
PREMIER MINISTRE
Secrétariat général de la défense nationale
Direction centrale de la sécurité des systèmes d'information

Paris, 7 April 2003
No. 872/SGDN/DCSSI/SDR
Reference: SIG/P/01.1

PROCEDURE

CERTIFICATION OF THE CONFORMITY OF ELECTRONIC SIGNATURE CREATION DEVICES

Subject: Certification of the conformity of electronic signature creation devices

Application: From 7 April 2003

Circulation: Public

Modifications

Version | Date | Modifications


TABLE OF CONTENTS

1. PURPOSE OF THE PROCEDURE

2. CONTEXT

2.1. Legal context

2.2. The Two Levels for Electronic Signatures

2.2.1. The “Simple” Electronic Signature

2.2.2. The “Presumed Reliable” Electronic Signature

2.3. The European Context

3. PROCEDURE FOR AWARDING A CERTIFICATE OF CONFORMITY

3.1. Requirements Concerning the Secure Electronic Signature Creation Device

3.2. Insertion in the French Certification Scheme

3.3. Format of the Certificate of Conformity

3.4. Conditions for Awarding a Certificate of Conformity

3.5. Organisms Awarding the Certificate of Conformity

3.6. Validity of the Certificate of Conformity

4. DCSSI’S RECOMMENDATIONS

4.1. Recommendations Concerning Protection Profiles

4.2. Recommendation Concerning Cryptographic Algorithms

4.3. Requirements Concerning Other Protection Profiles or Security Targets

4.4. Use of Other Certification Standards

APPENDIX A TABLE SHOWING RECOMMENDED PROTECTION PROFILES

APPENDIX B ABBREVIATIONS

1. Purpose of the Procedure

This document defines the procedure for awarding, to secure electronic signature creation devices, a certificate of conformity to the requirements of article 3.I of French decree no. 2001-272 of 30 March 2001 relating to electronic signatures.

2. Context

2.1. Legal context

The European directive of 13 December 1999 on a European framework for electronic signatures was transposed by French law no. 2000-230 of 13 March 2000 and application decree no. 2001-272 of 30 March 2001.

French law no. 2000-230 defines two levels of electronic signature processes recognised by the law, presented in paragraph 2.2:

• “simple” electronic signatures,

• “presumed reliable” electronic signatures.

French decree no. 2001-272 states the conditions required for an electronic signature to be presumed reliable. One of these conditions is that the secure signature creation device (SSCD) be certified as conforming to the requirements laid down in appendix III of the European Directive and reiterated in art. 3.I of decree no. 2001-272.

2.2. The Two Levels for Electronic Signatures

2.2.1. The “Simple” Electronic Signature

Article 4 of French law no. 2000-230 of 13 March 2000 defines an electronic signature in the following terms (courtesy translation):

“If it [the signature] is electronic, it consists in using a reliable means of identification guaranteeing its link with the action to which it is attached.”

At this level, the electronic signature process is not presumed reliable but the text thus signed in electronic form may not be refused as evidence in court if the process makes it possible to identify the signatory and guarantee the link with the action signed. In the event of a dispute, it is up to the signatory to prove the reliability of the electronic signature process used.

2.2.2. The “Presumed Reliable” Electronic Signature

Article 4 of French law no. 2000-230 of 13 March 2000 specifies that the burden of proof may be reversed in the event of a dispute under certain conditions defined by decree (courtesy translation):

“This process is presumed reliable, until proven to the contrary, if the electronic signature is created, the identity of the signatory assured and the integrity of the action guaranteed, under terms fixed by order with obligatory consultation of the Council of State.”

Article 2 of the French decree of 30 March 2001 defines the conditions under which the electronic signature process is considered reliable:

• the electronic signature is secure,

• the signature creation device used to establish the electronic signature is secure,

• verification of the electronic signature is based on use of a qualified electronic certificate.

This procedure shall only address the condition stated in the second point.

In order for a signature creation device to be recognised as secure, it must fulfil a certain number of requirements described in art. 3.I of decree no. 2001-272 (cf. § 3.1) and be certified as conforming to these requirements.

The purpose of this document is to describe the procedure by which the DCSSI awards certificates of conformity.

2.3. The European Context

The DCSSI bases its work on that of the EESSI (European Electronic Signature Standardization Initiative), a European standardization initiative launched by the European Commission following European Directive 1999/93/EC. The EESSI has produced several documents, some of which have been applied by the DCSSI. In accordance with Directive 1999/93/EC, the European Commission should have published standards in the Official Journal of the European Union, after consultation of the Committee created in article 9 of the directive and composed of Member State representatives. Devices certified as conforming to these standards will be presumed to conform to the requirements of the directive. The European Commission has to date not, however, published any decision on this subject.

In accordance with article 3.II.2 of decree no. 2001-272 (transposition of article 3.4 of the European directive), this certificate of conformity is recognised in each Member State.

