Nội dung toàn văn Circular 22/2020/TT-BTTTT technical requirements applicable to digital signature software
THE MINISTRY OF INFORMATION AND COMMUNICATIONS | THE SOCIALIST REPUBLIC OF VIETNAM |
No. 22/2020/TT-BTTTT | Hanoi, September 07, 2020 |
CIRCULAR
TECHNICAL REQUIREMENTS APPLICABLE TO DIGITAL SIGNATURE SOFTWARE AND DIGITAL SIGNATURE CHECKING SOFTWARE
Pursuant to the Law on E-Transactions dated November 29, 2005;
Pursuant to the Government’s Decree No. 130/2018/ND-CP dated September 27, 2018 on guidelines for the Law on E-Transactions regarding digital signatures and digital signature authentication;
Pursuant to the Government’s Decree No. 17/2017/ND-CP dated February 17, 2017 defining the functions, tasks, powers and organizational structure of the Ministry of Information and Communications;
At the request of the Director of the National Electronic Authentication Centre,
The Minister of Information and Communications hereby promulgates a Circular on technical requirements applicable to digital signature software and digital signature checking software.
Chapter I
GENERAL
Article 1. Scope
1. This Circular provides for technical requirements applicable to digital signature software and digital signature checking software.
2. Technical requirements applicable to digital signature software and digital signature checking software for digital signatures on electronic documents of regulatory agencies are not governed by this Circular.
Article 2. Regulated entities
1. This Circular applies to organizations and individuals that opt to use digital signature software and digital signature checking software to make e-transactions; certification authorities; organizations and individuals that develop digital signature applications and use digital signatures.
2. This Circular does not apply to specialized certification authorities of the Government.
Article 3. Definitions
1. “digital certificate for organization” means a form of electronic certificate issued by a certification authority in order to provide identity for the public key of an organization to certify that such organization is the signer of the digital signature by using corresponding private key.
2. “digital certificate for individual” means a form of electronic certificate issued by a certification authority in order to provide identity for the public key of an individual to certify that such individual is the signer of the digital signature by using corresponding private key.
3. “private key for organization” means a key corresponding to the digital certificate for an organization.
4. “private key for individual” means a key corresponding to the digital certificate for an individual.
5. “digital signature software” means independent software or a software module or a solution that performs the function of attaching digital signatures to data messages.
6. “digital signature checking software” means independent software or a software module or a solution that performs the function of checking validity of digital signatures attached to digital signature data messages.
7. “trusted path on a digital certificate” means a web address on a digital certificate showing the certification authority which issued that digital certificate.
Chapter II
TECHNICAL REQUIREMENTS APPLICABLE TO DIGITAL SIGNATURE SOFTWARE AND DIGITAL SIGNATURE CHECKING SOFTWARE
Section 1- Digital signature software
Article 4. General requirements
Technical standards for digital signatures attached to data messages in the List of technical standards for digital signatures attached to data messages promulgated together with this Circular shall be complied with.
Article 5. Functional requirements
1. Attaching digital signatures:
a) If the singer of digital messages attached to data messages is an individual, such signer is allowed to use the individual private key to attach digital signatures to data messages;
b) If the singer of digital messages attached to data messages is an organization, such signer is allowed to use the private key for organization to attach digital signatures to data messages.
2. Checking validity of digital certificates:
a) Digital certificates of persons attaching digital signatures to data messages are checked via the trusted path on such digital certificates and also checked by the national certification authority.
b) The checking of validity of a digital certificate at the digital signature time shall focus on:
- Validity period of the digital certificate;
- Status of the digital certificate through the Certificate Revocation List (CRL) published at the digital signature time or through the Online Certificate Status Protocol (OCSP) in the case where the certification authority provides OCSP services.
- Cryptographic algorithms used on the digital certificate;
- Purposes and scope of the digital certificate.
c) The digital certificate remains valid if the following criteria are met:
- The validity period on the digital certificate remains unexpired at the digital signature time;
- Cryptographic algorithms used on the digital certificate comply with compulsorily applied technical regulations and standards for digital signatures and digital signature authentication which remain effective;
- The digital certificate remains operational at the digital signature time;
- The digital certificate is used for intended purposes and within the intended scope.
3. Storage and cancellation of the following pieces of information attached to digital signature data messages:
a) Digital certificates corresponding to private keys which signers use to sign data messages at the digital signature time;
b) List of certification authorities’ digital certificates revoked at the signature time that correspond to digital signatures attached to outgoing data messages;
c) Validation etiquettes of certification authorities issuing digital certificates that correspond to the digital signatures attached to outgoing data messages;
d) Results of checking of status of the digital certificates corresponding to the digital signatures attached to incoming data messages.
