It is registered
Ministry of Justice of Ukraine
October 22, 2020
No. 1039/35322
of September 30, 2020 No. 140/614
On establishing requirements for technical means and the processes of their creation, use and functioning as part of information and telecommunication systems in the provision of qualified electronic confidential services
According to part two of Article 7 and part two of Article 8 of the Law of Ukraine "About electronic confidential services", the second paragraph of Item 73 of the Requirements in the field of electronic confidential services approved by the resolution of the Cabinet of Ministers of Ukraine of November 7, 2018 No. 992, Items 4, 8, 10 of the Regulations on the Ministry of digital transformation of Ukraine approved by the resolution of the Cabinet of Ministers of Ukraine of September 18, 2019 No. 856, and Items 4, 10, 12 of the Regulations on Administration of Public service of special communication and information security of Ukraine approved by the resolution of the Cabinet of Ministers of Ukraine of September 3, 2014 No. 411, for the purpose of ensuring interoperability and technological neutrality of national technical solutions and preventing discrimination against them, we ORDER:
1. Determine that:
1) technical means which are created, used and function as part of information and telecommunication systems in the provision of qualified electronic confidential services, namely software and hardware complexes and means of the qualified digital signature or seal (hereinafter - technical means), and which apply the algorithms of cryptographic information security given in the national standards determined in Items 55 - 58 of the List of standards applied by skilled suppliers of electronic confidential services during provision of qualified electronic confidential services, which is appended to the Requirements in the field of electronic confidential services approved by the resolution of the Cabinet of Ministers of Ukraine of November 7, 2018 No. 992 (hereinafter - the List), shall conform to the requirements of the national standards determined in Items 1 - 50 and 66 - 77 of the List, to the extent that concerns the qualified confidential services provided or received with the use of such technical means;
2) technical means which apply the algorithms of cryptographic information security given in the national standards determined in Items 51 - 53 of the List shall conform to the requirements of the national standards determined in Items 1 - 50 and 66 - 77 of the List, and also to GSTU state standard specification 28147:2009 "Systems of information processing. Protection cryptographic. Algorithms of cryptographic transformation" and to the international recommendations RFC 5208 and RFC 2898, to the extent that concerns the qualified confidential services provided or received with the use of such technical means, taking into account the features concerning identifiers of certificate policies, national algorithms of cryptographic information security and other information objects, computation of the corresponding hash functions and creation of the digital signature;
3) compliance of technical means with the requirements of the national standards determined in Items 28 - 33 of the List, to the extent of the functions performed, is confirmed by documents on compliance or by positive expert opinions based on the results of state examination in the field of cryptographic information security (according to purpose).
Assessment of conformity or state examination in the field of cryptographic information security of technical means is performed taking into account the requirements of the standards provided in Items 59 - 62 of the List.
2. Skilled suppliers of electronic confidential services, customers, developers and producers of means of the qualified digital signature or seal, organizations which use electronic confidential services during electronic interaction of physical persons and legal entities that requires sending, receiving, use and permanent storage, with participation of third parties, of electronic data whose paper analogs shall contain a handwritten signature according to the legislation, and also authenticity checks in components of information systems in which such electronic data is processed and in which the owners of information are public authorities, local government bodies, and enterprises, institutions and organizations of the state form of ownership, shall ensure application of the requirements to technical means established by this order, and of personal keys generated before the entry into force of this order, until the expiry of the validity period of the corresponding qualified certificates of open keys, but no later than November 06, 2020.
3. The subjects of relations in the field of electronic confidential services who use qualified certificates of open keys in their activities apply the qualified digital signature:
1) within the country for the purpose of providing electronic document management and electronic authentication of persons according to:
GSTU 4145-2002 "Information technologies. Cryptographic information security. The digital signature based on elliptic curves. Forming and check" with the hash function in accordance with GOST 34.311-95 "Information technology. Cryptographic information security. Hashing function". These national standards apply to creation of the qualified digital signature till January 01, 2022, to creation of the qualified digital signature for the purpose of providing information on the status of certificates of open keys until the expiry of their validity period, and to verification of the qualified digital signature;
GSTU 4145-2002 "Information technologies. Cryptographic information security. The digital signature based on elliptic curves. Forming and check" with the hash function in accordance with GOST 7564-2014 "Information technologies. Cryptographic information security. Hashing function". These national standards apply to creation of the qualified digital signature from January 01, 2021 and to verification of the qualified digital signature;
GSTU ISO/IEC 14888-3:2019 "Information technologies. Protection methods. Digital signatures with appendix. Part 3. Mechanisms on the basis of discrete logarithms", using the ECDSA algorithm with an extension degree of the base field of the elliptic curve of at least 256 and with the hash functions sha256 or sha512, according to the national standard determined by Item 55 of the List;
2) for cross-border cooperation with any purpose according to requirements:
established by the national standard determined in Item 55 of the List;
specified in subitem 1 of this Item.
4. The expert group of development of electronic confidential services of the management of functional development of digitalization of the Ministry of digital transformation of Ukraine, for the purpose of ensuring interoperability and technological neutrality of national technical solutions in the field of electronic confidential services, preventing discrimination against them, and mutual recognition of the Ukrainian and foreign certificates of open keys and digital signatures used in the provision of legally significant electronic services, shall ensure the functioning of the software and hardware complex of the central certifying body and the protection of the information processed in it, according to the requirements of the legislation, by implementing on the official website of the central certifying body:
1) the software for creation and verification of the unified formats of advanced digital signatures (CAdES, PAdES, XAdES), and also of containers of electronic documents (ASiC), conforming to the requirements of the national standards determined in Items 11 - 23 of the List (hereinafter - the instrument of creation and verification of advanced digital signatures).
