Hello. The task is as follows: a mobile application is being built with a database of enterprises; when a new enterprise is registered (and, at the same time, the first user of that enterprise), the application must reliably establish that this user really is an employee (representative) of the registered enterprise.

For now, we are exploring the first solution to the problem: every enterprise has its own EDS (electronic digital signature) - for reporting, for RB, etc. They are unique and are not shared with anyone (for obvious reasons). The idea is this: once a user identifies himself as a representative of an enterprise by entering that enterprise's key, he is authorized to do so (except in criminal cases where the keys are stolen by hackers).

Question: Is it possible to somehow use the digital signature certificates available to the enterprise to identify the user as a representative of that enterprise when registering in the database via the mobile application?

Clearly not by inserting a token/flash drive into a non-existent USB port on the device; maybe by entering some information?

I understand that the question may seem ridiculous and absurd to an EDS specialist, but I have to investigate all the options. Please do not skimp on your suggestions.

  • Why non-existent? I understand that the mobile application is a client, and all the storage is in the cloud? - Chad
  • Non-existent because full-size USB ports are not provided on Android devices. And not everyone carries a cable adapter. - Logist-111
  • All the storage is in the application. - Logist-111
  • I'm afraid you will only be able to register users when USB is available. Because forcing the user to type these signatures and the rest of a proper certificate in by hand (if you have not seen this company's certificate at the moment) is a kind of brute force; it is a large hex dump. And to get it, the user will still have to go to a computer with USB - Mike
  • @Mike, then the question arises: what for are "root certificates of the largest certification centers (such as VeriSign, Thawte, etc.) stored in any legal Western Android device, with which you can easily understand who owns the received EDS"? Western users do not walk around with cables. So it is somehow done differently. It is possible that the tokens themselves are originally made in the microUSB format. - Logist-111

1 answer

There is nothing ridiculous or absurd in this question.

The Russian EDS standard is "slightly" different from the Western digital signature standards. The standard is described in GOST R 34.10-2012.

In theory, every Russian EDS must meet the specified standard, but as they say, anything can happen in life.

A digital signature at the data level is essentially two data sets: a public key and a private key. The private key is not given to anyone and is kept by the owner. The public key is sent to everyone; that is, in your scenario, the company sends you its public key to gain access to your invaluable application.

Now, attention: you must understand that the public key belongs to the one who issued it to you. For this there are public key certificates. The whole thing is this: if it were a matter of Western digital signatures, then any legal Android device stores the root certificates of the largest certification centers (such as VeriSign, Thawte, etc.), with the help of which one can easily understand who owns the received EDS. Russian root (qualified) certificates must be obtained from the corresponding certification authority from which the EDS was received. Of these centers there are, frankly, a lot... and most of them do not recognize each other. Just in case, the root certificate of the tax service is here, and Sberbank's is here; in general, I hope this is clear.

Closer to programming. The above-mentioned GOST is implemented in Bouncy Castle; for those who have been living under a rock, this is one of the best-known public APIs implementing almost every conceivable and inconceivable cryptographic algorithm. And what is especially nice, Bouncy Castle implements the algorithms as a standard Java Cryptography Extension provider.

For Android there is a special port of Bouncy Castle called Spongy Castle.

User check should be reduced to:

  1. Get the root certificate of the certification authority
  2. Get the user's public key certificate
  3. Verify it against the root certificate of the certification authority

All this can be done programmatically (although it is not easy...)

Then google validate + certificate + java yourself.
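The three steps above (trusted root certificate, the user's certificate, validation of the one against the other) plus the step the comment under this answer points at (a certificate is public, so whoever presents it must also prove they hold the matching private key), as an added Java example. This is not code from the answer, from Bouncy Castle or from any project; it assumes Bouncy Castle (bcprov and bcpkix) on the classpath and uses the GOST R 34.10-2012 algorithm names Bouncy Castle registers (an assumption about your build; the plain "EC" / "SHA256withECDSA" names exercise the same logic). The demo CA, the employee certificate and the rogue CA are all constructed in the block so that it runs offline. On Android, the answer's Spongy Castle port uses the org.spongycastle package prefix in place of org.bouncycastle.

```java
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
import java.security.spec.ECGenParameterSpec;
import java.util.*;

public class EnterpriseCertCheck {
    static { Security.addProvider(new BouncyCastleProvider()); }

    // GOST R 34.10-2012 names as Bouncy Castle registers them (assumption: your build has them;
    // "EC", "secp256r1" and "SHA256withECDSA" exercise exactly the same logic otherwise).
    static final String KEY_ALG = "ECGOST3410-2012";
    static final String CURVE = "Tc26-Gost-3410-12-256-paramSetA";
    static final String SIG_ALG = "GOST3411-2012-256WITHECGOST3410-2012-256";

    static KeyPair newKeyPair() throws GeneralSecurityException {
        KeyPairGenerator g = KeyPairGenerator.getInstance(KEY_ALG, "BC");
        g.initialize(new ECGenParameterSpec(CURVE), new SecureRandom());
        return g.generateKeyPair();
    }

    // Constructed demo PKI: issue a certificate for subjectKey, signed with issuerKey.
    static X509Certificate issue(String issuerDn, PrivateKey issuerKey, String subjectDn,
                                 PublicKey subjectKey, boolean isCa) throws Exception {
        long now = System.currentTimeMillis();
        X509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                new X500Name(issuerDn), new BigInteger(64, new SecureRandom()),
                new Date(now - 60_000L), new Date(now + 365L * 24 * 3600 * 1000),
                new X500Name(subjectDn), subjectKey);
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCa));
        ContentSigner signer = new JcaContentSignerBuilder(SIG_ALG).setProvider("BC").build(issuerKey);
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(b.build(signer));
    }

    // Steps 1-3 of the answer: does the presented certificate chain to the root we trust?
    static boolean isIssuedByTrustedCa(X509Certificate userCert, X509Certificate rootCert) {
        try {
            PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(rootCert, null)));
            params.setRevocationEnabled(false); // demo runs offline; keep CRL/OCSP checks on in production
            CertPath path = CertificateFactory.getInstance("X.509", "BC")
                    .generateCertPath(Collections.singletonList(userCert));
            CertPathValidator.getInstance("PKIX", "BC").validate(path, params);
            return true;
        } catch (GeneralSecurityException e) {
            return false; // wrong issuer, bad signature, expired, wrong key usage, ...
        }
    }

    // The comment's objection: the certificate is public, so the server must also obtain a
    // signature over a fresh random challenge, which only the private-key holder can produce.
    static byte[] newChallenge() {
        byte[] nonce = new byte[32];
        new SecureRandom().nextBytes(nonce);
        return nonce;
    }

    static byte[] signChallenge(PrivateKey key, byte[] challenge) throws GeneralSecurityException {
        Signature s = Signature.getInstance(SIG_ALG, "BC");
        s.initSign(key);
        s.update(challenge);
        return s.sign();
    }

    static boolean provesKeyPossession(X509Certificate cert, byte[] challenge, byte[] sig) {
        try {
            Signature s = Signature.getInstance(SIG_ALG, "BC");
            s.initVerify(cert.getPublicKey());
            s.update(challenge);
            return s.verify(sig);
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPair caKey = newKeyPair(), userKey = newKeyPair(), rogueKey = newKeyPair();
        X509Certificate caCert = issue("CN=Demo Root CA", caKey.getPrivate(), "CN=Demo Root CA", caKey.getPublic(), true);
        X509Certificate userCert = issue("CN=Demo Root CA", caKey.getPrivate(), "CN=Employee, O=Enterprise", userKey.getPublic(), false);
        // Anyone can copy the public certificate, but can only mint new ones under a CA nobody trusts.
        X509Certificate rogueCert = issue("CN=Rogue CA", rogueKey.getPrivate(), "CN=Employee, O=Enterprise", rogueKey.getPublic(), false);

        System.out.println("genuine cert chains to trusted root: " + isIssuedByTrustedCa(userCert, caCert));
        System.out.println("rogue cert chains to trusted root:   " + isIssuedByTrustedCa(rogueCert, caCert));

        byte[] challenge = newChallenge();
        System.out.println("holder signs challenge:   "
                + provesKeyPossession(userCert, challenge, signChallenge(userKey.getPrivate(), challenge)));
        System.out.println("impostor signs challenge: "
                + provesKeyPossession(userCert, challenge, signChallenge(rogueKey.getPrivate(), challenge)));
    }
}
```

Registration is accepted only when both checks pass: the certificate chains to a root you actually trust (for Russian qualified certificates that root comes from the issuing certification authority, as the answer notes, not from the Android trust store), and the signature over a server-generated challenge verifies with that certificate's public key. The challenge must be fresh per attempt and generated on the server, otherwise a captured signature could be replayed; on a phone the private key lives in the app's key store or on a token the device can talk to, never typed in by hand.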

  • My stomach is already tickling with joy... - Logist-111
  • But seriously, I immediately noticed that anyone can provide the public key (because it is public). So it looks like the question of this option is nearing closure. - Logist-111
  • Since you really pleased me by talking about digital signatures in Western Android devices, do you know how it is technically used in the West? In the comments to the main question there is a point of view that users should be registered only when USB is available to them, in order to dull the whistle. - Logist-111
  • The irony is half a ton lower; the colleague will continue to tickle. In general, I have always wondered how poorly educated people breed unhappy customers :) - Barmaley
  • There was no irony, and there is none now. You misread my tone when you read my comments to your answer, which is really good and useful, with your inner voice. At first I was surprised, but after rereading my own comments in the context of the supposed "irony", I saw the irony and was upset. Sorry, I did not expect that, and really did not want it. All the comments are sincere; imagine, when reading them, the tone of the sincere joy of a green programmer who did not know about digital signatures and is just beginning to receive more or less serious tasks. Thanks for the answer: quick, detailed, without excess water. - Logist-111