Home | Site Map | Contact Us

Root Certifying Authority of India (CPS)

 

Technical Security Controls

6.1. Key Pair Generation and Installation

6.1.1 Key Pair Generation
Key pair for the CCA is generated in a hardware security module (HSM) which is FIPS 140-1 level 4 certified. Licensed CAs generate their key pairs in a HSM certified to meet the requirements of FIPS 140-1 level 3 certified at minimum.

6.1.2 Private Key Delivery to Entity
Not applicable.

6.1.3 Public Key Delivery from CA (applicant) to CCA
CAs' Public keys are delivered to the CCA as a PKCS#10 certificate request. The signature on the PKCS#10 request is verified to confirm that the CA is in possession of the private key associated with each public key delivered. A certificate is then signed by the CCA and issued to the CA in the format as specified in 7.1.

6.1.4 Root CA Public Key Delivery to Users
The self-signed Certificate of the CCA is available to End-Users for Certificate validation purposes. The certificate hash (thumbprint) and the Root CA certificate are available on the web site of each licensed CA as well as CCA's Web site (cca.gov.in). Relying parties must confirm the validity of their copy of the CCA certificate using this thumbprint. The CCA Digital signature certificate, along with this CPS and other documentation such as the IT Act, Rules and Regulations are available on CD from the office of the CCA or on CCA's website cca.gov.in.

This certificate shall also be made available by each CA and sub-CA on its website to enable verification by relying parties.

6.1.5 Key Sizes
The modulus of the CCA Root CA and the keys of CCA are all 2048 bits in length and use the RSA algorithm. The hash algorithm used by the CCA for signing is SHA-1.

6.1.6 Public Key Parameters Checking
Not Applicable.

6.1.7 Parameter Quality Checking
Not Applicable.

6.1.8 Hardware/Software Key
Generation Keys are generated in a hardware security module that complies with FIPS 140-1 Level 4.

6.1.9 Key Usage Purposes
The key of the CCA will be used for:

  • the issuance of certificates to the Certification Authorities that have been Licensed.
  • Issuance of Certificate Revocation Lists .

6.2 Private Key Protection

6.2.1 Standards for Cryptographic Module
The cryptographic module used by the CCA is certified to FIPS 140-1 level 4.

6.2.2 Private Key (n out of m) Multi-person Control
The private key stored on the HSM does not leave the HSM for any purpose whatsoever. Whenever the private key on the HSM is to be used for signing, three levels (?) of authorizations (based on smart cards and PINs) will be invoked. The first will be at the 'Crypto-Officer' level specifically for activating the HSM. The second two will be at the 'Security Officer' level of the Certificate Issuing System (CIS). All three authorizations are required, thus establishing 3-out-of-3 control.

6.2.3 Private Key Backup
CCA's Private Key is backed up only for disaster recovery purposes. This backup is also done under the same multi person control as in the case of the original key.

During key generation, the HSM is configured to generate 3 sets of smart cards, containing backup keys. The first 2 sets are housed in the Strong Room containing the CIS and the backup system, while the 3rd set will be placed in the Disaster Recovery site.

6.2.4 Private Key Archival
The Root Private Key will not be archived.

6.2.5 Private Key Entry into Cryptographic Module
Private key for the CCA is generated in Hardware Security Modules as described in § 6.1 of this CPS. The HSM is sensitive to motion, tilting and temperature. To ensure that the private key does not get destroyed, it is ensured that the HSM is maintained within the limits set for the above three parameters.

6.2.6 Method of Activating Private Key

  • CCA Private key activation requires entry and validation of a PIN/passphrase compliant with specified security parameters.
  • CCA's private key for signing can only be activated by authorization at three levels of trusted persons.
  • Two Security officers at the level of the CIS.
  • One Crypto officer at the HSM level.
  • All the above authorizations will be through smart cards and associated PINs.

6.2.7 Method of Deactivating Private Key
The CCA Private key is deactivated after each use by manually shutting down the system.

6.2.8 Method of Destroying Private Key
The CCA Private key in the HSM may be destroyed by returning the HSM to its factory initialized state. SmartCards and other cryptographic tokens used by the CCA will be physically destroyed prior to disposal.

The HSM can be destroyed through motion, tilting or temperature changes outside preset limits. Other than this, destroying the lithium battery on the HSM, will also destroy the private key from the HSM.
Root Certificate 2007 Root Certificate 2007 Certificate Revocation Details 2007
FAQ

How do I get a Digital Signature Certificate? 

Who are the CAs licensed by the CCA? 

more...
What's New?
Contact Details

Controller of Certifying Authorities
Electronics Niketan,
6 CGO Complex, Lodhi Road,
New Delhi - 110003
FAX : 91-011-24369578
info@cca.gov.in
©2008 CCA. All rights reserved.
Best Viewed In: 1024 X 768 		AUDITORS | ADJUDICATING OFFICER | RTI disclaimer