April 18, 2017 at 11:30 PM

We go to your personal account at zakupki.gov.ru without Internet Explorer and other useful tips when working with CryptoPro

• System administration

In this post I will try to summarize the experience of using the CryptoPro cryptographic provider to access the closed part of the official website of the unified procurement information system (zakupki.gov.ru) and the website of state services (gosuslugi.ru). The crypto provider itself has already become a de facto standard for government agencies, in its format it issues an EDS, for example, a certification center (CA) of the Federal Treasury or the CA of the Ministry of Health.

First of all, we will focus on the site zakupki.gov.ru. The personal account of this site is accessible only via HTTPS using GOST encryption algorithms. For a long time, HTTPS over GOST worked only in Internet Explorer, which relied entirely on the crypto provider. The denouement came not so long ago, when support for older versions of IE, including IE8, was discontinued on the site zakupki.gov.ru. The trouble is, IE8 is the last version of that browser supported on Windows XP, and government agencies tend to be very conservative in terms of licensing. Thus, a fairly large part of users found themselves "overboard" overnight.

Fortunately, the CryptoPro company releases a special assembly of the Firefox browser called CryptoPro Fox (CryptoFox), which supports GOST algorithms and works, of course, only in conjunction with the appropriate crypto provider. There was a time when the development of the assembly almost completely stopped, but now new versions are released regularly. The latest build is based on Firefox 45, you can download the builds, versions for Windows, Linux and even Apple OS X are available.

The link is available for the English version of the browser. To localize it, you need to download the package with the translation of the interface. Please note that the version of the package must match the version of the browser itself.

After installing the package, you need to open a new tab, type about: config there, and in the list of parameters that opens, enter general.useragent.locale and change its value from en-US to ru-RU. After restarting the browser, the interface will be in Russian.

Now you can put the root certificate of the Federal Treasury CA into the Trusted Root Certification Authorities store, and the personal user certificate in the Personal store, restart your browser and enter your personal account zakupki.gov.ru according to 44-FZ.

At my workplace, there are no valid certificates of authorized persons installed, so access to my personal account is prohibited. However, the encryption of the connection is in any case carried out by the GOST family algorithm.

In case of access to the closed part of the site under 223-FZ, authorization will go through the ESIA (that is, through the site gosuslugi.ru). Here the situation is simplified, because this site has a plug-in for Firefox for a long time and is being developed by Rostelecom. At the first visit to the site, we will be prompted to download the plugin. After installation, the plugin should be switched to the “Always enable” mode in the CryptoFox settings, otherwise a window with a certificate request will not appear on the government services website.

Unfortunately, signing documents on the zakupki.gov.ru site is implemented through a specific component sing.cab, which uses ActiveX technology. Naturally, this component will not work in CryptoPro, so we will wait for the transition to a more widespread technology. Fortunately, signing a document is only a small part of what an operator should do while working at zakupki.gov.ru, so CryptoFox can be used for day-to-day operations.

Sometimes it is necessary to save a copy of the private key on your local computer. This can be done if the key is marked as unloaded when it is created in the CA. Copying is done using the "Copy" button (what a surprise) in the interface of the CryptoPro applet

If there are two options for storing the key on the local machine - in the "Registry" reader and on a virtual removable disk. In principle, the security of storing the key in both cases is approximately the same, so the choice of the means is left to the reader.

In the "Registry" reader, keys are stored in the branch

HKLM \ SOFTWARE \ Crypto Pro \ Settings \ Users \\ Keys
for user and branch

HKLM \ SOFTWARE \ Crypto Pro \ Settings \ Keys
for the computer as a whole.

In the case of a 64-bit OS, the paths will be slightly different:

HKLM \ SOFTWARE \ Wow6432Node \ Crypto Pro \ Settings \ Users \\ Keys
and

HKLM \ SOFTWARE \ Wow6432Node \ Crypto Pro \ Settings \ Keys

When CryptoPro is running on a terminal server, the user may not have enough rights to write the key to these branches, since they are not in the user's profile. This situation can be corrected by assigning the appropriate rights to the branches through the Regedit utility.

