- 1. Objectives
- 2. Certificate Class and Issuance Policy
- 3. Applications and Procedure for Certificates
- 4. Personal Identification
- 5. Responsibilities and Liabilities of Related Parties
- 6. Operation of Certification System and Security Control
- 7. Management of Certification Practice
- 8. Definition of Terms
6. Operation of Certification System and Security Control
6.1 Physical Control
6.1.1 Physical Control on Access
KICA safeguards the sites where the core certification systems are installed to prevent physical hazards, such as intrusion, illegal access, or fire damage, as follows:
a. KICA installs and operates the core certification systems in a separate controlled area.
b. KICA controls access to the controlled area by using multi-layer access systems, which use a combination of passwords, fingerprint recognition, weight sensing devices, etc.
c. KICA installs the core certification systems in a secure cabinet to allow for physical access control.
d. KICA has all outside hardware service technicians, etc. accompanied by the person in charge when they enter the area where the core certification systems are installed.
e. KICA maintains and regularly reviews a log that records any entry into the controlled area in connection with the ID authentication card.
f. KICA maintains alarm systems by installing the following surveillance control systems.
- ① CCTV camera monitoring system.
- ② Intrusion dictating system.
g. KICA may emp
loy security professionals to guard the controlled area.
6.1.2 Power Source
KICA employs UPS to prevent damage from unexpected power failures.
6.1.3 Prevention of Flood Damage
KICA installs the core certification systems at minimum height of 30cm or more to protect them from flood damage.
6.1.4 Prevention of Fire Damage
KICA installs fire detector, portable fire extinguisher, and automatic fire extinguishing facilities to guard the core certification systems from fire.
6.1.5 Storage Media
KICA controls physical access to its major storage media that are stored in safes.
6.1.6 Disposal of Refuse
KICA shreds and crushes documents, diskettes, and other items to prevent information from such material from being leaked.
6.1.7 Remote Backup
KICA maintains a remote backup storage of subscriber certificates, including C.R.L, for 10 years after the corresponding certificates are voided.
6.2 Storage and Management of Records
KICA stores all records related to the key generating system, certificate generating system, management system, directory system, and time-stamping system in file format and manages them according to separate KICA guidelines.
6.3 Technical Security Control
6.3.1 Generation and Use of Key pair
6.3.1.1 Generation of Key pair
a. KICA allows only persons authorized by KICA to generate Key pair.
b. KICA generates Key pair by using a secure key generating system that is physically separated from the outside.
6.3.1.2 Size and hash value of Key pair
KICA uses the following size and hash values to employ secure and reliable algorithms for digital signature key encryption.
a. For RSA and KCDSA: 1024 bit or higher.
b. For HAS-160 and SHA-1: 160 bit or higher.
6.3.2 Safeguard of Private keys
KICA stores Private keys and key generating modules in a secure storage device which is not connected to internal or external communication networks and which is protected from physical intrusion. The Private keys are stored in access-authorized smart cards that are safe from leakage or tampering due to the use of double encryption codes.
6.3.2.1 Storage device for Private keys
Digital signature modules used by KICA are sealed; access authorized, and equipped with functions that protect Private keys from leakage or tampering.
6.3.2.2 Generation and secure deletion of Private keys
KICA deletes Private keys immediately from system memory upon completion of their generation and use.
6.3.3 Replacement of Key pair
a. With newly generated Key pair, KICA applies to KISA for renewal of its Licensed CA (Certification Authority) Certificate before expiration of the existing Certificate.
b. In case its Licensed CA (Certification Authority) Certificate expires before expiration of the subscribers' certificates, KICA should as a matter of principle have its Certificate renewed by the Korea Information Security Authority (KISA) prior to use.
6.3.4 Method of Disposing Private keys
When its Licensed CA (Certification Authority) Certificate expires or when Private keys are damaged or leaked, KICA completely destroys their physical storage media.
6.3.5 Validity of Private keys
KICA and subscribers shall use Private keys only during the term of validity of the corresponding certificates.
6.3.6 Security Control on Computers and Networks
a. For maintenance of the core certification systems, KICA manages operation records of the core certification systems and keeps major lists of each system's current status.
b. For access control of networks, KICA employs firewall systems with certificates of assessment.
c. To protect network service from interfering attacks, KICA operates intrusion-detecting systems.
6.3.7 Record Archives
6.3.7.1 Types of archival records
KICA archives the following types of records, which are related to core certification practice, general audit, prevention of security intrusion, and operations:
a. Records of key generation and renewal.
b. Records related to application for issuance, suspension, revocation, and reinstatement of certificates.
c. Notifications of loss, damage, theft, or leakage of Private keys.
d. Records related to generation, issuance, renewal, suspension or revocation of certificates.
e. Issuance and renewal of CRL.
6.3.7.2 Safekeeping of archival records
To prevent forgery of, tampering, or damage to archival records, KICA archives records as follows;
a. Electronic documents are safely stored with Digital signatures.
b. Hard copy documents are stored in locked cabinets.
6.3.7.3 Measures for archiving records
KICA regularly archives the original records; copies are archived in physically separate and secure sites for 10 years.
6.3.8 Recovery Measures
6.3.8.1 Measures against failures of system resources and software
When system resources or software are damaged, KICA restores the system immediately using dual backup system resources and software in order to prevent inconvenience in subscriber use.
6.3.8.2 Measures against damage or loss of data
When major data such as subscribers' certificates are damaged or lost, KICA restores them immediately using backup data.
6.3.9 Others
6.3.9.1 Storage of Public keys
KICA stores certificates containing Public keys in directory during the term of validity of the certificates or until the certificates are revoked.