3. Procedure for Awarding a Certificate of Conformity

3.1. Requirements Concerning the Secure Electronic Signature Creation Device

Article 3.I of French decree no. 2001-272 lays down the requirements that the secure electronic signature creation device must fulfil (courtesy translation):

“A secure electronic signature creation device must:

1. Guarantee via technical means and appropriate procedures that the electronic signature creation data:

a. Cannot be established more than once and that its confidentiality is ensured;

b. Cannot be discovered by deduction and that the electronic signature is protected against any forgery;

c. Can be adequately protected by the signatory against any use by a third party.

2. Not entail any alteration of the content to be signed or prevent the signatory from having full knowledge thereof before signing.”

The requirements listed above shall hereinafter be referred to as the “requirements of the decree”.

The SSCD shall be considered as consisting of the module that creates the electronic signature creation and verification data and generates the electronic signature. We therefore exclude from the scope of the SSCD the application driving the afore-mentioned module, the operating system on which the application is installed, and all devices found in the SSCD’s environment. On the other hand, the transmission channel between the SSCD and the electronic signature application must be secure, i.e. the integrity of the data to be signed, transmitted by the application to the SSCD, must be protected, unless the SSCD is in a protected environment (at the service provider’s premises). This requirement is only verified during the evaluation of the SSCD if the latter is to be used in an open environment (with the end user).

3.2. Insertion in the French Certification Scheme

In the framework of French decree no. 2002-535, the evaluation of the device must take place in a DCSSI-licensed evaluation facility. These evaluation facilities conduct evaluations following standardised criteria: either the ITSEC (used less and less) or the ISO/IEC 15408 standard (also called “Common Criteria” (CC)). The evaluation ensures that a product conforms to a security target, which itself may conform to a protection profile.

The evaluation is conducted prior to the awarding of a certificate of conformity to the decree and must be based on a security target which covers fully the requirements of the decree and which offers an acceptable level of assurance according to the chosen environment.

3.3. Format of the Certificate of Conformity

The certificate of conformity awarded by the DCSSI is in the form of a separate document in addition to the CC or ITSEC certificate awarded for the product itself.


The certificate of conformity mentions the functions for which it is awarded and the certification report relating to the CC or ITSEC certification on which it is based.

If the sponsor only has part of the device evaluated (electronic signature creation data generation function or electronic signature creation function), it will be awarded a certificate mentioning the function covered by the device. The device must be used with another device that has also obtained a certificate of conformity mentioning the other, complementary function.

3.4. Conditions for Awarding a Certificate of Conformity

The evaluation of the module may give rise to two scenarios:

• The security target, drawn up by the evaluation sponsor, conforms to one of the protection profiles recommended by the DCSSI. In this case, the security target is presumed to conform to the requirements of the decree, and the certificate of conformity may be attributed after the evaluation and certification of the device based on this security target;

• The sponsor may propose a security target which does not conform to one of the protection profiles recommended by the DCSSI. In this case, it must prove that the target fulfils the requirements of decree no. 2001-272. The DCSSI awards the conformity certificate if this proof is supplied and if the device is certified based on this security target.

In addition, the certificate of conformity to the decree is only awarded after the DCSSI accepts the algorithms used. Cryptographic analysis is obligatory and is carried out by the DCSSI according to an application note on cryptology for the scheme.

If the device has been awarded a CC or ITSEC certificate by another country, the DCSSI reserves the right to conduct an analysis of the algorithms used before awarding the certificate of conformity to decree no. 2001-272.

3.5. Organisms Awarding the Certificate of Conformity

Article 3.II of French decree no. 2001-272 specifies the terms according to which the electronic signature creation device is certified as conforming to the requirements of the decree, as follows (courtesy translation):

“A secure electronic signature creation device must be certified as conforming to the requirements defined in I:

1. Either by the Prime Minister, under the terms set forth in decree no. 2002-535 of 18 April 2002 relating to evaluation and certification of security provided by information technology products and systems. The awarding of the certificate of conformity is made public.

2. Or by a body appointed to this effect by an EC Member State.”

Decree no. 2002-535 appoints the DCSSI to this effect.

3.6. Validity of the Certificate of Conformity

The certificate of conformity to the decree is linked to the CC or ITSEC certificate. However, the state of the art with regard to attacks, for which the CC or ITSEC certificate is awarded, can evolve very quickly.

As a result of this, the CC or ITSEC certificate, on the basis of which the certificate of conformity is awarded, must be subject to a monitoring process which is defined in a procedure under the certification scheme. The DCSSI can, therefore, at any time demand an additional evaluation of the device if it considers that the state of the art has significantly changed.

The certificate of conformity is revoked in the event of a failure in the monitoring process or of any fact brought to the attention of the DCSSI calling into question the module’s conformance to the requirements laid down by the decree.

4. DCSSI’s Recommendations

4.1. Recommendations Concerning Protection Profiles

The DCSSI recommends protection profiles, set forth in the table in Appendix A, taking into account the environment in which the target is used and the functions for which they have been written.

There are two types of environment:

• The environment of the final user,

• The environment of the certification service provider (CSP).

In addition, a complete secure electronic signature creation device must ensure at least the following functions:

• Generation of electronic signature creation data (private key) and verification data (public key),

• Electronic signature creation.

Each of these functions can be executed by a separate module and give rise to a certificate of conformity (cf. § 3.3).

