Decree No. 194 / 2009 Coll.
Order setting out the details of the use and operation of the data box information system
Valid
Order
Effective from 01.07.2009
194
DECLARATION
of 23 June 2009
on the details of the use and operation of the data box information system
The Ministry of the Interior provides, pursuant to § 9 paragraphs 3 and 4, § 20 paragraph 3 and § 21 of Act No. 300 / 2008 Coll., on electronic acts and authorized conversion of documents, as amended by Act No. 190 / 2009 Coll.:
Forms of access data for logging into the data box
(1) Access data for logging into a data clipboard are user name and security password.
(2) The username is unique for each person.
(3) The user name is a string of at least 6 and a maximum of 12 characters created by automated generation.
(4) Allowed characters for creating the username and security password are listed in Annex 1 to this Decree.
(5) Security password
(a) they must not be identical to the user name with which they form one access data;
(b) it must contain at least 8 characters and not more than 64 characters,
(c) it must contain at least one capital letter, one small letter and one digit;
(d) it shall not contain 3 or more identical characters repeated in succession;
(e) shall not start with the text "qwert," "asdfg" or "12345"; and
(f) shall not be consistent with the last safety passwords used.
Electronic means for logging into a data box
(1) An electronic device which is a cryptographic device may be used for logging into a data box
(a) containing a private cryptographic key and a public cryptographic key which are created and used using one of the algorithms listed in point I of Annex 2 to this Decree;
(b) containing a certificate for the authentication of the user (hereinafter referred to as the "authentication certificate") which is created and used using the hashing function referred to in point II of Annex 2 to this Regulation and using the algorithms referred to in (a);
(c) enabling the creation, storage and use of a private cryptographic key and a public cryptographic key and an authentication certificate in the format established in accordance with the standard set out in point III (a) of Annex 2 to this Decree; the authentication certificate contains:
1. data enabling identification of the person entering the data box information system;
2. the trading firm or the name of the qualified trust service provider that issued the authentication certificate in the case of a legal person, or the name or, where applicable, the name, surname or, where applicable, the distinguishing supplement in the case of a natural person, and the State in which the qualified trust service provider is established;
3. the number of the authentication certificate unique to the qualified trust service provider; and
4. the start and end dates of the authentication certificate,
(d) not allowing the transfer of the private cryptographic key referred to in (a) from that electronic device;
(e) supporting the use of one of the algorithms listed in point I of Annex 2 to this Regulation and the hashing function listed in point II of Annex 2 to this Regulation;
(f) the use of which is subject to the entering of a security code (PIN); and
(g) where there is no known increased risk to the operation of the data box information system.
(2) The Authentication Certificate referred to in paragraph 1 (b) is issued by a qualified trust service provider.
(3) It is also possible to use an electronic device for logging into the data box, which is the connection of the mobile device and the mobile application provided by the Ministry of Interior. Such an electronic device shall comply with the technical specifications and procedures laid down for the characteristics and form of the electronic identification, authentication and technical control devices directly applicable by the European Union Regulation governing the minimum technical specifications and procedures for the levels of guarantee of electronic identification1), at least for a significant level of guarantee.
Technical conditions and safety principles for access to the data box
(1) If the person authorised to access the data box is logged in by means of an electronic device pursuant to Section 2 (1), the data box information system administrator shall not be able to log in without simultaneously entering the username and password in accordance with Section 1. Where a person authorised to access a data box uses an electronic device pursuant to § 2 (1), the controller of the data box information system shall not allow that person to log in only with the access data referred to in § 1.
(2) If a security password is misentered immediately after the fifth consecutive time when logged into a data box by means of the access data provided for in Section 1, the data box information system administrator shall be entitled to prevent logging into the data box by using the same username for up to 1 hour from the time of the fifth incorrect security password entry. The data box information system administrator shall simultaneously send a message to the electronic address of the selected person for which the data box has been set up, or to the administrator, indicating that an attempt has been made to log into the data box and that the person authorised to access the data box is recommended to change the security password without delay. The first and second sentences shall not apply if the person authorised to access the data box is registered by electronic means in accordance with Section 2.
(3) If the person authorised to access the data box that is logged into the data box has not performed any action in the data box for 30 minutes, the data box information system administrator shall log the person from the data box. The first sentence shall not apply when the data box is accessed via an electronic file service system or other electronic application using a certificate.
