indala
Integrated monitoring and display
- Firmware integrity monitoring: +
- Monitoring the integrity of system memory areas: +
- Checking the integrity of RSF files before use: +
- Counter types:
  - file system change counter,
  - PIN code change counter,
  - counter of consecutive failed PIN code entry attempts,
  - counter for successful electronic signature operations
- Verification of the correct functioning of cryptographic algorithms: +
- Presence of an LED indicator: +
- Modes of operation of the LED indicator:
  - ready for operation,
  - performing an operation,
  - violation in the system memory area
Smart Cards
Main Features
- Hardware: protected microcontroller with integrated non-volatile memory
- Interface: Smart card ID-1
- EEPROM memory: from 64 KB to 128 KB
- Overall dimensions: 85.6 x 53.98 x 0.76 mm
- Weight: 5.5 g
- Serial number: 32-bit serial number, unique
Supported operating systems
- 10/8.1/2019/2016/2012R2/8/2012/7/2008R2/Vista/2008/
- GNU/Linux, including Russian domestic ones,
- Apple macOS 10.9 and newer,
- Android 5 and newer,
- iOS 13 and
Supported interfaces and standards
- PKCS#11 version 2.20, including the Russian profile (2.30 draft): +
- Microsoft Crypto API: +
- PC/SC: +
- Microsoft Smartcard API: +
- USB CCID (works without installing drivers): +
- ISO/IEC 7816:
  - ISO/IEC 7816-3, T=0 and T=1 protocol for contact chip,
  - ISO 14443 (NFC) for contactless chip
- Cryptoprovider: own Crypto Service Provider
- X.509 version 3 certificates at the software level: +
Cryptographic features
- Support for the GOST 28147-89 algorithm: +
- Support for the GOST R 34.12-2015 (Magma) algorithm: +
- Support for the GOST R 34.12-2015 (Kuznechik) algorithm: +
- Support for the GOST R 34.10-2012 algorithm: +
- Support for the GOST 34.11-2012 algorithm (256 and 512 bits): +
- Support for the GOST 34.11-94 algorithm: +
Generation of session keys (paired communication keys)
- newer (iPhone XR, XS, XS Max and newer). Only for models with NFC,
- iOS/iPadOS 16.2 and newer. For contact connection.
- Aurora 4+
- 128 KB EEPROM memory.
- USB 1.1 interface and others.
- Size: 58x16x8 mm for USB-A and 52x16x8 mm for USB-C.
- Weight: 6.3 g.
Special capabilities
- Ability to create a special non-removable device key pair.
- Maintenance of an electronic signature transaction counter.
- Trusted reading of the value of the non-renewable counter, confirmed by electronic signature.
- Journaling the electronic signature operations, recording the critical parameters of the electronic signature.
- Trusted retrieval of logs, verified by electronic signature.
Additional capabilities
- Work with CIFP "CryptoPro ECP 5.0 R2" and newer according to the secure protocol SESPAKE (Functional Key Carrier 2) for contact and wireless (or non-contact) connection via NFC.
- Our own CSP with a standard interface kit and API functions.
- Ability to integrate into smartcard-oriented software products.
- A minidriver for integration with Microsoft Base Smart Card Cryptographic Service Provider.
Smart cards
Hardware cryptographic capabilities
- GOST R 34.10-2001: generate key pairs with quality control, form and check electronic signatures, private keys are valid for 3 years.
- GOST R 34.10-2012/GOST 34.10-2018 (256 and 512 bit): generate key pairs with quality control, form and check electronic signatures, private keys are valid for 3 years.
- GOST R 34.11-94: compute hash value of the data, including the possibility of subsequent electronic signature formation.
- GOST R 34.11-2012/GOST 34.11-2018 (256 and 512 bit): compute hash value of the data, including the possibility of subsequent electronic signature formation.
- GOST 28147-89: generate encryption key, encrypt data in overwrite mode, XOR-algorithm encryption with feedback, compute and check the cryptographic checksum.
- GOST R 34.12-2015/GOST 34.12-2018, GOST R 34.13-2015/GOST 34.13-2018 (Kuznechik): generate and import encryption keys, encrypt data in overwrite mode, XOR-algorithm encryption with feedback, compute and check the cryptographic checksum.