CryptoPro searches for key containers on disks that have the attribute “removable”, that is, a flash drive or, God forgive me, a floppy disk will be considered key containers, but a network drive or a disk forwarded via RDP will not. This allows keys to be stored on floppy images on a one-key-one-floppy basis, thereby enhancing security. To create a virtual disk drive, you can use the utility

In this post I will try to summarize the experience of using the CryptoPro cryptographic provider to access the closed part of the official website of the unified procurement information system (zakupki.gov.ru) and the website of state services (gosuslugi.ru). The crypto provider itself has already become a de facto standard for government agencies, in its format it issues an EDS, for example, a certification center (CA) of the Federal Treasury or the CA of the Ministry of Health.

First of all, we will focus on the site zakupki.gov.ru. The personal account of this site is accessible only via HTTPS using GOST encryption algorithms. For a long time, HTTPS over GOST worked only in Internet Explorer, which relied entirely on the crypto provider. The denouement came not so long ago, when support for older versions of IE, including IE8, was discontinued on the site zakupki.gov.ru. The trouble is, IE8 is the last version of that browser supported on Windows XP, and government agencies tend to be very conservative in terms of licensing. Thus, a fairly large part of users found themselves "overboard" overnight.

Fortunately, the CryptoPro company releases a special assembly of the Firefox browser called CryptoPro Fox (CryptoFox), which supports GOST algorithms and works, of course, only in conjunction with the appropriate crypto provider. There was a time when the development of the assembly almost completely stopped, but now new versions are released regularly. The latest build is based on Firefox 45, you can download the builds, versions for Windows, Linux and even Apple OS X are available.

The link is available for the English version of the browser. To localize it, you need to download plastic bag with interface translation. Please note that the version of the package must match the version of the browser itself.

After installing the package, you need to open a new tab, type about: config there, and in the list of parameters that opens, enter general.useragent.locale and change its value from en-US to ru-RU. After restarting the browser, the interface will be in Russian.

Now you can put the root certificate CA of the Federal Treasury, in the "Personal" storage - a personal user certificate, restart the browser and go to the personal account zakupki.gov.ru according to 44-FZ.

At my workplace, there are no valid certificates of authorized persons installed, so access to my personal account is prohibited. However, the encryption of the connection is in any case carried out by the GOST family algorithm.

In case of access to the closed part of the site under 223-FZ, authorization will go through the ESIA (that is, through the site gosuslugi.ru). Here the situation is simplified, because this site has plugin for Firefox has been around for a long time and is being developed by Rostelecom. At the first visit to the site, we will be prompted to download the plugin. After installation, the plugin should be switched to the “Always enable” mode in the CryptoFox settings, otherwise a window with a certificate request will not appear on the government services website.

Unfortunately, signing documents on the zakupki.gov.ru site is implemented through a specific component sing.cab, which uses ActiveX technology. Naturally, this component will not work in CryptoPro, so we will wait for the transition to a more widespread technology. Fortunately, signing a document is only a small part of what an operator should do while working at zakupki.gov.ru, so CryptoFox can be used for day-to-day operations.

Sometimes it is necessary to save a copy of the private key on your local computer. This can be done if the key is marked as unloaded when it is created in the CA. Copying is done using the "Copy" button (what a surprise) in the interface of the CryptoPro applet

If there are two options for storing the key on the local machine - in the "Registry" reader and on a virtual removable disk. In principle, the security of storing the key in both cases is approximately the same, so the choice of the means is left to the reader.

In the "Registry" reader, keys are stored in the branch

HKLM \ SOFTWARE \ Crypto Pro \ Settings \ Users \\ Keys
for user and branch

HKLM \ SOFTWARE \ Crypto Pro \ Settings \ Keys
for the computer as a whole.