(4) The data box information system administrator will allow the person authorised to access the data box to change the security password at any time. The change in the security password may be done in a way that allows remote access.
(5) Login to the data box by means of an electronic means as referred to in Article 2 (1) shall be governed by the safety principles set out in the certification policy, which the qualified trust service provider maintains in accordance with the technical standards referred to in points III (b) and (c) of Annex 2 to this Regulation and shall publish in a manner that allows remote access.
Allowed data message formats delivered to the data box
The permissible format of the data message delivered to the data box is set out in Annex 3 to this Regulation.
Maximum size of the data message delivered to the data box
The maximum size of the data message delivered to the data clipboard is 100 MB.
Time of storage of the data message in the data box
The storage time of the data message in the data box
(a) 90 days from the date on which the person who has access to the document contained in the data message entered the data box;
(b) 90 days from the date on which the data box was accessed by means of an electronic file service system or other electronic application using a certificate;
(c) 3 years from the date on which the data message was delivered to the data box if it fails to access the data box referred to in (a) or (b).
Technical formalities for using the data box
The data box information system administrator will not accept a data message for sending,
(a) if it is not in the admissible format laid down in this Decree,
(b) if its size exceeds the maximum size laid down in this Decree, or
(c) the fulfilment of the obligation to ensure the availability, confidentiality and integrity of the data box information system or other information system and the information contained therein.
Method of creating the data clipboard identifier
(1) The data box information system manager creates the data box identifier automatically using algorithms to generate random numbers.
(2) The identifier of the data box is unique for each data box.
Efficacy
This Decree shall take effect on 1 July 2009.
Minister:
Ing. Pecina, MBA v. r.
Příloha č. 1
Annex No. 1 to Decree No. 194 / 2009 Coll.
Allowed characters for creating username and password
I. Letters and figures
| Přípustný znak | ASCII kód přípustného znaku |
|---|---|
| 0 | 48 |
| 1 | 49 |
| 2 | 50 |
| 3 | 51 |
| 4 | 52 |
| 5 | 53 |
| 6 | 54 |
| 7 | 55 |
| 8 | 56 |
| 9 | 57 |
| A | 65 |
| B | 66 |
| C | 67 |
| D | 68 |
| E | 69 |
| F | 70 |
| G | 71 |
| H | 72 |
| I | 73 |
| J | 74 |
| K | 75 |
| L | 76 |
| M | 77 |
| N | 78 |
| O | 79 |
| P | 80 |
| Q | 81 |
| R | 82 |
| S | 83 |
| T | 84 |
| U | 85 |
| V | 86 |
| W | 87 |
| X | 88 |
| Y | 89 |
| Z | 90 |
| a | 97 |
| b | 98 |
| c | 99 |
| d | 100 |
| e | 101 |
| f | 102 |
| g | 103 |
| h | 104 |
| i | 105 |
| j | 106 |
| k | 107 |
| l | 108 |
| m | 109 |
| n | 110 |
| o | 111 |
| p | 112 |
| q | 113 |
| r | 114 |
| s | 115 |
| t | 116 |
| u | 117 |
| v | 118 |
| w | 119 |
| x | 120 |
| y | 121 |
| z | 122 |
II. Special Characters
| Přípustný znak | ASCII kód přípustného znaku |
|---|---|
| (mezera) | 32 |
| ! | 33 |
| # | 35 |
| $ | 36 |
| % | 37 |
| & | 38 |
| ( | 40 |
| ) | 41 |
| * | 42 |
| + | 43 |
| , | 44 |
| - | 45 |
| . | 46 |
| : | 58 |
| = | 61 |
| ? | 63 |
| @ | 64 |
| [ | 91 |
| ] | 93 |
| _ | 95 |
| { | 123 |
| | | 124 |
| } | 125 |
| ~ | 126 |
Příloha č. 2
Annex No. 2 to Decree No. 194 / 2009 Coll.
