MINISTRY OF INFORMATION AND COMMUNICATIONS | SOCIALIST REPUBLIC OF VIETNAM |
No. 16/2019/TT-BTTTT | Hanoi, December 5, 2019 |
Pursuant to the Law on E-Transactions dated November 29, 2005;
Pursuant to Decree No. 130/2018/ND-CP dated September 27, 2018 of the Government elaborating the implementation of the Law on E-Transactions regarding digital signatures and digital signature authentication services;
Pursuant to Decree No. 17/2017/ND-CP dated February 17, 2017 of Government on functions, tasks, powers, and organizational structure of Ministry of Information and Communications;
At the request of the Director General of the Department of Science and Technology,
Minister of Information and Communications promulgates Circular on lists of mandatory standards to be applied in digital signatures and digital signature authentication services in form of mobile PKI and remote signing.
...
This Circular applies to public certification authorities, specialized certification authorities of agencies and organizations issued with certificates of eligibility for special-use digital signature security and foreign certification authorities accredited by Ministry of Information and Communications in Vietnam providing digital signature authentication services in form of mobile PKI and remote signing; organizations and individuals developing applications utilizing digital signatures and providing digital signature solution in form of mobile PKI and remote signing.
1. Ministry of Information and Communications shall examine and revise the lists of mandatory standards to be applied in digital signatures and digital signature authentication services in form of mobile PKI and remote signing specified in Article 1 of this Circular to match technology development and management policies of the government.
2. Department of Science and Technology is responsible for taking charge, examining and updating the lists of mandatory standards to be applied in digital signatures and digital signature authentication services in form of mobile PKI and remote signing specified in Article 1 of this Circular.
3. National Electronic Authentication Center is responsible for providing guidelines, examining and assessing application of standards under the lists of mandatory standards to be applied in digital signatures and digital signature authentication services in form of mobile PKI and remote signing specified in Article 1 of this Circular.
Article 4. Implementation clause
1. This Circular comes into force from April 1, 2020.
2. Should there be any discrepancy between provisions of this Circular and those of Circular No. 39/2017/TT-BTTTT dated December 15, 2012 on list of technical standards for application of information technology in regulatory authorities in the same standards relating to use of digital signatures and digital signature authentication services provided by certification authorities in regulatory authorities, those of this Circular shall prevail.
...
4. Difficulties that arise during the implementation of this Circular should be promptly reported to Ministry of Information and Communications for consideration./.
MINISTER
Nguyen Manh Hung
LISTS OF MANDATORY STANDARDS TO BE APPLIED IN DIGITAL SIGNATURES AND DIGITAL SIGNATURE AUTHENTICATION SERVICES IN FORM OF MOBILE PKI AND REMOTE SIGNING
(Attached to Circular No. 16/2019/TT-BTTTT dated December 5, 2019 of Minister of Information and Communications)
No.
Standards
...
Full name of standards
Application regulations
1
1.1
Key and digital signature standards
1.1.1
Asymmetrical key and digital signatures
PKCS #1
RSA Cryptography Standard
...
- For RSA standards:
+ Version 2.1
+ Adopt scheme RSAES-OAEP for encryption and RSASSA-PSS for signature.
+ Minimum key length is 1024 bits
- For ECDSA standards: minimum key length is 256 bits
ANSI X9.62-2005
Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)
1.1.2
Symmetrical key
...
(FIPS PUB 197)
Information technology – Cryptography techniques – AES data encryption algorithm
(Advanced Encryption Standard)
Adopt either of the 2 standards
NIST 800-67
Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
1.1.3
Secure hash functions
FIPS PUB 180-4
...
Adopt any one of following hash functions: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256
FIPS PUB 202
SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
1.2
Information and data standards
1.2.1
Format of digital certificates and list of revoked digital certificates
RFC 5280
Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
...
1.2.2
Cryptographic Message Syntax
PKCS #7
Cryptographic Message Syntax Standard
Version 1.5
1.2.3
Certification Request Syntax
PKCS #10
Certification Request Syntax Standard
...
1.3
Standards of digital signature authentication policies and regulations
1.3.1
Certificate Policy and Certification Practices Framework
RFC 3647
Internet X.509 Public Key Infrastructure - Certificate Policy and Certification Practices Framework
1.4
Standards of digital certificate storage and tracking protocols
...
Directory access protocol schema
RFC 2587
Internet X.509 Public Key Infrastructure LDAPv2 Schema
Adopt either of the 2 standards
RFC 4523
Lightweight Directory Access Protocol (LDAP) Schema Definitions for X.509 Certificates
...
Directory access protocol
RFC 2251
Lightweight Directory Access Protocol (v3)
Adopt RFC 2251 standard or a set of 4 following standards:
RFC 4510, RFC 4511, RFC 4512, RFC 4513
RFC 4510
Lightweight Directory Access Protocol (LDAP): Technical specification Road Map
RFC 4511
Lightweight Directory Access Protocol (LDAP): The Protocol
...
Lightweight Directory Access Protocol (LDAP): Directory Information Models
RFC 4513
Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms
1.5
Standards of digital certificate status check
1.5.1
Digital certificate transfer and receipt protocols, list of revoked digital certificates
RFC 2585
Internet X.509 Public Key Infrastructure - Operational Protocols: FTP and HTTP
...
1.5.2
On-line Certificate status protocol
RFC 2560
X.509 Internet Public Key Infrastructure - On-line Certificate status protocol
1.6
Standard of security of HSM managing private keys of certification authorities
1.6.1
Security requirements for hardware security modules (HSM)
...
