D.A. Melnikov

Federal Research Center «Computer Science and Control» of the Russian Academy of Sciences (Moscow), National Research Nuclear University «MEPhI», Financial University under the Government of the Russian Federation

The article is devoted to the analysis of the verification centre (VC) structure in the Russian Federation. The results of the analysis showed a serious vulnerability in the VC, which can lead to the unjustified (illegal) issuance of a falsified public key certificate in the name a particular VC user or a citizen who has never used the VC services. In the future, cybercriminals can use such a certificate and cause serious material and financial damage to the citizen whose name is indicated in the fake certificate (in the field «Subject»).

Based on the mathematical formalism of subjective logic, an analysis of the subjective trust network was carried out, including the trusting subject, validation authority, VC and the trusted party (owner of public key certificate, issued by VC). The result of the analysis confirmed that the «VC ≡ CA + RA» model is extremely vulnerable, which is also confirmed by numerous facts of illegal change of elderly Russians real estate ownership.

A method was proposed to protect citizens from issuing fake certificates in their name, which can be implemented with the direct participation of federal executive authorities. This method can be used as a required function implemented by the public key infrastructure.

The obtained results form the basis for further work on the development of architecture and principles of construction, and improvement of the national trust system based on the public key infrastructure in the interests of the Russian digital economy.

Melnikov D.A. About the problem of trust in verification centers in Russian Federation. Highly Available Systems. 2022. V. 18. № 1.
P. 5−15. DOI: https://doi.org/10.18127/j20729472-202201-01 (in Russian)

1. Fomichyov V.M., Mel'nikov D.A. Kriptograficheskie metody zashchity informacii: Uchebnik (v 2-h chastyah). M.: YUrajt. 2016. ISBN 978-5-534-01741-0, ISBN 978-5-534-01740-3
2. Korolyov V.I. Arhitekturnoe postroenie infrastruktury otkrytyh klyuchej integrirovannogo informacionnogo prostranstva. Bezopasnost' informacionnyh tekhnologij. 2015. T. 22. № 3. S. 59–71. URI: https://bit.mephi.ru/index.php/bit/article/view/92
3. Rajendran B. Evolution of PKI ecosystem, 2017 International Conference on Public Key Infrastructure and its Applications (PKIA). IEEE. 2017. P. 9–10. URI: https://ieeexplore.ieee.org/abstract/document/8278951
4. Mel'nikov D.A., Releev YU.F., Kvarackheliya L.D. Model' doveriya dlya cifrovoj ekonomiki Rossijskoj Federacii. Bezopasnost' informacionnyh tekhnologij. 2020. T. 27. № 2. S. 47–64. URI: http://dx.doi.org/10.26583/ bit.2020.2.04
5. Rossiyanka uznala o prodazhe svoej kvartiry iz kvitancii za uslugi ZHKKH // RIA Novosti. 29.01.21. URI: https://ria.ru/20210129/ kvitantsiya-1595122839.html
6. Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. Official Journal of the European Communities 19.01.2000. P. 0012–0020. URI: https://eur-lex.europa.eu/eli/dir/1999/93/oj
7. Josang A. Subjective Logic. A Formalism for Reasoning Under Uncertainty. Springer International Publishing, Switzerland, 2016. 337 p. ISBN 978-3-319-42335-7(1). DOI 10.1007/978-3319-42337-1