Circular No. 22/2020/TT-BTTTT dated September 07, 2020 on technical requirements applicable to digital signature software and digital signature checking software



THE MINISTRY OF INFORMATION AND COMMUNICATIONS
--------

THE SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness
---------------

No. 22/2020/TT-BTTTT

Hanoi, September 07, 2020

 

CIRCULAR

TECHNICAL REQUIREMENTS APPLICABLE TO DIGITAL SIGNATURE SOFTWARE AND DIGITAL SIGNATURE CHECKING SOFTWARE

Pursuant to the Law on E-Transactions dated November 29, 2005;

Pursuant to the Government’s Decree No. 130/2018/ND-CP dated September 27, 2018 on guidelines for the Law on E-Transactions regarding digital signatures and digital signature authentication;

Pursuant to the Government’s Decree No. 17/2017/ND-CP dated February 17, 2017 defining the functions, tasks, powers and organizational structure of the Ministry of Information and Communications;

At the request of the Director of the National Electronic Authentication Centre,

The Minister of Information and Communications hereby promulgates a Circular on technical requirements applicable to digital signature software and digital signature checking software.

Chapter I

GENERAL

Article 1. Scope

1. This Circular provides for technical requirements applicable to digital signature software and digital signature checking software.

2. Technical requirements applicable to digital signature software and digital signature checking software for digital signatures on electronic documents of regulatory agencies are not governed by this Circular.

Article 2. Regulated entities

1. This Circular applies to organizations and individuals that opt to use digital signature software and digital signature checking software to make e-transactions; certification authorities; organizations and individuals that develop digital signature applications and use digital signatures.

2. This Circular does not apply to specialized certification authorities of the Government.

Article 3. Definitions

1. “digital certificate for organization” means a form of electronic certificate issued by a certification authority in order to provide identity for the public key of an organization to certify that such organization is the signer of the digital signature by using corresponding private key.

2. “digital certificate for individual” means a form of electronic certificate issued by a certification authority in order to provide identity for the public key of an individual to certify that such individual is the signer of the digital signature by using corresponding private key.

3. “private key for organization” means a key corresponding to the digital certificate for an organization.

4. “private key for individual” means a key corresponding to the digital certificate for an individual.

5. “digital signature software” means independent software or a software module or a solution that performs the function of attaching digital signatures to data messages.

6. “digital signature checking software” means independent software or a software module or a solution that performs the function of checking validity of digital signatures attached to digital signature data messages.

7. “trusted path on a digital certificate” means a web address on a digital certificate showing the certification authority which issued that digital certificate.

Chapter II

TECHNICAL REQUIREMENTS APPLICABLE TO DIGITAL SIGNATURE SOFTWARE AND DIGITAL SIGNATURE CHECKING SOFTWARE

Section 1 - Digital signature software

Article 4. General requirements

Technical standards for digital signatures attached to data messages in the List of technical standards for digital signatures attached to data messages promulgated together with this Circular shall be complied with.

Article 5. Functional requirements

1. Attaching digital signatures:

a) If the signer attaching digital signatures to data messages is an individual, such signer is allowed to use the private key for individual to attach digital signatures to data messages;

b) If the signer attaching digital signatures to data messages is an organization, such signer is allowed to use the private key for organization to attach digital signatures to data messages.

2. Checking validity of digital certificates:

a) Digital certificates of persons attaching digital signatures to data messages are checked via the trusted path on such digital certificates and also checked by the national certification authority.

b) The checking of validity of a digital certificate at the digital signature time shall focus on:

- Validity period of the digital certificate;

- Status of the digital certificate through the Certificate Revocation List (CRL) published at the digital signature time or through the Online Certificate Status Protocol (OCSP) in the case where the certification authority provides OCSP services;

- Cryptographic algorithms used on the digital certificate;

- Purposes and scope of the digital certificate.

c) The digital certificate remains valid if the following criteria are met:

- The validity period on the digital certificate remains unexpired at the digital signature time;

- Cryptographic algorithms used on the digital certificate comply with compulsorily applied technical regulations and standards for digital signatures and digital signature authentication which remain effective;

- The digital certificate remains operational at the digital signature time;

- The digital certificate is used for intended purposes and within the intended scope.

3. Storage and cancellation of the following pieces of information attached to digital signature data messages:

a) Digital certificates corresponding to private keys which signers use to sign data messages at the digital signature time;

b) List of certification authorities’ digital certificates revoked at the signature time that correspond to digital signatures attached to outgoing data messages;

c) Validation etiquettes of certification authorities issuing digital certificates that correspond to the digital signatures attached to outgoing data messages;

d) Results of checking of status of the digital certificates corresponding to the digital signatures attached to incoming data messages.

4. Change (addition or reduction) of digital signatures of certification authorities.

5. Notification (in alphabetical letters/symbols) of checking whether a digital signature is valid or not.

Section 2 - Digital signature checking software

Article 6. General requirements

Technical standards for digital signatures attached to data messages in the List of technical standards for digital signatures attached to data messages promulgated together with this Circular shall be complied with.

Article 7. Functional requirements

1. Checking of validity of digital signatures affixed to data messages:

a) Digital signatures affixed to data messages are verified according to the principle: a digital signature is generated from a private key corresponding to the public key on the digital certificate;

b) Digital certificates of persons attaching digital signatures to data messages are checked via the trusted path on such digital certificates and also checked by the national certification authority.

c) Information about persons attaching digital signatures to data messages is checked and verified, focusing on the following:

- Validity period of the digital certificates;

- Status of the digital certificates through the Certificate Revocation List (CRL) published at the time of attaching the digital signature or through the Online Certificate Status Protocol (OCSP) in the case where the certification authority provides OCSP services;

- Cryptographic algorithms used on the digital certificates;

- Purpose and scope of the digital certificates.

d) A digital certificate remains valid if the following criteria are met:

- The validity period on the digital certificate remains unexpired at the digital signature time;

- Cryptographic algorithms used on the digital certificate comply with compulsorily applied technical regulations and standards for digital signatures and digital signature authentication which remain effective;

- The digital certificate remains operational at the digital signature time;

- The digital certificate is used for intended purposes and within the intended scope.

dd) Integrity of digital signature data messages is checked as follows:

- Decrypt the digital signature on each data message to obtain information about the hash value;

- Use the secure hash algorithm that generated the hash value on the digital signature to generate a hash value for the data message;

- Compare the two hash values to check whether they match, thereby checking the integrity of the digital signature data message.

e) A digital signature on the data message is considered valid if:

- Information about the signer has been checked and verified;

- The signer’s digital certificate remains valid at the signature time;

- Digital signature on the data message matches the private key corresponding to the public key on the digital certificate and integrity of the data message is ensured.
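The certificate checks of Article 5.2 and Article 7.1 and the hash comparison of Article 7.1 dd, as an added example in Go (standard library only) that is not part of the Circular or of any vendor's software. It assumes a constructed self-signed signer certificate, PKCS#1 RSA with SHA-256 and a constructed CRL, and reduces the "algorithms comply with the standards" check to the Appendix minimum of a 2048-bit RSA key; the trusted-path chain check to the national certification authority (Article 7.1 b) is outside what a self-signed certificate can show.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

// revocation is one CRL entry (certificate serial, revocation date); constructed for this example.
type revocation struct {
	serial  *big.Int
	revoked time.Time
}

// VerifyAtSigningTime applies the Article 5.2 / 7.1 checks in order: validity period, algorithm and
// key size (2048-bit RSA minimum per the Appendix), key usage, CRL status, all judged at signedAt
// rather than "now"; rsa.VerifyPKCS1v15 then recovers the digest and compares it with SHA-256(msg).
func VerifyAtSigningTime(cert *x509.Certificate, crl []revocation, msg, sig []byte, signedAt time.Time) error {
	if signedAt.Before(cert.NotBefore) || signedAt.After(cert.NotAfter) {
		return errors.New("certificate outside its validity period at signing time")
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok || pub.N.BitLen() < 2048 {
		return errors.New("certificate key is not RSA of at least 2048 bits")
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("certificate not issued for digital signatures")
	}
	for _, r := range crl { // a revocation dated after signedAt does not affect this signature
		if r.serial.Cmp(cert.SerialNumber) == 0 && !r.revoked.After(signedAt) {
			return errors.New("certificate was revoked before signing time")
		}
	}
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// newSignedExample builds a constructed self-signed signer certificate and signs msg with its key.
func newSignedExample(msg []byte, notBefore, notAfter time.Time) (*x509.Certificate, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1001), NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate parses cleanly
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return cert, sig, err
}
```

Note that a certificate revoked after the signing time still yields a valid signature for a message signed earlier, which is why the CRL is evaluated at the signing time rather than at the time of checking.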

2. Storage and cancellation of the following pieces of information attached to digital signature data messages:

a) Digital certificates corresponding to digital signatures attached to incoming digital signature data messages;

b) List of certification authorities’ digital certificates revoked at the signature time that correspond to digital signatures attached to incoming data messages;

c) Validation etiquettes of certification authorities issuing digital certificates that correspond to digital signatures attached to incoming data messages;

d) Results of checking of digital certificate status appropriate for digital signatures attached to incoming data messages.

3. Change (addition or reduction) of digital signatures of certification authorities.

4. Notification (in alphabetical letters/symbols) of checking whether a digital signature is valid or not.

Chapter III

IMPLEMENTATION CLAUSE

Article 8. Implementation

1. The National Electronic Authentication Centre shall provide guidelines for the implementation of this Circular.

2. Public certification authorities and specialized certification authorities of organizations shall publish technical specifications (documents and tool sets), digital certificates related to certification authorities and standards for digital signatures on websites of the certification authorities.

3. Organizations and individuals that develop digital signature applications and use digital signatures shall comply with technical requirements and manuals for digital signature software and digital signature checking software.

Article 9. Grandfather clause

Organizations and individuals using digital signature software and digital signature checking software before the effective date of this Circular shall keep using them until they are changed, upgraded or replaced, whereupon they shall comply with the regulations laid down in this Circular.

Article 10. Effect

1. This Circular comes into force from November 01, 2020.

2. Chief of Office, National Electronic Authentication Centre, heads of agencies and units affiliated to the Ministry of Information and Communications, Directors of Departments of Information and Communications of provinces and central-affiliated cities, and relevant organizations and individuals are responsible for the implementation of this Circular.

3. Difficulties that arise during the implementation of this Circular should be promptly reported to the Ministry of Information and Communications (the National Electronic Authentication Centre) for consideration and resolution./.

THE MINISTER

Nguyen Manh Hung

 

APPENDIX

LIST OF TECHNICAL STANDARDS FOR DIGITAL SIGNATURES ATTACHED TO DATA MESSAGES
(Enclosed with the Circular No. 22/2020/TT-BTTTT dated September 07, 2020 of the Minister of Information and Communications)

No. | Type of standard | Standard code | Full name of standard | Form of application
1 | Standards for format of data messages | | |
1.1 | Character set and encoding | ASCII | American Standard Code for Information Interchange | Recommended
1.2 | Coded Vietnamese character set | TCVN 6909:2001 | TCVN 6909:2001 “Information Technology - 16-bit Coded Vietnamese Character Set” | Compulsory
1.3 | Character set demonstration | UTF-8 | 8-bit Universal Character Set (UCS)/Unicode Transformation Format | Recommended
1.4 | Data message format language | XML v1.0 (5th Edition) | Extensible Markup Language version 1.0 (5th Edition) | Compulsory application of one of the two standards
 | | XML v1.1 (2nd Edition) | Extensible Markup Language version 1.1 |
1.5 | XML Schema Definition | XML Schema version 1.1 | XML Schema version 1.1 | Recommended
1.6 | XML metadata interchange specification | XML v2.4.2 | XML Metadata Interchange version 2.4.2 | Recommended
2 | Standards for digital signatures and checking of digital signatures | | |
2.1 | Standards for digital signatures on private key management devices, digital signature software, creation of digital signatures, digital certificates and digital signature checking software | | |
2.1.1 | Encryption algorithms | TCVN 7816:2007 | Cryptographic technique - Cryptographic algorithms - Data Encryption Algorithm AES | Recommended
 | | NIST 800-67 | Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher | Recommended
 | | PKCS#1 | RSA Cryptography Standard | (Version 2.1 or later) Application and use of the RSAES-OAEP scheme for encryption; a minimum of 2048-bit keys; Recommended
 | | ECC | Elliptic Curve Cryptography | Recommended
2.1.2 | Digital signature algorithm | TCVN 7635:2007 | Cryptography technique - Digital signature | - Application of one of the three standards. - For TCVN 7635:2007 and + Version 2.1 + Application of + A minimum of 2048-bit keys. - For the standard ECDSA: a minimum of 256-bit keys
 | | PKCS#1 | RSA Cryptography Standard |
 | | ANSI X9.62-2005 | Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA) |
2.1.3 | Secure hash function | FIPS PUB 180-4 | Secure Hash Algorithms | Application of one of SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256
 | | FIPS PUB 202 | SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions |
2.1.4 | Secure XML message exchange | XML Encryption Syntax and Processing | XML Encryption Syntax and Processing | Compulsory
 | | XML Signature Syntax and Processing | XML Signature Syntax and Processing | Compulsory
2.1.5 | XML public key management | XKMS v2.0 | XML Key Management Specification version 2.0 | Compulsory
2.1.6 | Cryptographic message syntax for signing and encrypting | PKCS#7 v1.5 (RFC 2315) | Cryptographic message syntax for file-based signing and encrypting version 1.5 | Compulsory
2.2 | Standards for digital signatures on the system of equipment for management of private keys and digital certificates and remote digital signature creation | | |
2.2.1 | Policy and security requirements for digital signature servers | ETSI TS 119 431-1 | Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service providers; Part 1: TSP service components operating a remote QSCD/SCDev | Application of the 2-part standard; Version V1.1.1 (12/2018)
 | | ETSI TS 119 431-2 | Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service providers; Part 2: TSP service components supporting AdES digital signature creation |
2.2.2 | Protocol for creation of digital signatures | ETSI TS 119 432 | Electronic Signatures and Infrastructures (ESI); Protocols for remote digital signature creation | Version V1.1.1 (03/2019)
2.2.3 | Signature application on a digital signature server | EN 419241-1:2018 | Trustworthy Systems Supporting Server Signing - Part 1: General system security requirements |
2.2.4 | Requirements for digital signature module | EN 419241-2:2019 | Trustworthy Systems Supporting Server Signing - Part 2: Protection Profile for QSCD for Server Signing |
2.2.5 | Security requirements for | EN 419221-5:2018 | Protection Profiles for TSP Cryptographic modules - Part 5: Cryptographic Module for Trust Services |
3 | Standards for checking digital certificate status | | |
3.1 | Protocol for transmission and receipt of digital signatures and the Certificate Revocation List | RFC 2585 | Internet X.509 Public Key Infrastructure - Operational Protocols: FTP and HTTP | Application of either one or both of FTP and HTTP protocols
3.2 | Online Certificate Status Protocol | RFC 2560 | X.509 Internet Public Key Infrastructure - On-line Certificate Status Protocol |

 

 

 


------------------------------------------------------------------------------------------------------
This translation is made by THƯ VIỆN PHÁP LUẬT and for reference purposes only. Its copyright is owned by THƯ VIỆN PHÁP LUẬT and protected under Clause 2, Article 14 of the Law on Intellectual Property.
