Decree of National Security Office No. 76 / 1999 Coll.
Decree of the National Security Office on ensuring cryptographic protection of classified information, certification of cryptographic devices and certification requirements
Valid
Order
Effective from 27.04.1999
Text versions:
10.06.1999
27.04.1999
Zobrazeno prvních 200 z celkem 212 ustanovení tohoto předpisu.
Zobrazit celý předpis →
Pro stažení celého znění použijte tlačítko Stáhnout výše.
76
DECLARATION
National Security Office
of 14 April 1999
on ensuring cryptographic protection of classified information, certification of cryptographic devices and certification requirements
The National Security Office ("the Office ') provides, pursuant to Sections 52 (5) and 53 (3) of Act No. 148 / 1998 Coll., on the Protection of classified information and on the amendment of certain laws (" the Act'):
Subject matter
This Decree sets out the modalities for the use, deployment and registration of cryptographic means used to protect classified information ("cryptographic means'), the use of key materials, the detection of the competence of cryptographic protection personnel for classified information, the procedure and method of certification process of cryptographic means and the necessity of the certificate.
For the purposes of this decree:
(a) information on knowledge which can be communicated in any form;
(b) classified classified classified classified classified information;
(c) cryptographic science discipline which develops and applies mathematical and physical principles for the creation of methods and means to protect information in order to hide it from an unauthorised person, to ensure its authenticity, to prevent its modification, refusal or unauthorised use ("protection of information");
(d) a summary of cryptographic keys intended for cryptographic devices by key materials;
(e) cryptographic means of equipment, objects, programmes or cryptographic processes, including cryptographic keys, ensuring the protection of information;
(f) cryptographic key specific information used together with cryptographic device to protect information;
(g) the authentication of the confirmation process and thus the establishment of the identity of the user, process or other element with the required degree of guarantee;
(h) means of identification by means of means or systems used to demonstrate the identity of a natural person, in particular identity cards, optical sensors, biometric sensors and systems, digital signature and magnetic, chip or contactless cards;
(i) an audit of the security process ensuring, together with the identification and authentication of the user, that the user is individually responsible for his or her activities in the management of classified information;
(j) an element capable of storing information by the information medium;
(k) compromise the case of the unauthorised handling of classified information, which may result in a breach of the protection of classified information when using a cryptographic device;
(l) cryptographically significant element of the device, property or method involved in the quality of the protection of classified information, in particular cryptographic algorithm and cryptographic key, the initial setting generator or cryptographic key carrier;
(m) the cryptographic device subsystem of the device used immediately with the cryptographic device and enabling it to operate under the classified information protection system and the evaluation of which is part of the certification of the cryptographic device;
(n) compromising radiation such radiation, in particular electrical, electromagnetic, optical and acoustic radiation, which by its occurrence may cause the release of classified information;
(o) a security standard specific legislation, the content of which is consistent with an international technical standard, directive or standard, and a Czech State standard or specification issued by an international organisation, setting out procedures, guidelines, technical solutions, security parameters and organisational measures to protect classified information.
Use and deployment of cryptographic devices
(1) For cryptographic protection of classified information, only a cryptographic device certified by the Bureau for a classification level identical to that of classified information or higher.
(2) The deployment of the cryptographic device and its use are carried out in accordance with the safety standards issued under Section 8 (1) (o) of the Act.
(3) In the information system which processes, transmits, stores or archives (hereinafter referred to as "loading") classified classified classified information, a cryptographic device certified by the Office for the classification level identical to the highest classification level of the classified information which the information system is handling or higher shall be used.
(4) The cryptographic protection officer shall be responsible for the flawless state and correct use of the cryptographic device.
(5) The Authority ensures the use of cryptographic protection of classified information of the North Atlantic Alliance in information systems.
(6) Data on the operation of the deployed cryptographic device certified for the classification level "Top Secret" or "Secret" shall be kept in the "Book of operation of the cryptographic device."
Key materials
(1) Key materials form part of a cryptographic device. The method of handling key materials shall establish safety standards.
(2) Unsecured key materials, materials without technical or cryptographic protection shall be classified by a classification which is identical to the classification of the classified fact for which the key materials are intended or by a higher classification.
(3) Secured key materials, materials with technical or cryptographic protection shall be classified by a classification which is identical to the classification of the classified information for which the key materials are intended or a lower classification.
(4) The production of key materials, their distribution and destruction of unused key materials is governed by safety standards.
(5) Unused key materials allocated by the Authority to the Authority or to an organisation shall be returned to the Office unless otherwise specified in the safety standards.
(6) The Office ensures the use and distribution of key materials of the North Atlantic Alliance.