- GOST R 34.12-2015/GOST 34.12-2018, GOST R 34.13-2015/GOST 34.13-2018 (Magma): generate and import encryption keys, encrypt data in overwrite mode, XOR-algorithm encryption with feedback, compute and check the cryptographic checksum.
- Session key generation (pair bond keys):
  - according to the VKO GOST R 34.10-2001 (RFC 4357) scheme;
  - according to the VKO GOST R 34.10-2012 (RFC 7836);
  - decryption according to the EC El-Gamal scheme.
- RSA
...
+
...
ECDSA algorithm support
...
+
...
Support algorithms DES (3DES), AES, RC2, RC4, MD4, MD5, SHA-1, SHA-256
...
storing the exported keys in EF,
SHA-1, SHA-256, MD5 PKCS#11, RC4, MD4, MD5, SHA-1, SHA-256, 3DES, AES minidriver
...
File system
- File structure: built-in, ISO/IEC 7816-4
- Type of placement of file objects in memory (file system architecture): using the File Allocation Table (FAT)
- Number of folders and their nesting level: limited by the amount of free memory
- Number of file objects inside the folder: up to 255 inclusive
Storing key information
...
- RSA: support 1024, 2048, 4096 bit keys, generate key pairs with custom quality control, import key pairs, form electronic signature.
- ECDSA with curves secp256k1 and secp256r1: generate key pairs with custom quality control, import key pairs, form electronic signature.
- Generating a sequence of random numbers of the needed length.
Hardware cryptographic performance
- GOST 34.10-2012 (256) electronic signature: from 0.1 sec for NFC and from 0.1 sec for ISO
- GOST 34.10-2012 (512) electronic signature: from 0.25 sec for NFC and from 0.27 sec for ISO
- GOST 34.10-2001 electronic signature: from 0.1 sec for NFC and from 0.1 sec for ISO
- RSA-1024 electronic signature: from 0.05 sec for NFC and from 0.04 sec for ISO
- RSA-2048 electronic signature: from 0.21 sec for NFC and from 0.19 sec for ISO
- RSA-4096 electronic signature: from 1.12 sec for NFC and from 1.08 sec for ISO
- ECDSA-256 (secp256k1) electronic signature: from 0.14 sec for NFC and from 0.13 sec for ISO
- ECDSA-256 (secp256r1) electronic signature: from 0.10 sec for NFC and from 0.08 sec for ISO
- GOST R 34.11-2012 (256 and 512) hash rate: from 7.7 Kbps for NFC, up to 9.4 Kbps for ISO
- GOST R 34.11-94 hash rate: from 16.6 Kbps for NFC, up to 28.9 Kbps for ISO
- GOST 28147-89 hash rate: up to 18 Kbps for NFC, up to 35.3 Kbps for ISO
- GOST R 34.12-2015 (Magma) hash rate: up to 16.7 Kbps for NFC, up to 30.8 Kbps for ISO
- GOST R 34.12-2015 (Kuznechik) hash rate: up to 10 Kbps for NFC, up to 13.6 Kbps for ISO
Owner authentication capabilities
- Two-factor authentication: presentation of the identifier itself and presentation of a unique PIN.
- Support 3 categories of owners: Administrator, User, Guest.
- Support 2 global PIN codes: Administrator PIN and User PIN.
- Support local PINs to protect specific objects (such as certificate containers) in the device's memory.
- Custom hardware quality policies for PINs are processed by the firmware. They are set during formatting and can optionally be changed using the Administrator's PIN.
- PIN-quality policies:
  - Limitation of the minimum PIN length;
  - Restriction on using the default PIN;
  - Restriction on using a PIN which contains one repeated number;
  - Independent requirements for the presence of a variety of numbers, lowercase and uppercase Cyrillic or Latin letters, or special symbols in a PIN;
  - Memorizing up to 10 PIN values, with the option to prohibit using a PIN which has been set before.
- Support combined authentication: authentication according to the "Administrator or User" scheme, and authentication with global PINs in conjunction with authentication with local PINs.
- Create local PINs for extra protection of key information in the device memory. It is possible to work with several local PINs at the same time (up to 7 PINs).
- Limit the number of PIN entry attempts.
- Indicate that the global PINs have been changed from the default ones to original ones.
File system
- Built-in ISO/IEC 7816-4 file structure.