The functionality of the instrument of creation and verification of advanced digital signatures provides:
creation of containers of electronic documents (ASiC), verification of the electronic documents created as a result of creation of containers of electronic documents (ASiC);
creation and verification of the advanced digital signature of CAdES;
creation and verification of the advanced digital signature of PAdES;
creation and verification of the advanced digital signature of XAdES;
integration of technical solutions with information and telecommunication system of the central certifying body, the integrated system of electronic identification and other information and telecommunication systems;
2) the software of the system for monitoring the provision and use of electronic confidential services, which will promote an increase in the level of safety of electronic confidential services and in the interoperability of technical means which are subject to the requirements of this order (hereinafter - the instrument of monitoring of the sphere of electronic confidential services).
The functionality of the instrument of monitoring of the sphere of electronic confidential services provides:
distribution and timely updating of qualified certificates of open keys of the central certifying body and skilled suppliers of electronic confidential services in information and telecommunication systems of users of electronic confidential services;
submission of messages on changes in the Confidential list and statements on receipt of electronic confidential services from the central certifying body;
exchange of test examples for checking the correctness of implementation of formats, protocols and interfaces of technical means which are subject to the requirements of this order, between skilled suppliers of electronic confidential services and developers of such technical means (in particular, integration with the test software and hardware complex created on the official website of the central certifying body for forming of test certificates of open keys);
the automated exchange of statistical data concerning provision of electronic confidential services, including data connected with forming of electronic tags of time and test certificates of open keys, between skilled suppliers of electronic confidential services and the central certifying body;
real-time monitoring of the existing qualified certificates of open keys of users of electronic confidential services, with the relevant data (attributes) contained in such qualified certificates created for subscribers or creators of electronic seals;
preventing skilled suppliers of electronic confidential services from forming new qualified certificates of open keys on requests for forming of such certificates which were already processed earlier.
5. For the purpose of preventing the use of test certificates other than for their intended purpose, skilled suppliers of electronic confidential services take measures to implement the provisions of subitem 6.9.2 of Item 6.9 of Section 6 of the national standard GSTU ETSI EN 319 411-1:2019 (ETSI EN 319 411-1 V1.2.2 (2018-04), IDT) "Digital signatures and infrastructures (ESI). Requirements for safety for suppliers of confidential services which issue certificates. Part 1. General requirements", approved by the order of the state company "Ukrainian Research and Training Center of Problems of Standardization, Certification and Quality" of December 27, 2019 No. 515.
6. Declare invalid the order of the Ministry of Justice of Ukraine, Administration of Public service of special communication and information security of Ukraine of November 18, 2019 No. 3563/5/610 "About establishment of requirements to technical means, processes of their creation, use and functioning as a part of information and telecommunication systems of provision of electronic confidential services", registered in the Ministry of Justice of Ukraine on November 20, 2019 under No. 1172/34143.
7. The administrator of the information and telecommunication system of the central certifying body shall ensure:
1) the publication on the official website of the central certifying body of technical specifications with test examples for checking the correctness of implementation of formats, protocols and interfaces of the technical means determined in subitem 2 of Item 1 of this order (the qualified digital signature certificate, the qualified certificate of electronic seal and the qualified certificate of check of authenticity of the website, certificate revocation lists, qualified mark of time, information on the status of certificates, formats of signed data, the list of object identifiers) no later than one month from the effective date of this order;
2) creation on the official website of the central certifying body of functionality for assessment of internal and cross-border technological compatibility of technical means which are subject to the requirements of this order, and of their capability to interact among themselves, by introducing and providing technical support, till January 01, 2022, of:
the instrument of creation and verification of advanced digital signatures;
the instrument of monitoring in the field of electronic confidential services.
8. Determine that the object identifiers of the algorithms of cryptographic information security determined in subitem 2 of Item 1 of this order are published on the official website of Gosspetssvyaz until their registration by the national registering organization according to the legislation.
9. The management of functional development of digitalization of the Ministry of digital transformation of Ukraine (Haleeva A. P.) shall submit this order for state registration according to the Presidential decree of Ukraine of October 3, 1992 No. 493 "About state registration of regulatory legal acts of the ministries and other executive bodies".
10. This order becomes effective from the date of its official publication.
11. Control over execution of this order is imposed on the deputy minister of digital transformation of Ukraine and the vice-chairman of Public service of special communication and information security of Ukraine according to the distribution of functional obligations.
Vice-Prime Minister of Ukraine Minister of digital transformation of Ukraine
M. Fedorov
Chairman of Public service of special communication and information security of Ukraine
Yu.Shchegol
It is approved:
The chairman of the National commission performing state regulation in the field of communication and informatization
A. Zhivotovsky
Disclaimer! This text was translated by AI translator and is not a valid juridical document. No warranty. No claim.
The document ceased to be valid on March 26, 2024 according to Item 1 of the Order of the Ministry of digital transformation of Ukraine, Administration of Public service of special communication and information security of Ukraine of February 26, 2024 No. 29/97