4. Change (addition or reduction) of digital signatures of certification authorities.
5. Notification (in alphabetical letters/symbols) of checking whether a digital signature is valid or not.
Section 2-Digital signature checking software
Article 6. General requirements
Technical standards for digital signatures attached to data messages in the List of technical standards for digital signatures attached to data messages promulgated together with this Circular shall be complied with.
Article 7. Functional requirements
1. Checking of validity of digital signatures affixed to data messages:
a) Digital signatures affixed to data messages are verified according to the principle: a digital signature is generated from a private key corresponding to the public key on the digital certificate;
b) Digital certificates of persons attaching digital signatures to data messages are checked via the trusted path on such digital certificates and also checked by the national certification authority.
c) Information about persons attaching digital signatures to data messages are checked and verified focusing on the following:
- Validity period of the digital certificates;
- Status of the digital certificates through the Certificate Revocation List (CRL) published at the time of attaching the digital signature or through the Online Certificate Status Protocol (OCSP) in the case where the certification authority provides OCSP services.
- Cryptographic algorithms used on the digital certificates;
- Purpose and scope of the digital certificates.
d) A digital certificate remains valid if the following criteria are met:
- The validity period on the digital certificate remains unexpired at the digital signature time;
- Cryptographic algorithms used on the digital certificate comply with compulsorily applied technical regulations and standards for digital signatures and digital signature authentication which remain effective;
- The digital certificate remains operational at the digital signature time;
- The digital certificate is used for intended purposes and within the intended scope.
dd) Integrity of digital signature data messages is checked as follows:
- Decrypt the digital signature on each data message to obtain information about the hash value;
- Use the secure hash algorithm that generated the hash value on the digital signature to generate a hash value for the data message;
- Compare the two hash values to check if whether they match, thereby checking the integrity of the digital signature data message.
e) A digital signature on the data message is considered valid if:
- Information about the signer has been checked and verified;
- The signer’s digital certificate remains valid at the signature time;
- Digital signature on the data message matches the private key corresponding to the public key on the digital certificate and integrity of the data message is ensured.
2. Storage and cancellation of the following pieces of information attached to digital signature data messages:
a) Digital certificates corresponding to digital signatures attached to incoming digital signature data messages;
b) List of certification authorities’ digital certificates revoked at the signature time that correspond to with digital signatures attached to incoming data messages;
c) Validation etiquettes of certification authorities issuing digital certificates that correspond to digital signatures attached to incoming data messages;
d) Results of checking of digital certificate status appropriate for digital signatures attached to incoming data messages.
3. Change (addition or reduction) of digital signatures of certification authorities.
4. Notification (in alphabetical letters/symbols) of checking whether a digital signature is valid or not.
Chapter III
IMPLEMENTATION CLAUSE
Article 8. Implementation
1. The National Electronic Authentication Centre shall provide guidelines for the implementation of this Circular.
2. Public certification authorities and specialized certification authorities of organizations shall publish technical specifications (documents and tool sets), digital certificates related to certification authorities and standards for digital signatures on websites of the certification authorities.
3. Organizations and individuals that develop digital signature applications and use digital signatures shall comply with technical requirements and manuals for digital signature software and digital signature checking software.
Article 9. Grandfather clause
Organizations and individuals using digital signature software and digital signature checking software before the effective date of this Circular shall keep using them until they are changed, upgraded or replaced shall comply with the regulations laid down in this Circular.
Article 10. Effect
1. This Circular comes into force from November 01, 2020.
2. Chief of Office, National Electronic Authentication Centre, heads of agencies and units affiliated to the Ministry of Information and Communications, Directors of Departments of Information and Communications of provinces and central-affiliated cities, and relevant organizations and individuals are responsible for the implementation of this Circular.