Security Requirements for Cryptographic Modules
Minimum requirement: level 3
1.7
Standards of systems managing private keys, digital certificates and creating digital signatures of customers
1.7.1
Security requirement for SIM cards
FIPS PUB 140-2
Security Requirements for Cryptographic Modules
- Adopt either of the 2 standards.
...
Minimum requirement: level 2
- For TCVN 8709 (ISO/IEC 15408) standards:
Minimum requirement: level 4 EAL
TCVN 8709 (ISO/IEC 15408)
Information technology – Safety techniques - Common Criteria for information technology security evaluation
(Common Criteria for Information Technology Security Evaluation)
1.7.2
Functional and operational requirements
ETSI TR 102 203
...
Version V1.1.1
1.7.3
Web service interface
ETSI TS 102 204
Mobile Commerce (M-COMM); Mobile Signature Service; Web Service Interface
Version V1.1.4
1.7.4
Security framework
ETSI TR 102 206
...
Version V1.1.3
1.7.5
Specifications for roaming
ETSI TS 102 207
Mobile Commerce (M-COMM); Mobile Signature Service; Specifications for Roaming in Mobile Signature Services
Version V1.1.3
2
2.1
Key and digital signature standards
...
Asymmetrical key and digital signatures
PKCS #1
RSA Cryptography Standard
- Adopt either of the 2 standards.
- For RSA standards:
+ Version 2.1
+ Adopt scheme RSAES-OAEP for encryption and RSASSA-PSS for signature.
+ Minimum key length is 2048 bits
- For ECDSA standards: minimum key length is 256 bits
...
Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)
2.1.2
Symmetrical key
TCVN 7816:2007 (FIPS PUB 197)
Information technology – Cryptography techniques – AES data encryption algorithm
Adopt either of the 2 standards
NIST 800-67
Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
2.1.3
...
FIPS PUB 180-4
Secure Hash Standard
Adopt any one of following hash functions: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256
FIPS PUB 202
SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
2.2
Information and data standards
2.2.1
Format of digital certificates and list of revoked digital certificates
...
Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
2.2.2
Cryptographic Message Syntax
PKCS #7
Cryptographic Message Syntax Standard
Version 1.5
2.2.3
Certification Request Syntax
...
Certification Request Syntax Standard
Version 1.7
2.2.4
Private-key information syntax
PKCS #8
Private-Key Information Syntax Standard
Version 1.2
2.2.5
Cryptographic token interface
...
Cryptographic token interface standard
Version 2.20
2.2.6
Personal Information Exchange Syntax
PKCS #12
Personal Information Exchange Syntax Standard
Version 1.0
2.3
Standards of digital signature authentication policies and regulations
...
Certificate Policy and Certification Practices Framework
RFC 3647
Internet X.509 Public Key Infrastructure - Certificate Policy and Certification Practices Framework
2.4
Standards of digital certificate storage and tracking protocols
2.4.1
Directory access protocol schema
RFC 2587
...
Adopt either of the 2 standards
RFC 4523
Lightweight Directory Access Protocol (LDAP) Schema Definitions for X.509 Certificates
2.4.2
Directory access protocol
RFC 2251
Lightweight Directory Access Protocol (v3)
Adopt RFC 2251 standard or a set of 4 following standards: RFC 4510, RFC 4511, RFC 4512, RFC 4513
RFC 4510
...
RFC 4511
Lightweight Directory Access Protocol (LDAP): The Protocol
RFC 4512
Lightweight Directory Access Protocol (LDAP): Directory Information Models
RFC 4513
Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms
2.5
Standards of digital certificate status check
2.5.1
...
RFC 2585
Internet X.509 Public Key Infrastructure - Operational Protocols: FTP and HTTP
Adopt either or both of FTP and HTTP protocols
2.5.2
On-line Certificate status protocol
RFC 2560
X.509 Internet Public Key Infrastructure - On-line Certificate status protocol
2.6
...
2.6.1
Security requirements for hardware security modules (HSM)
FIPS PUB 140-2
Security Requirements for Cryptographic Modules
- Adopt either of the 2 standards.
- For FIPS PUB 140-2 standard:
Minimum requirement: level 3
EN 419221-5:2018
Protection Profiles for TSP Cryptographic modules - Part 5: Cryptographic Module for Trust Services
...
Standards of systems managing private keys, digital certificates and creating digital signatures of customers
2.7.1
Policy and security requirements for electronic signing servers
ETSI TS 119 431-1
Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service providers; Part 1: TSP service components operating a remote QSCD/SCDev
Adopt 2-part standard set;
Version V1.1.1 (Dec/2018)
ETSI TS 119 431-2
Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service providers; Part 2: TSP service components supporting AdES digital signature creation
...
Digital signature creation protocol
ETSI TS 119 432
Electronic Signatures and Infrastructures (ESI); Protocols for remote digital signature creation
Version V1.1.1 (Mar/2018)
2.7.3
Signing applications on signing servers
EN 419241-1:2018
Trustworthy Systems Supporting Server Signing - Part 1: General system security requirements
...
Requirements for signing modules
EN 419241-2:2019
Trustworthy Systems Supporting Server Signing - Part 2: Protection Profile for QSCD for Server Signing
2.7.5
Security requirements for hardware security modules (HSM)
EN 419221-5:2018
Protection Profiles for TSP Cryptographic modules - Part 5: Cryptographic Module for Trust Services
...
- 1 Circular No. 39/2017/TT-BTTTT dated December 15, 2017 promulgating List of technical standards for application of information technology in regulatory authorities
- 2 Circular No. 39/2017/TT-BTTTT dated December 15, 2017 promulgating List of technical standards for application of information technology in regulatory authorities