The Central Bank has published recommendations on cryptographic protection of the EBU

EBS. Bottom scanner, bottom right

Russian banks are in full swing connecting to the Unified Biometric System (ЕБС) and starting to collect biometric data of their customers. Information is stored in a single centralized database managed by Rostelecom. For example, recently Sberbank reported that it provided the collection of biometric data in 20% of its branches .

Although the process of collecting, processing and transmitting biometric data in the EBU has long been regulated, but the Central Bank only on February 14, 2019 published guidelines for the protection of this information.

The Central Bank recommends that banks ensure that information is protected by banks through the means of cryptographic protection of information that comply with the Regulations of the PKZ-2005 , approved by the order of the FSB. This provision regulates in detail the procedure for the development and production of SKPI (cryptographic information protection tools), which include:

• encryption tools;
  
• imitation protection;
  
• digital signature tools;
  
• coding tools;
  
• means of producing key documents;
  
• key documents.

Further, the Central Bank describes the information security measures in the process of collecting biometric personal data and in the process of their transfer to Rostelecom in the EMU, as well as the requirements of mandatory information on incidents.

In particular, to ensure information security, in the process of collecting information, it is recommended to use ICTM of a class not lower than KV, including means of electronic signature of a class not lower than KV2.

Banks can work any solutions - own production, typical solutions or cloud. For each of them are recommendations. For example, in the case of using your own solution, it is recommended to provide:

• obtaining a qualified key certificate verifying the electronic signature of a bank created by an certification center accredited by the Ministry of Communications and Mass Media of the Russian Federation (FSBI "Voskhod") using the certification center not lower than KV2;
  
• Embedding a cryptographic protection (HSM) software and hardware module certified as an ICT for a class not lower than KV (electronic signatures of a class not lower than KV2) in the subsystem of processing the biometric personal data of individuals in accordance with the requirements set forth in the operational documentation for software a hardware module of cryptographic protection (HSM), on its own, with the relevant license of the Federal Security Service of Russia, or by third-party organizations that have the relevant license of the Federal Security Service of Russia;
  
• Creation and use of a trusted environment for the functioning of an information system interacting (forming calls) with a cryptographic protection software and hardware module (HSM) certified in a class not lower than KV in the process of signing electronic messages containing biometric personal data of individuals, of the EPRP sold by the SKPI class not lower than KV (by means of electronic signature of a class not lower than KV2).

In turn, the trusted environment should:

• work on a suitable OS (which meets the requirements of the Federal Security Service of the AK3 class) or the requirements of the State Technical Commission for the 3rd class of security and the 2nd level of control);
  
• apply firewalling tools certified by the FSTEC of Russia for compliance with the requirements for firewall-type devices of at least 3rd class of security using IHC-based IMS designed for use on information system servers (type B) and certified by the FSTEC of Russia for compliance with the requirements to antivirals of at least 2nd class of protection;
  
• use protection against computer attacks that are certified by the FSTEC of Russia for compliance with the requirements of software, software and hardware or hardware of the type “intrusion detection system” of at least 3rd class of security;
  
• applied in the information system interacting (forming calls) with the hardware and software module of cryptographic protection (HSM), hardware and software modules of the trusted load of the expansion board level, certified by the FSTEC of Russia for compliance with the requirements for hardware and software modules of the trusted computer load of the 2nd class protection;
  
• use application software that has been tested for the absence of undeclared capabilities and complies with the 4th level of control of the absence of undeclared capabilities or is certified in the FSTEC of Russia certification system for compliance with information security requirements, including requirements for analyzing vulnerabilities and controlling the absence of undeclared capabilities or for which analysis has been performed Vulnerability requirements for the estimated level of confidence not lower than EAL 4.

The trusted environment can be created using a specialized adapter that provides information and technological interaction between the bank’s information infrastructure objects and the software-hardware cryptographic protection module (HSM) and complies with the above description, permits the Central Bank.

Probably, now citizens can be assured that their biometric data in the EMU system is reliably protected.