- The number of file objects inside a folder is up to 255.
- Use File Allocation Table (FAT) for optimal placement of file objects inside the memory.
- The level of nested folders is limited by the amount of free storage for the file system.
- Storage of private and symmetric keys without the possibility of exporting them.
- Use Security Environment for easy configuration of cryptographic operation settings.
- Use the Rutoken Special Files (RSF) for storing key information: encryption keys, certificates, etc.
- Use predetermined folders for storage of different types of key information with automatic selection of a certain folder while creating and using the RSF.
- Ability to change the User PIN policy. PIN change is available for the User, the Administrator, or both roles at the same time.
Interfaces
- The list of supported card readers isn't limited because the standard exchange protocols are implemented:
  - ISO/IEC 7816-3, T=0 and T=1 protocols for contact chip,
  - ISO 14443 (NFC) for non-contact chip.
- Support PC/SC.
- Microsoft Crypto API.
- Microsoft SmartCard API.
- PKCS#11 (including a Russian profile).
Built-in control and indication
- Control of the firmware integrity of Rutoken ECP.
- Control of the system memory areas integrity.
- Check the integrity of RSF before any use of them.
- Counters of changes in the file system and changes of any PINs to control any unauthorized changes.
- Check the correct functioning of cryptographic algorithms.
General characteristics
- Modern secure microcontroller.
- Identification with the 32-bit unique serial number.
- Supported operating systems:
  - Microsoft Windows 2022/11/10/8.1/2019/2016/2012R2/8/2012/7/2008R2/Vista/2008/XP/2003,
  - GNU/Linux (including Russian domestic ones),
  - Apple macOS 10.9 and newer,
  - Android 5 and newer,
  - iOS 13 and newer,
  - Aurora 4+.
- 128 KB EEPROM memory.
- Size: 85.6x53.98 mm.
- Weight: 5.5 g.
Special capabilities
- Ability to create a special non-removable device key pair.
- Maintenance of an electronic signature transaction counter.
- Trusted reading of the value of the non-renewable counter, confirmed by electronic signature.
- Journaling the electronic signature operations, recording the critical parameters of the electronic signature.
- Trusted retrieval of logs, verified by electronic signature.
Additional capabilities
- Work with CIFP "CryptoPro ECP 5.0 R2" and newer according to the secure protocol SESPAKE (Functional Key Carrier 2) for contact and wireless (or non-contact) connection via NFC.
- Our own CSP with a standard interface kit and API functions.
- Ability to integrate into smartcard-oriented software products.
- A minidriver for integration with Microsoft Base Smart Card Cryptographic Service Provider.
- Prohibition of exporting private and symmetric keys: +
- File system encryption: yes, transparent, GOST 28147-89 algorithm, unique encryption key for each device instance
- Additionally: use the Security Environment to easily configure the parameters of cryptographic operations
Authentication and Privacy
- Two-factor authentication: yes, token presentation + PIN entry
- Access levels:
  - Guest,
  - User,
  - Administrator
- Delimiting access to file objects according to the access level: +
- Limit the number of PIN code entry attempts: yes, configurable
- PIN support:
  - global PIN codes: Administrator and User,
  - local PIN codes (for protecting specific objects in the device's memory, such as certificate containers),
  - customizable hardware PIN quality policies
- Minimum PIN size limit: yes, configurable independently for any PIN code
- Optional:
  - support for combined authentication:
    - global PIN authentication,
    - global PIN authentication combined with local PIN authentication,
  - the ability to simultaneously control access rights set by up to 7 local PIN codes,
  - indication of the fact that global PIN codes have been changed from hidden ones to the original ones.
RFID tags
- Ability to embed RFID tags: +
- Supported tag types:
  - EM-Marine,
  - Mifare,
  - ProxCard II and ISOProx II,
  - etc.
Integrated monitoring and display
- Firmware integrity monitoring: +
- Monitoring the integrity of system memory areas: +
- Checking the integrity of RSF files before use: +
- Counter types:
  - file system change counter,
  - PIN code change counter,
  - counter of consecutive failed PIN entry attempts,
  - counter for successful electronic signature operations
- Verification of the correct functioning of cryptographic algorithms: +
- Modes of operation of the LED indicator:
  - ready for operation,
  - performing an operation,
  - violation in the system memory area