Smart cards |
|---|
Hardware cryptographic capabilities | - GOST R 34.10-2001: generate key pairs with quality control, form and check electronic signatures, private keys are valid for 3 years.
- GOST R 34.10-2012/GOST 34.10-2018 (256 and 512 bit): generate key pairs with quality control, form and check electronic signatures, private keys are valid for 3 years.
- GOST R 34.11-94: compute hash value of the data, including the possibility of subsequent electronic signature formation.
- GOST R 34.11-2012/GOST 34.11-2018 (256 and 512 bit): compute hash value of the data, including the possibility of subsequent electronic signature formation.
- GOST 28147-89: generate encryption key, encrypt data in overwrite mode, XOR-algorithm encryption with feedbackencrypt data in CTR cipher mode and in CFB cipher mode, compute and check the cryptographic checksum.
- GOST R 34.12-2015/GOST 34.12-2018, GOST R 34.13-2015/GOST34.13.2018 (Kuznechik): generate and import encryption keys, encrypt data in overwrite mode, XOR-algorithm encryption with feedbackencrypt data in CTR cipher mode and in CFB cipher mode, compute and check the cryptographic checksum.
- GOST R 34.12-2015/GOST 34.12-2018, GOST R 34.13-2015/GOST34.13.2018 (Magma): generate and import encryption keys, encrypt data in overwrite mode, XOR-algorithm encryption with feedbackencrypt data in CTR cipher mode and in CFB cipher mode, compute and check the cryptographic checksum.
- Session key generation (pair bond keys):
- according to the VKO GOST R 34.10-2001 (RFC 4357) scheme;
- according to the VKO GOST R 34.10-2012 (RFC 7836);
- decryption according to the EC El-Gamal scheme.
- RSA: support 1024, 2048, 4096 bit keys, generate key pairs with custom quality control, import key pairs, form electronic signature.
- ECDSA with curves secp256k1 and secp256r1: generate key pairs with custom quality control, import key pairs, form electronic signature.
- Generating a sequence of random numbers of the needed length.
|
| - GOST 34.10-2012 (256) electronic signature: from 0.1 sec for NFC anD from 0.1 sec for ISO
- GOST 34.10-2012 (512) electronic signature: from 0.25 sec for NFC anD from 0.27 sec for ISO
- GOST 34.10-2001 electronic signature: from 0.1 sec for NFC anD from 0.1 sec for ISO
- RSA-1024 electronic signature: from 0.05 sec for NFC anD from 0.04 sec for ISO
- RSA-2048 electronic signature: from 0.21 sec for NFC anD from 0.19 sec for ISO
- RSA-4096 electronic signature: from 1.12 sec for NFC anD from 1.08 sec for ISO
- ECDSA-256 ( secp256k1) electronic signature: from 0.14 sec for NFC and from 0.13 sec for ISO
- ECDSA-256 ( secp256r1) electronic signature: from 0.10 sec for NFC and from 0.08 sec for ISO
- GOST R 34.11-2012 (256 и 512) hash rate: from 7.7 Kbps for NFC, up to 9.4 Kbps for ISO
- GOST R 34.11-94 hash rate: from 16.6 Kbps for NFC, up to 28.9 Kbps for ISO
- GOST 28147-89 hash rate: up to 18 Kbps for NFC, up to 35.3 Kbps for ISO
- GOST R 34.12-2015 (Magma) hash rate: up to 16.7 Kbps for NFC, up to 30.8 Kbps for ISO
- GOST R 34.12-2015 (Kuznechik) hash rate: up to 10 Kbps for NFC, up to 13.6 Kbps for ISO
|
Owner authentication capabilities | - Two-factor authentification: when presenting the indetificator itself and when presenting a unique PIN.
- Support 3 categories of owners: Administrator, User, Guest.
- Support 2 global PIN-codes: Administrator PIN and User PIN.
- Support local PINs for certain subjects protection (such as certificate containers) in device's memory.
- Custom hardware quality policies for PINs are processed by the firmware. They are set during formatting and optionally can be changed by Administrator's PIN.
- PIN-quality policies:
- Limitation of a minimum PIN lenght;
- Restriction of a default PIN usage;
- Restriction of using a PIN which contains one repeated number;
- Independent requirements for the presence of a variety of numbers, lowercase and uppercase Cyrrilic or Latin letters or special symbols in a PIN;
- Memorizing up to 10 PIN's values and also an opportunity to prohibit using the PIN which has been once set before.
- Support combined authentification: authentification according to the "Administrator or User" scheme and authentification with global PINs in conjunction with authentification with local PINs.
- Create local PINs for extra protection of key information on the device memory. Possible to work with several local PINs at the same time (up to 7 PINs).
- Limit a number of PIN entry attempts.
- Indicate a fact of global PIN's change from default ones to original ones.
|
File system | - Built-in ISO/IEC 7816-4 file structure.
- A number of file subjects inside the folder is up to 255.
- Use File Allocation Table (FAT) for optimal placement of file objects incise the memory.
- A level of nested folders is limited by the amount of free storage for the file system.
- Storage of private and symmetric keys without an opportunity to export them.
- Use Security Environment for easy configure settings of cryptographic operation.
- Use the Rutoken Special Files (RSF) for storage the key information: encryption keys, certificates etc.
- Use predetermined folders for storage different types of key information with automatic selection of a certain folder while creating and using the RSF.
- An opportunity to change the User PIN-policy. PIN change is available for User, Administrator or for both roles at the same time.
|
Interfaces | - The list of supported card readers isn't limited because the standard exchange protocols are implimented:
- ISO/IEC 7816-3, T=0 and T=1 protocols for contact chip,
- ISO 14443 (NFC) for non-contact chip,
- Support PC/SC.
- Microsoft Crypto API.
- Microsoft SmartCard API.
- PKCS#11 (includuing a Russian profile).
|
Built-in control and idication | - Control of the firmware integrity of Rutoken ECP.
- Control of the system memory areas integrity.
- Check the integrity of RSF before any usage of them.
- Counters of changes in the file system and changes of any PINs to control any unauthorized changes.
- Check the correct functioning of cryptographic algorithms.
|
General characteristics | - Modern secure microcontroller.
- Identification with the 32-bit unique serial number.
- Support operating systems:
- Microsoft Windows 2022/11/10/8.1/2019/2016/2012R2/8/2012/7/2008R2/Vista/2008/XP/2003,
- GNU/Linux (including russian domestic ones),
- Apple macOS 10.9 and newer,
- Android 5 and newer,
- iOS 13 and newer,
- Aurora 4+.
- 128 KB EEPROM memory.
- Size: 85,6x53,98 mm.
- Weight: 5,5 g.
|
Special capabilities | - An opportunity to create a special non-removable device's key pair.
- Maintenance of an electronic signature transaction counter.
- Trusted reading of the value of the non-renewable counter, confirmed by electronic signature.
- Journaling the electronic signature operations, fixing the critical parameters of electronic signature.
- Trusted obtain of logs, which is verified through the electronic signature.
|
Additional capabilities | - Work with CIFP "CryptoPro ECP 5.0 R2" and newer according to the secure protocol SESPAKE (Functional Key Carrier 2) for contact and wireless (or non-contact ) connection via NFC.
- Our own CSP with a standard interface kit and API functions.
- An opportunity to integrate into the smartcard-oriented software products.
- The Minidriver to integrate with Microsoft Base Smart Card Cryptographic Service Provider.
|