This Decision promulgates the list of technical standards that must be adhered to when implementing digital signatures and digital signature certification services under the remote key management model (Remote signing) or on mobile devices (Mobile signing). The standards are divided into several groups including: Cryptography and digital signatures, Data information, Certification policies and regulations, Protocol for storing and retrieving digital certificates, Status checking of digital certificates, Security for HSM managing secret keys of digital signature certification service providers, System of customer key management devices, digital certificates, and digital signature creation.
적용 범위
Organizations providing digital signature certification services under the Remote signing or Mobile signing models
핵심 사항
- PKCS #1 standard for asymmetric cryptography and digital signatures with a minimum key length of 2048 bits for Remote signing, 2048 bits or 3072 bits for Mobile signing.
- Security requirements for SIM cards in the customer key management device system according to the FIPS PUB 140-2 level 2 or TCVN 8709 level EAL 4 standard.
- Web service interface and security framework for Mobile signing according to the ETSI TS 102 203, ETSI TS 102 204, ETSI TR 102 206 standards.
- Policy and security requirements for the digital signature server in Remote signing according to the ETSI TS 119 431-1, ETSI TS 119 431-2 standards.
- Protocol for creating digital signatures in Remote signing according to the ETSI TS 119 432 standard.
🌐 이 문서의 사회적 영향
- Enhancing security for remote or mobile digital certification and signature systems
- Developing a safe and reliable electronic service market
- Improving the efficiency of customer key management and digital signature creation
❓ 자주 묻는 질문
What standards must be followed when implementing Remote signing?
PKCS #1 standard for asymmetric cryptography and digital signatures with a minimum key length of 2048 bits, FIPS PUB 140-2 level 3 or EN 419221-5:2018 standard for security of HSM managing secret keys of digital signature certification service providers.
What requirements are there for the system of customer key management devices, digital certificates, and digital signature creation in Mobile signing?
Security requirements for SIM cards according to the FIPS PUB 140-2 level 2 or TCVN 8709 level EAL 4 standard.
Which standards must the Web service interface and security framework for Mobile signing comply with?
ETSI TS 102 203, ETSI TS 102 204, ETSI TR 102 206 standards.
Which standards must the policy and security requirements for the digital signature server in Remote signing comply with?
ETSI TS 119 431-1, ETSI TS 119 431-2 standards.
전문
|
MINISTRY OF INFORMATION AND COMMUNICATION |
SOCIALIST REPUBLIC OF VIET NAM |
|
Provincial People's Committees set specific prices2- An event (risk of disease outbreak) 16/2019/TT-BTTTT |
Hanoi, dated May 5 December in Hanoi, Vietnam |
CIRCULAR
REGULATIONS ON THE LIST OF COMPULSORY STANDARDS FOR DIGITAL SIGNATURES AND CERTIFICATION SERVICES FOR DIGITAL SIGNATURES IN THE MOBILE PKI MODEL AND REMOTE SIGNING
AND REMOTE SIGNING
PURSUANTpursuant to the Law on Electronic Transactions dated November 29, b) Circular No. 03/2015/TT-BKHĐT dated May 6, 2015 of the Minister of Planning and Investment detailing the preparation of construction tender documents.
Based on Decree No. 130/2018/2018/ND-CP dated September 27, 2018 of the Government detailing and guiding the implementation of the Law on Electronic Transactions regarding digital signatures,8 of the Governmentimplemen tation of the Law on Electronic Transactions concerning digital signatures, ||| and digital signature authentication services;
pursuant to Decree No. 17/2017/2017/ND-CP dated February 17, 2017 of the Government stipulating the functions, tasks, powers, and organizational structure of the Ministry of Information and Communications;pursuant to the Decree of the Government No. 17/2017/ND-CP dated February 17, 2017 stipulating the functions, tasks, powers, and organizational structure of the Ministry of Information and Communications;
Pursuant to the proposal of the Director of the Science and Technology Department,
The Minister of Information and Communications issues this Circular regulating the List of Compulsory Standards for Digital Signatures and Certification Services for Digital Signatures in the Mobile PKI Model and Remote Signing.standards for digital signatures and certification services for digital signatures number in the mobile PKI model and remote signing. on mobile devices and remote signing. signing.
Article 1. Scope of Regulation
This Circular regulates the List of Compulsory Standards for Digital Signatures and Certification Services for Digital Signatures in the Mobile PKI Model and Remote Signing (Annex attached).