In the case of a 64-bit OS, the paths will be slightly different:

HKLM \ SOFTWARE \ Wow6432Node \ Crypto Pro \ Settings \ Users \\ Keys
and

HKLM \ SOFTWARE \ Wow6432Node \ Crypto Pro \ Settings \ Keys

When CryptoPro is running on a terminal server, the user may not have enough rights to write the key to these branches, since they are not in the user's profile. This situation can be corrected by assigning the appropriate rights to the branches through the Regedit utility.

CryptoPro searches for key containers on disks that have the attribute “removable”, that is, a flash drive or, God forgive me, a floppy disk will be considered key containers, but a network drive or a disk forwarded via RDP will not. This allows keys to be stored on floppy images on a one-key-one-floppy basis, thereby enhancing security. To create a virtual disk drive, you can use the utility ImDisk , which has a version for 64-bit OS. Compatible with Windows up to 8.1 is declared, it works fine in Windows 10 as well.

There is also a utility in which you can create a drive that is visible only to a specific user. Unfortunately, it has not been developed for a long time, and it seems it will not work on 64-bit OS due to the unsigned driver.

Applying these tips and not forgetting about Regulation PKZ-2005 , which, however, is of a recommendatory nature, it is possible to make life somewhat easier for both operators working on procurement sites and for yourself.

Very, very often, I come across the fact that users who are forced to independently configure access to the site for the purchase of gov, government procurement via EDS, have a whole bunch of different problems. There are even those who are so desperate, who have no instructions to set up this business. Join our group on VK! Under repair! Smart workshop!

Purchasing The page cannot be displayed

On the Internet, if you search, you can find many instructions on how and what to set up, how and what to do in case of any problems. I would like to tell you only about the possibility to slightly simplify all this setup and preparation. How long this option will still work is hard to say. But I often use = P. For it is really much easier.

This option is to use automatic configuration through the site of the Contour. We go actually to the site itself. We are looking for a link in the upper right corner Technical support and at the bottom left of the link Installing a certificate. Or go straight to this link. Nevertheless, I advise you to use IE for these cases. So we went to the site. Chose a link Configure for work on the portals of the state procurement and state services ("zakupki.gov.ru").

We press pkm and run this add-on for all nodes, 4 times commercials, until it stops appearing. Next, download the utility AddToTrusted, which, instead of us, will add all the necessary sites to the safe list and configure IE. How to download it, run it. And we update our page either to F5 or using the mouse 🙂 In fact, this is the whole setting, then it only makes sense, after checking the system, to press the button select components to install and remove if not necessary, such checkboxes are acceptable as installing Mozilla Firefox.

AVAST blocks HTTPS and purchases won't open

Why did I start telling all this? Well, yes, after all, as usual, they brought a laptop, from which it is urgently necessary to go to the public procurement website. But when switching to 223 FZ, our beloved takes off The page could not be displayed. The case this time turned out to be in the AVAST antivirus. Although it fails once again, I love it 🙂 After a recent update, it has a function HTTPS Scan, which became the reason for blocking the work of the procurement portal, and I suspect that not only him. In general. for now, it's worth turning it off.

This is easy to do. We are looking at the bottom right in the tray, the icon of our antivirus. Open the avast'a interface with a double click. And we press Settings -> Active defense -> Setup web screen -> basic settings -> Uncheck Enable HTTPS Scanning.

Join our group on VK!

April 18, 2017 at 11:30 PM

We go to your personal account at zakupki.gov.ru without Internet Explorer and other useful tips when working with CryptoPro

In this post I will try to summarize the experience of using the CryptoPro cryptographic provider to access the closed part of the official website of the unified procurement information system (zakupki.gov.ru) and the website of state services (gosuslugi.ru). The crypto provider itself has already become a de facto standard for government agencies, in its format it issues an EDS, for example, a certification center (CA) of the Federal Treasury or the CA of the Ministry of Health.

