This page provides information about the technical characteristics of Rutoken devices: USB tokens and smart cards.

USB Tokens

Hardware cryptographic capabilities

  • GOST R 34.10-2001: generate key pairs with quality control, form and check electronic signatures; private keys are valid for 3 years.
  • GOST R 34.10-2012/GOST 34.10-2018 (256 and 512 bit): generate key pairs with quality control, form and check electronic signatures; private keys are valid for 3 years.
  • GOST R 34.11-94: compute the hash value of data, including for subsequent electronic signature formation.
  • GOST R 34.11-2012/GOST 34.11-2018 (256 and 512 bit): compute the hash value of data, including for subsequent electronic signature formation.
  • GOST 28147-89: generate encryption keys, encrypt data in simple replacement mode and in XOR (gamma) mode with feedback, compute and check the cryptographic checksum (MAC).
  • GOST R 34.12-2015/GOST 34.12-2018, GOST R 34.13-2015/GOST 34.13-2018 (Kuznechik): generate and import encryption keys, encrypt data in simple replacement mode and in XOR (gamma) mode with feedback, compute and check the cryptographic checksum (MAC).
  • GOST R 34.12-2015/GOST 34.12-2018, GOST R 34.13-2015/GOST 34.13-2018 (Magma): generate and import encryption keys, encrypt data in simple replacement mode and in XOR (gamma) mode with feedback, compute and check the cryptographic checksum (MAC).
  • Session key generation (pairwise keys):
    • according to the VKO GOST R 34.10-2001 scheme (RFC 4357);
    • according to the VKO GOST R 34.10-2012 scheme (RFC 7836);
    • decryption according to the EC El-Gamal scheme.
  • RSA: support for 1024, 2048 and 4096 bit keys, generate key pairs with custom quality control, import key pairs, form electronic signatures.
  • ECDSA with the secp256k1 and secp256r1 curves: generate key pairs with custom quality control, import key pairs, form electronic signatures.
  • Generation of a random number sequence of the required length.

Owner authentication capabilities

  • Two-factor authentication: possession of the device itself and knowledge of a unique PIN.
  • Support for 3 categories of owners: Administrator, User, Guest.
  • Support for 2 global PIN codes: Administrator PIN and User PIN.
  • Support for local PINs protecting specific objects (such as certificate containers) in the device memory.
  • Custom hardware PIN-quality policies are enforced by the firmware. They are set during formatting and can optionally be changed with the Administrator PIN.
  • PIN-quality policies:
    • minimum PIN length;
    • restriction on use of the default PIN;
    • restriction on use of a PIN consisting of a single repeated digit;
    • independent requirements for the presence of digits, lowercase and uppercase Cyrillic or Latin letters, or special symbols in the PIN;
    • memory of up to 10 previous PIN values, with the option to prohibit reuse of any PIN that was set before.
  • Support for combined authentication: authentication under the "Administrator or User" scheme, and authentication with global PINs combined with authentication with local PINs.
  • Creation of local PINs for extra protection of key information in the device memory; several local PINs (up to 7) can be used at the same time.
  • Limit on the number of PIN entry attempts.
  • Indication of whether the global PINs have been changed from their default values.

File system

  • Built-in ISO/IEC 7816-4 file structure.
  • Up to 255 file objects in a folder.
  • File Allocation Table (FAT) for optimal placement of file objects in memory.
  • Folder nesting depth is limited only by the free storage available to the file system.
  • Storage of private and symmetric keys with no possibility of exporting them.
  • Security Environment for convenient configuration of cryptographic operation settings.
  • Rutoken Special Files (RSF) for storing key information: encryption keys, certificates, etc.
  • Predefined folders for storing different types of key information, with automatic selection of the appropriate folder when creating and using an RSF.
  • Changeable User PIN policy: the PIN change may be allowed for the User, for the Administrator, or for both roles at the same time.

Interfaces

  • Standard exchange protocols:
    • ISO/IEC 7816-12;
    • ISO 14443 (NFC) for the contactless chip.
  • USB CCID support: works without driver installation in modern OS versions.
  • PC/SC support.
  • Microsoft Crypto API.
  • Microsoft SmartCard API.
  • PKCS#11 (including the Russian profile).

Built-in control and indication

  • Control of the firmware integrity of Rutoken ECP.
  • Control of the system memory areas integrity.
  • Check the integrity of RSF before any usage of them.
  • Counters of file system changes and of PIN changes, for detecting unauthorized changes.
  • Check the correct functioning of cryptographic algorithms.

General characteristics

  • Modern secure microcontroller.
  • Identification by a unique 32-bit serial number.
  • Supported operating systems:
    • Microsoft Windows 2022/11/10/8.1/2019/2016/2012R2/8/2012/7/2008R2/Vista/2008/
    • GNU/Linux, including Russian domestic distributions;
    • Apple macOS 10.9 and newer;
    • Android 5 and newer;
    • iOS 13 and newer (iPhone XR, XS, XS Max and newer), only for models with NFC;
    • iOS/iPadOS 16.2 and newer, for contact connection;
    • Aurora 4+.
  • 128 KB EEPROM memory.
  • USB 1.1 interface and others.
  • Size: 58x16x8 mm for USB-A and 52x16x8 mm for USB-C.
  • Weight: 6.3 g.

Special capabilities

  • Ability to create a special non-extractable device key pair.
  • Maintenance of an electronic signature transaction counter.
  • Trusted reading of the value of the non-resettable counter, confirmed by an electronic signature.
  • Logging of electronic signature operations, recording the critical parameters of each signature.
  • Trusted retrieval of the log, verified by an electronic signature.

Additional capabilities

  • Operation with the CIPF "CryptoPro ECP 5.0 R2" and newer over the SESPAKE secure protocol (Functional Key Carrier 2), for contact connection and for wireless (contactless) connection via NFC.
  • Proprietary CSP with a standard set of interfaces and API functions.
  • Can be integrated into smart-card-oriented software products.
  • Minidriver for integration with the Microsoft Base Smart Card Cryptographic Service Provider.

Smart cards

Hardware cryptographic capabilities

  • GOST R 34.10-2001: generate key pairs with quality control, form and check electronic signatures; private keys are valid for 3 years.
  • GOST R 34.10-2012/GOST 34.10-2018 (256 and 512 bit): generate key pairs with quality control, form and check electronic signatures; private keys are valid for 3 years.
  • GOST R 34.11-94: compute the hash value of data, including for subsequent electronic signature formation.
  • GOST R 34.11-2012/GOST 34.11-2018 (256 and 512 bit): compute the hash value of data, including for subsequent electronic signature formation.
  • GOST 28147-89: generate encryption keys, encrypt data in simple replacement mode and in XOR (gamma) mode with feedback, compute and check the cryptographic checksum (MAC).
  • GOST R 34.12-2015/GOST 34.12-2018, GOST R 34.13-2015/GOST 34.13-2018 (Kuznechik): generate and import encryption keys, encrypt data in simple replacement mode and in XOR (gamma) mode with feedback, compute and check the cryptographic checksum (MAC).
  • GOST R 34.12-2015/GOST 34.12-2018, GOST R 34.13-2015/GOST 34.13-2018 (Magma): generate and import encryption keys, encrypt data in simple replacement mode and in XOR (gamma) mode with feedback, compute and check the cryptographic checksum (MAC).
  • Session key generation (pairwise keys):
    • according to the VKO GOST R 34.10-2001 scheme (RFC 4357);
    • according to the VKO GOST R 34.10-2012 scheme (RFC 7836);
    • decryption according to the EC El-Gamal scheme.
  • RSA: support for 1024, 2048 and 4096 bit keys, generate key pairs with custom quality control, import key pairs, form electronic signatures.
  • ECDSA with the secp256k1 and secp256r1 curves: generate key pairs with custom quality control, import key pairs, form electronic signatures.
  • Generation of a random number sequence of the required length.

Hardware cryptographic performance

  • GOST 34.10-2012 (256) electronic signature: from 0.1 sec for NFC and from 0.1 sec for ISO
  • GOST 34.10-2012 (512) electronic signature: from 0.25 sec for NFC and from 0.27 sec for ISO
  • GOST 34.10-2001 electronic signature: from 0.1 sec for NFC and from 0.1 sec for ISO
  • RSA-1024 electronic signature: from 0.05 sec for NFC and from 0.04 sec for ISO
  • RSA-2048 electronic signature: from 0.21 sec for NFC and from 0.19 sec for ISO
  • RSA-4096 electronic signature: from 1.12 sec for NFC and from 1.08 sec for ISO
  • ECDSA-256 (secp256k1) electronic signature: from 0.14 sec for NFC and from 0.13 sec for ISO
  • ECDSA-256 (secp256r1) electronic signature: from 0.10 sec for NFC and from 0.08 sec for ISO
  • GOST R 34.11-2012 (256 and 512) hash rate: from 7.7 Kbps for NFC, up to 9.4 Kbps for ISO
  • GOST R 34.11-94 hash rate: from 16.6 Kbps for NFC, up to 28.9 Kbps for ISO
  • GOST 28147-89 encryption rate: up to 18 Kbps for NFC, up to 35.3 Kbps for ISO
  • GOST R 34.12-2015 (Magma) encryption rate: up to 16.7 Kbps for NFC, up to 30.8 Kbps for ISO
  • GOST R 34.12-2015 (Kuznechik) encryption rate: up to 10 Kbps for NFC, up to 13.6 Kbps for ISO

Owner authentication capabilities

  • Two-factor authentication: possession of the device itself and knowledge of a unique PIN.
  • Support for 3 categories of owners: Administrator, User, Guest.
  • Support for 2 global PIN codes: Administrator PIN and User PIN.
  • Support for local PINs protecting specific objects (such as certificate containers) in the device memory.
  • Custom hardware PIN-quality policies are enforced by the firmware. They are set during formatting and can optionally be changed with the Administrator PIN.
  • PIN-quality policies:
    • minimum PIN length;
    • restriction on use of the default PIN;
    • restriction on use of a PIN consisting of a single repeated digit;
    • independent requirements for the presence of digits, lowercase and uppercase Cyrillic or Latin letters, or special symbols in the PIN;
    • memory of up to 10 previous PIN values, with the option to prohibit reuse of any PIN that was set before.
  • Support for combined authentication: authentication under the "Administrator or User" scheme, and authentication with global PINs combined with authentication with local PINs.
  • Creation of local PINs for extra protection of key information in the device memory; several local PINs (up to 7) can be used at the same time.
  • Limit on the number of PIN entry attempts.
  • Indication of whether the global PINs have been changed from their default values.
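The PIN-quality policies listed for both the USB tokens and the smart cards above form a small rule set; the following Python checker is an added example, not Rutoken firmware or SDK code, and the default PIN values, policy parameters and the `PinPolicy` class name are assumptions for illustration:

```python
import hashlib
from typing import Optional


def _digest(pin: str) -> str:
    # Old PINs are remembered only as digests so the history never stores them in clear.
    return hashlib.sha256(pin.encode("utf-8")).hexdigest()


# Models the listed rules: minimum length, no default PIN, no single repeated
# character, required character classes, and a bounded history (up to 10) of old PINs.
class PinPolicy:
    def __init__(self, min_length: int = 6, forbid_default: bool = True,
                 forbid_repeated: bool = True, need_digit: bool = False,
                 need_lower: bool = False, need_upper: bool = False,
                 need_special: bool = False, history_size: int = 10,
                 default_pins: tuple = ("12345678", "87654321")):
        self.min_length, self.history_size = min_length, history_size
        self.forbid_default, self.forbid_repeated = forbid_default, forbid_repeated
        self.need_digit, self.need_lower = need_digit, need_lower
        self.need_upper, self.need_special = need_upper, need_special
        self.default_pins = set(default_pins)  # assumed values, not from the page
        self.history: list = []  # digests of recent PINs, oldest first

    def check(self, pin: str) -> Optional[str]:
        """Return None if the PIN satisfies the policy, else the reason it fails."""
        if len(pin) < self.min_length:
            return "shorter than minimum length"
        if self.forbid_default and pin in self.default_pins:
            return "default PIN is not allowed"
        if self.forbid_repeated and len(set(pin)) == 1:
            return "PIN consists of one repeated character"
        # str.islower()/isupper() cover both Latin and Cyrillic letters.
        if self.need_digit and not any(c.isdecimal() for c in pin):
            return "digit required"
        if self.need_lower and not any(c.islower() for c in pin):
            return "lowercase letter required"
        if self.need_upper and not any(c.isupper() for c in pin):
            return "uppercase letter required"
        if self.need_special and not any(not c.isalnum() and not c.isspace() for c in pin):
            return "special symbol required"
        if _digest(pin) in self.history:
            return "PIN was used before"
        return None

    def set_pin(self, pin: str) -> bool:
        # Apply a PIN change; on success remember its digest in the bounded history.
        if self.check(pin) is not None:
            return False
        self.history.append(_digest(pin))
        del self.history[:-self.history_size]  # keep only the newest history_size entries
        return True
```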

File system

  • Built-in ISO/IEC 7816-4 file structure.
  • Up to 255 file objects in a folder.
  • File Allocation Table (FAT) for optimal placement of file objects in memory.
  • Folder nesting depth is limited only by the free storage available to the file system.
  • Storage of private and symmetric keys with no possibility of exporting them.
  • Security Environment for convenient configuration of cryptographic operation settings.
  • Rutoken Special Files (RSF) for storing key information: encryption keys, certificates, etc.
  • Predefined folders for storing different types of key information, with automatic selection of the appropriate folder when creating and using an RSF.
  • Changeable User PIN policy: the PIN change may be allowed for the User, for the Administrator, or for both roles at the same time.

Interfaces

  • The list of supported card readers is not limited, because standard exchange protocols are implemented:
    • ISO/IEC 7816-3, T=0 and T=1 protocols for the contact chip;
    • ISO 14443 (NFC) for the contactless chip.
  • PC/SC support.
  • Microsoft Crypto API.
  • Microsoft SmartCard API.
  • PKCS#11 (including the Russian profile).

Built-in control and indication

  • Control of the firmware integrity of Rutoken ECP.
  • Control of the system memory areas integrity.
  • Check the integrity of RSF before any usage of them.
  • Counters of file system changes and of PIN changes, for detecting unauthorized changes.
  • Check the correct functioning of cryptographic algorithms.

General characteristics

  • Modern secure microcontroller.
  • Identification by a unique 32-bit serial number.
  • Supported operating systems:
    • Microsoft Windows 2022/11/10/8.1/2019/2016/2012R2/8/2012/7/2008R2/Vista/2008/XP/2003;
    • GNU/Linux (including Russian domestic distributions);
    • Apple macOS 10.9 and newer;
    • Android 5 and newer;
    • iOS 13 and newer;
    • Aurora 4+.
  • 128 KB EEPROM memory.
  • Size: 85.6x53.98 mm.
  • Weight: 5.5 g.

Special capabilities

  • Ability to create a special non-extractable device key pair.
  • Maintenance of an electronic signature transaction counter.
  • Trusted reading of the value of the non-resettable counter, confirmed by an electronic signature.
  • Logging of electronic signature operations, recording the critical parameters of each signature.
  • Trusted retrieval of the log, verified by an electronic signature.

Additional capabilities

  • Operation with the CIPF "CryptoPro ECP 5.0 R2" and newer over the SESPAKE secure protocol (Functional Key Carrier 2), for contact connection and for wireless (contactless) connection via NFC.
  • Proprietary CSP with a standard set of interfaces and API functions.
  • Can be integrated into smart-card-oriented software products.
  • Minidriver for integration with the Microsoft Base Smart Card Cryptographic Service Provider.