Article 2. Applicability
This Circular applies to organizations providing public digital signature certification services, organizations providing specialized digital signature certification services for agencies and organizations that have been granted certificates confirming their qualifications to ensure security for specialized digital signatures, foreign organizations providing digital signature certification services with recognized digital certificates by the Ministry of Information and Communications in Vietnam providing digital signature certification services in the mobile PKI model and remote signing; organizations and individuals developing applications using digital signatures, providing digital signature solutions in the mobile PKI model and remote signing.
Article 3. Implementation Organization
1. The Ministry of Information and Communications shall review, amend, and supplement the List of Compulsory Standards for Digital Signatures and Certification Services for Digital Signatures in the Mobile PKI Model and Remote Signing prescribed in Article 1 of this Circular in accordance with technological development and state management policies.
2. The Department of Science and Technology shall be responsible for leading the review and updating of the List of Compulsory Standards for Digital Signatures and Certification Services for Digital Signatures in the Mobile PKI Model and Remote Signing prescribed in Article 1 of this Circular.
3. The National Center for Electronic Certification shall be responsible for guiding, inspecting, and evaluating the application of standards included in the List of Compulsory Standards for Digital Signatures and Certification Services for Digital Signatures in the Mobile PKI Model and Remote Signing prescribed in Article 1 of this Circular.
Article 4. Implementation provisions
1. This Circular takes effect from April 1, 2020.
2. In case there is a discrepancy between the provisions of this Circular and the provisions of Circular No. 39/2017/TT-BTTTT dated December 15, 2017 promulgating the List of Technical Standards for Information Technology Applications in State Agencies related to the same standard concerning the use of digital signatures and certification services for digital signatures provided by organizations offering digital signature certification services in state agencies, the provisions of this Circular shall apply.
3. The Director of the Office, the Heads of the Department of Science and Technology, the Director of the National Center for Electronic Certification, the Heads of Ministries' agencies and units, and relevant organizations and individuals shall be responsible for implementing this Circular.
4. During the implementation process, if difficulties or obstacles arise, agencies, organizations, and individuals shall promptly report them to the Ministry of Information and Communications for consideration and resolution./.
|
|
THE MINISTER |
ANNEX
LIST OF COMPULSORY STANDARDS FOR DIGITAL SIGNATURES AND CERTIFICATION SERVICES FOR DIGITAL SIGNATURES IN THE MOBILE PKI MODEL AND REMOTE SIGNING
(Issued together with Circular No. 16/2019/2019/TT-BTTTT dated December 5,2019 2019 of the Minister of Information and Communications)
|
Number No. |
Type of standard |
Standard codeFor power plants invested under the Build-Operate-Transfer (BOT) model, n is determined according to the operational period of the power plant stipulated in the BOT contract. |
Full Name of Standard |
Application Provisions |
|
1 |
Digital signatures and certification services for digital signatures in the mobile PKI model |
|||
|
1.1 |
Cryptography and digital signature standards |
|||
|
1.1.1 |
Asymmetric cryptography and digital signatures |
PKCS #1 |
RSA Cryptography Standard |
- Apply one of two standards. - For the RSA standard: + Version 2.1 + Use the RSAES-OAEP scheme for encryption and RSASSA-PSS for signing. + Minimum key length is 1024 bits - For the ECDSA standard: minimum key length is 256 bits |
|
ANSI X9.62-2005 |
Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA) |
|||
|
1.1.2 |
Symmetric cryptography |
TCVN 7816:2007 (FIPS PUB 197) |
Information technology - Cryptographic techniques - Advanced Encryption Standard (AES) data encryption algorithm (Advanced Encryption Standard) |
Apply one of two standards |
|
NIST 800-67 |
Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher |
|||
|
1.1.3 |
Secure hash function |
XML Key Management |
XKMS |
Apply one of the following hash functions: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256 |
|
FIPS PUB 202 |
SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions |
|||
|
1.2 |
Information and data standards |