4.2. Recommendation Concerning Cryptographic Algorithms

The DCSSI encourages using the document produced by the EESSI on algorithms recommended for electronic signatures entitled “Algorithms and Parameters for Secure Electronic Signatures”. This guide:

• Lists existing acceptable algorithms for electronic signatures and the minimum size of keys to use for these algorithms,

• States the length of validity of the recommended algorithms.

For each request for a certificate of conformity to the decree, the DCSSI demands a cryptographic analysis (cf. § 3.4), which must attain level “high”.

4.3. Requirements Concerning Other Protection Profiles or Security Targets

In the event that the sponsor proposes a target which does not conform to one of the protection profiles recommended by the DCSSI, the proposed security target must observe the following minimum requirements:

• The security objectives of the target must cover the requirements laid down by the decree;

• The assurance requirements of the security target must correspond to level EAL 4+.

Depending on the environment of the SSCD under evaluation, Level EAL 4 must be supplemented by at least:

• In an open environment: AVA_MSU.3, AVA_VLA.4,

• In a protected environment: ADV_IMP.2, AVA_CCA.1, AVA_VLA.4.

For an evaluation according to the ITSEC, the assurance level must be “E3 high” and the assurance components required must be examined on a case-by-case basis through cooperation between the evaluation sponsor and the DCSSI.

4.4. Use of Other Certification Standards

If the device concerned has already been certified according to a standard other than the ITSEC or the CC, the DCSSI examines the additional evaluations needed in order to award the certificate of conformity on a case-by-case basis, and the sponsor must supply the DCSSI with all documents necessary in order to carry out this examination, such as the evaluation report.

The DCSSI examines situations not covered by this procedure on a case-by-case basis.

Finally, any dispute or disagreement concerning the awarding of the certificate of conformity to the decree shall be brought to the attention of the certification management board.

Appendix A: Table Showing Recommended Protection Profiles

Protection profile used | EESSI standard no. | Environment concerned | Electronic signature creation and verification data generation function (1) | Electronic signature creation function (2) | Conformance to French decree no. 2001-272 (art. 3.I)
PP SSCD type1: Secure Signature Creation Device type1 | CWA 14169 Appendix A | User | Yes | No | Conformance for the function (1)
PP SSCD type2: Secure Signature Creation Device type2 | CWA 14169 Appendix B | User | No | Yes | Conformance for the function (2)
PP SSCD type3: Secure Signature Creation Device type3 | CWA 14169 Appendix C | User | Yes | Yes | Conformance
PP MCSO: Cryptographic Module for CSP Signing Operations | CWA 14167-2 | Certification service provider | Yes | Yes | Conformance
PP CMCKG: Cryptographic Module for CSP Key Generation Services | CWA 14167-3 (pending) | Certification service provider | Yes | No | Conformance for the function (1)

Appendix B: Abbreviations

CC: Common Criteria

CEM: Common Evaluation Methodology

CMCKG: Cryptographic Module for CSP Key Generation Services

COFRAC: Comité Français d’Accréditation / French accreditation board

DCSSI: Direction Centrale de la Sécurité des Systèmes d’Information / Central Directorate for Information Systems Security

IT: Instruction Technique / Technical Instruction

ITSEC: Information Technology Security Evaluation Criteria

ITSEM: Information Technology Security Evaluation Methodology

MCSO: Module for CSP Signing Operation

PSC / CSP: Prestataire de Service de Certification / Certification Service Provider

SSCD: Secure Signature Creation Device / Dispositif sécurisé de création de

Appendix C: References

Directive 1999/93/CE of the European Parliament and Council of 13 December 1999 on a Community framework for electronic signatures.

French law 2000-230 of 13 March 2000: Defining the adaptation of the law of proof to information technologies and relating to electronic signatures.

French decree 2001-272 of 30 March 2001: Enacted to implement article 1316-4 of the French Civil Code relating to electronic signatures, modified by article 20 of decree 2002-535.

French decree 2002-535 of 18 April 2002: Relating to evaluation and certification of security provided by information technology products and systems.

CWA 14169: European Committee for Standardization CEN/ISS: Security Requirements of Secure Signature Creation Devices (SSCD) – SSCD-PP.

CWA 14167-2: European Committee for Standardization CEN/ISS: Security Requirements of Cryptographic Module for CSP Signing Operations – MCSO-PP.

CWA 14167-3: European Committee for Standardization CEN/ISS: Security Requirements of Cryptographic Module for CSP Key Generation Services – CMCKG-PP.

ITSEC: Information technology security evaluation criteria (ITSEC), version 1.2, June 1991.

ISO/IEC 15408: Information technology — Security techniques — Evaluation criteria for IT security: ISO/IEC 15408-1:1999(E): Part 1: Introduction and general model; ISO/IEC 15408-2:1999(E): Part 2: Security functional requirements; ISO/IEC 15408-3:1999(E): Part 3: Security assurance requirements.

CC: Common Criteria for Information Technology Security Evaluation: Part 1: Introduction and general model, version 2.1, August 1999; Part 2: Security functional requirements, version 2.1, August 1999; Part 3: Security assurance requirements, version 2.1, August 1999.