3. Difficulties that arise during the implementation of this Circular should be promptly reported to the Ministry of Information and Communications (the National Electronic Authentication Centre) for consideration and resolution./.
| THE MINISTER |
APPENDIX
LIST OF TECHNICAL STANDARDS FOR DIGITAL SIGNATURES ATTACHED TO DATA MESSAGES
(Enclosed with the Circular No. 22/2020/TT-BTTTT dated September 07, 2020 of the Minister of Information and Communications)
No. | Type of standard | Standard code | Full name of standard | Form of application |
1 | Standards for format of data messages | |||
1.1 | Character set and encoding | ASCII | American Standard Code for Information Interchange | Recommended |
1.2 | Coded Vietnamese character set | TCVN 6909:2001 | TCVN 6909:2001 “Information Technology - 16-bit Coded Vietnamese Character Set” | Compulsory |
1.3 | Character set demonstration | UTF-8 | 8-bit Universal Character Set (UCS)/ Unicode Transformation Format | Recommended |
1.4 | Data message format language | XML v1.0 (5th Edition) | Extensible Markup Language version 1.0 (5th Edition) | Compulsory application of one of the two standards |
XML v1.1 (2nd Edition) | Extensible Markup Language version 1.1 | |||
1.5 | XML Schema Definition | XML Schema version 1.1 | XML Schema version 1.1 | Recommended |
1.6 | XML metadata interchange specification | XML v2.4.2 | XML Metadata Interchange version 2.4.2 | Recommended |
2 | Standards for digital signatures and checking of digital signatures | |||
2.1 | Standards for digital signatures on private key management devices, digital signature software, creation of digital signatures, digital certificates and digital signature checking software. | |||
2.1.1 | Encryption algorithms | TCVN 7816:2007 | Cryptographic technique - Cryptographic algorithms - Data Encryption Algorithm AES | Recommended |
NIST 800-67 | Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher | Recommended | ||
PKCS#1 | RSA Cryptography Standard (Version 2.1 or later) Application and use of the RSAES-OAEP scheme for encryption A minimum of 2048-bit keys | Recommended | ||
ECC | Elliptic Curve Crytography | Recommended | ||
2.1.2 | Digital signature algorithm | TCVN 7635:2007 | Cryptography technique - Digital signature | - Application of one of the three standards. - For TCVN 7635:2007 and + Version 2.1 + Application of + A minimum of 2048-bit keys - For the standard ECDSA: a minimum of 256-bit keys |
PKCS#1 | RSA Cryptography Standard | |||
ANSI X9.62-2005 | Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)
| |||
2.1.3
| Secure hash function | FIPS PUB 180-4 | Secure Hash Algorithms | Application of one of the |
FIPS PUB 202 | SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions | |||
2.1.4 | Secure XML message exchange | XML Encryption Syntax and Processing | XML Encryption Syntax and Processing | Compulsory |
XML Signature Syntax and Processing | XML Signature Syntax and Processing | Compulsory | ||
2.1.5 | XML public key management | XKMS v2.0 | XML Key Management Specification version 2.0 | Compulsory |
2.1.6 | Cryptographic message syntax for signing and encrypting | PKCS#7 v1.5 (RFC 2315) | Cryptographic message syntax for file-based signing and encrypting version 1.5 | Compulsory |
2.2 | Standards for digital signatures on the system of equipment for management of private keys and digital certificates and remote digital signature creation | |||
2.2.1 | Policy and security requirements for digital signature servers | ETSI TS 119 431-1 | Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service providers; Part 1: TSP service components operating a remote QSCD/SCDev | Application of the 2 part standard; Version V1.1.1 (12/2018)
|
ETSI TS 119 431-2 | Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service providers; Part 2: TSP service components supporting AdES digital signature creation | |||
2.2.2 | Protocol for creation of digital signatures | ETSI TS 119 432
| Electronic Signatures and Infrastructures (ESI); Protocols for remote digital signature creation | Version V1.1.1 (03/2019) |
2.2.3 | Signature application on a digital signature server | EN 419241-1:2018 | Trustworthy Systems Supporting Server Signing - Part 1: General system security requirements |
|
2.2.4 | Requirements for digital signature module | EN 419241-2:2019 | Trustworthy Systems Supporting Server Signing - Part 2: Protection Profile for QSCD for Server Signing |
|
2.2.5 | Security requirements for | EN 419221-5:2018 | Protection Profiles for TSP Cryptographic modules - Part 5: Cryptographic Module for Trust Services |
|
3 | Standards for checking digital certificate status | |||
3.1 | Protocol for transmission and receipt of digital signatures and the Certificate Revocation List | RFC 2585 | Internet X.509 Public Key Infrastructure - Operational Protocols: FTP and HTTP | Application of either one or both of FTP and HTTP protocols |
3.2 | Online Certificate Status Protocol | RFC 2560 | X.509 Internet Public Key Infrastructure - On-line Certificate status protocol |
|
------------------------------------------------------------------------------------------------------
This translation is made by THƯ VIỆN PHÁP LUẬT and for reference purposes only. Its copyright is owned by THƯ VIỆN PHÁP LUẬT and protected under Clause 2, Article 14 of the Law on Intellectual Property.Your comments are always welcomed