Compromise measures
(1) If the statutory authority finds that a compromise has taken place, it shall immediately notify the Office in writing.
(2) In the event of a compromise, the statutory authority shall, in particular, take the following measures without delay to ensure the protection of classified information protected by cryptographic means:
(a) prevent the continued use of compromised key materials, cryptographic means, systems ("compromised means");
(b) ensure the protection of classified information by other uncompromised cryptographic means where available; where the protection of classified information cannot be ensured in this way, it is necessary to use other means of protection provided for in Sections 47 to 51 of the Act,
(c) in the case of classified information stored in a system connected to a computer or communication network, ensure that it is physically disconnected from the means of communication;
(d) document all the circumstances preceding the compromise found, as well as those immediately following, including the list of persons in contact with the compromised device.
Workers of cryptographic protection of classified information
(1) The cryptographic protection officer of classified information shall be designated by a person for at least the classification level for which the cryptographic device with which he is operating is certified.
(2) The Cryptographic Protection Officer of classified information shall be the operator, the specialist operator and the auditor whose activities set safety standards.
Professional competence of cryptographic protection workers
(1) The Office or its delegated organisation shall ensure the preparation of the competence of cryptographic protection personnel.
(2) The professional competence of cryptographic protection personnel for the classification levels "Reserved," "Confidential" and "Confidential" shall be verified by the Office or by its designated organisation. The expertise of cryptographic protection personnel for the "Top Secret" classification level shall be verified by the Office.
(3) The Office shall issue a certificate of professional competence to the staff member of the cryptographic protection of classified information, a model of which appears in Annex 1.
(4) The period of validity of the certificate of professional competence of a cryptographic protection officer for classified information shall be 6 years for the classification of "reserved" and "confidential," "classified" or "classified" 5 years.
(5) The validity of the certificate of professional competence of a cryptographic protection worker for classified information expires
(a) the expiry date referred to in paragraph 6; or
(b) the expiry of the certificate issued. 1)
Requirements for the certification of cryptographic devices
(1) The Authority establishes the certification criteria by safety standards, the requirements for the systems of measures constituting cryptographic protection of classified information and the cryptographic means which may be used to ensure cryptographic protection for each level of classified information.
(2) Cryptographic devices must use cryptographic algorithms established by security standards and international standards approved by the Office or by the Office.
(3) A system of measures constituting cryptographic protection of classified information must ensure that classified information is protected from leakage and unauthorised disposal. The system of measures must also be applied to their subsystems.
(4) Cryptographic devices used to protect classified information and their subsystems processing classified information in an open, i.e. unencrypted form or handling cryptographically significant elements must be resistant to compromise due to compromising radiation.
(5) The integrity of the protection shall be verified according to safety standards and shall be graded according to the classification level of classified classified classified classified information.
Procedure and method of certification of cryptographic device
(1) To carry out the certification of a cryptographic device for the required classification level of classified information, they may request:
(a) a State authority;
(b) an organisation which has been certified for this classification of classified information;
(c) the natural person designated for that level of classified information.
(2) Certification of the cryptographic device is carried out on request. The model for the application for certification of a cryptographic device is set out in Annex 3.
(3) Applications for certification of a cryptographic device are accompanied by:
(a) certificates issued by other approved test bodies, including the results of measurement protocols, and a list of the standards to which the cryptographic device has been granted;
(b) the necessary number of pieces of cryptographic device to carry out its certification and, if necessary, to carry out their installation under the conditions of the certification centre or to make an initial introduction to the cryptographic device.
(4) Depending on the determination of the use of the cryptographic device, the application for its certification shall be accompanied by:
(a) for the classification level "Reserved" of the documentation listed in Annex 2 (1),
(b) for the classification level "Confidential" documentation referred to in Annex 2 (2),
(c) for the classification level "Secret" documentation referred to in Annex 2 (3),
(d) for the "Top Secret" classification of the documents listed in Annex 2 (4).
(5) The Office may, if necessary, request further:
(a) additional supporting documents or particulars needed to carry out the certification of the cryptographic device;
(b) familiarisation of their evaluation team with the cryptographic device, in particular with installation, parameters, rules of use, used cryptographic keys and key economy;
(c) providing the possibility to use the user environment of the applicant for certification in which the cryptographic device will be used to assess the impact of such an environment on the security requirements for protecting classified information;
(d) evidence of the level of security measures for research, development, production and distribution of the certified device and the key economy.