List of algorithms, hashing functions, standards and technical standards
I. Algorithms
(a) RSA 2048 and 3072 bits (RFC 8017)
(b) DSA (FIPS PUB 186-2)
(c) ECDSA-Fp (ANSI X9.62)
(d) ECDSA-F2m (ANSI X9.62)
II. Hash function
SHA-2 - 256, 384, 512 bits (FIPS 180-4)
III. Standard and technical standards
a) RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
(b) ETSI EN 319 401 v2.1.1 Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers
(c) ETSI EN 319 411-1 v1.1.1 Electronic Signages and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements
Příloha č. 3
Annex No. 3 to Decree No. 194 / 2009 Coll.
Allowed data message formats delivered to the data box
I. Acceptable data message formats delivered to the data box are subject to the condition in point IV of the formats
a) pdf (Portable Document Format),
b) PDF / A (Portable Document Format for the Long-term Archive),
(c) xml (Extensible Markup Language Document),
d) fo / zfo (602XML Filter document),
e) html / htm (Hypertext Markup Language Document),
f) odt (Open Document Text),
(g) ods (Open Document Spreadsheet),
h) odp (Open Document Presentation),
i) txt / csv (plain text),
j) rtf (Rich Text Format),
(k) doc / docx (MS Word Document),
(l) xls / xlsx (MS Excel Spreadsheet),
m) ppt / pptx (MS PowerPoint Presentation),
n) jpg / jpeg / jfif (Joint Photographic Experts Group File Interchange Format),
o) png (Portable Network Graphics),
p) tif / tiff (Tagged Image File Format),
q) gif (Graphics Interchange Format),
r) mpg / mpeg / mpeg1 / mpeg2 (MPEG Phase 1 - ISO- IEC 11172 / Phase 2 - ISO / / ISO / IEC 13818),
s) wav (Waveform Audio Format),
t) mp2 / mp3 (MPEG-1 Audio Layer 2 / Layer 3),
u) isdoc / isdocx (Information System Document) version 5.2 or higher;
(v) edi (international standard EDIFACT, ODETTE and EANCOM standards for electronic trade documents - EDI),
w) dwg (AutoCAD DraWinG File Format) version 2007 and higher,
x) shp / dbf / shx / prj / qix / sbn / sbx (ESRI Shapefile),
y) dgn (Bentley MicroStation Format) version V7 and V8; and
z) gml / gfs / xsd (Geography Markup Language Document).
II. Allowed data message formats delivered to the data box are subject to the condition in point IV of the formats
a) json (JavaScript Object Notice),
b) mp4 / m4a (MPEG-4 Audio ISO / IEC 14496),
c) mp4 / m4v / m4p (MPEG-4 Video ISO / IEC 14496),
(d) heic / heif (High Efficiency Image File); and
e) ddd (Digital Data Distiller - output from tachograph or driver card).
III. Allowed data message formats delivered to the data box are subject to the conditions set out in points IV to VI of the formats
a) zip (ZIP File Format, as specified in the Info-ZIP Application Note 19970311); and
(b) asics / scs / asice / sce (Associated Signature Containers Simple / Extended).
IV. Formats referred to in points I to III are acceptable data message formats delivered to the data box if it contains the name of the file constituting the data message corresponding to them. A link means an external character of the data message format that allows the software to identify the data file type.
V. The formats referred to in point III shall be admissible for data message formats delivered to the data clipboard if:
(a) the content of the data message is not encrypted;
(b) the data message shall consist of at least one file in the format referred to in points I or II;
(c) the data message does not form a file in a format other than that referred to in point I or II;
(d) the data message consists of a maximum of 1 000 files and directories;
(e) the maximum input level of directories is 4; and
(f) the maximum size of the decompressed content shall be 3 GB.
VI. The format referred to in point III (a) shall be the permissible data format of the data message delivered to the data clipboard unless the data message constitutes a file containing part of the compressed content.
(1) Commission Implementing Regulation (EU) 2015 / 1502 of 8 September 2015 laying down minimum technical specifications and procedures for the level of guarantee of electronic identification devices pursuant to Article 8 (3) of Regulation (EU) No 910 / 2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market.
Sign in for notes, favorites and notifications
Regulation Information
| Citation | Decree No. 194 / 2009 Coll., on determining the details of the use and operation of the data box information system |
|---|---|
| Regulation Type | Order |
| Author | - |
| Collection | Code of Laws |
| Date of Promulgation | 26.06.2009 |
|---|---|
| Effective from | 01.07.2009 |
| Effective until | - |
| Status | Valid |
The regulation text is for informational purposes only.
Comments 0