To protect information during its storage, processing and transmission in the payment system, the “Tumar” cryptographic information protection tool is used.
The cryptographic information protection tool uses public-key distribution. The encryption and digital signature algorithms are designed so that one party does not need to know the secret key of the other in order to operate; it needs only a value derived from that secret key, the so-called public key. The public key is computed from the private key with a one-way function, i.e. recovering the secret key from the public key is computationally infeasible. This approach was proposed in 1976 by W. Diffie and M. Hellman and is the basis of the “Tumar” cryptographic information protection tool.
The functions of certification authority and key distribution are performed by the NPC certification center, whose tasks are to issue registration certificates and to ensure trust in the exchange of key information.
Access to the payment system is granted only to registered users. Enhanced identification of remote users is based on a cryptographic protocol of bilateral (mutual) identification: not only is the payment system client identified, but the payment system center is identified to the client as well.
After the identification procedure has completed successfully and the payment system client has established a connection, information is exchanged between the center and the client. To ensure the integrity of the information transmitted over the communication channel, an imitation insert (the GOST term for a cryptographic checksum, or message authentication code) is computed over each message; this protects against deliberate or accidental changes (distortions) of the transmitted information. To ensure confidentiality, information stored or transmitted over open channels is encrypted, which protects it against unauthorized access and compromise. Note that encryption alone does not provide integrity: it is the imitation insert that detects alteration, and it must be verified before the received data is acted upon.
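The two phases described above, as an added example that is not the Tumar tool's own protocol or code: a bilateral challenge-response identification in which each side proves knowledge of a shared key bound to the other side's fresh nonce, followed by a message exchange in which every frame carries a sequence number and an imitation insert. Everything not stated on the page is an assumption: HMAC-SHA256 truncated to 8 bytes stands in for the GOST 28147-89 imitation insert, the client and the center are assumed to already share a symmetric key K (in the real system it would come from the public-key mechanism above), and the frame layout, role labels and the sample payment message are constructed here.

```python
"""Bilateral identification + MAC-protected exchange (added illustration,
not Tumar's code).  HMAC-SHA256/8 stands in for the GOST 28147-89
imitation insert; the shared key K is assumed pre-established."""
import hashlib
import hmac
import secrets

MAC_LEN = 8
ROLES = {"client": "center", "center": "client"}   # each side's peer


class ProtocolError(Exception):
    pass


def mac(key: bytes, data: bytes) -> bytes:
    """Stand-in for the imitation insert (assumption: HMAC-SHA256, 8 bytes)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


def auth_tag(key: bytes, role: str, peer_nonce: bytes, own_nonce: bytes) -> bytes:
    # The role label is bound into the tag so a proof produced by one side
    # can never be reflected back to it as the other side's proof.
    return mac(key, b"auth|" + role.encode() + b"|" + peer_nonce + b"|" + own_nonce)


class Endpoint:
    def __init__(self, role: str, key: bytes):
        self.role, self.key = role, key
        self.nonce = self.peer_nonce = b""
        self.authenticated = False
        self.send_seq = self.recv_seq = 0

    def hello(self) -> bytes:
        """Step 1 (client): send a fresh challenge."""
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def answer(self, peer_nonce: bytes):
        """Step 2 (center): prove knowledge of K over the client's nonce, add own nonce."""
        self.peer_nonce, self.nonce = peer_nonce, secrets.token_bytes(16)
        return self.nonce, auth_tag(self.key, self.role, peer_nonce, self.nonce)

    def finish(self, peer_nonce: bytes, peer_tag: bytes) -> bytes:
        """Step 3 (client): check the center's proof, then prove ourselves."""
        expected = auth_tag(self.key, ROLES[self.role], self.nonce, peer_nonce)
        if not hmac.compare_digest(expected, peer_tag):
            raise ProtocolError(f"{self.role}: peer failed identification")
        self.peer_nonce, self.authenticated = peer_nonce, True
        return auth_tag(self.key, self.role, peer_nonce, self.nonce)

    def confirm(self, peer_tag: bytes) -> None:
        """Step 4 (center): check the client's proof."""
        expected = auth_tag(self.key, ROLES[self.role], self.nonce, self.peer_nonce)
        if not hmac.compare_digest(expected, peer_tag):
            raise ProtocolError(f"{self.role}: peer failed identification")
        self.authenticated = True

    def protect(self, payload: bytes) -> bytes:
        """Frame = 4-byte sequence number || payload || imitation insert."""
        if not self.authenticated:
            raise ProtocolError("identification not completed")
        self.send_seq += 1
        header = self.send_seq.to_bytes(4, "big")
        return header + payload + mac(self.key, b"data|" + self.role.encode() + header + payload)

    def open(self, frame: bytes) -> bytes:
        if not self.authenticated:
            raise ProtocolError("identification not completed")
        header, payload, tag = frame[:4], frame[4:-MAC_LEN], frame[-MAC_LEN:]
        expected = mac(self.key, b"data|" + ROLES[self.role].encode() + header + payload)
        if not hmac.compare_digest(expected, tag):       # verify before using the data
            raise ProtocolError("imitation insert mismatch: frame altered")
        seq = int.from_bytes(header, "big")
        if seq <= self.recv_seq:                         # replayed or reordered frame
            raise ProtocolError("replay detected")
        self.recv_seq = seq
        return payload


def run_session(center_key=None) -> dict:
    """Drive one session and record what each check observed."""
    key = secrets.token_bytes(32)
    client, center = Endpoint("client", key), Endpoint("center", center_key or key)
    n_c = client.hello()
    n_s, tag_s = center.answer(n_c)
    tag_c = client.finish(n_s, tag_s)        # raises if the center is an impostor
    center.confirm(tag_c)
    out = {"mutual_auth": client.authenticated and center.authenticated}

    frame = client.protect(b"PAY 100.00 KZT to acct 42")   # constructed sample message
    out["received"] = center.open(frame)
    altered = frame[:4] + frame[4:-MAC_LEN].replace(b"100.00", b"900.00") + frame[-MAC_LEN:]
    for name, f in (("tamper_detected", altered), ("replay_detected", frame)):
        try:
            center.open(f)
            out[name] = False
        except ProtocolError:
            out[name] = True
    return out


def impostor_rejected() -> bool:
    """A center that does not hold K cannot pass step 2."""
    try:
        run_session(center_key=secrets.token_bytes(32))
        return False
    except ProtocolError:
        return True


if __name__ == "__main__":
    print(run_session(), impostor_rejected())
```

The tag check in `open` happens before the sequence number is trusted or the payload is returned, and the comparison is constant-time; an altered frame is rejected without advancing the receive counter, so a later genuine frame is still accepted while a replayed one is not.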
To authenticate electronic documents, an electronic digital signature (EDS) mechanism is used, implemented on the basis of the El-Gamal asymmetric cryptographic algorithm together with a hash function. The defining property of the EDS is that only one user can produce a given signature: the author of the document, who holds the secret key. Any user who has the author's registration certificate (and therefore the author's public key) can verify the integrity, authenticity and authorship of the document. This mechanism makes it possible to replace paper documents with electronic ones entirely and to resolve disputes about their authenticity.
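The signature mechanism described above, as an added example that is not Tumar's code: textbook ElGamal signing of a message hash with the author's secret key, and verification with the public key taken from the author's registration certificate. The stand-ins are assumptions, not what the page states: GOST 34.310-2004 is an elliptic-curve variant of this scheme and GOST 34.311 is its hash function, whereas here ElGamal modulo a prime with SHA-256 is used; the 127-bit Mersenne prime is a demo size only (a real deployment uses thousands of bits or an elliptic-curve group), and the certificate register, subject name and payment document are constructed.

```python
"""ElGamal signature over a hash (added illustration, not Tumar's code).
Assumptions: SHA-256 as the hash, P = 2**127 - 1 as a demo-sized modulus."""
import hashlib
import secrets
from math import gcd

P = 2**127 - 1   # prime modulus (demo size; assumption)
G = 3            # base element


def digest(message: bytes) -> int:
    """Hash the document and reduce into the exponent range [0, P-2]."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % (P - 1)


def keygen():
    """Return (secret key x, public key y = G^x mod P)."""
    x = 2 + secrets.randbelow(P - 3)
    return x, pow(G, x, P)


def sign(x: int, message: bytes):
    m = digest(message)
    while True:
        # k must be secret, fresh for every signature and invertible mod P-1:
        # reusing k for two documents lets anyone solve for x.
        k = 2 + secrets.randbelow(P - 3)
        if gcd(k, P - 1) != 1:
            continue
        r = pow(G, k, P)
        s = (pow(k, -1, P - 1) * (m - x * r)) % (P - 1)
        if s != 0:
            return r, s


def verify(y: int, message: bytes, signature) -> bool:
    """True iff G^H(m) == y^r * r^s (mod P) for in-range r, s."""
    r, s = signature
    if not (0 < r < P and 0 < s < P - 1):   # reject out-of-range values first
        return False
    m = digest(message)
    return pow(G, m, P) == (pow(y, r, P) * pow(r, s, P)) % P


def demo() -> dict:
    x, y = keygen()
    certificates = {"branch-17": y}            # constructed stand-in for the certificate register
    doc = b"Payment order 0001: 100.00 KZT"    # constructed document
    sig = sign(x, doc)
    other_x, _ = keygen()                      # a different signer's secret key
    pub = certificates["branch-17"]
    return {
        "genuine": verify(pub, doc, sig),
        "altered_document": verify(pub, doc.replace(b"100", b"900"), sig),
        "other_signer": verify(pub, doc, sign(other_x, doc)),
    }


if __name__ == "__main__":
    print(demo())
```

Verification checks the hash of the document as received, so any change to the content, and any signature made under a key other than the one in the author's certificate, fails the equation; the range checks on r and s reject the trivial forgeries that skip them.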
To protect against accidental or malicious changes to the system kernel, which consists of the executable modules of the terminal system and of the cryptographic protection system, an imitation insert is computed for each executable module and checked against a stored value. This detects corruption of a module and the implanting of backdoors by viruses or intruders. The check is only as strong as the protection of the key used to compute the imitation inserts and of the verifying code itself: an intruder who can modify the modules and also read that key could recompute the inserts, which is why a keyed insert rather than a plain hash is used.
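The module integrity check described above, as an added example that is not Tumar's code: a manifest of per-module imitation inserts is built once and every module is recomputed and compared against it at verification time. It also shows why the insert must be keyed, by running the same attack (patch a module, delete another, rewrite the manifest with whatever the intruder can compute) against a keyed and an unkeyed manifest. Assumptions not from the page: HMAC-SHA256 stands in for the GOST 28147-89 imitation insert, the module files and their contents are constructed in a temporary directory, and the manifest is a plain dict.

```python
"""Keyed integrity manifest over executable modules (added illustration,
not Tumar's code).  HMAC-SHA256 stands in for the GOST 28147-89 imitation
insert; module files are constructed in a temporary directory."""
import hashlib
import hmac
import pathlib
import secrets
import tempfile


def tag(key, data: bytes) -> str:
    """Keyed imitation insert; with key=None a plain hash, for comparison only."""
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_manifest(key, root: pathlib.Path) -> dict:
    """module name -> imitation insert over the module's bytes."""
    return {p.name: tag(key, p.read_bytes()) for p in sorted(root.iterdir()) if p.is_file()}


def verify_modules(key, manifest: dict, root: pathlib.Path) -> dict:
    """Return {module: 'ok' | 'modified' | 'missing'} for every listed module."""
    status = {}
    for name, expected in manifest.items():
        path = root / name
        if not path.is_file():
            status[name] = "missing"
        elif hmac.compare_digest(tag(key, path.read_bytes()), expected):
            status[name] = "ok"
        else:
            status[name] = "modified"
    return status


def demo(keyed: bool = True) -> dict:
    """Build a manifest, then simulate an intruder without the key who patches
    one module, removes another, and rewrites the manifest entry with a plain
    hash (the strongest value they can compute)."""
    with tempfile.TemporaryDirectory() as d:
        root = pathlib.Path(d)
        original = b"MZ\x90\x00 constructed terminal module"          # constructed contents
        (root / "terminal.bin").write_bytes(original)
        (root / "crypto.bin").write_bytes(b"MZ\x90\x00 constructed crypto module")
        key = secrets.token_bytes(32) if keyed else None

        manifest = build_manifest(key, root)
        clean = verify_modules(key, manifest, root)

        patched = original + b" + implant"
        (root / "terminal.bin").write_bytes(patched)
        (root / "crypto.bin").unlink()
        forged = dict(manifest)
        forged["terminal.bin"] = hashlib.sha256(patched).hexdigest()   # intruder has no key

        return {"clean": clean, "after_attack": verify_modules(key, forged, root)}


if __name__ == "__main__":
    print("keyed:  ", demo(keyed=True))
    print("unkeyed:", demo(keyed=False))
```

With the keyed manifest the patched module is reported as modified even though the intruder rewrote its manifest entry; with a plain hash the same attack passes the check. The missing module is reported in both cases only because its entry stays in the manifest, so the verifier should also hold the authoritative list of modules rather than trust the manifest's key set.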
The encryption algorithms used are implemented in accordance with the GOST 28147-89 standard “Information processing systems. Cryptographic protection. Cryptographic transformation algorithm”.
The procedures for generating and verifying an electronic digital signature are carried out in accordance with the standards GOST 34.310-2004 “Information technology. Cryptographic data security. Formation and verification processes of electronic digital signature” and GOST 34.311-2004 “Information technology. Cryptographic data security. Hashing function”. Registration certificates issued by the certification center comply with X.509 v3 as profiled in RFC 5280 “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile” and RFC 3739 “Internet X.509 Public Key Infrastructure: Qualified Certificates Profile”.