(6) The Office shall take over the application for certification of a cryptographic device, check the completeness of the documentation accompanying it in accordance with paragraphs 3 and 4 and confirm receipt of the necessary number of pieces of the cryptographic device. In the event of findings of deficiencies in the completeness of the dossier accompanying it in accordance with paragraphs 3 and 4, the Office shall invite the applicant to remedy the deficiencies within the specified period. If the applicant fails to address the deficiencies, the Authority shall not carry out the certification and shall return the application, including all supporting documents and cryptographic means, to the applicant. This consequence must be brought to the attention of the applicant.
(7) In order to carry out the certification, if further supporting documents are needed or to secure the activities referred to in paragraph 5, the Office shall invite the applicant to submit supporting documents or to secure the activities within a specified time limit. If the applicant fails to submit the required supporting documents or fails to ensure the required activities, the Authority shall not continue the certification and shall return the application, including all supporting documents and cryptographic means, to the applicant. The applicant must be made aware of this consequence in the call.
(8) The assessment of the cryptographic device shall be carried out by assessing the supporting documents submitted by the applicant and verifying compliance of the identified parameters of the cryptographic device with safety standards.
(9) On the basis of the results of the evaluations, the Authority shall assess the capability of a cryptographic device to protect classified information. If the Authority ascertains compliance of the evaluated cryptographic device with safety standards, it shall approve its competence and issue a certificate to the applicant. The model of the cryptographic device certificate is set out in Annex 4.
(10) If the evaluated cryptographic device does not fulfil the competence for the required classification level and the Authority finds its compliance with the safety standards for a lower than the required classification level, the Authority shall issue a certificate for that lower classification level.
(11) A certificate of cryptographic means confirming the verification and approval of the competence for the protection of classified information issued by a foreign authority may be recognised only if provided for in an international contract which the Czech Republic is bound by, or on the basis of reciprocity and conformity of assessment criteria. The Office's Bulletin shall publish a list of certification centres of foreign power whose cryptographic means can be recognised and a list of cryptographic devices certified by foreign powers, the certificate of which has been recognised by the Office.
(12) A list of certified technical means shall be published in the Official Journal of the Office, indicating the duration of the certificate.
(13) Upon completion of the certification, the Authority shall only return the cryptographic means submitted by it to the applicant for certification. The application for the certification of a cryptographic device, the documentation accompanying the application referred to in paragraph 3 and the additional supporting documents and the data necessary to carry out the certification requested pursuant to paragraph 5 shall not be returned to the applicant for certification and shall remain part of the certification file.
(14) The period of validity of the certificate of cryptographic device issued by the Office is:
(a) for the "Reserved" classification for 6 years;
(b) for "Confidential," "Secret" or "Top Secret" levels for 5 years.
(15) The validity of the certificate of a cryptographic device shall cease to exist at the end of its period of validity or by decision of the Authority where the cryptographic device has ceased to comply with safety standards.
Requirements of the cryptographic device certificate
The certificate shall contain:
(a) the identification of the cryptographic device, including the description of the version for which it is issued;
(b) identification of the certificate allocated by the Office;
(c) identification of the holder;
(d) identification of the supplier;
(e) the classification of classified information for which its competence has been approved;
(f) the period of validity of the certificate.
Reporting of certified cryptographic products
(1) The Office shall keep an overview of certified cryptographic products. A certified cryptographic device shall be kept in the certification file in which the application for certification of the cryptographic device is based, the documentation accompanying the application for certification in accordance with Section 9 (3), the additional supporting documents or data needed to carry out the certification requested in accordance with Section 9 (5), the results of the certification procedure and a copy of the certificate issued.
(2) The certification file may be shredded not earlier than 15 years after the date of expiry of the certification of the cryptographic device.
Transitional and final provisions
Transitional provisions
(1) A cryptographic device which was used at the date of application of the Act to protect national, economic or professional secrets under the current legislation, (2) which was issued by the Ministry of Interior at the latest on the date of application of the Act at the latest by the Ministry of Interior or which was approved by the Ministry of Interior on the date of application of the Act to protect national, economic and professional secrets shall be deemed to be a certified cryptographic device under this Decree by 31 December 2001 at the latest.
(2) The statutory authority shall determine which cryptographic means referred to in paragraph 1 it considers to be certified cryptographic resources under this Decree.
(3) The algorithms approved by the Ministry of the Interior for Administration before the effective date of this Decree are considered to be algorithms approved by the Office.
(4) The certificate issued by the Ministry of the Interior or the Ministry of Defence before the entry into force of this Order shall be considered as a certificate of professional competence of the Cryptographic Protection Officer in accordance with Article 7 of this Order. The certificate shall expire on 31 December 2001 at the latest if the conditions for its issue cease to apply.
Efficiency of the Order
This decree shall take effect on the day of its publication.
Director:
Kadlec v. r.
Příloha č. 1
Annex No 1 to Decree No 76 / 1999 Coll.
Příloha č. 2
Annex No 2 to Decree No 76 / 1999 Coll.
List of documentation submitted for the application for the certification of a cryptographic device
The documentation submitted for certification of the cryptographic device must be in the Czech language and in printed or electronic form on standard electronic processing media in a comprehensible form.
The documentation shall contain the following information, depending on the classification of classified or classified classified information:
(1) Reserved
(a) identification and definition of the means of use;
(b) the type of user environment and the systemic integration of the device;
(c) instructions for the use of the device;
(d) basic cryptographic parameters, type of cryptographic algorithm, mathematical model of all cryptographic methods used in the evaluated cryptographic device;
(e) verification data and programmes for verifying the mathematical model of the cryptographic device algorithm;
(f) verification data and programmes for verifying and testing the function of the device;
(g) a description of the key economy, the potency and structure of the cryptographic device keys;
(h) the method of generating cryptographic keys of the cryptographic device;
(i) a block diagram and a description of the device indicating the jointing of the components;
(j) block diagram and description of the sub-components of the device;
(k) detailed comment on the source texts of the various devices' modules;
(l) the total source text of the software of the device allowing translation into and control of the same form as the certified device;
(m) basic cryptographic analysis carried out in the development of the cryptographic device;
(n) basic safety analysis carried out in the development of the device;
(o) documentation and results of the safety analyses carried out on the device;
(p) an assessment of the possibility of changing the cryptographic algorithm in terms of modification of the cryptographic device and licensing policy;
(r) the method of installation of the device,
(s) in the cases provided for by law, the necessary approval certificate of the device or certificates already granted;
(t) the method of protecting the device against compromising classified information or cryptologically relevant elements by parasitic radiation.
(2) Confidential documentation referred to in paragraph 1 of this Annex, and
(a) the principle of the physical implementation of the device;
(b) the complete technical documentation of the device and a description of the functional and technical parameters;
(c) the way in which the key economy of the device is created and implemented;
d) the method of generating the initial setting of the device,
(e) the diagnostic system of the device,
(f) a description of the methods of authentication and identification used;
(g) de-installation of the device.
(3) Secret documentation referred to in paragraph 2 of this Annex, and
(a) a detailed description of the physical implementation of the cryptographic algorithm, all its operating modes used, including control examples;
(b) a time chart of the main functional states and sub-blocks and a description of the basic functional modes of the device;
(c) a complete diagram of the device's involvement, including a detailed technical description, the definition content of programmable circuits, microprograms, memories, etc.,
(d) full commented source texts of the entire software;
(e) safety characteristics and technical parameters of key carriers;
(f) method of distribution of the key economy;
(g) the period of validity of the key economy;
h) method of protecting keys and cryptographic algorithm against compromise;
(i) method of disposal of cryptographic traces after disinstallation;
(j) a description of the methods, characteristics and safety levels of audit functions used;
(k) the rules governing the use of the device;
(l) rules on the use of key carriers;
(m) rules on the design of topology of networks of means;
(n) the resistance of the device to modification of cryptographically relevant parts;
(o) the resistance and method of protection of programme parts of the device against viral infection;
(p) the method of passive protection of the device;
(r) the diagnosis, course and methods of testing and initialization of cryptographically relevant parts in the certification of the device;
(s) the diagnosis, course and methods of testing and initialization of cryptographically relevant parts in serial production of the device.
(4) Top secret, the documentation referred to in paragraph 3 of this Annex, and
(a) detection of cryptographic errors;
(b) the reaction of the device to external interference stimuli;
(c) the reaction of the device to random or intentional changes in the working environment;
(d) the reaction of the device to the occurrence of its own defect or viral attack;
(e) the resistance of the device against operator error;
(f) the method of recording the device and the key economy;
(g) safety measures in the performance of the serial production of the device;
(h) the manner in which the service activities of the device are carried out by the user;
(i) security measures for the production of cryptographic keys;
Sign in for notes, favorites and notifications
Regulation Information
| Citation | Decree of National Security Office No. 76 / 1999 Coll., on ensuring cryptographic protection of classified information, carrying out certification of cryptographic devices and certification requirements |
|---|---|
| Regulation Type | Order |
| Author | - |
| Collection | Code of Laws |
| Date of Promulgation | 27.04.1999 |
|---|---|
| Effective from | 27.04.1999 |
| Effective until | - |
| Status | Valid |
Legal Areas:
Information, Data, Data
Administrative law
The regulation text is for informational purposes only.
Comments 0