6. TECHNICAL SECURITY CONTROLS

6.1. Key Pair Generation and Installation

6.1.1. Key pair generation

Key pairs for the CESNET CA are generated exclusively by authorized CESNET CA personnel acting in the role of CA.

End entities' key pairs are always generated by their application during the requesting process. They are never generated or stored by the CESNET CA.

6.1.2. Private key delivery to entity

Private keys are never delivered. End entities are required to generate their own key pairs.

6.1.3. Public key delivery to certificate issuer

The CESNET CA SHALL accept certificate requests in any of the following formats:

  1. PKCS#10 request format (see RFC 2314).

  2. PEM-encoded certificate request (see RFC 1424).

  3. Netscape Signed Public Key And Challenge (SPKAC) format.

The preferred transport method for certification requests is SSL-protected HTTP.

6.1.4. CA public key delivery to users

CA public keys are published on the CESNET CA certificate repository and the CESNET CA WWW site. (See Section 2.6).

6.1.5. Key sizes

The CESNET CA uses the RSA public key algorithm.

The CA private key MUST be of 2048 bit key size.

The RA private key MUST be of 2048 bit key size.

All other private keys MUST be of at least 1024 bit key size.

6.1.6. Public key parameters generation

Public key parameters are generated by the relevant applications.

6.1.7. Parameter quality checking

The CESNET CA does not require checking of the quality of the public key parameters.
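The rules in 6.1.3 and 6.1.5 (a PKCS#10 request, RSA keys, 2048 bits for CA and RA keys, at least 1024 bits for everyone else) can be enforced mechanically when a request arrives at the RA. The script below is an added example using the OpenSSL command line; it is not CESNET's own tooling and the CPS does not prescribe it. The file names, the subject DN and the sample requests it generates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the CESNET CPS: an RA-side acceptance check for a
# submitted certificate request, applying the rules of 6.1.3 and 6.1.5 with the
# OpenSSL command line. File names and subject DNs below are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# check_csr FILE MIN_BITS
# Accepts a PEM-encoded PKCS#10 request only if its self-signature verifies
# (proof that the requester holds the private key), the key is RSA, and the
# modulus is at least MIN_BITS long. Prints the decision; returns 0 on accept.
check_csr() {
  csr="$1"
  min_bits="$2"

  # Structure and proof of possession: the file must parse as PKCS#10 and the
  # signature over CertificationRequestInfo must verify with the enclosed key.
  if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
    echo "REJECT $csr: not a PKCS#10 request or self-signature does not verify"
    return 1
  fi

  # Algorithm and size, read from the textual dump. The size line is
  # "RSA Public-Key: (N bit)" on OpenSSL 1.1 and "Public-Key: (N bit)" on 3.x,
  # so the pattern matches on the common suffix.
  text="$(openssl req -in "$csr" -noout -text)"
  alg="$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)"
  bits="$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)"

  if [ "$alg" != "rsaEncryption" ]; then
    echo "REJECT $csr: key algorithm is '$alg', the CPS key-size rules are stated for RSA"
    return 1
  fi
  if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
    echo "REJECT $csr: RSA modulus is ${bits:-unknown} bits, minimum is $min_bits"
    return 1
  fi
  echo "ACCEPT $csr: RSA $bits-bit key, self-signature verified"
}

# make_rsa_csr BITS OUTFILE: build a constructed request for the demonstration.
make_rsa_csr() {
  openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$1" \
    -out "$WORK/key-$1.pem" 2>/dev/null
  openssl req -new -key "$WORK/key-$1.pem" \
    -subj "/O=Constructed Example/CN=demo-$1" -out "$2" 2>/dev/null
}

# Demo: subscriber threshold (1024) versus CA/RA threshold (2048).
make_rsa_csr 2048 "$WORK/req2048.pem"
make_rsa_csr 1024 "$WORK/req1024.pem"
check_csr "$WORK/req2048.pem" 2048            # accepted for CA/RA use
check_csr "$WORK/req1024.pem" 1024            # accepted for a subscriber
check_csr "$WORK/req1024.pem" 2048 || true    # rejected against the CA/RA rule
```

The self-signature check is the part most often skipped in ad-hoc RA scripts: without it the RA would issue a certificate for a public key the requester may not actually control. The SPKAC format listed in 6.1.3 is not handled here; `openssl spkac -verify` covers that case separately.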

6.1.8. Hardware/software key generation

The CESNET CA keys are generated in software.

The subscribers' keys MAY be generated in software or hardware.

6.1.9. Key usage purposes (as per X.509 v3 key usage field)

The X.509 v3 keyUsage extension field is set according to the requirements stated in the relevant CP.

6.2. Private Key Protection

6.2.1. Standards for cryptographic module

The CESNET CA does not claim that the cryptographic module used is compliant with any pre-determined standard.

6.2.2. Private key (n out of m) multi-person control

The CESNET CA does not use multi-person control of keys.

6.2.3. Private key escrow

The CESNET CA private keys are not placed in escrow. The CESNET CA also does not accept escrow copies of other parties' keys.

6.2.4. Private key backup

The CESNET CA private keys are backed up. The backup copies, encrypted with 3DES or AES, are securely stored off-site.

6.2.5. Private key archival

The CESNET CA private keys are archived on encrypted media.

6.2.6. Private key entry into cryptographic module

All private keys managed by the CESNET CA are only stored in encrypted form.

6.2.7. Method of activating private key

Every activation of a CESNET CA private key MUST require entering activation data (a passphrase). The passphrase MUST be known to authorized CESNET CA personnel only.

6.2.8. Method of deactivating private key

Cryptographic modules which have been activated MUST NOT be left unattended. They MUST be deactivated after use, e.g. via a logout procedure.

6.2.9. Method of destroying private key

The CESNET CA private keys are archived. After the retention period (see Section 4.6.2) the archive media SHALL be destroyed.

Private keys on magnetic disk can be removed by overwriting the key files.

6.3. Other Aspects of Key Pair Management

6.3.1. Public key archival

Public keys are archived as part of the certificate archival.

6.3.2. Usage periods for the public and private keys

The validity period for issued certificates is set according to the requirements stated in the relevant CP.

6.4. Activation Data

6.4.1. Activation data generation and installation

The passphrases used by the CESNET CA are at least 15 characters long.

6.4.2. Activation data protection

The CESNET CA passphrases MUST be known to authorized CESNET CA personnel only. The passphrases MUST be used only in a secure physical environment.
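Sections 6.2.4, 6.2.6, 6.2.7 and 6.4.1 together describe one procedure: the CA private key is held only in encrypted form, a backup copy encrypted with 3DES or AES goes off-site, and the activation passphrase is at least 15 characters. The script below is an added example of that procedure with the OpenSSL command line; it is not CESNET's own tooling and the CPS does not prescribe it. The file names, the demo key and the passphrases are constructed.

```shell
#!/bin/sh
# Added example, not part of the CESNET CPS: writing an AES-encrypted backup of
# a CA private key (6.2.4, 6.2.6) under a passphrase that meets the 15-character
# minimum of 6.4.1, and proving the backup restores before it goes off-site.
# Uses the OpenSSL command line; file names and the demo key are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

MIN_PASSPHRASE_LEN=15   # activation data length from 6.4.1

# backup_private_key KEYFILE BACKUPFILE PASSPHRASE
# Writes BACKUPFILE as a PKCS#8 private key encrypted with AES-256 (one of the
# two ciphers the CPS allows). Refuses passphrases shorter than the policy.
backup_private_key() {
  if [ "${#3}" -lt "$MIN_PASSPHRASE_LEN" ]; then
    echo "REFUSED: passphrase has ${#3} characters, policy requires $MIN_PASSPHRASE_LEN"
    return 1
  fi
  # The passphrase is handed over through the environment (env:), not as a
  # command-line argument, so it does not appear in the process list.
  BACKUP_PASS="$3" openssl pkey -in "$1" -aes256 -passout env:BACKUP_PASS -out "$2"
  chmod 600 "$2"
  echo "backup written: $2"
}

# verify_backup KEYFILE BACKUPFILE PASSPHRASE
# Decrypts the backup and checks that its public key matches the live key's,
# so a wrong passphrase or a corrupted copy is caught while the original still
# exists, not during a recovery.
verify_backup() {
  live="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
  restored="$(BACKUP_PASS="$3" openssl pkey -in "$2" -passin env:BACKUP_PASS -pubout 2>/dev/null)" || {
    echo "FAIL: backup could not be decrypted"
    return 1
  }
  if [ "$live" != "$restored" ]; then
    echo "FAIL: restored key does not match the live key"
    return 1
  fi
  echo "OK: backup decrypts and matches the live key"
}

# Demo on a constructed 2048-bit CA key (the size 6.1.5 requires for the CA).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/ca.key" 2>/dev/null
chmod 600 "$WORK/ca.key"
backup_private_key "$WORK/ca.key" "$WORK/ca.key.bak" "short-one" || true
backup_private_key "$WORK/ca.key" "$WORK/ca.key.bak" "correct horse battery staple"
verify_backup "$WORK/ca.key" "$WORK/ca.key.bak" "correct horse battery staple"
```

Comparing public keys rather than the decrypted private key bytes avoids writing plaintext key material to disk during the check; the only place the private key exists in the clear is the live CA system, which 6.7 keeps off-line.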

6.5. Computer Security Controls

6.5.1. Specific computer security technical requirements

The CESNET CA computer system MUST satisfy the following requirements:

  1. The CESNET CA is run on a dedicated computer system.

  2. Only the software needed to perform the CA tasks is installed on the system.

  3. Access to the operating system and the CA software is allowed only to the authorized CESNET CA personnel.

  4. Physical access to the system is allowed only to the authorized CESNET CA personnel.

  5. All security related events are audited.

The desired functionality MAY be provided by the operating system, the CA software, physical protection or by a combination of those.

6.5.2. Computer security rating

No formal computer security rating is required.

6.6. Life Cycle Technical Controls

6.6.1. System development controls

The development of the CESNET CA software is carried out in a controlled, secure environment.

The production and development environments are completely separated.

6.6.2. Security management controls

The logs, the configuration files and the entire file system of the CESNET CA computer systems are regularly checked.

6.6.3. Life cycle security ratings

No formal life cycle security rating is required.

6.7. Network Security Controls

The CESNET CA computer system SHALL always be kept off-line.

6.8. Cryptographic Module Engineering Controls

The cryptographic functions are provided by software.