First of all, we will focus on the site zakupki.gov.ru. The personal account of this site is accessible only via HTTPS using GOST encryption algorithms. For a long time, HTTPS over GOST worked only in Internet Explorer, which relied entirely on the crypto provider. The denouement came not so long ago, when support for older versions of IE, including IE8, was discontinued on the site zakupki.gov.ru. The trouble is, IE8 is the last version of that browser supported on Windows XP, and government agencies tend to be very conservative in terms of licensing. Thus, a fairly large part of users found themselves "overboard" overnight.

Fortunately, the CryptoPro company releases a special assembly of the Firefox browser called CryptoPro Fox (CryptoFox), which supports GOST algorithms and works, of course, only in conjunction with the appropriate crypto provider. There was a time when the development of the assembly almost completely stopped, but now new versions are released regularly. The latest build is based on Firefox 45, you can download the builds, versions for Windows, Linux and even Apple OS X are available.

The link is available for the English version of the browser. To localize it, you need to download the package with the translation of the interface. Please note that the version of the package must match the version of the browser itself.

After installing the package, you need to open a new tab, type about: config there, and in the list of parameters that opens, enter general.useragent.locale and change its value from en-US to ru-RU. After restarting the browser, the interface will be in Russian.

Now you can put the root certificate of the Federal Treasury CA into the Trusted Root Certification Authorities store, and the personal user certificate in the Personal store, restart your browser and enter your personal account zakupki.gov.ru according to 44-FZ.

At my workplace, there are no valid certificates of authorized persons installed, so access to my personal account is prohibited. However, the encryption of the connection is in any case carried out by the GOST family algorithm.

In case of access to the closed part of the site under 223-FZ, authorization will go through the ESIA (that is, through the site gosuslugi.ru). Here the situation is simplified, because this site has a plug-in for Firefox for a long time and is being developed by Rostelecom. At the first visit to the site, we will be prompted to download the plugin. After installation, the plugin should be switched to the “Always enable” mode in the CryptoFox settings, otherwise a window with a certificate request will not appear on the government services website.

Unfortunately, signing documents on the zakupki.gov.ru site is implemented through a specific component sing.cab, which uses ActiveX technology. Naturally, this component will not work in CryptoPro, so we will wait for the transition to a more widespread technology. Fortunately, signing a document is only a small part of what an operator should do while working at zakupki.gov.ru, so CryptoFox can be used for day-to-day operations.

Sometimes it is necessary to save a copy of the private key on your local computer. This can be done if the key is marked as unloaded when it is created in the CA. Copying is done using the "Copy" button (what a surprise) in the interface of the CryptoPro applet

If there are two options for storing the key on the local machine - in the "Registry" reader and on a virtual removable disk. In principle, the security of storing the key in both cases is approximately the same, so the choice of the means is left to the reader.

In the "Registry" reader, keys are stored in the branch

HKLM \ SOFTWARE \ Crypto Pro \ Settings \ Users \\ Keys
for user and branch

HKLM \ SOFTWARE \ Crypto Pro \ Settings \ Keys
for the computer as a whole.

In the case of a 64-bit OS, the paths will be slightly different:

HKLM \ SOFTWARE \ Wow6432Node \ Crypto Pro \ Settings \ Users \\ Keys
and

HKLM \ SOFTWARE \ Wow6432Node \ Crypto Pro \ Settings \ Keys

When CryptoPro is running on a terminal server, the user may not have enough rights to write the key to these branches, since they are not in the user's profile. This situation can be corrected by assigning the appropriate rights to the branches through the Regedit utility.

CryptoPro searches for key containers on disks that have the attribute “removable”, that is, a flash drive or, God forgive me, a floppy disk will be considered key containers, but a network drive or a disk forwarded via RDP will not. This allows keys to be stored on floppy images on a one-key-one-floppy basis, thereby enhancing security. To create a virtual disk drive, you can use the utility