|||
|
1.2.1 |
Digital certificate format and certificate revocation list (CRL) |
RFC 5280 |
Internet X.509 Public Key Infrastructure Certificate and CRL Profile |
|
|
1.2.2 |
Encrypted message syntax |
PKCS #7 |
Cryptographic Message Syntax Standard |
Version 1.5 |
|
1.2.3 |
Certification request syntax |
PKCS #10 |
Certification Request Syntax Standard |
Version 1.7 |
|
1.3 |
Certification policy and practice standardsCertification framework and policy standards |
|||
|
1.3.1 |
RFC 3647 |
Internet X.509 Public Key Infrastructure - Certificate Policy and Certification Practices Framework |
Standards for storage and retrieval protocols for digital certificates |
|
|
1.4 |
LDAPv2 schema diagramRFC 2587Internet X.509 Public Key Infrastructure LDAPv2 Schema |
|||
|
1.4.1 |
RFC 4523 |
Lightweight Directory Access Protocol (LDAP) Schema Definitions for X.509 Certificates |
LDAP protocol |
Apply one of two standards |
|
|
|
RFC 2251 |
Lightweight Directory Access Protocol (v3) |
|
|
1.4.2 |
Apply either RFC 2251 or the set of four standards: |
RFC 4510, RFC 4511, RFC 4512, RFC 4513 |
RFC 4510 |
Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map RFC 4511 |
|
Lightweight Directory Access Protocol (LDAP): The Protocol |
RFC 4512 |
|||
|
Lightweight Directory Access Protocol (LDAP): Directory Information Models |
RFC 4513 |
|||
|
Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms |
Standards for certificate status checking |
|||
|
Protocol for transmitting and receiving digital certificates and certificate revocation lists |
RFC 2585 |
|||
|
1.5 |
Internet X.509 Public Key Infrastructure - Operational Protocols: FTP and HTTPApply either or both of the FTP and HTTP protocols |
|||
|
1.5.1 |
Protocol for online certificate status checking |
RFC 2560 |
X.509 Internet Public Key Infrastructure - Online Certificate Status Protocol |
Áp dụng một hoặc cả hai giao thức FTP và HTTP |
|
1.5.2 |
Giao thức để kiểm tra trạng thái chứng thư số trực tuyến |
RFC 2560 |
X.509 Internet Public Key Infrastructure - Online Certificate Status Protocol |
|
|
1.6 |
Security standards for HSM managing secret keys of digital signature certification service providers |
|||
|
1.6.1 |
Security requirements for hardware security module (HSM) hardware security blocks |
FIPS PUB 140-2 |
Security Requirements for Cryptographic Modules |
Minimum level 3 requirements |
|
1.7 |
Standards for equipment systems managing secret keys, digital certificates, and generating digital signatures for customers |
|||
|
1.7.1 |
Security requirements for SIM cards |
FIPS PUB 140-2 |
Security Requirements for Cryptographic Modules |
- Apply one of two standards. - For the FIPS PUB 140-2 standard: Minimum level 2 requirements - For the TCVN 8709 (ISO/IEC 15408) standard: Minimum EAL level 4 requirements |
|
TCVN 8709 (ISO/IEC 15408) |
Information technology - Security techniques - Information technology security evaluation criteria (Common Criteria for Information Technology Security Evaluation) |
|||
|
1.7.2 |
Functional and operational requirements |
ETSI TR 102 203 |
Mobile Commerce (M-COMM); Mobile Signatures; Business and Functional Requirements |
Version V1.1.1 |
|
1.7.3 |
Web service interface |
ETSI TS 102 204 |
Mobile Commerce (M-COMM); Mobile Signature Service; Web Service Interface |
Version V1.1.4 |
|
1.7.4 |
Security framework |
ETSI TR 102 206 |
Mobile Commerce (M-COMM); Mobile Signature Service; Security Framework |
Version V1.1.3 |
|
1.7.5 |
Roaming specifications |
ETSI TS 102 207 |
Mobile Commerce (M-COMM); Mobile Signature Service; Specifications for Roaming in Mobile Signature Services |
Version V1.1.3 |
|
2 |
Digital signatures and digital signature certification services according to the remote signing model |
|||
|
2.1 |
Cryptography and digital signature standards |
|||
|
2.1.1 |
Asymmetric cryptography and digital signatures |
PKCS #1 |
RSA Cryptography Standard |
- Apply one of two standards. - For the RSA standard: + Version 2.1 + Use the RSAES-OAEP scheme for encryption and RSASSA-PSS for signing. - Minimum key length is 2048 bits - For the ECDSA standard: minimum key length is 256 bits |
|
ANSI X9.62-2005 |
Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA) |
|||
|
2.1.2 |
Symmetric cryptography |
TCVN 7816:2007 (FIPS PUB 197) |
Information technology - Cryptographic techniques - Advanced Encryption Standard (AES) data encryption algorithm |
Apply one of two standards |
|
NIST 800-67 |
Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher |
|||
|
2.1.3 |
Secure hash function |
XML Key Management |
XKMS |
Apply one of the following hash functions: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256 |
|
FIPS PUB 202 |
SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions |
|||
|
2.2 |
Information and data standards material |
|||
|
2.2.1 |
Digital certificate format and certificate revocation list (CRL) |
RFC 5280 |
Internet X.509 Public Key Infrastructure Certificate and CRL Profile |
|
|
2.2.2 |
Encrypted message syntax |
PKCS #7 |
Cryptographic Message Syntax Standard |
Version 1.5 |
|
2.2.3 |
Certification request syntax |
PKCS #10 |
Certification Request Syntax Standard |
Version 1.7 |
|
2.2.4 |
Private-key information syntax |
PKCS #8 |
Private-Key Information Syntax Standard |
Version 1.2 |
|
2.2.5 |
Cryptographic token communication interface |
PKCS #11 |
Cryptographic token interface standard |
Version 2.20 |
|
2.2.6 |
Personal information exchange syntax |
PKCS #12 |
Personal Information Exchange Syntax Standard |
Version 1.0 |
|
2.3 |
LDAPv2 schema diagramInformation policies and regulations and Individuals in Handling Errors, Losses, Misplacements, or Damage to Files and Results, and in Delayed Result DeliveryCertification framework and policy standards |
|||
|
2.3.1 |
RFC 3647 |
Internet X.509 Public Key Infrastructure - Certificate Policy and Certification Practices Framework |
Standards for storage and retrieval protocols for digital certificates |
|
|
2.4 |
StandardsDigital certificate storage and retrieval protocol standards |
|||
|
2.4.1 |
RFC 4523 |
Lightweight Directory Access Protocol (LDAP) Schema Definitions for X.509 Certificates |
LDAP protocol |
Apply one of two standards |
|
RFC 2251 |
Lightweight Directory Access Protocol (v3) |
|||
|
2.4.2 |
Apply either RFC 2251 or the set of four standards: |
RFC 4510, RFC 4511, RFC 4512, RFC 4513 |
RFC 4510 |
Apply either RFC 2251 or the set of four standards: RFC 4510, RFC 4511, RFC 4512, RFC 4513 |
|
Lightweight Directory Access Protocol (LDAP): The Protocol |
Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map |
|||
|
Lightweight Directory Access Protocol (LDAP): Directory Information Models |
RFC 4513 |
|||
|
Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms |
Standards for certificate status checking |
|||
|
Protocol for transmitting and receiving digital certificates and certificate revocation lists |
RFC 2585 |
|||
|
2.5 |
Internet X.509 Public Key Infrastructure - Operational Protocols: FTP and HTTPApply either or both of the FTP and HTTP protocols |
|||
|
2.5.1 |
Protocol for online certificate status checking |
RFC 2560 |
X.509 Internet Public Key Infrastructure - Online Certificate Status Protocol |
Áp dụng một hoặc cả hai giao thức FTP và HTTP |
|
2.5.2 |
Giao thức để kiểm tra trạng thái chứng thư số trực tuyến |
RFC 2560 |
X.509 Internet Public Key Infrastructure - Online Certificate Status Protocol |
|
|
2.6 |
Security standards for HSM managing secret keys of digital signature certification service providers |
|||
|
2.6.1 |
Security requirements for hardware security module (HSM) hardware security blocks |
FIPS PUB 140-2 |
Security Requirements for Cryptographic Modules |
- Apply one of two standards. - For the FIPS PUB 140-2 standard: Minimum level 3 requirements |
|
EN 419221-5:2018 |
Protection Profiles for TSP Cryptographic modules - Part 5: Cryptographic Module for Trust Services |
|||
|
2.7 |
Standards for equipment systems managing secret keys, digital certificates, and creating signaturesNumberingDigital signatures number of customers |
|||
|
2.7.1 |
Policy and security requirements for digital signature servers |
ETSI TS 119 431-1 |
Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service providers; Part 1: TSP service components operating a remote QSCD/SCDev |
Apply both parts of the standard; Version V1.1.1 (12/2018) |
|
ETSI TS 119 431-2 |
Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service providers; Part 2: TSP service components supporting AdES digital signature creation |
|||
|
2.7.2 |
Digital signature generation protocols |
ETSI TS 119 432 |
Electronic Signatures and Infrastructures (ESI); Protocols for remote digital signature creation |
Version V1.1.1 (03/2019) |
|
2.7.3 |
Server-side digital signature application |
EN 419241-1:2018 |
Trustworthy Systems Supporting Server Signing - Part 1: General system security requirements |
|
|
2.7.4 |
Requirements for signature module |
EN 419241-2:2019 |
Trustworthy Systems Supporting Server Signing - Part 2: Protection Profile for QSCD for Server Signing |
|
|
2.7.5 |
Security requirements for hardware security module (HSM) hardware security blocks |
EN 419221-5:2018 |
Protection Profiles for TSP Cryptographic modules - Part 5: Cryptographic Module for Trust Services |
|
원본 문서(PDF)
관계도
문서를 클릭하면 열립니다. 빨간 테두리=효력을 변경하는 관계.
번역본
이 문서는 다음 언어로 제공됩니다: